feat(fips): add fips compliant packages (#345)

Added FIPS compliance for nri-kafka

Author: rahulreddy15

.github/workflows/on_prerelease.yaml

@@ -12,7 +12,7 @@ jobs:
       ORIGINAL_REPO_NAME: ${{ github.event.repository.full_name }}
       CONSUMER_PRODUCER_DOCKER_IMAGE_NAME: ghcr.io/newrelic/kafka-consumer-producer
     name: Build and push consumer-producer image to use in our canaries
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
@@ -33,10 +33,10 @@ jobs:
   # This is currently not covered by reusable workflow due to the retry mechanism
   test-integration-nix:
     name: Run integration tests on *Nix
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     env:
       ORIGINAL_REPO_NAME: ${{ github.event.repository.full_name }}
-      NRJMX_VERSION: '2.3.2' ## this is needed in the makefile
+      NRJMX_VERSION: '2.10.1' ## this is needed in the makefile
     defaults:
       run:
         working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}}
@@ -65,6 +65,6 @@ jobs:
       windows_goarch_matrix: '["amd64"]' # 386 is not supported in jmx integrations
       windows_download_nrjmx: true
       win_package_type: exe
+      upload_fips_packages: true
+      test_package: false
     secrets: inherit
-
-

.github/workflows/on_push_pr.yaml

@@ -20,10 +20,10 @@ jobs:
 # This is currently not covered by reusable workflow due to the retry mechanism
   test-integration-nix:
     name: Run integration tests on *Nix
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     env:
       ORIGINAL_REPO_NAME: ${{ github.event.repository.full_name }}
-      NRJMX_VERSION: '2.3.2' ## this is needed in the makefile
+      NRJMX_VERSION: '2.10.1' ## this is needed in the makefile
     defaults:
       run:
         working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}}

.github/workflows/on_release.yaml

@@ -14,4 +14,5 @@ jobs:
       integration: kafka
       tag: ${{ github.event.release.tag_name }}
       publish_schema: "ohi-jmx"
+      upload_fips_packages: true
     secrets: inherit

CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## Unreleased
 
+### enhancements
+- Add FIPS compliant packages
+
 ## v3.13.3 - 2025-08-13
 
 ### ⛓️ Dependencies

Makefile

@@ -8,6 +8,8 @@ BINARY_NAME   = nri-$(INTEGRATION)
 GO_PKGS      := $(shell go list ./... | grep -v "/vendor/")
 GO_FILES     := ./src/
 GOFLAGS       = -mod=readonly
+GO_VERSION 		?= $(shell grep '^go ' go.mod | awk '{print $$2}')
+BUILDER_IMAGE 	?= "ghcr.io/newrelic/coreint-automation:latest-go$(GO_VERSION)-ubuntu16.04"
 
 all: build
 

build/.goreleaser.yml

@@ -1,3 +1,6 @@
+---
+version: 2
+project_name: nri-kafka
 builds:
   - id: nri-nix
     main: ./src
@@ -17,6 +20,26 @@ builds:
     ignore:
       - goos: darwin
         goarch: 386
+  
+  - id: nri-nix-fips
+    main: ./src
+    binary: nri-kafka
+    ldflags:
+      - -s -w -X main.integrationVersion={{.Version}} -X main.gitCommit={{.Commit}} -X main.buildDate={{.Date}}
+    env:
+      - CGO_ENABLED=1
+      - GOEXPERIMENT=boringcrypto
+      - >-
+        {{- if eq .Arch "arm64" -}}
+        CC=aarch64-linux-gnu-gcc
+        {{- end }}
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    tags:
+      - fips
 
   - id: nri-win
     main: ./src
@@ -34,7 +57,8 @@ builds:
 
 nfpms:
   - id: linux
-    file_name_template: "{{ .ProjectName }}_{{ .Version }}-1_{{ .Arch }}"
+    package_name: nri-kafka
+    file_name_template: "{{ .PackageName }}_{{ .Version }}-1_{{ .Arch }}"
     vendor: "New Relic, Inc."
     homepage: "https://www.newrelic.com/infrastructure"
     maintainer: "New Relic Infrastructure Team <infrastructure-eng@newrelic.com>"
@@ -45,8 +69,8 @@ nfpms:
       - nri-nix
 
     dependencies:
-      - newrelic-infra
-      - nrjmx
+      - newrelic-infra (>= 1.20.0)
+      - nrjmx (>= 2.3.2)
 
     bindir: "/var/db/newrelic-infra/newrelic-integrations/bin"
 
