Unable to build Microk8s 1.31 FIPS Snap Package #4811

Closed
AdeepKrishnaKeelar opened this issue Jan 4, 2025 · 4 comments

@AdeepKrishnaKeelar

AdeepKrishnaKeelar commented Jan 4, 2025

Was attempting to build the Microk8s Snap Package using the 1.31 branch after adding the FIPS commit on it. Had changed the Go version in the snapcraft.yaml to 1.21-fips/stable. Noticed a few issues:

  • When attempting to build the snap package using a version higher than 1.21-fips, the build process breaks at the ETCD stage (v3.5.5), hence had to resort to 1.21-fips.
  • When attempting in 1.21-fips, the Helm (v3.14.4) build stage breaks, with issues in applying the patch to enable CGO to build helm. Tried debugging using git-am commands, which does not really help. Only seeing Dirty index: cannot apply patches and rebase-error in .git
  • Error pointing in the patch in Helm --> https://github.com/helm/helm/blob/main/Makefile#L77

Reproduction Steps

  • Clone Microk8s Repo.
  • Checkout 1.31 branch.
  • Apply FIPS commit -- git cherry-pick $(git log -n 1 remotes/origin/fips --pretty=format:"%H")
  • Resolve the merge conflict manually in snap/snapcraft.yaml
  • Change the variables -- KUBE_VERSION=v1.31.3 in build-scripts/components/kubernetes/version.sh
  • Change go version to 1.21-fips/stable in snap/snapcraft.yaml in build-deps
  • Change FIPS Env variables (Uncomment OpenSSL and LD library and Go_FIPS=1) in microk8s-resources/default-args/
  • Change pause-image to 3.9 in build-scripts/image.txt and microk8s-resources/default-args/containerd-template.toml
  • sudo SNAPCRAFT_BUILD_ENVIRONMENT=host snapcraft

(The same can be attempted using the LXD Container in Github Actions)

What Should Happen Instead?

Expected: Process completed with snap package created of 1.31 Microk8s with FIPS enabled variables.

Logs

Sharing the part of the build where the error occurred (both manually on an Ubuntu 20.04 VM and in the Workflow Build (Ubuntu 20.04, LXD Snap Build)):

Building helm 
+ /root/project/build-scripts/build-component.sh helm
+++ dirname /root/project/build-scripts/build-component.sh
++ realpath /root/project/build-scripts
+ DIR=/root/project/build-scripts
+ BUILD_DIRECTORY=/root/parts/helm/build
+ INSTALL_DIRECTORY=/root/parts/helm/install
+ mkdir -p /root/parts/helm/build /root/parts/helm/install
+ COMPONENT_NAME=helm
+ COMPONENT_DIRECTORY=/root/project/build-scripts/components/helm
++ cat /root/project/build-scripts/components/helm/repository
+ GIT_REPOSITORY=https://github.com/helm/helm
++ /root/project/build-scripts/components/helm/version.sh
+ GIT_TAG=v3.14.4
+ COMPONENT_BUILD_DIRECTORY=/root/parts/helm/build/helm
+ '[' -d /root/parts/helm/build/helm ']'
+ '[' '!' -d /root/parts/helm/build/helm ']'
+ git clone https://github.com/helm/helm --depth 1 -b v3.14.4 /root/parts/helm/build/helm
Cloning into '/root/parts/helm/build/helm'...
Note: switching to '81c902a123462fd4052bc5e9aa9c513c4c8fc142'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

+ cd /root/parts/helm/build/helm
+ git config user.name 'MicroK8s builder bot'
+ git config user.email [email protected]
+ '[' -e /root/project/build-scripts/components/helm/pre-patch.sh ']'
++ python3 /root/project/build-scripts/print-patches-for.py helm v3.14.4
+ for patch in $(python3 "${DIR}/print-patches-for.py" "${COMPONENT_NAME}" "${GIT_TAG}")
+ git am /root/project/build-scripts/components/helm/patches/default/0001-disable-warnings-for-kubeconfig-permissions.patch
Applying: disable warnings for kubeconfig permissions
+ for patch in $(python3 "${DIR}/print-patches-for.py" "${COMPONENT_NAME}" "${GIT_TAG}")
+ git am /root/project/build-scripts/components/helm/patches/default/0002-enable-cgo.patch
error: patch failed: Makefile:77
error: Makefile: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch
Applying: enable cgo
Patch failed at 0001 enable cgo
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Failed to run 'override-build': Exit code was 128.
Run the same command again with --debug to shell into the environment if you wish to introspect this failure.
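
An added example, not part of the issue thread or the MicroK8s build scripts: a dry run of a patch series against a new upstream tag in a throwaway worktree, so a patch that no longer matches (as `0002-enable-cgo.patch` does at `Makefile:77` in the log above) is reported without leaving the clone in a half-finished `git am`. The function names, the demo repository and its two patch files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not MicroK8s code): dry-run a patch series before `git am` touches the clone.

# check_patches REPO PATCH...  -> prints "OK <name>" / "FAIL <name>"; returns 1 if any fail.
# Uses a throwaway worktree, so REPO is never left with a dirty index or a half-finished am.
check_patches() (
  repo=$1; shift
  scratch=$(mktemp -d) && rc=0
  git -C "$repo" worktree add --detach "$scratch/wt" HEAD >/dev/null 2>&1 || return 2
  for p in "$@"; do
    # --check writes nothing; --index checks the index as well as the working tree
    if git -C "$scratch/wt" apply --check --index "$p" 2>/dev/null; then
      git -C "$scratch/wt" apply --index "$p"   # stack it so the next patch sees it
      echo "OK   ${p##*/}"
    else
      echo "FAIL ${p##*/}"; rc=1
    fi
  done
  git -C "$repo" worktree remove --force "$scratch/wt"; rm -rf "$scratch"
  return $rc
)

# Constructed demo: a tiny repository whose Makefile changed after the patch was cut.
demo() (
  d=$(mktemp -d) && git init -q "$d/up" && cd "$d/up" || return 2
  git config user.name demo; git config user.email demo@example.invalid
  printf 'build:\n\tCGO_ENABLED=0 go build ./cmd/app\n' > Makefile
  echo '# app' > README
  git add . && git commit -qm 'old tag'
  # Two patches cut against the old tag (file names are made up for the demo).
  echo 'note' >> README; git diff > "$d/0001-readme.patch"; git checkout -q -- .
  printf 'build:\n\tCGO_ENABLED=1 go build ./cmd/app\n' > Makefile
  git diff > "$d/0002-enable-cgo.patch"; git checkout -q -- .
  # Upstream moves on: the line the second patch expects no longer exists.
  printf 'build:\n\tCGO_ENABLED=0 go build -trimpath ./cmd/app\n' > Makefile
  git commit -qam 'new tag'
  check_patches "$d/up" "$d/0001-readme.patch" "$d/0002-enable-cgo.patch"
)

demo || echo "series does not apply cleanly to this tag"
```
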
@louiseschmidtgen
Contributor

Hello @AdeepKrishnaKeelar,

Thank you very much for reporting the issue.

Our team has to port the FIPS patch to the latest k8s. Could you please help us prioritize this work? Are there any deadlines on your side we should be aware of?

@AdeepKrishnaKeelar
Author

AdeepKrishnaKeelar commented Jan 10, 2025

Hi @louiseschmidtgen, yes please, would it be taken up in priority? We are attempting the 1.31-FIPS build, and Helm is causing the break. Even manually attempting to change the version to either higher (3.15.0) or lower (3.13.3, 3.12.0, 3.11.0) has failed to build.
For our release, we would like the FIPS patch to be ported by end of January so that we have enough time for our testing.

@louiseschmidtgen
Contributor

Hi @AdeepKrishnaKeelar,

I've squashed the fix into the FIPS branch.

All the best for your release!

@AdeepKrishnaKeelar
Author

Thanks a lot @louiseschmidtgen and team!!
