[Integration Test] Ensure that upgrading a FIPS-capable Agent results in a FIPS-capable Agent

[ycombinator]

⚠️ Currently blocked on https://github.com/elastic/ingest-dev/issues/5264 and #8035 for CI being able to actually run these tests on a FIPS-configured VM. ⚠️

What does this PR do?

This PR allows a FIPS-capable Agent to upgrade to another FIPS-capable Agent.

It also adds three integration tests:

• TestStandaloneUpgradeFIPStoFIPS: to check that a standalone FIPS-capable Agent will upgrade only to another FIPS-capable Agent. This test tests upgrades from and to various FIPS-capable Agent versions.
• TestFleetManagedUpgradeUnprivilegedFIPS: to check that a Fleet-managed FIPS-capable unprivileged Agent will upgrade only to another FIPS-capable Agent.
• TestFleetManagedUpgradePrivilegedFIPS: to check that a Fleet-managed FIPS-capable privileged Agent will upgrade only to another FIPS-capable Agent.

Why is it important?

To preserve FIPS-compliance across upgrades.

Checklist

• I have read and understood the pull request guidelines of this project.
• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• I have added an integration test or an E2E test

Disruptive User Impact

None; this PR adds an integration test.

[mergify]

This pull request does not have a backport label. Could you fix it @ycombinator? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[michel-laterman]

testing looks good; should we also test a scenario where a failure is expected?

[ycombinator]

It turns out we currently have no way of upgrade a FIPS-capable Agent to another version of a FIPS-capable Agent. I just tried this manually and it doesn't work:

$ sudo elastic-agent version
Binary: 9.0.0-SNAPSHOT (build: 4da779d1fac682d7189ab14f7e058e84d82c653a fips-distribution: true at 2025-04-25 12:38:25 +0000 UTC)
Daemon: 9.0.0-SNAPSHOT (build: 4da779d1fac682d7189ab14f7e058e84d82c653a at 2025-04-25 12:38:25 +0000 UTC)

$ sudo elastic-agent status
┌─ fleet
│  └─ status: (STOPPED) Not enrolled into Fleet
└─ elastic-agent
   └─ status: (HEALTHY) Running

$ pwd
/home/shaunak

$ ls -al elastic-agent-fips-9.1.0-SNAPSHOT-linux-arm64.tar.gz*
-rw-r--r-- 1 shaunak shaunak 207491829 Apr 25 07:35 elastic-agent-fips-9.1.0-SNAPSHOT-linux-arm64.tar.gz
-rw-r--r-- 1 shaunak shaunak       182 Apr 25 07:35 elastic-agent-fips-9.1.0-SNAPSHOT-linux-arm64.tar.gz.sha512

$ sudo elastic-agent upgrade --source-uri file:///home/shaunak/ --skip-verify 9.1.0-SNAPSHOT
Error: Failed trigger upgrade of daemon: failed download of agent binary: unable to download package: package '/home/shaunak/elastic-agent-9.1.0-SNAPSHOT-linux-arm64.tar.gz' not found: open /home/shaunak/elastic-agent-9.1.0-SNAPSHOT-linux-arm64.tar.gz: no such file or directory
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/9.0/fleet-troubleshooting.html

Moving this PR into draft while I implement the missing capability.

[ycombinator]

The TestStandaloneUpgradeFIPStoNonFIPS/Upgrade_8.19.0-SNAPSHOT_to_9.0.0-SNAPSHOT_(privileged) and TestStandaloneUpgradeFIPStoNonFIPS/Upgrade_8.19.0-SNAPSHOT_to_9.0.0-SNAPSHOT_(unprivileged) FIPS upgrade integration tests are failing CI. The failures look like this:

upgrade_standalone_test.go:78:
--
  | Error Trace:	/opt/buildkite-agent/builds/bk-agent-prod-gcp-1745886251557149484/elastic/elastic-agent/testing/integration/upgrade_standalone_test.go:78
  | /opt/buildkite-agent/builds/bk-agent-prod-gcp-1745886251557149484/elastic/elastic-agent/testing/integration/upgrade_standalone_test.go:58
  | /opt/buildkite-agent/builds/bk-agent-prod-gcp-1745886251557149484/elastic/elastic-agent/testing/integration/upgrade_standalone_fips_test.go:146
  | Error:      	Received unexpected error:
  | could not unmarshal agent version output: error: exit status 2, output: panic: opensslcrypto: FIPS mode requested (requirefips tag set) but not available in OpenSSL 3.0.13 30 Jan 2024
  |  
  | goroutine 1 [running]:
  | crypto/internal/backend.init.1()
  | crypto/internal/backend/openssl_linux.go:40 +0x9f
  |  
  | yaml: mapping values are not allowed in this context
  | Test:       	TestStandaloneUpgradeFIPStoNonFIPS/Upgrade_8.19.0-SNAPSHOT_to_9.0.0-SNAPSHOT_(privileged)

@michel-laterman @simitt I think we need https://github.com/elastic/ingest-dev/issues/5264 for these tests?

