Add prerelease for FIPS with testing and image creation (#1992)

* feat(fips): add fips integrations when building fips infra-agent (#1969)

* Nr 351326 linux prerelease fips (#1976)

* Create new FIPS packages on prerelease for linux
* Add FIPS molecule tests. (#1981)

* Create new docker FIPS images (#1982)

* feat(fips): update tests to run for fips packages (#1980)

* update harvest tests to run for fips packages
* chore: update action versions
* update packaging tests
* assume role for 2 hours as tests can take longer than 1 hour

* Add conflicts to the newrelic-infra packages to not allow having both fips and non fips installed at the same time (#1987)

* Add fips canaries (#1988)

* Add fips canaries
* Condition Fips canary previous to have a second release

---------

Co-authored-by: Rohan Yadav <[email protected]>

Author: alvarocabanas

.github/workflows/component_canaries.yml

@@ -32,10 +32,10 @@ jobs:
     runs-on: ubuntu-20.04
     if: ${{ inputs.PLATFORM == 'macos' }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -68,10 +68,10 @@ jobs:
     runs-on: ubuntu-20.04
     if: ${{ inputs.PLATFORM == 'linux' }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -130,10 +130,10 @@ jobs:
     runs-on: ubuntu-20.04
     if: ${{ inputs.PLATFORM == 'windows' }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2

.github/workflows/component_docker_packaging.yml

@@ -19,6 +19,10 @@ on:
       TAG:
         required: true
         type: string
+      FIPS:
+        required: false
+        type: boolean
+        default: false
 
 env:
   GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
@@ -29,6 +33,7 @@ env:
   DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
   DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   DOCKER_PUBLISH: true
+  FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}
 
 jobs:
   packaging:
@@ -47,7 +52,7 @@ jobs:
           password: ${{ env.DOCKER_HUB_PASSWORD }}
 
       - name: Compiling binaries for linux amd64, arm, arm64
-        run: make ci/prerelease/linux-for-docker
+        run: make ci/prerelease/linux-for-docker${{env.FIPS}}
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
@@ -58,10 +63,10 @@ jobs:
           version: v0.9.1
 
       - name: Build and publish Release Candidate (RC) of base Docker image
-        run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-base-rc
+        run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-base-rc
 
       - name: Build and publish Release Candidate (RC) of forwarder Docker image
-        run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-forwarder-rc
+        run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-forwarder-rc
 
       - name: Build and publish Release Candidate (RC) of k8s-events-forwarders Docker image
-        run: AGENT_VERSION=${{env.TAG}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc
+        run: AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}} make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-rc

.github/workflows/component_docker_publish.yml

@@ -53,4 +53,22 @@ jobs:
         run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-tag AGENT_VERSION=${{env.TAG}}
 
       - name: Publish latest of k8s-events-forwarders Docker image
-        run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}}
+        run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}}
+
+      - name: Publish tag of base Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-base-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish latest of base Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-base-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish tag of forwarder Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-forwarder-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish latest of forwarder Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-forwarder-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish tag of k8s-events-forwarders Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-tag AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}
+
+      - name: Publish latest of k8s-events-forwarders Docker image FIPS
+        run: make -C build/container/ clean publish/multi-arch-k8s-events-forwarder-latest AGENT_VERSION=${{env.TAG}} FIPS=${{env.FIPS}}

.github/workflows/component_linux_packaging.yml

@@ -22,6 +22,10 @@ on:
       ARCH:
         required: true
         type: string
+      FIPS:
+        required: false
+        type: boolean
+        default: false
 
 env:
   GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
@@ -32,6 +36,7 @@ env:
   DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
   DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   ARCH: ${{ inputs.ARCH }}
+  FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}
 
 jobs:
   packaging:
@@ -49,6 +54,8 @@ jobs:
 
       - name: Preparing linux packages
         run: make ci/prerelease/linux-${{ env.ARCH }}
+        env:
+          FIPS: ${{ env.FIPS }}
 
       - name: Generate checksum files
         uses: ./.github/actions/generate-checksums

.github/workflows/component_linux_publish.yml

@@ -76,6 +76,9 @@ jobs:
           - "targz"
           - "deb"
           - "rpm"
+        suffix:
+          - ""
+          - "-fips"
 
     steps:
       - name: Login to DockerHub
@@ -89,10 +92,10 @@ jobs:
         uses: newrelic/[email protected]
         with:
           tag: ${{env.TAG}}
-          app_name: "newrelic-infra"
+          app_name: "newrelic-infra${{ matrix.suffix }}"
           repo_name: "newrelic/infrastructure-agent"
           schema: "custom"
-          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.SCHEMA_BRANCH }}/build/upload-schema-linux-${{ matrix.assetsType }}.yml"
+          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.SCHEMA_BRANCH }}/build/upload-schema-linux-${{ matrix.assetsType }}${{ matrix.suffix }}.yml"
           aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
           aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
           aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}