@@ -64,17 +88,60 @@ nfpms:
         type: config
 
     overrides:
-      deb:
-        dependencies:
-          - newrelic-infra (>= 1.20.0)
-          - nrjmx (>= 2.3.2)
       rpm:
-        file_name_template: "{{ .ProjectName }}-{{ .Version }}-1.{{ .Arch }}"
-        replacements:
-          amd64: x86_64
-        dependencies:
-          - newrelic-infra >= 1.20.0
-          - nrjmx >= 2.3.2
+        file_name_template: >-
+          {{- .ProjectName }}-
+          {{- .Version }}-1.
+          {{- if eq .Arch "amd64" -}}x86_64
+          {{- else -}}
+          {{ .Arch }}
+          {{- end }}
+
+    # Formats to be generated.
+    formats:
+      - deb
+      - rpm
+  
+  - id: linux-fips
+    package_name: nri-kafka-fips
+    file_name_template: "{{ .PackageName }}_{{ .Version }}-1_{{ .Arch }}"
+    vendor: "New Relic, Inc."
+    homepage: "https://www.newrelic.com/infrastructure"
+    maintainer: "New Relic Infrastructure Team <infrastructure-eng@newrelic.com>"
+    description: "New Relic Infrastructure kafka Integration extend the core New Relic\nInfrastructure agent's capabilities to allow you to collect metric and\nlive state data from kafka components."
+    license: "https://newrelic.com/terms (also see LICENSE installed with this package)"
+
+    builds:
+      - nri-nix-fips
+
+    dependencies:
+      - newrelic-infra-fips (>= 1.60.0)
+      - nrjmx-fips (>= 2.10.1)
+
+    bindir: "/var/db/newrelic-infra/newrelic-integrations/bin"
+
+    contents:
+      - src: "kafka-config.yml.sample"
+        dst: "/etc/newrelic-infra/integrations.d/kafka-config.yml.sample"
+      - src: "CHANGELOG.md"
+        dst: "/usr/share/doc/nri-kafka/CHANGELOG.md"
+      - src: "README.md"
+        dst: "/usr/share/doc/nri-kafka/README.md"
+      - src: "LICENSE"
+        dst: "/usr/share/doc/nri-kafka/LICENSE"
+      - src: "legacy/kafka-definition.yml"
+        dst: "/var/db/newrelic-infra/newrelic-integrations/kafka-definition.yml"
+        type: config
+
+    overrides:
+      rpm:
+        file_name_template: >-
+          {{- .ProjectName }}-fips-
+          {{- .Version }}-1.
+          {{- if eq .Arch "amd64" -}}x86_64
+          {{- else -}}
+          {{ .Arch }}
+          {{- end }}
 
     # Formats to be generated.
     formats:
@@ -92,6 +159,17 @@ archives:
         dst: .
         strip_parent: true
     format: tar.gz
+  
+  - id: nri-nix-fips
+    builds:
+      - nri-nix-fips
+    name_template: "{{ .ProjectName }}-fips_{{ .Os }}_{{ .Version }}_{{ .Arch }}_dirty"
+    files:
+      - kafka-config.yml.sample
+      - src: 'legacy/kafka-definition.yml'
+        dst: .
+        strip_parent: true
+    format: tar.gz
 
   - id: nri-win
     builds:

build/Dockerfile

@@ -1,8 +1,9 @@
-BUILDER_TAG ?= nri-$(INTEGRATION)-builder
+.PHONY : ci/pull-builder-image
+ci/pull-builder-image:
+	@docker pull $(BUILDER_IMAGE)
 
 .PHONY : ci/deps
-ci/deps:
-	@docker build -t $(BUILDER_TAG) -f $(CURDIR)/build/Dockerfile $(CURDIR)
+ci/deps: ci/pull-builder-image
 
 .PHONY : ci/debug-container
 ci/debug-container: ci/deps
@@ -17,15 +18,15 @@ ci/debug-container: ci/deps
 			-e GPG_MAIL \
 			-e GPG_PASSPHRASE \
 			-e GPG_PRIVATE_KEY_BASE64 \
-			$(BUILDER_TAG) bash
+			$(BUILDER_IMAGE) bash
 
 .PHONY : ci/test
 ci/test: ci/deps
 	@docker run --rm -t \
 			--name "nri-$(INTEGRATION)-test" \
 			-v $(CURDIR):/go/src/github.com/newrelic/nri-$(INTEGRATION) \
 			-w /go/src/github.com/newrelic/nri-$(INTEGRATION) \
-			$(BUILDER_TAG) make test
+			$(BUILDER_IMAGE) make test
 
 .PHONY : ci/build
 ci/build: ci/deps
@@ -36,7 +37,7 @@ ifdef TAG
 			-w /go/src/github.com/newrelic/nri-$(INTEGRATION) \
 			-e INTEGRATION \
 			-e TAG \
-			$(BUILDER_TAG) make release/build
+			$(BUILDER_IMAGE) make release/build
 else
 	@echo "===> $(INTEGRATION) ===  [ci/build] TAG env variable expected to be set"
 	exit 1
@@ -57,7 +58,7 @@ ifdef TAG
 			-e GPG_MAIL \
 			-e GPG_PASSPHRASE \
 			-e GPG_PRIVATE_KEY_BASE64 \
-			$(BUILDER_TAG) make release
+			$(BUILDER_IMAGE) make release
 else
 	@echo "===> $(INTEGRATION) ===  [ci/prerelease] TAG env variable expected to be set"
 	exit 1

build/ci.mk

@@ -1,5 +1,5 @@
 BUILD_DIR    := ./bin/
-GORELEASER_VERSION := v0.174.1
+GORELEASER_VERSION := v2.4.4
 GORELEASER_BIN ?= bin/goreleaser
 
 bin:
@@ -27,10 +27,10 @@ release/deps: $(GORELEASER_BIN)
 release/build: release/deps release/clean
 ifeq ($(PRERELEASE), true)
 	@echo "===> $(INTEGRATION) === [release/build] PRE-RELEASE compiling all binaries, creating packages, archives"
-	@$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --rm-dist
+	@$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --clean
 else
 	@echo "===> $(INTEGRATION) === [release/build] build compiling all binaries"
-	@$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --rm-dist
+	@$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --clean
 endif
 
 .PHONY : release/fix-archive
@@ -43,7 +43,7 @@ release/fix-archive:
 .PHONY : release/sign/nix
 release/sign/nix:
 	@echo "===> $(INTEGRATION) === [release/sign] signing packages"
-	@bash $(CURDIR)/build/nix/sign.sh
+	@bash sign.sh
 
 
 .PHONY : release/publish