From 880f7ebcd92800f818134fe2f05aef79763347ad Mon Sep 17 00:00:00 2001 From: Rohan Yadav Date: Mon, 3 Feb 2025 14:38:56 +0530 Subject: [PATCH] feat(fips): add fips compliant packages (#155) * feat(fips): add fips compliant packages * udpate dependence on fips agent --- .github/workflows/on_prerelease.yml | 1 + .github/workflows/on_release.yml | 1 + CHANGELOG.md | 3 + Makefile | 2 + build/.goreleaser.yml | 94 +++++++++++++++++++++++++++-- build/Dockerfile | 17 ------ build/ci.mk | 15 ++--- build/nix/sign.sh | 47 --------------- build/release.mk | 8 +-- src/fips.go | 11 ++++ 10 files changed, 120 insertions(+), 79 deletions(-) delete mode 100644 build/Dockerfile delete mode 100755 build/nix/sign.sh create mode 100644 src/fips.go diff --git a/.github/workflows/on_prerelease.yml b/.github/workflows/on_prerelease.yml index 8db0288..77d8ff2 100644 --- a/.github/workflows/on_prerelease.yml +++ b/.github/workflows/on_prerelease.yml @@ -13,4 +13,5 @@ jobs: with: tag: ${{ github.event.release.tag_name }} integration: "mongodb" + upload_fips_packages: true secrets: inherit diff --git a/.github/workflows/on_release.yml b/.github/workflows/on_release.yml index 2f9a90a..a293c0c 100644 --- a/.github/workflows/on_release.yml +++ b/.github/workflows/on_release.yml @@ -13,4 +13,5 @@ jobs: with: integration: mongodb tag: ${{ github.event.release.tag_name }} + upload_fips_packages: true secrets: inherit diff --git a/CHANGELOG.md b/CHANGELOG.md index ca26f3f..149d69c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,9 @@ Unreleased section should follow [Release Toolkit](https://github.com/newrelic/r ## Unreleased +### enhancements +- Add FIPS compliant packages + ## v2.9.2 - 2025-01-21 ### ⛓️ Dependencies diff --git a/Makefile b/Makefile index 3503567..9f2c165 100644 --- a/Makefile +++ b/Makefile 
@@ -6,6 +6,8 @@ BINARY_NAME = nri-$(INTEGRATION) GO_PKGS := $(shell go list ./... | grep -v "/vendor/") GO_FILES := ./src/ GOFLAGS = -mod=readonly +GO_VERSION ?= $(shell grep '^go ' go.mod | awk '{print $$2}') +BUILDER_IMAGE ?= "ghcr.io/newrelic/coreint-automation:latest-go$(GO_VERSION)-ubuntu16.04" all: build diff --git a/build/.goreleaser.yml b/build/.goreleaser.yml index 3a2a3fc..598ba82 100644 --- a/build/.goreleaser.yml +++ b/build/.goreleaser.yml @@ -1,3 +1,6 @@ +--- +version: 2 +project_name: nri-mongodb builds: - id: nri-nix main: ./src @@ -17,6 +20,26 @@ builds: ignore: - goos: darwin goarch: 386 + + - id: nri-nix-fips + main: ./src + binary: nri-mongodb + ldflags: + - -s -w -X main.integrationVersion={{.Version}} -X main.gitCommit={{.Commit}} -X main.buildDate={{.Date}} + env: + - CGO_ENABLED=1 + - GOEXPERIMENT=boringcrypto + - >- + {{- if eq .Arch "arm64" -}} + CC=aarch64-linux-gnu-gcc + {{- end }} + goos: + - linux + goarch: + - amd64 + - arm64 + tags: + - fips - id: nri-win main: ./src @@ -35,7 +58,8 @@ builds: nfpms: - id: linux - file_name_template: "{{ .ProjectName }}_{{ .Version }}-1_{{ .Arch }}" + package_name: nri-mongodb + file_name_template: "{{ .PackageName }}_{{ .Version }}-1_{{ .Arch }}" vendor: "New Relic, Inc." homepage: "https://www.newrelic.com/infrastructure" maintainer: "New Relic Infrastructure Team " 
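Review bot: The release builder is now pulled by the floating tag `latest-go$(GO_VERSION)-ubuntu16.04`, so the image whose toolchain compiles and then signs the FIPS packages is resolved at pull time and can differ between two builds of the same release tag, whereas the deleted build/Dockerfile pinned `golang:1.23.5-bookworm`. Pin the image by digest while keeping the tag for readability, e.g. `BUILDER_IMAGE ?= ghcr.io/newrelic/coreint-automation:latest-go$(GO_VERSION)-ubuntu16.04@sha256:<digest-placeholder>`, or at least have `ci/pull-builder-image` in build/ci.mk print the pulled RepoDigest so a published package can be traced back to the exact image that built it. Two smaller things: GNU make keeps the surrounding double quotes as part of the variable's value (the shell strips them inside recipes, but they leak anywhere the variable is used outside one), and `GO_VERSION` is whatever the `go` directive in go.mod says, which may carry a patch component; whether a tag exists for that exact string cannot be confirmed from this diff.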
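Review bot: The `nri-nix-fips` build entry has no comment explaining why its env differs from `nri-nix`, and the consequences are not obvious from the YAML: `GOEXPERIMENT=boringcrypto` swaps the Go crypto packages for the BoringCrypto module, which requires `CGO_ENABLED=1`, and cgo makes the resulting binary dynamically linked against the builder's libc instead of the static binary goreleaser produces by default with `CGO_ENABLED=0` (presumably why the ubuntu16.04 builder is used for glibc compatibility — confirm). The `fips` tag is what compiles src/fips.go in, so the two have to stay in sync. I would add above `- id: nri-nix-fips`: `# FIPS variant: BoringCrypto needs cgo, so this binary is dynamically linked against glibc; the 'fips' tag pulls in src/fips.go, which locks TLS to FIPS-approved settings.` The arm64 branch also assumes `aarch64-linux-gnu-gcc` exists in the builder image, which nothing in this change verifies.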
@@ -67,9 +91,60 @@ nfpms: overrides: rpm: - file_name_template: "{{ .ProjectName }}-{{ .Version }}-1.{{ .Arch }}" - replacements: - amd64: x86_64 + file_name_template: >- + {{- .ProjectName }}- + {{- .Version }}-1. + {{- if eq .Arch "amd64" -}}x86_64 + {{- else -}} + {{ .Arch }} + {{- end }} + + # Formats to be generated. + formats: + - deb + - rpm + + - id: linux-fips + package_name: nri-mongodb-fips + file_name_template: "{{ .PackageName }}_{{ .Version }}-1_{{ .Arch }}" + vendor: "New Relic, Inc." + homepage: "https://www.newrelic.com/infrastructure" + maintainer: "New Relic Infrastructure Team " + description: "New Relic Infrastructure mongodb Integration extend the core New Relic\nInfrastructure agent's capabilities to allow you to collect metric and\nlive state data from mongodb components." + license: "https://newrelic.com/terms (also see LICENSE installed with this package)" + + builds: + - nri-nix-fips + + dependencies: + - newrelic-infra-fips (>= 1.60.0) + + bindir: "/var/db/newrelic-infra/newrelic-integrations/bin" + + contents: + - src: "mongodb-config.yml.sample" + dst: "/etc/newrelic-infra/integrations.d/mongodb-config.yml.sample" + - src: "mongodb-log.yml.example" + dst: "/etc/newrelic-infra/logging.d/mongodb-log.yml.example" + - src: "CHANGELOG.md" + dst: "/usr/share/doc/nri-mongodb/CHANGELOG.md" + - src: "README.md" + dst: "/usr/share/doc/nri-mongodb/README.md" + - src: "LICENSE" + dst: "/usr/share/doc/nri-mongodb/LICENSE" + - src: "legacy/mongodb-definition.yml" + dst: "/var/db/newrelic-infra/newrelic-integrations/mongodb-definition.yml" + type: config + + overrides: + rpm: + file_name_template: >- + {{- .ProjectName }}-fips- + {{- .Version }}-1. + {{- if eq .Arch "amd64" -}}x86_64 + {{- else -}} + {{ .Arch }} + {{- end }} # Formats to be generated. formats: 
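Review bot: `nri-mongodb-fips` installs the same binary path (`bindir` `/var/db/newrelic-infra/newrelic-integrations/bin`), the same config sample and definition paths, and its docs under `/usr/share/doc/nri-mongodb/`, all of which the `linux` package `nri-mongodb` also owns, yet it declares no relationship to that package; installing both on one host will most likely fail on file conflicts (dpkg) or an rpm transaction conflict, and which binary ends up in place after an upgrade is undefined. Add `conflicts:` with `- nri-mongodb` (and `replaces:` with the same entry if the FIPS package is meant to be a drop-in swap) to the `linux-fips` entry, and point its doc files at `/usr/share/doc/nri-mongodb-fips/` so they are owned by the right package. The `description` is copied verbatim from the non-FIPS package; a sentence stating that this build uses BoringCrypto and requires `newrelic-infra-fips` would help whoever reads `dpkg -s` or `rpm -qi`. The `(>= 1.60.0)` floor on `newrelic-infra-fips` is presumably the first agent version with a FIPS build — worth a comment, since nothing here says why that version.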
@@ -87,6 +162,17 @@ archives: dst: . strip_parent: true format: tar.gz + + - id: nri-nix-fips + builds: + - nri-nix-fips + name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}_dirty" + files: + - mongodb-config.yml.sample + - src: 'legacy/mongodb-definition.yml' + dst: . + strip_parent: true + format: tar.gz - id: nri-win builds: diff --git a/build/Dockerfile b/build/Dockerfile deleted file mode 100644 index 1cef5f1..0000000 --- a/build/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -FROM golang:1.23.5-bookworm - -ARG GH_VERSION='1.9.2' - -RUN apt-get update \ - && apt-get -y install \ - rpm \ - gnupg2 \ - gpg-agent \ - debsigs \ - unzip \ - zip -# Since the user does not match the owners of the repo "git rev-parse --is-inside-work-tree" fails and goreleaser does not populate projectName -# https://stackoverflow.com/questions/72978485/git-submodule-update-failed-with-fatal-detected-dubious-ownership-in-repositor -RUN git config --global --add safe.directory '*' -RUN curl -L https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.deb -o gh_${GH_VERSION}_linux_amd64.deb -RUN dpkg -i gh_${GH_VERSION}_linux_amd64.deb diff --git a/build/ci.mk b/build/ci.mk index 3d087fb..a6e1188 100644 --- a/build/ci.mk +++ b/build/ci.mk @@ -1,8 +1,9 @@ -BUILDER_TAG ?= nri-$(INTEGRATION)-builder +.PHONY : ci/pull-builder-image +ci/pull-builder-image: + @docker pull $(BUILDER_IMAGE) .PHONY : ci/deps -ci/deps: - @docker build -t $(BUILDER_TAG) -f $(CURDIR)/build/Dockerfile $(CURDIR) +ci/deps: ci/pull-builder-image .PHONY : ci/debug-container ci/debug-container: ci/deps @@ -17,7 +18,7 @@ ci/debug-container: ci/deps -e GPG_MAIL \ -e GPG_PASSPHRASE \ -e GPG_PRIVATE_KEY_BASE64 \ - $(BUILDER_TAG) bash + $(BUILDER_IMAGE) bash .PHONY : ci/test ci/test: ci/deps 
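Review bot: The `nri-nix-fips` archive's `name_template` `{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}_dirty` contains nothing that distinguishes it from the non-FIPS archive; if the `nri-nix` archive entry above this hunk uses the same pattern, goreleaser produces two tar.gz artifacts with identical paths for linux/amd64 and linux/arm64, and either one overwrites the other or the run errors out. The nfpm side already distinguishes the package as `nri-mongodb-fips`, so mirror that here: `name_template: "{{ .ProjectName }}-fips_{{ .Os }}_{{ .Version }}_{{ .Arch }}_dirty"`. Whatever `release/fix-archive` in build/release.mk does with the `_dirty` suffix should also be checked against the new name.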
@@ -25,7 +26,7 @@ ci/test: ci/deps --name "nri-$(INTEGRATION)-test" \ -v $(CURDIR):/go/src/github.com/newrelic/nri-$(INTEGRATION) \ -w /go/src/github.com/newrelic/nri-$(INTEGRATION) \ - $(BUILDER_TAG) make test + $(BUILDER_IMAGE) make test .PHONY : ci/snyk-test ci/snyk-test: @@ -46,7 +47,7 @@ ifdef TAG -w /go/src/github.com/newrelic/nri-$(INTEGRATION) \ -e INTEGRATION \ -e TAG \ - $(BUILDER_TAG) make release/build + $(BUILDER_IMAGE) make release/build else @echo "===> $(INTEGRATION) === [ci/build] TAG env variable expected to be set" exit 1 @@ -67,7 +68,7 @@ ifdef TAG -e GPG_MAIL \ -e GPG_PASSPHRASE \ -e GPG_PRIVATE_KEY_BASE64 \ - $(BUILDER_TAG) make release + $(BUILDER_IMAGE) make release else @echo "===> $(INTEGRATION) === [ci/prerelease] TAG env variable expected to be set" exit 1 diff --git a/build/nix/sign.sh b/build/nix/sign.sh deleted file mode 100755 index 3ec8021..0000000 --- a/build/nix/sign.sh +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/usr/bin/env sh -set -e -# -# -# -# Sign RPM's & DEB's in /dist artifacts -# -# -# - -# Sign RPM's -echo "===> Create .rpmmacros to sign rpm's from Goreleaser" -echo "%_gpg_name ${GPG_MAIL}" >> ~/.rpmmacros -echo "%_signature gpg" >> ~/.rpmmacros -echo "%_gpg_path /root/.gnupg" >> ~/.rpmmacros -echo "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros -echo "%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --batch --pinentry-mode loopback --passphrase ${GPG_PASSPHRASE} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros - -echo "===> Importing GPG private key from GHA secrets..." -printf %s ${GPG_PRIVATE_KEY_BASE64} | base64 -d | gpg --batch --import - - -echo "===> Importing GPG signature, needed from Goreleaser to verify signature" -gpg --export -a ${GPG_MAIL} > /tmp/RPM-GPG-KEY-${GPG_MAIL} -rpm --import /tmp/RPM-GPG-KEY-${GPG_MAIL} - -cd dist - -find . -regex ".*\.\(rpm\)" | while read rpm_file; do - echo "===> Signing $rpm_file" - rpm --addsign "$rpm_file" - echo "===> Sign verification $rpm_file" - rpm -v --checksig $rpm_file -done - -# Sign DEB's -GNUPGHOME="/root/.gnupg" -echo "${GPG_PASSPHRASE}" > "${GNUPGHOME}/gpg-passphrase" -echo "passphrase-file ${GNUPGHOME}/gpg-passphrase" >> "$GNUPGHOME/gpg.conf" -echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf" -echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf" -echo 'use-agent' >> "${GNUPGHOME}/gpg.conf" -echo RELOADAGENT | gpg-connect-agent - -find . -regex ".*\.\(deb\)" | while read deb_file; do - echo "===> Signing $deb_file" - debsigs --sign=origin --verify --check -v -k ${GPG_MAIL} $deb_file -done diff --git a/build/release.mk b/build/release.mk index 0204c03..d0478ef 100644 --- a/build/release.mk +++ b/build/release.mk @@ -1,5 +1,5 @@ BUILD_DIR := ./bin/ -GORELEASER_VERSION := v0.174.1 +GORELEASER_VERSION := v2.4.4 GORELEASER_BIN ?= bin/goreleaser bin: 
@@ -27,10 +27,10 @@ release/deps: $(GORELEASER_BIN) release/build: release/deps release/clean ifeq ($(PRERELEASE), true) @echo "===> $(INTEGRATION) === [release/build] PRE-RELEASE compiling all binaries, creating packages, archives" - @$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --rm-dist + @$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --clean else @echo "===> $(INTEGRATION) === [release/build] build compiling all binaries" - @$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --rm-dist + @$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --clean endif .PHONY : release/fix-archive @@ -43,7 +43,7 @@ release/fix-archive: .PHONY : release/sign/nix release/sign/nix: @echo "===> $(INTEGRATION) === [release/sign] signing packages" - @bash $(CURDIR)/build/nix/sign.sh + @bash sign.sh .PHONY : release/publish diff --git a/src/fips.go b/src/fips.go new file mode 100644 index 0000000..dd0c32f --- /dev/null +++ b/src/fips.go @@ -0,0 +1,11 @@ +// Copyright 2025 New Relic Corporation. All rights reserved. +// SPDX-License-Identifier: Apache-2.0 + +//go:build fips +// +build fips + +package main + +import ( + _ "crypto/tls/fipsonly" +)
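Review bot: `release/sign/nix` now runs `bash sign.sh` relative to the current working directory, and the script it used to call was deleted in this same commit, so the target depends on a `sign.sh` supplied from outside the repository (presumably by the builder image); nothing in the recipe says where it is expected to come from, and a missing file surfaces only as a generic bash error. Since this step is the one that handles the GPG key material signing the release packages, make the dependency explicit: add `@test -f sign.sh || { echo "===> $(INTEGRATION) === [release/sign] sign.sh not found (expected from builder image)"; exit 1; }` before the `bash sign.sh` line and a comment above the target naming the script's source, or reference it through an absolute path or a variable so the cwd no longer matters.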
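Review bot: src/fips.go does the right thing but says nothing about how it works, and the mechanism is easy to break without noticing. A blank import of `crypto/tls/fipsonly` restricts every TLS configuration in the binary to FIPS-approved settings, and the package only exists in a toolchain run with `GOEXPERIMENT=boringcrypto`, so a `-tags fips` build without that experiment fails to compile — the desired fail-closed behaviour, but it looks like a broken toolchain to whoever hits it. I would add above the import: `// Blank-importing crypto/tls/fipsonly locks all TLS configuration to FIPS-approved settings. The package exists only when built with GOEXPERIMENT=boringcrypto (build id nri-nix-fips in build/.goreleaser.yml); a -tags fips build without it fails to compile on purpose.` Note that this file only constrains TLS; which other crypto primitives are FIPS-validated is a property of the BoringCrypto toolchain, not of this import.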