fix: add fips tests and downgrade 2004 containerd (#8380)

Author: awesomenix

e2e/config/vhd.go

@@ -60,6 +60,17 @@ var (
 		Distro:  datamodel.AKSUbuntuContainerd2204Gen2,
 		Gallery: imageGalleryLinux,
 	}
+	VHDUbuntu2004FIPSContainerd = &Image{
+		Name:                "2004fipscontainerd",
+		OS:                  OSUbuntu,
+		Arch:                "amd64",
+		Distro:              datamodel.AKSUbuntuFipsContainerd2004,
+		Gallery:             imageGalleryLinux,
+		UnsupportedLocalDns: true,
+		// Secure TLS Bootstrapping isn't currently supported on FIPS-enabled VHDs
+		UnsupportedSecureTLSBootstrapping: true,
+		UnsupportedGen2:                   true,
+	}
 	VHDUbuntu2204FIPSContainerd = &Image{
 		Name:                "2204fipscontainerd",
 		OS:                  OSUbuntu,

e2e/scenario_test.go

@@ -686,6 +686,23 @@ func Test_Ubuntu2204FIPS(t *testing.T) {
 	})
 }
 
+func Test_Ubuntu2004FIPS(t *testing.T) {
+	RunScenario(t, &Scenario{
+		Description: "Tests that a node using the Ubuntu 2004 FIPS Gen1 VHD can be properly bootstrapped",
+		Config: Config{
+			Cluster: ClusterKubenet,
+			VHD:     config.VHDUbuntu2004FIPSContainerd,
+			BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
+			},
+			VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
+			},
+			Validator: func(ctx context.Context, s *Scenario) {
+				ValidateSSHServiceEnabled(ctx, s)
+			},
+		},
+	})
+}
+
 func Test_Ubuntu2204Gen2FIPS(t *testing.T) {
 	RunScenario(t, &Scenario{
 		Description: "Tests that a node using the Ubuntu 2204 FIPS Gen2 VHD can be properly bootstrapped",

parts/common/components.json

@@ -1137,7 +1137,7 @@
             "versionsV2": [
               {
                 "renovateTag": "name=moby-containerd, repository=production, os=ubuntu, release=20.04",
-                "latestVersion": "1.7.31-ubuntu20.04u1"
+                "latestVersion": "1.7.30-ubuntu20.04u3"
               }
             ]
           }

vhdbuilder/packer/test/linux-vhd-content-test.sh

@@ -607,33 +607,18 @@ testLtsKernel() {
   if [[ "$os_sku" == "Ubuntu" && ${enable_fips,,} != "true" ]] ; then
     echo "OS is Ubuntu, FIPS is not enabled, check LTS kernel version"
     # Check the Ubuntu version and set the expected kernel version
-    # CVM builds use linux-image-azure-fde-lts-* (different flavor), skip exact pin check
-    local is_cvm=false
-    if grep -q "cvm" <<< "$FEATURE_FLAGS"; then
-      is_cvm=true
-    fi
-
-    if [ "$os_version" = "22.04" ] && [ "$is_cvm" = "false" ]; then
-      # Pinned to exact version to avoid regression in 5.15.0-1103-azure
-      expected_kernel="5.15.0-1102-azure"
-    elif [ "$os_version" = "22.04" ] || [ "$os_version" = "24.04" ]; then
-      expected_kernel=$([ "$os_version" = "22.04" ] && echo "5.15" || echo "6.8")
+    if [ "$os_version" = "22.04" ]; then
+      expected_kernel="5.15"
+    elif [ "$os_version" = "24.04" ]; then
+      expected_kernel="6.8"
     else
-      echo "LTS kernel not installed for: $os_version, skipping check"
-      echo "$test:Finish"
-      return
+      echo "LTS kernel not installed for: $os_version"
     fi
 
     kernel=$(uname -r)
     echo "Current kernel version: $kernel"
     # shellcheck disable=SC3010
-    if [ "$os_version" = "22.04" ] && [ "$is_cvm" = "false" ]; then
-      if [[ "$kernel" == "$expected_kernel" ]]; then
-        echo "Kernel version matches pinned version ($expected_kernel)."
-      else
-        err $test "Kernel version does not match pinned version. Expected exactly $expected_kernel, found $kernel."
-      fi
-    elif [[ "$kernel" == *"$expected_kernel"* ]]; then
+    if [[ "$kernel" == *"$expected_kernel"* ]]; then
       echo "Kernel version is as expected ($expected_kernel)."
     else
       err $test "Kernel version is not as expected. Expected $expected_kernel, found $kernel."