Adding fips compliant agents to Prerelease on demand workflow (#1942)

* Feat: Adding Fips compliant Infrastructure agents to prerelease build pipeline.
* Ubuntu16 Builder Dockerfile.
* Adding 'FIPS, NON-FIPS and ALL' as a workflow field option for prerelease on demand.
* New signing scripts to overcome the lack of support for Passphrase pinned.
* Edited binary names, and fips variable in linux on demand workflow
* Added fips parameter to the package_name as needed for metadata
* Update goreleaser version (#1960)
* Add step to test fips binaries for fips compliance (#1963)

---------

Co-authored-by: alvarocabanas <[email protected]>
Co-authored-by: Rohan Yadav <[email protected]>

Author: 3 people

.github/workflows/component_linux_build.yml

@@ -28,3 +28,7 @@ jobs:
           password: ${{ secrets.DOCKER_HUB_PASSWORD }}
       - name: Build all platforms:arch
         run: make ci/build
+      - name: Test FIPS binaries for fips compliance
+        uses: newrelic/coreint-automation/test-fips-action@v3
+        with:
+          binaries_path: "./dist"

.github/workflows/prerelease_linux_on_demand.yml

@@ -12,6 +12,10 @@ on:
       dest_prefix:
         description: 'Repo prefix'
         required: true
+      BUILD_MODE:
+        description: 'Enable NON-FIPS, FIPS or ALL'
+        required: false
+        default: 'NON-FIPS' # "ALL" "NON-FIPS" "FIPS":
 
 env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -55,7 +59,8 @@ jobs:
           username: ${{ env.DOCKER_HUB_ID }}
           password: ${{ env.DOCKER_HUB_PASSWORD }}
 
-      - name: Preparing all linux packages
+      - name: Preparing all NON-FIPS linux packages
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'NON-FIPS' }}
         run: make ci/prerelease/linux
         env:
           TAG: ${{ env.FAKE_TAG }}
@@ -67,7 +72,8 @@ jobs:
           files_path: 'dist'
           run_sudo: true
 
-      - name: Publish deb to S3 action
+      - name: Publish NON-FIPS deb to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'NON-FIPS' }}
         uses: newrelic/[email protected]
         with:
           tag: ${{env.FAKE_TAG}}
@@ -92,7 +98,8 @@ jobs:
           local_packages_path:  "/srv/dist/"
           apt_skip_mirror:  true
 
-      - name: Publish rpm to S3 action
+      - name: Publish NON-FIPS rpm to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'NON-FIPS' }}
         uses: newrelic/[email protected]
         with:
           tag: ${{env.FAKE_TAG}}
@@ -116,7 +123,8 @@ jobs:
           dest_prefix: ${{ env.DEST_PREFIX }}
           local_packages_path:  "/srv/dist/"
 
