@beanuwave beanuwave commented Jun 11, 2025

Based on build-tooling changes from 18921 which needs to be resolved first.

Description

Makes required changes to build and test under FIPS-140-3 compliance support. FIPS mode can be activated by adding the -Pcrypto.standard=FIPS-140-3 Gradle parameter.

NOTE: This includes all remaining changes from the original PR#14912

Related Issues

Resolves RFC

Check List

  • Functionality includes testing.
  • API changes companion pull request created, if applicable.
  • Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

❌ Gradle check result for 9b5da5c: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

github-actions bot commented Jul 7, 2025

❌ Gradle check result for 986dce7: FAILURE

@terryquigleysas

I'd like to raise a general point here to keep in mind with this development, especially as instructions will be required for Java setups other than the bundled version. The Red Hat JDK 21, for example, has a default of fips.keystore.type: PKCS12 - see https://docs.redhat.com/en/documentation/red_hat_build_of_openjdk/21/html/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips/fips_settings#fips_settings .

We'd like to ensure that code checks aren't so stringent as to prevent this setup from working.

❌ Gradle check result for 939e6b5: FAILURE

❌ Gradle check result for 11da667: FAILURE

❌ Gradle check result for 9a387a4: FAILURE

❌ Gradle check result for 4e0af75: FAILURE

❌ Gradle check result for 9efd838: FAILURE

❌ Gradle check result for 4fc6b40: FAILURE

❌ Gradle check result for 0139eaa: FAILURE

❌ Gradle check result for f52e720: null

beanuwave commented Jul 16, 2025

> The Red Hat JDK 21, for example, has a default of fips.keystore.type: PKCS12

@terryquigleysas Thank you for pointing out those limitations.

> We'd like to ensure that code checks aren't so stringent as to prevent this setup from working.

We rely on the SunPKCS12 provider to load the JVM's default truststore. In the case of OpenJDK the default type is the same as RHEL's - so nothing changes for us.

terryquigleysas commented Jul 16, 2025

> > The Red Hat JDK 21, for example, has a default of fips.keystore.type: PKCS12
>
> @terryquigleysas Thank you for pointing out those limitations.
>
> > We'd like to ensure that code checks aren't so stringent as to prevent this setup from working.
>
> We rely on the SunPKCS12 provider to load the JVM's default truststore. In the case of OpenJDK the default type is the same as RHEL's - so nothing changes for us.

Good news. Thank you for the reply. Much appreciated!

github-actions bot commented Aug 1, 2025

❌ Gradle check result for cb7949d: null

beanuwave changed the title from "remaining changes from 14912" to "Make test-suite runnable under FIPS JVM" on Aug 4, 2025

github-actions bot commented Aug 4, 2025

❌ Gradle check result for 0680de8: FAILURE

github-actions bot commented Aug 4, 2025

❌ Gradle check result for 732e412: FAILURE

github-actions bot commented Aug 4, 2025

✅ Gradle check result for 6164088: SUCCESS

codecov bot commented Aug 4, 2025

Codecov Report

❌ Patch coverage is 22.93578% with 168 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.89%. Comparing base (292407b) to head (ff0e108).
⚠️ Report is 226 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...arch/bootstrap/MultiProviderTrustStoreHandler.java | 8.13% | 113 Missing ⚠️ |
| .../opensearch/cloud/gce/GceInstancesServiceImpl.java | 7.69% | 12 Missing ⚠️ |
| .../org/opensearch/gradle/test/rest/RestTestUtil.java | 0.00% | 9 Missing ⚠️ |
| ...n/java/org/opensearch/common/ssl/KeyStoreUtil.java | 70.00% | 5 Missing and 4 partials ⚠️ |
| ...ch/repositories/gcs/GoogleCloudStorageService.java | 28.57% | 4 Missing and 1 partial ⚠️ |
| ...g/opensearch/common/ssl/DefaultJdkTrustConfig.java | 0.00% | 3 Missing and 1 partial ⚠️ |
| ...va/org/opensearch/common/ssl/SslConfiguration.java | 0.00% | 3 Missing and 1 partial ⚠️ |
| ...g/opensearch/common/ssl/TrustEverythingConfig.java | 0.00% | 3 Missing and 1 partial ⚠️ |
| ...rg/opensearch/common/settings/KeyStoreWrapper.java | 50.00% | 3 Missing and 1 partial ⚠️ |
| ...search/gradle/test/StandaloneRestTestPlugin.groovy | 0.00% | 3 Missing ⚠️ |

... and 1 more
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #18491      +/-   ##
============================================
- Coverage     73.02%   72.89%   -0.14%     
+ Complexity    69548    69438     -110     
============================================
  Files          5647     5648       +1     
  Lines        319106   319301     +195     
  Branches      46163    46180      +17     
============================================
- Hits         233034   232753     -281     
- Misses        67232    67684     +452     
- Partials      18840    18864      +24     

github-actions bot commented Aug 8, 2025

❌ Gradle check result for fea87d0: FAILURE

❌ Gradle check result for c3002d8: FAILURE

iigonin and others added 3 commits August 14, 2025 10:05
Signed-off-by: Igonin <[email protected]>
Co-authored-by: Benny Goerzig <[email protected]>
Co-authored-by: Karsten Schnitter <[email protected]>
Co-authored-by: Kai Sternad <[email protected]>
…erts file; add bc-jsse provider

Signed-off-by: Igonin <[email protected]>
Co-authored-by: Benny Goerzig <[email protected]>
Co-authored-by: Karsten Schnitter <[email protected]>
Co-authored-by: Kai Sternad <[email protected]>
Signed-off-by: Igonin <[email protected]>
Co-authored-by: Benny Goerzig <[email protected]>
Co-authored-by: Karsten Schnitter <[email protected]>
Co-authored-by: Kai Sternad <[email protected]>

❌ Gradle check result for ff0e108:

✅ Gradle check result for ff0e108: SUCCESS

@opensearch-trigger-bot

This PR is stalled because it has been open for 30 days with no activity.

opensearch-trigger-bot added the "stalled" label (Issues that have stalled) on Oct 13, 2025

Successfully merging this pull request may close these issues.

[RFC] FIPS-140 Compliance Roadmap for OpenSearch
