Using the FIPS-compliant AMI (#2623)

uc-cdis · Aug 23, 2024 · e7bc9de · e7bc9de
1 parent 41cadbb
commit e7bc9de
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 59 deletions.
diff --git a/gen3/bin/kube-setup-cluster-level-resources b/gen3/bin/kube-setup-cluster-level-resources
diff --git a/kube/services/argo-events/workflows/configmap.yaml b/kube/services/argo-events/workflows/configmap.yaml
@@ -87,8 +87,8 @@ data:
           cpu: 4000
       providerRef:
         name: workflow-WORKFLOW_NAME
-      # Kill nodes after 30 days to ensure they stay up to date
-      ttlSecondsUntilExpired: 2592000
+      # Kill nodes after 2 days to ensure they stay up to date
+      ttlSecondsUntilExpired: 172800
       ttlSecondsAfterEmpty: 10
 
   nodetemplate.yaml: |
@@ -97,6 +97,9 @@ data:
     metadata:
       name: workflow-WORKFLOW_NAME
     spec:
+      amiSelector:
+        aws::name: EKS-FIPS*
+        aws::owners: "143731057154"
       subnetSelector:
         karpenter.sh/discovery: ENVIRONMENT
       securityGroupSelector:
@@ -129,22 +132,6 @@ data:
 
         sysctl -w fs.inotify.max_user_watches=12000
 
-        sudo yum update -y
-        sudo yum install -y dracut-fips openssl >> /opt/fips-install.log
-        sudo  dracut -f
-        # configure grub
-        sudo /sbin/grubby --update-kernel=ALL --args="fips=1"
-
-        --BOUNDARY
-        Content-Type: text/cloud-config; charset="us-ascii"
-
-        power_state:
-          delay: now
-          mode: reboot
-          message: Powering off
-          timeout: 2
-          condition: true
-
         --BOUNDARY--
       blockDeviceMappings:
         - deviceName: /dev/xvda