newrelic · nr-dadams · Jul 24, 2024 · Oct 25, 2024 · Nov 5, 2024 · Nov 8, 2024
@@ -12,6 +12,10 @@ on:
       dest_prefix:
         description: 'Repo prefix'
         required: true
+      BUILD_MODE:
+        description: 'Enable NON-FIPS, FIPS or ALL'
+        required: false
+        default: 'ALL' # "ALL" "NON-FIPS" "FIPS":
 
 env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -55,10 +59,12 @@ jobs:
           username: ${{ env.DOCKER_HUB_ID }}
           password: ${{ env.DOCKER_HUB_PASSWORD }}
 
-      - name: Preparing all linux packages
+      - name: Preparing all NON-FIPS linux packages
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'NON-FIPS' }}
         run: make ci/prerelease/linux
         env:
           TAG: ${{ env.FAKE_TAG }}
+          FIPS: ""
 
       - name: Generate checksum files
         uses: ./.github/actions/generate-checksums
@@ -67,7 +73,8 @@ jobs:
           files_path: 'dist'
           run_sudo: true
 
-      - name: Publish deb to S3 action
+      - name: Publish NON-FIPS deb to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'NON-FIPS' }}
         uses: newrelic/[email protected]
         with:
           tag: ${{env.FAKE_TAG}}
@@ -92,7 +99,8 @@ jobs:
           local_packages_path:  "/srv/dist/"
           apt_skip_mirror:  true
 
-      - name: Publish rpm to S3 action
+      - name: Publish NON-FIPS rpm to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'NON-FIPS' }}
         uses: newrelic/[email protected]
         with:
           tag: ${{env.FAKE_TAG}}
@@ -116,7 +124,8 @@ jobs:
           dest_prefix: ${{ env.DEST_PREFIX }}
           local_packages_path:  "/srv/dist/"
 