-      - name: Publish targz to S3 action
+      - name: Publish NON-FIPS targz to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'NON-FIPS' }}
         uses: newrelic/[email protected]
         with:
           tag: ${{env.FAKE_TAG}}
@@ -139,3 +147,98 @@ jobs:
           disable_lock: ${{ env.DISABLE_LOCK }}
           dest_prefix: ${{ env.DEST_PREFIX }}
           local_packages_path:  "/srv/dist/"
+
+      - name: Preparing all FIPS linux packages
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+        run: make ci/prerelease/linux-fips
+        env:
+          TAG: ${{ env.FAKE_TAG }}
+          FIPS: "-fips"
+      - name: Test FIPS binaries for fips compliance
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+        uses: newrelic/coreint-automation/test-fips-action@v3
+        with:
+          binaries_path: "./dist"
+
+      - name: Generate checksum files
+        uses: ./.github/actions/generate-checksums
+        with:
+          files_regex: '.*\(tar.gz\|deb\|rpm\)'
+          files_path: 'dist'
+          run_sudo: true
+
+      - name: Publish FIPS deb to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+        uses: newrelic/[email protected]
+        with:
+          tag: ${{env.FAKE_TAG}}
+          app_name: "newrelic-infra-fips"
+          repo_name: "newrelic/infrastructure-agent"
+          schema: "custom"
+          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.BRANCH }}/build/upload-schema-linux-deb-fips.yml"
+          aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
+          aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }}
+          access_point_host: ${{ env.ACCESS_POINT_HOST }}
+          run_id: ${{ env.RUN_ID }}
+          aws_region: ${{ env.AWS_REGION }}
+          aws_role_session_name: ${{ env.AWS_ROLE_SESSION_NAME }}
+          aws_role_arn: ${{ env.AWS_ROLE_ARN }}
+          # used for signing package stuff
+          gpg_passphrase: ${{ env.GPG_PASSPHRASE }}
+          gpg_private_key_base64: ${{ env.GPG_PRIVATE_KEY_BASE64 }}
+          disable_lock: ${{ env.DISABLE_LOCK }}
+          dest_prefix: ${{ env.DEST_PREFIX }}
+          local_packages_path:  "/srv/dist/"
+          apt_skip_mirror:  true
+
+      - name: Publish FIPS rpm to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+        uses: newrelic/[email protected]
+        with:
+          tag: ${{env.FAKE_TAG}}
+          app_name: "newrelic-infra-fips"
+          repo_name: "newrelic/infrastructure-agent"
+          schema: "custom"
+          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.BRANCH }}/build/upload-schema-linux-rpm-fips.yml"
+          aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
+          aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }}
+          access_point_host: ${{ env.ACCESS_POINT_HOST }}
+          run_id: ${{ env.RUN_ID }}
+          aws_region: ${{ env.AWS_REGION }}
+          aws_role_session_name: ${{ env.AWS_ROLE_SESSION_NAME }}
+          aws_role_arn: ${{ env.AWS_ROLE_ARN }}
+          # used for signing package stuff
+          gpg_passphrase: ${{ env.GPG_PASSPHRASE }}
+          gpg_private_key_base64: ${{ env.GPG_PRIVATE_KEY_BASE64 }}
+          disable_lock: ${{ env.DISABLE_LOCK }}
+          dest_prefix: ${{ env.DEST_PREFIX }}
+          local_packages_path:  "/srv/dist/"
+
+      - name: Publish FIPS targz to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+        uses: newrelic/[email protected]
+        with:
+          tag: ${{env.FAKE_TAG}}
+          app_name: "newrelic-infra-fips"
+          repo_name: "newrelic/infrastructure-agent"
+          schema: "custom"
+          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.BRANCH }}/build/upload-schema-linux-targz-fips.yml"
+          aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
+          aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }}
+          access_point_host: ${{ env.ACCESS_POINT_HOST }}
+          run_id: ${{ env.RUN_ID }}
+          aws_region: ${{ env.AWS_REGION }}
+          aws_role_session_name: ${{ env.AWS_ROLE_SESSION_NAME }}
+          aws_role_arn: ${{ env.AWS_ROLE_ARN }}
+          # used for signing package stuff
+          gpg_passphrase: ${{ env.GPG_PASSPHRASE }}
+          gpg_private_key_base64: ${{ env.GPG_PRIVATE_KEY_BASE64 }}
+          disable_lock: ${{ env.DISABLE_LOCK }}
+          dest_prefix: ${{ env.DEST_PREFIX }}
+          local_packages_path:  "/srv/dist/"

build/.goreleaser_macos.yml

@@ -1,7 +1,8 @@
+version: 2
 project_name: infrastructure-agent
 
 snapshot:
-  name_template: 0.0.0
+  version_template: 0.0.0
 
 builds:
   - id: darwin-newrelic-infra

build/Dockerfile

@@ -1,19 +1,54 @@
-FROM golang:1.22-bullseye
+# Use Ubuntu 16.04 as the base image
+FROM ubuntu:16.04
 
+# Define Go version
+ARG GO_VERSION=1.22.10
+# Define build-time arguments for the GitHub CLI version and architecture
 ARG GH_VERSION='2.0.0'
 ARG GH_ARCH='amd64'
 
-RUN apt-get update \
-    && apt-get -y install \
-        rpm \
-        gnupg2 \
-        gpg-agent \
-        debsigs \
-        unzip \
-        zip
 
