chore: fips testing (#373)

* test: fix nightly (#363)

* feat: add e2e tests for core distro (#364)

* feat: add e2e tests for core distro

* chore: merge host config with core collector

* feat: Bump otel component versions from v0.128.0 to v0.131.0 (#357)

* chore: prep release 1.3.0 (#365)

* chore: Add nrdot-collector to release workflows (#366)

* chore: Add missing ec2 nightly deploy (#367)

* chore: Address cancelled deploy step (#370)

* feat: Add spanprocessor to nrdot-collector (#371)

* chore(deps): update helm release nr-k8s-otel-collector to v0.8.40 (#369)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* feat: Bump otel component versions from v0.131.0 to v0.132.0 (#368)

* chore: fips testing

* chore: test fips docker

* chore: cleaning up fips changes

---------

Co-authored-by: kb-newrelic <121687305+kb-newrelic@users.noreply.github.com>
Co-authored-by: otelcomm-bot <svc-otelcomm-bot@newrelic.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Emilia Ferreyra <110185663+emiliaFer@users.noreply.github.com>

Author: 5 people

.github/workflows/ci-base.yaml

@@ -73,18 +73,22 @@ jobs:
       - name: Verify build
         run: make ci DISTRIBUTIONS=${{ inputs.distribution }}
 
-      - name: Login to Docker
-        uses: docker/login-action@v3
-        if: ${{ env.ACT }}
-        with:
-          registry: docker.io
-          username: ${{ secrets.docker_hub_username }}
-          password: ${{ secrets.docker_hub_password }}
-
       - uses: docker/setup-qemu-action@v2
 
       - uses: docker/setup-buildx-action@v2
 
+      - name: Install cross-compilation toolchain
+        if: inputs.fips == true
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            gcc-aarch64-linux-gnu \
+            g++-aarch64-linux-gnu \
+            gcc-x86-64-linux-gnu \
+            g++-x86-64-linux-gnu \
+            libc6-dev-arm64-cross \
+            libc6-dev-amd64-cross
+
       - name: Import GPG key
         if: ${{github.event.pull_request.user.login != 'dependabot[bot]' }}
         id: import_gpg
@@ -126,7 +130,7 @@ jobs:
         with:
           distribution: goreleaser
           version: '~> v2'
-          args: ${{ env.goreleaser_args }} --verbose
+          args: ${{ env.goreleaser_args }}
           workdir: distributions/${{ inputs.distribution }}
 
       - name: Extract relevant metadata
@@ -138,6 +142,8 @@ jobs:
           echo "arch=$ARCH" >> $GITHUB_ENV
           if [ ${{ inputs.nightly }} = "true" ]; then
             echo "image_tag=$VERSION-nightly-$ARCH" >> $GITHUB_ENV
+          elif [ ${{ inputs.fips }} = "true" ]; then
+            echo "image_tag=$VERSION-fips-$ARCH" >> $GITHUB_ENV
           else
             echo "image_tag=$VERSION-$ARCH" >> $GITHUB_ENV
           fi

.github/workflows/ci-nightly.yaml

@@ -6,6 +6,10 @@ on:
     # Scheduled to run in the morning (PT) on every day-of-week from Monday through Friday.
     - cron: '0 15 * * 1-5'
 
+concurrency:
+  group: ci-nightly
+  cancel-in-progress: false
+
 env:
   REGISTRY: '${{ secrets.OTELCOMM_AWS_TEST_ACC_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com'
 
@@ -15,6 +19,7 @@ jobs:
     strategy:
       matrix:
         distribution:
+          - nrdot-collector
           - nrdot-collector-host
           - nrdot-collector-k8s
     uses: ./.github/workflows/ci-base.yaml
@@ -40,6 +45,7 @@ jobs:
     strategy:
       matrix:
         distribution:
+          - nrdot-collector
           - nrdot-collector-host
           - nrdot-collector-k8s
     steps:
@@ -136,11 +142,9 @@ jobs:
     strategy:
       matrix:
         distribution:
+          - nrdot-collector
           - nrdot-collector-host
           - nrdot-collector-k8s
-    concurrency:
-      # concurrency limit of 1 b/c failed tf job cancelling each other causes tf state and locks to corrupt
-      group: deploy-nightly-terraform
     with:
       branch: ${{ github.ref }}
       tf_work_subdir: nightly
@@ -163,6 +167,7 @@ jobs:
     strategy:
       matrix:
         distribution:
+          - nrdot-collector
           - nrdot-collector-host
           - nrdot-collector-k8s
     steps:

.github/workflows/release-draft.yaml

@@ -38,6 +38,7 @@ jobs:
     strategy:
       matrix:
         distribution:
+          - nrdot-collector
           - nrdot-collector-host
           - nrdot-collector-k8s
     steps:

.github/workflows/release-publish.yaml

@@ -16,6 +16,7 @@ jobs:
     strategy:
       matrix:
         distribution:
+          - nrdot-collector
           - nrdot-collector-host
           - nrdot-collector-k8s
 

.github/workflows/security.yaml

@@ -18,6 +18,7 @@ jobs:
     strategy:
       matrix:
         image:
+          - nrdot-collector
           - nrdot-collector-host
           - nrdot-collector-k8s
     steps:

.gitignore

@@ -1,5 +1,6 @@
 vendor
 **/_build
+**/_build-fips
 **/collections
 **/roles
 dist/
@@ -21,5 +22,6 @@ inventory
 .secrets
 .input
 .tools
+.scratch
 
-test/**/charts/*.tgz
+test/**/charts/*.tgz

Makefile

@@ -9,7 +9,7 @@ GOTAGS := $(GOTAGS) netgo
 
 # SRC_ROOT is the top of the source tree.
 SRC_ROOT := $(shell git rev-parse --show-toplevel)
-OTELCOL_BUILDER_VERSION ?= 0.128.0
+OTELCOL_BUILDER_VERSION ?= 0.132.0
 OTELCOL_BUILDER_DIR ?= ${HOME}/bin
 OTELCOL_BUILDER ?= ${OTELCOL_BUILDER_DIR}/ocb
 
@@ -33,7 +33,7 @@ build: build-fips
 
 build-fips: go
 	@$(MAKE) ocb CGO=1
-	@./scripts/build.sh -d "${DISTRIBUTIONS}" -b ${OTELCOL_BUILDER} -c 1
+	@./scripts/build.sh -d "${DISTRIBUTIONS}" -b ${OTELCOL_BUILDER}
 
 generate: generate-sources generate-goreleaser
 

Makefile.dev

@@ -7,7 +7,12 @@ ci_custom_matrix:
 	act push -W .github/workflows/ci-fips.yaml \
 		--matrix distribution:nrdot-collector-k8s
 
+ci_custom_fips_matrix:
+	@# repeat --matrix arg for multiple distros
+	act push -W .github/workflows/ci-fips.yaml \
+		--matrix distribution:nrdot-collector-k8s
+
 ci_nightly_custom_matrix:
 	@# repeat --matrix arg for multiple distros
 	act schedule -W .github/workflows/ci-nightly.yaml \
-		--matrix distribution:nrdot-collector-host
+		--matrix distribution:nrdot-collector-host

cmd/goreleaser/internal/configure.go

@@ -56,8 +56,8 @@ var (
 	K8sDockerSkipArchs = map[string]bool{"arm": true, "386": true}
 	K8sGoos            = []string{"linux"}
 	K8sArchs           = []string{"amd64", "arm64"}
-	FipsLdflags		   = []string{"-w", "-linkmode external", "-extldflags '-static'"}
-	FipsGoTags		   = []string{"netgo"}
+	FipsLdflags        = []string{"-w", "-linkmode external", "-extldflags '-static'"}
+	FipsGoTags         = []string{"netgo"}
 )
 
 func Generate(dist string, nightly bool, fips bool) config.Project {
@@ -182,6 +182,33 @@ func Build(dist string, fips bool) config.Build {
 		}
 	}
 
+	var buildDetailsOverrides []config.BuildDetailsOverride
+
+	cc := map[string]string{
+		"amd64": "x86_64-linux-gnu-gcc",
+		"arm64": "aarch64-linux-gnu-gcc",
+	}
+
+	cxx := map[string]string{
+		"amd64": "x86_64-linux-gnu-g++",
+		"arm64": "aarch64-linux-gnu-g++",
+	}
+
+	if fips {
+		for _, arch := range archs {
+			buildDetailsOverrides = append(buildDetailsOverrides, config.BuildDetailsOverride{
+				Goos:   goos[0],
+				Goarch: arch,
+				BuildDetails: config.BuildDetails{
+					Env: []string{
+						fmt.Sprint("CC=", cc[arch]),
+						fmt.Sprint("CXX=", cxx[arch]),
+					},
+				},
+			})
+		}
+	}
+
 	return config.Build{
 		ID:     dist,
 		Dir:    dir,
@@ -190,12 +217,12 @@ func Build(dist string, fips bool) config.Build {
 			Env:     []string{fmt.Sprint("CGO_ENABLED=", cgo), fmt.Sprint("GOEXPERIMENT=", goexperiment)},
 			Flags:   []string{"-trimpath"},
 			Ldflags: ldflags,
-			Tags: gotags,
+			Tags:    gotags,
 		},
-		Goos:   goos,
-		Goarch: archs,
-		Ignore: ignoreBuild,
-		BuildDetailsOverrides: overrides,
+		BuildDetailsOverrides: buildDetailsOverrides,
+		Goos:                  goos,
+		Goarch:                archs,
+		Ignore:                ignoreBuild,
 	}
 }
 
@@ -370,16 +397,22 @@ func DockerImage(dist string, nightly bool, arch string, armVersion string, fips
 	}
 
 	if fips {
-		dist = fmt.Sprint(dist, "-fips")
+		prefixFormat = "%s/%s:{{ .Version }}-fips-%s"
 	}
 
 	for _, prefix := range imagePrefixes {
 		dockerArchTag := strings.ReplaceAll(dockerArchName, "/", "")
 		imageTemplates = append(
 			imageTemplates,
 			fmt.Sprintf(prefixFormat, prefix, imageName(dist), dockerArchTag),
-			fmt.Sprintf(latestPrefixFormat, prefix, imageName(dist), dockerArchTag),
 		)
+
+		if !fips {
+			imageTemplates = append(
+				imageTemplates,
+				fmt.Sprintf(latestPrefixFormat, prefix, imageName(dist), dockerArchTag),
+			)
+		}
 	}
 
 	label := func(name, template string) string {
@@ -391,6 +424,12 @@ func DockerImage(dist string, nightly bool, arch string, armVersion string, fips
 			files = append(files, configFile)
 		}
 	}
+
+	distName := dist
+	if fips {
+		distName = fmt.Sprintf("%s-fips", dist)
+	}
+
 	return config.Docker{
 		ImageTemplates: imageTemplates,
 		Dockerfile:     dockerFile,
@@ -405,7 +444,7 @@ func DockerImage(dist string, nightly bool, arch string, armVersion string, fips
 			label("version", ".Version"),
 			label("source", ".GitURL"),
 			"--label=org.opencontainers.image.licenses=Apache-2.0",
-			fmt.Sprint("--build-arg=DIST_NAME=", dist),
+			fmt.Sprint("--build-arg=DIST_NAME=", distName),
 		},
 		Files:  files,
 		Goos:   "linux",
@@ -424,7 +463,9 @@ func DockerManifests(dist string, nightly bool, fips bool) []config.DockerManife
 			r = append(r, DockerManifest(prefix, "nightly", dist, nightly, fips))
 		} else {
 			r = append(r, DockerManifest(prefix, `{{ .Version }}`, dist, nightly, fips))
-			r = append(r, DockerManifest(prefix, "latest", dist, nightly, fips))
+			if !fips {
+				r = append(r, DockerManifest(prefix, "latest", dist, nightly, fips))
+			}
 		}
 	}
 
@@ -436,14 +477,17 @@ func DockerManifests(dist string, nightly bool, fips bool) []config.DockerManife
 func DockerManifest(prefix, version, dist string, nightly bool, fips bool) config.DockerManifest {
 	var imageTemplates []string
 	prefixFormat := "%s/%s:%s-%s"
+	nameFormat := "%s/%s:%s"
 	k8sDistro := dist == K8sDistro
 
 	//if nightly {
 	//	prefixFormat = "%s/%s:%s-nightly-%s"
 	//}
 
 	if fips {
-		dist = fmt.Sprint(dist, "-fips")
+		// dist = fmt.Sprint(dist, "-fips")
+		prefixFormat = "%s/%s:%s-fips-%s"
+		nameFormat = "%s/%s:%s-fips"
 	}
 
 	for _, arch := range Architectures {
@@ -470,7 +514,7 @@ func DockerManifest(prefix, version, dist string, nightly bool, fips bool) confi
 	}
 
 	return config.DockerManifest{
-		NameTemplate:   fmt.Sprintf("%s/%s:%s", prefix, imageName(dist), version),
+		NameTemplate:   fmt.Sprintf(nameFormat, prefix, imageName(dist), version),
 		ImageTemplates: imageTemplates,
 	}
 }

distributions/README.md

@@ -78,7 +78,7 @@ If a distribution provides linux packages (refer to its README), you can follow
 ##### DEB Installation
 ```bash
 export collector_distro="nrdot-collector-host"
-export collector_version="1.2.0"
+export collector_version="1.3.0"
 export collector_arch="amd64" # or arm64
 export license_key="YOUR_LICENSE_KEY"
 
@@ -91,7 +91,7 @@ sudo systemctl reload-or-restart "${collector_distro}.service"
 ### RPM Installation
 ```bash
 export collector_distro="nrdot-collector-host"
-export collector_version="1.2.0"
+export collector_version="1.3.0"
 export collector_arch="x86_64" # or arm64
 export license_key="YOUR_LICENSE_KEY"
 
@@ -105,7 +105,7 @@ sudo systemctl reload-or-restart "${collector_distro}.service"
 Archives contain the binary and the default configuration which is usually `config.yaml` unless the distro packages multiple defaults, e.g. `nrdot-collector-k8s`.
 ```bash
 export collector_distro="nrdot-collector-host"
-export collector_version="1.2.0"
+export collector_version="1.3.0"
 export collector_arch="amd64" # or arm64
 export license_key="YOUR_LICENSE_KEY"
 curl "https://github.com/newrelic/nrdot-collector-releases/releases/download/${collector_version}/${collector_distro}_${collector_version}_linux_${collector_arch}.tar.gz" --location --output collector.tar.gz