-      - name: Publish targz to S3 action
+      - name: Publish NON-FIPS targz to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'NON-FIPS' }}
         uses: newrelic/[email protected]
         with:
           tag: ${{env.FAKE_TAG}}
@@ -139,3 +148,93 @@ jobs:
           disable_lock: ${{ env.DISABLE_LOCK }}
           dest_prefix: ${{ env.DEST_PREFIX }}
           local_packages_path:  "/srv/dist/"
+
+      - name: Preparing all FIPS linux packages
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+        run: make ci/prerelease/linux-fips
+        env:
+          TAG: ${{ env.FAKE_TAG }}
+          FIPS: "_fips"
+
+      - name: Generate checksum files
+        uses: ./.github/actions/generate-checksums
+        with:
+          files_regex: '.*\(tar.gz\|deb\|rpm\)'
+          files_path: 'dist'
+          run_sudo: true
+
+      - name: Publish FIPS deb to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+        uses: newrelic/[email protected]
+        with:
+          tag: ${{env.FAKE_TAG}}
+          app_name: "newrelic-infra"
+          repo_name: "newrelic/infrastructure-agent"
+          schema: "custom"
+          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.BRANCH }}/build/upload-schema-linux-deb-fips.yml"
+          aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
+          aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }}
+          access_point_host: ${{ env.ACCESS_POINT_HOST }}
+          run_id: ${{ env.RUN_ID }}
+          aws_region: ${{ env.AWS_REGION }}
+          aws_role_session_name: ${{ env.AWS_ROLE_SESSION_NAME }}
+          aws_role_arn: ${{ env.AWS_ROLE_ARN }}
+          # used for signing package stuff
+          gpg_passphrase: ${{ env.GPG_PASSPHRASE }}
+          gpg_private_key_base64: ${{ env.GPG_PRIVATE_KEY_BASE64 }}
+          disable_lock: ${{ env.DISABLE_LOCK }}
+          dest_prefix: ${{ env.DEST_PREFIX }}
+          local_packages_path:  "/srv/dist/"
+          apt_skip_mirror:  true
+
+      - name: Publish FIPS rpm to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+        uses: newrelic/[email protected]
+        with:
+          tag: ${{env.FAKE_TAG}}
+          app_name: "newrelic-infra"
+          repo_name: "newrelic/infrastructure-agent"
+          schema: "custom"
+          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.BRANCH }}/build/upload-schema-linux-rpm-fips.yml"
+          aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
+          aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }}
+          access_point_host: ${{ env.ACCESS_POINT_HOST }}
+          run_id: ${{ env.RUN_ID }}
+          aws_region: ${{ env.AWS_REGION }}
+          aws_role_session_name: ${{ env.AWS_ROLE_SESSION_NAME }}
+          aws_role_arn: ${{ env.AWS_ROLE_ARN }}
+          # used for signing package stuff
+          gpg_passphrase: ${{ env.GPG_PASSPHRASE }}
+          gpg_private_key_base64: ${{ env.GPG_PRIVATE_KEY_BASE64 }}
+          disable_lock: ${{ env.DISABLE_LOCK }}
+          dest_prefix: ${{ env.DEST_PREFIX }}
+          local_packages_path:  "/srv/dist/"
+
+      - name: Publish FIPS targz to S3 action
+        if: ${{ inputs.BUILD_MODE == 'ALL' || inputs.BUILD_MODE == 'FIPS' }}
+        uses: newrelic/[email protected]
+        with:
+          tag: ${{env.FAKE_TAG}}
+          app_name: "newrelic-infra"
+          repo_name: "newrelic/infrastructure-agent"
+          schema: "custom"
+          schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.BRANCH }}/build/upload-schema-linux-targz-fips.yml"
+          aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
+          aws_s3_lock_bucket_name: ${{ env.AWS_S3_LOCK_BUCKET_NAME }}
+          access_point_host: ${{ env.ACCESS_POINT_HOST }}
+          run_id: ${{ env.RUN_ID }}
+          aws_region: ${{ env.AWS_REGION }}
+          aws_role_session_name: ${{ env.AWS_ROLE_SESSION_NAME }}
+          aws_role_arn: ${{ env.AWS_ROLE_ARN }}
+          # used for signing package stuff
+          gpg_passphrase: ${{ env.GPG_PASSPHRASE }}
+          gpg_private_key_base64: ${{ env.GPG_PRIVATE_KEY_BASE64 }}
+          disable_lock: ${{ env.DISABLE_LOCK }}
+          dest_prefix: ${{ env.DEST_PREFIX }}
+          local_packages_path:  "/srv/dist/"
@@ -1,19 +1,54 @@
-FROM golang:1.22-bullseye
+# Use Ubuntu 16.04 as the base image
+FROM ubuntu:16.04
 
+# Define Go version
+ARG GO_VERSION=1.22.0
+# Define build-time arguments for the GitHub CLI version and architecture
 ARG GH_VERSION='2.0.0'
 ARG GH_ARCH='amd64'
 
-RUN apt-get update \
-    && apt-get -y install \
-        rpm \
-        gnupg2 \
-        gpg-agent \
-        debsigs \
-        unzip \
-        zip
 
-RUN curl -L https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${GH_ARCH}.deb -o gh_${GH_VERSION}_linux_${GH_ARCH}.deb
-RUN dpkg -i gh_${GH_VERSION}_linux_${GH_ARCH}.deb
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    curl \
+    wget \
+    expect \
+    git \
+    tar \
+    gcc \
+    g++ \
+    gnupg2 \
+    gnupg-agent \
+    debsigs \
+    rpm \
+    build-essential \
+    software-properties-common \
+    python-software-properties \
+    gcc-arm-linux-gnueabi \
+    dpkg-sig \
+    gcc-aarch64-linux-gnu
 
