Add fips canaries (#1988)

* Add fips canaries
* Condition Fips canary previous to have a second release

Author: alvarocabanas

.github/workflows/component_canaries.yml

@@ -32,10 +32,10 @@ jobs:
     runs-on: ubuntu-20.04
     if: ${{ inputs.PLATFORM == 'macos' }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -68,10 +68,10 @@ jobs:
     runs-on: ubuntu-20.04
     if: ${{ inputs.PLATFORM == 'linux' }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -130,10 +130,10 @@ jobs:
     runs-on: ubuntu-20.04
     if: ${{ inputs.PLATFORM == 'windows' }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2

test/canaries/deploy_canaries.yml

@@ -19,27 +19,31 @@
       block:
 
         - name: install latest agent on host
-          include_role:
+          ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
-            target_version: "{{ current_version }}"
             repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+            fips_enabled: "{{ '-fips' in inventory_hostname }}"
 
         - name: install latest agent in container
-          include_role:
+          ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
             is_containerized: true
             target_version: "{{ current_version }}-rc"
             display_name: "{{ inventory_hostname }}-current"
+            fips_enabled: "{{ '-fips' in inventory_hostname }}"
 
         - name: install previous agent in container
-          include_role:
+          # Remove the "when" condition after second release https://new-relic.atlassian.net/browse/NR-355851
+          when: "'-fips' not in inventory_hostname"
+          ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
             is_containerized: true
             target_version: "{{ previous_version }}"
             display_name: "{{ inventory_hostname }}-previous"
+            fips_enabled: "{{ '-fips' in inventory_hostname }}"
 
 # Windows
 - name: installation-agent-no-clean

test/packaging/ansible/installation-pinned.yml

@@ -18,22 +18,12 @@
 
       block:
         - name: Install agent
-          # when: "'-fips' not in inventory_hostname"
           ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
             target_version: "{{ target_agent_version }}"
             repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-
-        # TODO: https://new-relic.atlassian.net/browse/NR-355845 Uncomment when FIPS version is available for the minimum version
-        # - name: Install agent - FIPS
-        #   when: "'-fips' in inventory_hostname"
-        #   ansible.builtin.include_role:
-        #     name: caos.ansible_roles.infra_agent
-        #   vars:
-        #     target_version: "{{ target_agent_version }}"
-        #     repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-        #     fips_enabled: true
+            fips_enabled: "{{ '-fips' in inventory_hostname }}"
 
         - name: Assert version
           ansible.builtin.include_role:

test/packaging/ansible/installation-privileged.yml

@@ -21,19 +21,11 @@
 
       block:
         - name: Install agent
-          when: "'-fips' not in inventory_hostname"
           ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
             repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-
-        - name: Install agent - FIPS
-          when: "'-fips' in inventory_hostname"
-          ansible.builtin.include_role:
-            name: caos.ansible_roles.infra_agent
-          vars:
-            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-            fips_enabled: true
+            fips_enabled: "{{ '-fips' in inventory_hostname }}"
 
         - name: Assert privileged caps
           ansible.builtin.include_role:

test/packaging/ansible/installation-root.yml

@@ -21,19 +21,11 @@
       block:
 
         - name: Install agent
-          when: "'-fips' not in inventory_hostname"
           ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
             repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-
-        - name: Install agent - FIPS
-          when: "'-fips' in inventory_hostname"
-          ansible.builtin.include_role:
-            name: caos.ansible_roles.infra_agent
-          vars:
-            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-            fips_enabled: true
+            fips_enabled: "{{ '-fips' in inventory_hostname }}"
 
         - name: Assert root
           ansible.builtin.include_role:

test/packaging/ansible/installation-unprivileged.yml

@@ -26,14 +26,7 @@
             name: caos.ansible_roles.infra_agent
           vars:
             repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-
-        - name: Install agent - FIPS
-          when: "'-fips' in inventory_hostname"
-          ansible.builtin.include_role:
-            name: caos.ansible_roles.infra_agent
-          vars:
-            repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-            fips_enabled: true
+            fips_enabled: "{{ '-fips' in inventory_hostname }}"
 
         - name: Assert no privileged caps
           ansible.builtin.include_role:

test/packaging/ansible/shutdown-and-terminate.yml

@@ -16,21 +16,12 @@
 
   tasks:
     - name: Install agent
-      when: "'-fips' not in inventory_hostname"
       ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         display_name: "{{ iid }}:{{ inventory_hostname }}"
         repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-
-    - name: Install agent - FIPS
-      when: "'-fips' in inventory_hostname"
-      ansible.builtin.include_role:
-        name: caos.ansible_roles.infra_agent
-      vars:
-        display_name: "{{ iid }}:{{ inventory_hostname }}"
-        repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
-        fips_enabled: true
+        fips_enabled: "{{ '-fips' in inventory_hostname }}"
 
 - name: Install agent windows  (HNR)
   hosts: testing_hosts_windows

test/packaging/ansible/test.yml

@@ -2,7 +2,7 @@
 
 - name: Pinned version agent installation
   import_playbook: installation-pinned.yml
-  when: "'-fips' not in inventory_hostname" # TODO: https://new-relic.atlassian.net/browse/NR-355841
+  when: "'-fips' not in inventory_hostname" # TODO: https://new-relic.atlassian.net/browse/NR-355845
 
 - name: Agent installation as root
   import_playbook: installation-root.yml