[simitt]

@michel-laterman @simitt I think we need https://github.com/elastic/ingest-dev/issues/5264 for these tests?

Agree

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
77.8% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 142ec35

Failed CI Steps

• Serverless integration test
• Serverless integration test
• x86_64:sudo: standalone-upgrade
• x86_64:sudo: standalone-upgrade
• x86_64:sudo: fleet
• x86_64:sudo: fleet
• x86_64:sudo: fleet-privileged
• x86_64:sudo: fleet-privileged
• arm:sudo: standalone-upgrade
• arm:sudo: standalone-upgrade
• arm:sudo: fleet
• arm:sudo: fleet
• x86_64:sudo: standalone-upgrade
• x86_64:sudo: standalone-upgrade
• x86_64:sudo: fleet
• x86_64:sudo: fleet
• x86_64:sudo: fleet-privileged
• x86_64:sudo: fleet-privileged

History

• 💔 Build #21064 failed 0f2c12a
• 💔 Build #21061 failed 2a0c837
• 💔 Build #21047 failed 7b43bbd
• 💔 Build #21030 failed 8bc5730

cc @ycombinator

[ycombinator]

The TestFleetManagedUpgradeUnprivilegedFIPS integration test is failing in CI like so:

=== FAIL: testing/integration TestFleetManagedUpgradeUnprivilegedFIPS (0.17s)
--
  | upgrade_fleet_test.go:157:
  | Error Trace:	/opt/buildkite-agent/builds/bk-agent-prod-gcp-1746743140257113053/elastic/elastic-agent/testing/integration/upgrade_fleet_test.go:157
  | /opt/buildkite-agent/builds/bk-agent-prod-gcp-1746743140257113053/elastic/elastic-agent/testing/integration/upgrade_fleet_test.go:103
  | Error:      	Received unexpected error:
  | failed to find build at /opt/buildkite-agent/builds/bk-agent-prod-gcp-1746743140257113053/elastic/elastic-agent/build/distributions: stat /opt/buildkite-agent/builds/bk-agent-prod-gcp-1746743140257113053/elastic/elastic-agent/build/distributions/elastic-agent-fips-9.1.0-SNAPSHOT-linux-x86_64.tar.gz: no such file or directory
  | Test:       	TestFleetManagedUpgradeUnprivilegedFIPS

The TestFleetManagedUpgradePrivilegedFIPS integration test also fails with the same error.

If I look at the build artifacts from the "Packaging: Ubuntu x86_64 FIPS" CI step, I see that build/distributions/elastic-agent-fips-9.1.0-SNAPSHOT-linux-x86_64.tar.gz artifact is being built.

But I think this build artifact is on a different Buildkite Agent from the ones that are running the TestFleetManagedUpgradeUnprivilegedFIPS and TestFleetManagedUpgradePrivilegedFIPS tests, as seen in the log output of the packaging step:

--
~/builds/bk-agent-prod-gcp-1746738804551933315/elastic/elastic-agent

@michel-laterman is this gap something the BK pipeline changes in #8035 will address?

[cmacknz]

The tests are still failing trying to find the FIPS artifacts, but just going off the description I think we are over testing this between all three of these cases:

• TestStandaloneUpgradeFIPStoFIPS: to check that a standalone FIPS-capable Agent will upgrade only to another FIPS-capable Agent. This test tests upgrades from and to various FIPS-capable Agent versions.
• TestFleetManagedUpgradeUnprivilegedFIPS: to check that a Fleet-managed FIPS-capable unprivileged Agent will upgrade only to another FIPS-capable Agent.
• TestFleetManagedUpgradePrivilegedFIPS: to check that a Fleet-managed FIPS-capable privileged Agent will upgrade only to another FIPS-capable Agent.

What coverage are we gaining by testing this in privileged and unprivileged mode? Is there even any difference between privileged and unprivileged with respect to FIPS?

What are we gaining by testing Fleet and Standalone? I would expect if we do a single Fleet managed upgrade test we would have effectively smoke tested all of this.

All FIPS does is substitute out the implementation of crypto package and change crypto related code. Why do we need to test three variants of an upgrade because of this?

[cmacknz]

Instead of duplicating all the test cases from TestLess, maybe easier to just test both things in the same test? Maybe with a different sub-test?

I think maintaining the test cases is most of the work in here so we are better off duplicating them less.