+
+# # Manually install cross-compilers
+# RUN apt-get install -y \
+# gcc-5-multilib-mips-linux-gnu
+
+# Install Go 1.22.0
+RUN curl -sSL https://golang.org/dl/go${GO_VERSION}.linux-amd64.tar.gz -o go${GO_VERSION}.linux-amd64.tar.gz && \
+    tar -C /usr/local -xzf go${GO_VERSION}.linux-amd64.tar.gz && \
+    rm go${GO_VERSION}.linux-amd64.tar.gz
+
+# Set Go environment variables
+ENV PATH="/usr/local/go/bin:${PATH}"
+ENV GOPATH="/go"
+
+# Download and install the GitHub CLI
+RUN curl -L https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_${GH_ARCH}.deb -o gh_${GH_VERSION}_linux_${GH_ARCH}.deb && \
+    dpkg -i gh_${GH_VERSION}_linux_${GH_ARCH}.deb && \
+    rm gh_${GH_VERSION}_linux_${GH_ARCH}.deb
+
+# Optional: Set Go environment flags
 ENV GOFLAGS="-buildvcs=false"
+
+# Optional: Configure git
 RUN git config --global --add safe.directory /go/src/github.com/newrelic/infrastructure-agent
@@ -1,4 +1,6 @@
 BUILDER_IMG_TAG = infrastructure-agent-builder
+BUILDER_IMG_TAG_FIPS = infrastructure-agent-builder-fips
+MODE=?
 
 .PHONY: ci/deps
 ci/deps:GH_ARCH ?= amd64
@@ -59,6 +61,10 @@ ci/tools-test: ci/deps
 ci/prerelease/linux:
 	TARGET_OS=linux $(MAKE) ci/prerelease
 
+.PHONY : ci/prerelease/linux-fips
+ci/prerelease/linux-fips:
+	TARGET_OS=linux-fips $(MAKE) ci/prerelease
+
 .PHONY : ci/prerelease/linux-amd64
 ci/prerelease/linux-amd64:
 	TARGET_OS=linux-amd64 $(MAKE) ci/prerelease
@@ -91,25 +97,41 @@ else
 	exit 1
 endif
 
-.PHONY : ci/prerelease
+.PHONY: ci/prerelease
 ci/prerelease: ci/deps
 ifdef TAG
-	@docker run --rm -t \
+	@ifdef FIPS; then \
+		docker run --rm -t \
+			--name "infrastructure-agent-prerelease-fips" \
+			-v $(CURDIR):/go/src/github.com/newrelic/infrastructure-agent \
+			-w /go/src/github.com/newrelic/infrastructure-agent \
+			-e PRERELEASE=true \
+			-e GITHUB_TOKEN \
+			-e TAG \
+			-e GPG_MAIL \
+			-e GPG_PASSPHRASE \
+			-e GPG_PRIVATE_KEY_BASE64 \
+			-e SNAPSHOT=false \
+			-e FIPS \
+			$(BUILDER_IMG_TAG) make release-${TARGET_OS}; \
+	else \
+		docker run --rm -t \
 			--name "infrastructure-agent-prerelease" \
 			-v $(CURDIR):/go/src/github.com/newrelic/infrastructure-agent \
-            -w /go/src/github.com/newrelic/infrastructure-agent \
+			-w /go/src/github.com/newrelic/infrastructure-agent \
 			-e PRERELEASE=true \
 			-e GITHUB_TOKEN \
 			-e TAG \
 			-e GPG_MAIL \
 			-e GPG_PASSPHRASE \
 			-e GPG_PRIVATE_KEY_BASE64 \
 			-e SNAPSHOT=false \
-			$(BUILDER_IMG_TAG) make release-${TARGET_OS}
-
+			-e FIPS="" \
+			$(BUILDER_IMG_TAG) make release-${TARGET_OS}; \
+	fi
 else
 	@echo "===> infrastructure-agent ===  [ci/prerelease/linux] TAG env variable expected to be set"
-	exit 1
+	@exit 1
 endif
 
 .PHONY : ci/prerelease-publish

@@ -6,7 +6,7 @@
       - linux-ctl-amd64
       - linux-service-amd64
     package_name: newrelic-infra
-    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2023.{{ .Arch }}"
+    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2023.{{ .Arch }}{{ .Env.FIPS }}"
     vendor: 'New Relic, Inc.'
     homepage: 'https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes'
     maintainer: '[email protected]'

@@ -6,7 +6,7 @@
       - linux-ctl-arm64
       - linux-service-arm64
     package_name: newrelic-infra
-    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2023.{{ .Arch }}"
+    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2023.{{ .Arch }}{{ .Env.FIPS }}"
     vendor: 'New Relic, Inc.'
     homepage: 'https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes'
     maintainer: '[email protected]'

@@ -6,7 +6,7 @@
       - linux-ctl-amd64
       - linux-service-amd64
     package_name: newrelic-infra
-    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2.{{ .Arch }}"
+    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2.{{ .Arch }}{{ .Env.FIPS }}"
     vendor: 'New Relic, Inc.'
     homepage: 'https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes'
     maintainer: '[email protected]'

@@ -6,7 +6,7 @@
       - linux-ctl-arm64
       - linux-service-arm64
     package_name: newrelic-infra
-    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2.{{ .Arch }}"
+    file_name_template: "newrelic-infra-{{ .Env.TAG }}-1.amazonlinux-2.{{ .Arch }}{{ .Env.FIPS }}"
     vendor: 'New Relic, Inc.'
     homepage: 'https://docs.newrelic.com/docs/release-notes/infrastructure-release-notes/infrastructure-agent-release-notes'
     maintainer: '[email protected]'

@@ -4,7 +4,7 @@
       - linux-agent-amd64
       - linux-ctl-amd64
       - linux-service-amd64
-    name_template: "newrelic-infra_{{.Os}}_{{ .Env.TAG }}_{{ .Arch }}_dirty"
+    name_template: "newrelic-infra_{{.Os}}_{{ .Env.TAG }}_{{ .Arch }}{{ .Env.FIPS }}_dirty"
     wrap_in_directory: false
     format: tar.gz
     files:

@@ -4,7 +4,7 @@
       - linux-agent-arm64
       - linux-ctl-arm64
       - linux-service-arm64
-    name_template: "newrelic-infra_{{.Os}}_{{ .Env.TAG }}_{{ .Arch }}_dirty"
+    name_template: "newrelic-infra_{{.Os}}_{{ .Env.TAG }}_{{ .Arch }}{{ .Env.FIPS }}_dirty"
     wrap_in_directory: false
     format: tar.gz
     files:

@@ -0,0 +1,52 @@
+  # build amd64
+  - id: linux-agent-amd64
+    main: ./cmd/newrelic-infra
+    binary: newrelic-infra
+    env:
+      - CGO_ENABLED=1
+      - GOEXPERIMENT=boringcrypto
+    goos:
+      - linux
+    ldflags:
+      - -s -w -X main.buildVersion={{.Version}}
+      - -s -w -X main.gitCommit={{.Commit}}
+      - -s -w -X main.buildDate={{.Date}}
+    goarch:
+      - amd64
+    tags:
+      - fips
+
+  - id: linux-ctl-amd64
+    main: ./cmd/newrelic-infra-ctl
+    binary: newrelic-infra-ctl
+    env:
+      - CGO_ENABLED=1
+      - GOEXPERIMENT=boringcrypto
+    goos:
+      - linux
+    ldflags:
+      - -s -w -X main.buildVersion={{.Version}}
+      - -s -w -X main.gitCommit={{.Commit}}
+      - -s -w -X main.buildDate={{.Date}}
+    goarch:
+      - amd64
+    tags:
+      - fips
+
+  - id: linux-service-amd64
+    main: ./cmd/newrelic-infra-service
+    binary: newrelic-infra-service
+    env:
+      - CGO_ENABLED=1
+      - GOEXPERIMENT=boringcrypto
+    goos:
+      - linux
+    ldflags:
+      - -s -w -X main.buildVersion={{.Version}}
+      - -s -w -X main.gitCommit={{.Commit}}
+      - -s -w -X main.buildDate={{.Date}}
+    goarch:
+      - amd64
+    tags:
+      - fips
+  # end build amd64
@@ -40,4 +40,4 @@
       - -s -w -X main.buildDate={{.Date}}
     goarch:
       - arm64
-  # end build arm64
+  # end build arm64