feat(fips): update harvest tests to run for fips packages

Author: rajrohanyadav

build/build.mk

@@ -174,6 +174,12 @@ build-harvest-tests: CGO_ENABLED=0
 build-harvest-tests: deps
 	$(GO_BIN) test -c ./test/harvest -tags="harvest" -v
 
+.PHONY: build-harvest-tests-fips
+build-harvest-tests-fips: CGO_ENABLED=1
+build-harvest-tests-fips: GOEXPERIMENT=boringcrypto
+build-harvest-tests-fips: deps
+	$(GO_BIN) test -c ./test/harvest -tags="harvest,fips" -v
+
 
 .PHONY: proxy-test
 proxy-test:

test/automated/ansible/group_vars/localhost/main.yml

@@ -271,6 +271,16 @@ instances:
     platform: "linux"
     python_interpreter: "/usr/bin/python3"
     launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3"
+  #################################
+  # amazon linux 2023 amd64 FIPS
+  #################################
+  - ami: "ami-085fa628e46dcb929"
+    type: "t3a.small"
+    name: "amd64:al-2023-fips"
+    username: "ec2-user"
+    platform: "linux"
+    python_interpreter: "/usr/bin/python3"
+    launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3"
   ############################
   # amazon linux 2023 arm64
   ############################
@@ -281,6 +291,16 @@ instances:
     platform: "linux"
     python_interpreter: "/usr/bin/python3"
     launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3"
+  #################################
+  # amazon linux 2023 arm64 FIPS
+  #################################
+  - ami: "ami-06014e12b8efb52e2"
+    type: "t4g.small"
+    name: "arm64:al-2023-fips"
+    username: "ec2-user"
+    platform: "linux"
+    python_interpreter: "/usr/bin/python3"
+    launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3"
   ############################
   # windows amd64
   ############################