.github/workflows/component_molecule_packaging.yml

@@ -21,10 +21,20 @@ jobs:
     name: Test package installation
     runs-on: ubuntu-latest
     steps:
-      - uses: newrelic/pkg-installation-testing-action@v1
+      - name: Test NON-FIPS package installation
+        uses: newrelic/pkg-installation-testing-action@v1
         with:
           gpg_key: 'https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg'
           repo_base_url: ${{ inputs.REPO_ENDPOINT }}
           package_name: 'newrelic-infra'
           package_version: ${{ inputs.TAG }}
           platforms: "al2,al2023,debian-bullseye,debian-bookworm,redhat8,redhat9,suse15.3,suse15.4,suse15.5,suse15.6,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204,ubuntu2404"
+      - name: Test FIPS package installation
+        uses: newrelic/pkg-installation-testing-action@v1
+        with:
+          gpg_key: 'https://download.newrelic.com/infrastructure_agent/gpg/newrelic-infra.gpg'
+          repo_base_url: ${{ inputs.REPO_ENDPOINT }}
+          package_name: 'newrelic-infra-fips'
+          exec_name: 'newrelic-infra'
+          package_version: ${{ inputs.TAG }}
+          platforms: "al2,al2023,debian-bullseye,debian-bookworm,redhat8,redhat9,suse15.3,suse15.4,suse15.5,suse15.6,ubuntu1604,ubuntu1804,ubuntu2004,ubuntu2204,ubuntu2404"

.github/workflows/component_prerelease_testing.yml

@@ -39,10 +39,10 @@ jobs:
   provision:
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -79,10 +79,10 @@ jobs:
     needs: [ provision ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -120,13 +120,14 @@ jobs:
     needs: [ harvest-tests ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
+          role-duration-seconds: 7200
 
       - name: Set branch name
         run: |
@@ -154,10 +155,10 @@ jobs:
     needs: [ harvest-tests ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -188,10 +189,10 @@ jobs:
     needs: [ packaging-tests-linux ]
     runs-on: ubuntu-20.04
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
           aws-region: us-east-2
@@ -229,10 +230,10 @@ jobs:
       needs: [ packaging-tests-windows ]
       runs-on: ubuntu-20.04
       steps:
-        - uses: actions/checkout@v2
+        - uses: actions/checkout@v4
 
         - name: Configure AWS Credentials
-          uses: aws-actions/configure-aws-credentials@v1
+          uses: aws-actions/configure-aws-credentials@v4
           with:
             role-to-assume: ${{ env.AWS_ASSUME_ROLE }}
             aws-region: us-east-2

.github/workflows/component_trivy.yml

@@ -12,6 +12,13 @@ on:
       severity:
         required: true
         type: string
+      FIPS:
+        required: false
+        type: boolean
+        default: false
+
+env:
+  FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}
 
 jobs:
   trivy_scanner:
@@ -22,7 +29,7 @@ jobs:
       - name: newrelic/infrastructure
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -35,7 +42,7 @@ jobs:
       - name: newrelic/k8s-events-forwarder
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/k8s-events-forwarder:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/k8s-events-forwarder${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -48,7 +55,7 @@ jobs:
       - name: newrelic/nri-forwarder
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/nri-forwarder:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/nri-forwarder${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
@@ -69,7 +76,7 @@ jobs:
       - name: Sarif newrelic/infrastructure
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "docker.io/newrelic/infrastructure:${{ inputs.tag }}"
+          image-ref: "docker.io/newrelic/infrastructure${{ env.FIPS }}:${{ inputs.tag }}"
           format: 'sarif'
           output: 'trivy-results.sarif'
           vuln-type: 'os,library'

.github/workflows/prerelease_linux.yml

@@ -31,6 +31,21 @@ jobs:
     with:
       TAG:  ${{ github.event.release.tag_name }}
       ARCH: 'amd64'
+  
+  packaging-amd64-fips:
+    needs: [unit-test, proxy-tests]
+    uses: ./.github/workflows/component_linux_packaging.yml
+    secrets:
+      DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
+      DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
+      GPG_MAIL: '[email protected]'
+      GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    with:
+      TAG:  ${{ github.event.release.tag_name }}
+      ARCH: 'amd64'
+      FIPS: true
 
   packaging-arm:
     needs: [unit-test, proxy-tests]
@@ -60,6 +75,21 @@ jobs:
       TAG:  ${{ github.event.release.tag_name }}
       ARCH: 'arm64'
 
+  packaging-arm64-fips:
+    needs: [unit-test, proxy-tests]
+    uses: ./.github/workflows/component_linux_packaging.yml
+    secrets:
+      DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
+      DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
+      GPG_MAIL: '[email protected]'
+      GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    with:
+      TAG:  ${{ github.event.release.tag_name }}
+      ARCH: 'arm64'
+      FIPS: true
+
   packaging-legacy:
     needs: [unit-test, proxy-tests]
     uses: ./.github/workflows/component_linux_packaging.yml
@@ -94,11 +124,33 @@ jobs:
       tag: "${{ github.event.release.tag_name }}-rc"
       severity: "CRITICAL"
 
+  packaging-docker-fips:
+    needs: [unit-test, proxy-tests]
+    uses: ./.github/workflows/component_docker_packaging.yml
+    secrets:
+      DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
+      DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
+      GPG_MAIL: '[email protected]'
+      GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    with:
+      TAG:  ${{ github.event.release.tag_name }}
+      FIPS: true
+
+  docker-fips-trivy-critical:
+    needs: [packaging-docker-fips]
+    uses: ./.github/workflows/component_trivy.yml
+    with:
+      tag: "${{ github.event.release.tag_name }}-rc"
+      severity: "CRITICAL"
+      FIPS: true
+
   publishing-to-s3:
     # point to staging after tests
     name: Publish linux artifacts into s3 staging bucket
     uses: ./.github/workflows/component_linux_publish.yml
-    needs: [packaging-amd64, packaging-arm, packaging-arm64, packaging-legacy]
+    needs: [packaging-amd64, packaging-amd64-fips, packaging-arm, packaging-arm64, packaging-arm64-fips, packaging-legacy]
     secrets:
       DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
       DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}