-RUN curl -L https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${GH_ARCH}.deb -o gh_${GH_VERSION}_linux_${GH_ARCH}.deb
-RUN dpkg -i gh_${GH_VERSION}_linux_${GH_ARCH}.deb
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    curl \
+    wget \
+    expect \
+    git \
+    tar \
+    gcc \
+    g++ \
+    gnupg2 \
+    gnupg-agent \
+    debsigs \
+    rpm \
+    build-essential \
+    software-properties-common \
+    python-software-properties \
+    gcc-arm-linux-gnueabi \
+    dpkg-sig \
+    gcc-aarch64-linux-gnu
 
+
+# # Manually install cross-compilers
+# RUN apt-get install -y \
+# gcc-5-multilib-mips-linux-gnu
+
+# Install Go 1.22.0
+RUN curl -sSL https://golang.org/dl/go${GO_VERSION}.linux-amd64.tar.gz -o go${GO_VERSION}.linux-amd64.tar.gz && \
+    tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz && \
+    rm go${GO_VERSION}.linux-amd64.tar.gz
+
+# Set Go environment variables
+ENV PATH="/usr/local/go/bin:/go/bin:${PATH}"
+ENV GOPATH="/go"
+
+# Download and install the GitHub CLI
+RUN curl -L https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${GH_ARCH}.deb -o gh_${GH_VERSION}_linux_${GH_ARCH}.deb && \
+    dpkg -i gh_${GH_VERSION}_linux_${GH_ARCH}.deb && \
+    rm gh_${GH_VERSION}_linux_${GH_ARCH}.deb
+
+# Optional: Set Go environment flags
 ENV GOFLAGS="-buildvcs=false"
+
+# Optional: Configure git
 RUN git config --global --add safe.directory /go/src/github.com/newrelic/infrastructure-agent

build/ci.mk

@@ -1,4 +1,5 @@
 BUILDER_IMG_TAG = infrastructure-agent-builder
+FIPS?=
 
 .PHONY: ci/deps
 ci/deps:GH_ARCH ?= amd64
@@ -59,6 +60,10 @@ ci/tools-test: ci/deps
 ci/prerelease/linux:
 	TARGET_OS=linux $(MAKE) ci/prerelease
 
+.PHONY : ci/prerelease/linux-fips
+ci/prerelease/linux-fips:
+	TARGET_OS=linux-fips $(MAKE) ci/prerelease
+
 .PHONY : ci/prerelease/linux-amd64
 ci/prerelease/linux-amd64:
 	TARGET_OS=linux-amd64 $(MAKE) ci/prerelease
@@ -105,8 +110,8 @@ ifdef TAG
 			-e GPG_PASSPHRASE \
 			-e GPG_PRIVATE_KEY_BASE64 \
 			-e SNAPSHOT=false \
+			-e FIPS=$(FIPS) \
 			$(BUILDER_IMG_TAG) make release-${TARGET_OS}
-
 else
 	@echo "===> infrastructure-agent ===  [ci/prerelease/linux] TAG env variable expected to be set"
 	exit 1

build/container/Makefile

@@ -23,6 +23,14 @@ ifeq ($(AGENT_ARCH), arm)
 	AGENT_ARCH := $(AGENT_ARCH)_6
 endif
 
+ifeq ($(AGENT_ARCH), arm64)
+	AGENT_ARCH := $(AGENT_ARCH)_v8.0
+endif
+
+ifeq ($(AGENT_ARCH), amd64)
+	AGENT_ARCH := $(AGENT_ARCH)_v1
+endif
+
 ifeq ($(DOCKER_PUBLISH), true)
 	DOCKER_BUILDX_EXTRA_ARGS = --push
 	DOCKER_BUILDX_ARGS += $(DOCKER_BUILDX_EXTRA_ARGS)