test/harvest/ansible/README.md

@@ -10,7 +10,8 @@ localhost ansible_connection=local
 
 [testing_hosts]
 amd64:debian-buster ansible_host=192.168.1.12 ansible_user=admin ansible_python_interpreter=/usr/bin/python3 
-amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python 
+amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python
+amd64:al-2023-fips ansible_host=192.168.1.14 ansible_user=ec2-user ansible_python_interpreter=/usr/bin/python3 ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -o MACs=hmac-sha2-256,hmac-sha2-512'
 ```
 
 ## Playbooks

test/harvest/ansible/roles/build-harvest-tests/tasks/main.yml

@@ -1,21 +1,41 @@
 ---
 
-- name: build harvest tests for every os/arch combination
-  ansible.builtin.shell: "CGO_ENABLED=0 GOOS=linux GOARCH={{item}} make build-harvest-tests && mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}"
+- name: Build harvest tests for Linux arch combination
+  ansible.builtin.shell: >
+    CGO_ENABLED=0 GOOS=linux GOARCH={{ item }} make build-harvest-tests &&
+    mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}
   args:
     chdir: "{{ agent_root_dir }}"
+    creates: "{{ os_arch_binary_name_tpl | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}"
   loop: "{{ goos_arch.linux }}"
 
-- name: build harvest tests for every os/arch combination
-  ansible.builtin.shell: "GOOS=darwin GOARCH={{item}} make build-harvest-tests && mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'darwin') | replace('%GOARCH%', item) }}"
+- name: Build harvest tests for Linux arch combination - FIPS
+  ansible.builtin.shell: >
+    CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux GOARCH={{ item }}
+    {% if item == 'arm64' %}CC=aarch64-linux-gnu-gcc{% endif %}
+    make build-harvest-tests-fips &&
+    mv {{ default_binary_name }} {{ os_arch_binary_name_tpl_fips | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}
   args:
     chdir: "{{ agent_root_dir }}"
+    creates: "{{ os_arch_binary_name_tpl_fips | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}"
+  loop: "{{ goos_arch.linux_fips }}"
+
+- name: Build harvest tests for Darwin arch combination
+  ansible.builtin.shell: >
+    GOOS=darwin GOARCH={{ item }} make build-harvest-tests &&
+    mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'darwin') | replace('%GOARCH%', item) }}
+  args:
+    chdir: "{{ agent_root_dir }}"
+    creates: "{{ os_arch_binary_name_tpl | replace('%GOOS%', 'darwin') | replace('%GOARCH%', item) }}"
   loop: "{{ goos_arch.darwin }}"
 
-- name: build harvest tests for every os/arch combination
-  ansible.builtin.shell: "GOOS=windows GOARCH={{item}} make build-harvest-tests && mv {{ default_binary_name }}.exe {{ os_arch_binary_name_tpl | replace('%GOOS%', 'win32nt') | replace('%GOARCH%', item) }}.exe"
+- name: Build harvest tests for Windows arch combination
+  ansible.builtin.shell: >
+    GOOS=windows GOARCH={{ item }} make build-harvest-tests &&
+    mv {{ default_binary_name }}.exe {{ os_arch_binary_name_tpl | replace('%GOOS%', 'win32nt') | replace('%GOARCH%', item) }}.exe
   args:
     chdir: "{{ agent_root_dir }}"
+    creates: "{{ os_arch_binary_name_tpl | replace('%GOOS%', 'win32nt') | replace('%GOARCH%', item) }}.exe"
   loop: "{{ goos_arch.windows }}"
 
 

test/harvest/ansible/roles/build-harvest-tests/vars/main.yml

@@ -3,11 +3,15 @@
 agent_root_dir: ""
 default_binary_name: "harvest.test"
 os_arch_binary_name_tpl: "harvest_%GOOS%_%GOARCH%.test"
+os_arch_binary_name_tpl_fips: "harvest_%GOOS%-fips_%GOARCH%.test"
 goos_arch:
   linux:
     - "amd64"
     - "arm"
     - "arm64"
+  linux_fips:
+    - "amd64"
+    - "arm64"
   darwin:
     - "amd64"
     - "arm64"

test/harvest/ansible/roles/run-harvest-tests/tasks/main.yml

@@ -1,15 +1,26 @@
 ---
 
-- name: register os/arch specific binary name
-  set_fact:
-    os_arch_binary_name: "{{ os_arch_binary_name_tpl | replace('%GOOS%',ansible_system|lower) | replace('%GOARCH%',architecture_map[ansible_architecture]) }}"
+- name: Register os/arch specific binary name
+  ansible.builtin.set_fact:
+    os_arch_binary_name: "{{ os_arch_binary_name_tpl
+      | replace('%GOOS%', ansible_system | lower)
+      | replace('%GOARCH%', architecture_map[ansible_architecture]) }}"
+  when: "'-fips' not in inventory_hostname"
 
-- name: copy binary
+- name: Register os/arch specific binary name - FIPS
+  ansible.builtin.set_fact:
+    os_arch_binary_name: "{{ os_arch_binary_name_tpl_fips
+      | replace('%GOOS%', ansible_system | lower)
+      | replace('%GOARCH%', architecture_map[ansible_architecture]) }}"
+  when: "'-fips' in inventory_hostname"
+
+- name: Copy binary
   ansible.builtin.copy:
     src: "{{ agent_root_dir }}/{{ os_arch_binary_name }}"
     dest: "{{ ansible_user_dir }}/{{ os_arch_binary_name }}"
