feat(fips): update tests to run for fips packages (#1980)

* update harvest tests to run for fips packages
* chore: update action versions
* update packaging tests
* assume role for 2 hours as tests can take longer than 1 hour

Author: rajrohanyadav

.github/workflows/component_prerelease_testing.yml

@@ -39,10 +39,10 @@ jobs:
   provision:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -79,10 +79,10 @@ jobs:
     needs: [ provision ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -120,13 +120,14 @@ jobs:
     needs: [ harvest-tests ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
+          role-duration-seconds: 7200
 
       - name: Set branch name
         run: |
@@ -154,10 +155,10 @@ jobs:
     needs: [ harvest-tests ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -188,10 +189,10 @@ jobs:
     needs: [ packaging-tests-linux ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -229,10 +230,10 @@ jobs:
       needs: [ packaging-tests-windows ]
       runs-on: ubuntu-20.04
       steps:
-        - uses: actions/checkout@v2
+        - uses: actions/checkout@v4
 
         - name: Configure AWS Credentials
-          uses: aws-actions/configure-aws-credentials@v1
+          uses: aws-actions/configure-aws-credentials@v4
           with:
             role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
             aws-region: us-east-2

build/build.mk

@@ -174,6 +174,12 @@ build-harvest-tests: CGO_ENABLED=0
 build-harvest-tests: deps
 	$(GO_BIN) test -c ./test/harvest -tags="harvest" -v
 
+.PHONY: build-harvest-tests-fips
+build-harvest-tests-fips: CGO_ENABLED=1
+build-harvest-tests-fips: GOEXPERIMENT=boringcrypto
+build-harvest-tests-fips: deps
+	$(GO_BIN) test -c ./test/harvest -tags="harvest,fips" -v
+
 
 .PHONY: proxy-test
 proxy-test:

test/automated/ansible/group_vars/localhost/main.yml

@@ -271,6 +271,16 @@ instances:
     platform: "linux"
     python_interpreter: "/usr/bin/python3"
     launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3"
+  #################################
+  # amazon linux 2023 amd64 FIPS
+  #################################
+  - ami: "ami-085fa628e46dcb929"
+    type: "t3a.small"
+    name: "amd64:al-2023-fips"
+    username: "ec2-user"
+    platform: "linux"
+    python_interpreter: "/usr/bin/python3"
+    launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3"
   ############################
   # amazon linux 2023 arm64
   ############################
@@ -281,6 +291,16 @@ instances:
     platform: "linux"
     python_interpreter: "/usr/bin/python3"
     launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3"
+  #################################
+  # amazon linux 2023 arm64 FIPS
+  #################################
+  - ami: "ami-06014e12b8efb52e2"
+    type: "t4g.small"
+    name: "arm64:al-2023-fips"
+    username: "ec2-user"
+    platform: "linux"
+    python_interpreter: "/usr/bin/python3"
+    launch_template: "LaunchTemplateId=lt-0b00afb3f5110a0e6,Version=3"
   ############################
   # windows amd64
   ############################

