feat(acl): add FIPS image builds for Azure Container Linux#8463
Open
feat(acl): add FIPS image builds for Azure Container Linux#8463
Conversation
hbeberman
requested review from
AbelHu,
Devinwong,
SriHarsha001,
awesomenix,
calvin197,
cameronmeissner,
djsly,
ganeshkumarashok,
junjiezhang1997,
lilypan26,
mxj220,
pdamianov-dev,
phealy,
r2k1,
sulixu,
surajssd,
timmy-wright and
zachary-bailey
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds support for building and validating new FIPS-enabled Azure Container Linux (ACL) Trusted Launch Gen2 VHDs (AMD64 + ARM64), wiring them through the VHD builder, SIG image config, and e2e coverage.
Changes:
- Add an ACL-specific
installFIPSimplementation and invoke it during ACL VHD build whenENABLE_FIPS=True. - Introduce new ACL FIPS distro identifiers and SIG image definitions/templates to make the images selectable/servable.
- Add pipeline jobs/parameters for the two new builds and add validation for ACL FIPS behavior (VHD content tests + e2e).
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
vhdbuilder/scripts/linux/acl/tool_installs_acl.sh |
Adds ACL installFIPS that installs the UKI addon and writes a marker file. |
vhdbuilder/packer/test/linux-vhd-content-test.sh |
Extends FIPS validation to ACL and checks ACL-specific marker/addon files. |
vhdbuilder/packer/pre-install-dependencies.sh |
Calls installFIPS for ACL builds when FIPS is enabled. |
spec/vhdbuilder/packer/ensure_sig_image_name_linux_spec.sh |
Adds ShellSpec coverage for new ACL FIPS SKU naming. |
pkg/agent/datamodel/types.go |
Adds new ACL FIPS distro constants and registers them as VHD-available. |
pkg/agent/datamodel/types_test.go |
Extends ACL detection tests to cover new FIPS distros. |
pkg/agent/datamodel/sig_config.go |
Adds SIG config templates + distro mappings for ACL FIPS images. |
pkg/agent/datamodel/sig_config_test.go |
Updates expected SIG config map contents/counts and validates new entries. |
pkg/agent/bakerapi_test.go |
Ensures API-level tests include new ACL FIPS distros. |
e2e/validators.go |
Adds an ACL FIPS validator and ensures algif_aead validation isn’t skipped for ACL. |
e2e/scenario_test.go |
Adds an e2e scenario for the AMD64 ACL FIPS TL Gen2 image. |
e2e/config/vhd.go |
Adds image definitions for ACL FIPS TL Gen2 (amd64 + arm64). |
.pipelines/.vsts-vhd-builder.yaml |
Adds CI build jobs for ACL FIPS TL Gen2 (amd64 + arm64). |
.pipelines/.vsts-vhd-builder-release.yaml |
Adds release-pipeline parameters/jobs for the two new builds. |
Adds a pre-flight check that /boot/acl/uki-addons/fips.addon.efi exists before attempting to install it, producing a clear error message if the source addon is missing. The Packer invocation already runs the script under bash -eux so a missing addon would fail the build either way, but the explicit check yields a much clearer diagnostic than the raw 'install: cannot stat' stderr.
Devinwong
reviewed
May 7, 2026
| }) | ||
| } | ||
|
|
||
| func Test_ACLGen2FIPSTL(t *testing.T) { |
Collaborator
There was a problem hiding this comment.
do we still need Test_AzureLinux3OSGuard and Test_Flatcar if we have the ACL test?
Contributor
Author
There was a problem hiding this comment.
Flatcar is being retired on June 8th so we'll do a cleanup pass then once we can stop building images. Similarly, OS Guard is still supported in preview but we'll clean up the testing once we've migrated the security features into ACL.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
This PR adds two FIPS enabled image builds (AMD64 and ARM64) for Azure Container Linux. Distinct images are required because FIPS enablement must be determined pre-boot, in-line with other AKS distros.
Which issue(s) this PR fixes:
Fixes #