Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIPS Build #6565

Merged
merged 20 commits into from
Feb 28, 2025
Merged

FIPS Build #6565

merged 20 commits into from
Feb 28, 2025
+298 −28

Conversation

michel-laterman
Copy link
Contributor

What does this PR do?

Adds FIPS env var to magefile to enable FIPS compliant builds using the microsoft/go toolchain.

This PR will not be sufficient to ensure that every artifact made with these changes are compliant, we still need to verify our crypto use.

Why is it important?

FIPS artifacts must be built with compliant toolchains.

Checklist

  • I have read and understood the pull request guidelines of this project.
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

Disruptive User Impact

None

How to test this PR locally

Assuming microsoft go is available, run FIPS=true mage build:binary

@michel-laterman michel-laterman added Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team technical debt labels Jan 22, 2025
@mergify Mergify
Copy link
Contributor

mergify bot commented Jan 22, 2025

This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

@mergify Mergify
Copy link
Contributor

mergify bot commented Jan 22, 2025

backport-v8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Jan 22, 2025
@michel-laterman michel-laterman mentioned this pull request Jan 22, 2025
Open
4 tasks
@michel-laterman michel-laterman marked this pull request as ready for review February 12, 2025 18:05
@michel-laterman michel-laterman requested a review from a team as a code owner February 12, 2025 18:05
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@cmacknz
Copy link
Member

cmacknz commented Feb 12, 2025

This should come with a test that the binary we produce actually works, ideally one that can confirm it properly uses the FIPS OpenSSL in the expected way.

You'll also need to update CI to actually build the FIPS variant, the package steps for testing are in

elastic-agent/.buildkite/integration.pipeline.yml

Line 8 in a29af64

- group: "Integration tests: packaging"
right now

simitt
simitt reviewed Feb 18, 2025
View reviewed changes
simitt
simitt reviewed Feb 18, 2025
View reviewed changes
Copy link
Contributor

@simitt simitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar to what @cmacknz already suggested, there should be some tests. IMO there would ideally also be some unit tests for the mage functionality, which shouldn't be too hard given it is regular go code.

@michel-laterman
Review feedback
d5294d8 
Cleanup/fix build tag deduplication. Only set FIPS env when true is
passed. Add FIPS binary verification test and attempt to add to
pipeline.
@michel-laterman michel-laterman added the backport-8.18 Automated backport to the 8.18 branch label Feb 18, 2025
@mergify Mergify
Copy link
Contributor

mergify bot commented Feb 18, 2025

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fips-build upstream/fips-build
git merge upstream/main
git push upstream fips-build

@michel-laterman michel-laterman requested a review from a team as a code owner February 19, 2025 00:42
dliappis
dliappis reviewed Feb 19, 2025
View reviewed changes
simitt
simitt reviewed Feb 19, 2025
View reviewed changes
Copy link
Contributor

@simitt simitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some more comments, mostly trying to follow the complexity in the mage/release logic or seeing whether it can be reduced a bit to reduce the surface for bugs.

@simitt simitt requested a review from pchila February 20, 2025 18:12
@simitt
Copy link
Contributor

simitt commented Feb 20, 2025

Let's wait for a review from @pchila as this is related to packaging.

@dliappis dliappis self-requested a review February 20, 2025 18:17
dliappis
dliappis reviewed Feb 20, 2025
View reviewed changes
Copy link
Contributor

@dliappis dliappis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for iterating.
There seem to be a few failing tests in CI e.g. https://buildkite.com/elastic/elastic-agent-extended-testing/builds/7357#019520ad-6465-47f3-8b18-7fca000d61ba could you please take a look?

@michel-laterman
Copy link
Contributor Author

The current failure error is:

.../elastic-agent-9.0.0-SNAPSHOT-linux-x86_64-fips/manifest.yaml: no such file or directory

When I download the artifact and extract it, i can see the folder it creates is missing the -fips suffix; i'll try to get this working but I'm having issues stemming from running package on an arm macbook

pchila
pchila approved these changes Feb 25, 2025
View reviewed changes
Copy link
Member

@pchila pchila left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good enough to get a first FIPS compliant agent package in order to start testing.
There are some parts that will need modification to integrate with elastic-agent packaging code but that will be done in a follow-up PR that will produce FIPS artifacts along with the current ones.

Left a couple of comments as a reminder of what needs modifying

@michel-laterman
Copy link
Contributor Author

buildkite test this

@michel-laterman michel-laterman enabled auto-merge (squash) February 25, 2025 23:40
@michel-laterman
Copy link
Contributor Author

buildkite test this

swiatekm
swiatekm approved these changes Feb 27, 2025
View reviewed changes
@elasticmachine
Copy link
Contributor

elasticmachine commented Feb 27, 2025
edited
Loading

💛 Build succeeded, but was flaky

Failed CI Steps

History

cc @michel-laterman

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@michel-laterman
Copy link
Contributor Author

@dliappis, @v1v can I please get a review?

dliappis
dliappis approved these changes Feb 28, 2025
View reviewed changes
Copy link
Contributor

@dliappis dliappis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@michel-laterman michel-laterman merged commit b20efc1 into elastic:main Feb 28, 2025
14 checks passed
mergify bot pushed a commit that referenced this pull request Feb 28, 2025
@michel-laterman @mergify
FIPS Build (#6565)
12c957e 
Adds FIPS env var to magefile to enable FIPS compliant
binary builds using the microsoft/go toolchain.

(cherry picked from commit b20efc1)
@mergify mergify bot mentioned this pull request Feb 28, 2025
Open
4 tasks
mergify bot pushed a commit that referenced this pull request Feb 28, 2025
@michel-laterman @mergify
FIPS Build (#6565)
7c7567b 
Adds FIPS env var to magefile to enable FIPS compliant
binary builds using the microsoft/go toolchain.

(cherry picked from commit b20efc1)
@mergify mergify bot mentioned this pull request Feb 28, 2025
Open
4 tasks
@michel-laterman michel-laterman deleted the fips-build branch February 28, 2025 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simitt simitt simitt approved these changes

@dliappis dliappis dliappis approved these changes

@swiatekm swiatekm swiatekm approved these changes

@pchila pchila pchila approved these changes

@andrzej-stencel andrzej-stencel Awaiting requested review from andrzej-stencel andrzej-stencel is a code owner automatically assigned from elastic/elastic-agent-control-plane

Assignees

@michel-laterman michel-laterman

Labels
backport-8.x Automated backport to the 8.x branch with mergify backport-8.18 Automated backport to the 8.18 branch skip-changelog Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team technical debt
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@michel-laterman @elasticmachine @cmacknz @simitt @dliappis @swiatekm @pchila