Nr 351326 linux prerelease fips (#1976)

* Create new FIPS packages on prerelease for linux
* Add FIPS molecule tests. (#1981)

Author: alvarocabanas

.github/workflows/component_linux_packaging.yml

@@ -22,6 +22,10 @@ on:
       ARCH:
         required: true
         type: string
+      FIPS:
+        required: false
+        type: boolean
+        default: false
 
 env:
   GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
@@ -32,6 +36,7 @@ env:
   DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
   DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   ARCH: ${{ inputs.ARCH }}
+  FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}
 
 jobs:
   packaging:
@@ -49,6 +54,8 @@ jobs:
 
       - name: Preparing linux packages
         run: make ci/prerelease/linux-${{ env.ARCH }}
+        env:
+          FIPS: ${{ env.FIPS }}
 
       - name: Generate checksum files
         uses: ./.github/actions/generate-checksums

.github/workflows/component_linux_publish.yml

@@ -76,6 +76,9 @@ jobs:
           - "targz"
           - "deb"
           - "rpm"
+        suffix:
+          - ""
+          - "-fips"
 
     steps:
       - name: Login to DockerHub
@@ -89,10 +92,10 @@ jobs:
         uses: newrelic/[email protected]
         with:
           tag: ${{env.TAG}}
-          app_name: "newrelic-infra"
+          app_name: "newrelic-infra${{ matrix.suffix }}"
           repo_name: "newrelic/infrastructure-agent"
           schema: "custom"
-          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.SCHEMA_BRANCH }}/build/upload-schema-linux-${{ matrix.assetsType }}.yml"
+          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.SCHEMA_BRANCH }}/build/upload-schema-linux-${{ matrix.assetsType }}${{ matrix.suffix }}.yml"
           aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
           aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
           aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}

.github/workflows/component_molecule_packaging.yml

@@ -21,10 +21,19 @@ jobs:
     name: Test package installation
     runs-on: ubuntu-latest
     steps:
-      - uses: newrelic/pkg-installation-testing-action@v1
+      - name: Test NON-FIPS package installation
+        uses: newrelic/pkg-installation-testing-action@v1
         with:
           gpg_key: 'https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg'
           repo_base_url: ${{ inputs.REPO_ENDPOINT }}
           package_name: 'newrelic-infra'
           package_version: ${{ inputs.TAG }}
           platforms: "al2,al2023,debian-bullseye,debian-bookworm,redhat8,redhat9,suse15.3,suse15.4,suse15.5,suse15.6,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204,ubuntu2404"
+      - name: Test FIPS package installation
+        uses: newrelic/pkg-installation-testing-action@v1
+        with:
+          gpg_key: 'https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg'
+          repo_base_url: ${{ inputs.REPO_ENDPOINT }}
+          package_name: 'newrelic-infra-fips'
+          package_version: ${{ inputs.TAG }}
+          platforms: "al2,al2023,debian-bullseye,debian-bookworm,redhat8,redhat9,suse15.3,suse15.4,suse15.5,suse15.6,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204,ubuntu2404"

.github/workflows/prerelease_linux.yml

@@ -31,6 +31,21 @@ jobs:
     with:
       TAG:  ${{ github.event.release.tag_name }}
       ARCH: 'amd64'
+  
+  packaging-amd64-fips:
+    needs: [unit-test, proxy-tests]
+    uses: ./.github/workflows/component_linux_packaging.yml
+    secrets:
+      DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
+      DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
+      GPG_MAIL: '[email protected]'
+      GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    with:
+      TAG:  ${{ github.event.release.tag_name }}
+      ARCH: 'amd64'
+      FIPS: true
 
   packaging-arm:
     needs: [unit-test, proxy-tests]
@@ -60,6 +75,21 @@ jobs:
       TAG:  ${{ github.event.release.tag_name }}
       ARCH: 'arm64'
 
+  packaging-arm64-fips:
+    needs: [unit-test, proxy-tests]
+    uses: ./.github/workflows/component_linux_packaging.yml
+    secrets:
+      DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
+      DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
+      GPG_MAIL: '[email protected]'
+      GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    with:
+      TAG:  ${{ github.event.release.tag_name }}
+      ARCH: 'arm64'
+      FIPS: true
+
   packaging-legacy:
     needs: [unit-test, proxy-tests]
     uses: ./.github/workflows/component_linux_packaging.yml
@@ -98,7 +128,7 @@ jobs:
     # point to staging after tests
     name: Publish linux artifacts into s3 staging bucket
     uses: ./.github/workflows/component_linux_publish.yml
-    needs: [packaging-amd64, packaging-arm, packaging-arm64, packaging-legacy]
+    needs: [packaging-amd64, packaging-amd64-fips, packaging-arm, packaging-arm64, packaging-arm64-fips, packaging-legacy]
     secrets:
       DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
       DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}

build/release.mk

@@ -71,12 +71,10 @@ release/pkg-linux: release/get-fluentbit-linux-arm64
 
 .PHONY : release/pkg-linux-fips
 release/pkg-linux-fips: release/deps release/clean generate-goreleaser-multiarch-fips
-release/pkg-linux-fips: release/get-integrations-amd64 #NO FIPS ASSETS AVAILABLE FOR NOW
-release/pkg-linux-fips: release/get-integrations-arm64 #NO FIPS ASSETS AVAILABLE FOR NOW
-# release/pkg-linux-fips: release/get-integrations-arm #NO FIPS ASSETS AVAILABLE FOR NOW
-release/pkg-linux-fips: release/get-fluentbit-linux-amd64 #NO FIPS ASSETS AVAILABLE FOR NOW
-# #release/pkg-linux: release/get-fluentbit-linux-arm
-release/pkg-linux-fips: release/get-fluentbit-linux-arm64 #NO FIPS ASSETS AVAILABLE FOR NOW
+release/pkg-linux-fips: release/get-integrations-amd64
+release/pkg-linux-fips: release/get-integrations-arm64
+release/pkg-linux-fips: release/get-fluentbit-linux-amd64
+release/pkg-linux-fips: release/get-fluentbit-linux-arm64
 	@echo "=== [release/pkg-linux-fips] PRE-RELEASE compiling all binaries, creating packages, archives"
 	$(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)
 
@@ -178,7 +176,7 @@ release-macos: release/pkg-macos release/fix-tarballs-macos
 .PHONY : generate-goreleaser-amd64
 generate-goreleaser-amd64:
 	cat $(CURDIR)/build/goreleaser/linux/header.yml\
-		$(CURDIR)/build/goreleaser/linux/build_amd64.yml\
+		$(CURDIR)/build/goreleaser/linux/build_amd64$(subst -,_,$(FIPS)).yml\
 		$(CURDIR)/build/goreleaser/linux/archives_header.yml\
 		$(CURDIR)/build/goreleaser/linux/archives_amd64.yml\
 		$(CURDIR)/build/goreleaser/linux/nfpms_header.yml\
@@ -232,7 +230,7 @@ generate-goreleaser-amd64:
 .PHONY : generate-goreleaser-arm64
 generate-goreleaser-arm64:
 	cat $(CURDIR)/build/goreleaser/linux/header.yml\
-		$(CURDIR)/build/goreleaser/linux/build_arm64.yml\
+		$(CURDIR)/build/goreleaser/linux/build_arm64$(subst -,_,$(FIPS)).yml\
 		$(CURDIR)/build/goreleaser/linux/archives_header.yml\
 		$(CURDIR)/build/goreleaser/linux/archives_arm64.yml\
 		$(CURDIR)/build/goreleaser/linux/nfpms_header.yml\