test/harvest/ansible/README.md

@@ -10,7 +10,8 @@ localhost ansible_connection=local
 
 [testing_hosts]
 amd64:debian-buster ansible_host=192.168.1.12 ansible_user=admin ansible_python_interpreter=/usr/bin/python3 
-amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python 
+amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python
+amd64:al-2023-fips ansible_host=192.168.1.14 ansible_user=ec2-user ansible_python_interpreter=/usr/bin/python3 ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -o MACs=hmac-sha2-256,hmac-sha2-512'
 ```
 
 ## Playbooks

test/harvest/ansible/roles/build-harvest-tests/tasks/main.yml

@@ -1,21 +1,41 @@
 ---
 
-- name: build harvest tests for every os/arch combination
-  ansible.builtin.shell: "CGO_ENABLED=0 GOOS=linux GOARCH={{item}} make build-harvest-tests && mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}"
+- name: Build harvest tests for Linux arch combination
+  ansible.builtin.shell: >
+    CGO_ENABLED=0 GOOS=linux GOARCH={{ item }} make build-harvest-tests &&
+    mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}
   args:
     chdir: "{{ agent_root_dir }}"
+    creates: "{{ os_arch_binary_name_tpl | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}"
   loop: "{{ goos_arch.linux }}"
 
-- name: build harvest tests for every os/arch combination
-  ansible.builtin.shell: "GOOS=darwin GOARCH={{item}} make build-harvest-tests && mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'darwin') | replace('%GOARCH%', item) }}"
+- name: Build harvest tests for Linux arch combination - FIPS
+  ansible.builtin.shell: >
+    CGO_ENABLED=1 GOEXPERIMENT=boringcrypto GOOS=linux GOARCH={{ item }}
+    {% if item == 'arm64' %}CC=aarch64-linux-gnu-gcc{% endif %}
+    make build-harvest-tests-fips &&
+    mv {{ default_binary_name }} {{ os_arch_binary_name_tpl_fips | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}
   args:
     chdir: "{{ agent_root_dir }}"
+    creates: "{{ os_arch_binary_name_tpl_fips | replace('%GOOS%', 'linux') | replace('%GOARCH%', item) }}"
+  loop: "{{ goos_arch.linux_fips }}"
+
+- name: Build harvest tests for Darwin arch combination
+  ansible.builtin.shell: >
+    GOOS=darwin GOARCH={{ item }} make build-harvest-tests &&
+    mv {{ default_binary_name }} {{ os_arch_binary_name_tpl | replace('%GOOS%', 'darwin') | replace('%GOARCH%', item) }}
+  args:
+    chdir: "{{ agent_root_dir }}"
+    creates: "{{ os_arch_binary_name_tpl | replace('%GOOS%', 'darwin') | replace('%GOARCH%', item) }}"
   loop: "{{ goos_arch.darwin }}"
 
-- name: build harvest tests for every os/arch combination
-  ansible.builtin.shell: "GOOS=windows GOARCH={{item}} make build-harvest-tests && mv {{ default_binary_name }}.exe {{ os_arch_binary_name_tpl | replace('%GOOS%', 'win32nt') | replace('%GOARCH%', item) }}.exe"
+- name: Build harvest tests for Windows arch combination
+  ansible.builtin.shell: >
+    GOOS=windows GOARCH={{ item }} make build-harvest-tests &&
+    mv {{ default_binary_name }}.exe {{ os_arch_binary_name_tpl | replace('%GOOS%', 'win32nt') | replace('%GOARCH%', item) }}.exe
   args:
     chdir: "{{ agent_root_dir }}"
+    creates: "{{ os_arch_binary_name_tpl | replace('%GOOS%', 'win32nt') | replace('%GOARCH%', item) }}.exe"
   loop: "{{ goos_arch.windows }}"
 
 

test/harvest/ansible/roles/build-harvest-tests/vars/main.yml

@@ -3,11 +3,15 @@
 agent_root_dir: ""
 default_binary_name: "harvest.test"
 os_arch_binary_name_tpl: "harvest_%GOOS%_%GOARCH%.test"
+os_arch_binary_name_tpl_fips: "harvest_%GOOS%-fips_%GOARCH%.test"
 goos_arch:
   linux:
     - "amd64"
     - "arm"
     - "arm64"
+  linux_fips:
+    - "amd64"
+    - "arm64"
   darwin:
     - "amd64"
     - "arm64"

test/harvest/ansible/roles/run-harvest-tests/tasks/main.yml

@@ -1,15 +1,26 @@
 ---
 
-- name: register os/arch specific binary name
-  set_fact:
-    os_arch_binary_name: "{{ os_arch_binary_name_tpl | replace('%GOOS%',ansible_system|lower) | replace('%GOARCH%',architecture_map[ansible_architecture]) }}"
+- name: Register os/arch specific binary name
+  ansible.builtin.set_fact:
+    os_arch_binary_name: "{{ os_arch_binary_name_tpl
+      | replace('%GOOS%', ansible_system | lower)
+      | replace('%GOARCH%', architecture_map[ansible_architecture]) }}"
+  when: "'-fips' not in inventory_hostname"
 
-- name: copy binary
+- name: Register os/arch specific binary name - FIPS
+  ansible.builtin.set_fact:
+    os_arch_binary_name: "{{ os_arch_binary_name_tpl_fips
+      | replace('%GOOS%', ansible_system | lower)
+      | replace('%GOARCH%', architecture_map[ansible_architecture]) }}"
+  when: "'-fips' in inventory_hostname"
+
+- name: Copy binary
   ansible.builtin.copy:
     src: "{{ agent_root_dir }}/{{ os_arch_binary_name }}"
     dest: "{{ ansible_user_dir }}/{{ os_arch_binary_name }}"
     mode: '0755'
 
-- include_tasks: "execute-tests-{{ ansible_system }}.yaml"
+- name: Include OS-specific test tasks
+  ansible.builtin.include_tasks: "execute-tests-{{ ansible_system }}.yaml"
 
 ...

test/harvest/ansible/roles/run-harvest-tests/vars/main.yml

@@ -6,4 +6,5 @@ architecture_map:
   64-bit: "amd64"
 
 os_arch_binary_name_tpl: "harvest_%GOOS%_%GOARCH%.test{{ '.exe' if ansible_system == 'Win32NT' else '' }}"
+os_arch_binary_name_tpl_fips: "harvest_%GOOS%-fips_%GOARCH%.test{{ '.exe' if ansible_system == 'Win32NT' else '' }}"
 tests_to_run_regex: ".*"

test/harvest/ansible/test.yml

@@ -4,22 +4,24 @@
 # It will build the harvest tests binaries for specified architectures/os combinations
 # and copy and run them in the testing_hosts hosts
 
-- hosts: localhost
+- name: Build harvest tests on localhost
+  hosts: localhost
   become: false
-  gather_facts: no
+  gather_facts: false
 
   tasks:
-    - name: build harvest tests
-      include_role:
+    - name: Build harvest tests
+      ansible.builtin.include_role:
         name: build-harvest-tests
 
 
-- hosts: testing_hosts
-  gather_facts: yes
+- name: Copy and run harvest tests on testing hosts
+  hosts: testing_hosts
+  gather_facts: true
 
   tasks:
-    - name: copy and run harvest tests
-      include_role:
+    - name: Copy and run harvest tests
+      ansible.builtin.include_role:
         name: run-harvest-tests
 
 ...

test/packaging/ansible/README.md

@@ -9,7 +9,8 @@ localhost ansible_connection=local
 
 [testing_hosts]
 amd64:debian-buster ansible_host=192.168.1.12 ansible_user=admin ansible_python_interpreter=/usr/bin/python3 
-amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python 
+amd64:centos7 ansible_host=192.168.1.13 ansible_user=centos ansible_python_interpreter=/usr/bin/python
+amd64:al-2023-fips ansible_host=192.168.1.14 ansible_user=ec2-user ansible_python_interpreter=/usr/bin/python3 ansible_ssh_common_args='-o Ciphers=aes256-ctr,aes192-ctr,aes128-ctr -o KexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 -o MACs=hmac-sha2-256,hmac-sha2-512'
 ```
 