     mode: '0755'
 
-- include_tasks: "execute-tests-{{ ansible_system }}.yaml"
+- name: Include OS-specific test tasks
+  ansible.builtin.include_tasks: "execute-tests-{{ ansible_system }}.yaml"
 
 ...

test/harvest/ansible/roles/run-harvest-tests/vars/main.yml

@@ -6,4 +6,5 @@ architecture_map:
   64-bit: "amd64"
 
 os_arch_binary_name_tpl: "harvest_%GOOS%_%GOARCH%.test{{ '.exe' if ansible_system == 'Win32NT' else '' }}"
+os_arch_binary_name_tpl_fips: "harvest_%GOOS%-fips_%GOARCH%.test{{ '.exe' if ansible_system == 'Win32NT' else '' }}"
 tests_to_run_regex: ".*"

test/harvest/ansible/test.yml

@@ -4,22 +4,24 @@
 # It will build the harvest tests binaries for specified architectures/os combinations
 # and copy and run them in the testing_hosts hosts
 
-- hosts: localhost
+- name: Build harvest tests on localhost
+  hosts: localhost
   become: false
-  gather_facts: no
+  gather_facts: false
 
   tasks:
-    - name: build harvest tests
-      include_role:
+    - name: Build harvest tests
+      ansible.builtin.include_role:
         name: build-harvest-tests
 
 
-- hosts: testing_hosts
-  gather_facts: yes
+- name: Copy and run harvest tests on testing hosts
+  hosts: testing_hosts
+  gather_facts: true
 
   tasks:
-    - name: copy and run harvest tests
-      include_role:
+    - name: Copy and run harvest tests
+      ansible.builtin.include_role:
         name: run-harvest-tests
 
 ...

test/provision/terraform/caos.auto.tfvars.dist

@@ -2,9 +2,9 @@ ec2_prefix = "PREFIX:TAG_OR_UNIQUE_NAME"
 
 windows_ec2 = ["windows_2016", "windows_2019", "windows_2022"]
 
-linux_ec2_amd = ["amd64:ubuntu24.04", "amd64:ubuntu22.04", "amd64:ubuntu20.04", "amd64:ubuntu18.04", "amd64:ubuntu16.04", "amd64:centos-stream", "amd64:sles-12.5", "amd64:sles-15.3",  "amd64:sles-15.4", "amd64:sles-15.5", "amd64:sles-15.6", "amd64:redhat-8.4", "amd64:redhat-9.0", "amd64:debian-bookworm", "amd64:al-2", "amd64:al-2023"]
+linux_ec2_amd = ["amd64:ubuntu24.04", "amd64:ubuntu22.04", "amd64:ubuntu20.04", "amd64:ubuntu18.04", "amd64:ubuntu16.04", "amd64:centos-stream", "amd64:sles-12.5", "amd64:sles-15.3",  "amd64:sles-15.4", "amd64:sles-15.5", "amd64:sles-15.6", "amd64:redhat-8.4", "amd64:redhat-9.0", "amd64:debian-bookworm", "amd64:al-2", "amd64:al-2023", "amd64:al-2023-fips"]
 
-linux_ec2_arm = ["arm64:ubuntu24.04", "arm64:ubuntu22.04", "arm64:ubuntu20.04", "arm64:ubuntu18.04", "arm64:ubuntu16.04", "arm64:centos-stream", "arm64:sles-15.3",  "arm64:sles-15.4", "arm64:sles-15.5", "arm64:sles-15.6", "arm64:redhat-9.0", "arm64:debian-bookworm", "arm64:al-2", "arm64:al-2023"]
+linux_ec2_arm = ["arm64:ubuntu24.04", "arm64:ubuntu22.04", "arm64:ubuntu20.04", "arm64:ubuntu18.04", "arm64:ubuntu16.04", "arm64:centos-stream", "arm64:sles-15.3",  "arm64:sles-15.4", "arm64:sles-15.5", "arm64:sles-15.6", "arm64:redhat-9.0", "arm64:debian-bookworm", "arm64:al-2", "arm64:al-2023", "arm64:al-2023-fips"]
 
 ssh_pub_key      = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDH9C7BS2XrtXGXFFyL0pNku/Hfy84RliqvYKpuslJFeUivf5QY6Ipi8yXfXn6TsRDbdxfGPi6oOR60Fa+4cJmCo6N5g57hBS6f2IdzQBNrZr7i1I/a3cFeK6XOc1G1tQaurx7Pu+qvACfJjLXKG66tHlaVhAHd/1l2FocgFNUDFFuKS3mnzt9hKys7sB4aO3O0OdohN/0NJC4ldV8/OmeXqqfkiPWcgPx3C8bYyXCX7QJNBHKrzbX1jW51Px7SIDWFDV6kxGwpQGGBMJg/k79gjjM+jhn4fg1/VP/Fx37mAnfLqpcTfiOkzSE80ORGefQ1XfGK/Dpa3ITrzRYW8xlR caos-dev-arm"
 pvt_key          = "~/.ssh/caos-dev-arm.cer"

test/provision/terraform/inventory.tmpl

@@ -15,12 +15,12 @@ windows_amd64
 
 [linux_amd64]
 %{ for index, vms in agent-ids ~}
-%{ if platform[index] == "linux" && strcontains(vms, "amd64") }${vms} ansible_user=${agent-user[index]} ansible_host=${agent-private-ip[index]} ansible_python_interpreter=${agent-python[index]} iid=${instance-id[index]}%{ endif }
+%{ if platform[index] == "linux" && strcontains(vms, "amd64") }${vms} ansible_user=${agent-user[index]} ansible_host=${agent-private-ip[index]} ansible_python_interpreter=${agent-python[index]} iid=${instance-id[index]}%{ if strcontains(vms, "fips") } ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -o MACs=hmac-sha2-256,hmac-sha2-512'%{ endif }%{ endif }
 %{ endfor ~}
 
 [linux_arm64]
 %{ for index, vms in agent-ids ~}
-%{ if platform[index] == "linux" && strcontains(vms, "arm64") }${vms} ansible_user=${agent-user[index]} ansible_host=${agent-private-ip[index]} ansible_python_interpreter=${agent-python[index]} iid=${instance-id[index]}%{ endif }
+%{ if platform[index] == "linux" && strcontains(vms, "arm64") }${vms} ansible_user=${agent-user[index]} ansible_host=${agent-private-ip[index]} ansible_python_interpreter=${agent-python[index]} iid=${instance-id[index]}%{ if strcontains(vms, "fips") } ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -o MACs=hmac-sha2-256,hmac-sha2-512'%{ endif }%{ endif }
 %{ endfor ~}
 
 [windows_amd64]