feat: add configurable FIPS 140-3 mode across all microservices

Make FIPS enforcement opt-in via a `fips_mode` config property delivered
through user-provided services, consistent with how all other config is
transported. Default is off so non-FIPS deployments are unaffected.

Go services: add FipsMode to config structs, make AssertFIPSMode()
conditional, log activation status, expose autoscaler_fips_enabled
Prometheus gauge (0/1) on health endpoints.

Java scheduler: add isFipsModeEnabled() reading VCAP_SERVICES, make
FipsSecurityProviderConfig.initialize() conditional, register
autoscaler_fips_enabled gauge in HealthExporter.

Deployment: remove GOFIPS140 from default mta.yaml, add
build-extension-file-fips Make target generating a FIPS MTA extension
that sets GOFIPS140/GODEBUG on Go modules and fips_mode in service
configs. mta-deploy auto-applies the FIPS extension when present.

MTA: add provides sections to service modules for URL sharing, add
acceptance-tests-config user-provided service resource, refactor
acceptance config to load from VCAP_SERVICES.

CI: add acceptance_tests_fips_mta.yaml workflow, extend reusable
workflow with build_fips_extension input. Add fips acceptance test
suite that validates autoscaler_fips_enabled metric on all services.

Author: silvestre

.github/workflows/acceptance_tests_fips.yaml

@@ -0,0 +1,26 @@
+name: Acceptance Tests - FIPS
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [ opened, synchronize ]
+    paths:
+      - '**/*fips*'
+      - '**/*Fips*'
+      - 'startup/startup.go'
+      - 'scheduler/src/main/java/**/SchedulerApplication.java'
+      - '.github/workflows/acceptance_tests_fips.yaml'
+
+concurrency:
+  group: "${{ github.workflow }}/${{ github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  acceptance_tests_fips:
+    name: "${{ github.workflow }}"
+    uses: ./.github/workflows/acceptance_tests_reusable.yaml
+    with:
+      deployment_name: "autoscaler-fips-${{ github.event.pull_request.number || github.run_number }}"
+      build_fips_extension: true
+      suites: "[ 'api', 'app', 'broker', 'fips' ]"
+    secrets:
+      bbl_ssh_key: "${{ secrets.BBL_SSH_KEY }}"

.github/workflows/acceptance_tests_reusable.yaml

@@ -9,6 +9,10 @@ on:
       deployment_name:
         required: true
         type: string
+      build_fips_extension:
+        required: false
+        type: boolean
+        default: false
     secrets:
       bbl_ssh_key:
         required: true
@@ -58,6 +62,9 @@ jobs:
         shell: bash
         run: |
           make --directory="${AUTOSCALER_DIR}" build-extension-file
+          if [ "${{ inputs.build_fips_extension }}" = "true" ]; then
+            make --directory="${AUTOSCALER_DIR}" build-extension-file-fips
+          fi
           make --directory="${AUTOSCALER_DIR}" mta-build
           make --directory="${AUTOSCALER_DIR}" mta-deploy
 

Makefile

@@ -299,6 +299,9 @@ mta-undeploy:
 build-extension-file:
 	$(MAKEFILE_DIR)/scripts/build-extension-file.sh
 
+build-extension-file-fips:
+	$(MAKEFILE_DIR)/scripts/build-extension-file-fips.sh
+
 mta-logs:
 	rm -rf mta-*
 	cf dmol --mta com.github.cloudfoundry.app-autoscaler-release --last 1
@@ -507,7 +510,7 @@ scheduler.test: check-db_type scheduler.test-certificates init-db
 scheduler.test-certificates:
 	make --directory=scheduler test-certificates
 
-lint: lint-go lint-actions lint-markdown
+lint: lint-go lint-actions lint-markdown lint-shell
 .PHONY: lint-go
 lint-go: generate-openapi-generated-clients-and-servers generate-fakes acceptance.lint test-app.lint gorouterproxy.lint
 	readonly GOVERSION='${GO_VERSION}' ;\
@@ -520,6 +523,11 @@ lint-actions:
 	@echo " - linting GitHub actions"
 	actionlint
 
+.PHONY: lint-shell
+lint-shell:
+	@echo " - linting shell scripts"
+	shellcheck scripts/*.sh
+
 acceptance.lint:
 	@echo 'Linting acceptance-tests …'
 	make --directory='acceptance' lint

acceptance/config/config.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"
 
@@ -82,10 +83,14 @@ type Config struct {
 
 	HealthEndpointsBasicAuthEnabled bool `json:"health_endpoints_basic_auth_enabled"`
 
+	HealthEndpoints map[string]HealthEndpointConfig `json:"health_endpoints"`
+
 	CPUUpperThreshold int64 `json:"cpu_upper_threshold"`
 
 	CPUUtilScalingPolicyTest CPUUtilScalingPolicyTest `json:"cpuutil_scaling_policy_test"`
 
+	FipsModeExpected bool `json:"fips_mode_expected"`
+
 	Performance PerformanceConfig `json:"performance"`
 }
 
@@ -94,6 +99,12 @@ type CPUUtilScalingPolicyTest struct {
 	AppCPUEntitlement int    `json:"app_cpu_entitlement"`
 }
 
+type HealthEndpointConfig struct {
+	Endpoint string `json:"endpoint"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
 var defaults = Config{
 	AddExistingUserToExistingSpace: true,
 
@@ -152,20 +163,18 @@ type TerminateSuite func(message string, callerSkip ...int)
 var DefaultTerminateSuite TerminateSuite = ginkgo.AbortSuite
 
 func LoadConfig(terminateSuite TerminateSuite) *Config {
-	// First check for direct JSON config in environment variable
-	configJSON := os.Getenv("ACCEPTANCE_CONFIG_JSON")
-
 	config := defaults
 	var err error
 
-	if configJSON != "" {
-		// Parse JSON directly from env var
+	// Priority: VCAP_SERVICES (CF deployment) > ACCEPTANCE_CONFIG_JSON (env) > CONFIG file
+	if configJSON := loadConfigFromVCAPServices(); configJSON != "" {
+		err = loadConfigFromJSON(configJSON, &config)
+	} else if configJSON := os.Getenv("ACCEPTANCE_CONFIG_JSON"); configJSON != "" {
 		err = loadConfigFromJSON(configJSON, &config)
 	} else {
-		// Fall back to file-based config (existing behavior)
 		path := os.Getenv("CONFIG")
 		if path == "" {
-			terminateSuite("Must set $CONFIG to point to a json file or $ACCEPTANCE_CONFIG_JSON with JSON content")
+			terminateSuite("Must set $CONFIG to point to a json file, $ACCEPTANCE_CONFIG_JSON with JSON content, or bind an acceptance-tests-config service")
 		}
 		err = loadConfigFromPath(path, &config)
 	}
@@ -280,6 +289,61 @@ func loadConfigFromJSON(jsonContent string, config *Config) error {
 	return decoder.Decode(config)
 }
 
+// loadConfigFromVCAPServices extracts acceptance test config from the
+// acceptance-tests-config user-provided service in VCAP_SERVICES.
+// Returns the credentials JSON string, or "" if not found.
+func loadConfigFromVCAPServices() string {
+	vcapServices := os.Getenv("VCAP_SERVICES")
+	if vcapServices == "" {
+		return ""
+	}
+
+	var services map[string][]struct {
+		Tags        []string               `json:"tags"`
+		Credentials map[string]interface{} `json:"credentials"`
+	}
+	if err := json.Unmarshal([]byte(vcapServices), &services); err != nil {
+		return ""
+	}
+
+	svc, found := findServiceByTag(services, "acceptance-tests-config")
+	if !found {
+		return ""
+	}
+
+	creds, ok := svc.Credentials["acceptance-tests-config"]
+	if !ok {
+		return ""
+	}
+
+	credBytes, err := json.Marshal(creds)
+	if err != nil {
+		return ""
+	}
+	return string(credBytes)
+}
+
+func findServiceByTag(services map[string][]struct {
+	Tags        []string               `json:"tags"`
+	Credentials map[string]interface{} `json:"credentials"`
+}, tag string) (struct {
+	Tags        []string               `json:"tags"`
+	Credentials map[string]interface{} `json:"credentials"`
+}, bool) {
+	for _, instances := range services {
+		for _, svc := range instances {
+			if slices.Contains(svc.Tags, tag) {
+				return svc, true
+			}
+		}
+	}
+	var zero struct {
+		Tags        []string               `json:"tags"`
+		Credentials map[string]interface{} `json:"credentials"`
+	}
+	return zero, false
+}
+
 func (c *Config) Protocol() string {
 	if c.UseHttp {
 		return "http://"

acceptance/config/config_test.go

@@ -19,7 +19,7 @@ func TestConfigSuite(t *testing.T) {
 var _ = Describe("LoadConfig", func() {
 	When("CONFIG env var not set", func() {
 		It("terminates suite", func() {
-			loadConfigExpectSuiteTerminationWith("Must set $CONFIG to point to a json file or $ACCEPTANCE_CONFIG_JSON with JSON content")
+			loadConfigExpectSuiteTerminationWith("Must set $CONFIG to point to a json file, $ACCEPTANCE_CONFIG_JSON with JSON content, or bind an acceptance-tests-config service")
 		})
 	})
 

acceptance/fips/fips_mode_test.go

@@ -0,0 +1,99 @@
+package fips_test
+
+import (
+	"bufio"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("FIPS Mode Verification", func() {
+	var client *http.Client
+
+	BeforeEach(func() {
+		client = &http.Client{
+			Transport: &http.Transport{
+				Proxy: http.ProxyFromEnvironment,
+				DialContext: (&net.Dialer{
+					Timeout:   30 * time.Second,
+					KeepAlive: 30 * time.Second,
+				}).DialContext,
+				TLSHandshakeTimeout: 10 * time.Second,
+				DisableCompression:  true,
+				DisableKeepAlives:   true,
+				TLSClientConfig: &tls.Config{
+					InsecureSkipVerify: cfg.SkipSSLValidation,
+				},
+			},
+			Timeout: 30 * time.Second,
+		}
+	})
+
+	It("verifies FIPS mode status on all configured health endpoints", func() {
+		Expect(cfg.HealthEndpoints).NotTo(BeEmpty(),
+			"No health_endpoints configured — cannot verify FIPS mode")
+
+		expectedValue := float64(0)
+		if cfg.FipsModeExpected {
+			expectedValue = 1
+		}
+
+		for name, ep := range cfg.HealthEndpoints {
+			url := ep.Endpoint
+			if !strings.HasPrefix(url, "http") {
+				url = "https://" + url
+			}
+
+			By(fmt.Sprintf("Checking FIPS status on %s at %s", name, url))
+
+			req, err := http.NewRequest("GET", url, nil)
+			Expect(err).NotTo(HaveOccurred())
+
+			if ep.Username != "" {
+				req.SetBasicAuth(ep.Username, ep.Password)
+			}
+
+			resp, err := client.Do(req)
+			Expect(err).NotTo(HaveOccurred(), "Failed to reach %s health endpoint", name)
+			defer resp.Body.Close()
+
+			Expect(resp.StatusCode).To(Equal(http.StatusOK),
+				"Health endpoint for %s returned status %d", name, resp.StatusCode)
+
+			fipsValue, found := parseFipsMetric(resp.Body)
+			Expect(found).To(BeTrue(),
+				"autoscaler_fips_enabled metric not found on %s", name)
+			Expect(fipsValue).To(Equal(expectedValue),
+				"FIPS mode mismatch on %s: expected %v, got %v", name, expectedValue, fipsValue)
+		}
+	})
+})
+
+// parseFipsMetric scans Prometheus text output for the autoscaler_fips_enabled metric.
+func parseFipsMetric(body io.Reader) (float64, bool) {
+	scanner := bufio.NewScanner(body)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.HasPrefix(line, "#") {
+			continue
+		}
+		if strings.HasPrefix(line, "autoscaler_fips_enabled") {
+			parts := strings.Fields(line)
+			if len(parts) >= 2 {
+				val, err := strconv.ParseFloat(parts[1], 64)
+				if err == nil {
+					return val, true
+				}
+			}
+		}
+	}
+	return 0, false
+}

acceptance/fips/fips_suite_test.go

@@ -0,0 +1,25 @@
+package fips_test
+
+import (
+	"testing"
+
+	"acceptance/config"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var (
+	cfg *config.Config
+)
+
+const componentName = "FIPS Mode Suite"
+
+func TestAcceptance(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, componentName)
+}
+
+var _ = BeforeSuite(func() {
+	cfg = config.LoadConfig(config.DefaultTerminateSuite)
+})

api/cmd/api/main.go

@@ -28,7 +28,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	startup.SetupEnvironment()
+	startup.SetupEnvironment(conf.FipsMode)
 
 	logger := startup.InitLogger(&conf.Logging, "api")
 

api/config/config.go

@@ -121,6 +121,7 @@ type Config struct {
 	StoredProcedureConfig              *models.StoredProcedureConfig `yaml:"stored_procedure_binding_credential_config" json:"stored_procedure_binding_credential_config"`
 	ScalingRules                       ScalingRulesConfig            `yaml:"scaling_rules" json:"scaling_rules"`
 	DefaultCustomMetricsCredentialType string                        `yaml:"default_credential_type" json:"default_credential_type"`
+	FipsMode                           bool                          `yaml:"fips_mode" json:"fips_mode"`
 }
 
 func (c *Config) SetLoggingLevel() {
@@ -132,6 +133,11 @@ func (c *Config) GetLogging() *helpers.LoggingConfig {
 	return &c.Logging
 }
 
+// GetFipsMode returns whether FIPS 140-3 mode is configured
+func (c *Config) GetFipsMode() bool {
+	return c.FipsMode
+}
+
 type PlanCheckConfig struct {
 	PlanDefinitions map[string]PlanDefinition `yaml:"plan_definitions" json:"plan_definitions"`
 }

api/publicapiserver/public_api_server.go

@@ -180,6 +180,7 @@ func (s *PublicApiServer) createPrometheusRegistry() *prometheus.Registry {
 			healthendpoint.NewDatabaseStatusCollector("autoscaler", "golangapiserver", "policyDB", s.policyDB),
 			healthendpoint.NewDatabaseStatusCollector("autoscaler", "golangapiserver", "bindingDB", s.bindingDB),
 			s.httpStatusCollector,
+			helpers.FipsEnabledGauge,
 		},
 		true, s.logger.Session("golangapiserver-prometheus"))
 	return promRegistry