chore(fips): use ubuntu 24.04 fips pkgs & image (#10473)

.github/matrix-full.yml

@@ -40,6 +40,11 @@ build-packages:
   package: deb
   bazel-args: --platforms=//:generic-crossbuild-aarch64
   check-manifest-suite: ubuntu-24.04-arm64
+- label: ubuntu-24.04-fips
+  image: ubuntu:24.04
+  package: deb
+  bazel-args: --//:fips=true
+  check-manifest-suite: ubuntu-24.04-amd64-fips
 
 
 # Debian
@@ -135,9 +140,10 @@ build-images:
   docker-platforms: linux/amd64, linux/arm64
   check-manifest-suite: docker-image-ubuntu-24.04
 - label: ubuntu-fips
-  base-image: ubuntu:22.04
+  base-image: ubuntu:24.04
   package: deb
-  artifact-from: ubuntu-22.04-fips
+  artifact-from: ubuntu-24.04-fips
+  check-manifest-suite: docker-image-ubuntu-24.04
 
 # Debian
 - label: debian
@@ -221,6 +227,12 @@ release-packages:
   artifact-version: 24.04
   artifact-type: ubuntu
   artifact: kong.arm64.deb
+- label: ubuntu-24.04-fips
+  package: deb
+  artifact-from: ubuntu-24.04-fips
+  artifact-version: 24.04
+  artifact-type: ubuntu
+  artifact: kong.amd64.deb
 
 # Debian
 - label: debian-11

changelog/unreleased/kong-ee/ubuntu_fips_is_noble.yml

@@ -0,0 +1,4 @@
+---
+message: Added Ubuntu 24.04 (Noble Numbat) FIPS packages and image.
+type: dependency
+scope: Core

scripts/explain_manifest/config.py

@@ -153,6 +153,7 @@ def transform(f: FileInfo):
                 "libcxx_max_version": "3.4.29",
                 "cxxabi_max_version": "1.3.13",
             },
+            ee_suites: {},
         }
     ),
     "debian-11-amd64": ExpectSuite(
@@ -219,7 +220,7 @@ def transform(f: FileInfo):
         # ubuntu-22.04-arm64
         targets[target.replace("-amd64", "-arm64")] = e
 
-    if target in ("el8-amd64", "el9-amd64", "ubuntu-20.04-amd64", "ubuntu-22.04-amd64"):
+    if target in ("el8-amd64", "el9-amd64", "ubuntu-20.04-amd64", "ubuntu-22.04-amd64", "ubuntu-24.04-amd64"):
         e = deepcopy(targets[target])
         e.manifest = e.manifest.replace("-amd64.txt", "-amd64-fips.txt")
         # Ubuntu 22.04 (amd64) FIPS

scripts/explain_manifest/fixtures/ubuntu-24.04-amd64-fips.txt

@@ -0,0 +1,285 @@
+- Path      : /etc/kong/kong.logrotate
+
+- Path      : /etc/logrotate.d/kong-enterprise-edition
+  Link      : /etc/kong/kong.logrotate
+  Type      : link
+
+- Path      : /lib/systemd/system/kong-enterprise-edition.service
+
+- Path      : /usr/local/kong/gui
+  Type      : directory
+
+- Path      : /usr/local/kong/include/google
+  Type      : directory
+
+- Path      : /usr/local/kong/include/kong
+  Type      : directory
+
+- Path      : /usr/local/kong/lib/engines-3/afalg.so
+  Needed    :
+  - libcrypto.so.3
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/engines-3/capi.so
+  Needed    :
+  - libcrypto.so.3
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/engines-3/loader_attic.so
+  Needed    :
+  - libcrypto.so.3
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/engines-3/padlock.so
+  Needed    :
+  - libcrypto.so.3
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/libada.so
+  Needed    :
+  - libstdc++.so.6
+  - libgcc_s.so.1
+  - libc.so.6
+
+- Path      : /usr/local/kong/lib/libcrypto.so.3
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/libexpat.so.1.9.2
+  Needed    :
+  - libc.so.6
+
+- Path      : /usr/local/kong/lib/libexslt.so.0.8.23
+  Needed    :
+  - libxslt.so.1
+  - libxml2.so.2
+  - libm.so.6
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/libjq.so.1.0.4
+  Needed    :
+  - libm.so.6
+  - libonig.so.5
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/liblicense_utils.so
+  Needed    :
+  - libcrypto.so.3
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/libonig.so.5.3.0
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/libpasswdqc.so.1
+  Needed    :
+  - libc.so.6
+
+- Path      : /usr/local/kong/lib/libsnappy.so
+  Needed    :
+  - libstdc++.so.6
+  - libgcc_s.so.1
+  - libc.so.6
+
+- Path      : /usr/local/kong/lib/libssl.so.3
+  Needed    :
+  - libcrypto.so.3
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/libxml2.so.2.12.9
+  Needed    :
+  - libz.so.1
+  - libm.so.6
+  - libc.so.6
+
+- Path      : /usr/local/kong/lib/libxslt.so.1.1.42
+  Needed    :
+  - libxml2.so.2
+  - libm.so.6
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/ossl-modules/fips.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/lib/ossl-modules/legacy.so
+  Needed    :
+  - libcrypto.so.3
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/kong/portal
+  Type      : directory
+
+- Path      : /usr/local/kong-tools/bin/curl
+  Needed    :
+  - libstdc++.so.6
+  - libm.so.6
+  - libssl.so.3
+  - libcrypto.so.3
+  - libz.so.1
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/bcrypt.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/lfs.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/lpeg.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/lsyslog.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/lua-utf8.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/lua_pack.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/lua_system_constants.so
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/lxp.so
+  Needed    :
+  - libexpat.so.1
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/mime/core.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/pb.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/socket/core.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/socket/serial.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/socket/unix.so
+  Needed    :
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/ssl.so
+  Needed    :
+  - libssl.so.3
+  - libcrypto.so.3
+  - libc.so.6
+  Runpath   : /usr/local/kong/lib
+
+- Path      : /usr/local/lib/lua/5.1/yaml.so
+  Needed    :
+  - libyaml-0.so.2
+  - libc.so.6
+
+- Path      : /usr/local/openresty/lualib/cjson.so
+  Needed    :
+  - libc.so.6
+
+- Path      : /usr/local/openresty/lualib/librestysignal.so
+
+- Path      : /usr/local/openresty/lualib/rds/parser.so
+  Needed    :
+  - libc.so.6
+
+- Path      : /usr/local/openresty/lualib/redis/parser.so
+  Needed    :
+  - libc.so.6
+
+- Path      : /usr/local/openresty/nginx/modules/ngx_wasmx_module.so
+  Needed    :
+  - libm.so.6
+  - libgcc_s.so.1
+  - libc.so.6
+  - ld-linux-x86-64.so.2
+  Runpath   : /usr/local/openresty/luajit/lib:/usr/local/kong/lib:/usr/local/openresty/lualib
+
+- Path      : /usr/local/openresty/nginx/sbin/nginx
+  Needed    :
+  - libcrypt.so.1
+  - libluajit-5.1.so.2
+  - libm.so.6
+  - libssl.so.3
+  - libcrypto.so.3
+  - libz.so.1
+  - libc.so.6
+  Runpath   : /usr/local/openresty/luajit/lib:/usr/local/kong/lib:/usr/local/openresty/lualib
+  Modules   :
+  - lua-kong-nginx-module
+  - lua-kong-nginx-module/stream
+  - lua-resty-events
+  - lua-resty-lmdb
+  - ngx_brotli
+  - ngx_wasmx_module
+  OpenSSL   : OpenSSL 3.2.3 3 Sep 2024
+  DWARF     : True
+  DWARF - ngx_http_request_t related DWARF DIEs: True
+
+- Path      : /usr/local/openresty/site/lualib/libatc_router.so
+  Needed    :
+  - libgcc_s.so.1
+  - libc.so.6
+  - ld-linux-x86-64.so.2
+
+- Path      : /usr/local/openresty/site/lualib/libjson_threat_protection.so
+  Needed    :
+  - libgcc_s.so.1
+  - libc.so.6
+  - ld-linux-x86-64.so.2
+
+- Path      : /usr/local/openresty/site/lualib/liblua_resty_jsonschema_rs.so
+  Needed    :
+  - libgcc_s.so.1
+  - libm.so.6
+  - libc.so.6
+  - ld-linux-x86-64.so.2
+
+- Path      : /usr/local/openresty/site/lualib/libsimdjson_ffi.so
+  Needed    :
+  - libstdc++.so.6
+  - libgcc_s.so.1
+  - libc.so.6
+
+- Path      : /usr/local/share/lua/5.1/kong/portal
+  Type      : directory
+
+- Path      : /usr/local/share/xml/xsd
+  Type      : directory
+