build/goreleaser/linux/al2023_amd64.yml

@@ -5,8 +5,14 @@
       - linux-agent-amd64
       - linux-ctl-amd64
       - linux-service-amd64
-    package_name: newrelic-infra
-    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2023.{{ .Arch }}"
+    package_name: "newrelic-infra{{ .Env.FIPS }}"
+    file_name_template: >-
+      newrelic-infra{{ .Env.FIPS }}-
+      {{- .Env.TAG }}-1.amazonlinux-2023.
+      {{- if eq .Arch "amd64" -}}x86_64
+      {{- else -}}
+      {{ .Arch }}
+      {{- end }}
     vendor: 'New Relic, Inc.'
     homepage: 'https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes'
     maintainer: '[email protected]'
@@ -44,17 +50,21 @@
         dst: '/var/db/newrelic-infra/newrelic-integrations/logging/out_newrelic.so'
       - src: 'assets/examples/logging/parsers.conf'
         dst: '/var/db/newrelic-infra/newrelic-integrations/logging/parsers.conf'
-    empty_folders:
-      - /opt/newrelic-infra/custom-integrations
-      - /opt/newrelic-infra/newrelic-integrations
-      - /var/db/newrelic-infra/custom-integrations
-      - /var/db/newrelic-infra/integrations.d
-      - /var/log/newrelic-infra
-      - /var/run/newrelic-infra
+
+      - dst: /opt/newrelic-infra/custom-integrations
+        type: dir
+      - dst: /opt/newrelic-infra/newrelic-integrations
+        type: dir
+      - dst: /var/db/newrelic-infra/custom-integrations
+        type: dir
+      - dst: /var/db/newrelic-infra/integrations.d
+        type: dir
+      - dst: /var/log/newrelic-infra
+        type: dir
+      - dst: /var/run/newrelic-infra
+        type: dir
     epoch: 0
     release: 1.amazonlinux-2023
-    replacements:
-      amd64: x86_64
 
     # Scripts to execute during the installation of the package.
     scripts:

build/goreleaser/linux/al2023_arm.yml

@@ -45,13 +45,19 @@
     #        dst: '/var/db/newrelic-infra/newrelic-integrations/logging/out_newrelic.so'
     #      - src: 'assets/examples/logging/parsers.conf'
     #        dst: '/var/db/newrelic-infra/newrelic-integrations/logging/parsers.conf'
-    empty_folders:
-      - /opt/newrelic-infra/custom-integrations
-      - /opt/newrelic-infra/newrelic-integrations
-      - /var/db/newrelic-infra/custom-integrations
-      - /var/db/newrelic-infra/integrations.d
-      - /var/log/newrelic-infra
-      - /var/run/newrelic-infra
+
+      - dst: /opt/newrelic-infra/custom-integrations
+        type: dir
+      - dst: /opt/newrelic-infra/newrelic-integrations
+        type: dir
+      - dst: /var/db/newrelic-infra/custom-integrations
+        type: dir
+      - dst: /var/db/newrelic-infra/integrations.d
+        type: dir
+      - dst: /var/log/newrelic-infra
+        type: dir
+      - dst: /var/run/newrelic-infra
+        type: dir
     epoch: 0
     release: 1.amazonlinux-2023
 

build/goreleaser/linux/al2023_arm64.yml

@@ -5,8 +5,8 @@
       - linux-agent-arm64
       - linux-ctl-arm64
       - linux-service-arm64
-    package_name: newrelic-infra
-    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2023.{{ .Arch }}"
+    package_name: "newrelic-infra{{ .Env.FIPS }}"
+    file_name_template: "newrelic-infra{{ .Env.FIPS }}-{{ .Env.TAG }}-1.amazonlinux-2023.{{ .Arch }}"
     vendor: 'New Relic, Inc.'
     homepage: 'https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes'
     maintainer: '[email protected]'
@@ -44,13 +44,19 @@
         dst: '/var/db/newrelic-infra/newrelic-integrations/logging/out_newrelic.so'
       - src: 'assets/examples/logging/parsers.conf'
         dst: '/var/db/newrelic-infra/newrelic-integrations/logging/parsers.conf'
-    empty_folders:
-      - /opt/newrelic-infra/custom-integrations
-      - /opt/newrelic-infra/newrelic-integrations
-      - /var/db/newrelic-infra/custom-integrations
-      - /var/db/newrelic-infra/integrations.d
-      - /var/log/newrelic-infra
-      - /var/run/newrelic-infra
+
+      - dst: /opt/newrelic-infra/custom-integrations
+        type: dir
+      - dst: /opt/newrelic-infra/newrelic-integrations
+        type: dir
+      - dst: /var/db/newrelic-infra/custom-integrations
+        type: dir
+      - dst: /var/db/newrelic-infra/integrations.d
+        type: dir
+      - dst: /var/log/newrelic-infra
+        type: dir
+      - dst: /var/run/newrelic-infra
+        type: dir
     epoch: 0
     release: 1.amazonlinux-2023