 ## Playbooks

test/packaging/ansible/agent-upgrade.yml

@@ -14,6 +14,8 @@
 
   tasks:
     - name: agent upgrade tests suite
+      # TODO: https://new-relic.atlassian.net/browse/NR-355851 Update when two releases with FIPS are done
+      # Also add FIPS tests
       vars:
         target_agent_version: "1.57.1"
 

test/packaging/ansible/installation-pinned.yml

@@ -1,13 +1,12 @@
 ---
-
-- name: installation-pinned
+- name: Installation-pinned
   hosts: testing_hosts_linux
   become: true
-  gather_facts: yes
+  gather_facts: true
 
   pre_tasks:
     - name: Initial cleanup
-      include_role:
+      ansible.builtin.include_role:
         name: caos.ansible_roles.infra_agent
       vars:
         uninstall: true
@@ -18,16 +17,26 @@
         target_agent_version: "1.57.1" # minimum version for ubuntu sles 15.6
 
       block:
-
-        - name: install agent
-          include_role:
+        - name: Install agent
+          # when: "'-fips' not in inventory_hostname"
+          ansible.builtin.include_role:
             name: caos.ansible_roles.infra_agent
           vars:
             target_version: "{{ target_agent_version }}"
             repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
 
+        # TODO: https://new-relic.atlassian.net/browse/NR-355845 Uncomment when FIPS version is available for the minimum version
+        # - name: Install agent - FIPS
+        #   when: "'-fips' in inventory_hostname"
+        #   ansible.builtin.include_role:
+        #     name: caos.ansible_roles.infra_agent
+        #   vars:
+        #     target_version: "{{ target_agent_version }}"
+        #     repo_endpoint: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
+        #     fips_enabled: true
+
         - name: Assert version
-          include_role:
+          ansible.builtin.include_role:
             name: caos.ansible_roles.assert_version
           vars:
             target_versions: