Acabanas pkg test fips (#1931)

* test packages * test packages 2 * POC for FIPS = true on pipelines * Delete .github/workflows/test_pkg.yml --------- Co-authored-by: alvarocabanas <[email protected]>
newrelic · Oct 2, 2024 · 77be0a8 · 77be0a8
1 parent ac4d43b
commit 77be0a8
Show file tree

Hide file tree

Showing 4 changed files with 139 additions and 11 deletions.
diff --git a/.github/workflows/prerelease_linux_on_demand.yml b/.github/workflows/prerelease_linux_on_demand.yml
@@ -12,6 +12,10 @@ on:
  dest_prefix:
  description: 'Repo prefix'
  required: true
+ BUILD_MODE:
+ description: 'Enable Normal, FIPS or ALL'
+ required: false
+ default: '' # "all" "FIPS":
 
 env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -47,7 +51,7 @@ jobs:
  ref: ${{ env.BRANCH }}
 
  - name: "Tag this commit" # required for Goreleaser
- run: git tag ${{ env.FAKE_TAG }}
+ run: git tag
 
  - name: Login to DockerHub
  uses: docker/login-action@v1
@@ -56,10 +60,17 @@ jobs:
  password: ${{ env.DOCKER_HUB_PASSWORD }}
 
  - name: Preparing all linux packages
+ if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == '' }}
  run: make ci/prerelease/linux
  env:
  TAG: ${{ env.FAKE_TAG }}
 
+ - name: Preparing all linux packages
+ if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+ run: make ci/prerelease/linux-fips
+ env:
+ TAG: ${{ env.FAKE_TAG }}
+
  - name: Generate checksum files
  uses: ./.github/actions/generate-checksums
  with:
@@ -68,6 +79,7 @@ jobs:
  run_sudo: true
 
  - name: Publish deb to S3 action
+ if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == '' }}
  uses: newrelic/[email protected]
  with:
  tag: ${{env.FAKE_TAG}}
@@ -92,6 +104,33 @@ jobs:
  local_packages_path: "/srv/dist/"
  apt_skip_mirror: true
 
+
+ - name: Publish deb to S3 action
+ if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+ uses: newrelic/[email protected]
+ with:
+ tag: ${{env.FAKE_TAG}}
+ app_name: "newrelic-infra"
+ repo_name: "newrelic/infrastructure-agent"
+ schema: "custom"
+ schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.BRANCH }}/build/upload-schema-linux-deb-fips.yml"
+ aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
+ aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+ aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
+ aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }}
+ access_point_host: ${{ env.ACCESS_POINT_HOST }}
+ run_id: ${{ env.RUN_ID }}
+ aws_region: ${{ env.AWS_REGION }}
+ aws_role_session_name: ${{ env.AWS_ROLE_SESSION_NAME }}
+ aws_role_arn: ${{ env.AWS_ROLE_ARN }}
+ # used for signing package stuff
+ gpg_passphrase: ${{ env.GPG_PASSPHRASE }}
+ gpg_private_key_base64: ${{ env.GPG_PRIVATE_KEY_BASE64 }}
+ disable_lock: ${{ env.DISABLE_LOCK }}
+ dest_prefix: ${{ env.DEST_PREFIX }}
+ local_packages_path: "/srv/dist/"
+ apt_skip_mirror: true
+
  - name: Publish rpm to S3 action
  uses: newrelic/[email protected]
  with:

diff --git a/build/ci.mk b/build/ci.mk
@@ -1,9 +1,13 @@
 BUILDER_IMG_TAG = infrastructure-agent-builder
+BUILDER_IMG_TAG_FIPS = infrastructure-agent-builder-fips
+MODE=?
 
 .PHONY: ci/deps
 ci/deps:GH_ARCH ?= amd64
 ci/deps:
- @docker build -t $(BUILDER_IMG_TAG) --build-arg GH_ARCH=$(GH_ARCH) -f $(CURDIR)/build/Dockerfile.fips $(CURDIR)
+ @docker build -t $(BUILDER_IMG_TAG) --build-arg GH_ARCH=$(GH_ARCH) -f $(CURDIR)/build/Dockerfile $(CURDIR)
+ci/deps-fips:
+ @docker build -t $(BUILDER_IMG_TAG_FIPS) --build-arg GH_ARCH=$(GH_ARCH) -f $(CURDIR)/build/Dockerfile.fips $(CURDIR)
 
 .PHONY: ci/validate
 ci/validate: ci/deps
@@ -59,6 +63,10 @@ ci/tools-test: ci/deps
 ci/prerelease/linux:
  TARGET_OS=linux $(MAKE) ci/prerelease
 
+.PHONY : ci/prerelease/linux-fips
+ci/prerelease/linux-fips:
+ TARGET_OS=linux-fips $(MAKE) ci/prerelease-fips
+
 .PHONY : ci/prerelease/linux-amd64
 ci/prerelease/linux-amd64:
  TARGET_OS=linux-amd64 $(MAKE) ci/prerelease
@@ -107,6 +115,29 @@ ifdef TAG
  -e SNAPSHOT=false \
  $(BUILDER_IMG_TAG) make release-${TARGET_OS}
 
+
+else
+ @echo "===> infrastructure-agent === [ci/prerelease/linux] TAG env variable expected to be set"
+ exit 1
+endif
+
+.PHONY : ci/prerelease-fips
+ci/prerelease-fips: ci/deps-fips
+ifdef TAG
+ @docker run --rm -t \
+ --name "infrastructure-agent-prerelease" \
+ -v $(CURDIR):/go/src/github.com/newrelic/infrastructure-agent \
+ -w /go/src/github.com/newrelic/infrastructure-agent \
+ -e PRERELEASE=true \
+ -e GITHUB_TOKEN \
+ -e TAG \
+ -e GPG_MAIL \
+ -e GPG_PASSPHRASE \
+ -e GPG_PRIVATE_KEY_BASE64 \
+ -e SNAPSHOT=false \
+ $(BUILDER_IMG_TAG_FIPS) make release-${TARGET_OS}
+
+
 else
  @echo "===> infrastructure-agent === [ci/prerelease/linux] TAG env variable expected to be set"
  exit 1

diff --git a/build/release.mk b/build/release.mk
@@ -69,6 +69,17 @@ release/pkg-linux: release/get-fluentbit-linux-arm64
  @echo "=== [release/pkg-linux] PRE-RELEASE compiling all binaries, creating packages, archives"
  $(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)
 
+.PHONY : release/pkg-linux-fips
+release/pkg-linux: release/deps release/clean generate-goreleaser-multiarch-fips
+release/pkg-linux: release/get-integrations-amd64 #NO FIPS ASSETS AVAILABLE FOR NOW
+release/pkg-linux: release/get-integrations-arm64 #NO FIPS ASSETS AVAILABLE FOR NOW
+release/pkg-linux: release/get-integrations-arm #NO FIPS ASSETS AVAILABLE FOR NOW
+release/pkg-linux: release/get-fluentbit-linux-amd64 #NO FIPS ASSETS AVAILABLE FOR NOW
+#release/pkg-linux: release/get-fluentbit-linux-arm
+release/pkg-linux: release/get-fluentbit-linux-arm64 #NO FIPS ASSETS AVAILABLE FOR NOW
+ @echo "=== [release/pkg-linux] PRE-RELEASE compiling all binaries, creating packages, archives"
+ $(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)
+
 .PHONY : release/pkg-linux-amd64
 release/pkg-linux-amd64: release/deps release/clean
 release/pkg-linux-amd64: generate-goreleaser-amd64
@@ -84,11 +95,11 @@ release/pkg-linux-arm: release/get-integrations-arm
  @echo "=== [release/pkg-linux-arm] PRE-RELEASE compiling all binaries, creating packages, archives"
  $(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)
 
-.PHONY : release/pkg-linux-arm64
-release/pkg-linux-arm64: release/deps release/clean generate-goreleaser-arm64
-release/pkg-linux-arm64: release/get-integrations-arm64
-release/pkg-linux-arm64: release/get-fluentbit-linux-arm64
- @echo "=== [release/pkg-linux-arm64] PRE-RELEASE compiling all binaries, creating packages, archives"
+.PHONY : release/pkg-linux-fips-arm64
+release/pkg-linux-fips-arm64: release/deps release/clean generate-goreleaser-fips-arm64
+release/pkg-linux-fips-arm64: release/get-integrations-arm64
+release/pkg-linux-fips-arm64: release/get-fluentbit-linux-arm64
+ @echo "=== [release/pkg-linux-arm64] PRE-RELEASE compiling all fips binaries, creating packages, archives"
  $(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)
 
 .PHONY : release/pkg-linux-legacy
@@ -148,6 +159,10 @@ release-linux-arm: release/pkg-linux-arm release/fix-tarballs-linux release/sign
 release-linux-arm64: release/pkg-linux-arm64 release/fix-tarballs-linux release/sign
  @echo "=== [release-linux-arm64] full pre-release cycle complete for nix"
 
+.PHONY : release-linux-fips-arm64
+release-linux-fips-arm64: release/pkg-linux-arm64 release/fix-tarballs-linux release/sign
+ @echo "=== [release-linux-arm64] full pre-release cycle complete for nix"
+
 .PHONY : release-linux-legacy
  release-linux-legacy: release/pkg-linux-legacy release/fix-tarballs-linux release/sign
  @echo "=== [release-linux-legacy] full pre-release cycle complete for nix"
@@ -287,6 +302,49 @@ generate-goreleaser-multiarch:
  $(CURDIR)/build/goreleaser/linux/sles_155_arm64.yml\
  > $(GORELEASER_CONFIG_LINUX)
 
+.PHONY : generate-goreleaser-multiarch-fips
+generate-goreleaser-multiarch-fips:
+ cat $(CURDIR)/build/goreleaser/linux/header.yml\
+ $(CURDIR)/build/goreleaser/linux/build_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/build_arm.yml\
+ $(CURDIR)/build/goreleaser/linux/build_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/archives_header.yml\
+ $(CURDIR)/build/goreleaser/linux/archives_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/archives_arm.yml\
+ $(CURDIR)/build/goreleaser/linux/archives_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/nfpms_header.yml\
+ $(CURDIR)/build/goreleaser/linux/al2023_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/al2023_arm.yml\
+ $(CURDIR)/build/goreleaser/linux/al2023_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/al2_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/al2_arm.yml\
+ $(CURDIR)/build/goreleaser/linux/al2_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/centos_6_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/centos_7_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/centos_7_arm.yml\
+ $(CURDIR)/build/goreleaser/linux/centos_7_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/centos_8_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/centos_8_arm.yml\
+ $(CURDIR)/build/goreleaser/linux/centos_8_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/rhel_9_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/rhel_9_arm.yml\
+ $(CURDIR)/build/goreleaser/linux/rhel_9_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/debian_systemd_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/debian_systemd_arm.yml\
+ $(CURDIR)/build/goreleaser/linux/debian_systemd_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/debian_upstart_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_125_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_125_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_152_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_152_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_153_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_153_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_154_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_154_arm64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_155_amd64.yml\
+ $(CURDIR)/build/goreleaser/linux/sles_155_arm64.yml\
+ > $(GORELEASER_CONFIG_LINUX)
+
 .PHONY : generate-goreleaser-for-docker
 generate-goreleaser-for-docker:
  cat $(CURDIR)/build/goreleaser/linux/header.yml\

diff --git a/build/upload-schema-linux-deb.yml b/build/upload-schema-linux-deb.yml
@@ -1,5 +1,5 @@
 ---
-- src: "newrelic-infra_systemd_{version}_{arch}.deb"
+- src: "newrelic-infra_systemd_{version}_{arch}_fips.deb"
  arch:
  - amd64
  - arm64
@@ -22,7 +22,7 @@
  - bullseye
  - bookworm
 
-- src: "newrelic-infra_upstart_{version}_{arch}.deb"
+- src: "newrelic-infra_upstart_{version}_{arch}_fips.deb"
  arch:
  - amd64
  uploads:
@@ -37,15 +37,15 @@
  # UPLOAD CHECKSUMS #
 #########################
 
-- src: "newrelic-infra_systemd_{version}_{arch}.deb.sum"
+- src: "newrelic-infra_systemd_{version}_{arch}_fips.deb.sum"
  arch:
  - amd64
  - arm64
  - arm
  uploads:
  - type: file
  dest: "{dest_prefix}linux/apt/pool/main/n/newrelic-infra/{src}"
-- src: "newrelic-infra_upstart_{version}_{arch}.deb.sum"
+- src: "newrelic-infra_upstart_{version}_{arch}_fips.deb.sum"
  arch:
  - amd64
  uploads: