feat: fips distributions (#387)

* feat: create fips versions of distributions

* feat: restructure so that both fips compliant and noncompliant versions of each distro is made

* feat: separate build.sh and .goreleaser.yaml into default and fips versions

* feat: change build-fips.sh so that instead of rebuilding the same thing over, just copy contents of _build into _build-fips

* Revert "feat: change build-fips.sh so that instead of rebuilding the same thing over, just copy contents of _build into _build-fips"

This reverts commit 600e08d.

_build-fips can't just copy over the contents of _build because _build-fips has it's own manifest-fips.yaml

* feat: edit configure.go to include fips

* feat: data agreement

* fix: fix bugs with Docker Images and Manifests

* fix: ran make generate-goreleaser

* feat: add fips version of files for new distro - nrdot-collector

* feat: add fips flag

* feat: add Dockerfile-fips files

* move fips flag further down configure.go stack

* use docker args

* standardize fips in configure.go and manifest files

* make build target dependent on build-fips target

* add ci-fips workflow

* add infrastructure to cross make ocb with cgo enabled

* adjust fips workflow, doesn't need tf

* bug squishing

* remove unnecessary toolchain dir

* chore: fips testing (#373)

* test: fix nightly (#363)

* feat: add e2e tests for core distro (#364)

* feat: add e2e tests for core distro

* chore: merge host config with core collector

* feat: Bump otel component versions from v0.128.0 to v0.131.0 (#357)

* chore: prep release 1.3.0 (#365)

* chore: Add nrdot-collector to release workflows (#366)

* chore: Add missing ec2 nightly deploy (#367)

* chore: Address cancelled deploy step (#370)

* feat: Add spanprocessor to nrdot-collector (#371)

* chore(deps): update helm release nr-k8s-otel-collector to v0.8.40 (#369)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* feat: Bump otel component versions from v0.131.0 to v0.132.0 (#368)

* chore: fips testing

* chore: test fips docker

* chore: cleaning up fips changes

---------

Co-authored-by: kb-newrelic <121687305+kb-newrelic@users.noreply.github.com>
Co-authored-by: otelcomm-bot <svc-otelcomm-bot@newrelic.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Emilia Ferreyra <110185663+emiliaFer@users.noreply.github.com>

* build details overrides

* git merged badly, fixing it

* update fips workflow

* add back fips configs

* updated goreleaser.yaml files

* add back fips go tags and ldflags

* fix directory in goreleaser-fips

* add boringcrypto validation

* update boring crypto validation

* add manifest-fips.yaml to .gitignore

* remove existing manifest-fips.yaml files

---------

Co-authored-by: mailo-nr <marsac@newrelic.com>
Co-authored-by: kb-newrelic <121687305+kb-newrelic@users.noreply.github.com>
Co-authored-by: otelcomm-bot <svc-otelcomm-bot@newrelic.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: 5 people

.github/workflows/ci-base.yaml

@@ -10,6 +10,10 @@ on:
         required: false
         type: boolean
         default: false
+      fips:
+        required: false
+        type: boolean
+        default: false
       test_cluster_name:
         required: false
         type: string
@@ -70,6 +74,18 @@ jobs:
 
       - uses: docker/setup-buildx-action@v2
 
+      - name: Install cross-compilation toolchain
+        if: inputs.fips == true
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            gcc-aarch64-linux-gnu \
+            g++-aarch64-linux-gnu \
+            gcc-x86-64-linux-gnu \
+            g++-x86-64-linux-gnu \
+            libc6-dev-arm64-cross \
+            libc6-dev-amd64-cross
+
       - name: Import GPG key
         if: ${{github.event.pull_request.user.login != 'dependabot[bot]' }}
         id: import_gpg
@@ -92,6 +108,8 @@ jobs:
         run: |
           if [ ${{ inputs.nightly }} = "true" ]; then
             echo "goreleaser_args=--snapshot --clean --skip=publish,validate --timeout 2h --config .goreleaser-nightly.yaml" >> $GITHUB_ENV
+          elif [ ${{ inputs.fips }} = "true" ]; then
+            echo "goreleaser_args=--snapshot --clean --skip=publish,validate --timeout 2h --config .goreleaser-fips.yaml" >> $GITHUB_ENV
           elif [ ${{github.event.pull_request.user.login == 'dependabot[bot]' }} ]; then
             echo "goreleaser_args=--snapshot --clean --skip=publish,validate,sign --timeout 2h" >> $GITHUB_ENV
           else
@@ -121,6 +139,8 @@ jobs:
           echo "arch=$ARCH" >> $GITHUB_ENV
           if [ ${{ inputs.nightly }} = "true" ]; then
             echo "image_tag=$VERSION-nightly-$ARCH" >> $GITHUB_ENV
+          elif [ ${{ inputs.fips }} = "true" ]; then
+            echo "image_tag=$VERSION-fips-$ARCH" >> $GITHUB_ENV
           else
             echo "image_tag=$VERSION-$ARCH" >> $GITHUB_ENV
           fi
@@ -138,6 +158,22 @@ jobs:
 
       - uses: azure/setup-helm@v4.2.0
 
+      - name: Validate Usage of BoringCrypto
+        if: inputs.fips == true
+        run: |
+          ARCH=$(echo '${{ runner.arch }}' | sed 's/X/amd/g')
+          ARCH=${ARCH@L}
+          OS=$(echo '${{ runner.os }}')
+          OS=${OS@L}
+          printf -v BINARY_PATTERN "distributions/%s/dist/%s-fips_%s_%s*/*" "${{ inputs.distribution}}" "${{ inputs.distribution }}" "${OS}" "${ARCH}"
+          echo "Looking for binary pattern: ${BINARY_PATTERN}"
+          BINARY=$(find ${BINARY_PATTERN} 2>/dev/null | head -1)
+          if [[ -z "${BINARY}" ]]; then
+            echo "Error"
+            exit 1
+          fi
+          go tool nm ${BINARY} | grep '_Cfunc__goboringcrypto_' || (echo 'fips distro should not use standard crypto' && exit 1)
+
       - name: Run local e2e tests
         if: ${{ hashFiles(format('distributions/{0}/test/spec-local.yaml', inputs.distribution)) != '' }}
         uses: newrelic/newrelic-integration-e2e-action@v1

.github/workflows/ci-fips.yaml

@@ -0,0 +1,33 @@
+name: 🔄 CI | FIPS
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    name: Build & Validate
+    strategy:
+      matrix:
+        distribution:
+          - nrdot-collector-host
+          - nrdot-collector-k8s
+          - nrdot-collector
+    uses: ./.github/workflows/ci-base.yaml
+    with:
+      fips: true
+      distribution: ${{ matrix.distribution }}
+      # namespace by distro to avoid issues with cleanup (distro 1 still running tests while distro 2 cleans up cluster)
+      test_cluster_name: '${{ matrix.distribution }}-${{ github.run_id }}-${{ github.run_attempt }}'
+    secrets:
+      docker_hub_username: ${{ secrets.OTELCOMM_DOCKER_HUB_USERNAME }}
+      docker_hub_password: ${{ secrets.OTELCOMM_DOCKER_HUB_PASSWORD }}
+      gpg_private_key: ${{ secrets.OTELCOMM_GPG_PRIVATE_KEY_BASE64 }}
+      gpg_passphrase: ${{ secrets.OTELCOMM_GPG_PASSPHRASE }}
+      registry: 'newrelic'
+      nr_backend_url: ${{ secrets.NR_STAGING_BACKEND_URL }}
+      nr_ingest_key: ${{ secrets.OTELCOMM_NR_INGEST_KEY }}
+      nr_account_id: ${{ secrets.OTELCOMM_NR_TEST_ACCOUNT_ID }}
+      nr_api_key: ${{ secrets.OTELCOMM_NR_API_KEY }}

.github/workflows/ci.yaml

@@ -21,6 +21,7 @@ jobs:
           - nrdot-collector
     uses: ./.github/workflows/ci-base.yaml
     with:
+      fips: false
       distribution: ${{ matrix.distribution }}
       # namespace by distro to avoid issues with cleanup (distro 1 still running tests while distro 2 cleans up cluster)
       test_cluster_name: '${{ matrix.distribution }}-${{ github.run_id }}-${{ github.run_attempt }}'

.gitignore

@@ -1,5 +1,6 @@
 vendor
 **/_build
+**/_build-fips
 **/collections
 **/roles
 dist/
@@ -16,10 +17,13 @@ inventory
 *.auto.tfvars
 # rely on pinned provider versions for now to avoid having to deal with multi-platform lock file hashes
 .terraform.lock.hcl
+#fips manifest files
+distributions/**/manifest-fips.yaml
 
 .env
 .secrets
 .input
 .tools
+.scratch
 
-test/**/charts/*.tgz
+test/**/charts/*.tgz

Makefile

@@ -15,13 +15,18 @@ TOOLS_PKG_NAMES := $(shell grep -E $(TOOLS_MOD_REGEX) < $(TOOLS_MOD_DIR)/tools.g
 TOOLS_BIN_NAMES := $(addprefix $(TOOLS_BIN_DIR)/, $(notdir $(shell echo $(TOOLS_PKG_NAMES))))
 GO_LICENCE_DETECTOR        := $(TOOLS_BIN_DIR)/go-licence-detector
 GO_LICENCE_DETECTOR_CONFIG   := $(SRC_ROOT)/internal/assets/license/rules.json
+CGO := 0
 
 DISTRIBUTIONS ?= "nrdot-collector-host,nrdot-collector-k8s,nrdot-collector"
 
 ci: check build version-check licenses-check
 check: ensure-goreleaser-up-to-date
 
-build: go ocb
+build: build-fips
+	@./scripts/build.sh -d "${DISTRIBUTIONS}" -b ${OTELCOL_BUILDER} -f false
+
+build-fips: go
+	@$(MAKE) ocb CGO=1
 	@./scripts/build.sh -d "${DISTRIBUTIONS}" -b ${OTELCOL_BUILDER}
 
 generate: generate-sources generate-goreleaser
@@ -53,13 +58,52 @@ ifeq (, $(shell command -v ocb 2>/dev/null))
 	[ "$${machine}" != x86_64 ] || machine=amd64 ;\
 	echo "Installing ocb ($${os}/$${machine}) at $(OTELCOL_BUILDER_DIR)";\
 	mkdir -p $(OTELCOL_BUILDER_DIR) ;\
-	CGO_ENABLED=0 go install -trimpath -ldflags="-s -w" go.opentelemetry.io/collector/cmd/builder@v$(OTELCOL_BUILDER_VERSION) ;\
+	CGO_ENABLED=${CGO} go install -trimpath -ldflags="-s -w" go.opentelemetry.io/collector/cmd/builder@v$(OTELCOL_BUILDER_VERSION) ;\
 	mv $$(go env GOPATH)/bin/builder $(OTELCOL_BUILDER) ;\
 	}
 else
 OTELCOL_BUILDER=$(shell command -v ocb)
 endif
 
+.PHONY: ocb-version-check
+ocb-version-check:
+	@need_install=false; \
+	if [ -x '$(OTELCOL_BUILDER)' ]; then \
+		current_version=$$($(OTELCOL_BUILDER) version 2>&1 | grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+' | sed 's/.*v//') ;\
+		if [ "$${current_version}" != "$(OTELCOL_BUILDER_VERSION)" ]; then \
+			echo "OCB version mismatch: found $${current_version} $(OTELCOL_BUILDER), expected $(OTELCOL_BUILDER_VERSION)" ;\
+			rm -f $(OTELCOL_BUILDER) ;\
+			need_install=true; \
+		else \
+			echo "OCB found correct version $${current_version}" ;\
+		fi \
+	elif command -v ocb 2>&1; then \
+		current_version=$$(ocb version 2>&1 | grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+' | sed 's/.*v//') ;\
+		if [ "$${current_version}" != "$(OTELCOL_BUILDER_VERSION)" ]; then \
+			echo "System OCB version mismatch: found $${current_version}, expected $(OTELCOL_BUILDER_VERSION)" ;\
+			echo "Will install local version..." ;\
+			need_install=true; \
+		else \
+			echo "OCB found correct version $${current_version}" ;\
+		fi \
+	else \
+		echo "OCB not found, will install..." ;\
+		need_install=true; \
+	fi; \
+	if [ "$$need_install" = "true" ]; then \
+		set -e ;\
+		os=$$(uname | tr A-Z a-z) ;\
+		machine=$$(uname -m) ;\
+		[ "$${machine}" != x86 ] || machine=386 ;\
+		[ "$${machine}" != x86_64 ] || machine=amd64 ;\
+		echo "Installing ocb ($${os}/$${machine}) at $(OTELCOL_BUILDER_DIR)";\
+		mkdir -p $(OTELCOL_BUILDER_DIR) ;\
+		go clean -modcache; \
+		CGO_ENABLED=0 go install -trimpath -ldflags="-s -w" go.opentelemetry.io/collector/cmd/builder@v$(OTELCOL_BUILDER_VERSION) ;\
+		mv $$(go env GOPATH)/bin/builder $(OTELCOL_BUILDER) ;\
+		echo "OCB installed at $(OTELCOL_BUILDER)"; \
+	fi
+
 .PHONY: go
 go:
 	@{ \

Makefile.dev

@@ -7,7 +7,12 @@ ci_custom_matrix:
 	act push -W .github/workflows/ci.yaml \
 		--matrix distribution:nrdot-collector-k8s
 
+ci_custom_fips_matrix:
+	@# repeat --matrix arg for multiple distros
+	act push -W .github/workflows/ci-fips.yaml \
+		--matrix distribution:nrdot-collector-host
+
 ci_nightly_custom_matrix:
 	@# repeat --matrix arg for multiple distros
 	act schedule -W .github/workflows/ci-nightly.yaml \
-		--matrix distribution:nrdot-collector-host
+		--matrix distribution:nrdot-collector-host