Fix test-release and docker image

michel-laterman · michel-laterman · commit 0267fe63c2cb · 2025-03-17T10:35:22.000-07:00
diff --git a/.buildkite/scripts/test-release.sh b/.buildkite/scripts/test-release.sh
@@ -3,16 +3,16 @@
 set -euo pipefail
 
 FLEET_SERVER_VERSION=${1:?"Fleet Server version is needed"}
+FILE_PREFIX="build/distributions/fleet-server-${FLEET_SERVER_VERSION}-"
 
 PLATFORM_FILES=(darwin-aarch64.tar.gz darwin-x86_64.tar.gz linux-arm64.tar.gz linux-x86_64.tar.gz windows-x86_64.zip)
 if [ "$FIPS" = "true" ] ; then
     PLATFORM_FILES=(linux-arm64.tar.gz linux-x86_64.tar.gz)
+    FILE_PREFIX="build/distributions/fleet-server-fips-${FLEET_SERVER_VERSION}-"
 fi
 
 #make release
 
-FILE_PREFIX="build/distributions/fleet-server-${FLEET_SERVER_VERSION}-"
-
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 NO_COLOR='\033[0m'
diff --git a/Dockerfile.fips b/Dockerfile.fips
@@ -40,6 +40,6 @@ USER fleet-server
 COPY --chown=fleet-server:fleet-server --chmod=644 fleet-server.yml /etc/fleet-server.yml
 COPY --chown=fleet-server:fleet-server --chmod=555 --from=builder /go/src/github.com/elastic/fleet-server/build/binaries/fleet-server-fips-${VERSION}-${TARGETOS:-linux}-*/fleet-server /usr/bin/fleet-server
 
-ENV GOFIPS=1
+ENV GODEBUG=fips140=on
 
 CMD [ "/usr/bin/fleet-server", "-c", "/etc/fleet-server.yml" ]
diff --git a/Makefile b/Makefile
@@ -56,6 +56,7 @@ DOCKER_PLATFORMS ?= linux/amd64 linux/arm64
 # only want to define the tag if none is specified, this allows an invocation like
 #    FIPS=true make test-e2e
 # to use a tag like X.Y.Z-fips and not X.Y.Z-fips-fips as the test-e2e target calls into make
+# TODO: We should change FIPS stand-alone/e2e images to use fleet-server-fips:TAG instead of fleet-server:TAG-fips
 ifndef DOCKER_IMAGE_TAG
 DOCKER_IMAGE_TAG?=${VERSION}
 ifeq "${DEV}" "true"
diff --git a/dev-tools/e2e/Dockerfile b/dev-tools/e2e/Dockerfile
@@ -2,18 +2,16 @@ ARG ELASTIC_AGENT_IMAGE # e.g. docker.elastic.co/cloud-release/elastic-agent-clo
 
 FROM --platform=linux/amd64 ${ELASTIC_AGENT_IMAGE} as elastic_agent_amd64
 ARG STACK_VERSION # e.g. 8.5.0-SNAPSHOT
-ARG FLEET_SUFFIX # e.g. -linux-x86_64
 ARG FLEET_FIPS="" # should be -fips if a fips distribution will be used
 ARG VCS_REF_SHORT # e.g. abc123
-ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server${FLEET_FIPS}-${STACK_VERSION}${FLEET_SUFFIX}/fleet-server \
+ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server${FLEET_FIPS}-${STACK_VERSION}-linux-x86_64/fleet-server \
              ./data/elastic-agent-${VCS_REF_SHORT}/components/fleet-server
 
 FROM --platform=linux/arm64 ${ELASTIC_AGENT_IMAGE} as elastic_agent_arm64
 ARG STACK_VERSION # e.g. 8.5.0-SNAPSHOT
-ARG FLEET_SUFFIX # e.g. -linux-x86_64
 ARG FLEET_FIPS="" # should be -fips if a fips distribution will be used
 ARG VCS_REF_SHORT # e.g. abc123
-ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server${FLEET_FIPS}-${STACK_VERSION}${FLEET_SUFFIX}/fleet-server \
+ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server${FLEET_FIPS}-${STACK_VERSION}-linux-arm64/fleet-server \
              ./data/elastic-agent-${VCS_REF_SHORT}/components/fleet-server
 
 FROM elastic_agent_${TARGETARCH}
diff --git a/dev-tools/e2e/build.sh b/dev-tools/e2e/build.sh
@@ -24,10 +24,6 @@ VCS_REF=$(docker inspect -f '{{index .Config.Labels "org.label-schema.vcs-ref"}}
 
 CUSTOM_IMAGE_TAG=${STACK_VERSION}-e2e-${COMMIT}-$(date +%s)
 
-FLEET_SUFFIX="-linux-x86_64"
-if [[ "$GOARCH" == "arm64" ]]; then
-    FLEET_SUFFIX="-linux-arm64"
-fi
 FLEET_FIPS=""
 if [[ "$FIPS" == "true" ]]; then
     FLEET_FIPS="-fips"
@@ -37,7 +33,6 @@ docker build \
 	-f $REPO_ROOT/dev-tools/e2e/Dockerfile \
 	--build-arg ELASTIC_AGENT_IMAGE=$BASE_IMAGE \
 	--build-arg STACK_VERSION=${FLEET_VERSION} \
-	--build-arg FLEET_SUFFIX=${FLEET_SUFFIX} \
 	--build-arg FLEET_FIPS=${FLEET_FIPS} \
 	--build-arg VCS_REF_SHORT=${VCS_REF:0:6} \
 	--platform linux/$GOARCH \
diff --git a/docs/fips.md b/docs/fips.md
@@ -36,7 +36,7 @@ The following make commands have different behaviour when FIPS is enabled:
 A Multipass VM created with `FIPS=true make multipass` is able to compile FIPS enabled golang programs, but is not able to run them.
 When you try to run one the following error occurs:
 ```
-GOFIPS=1 ./bin/fleet-server -c fleet-server.yml
+GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml
 panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider
 
 goroutine 1 [running]:
@@ -92,14 +92,14 @@ activate = 1
 default_properties = fips=yes
 ```
 
-4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GOFIPS=1` env vars, i.e.,
+4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GODEBUG=fips140=on` env vars, i.e.,
 ```
-OPENSSL_CONF=./openssl.cnf GOFIPS=1 ./bin/fleet-server -c fleet-server.yml
+OPENSSL_CONF=./openssl.cnf GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml
 23:48:47.871 INF Boot fleet-server args=["-c","fleet-server.yml"] commit=55104f6f ecs.version=1.6.0 exe=./bin/fleet-server pid=65037 ppid=5642 service.name=fleet-server service.type=fleet-server version=9.0.0
 i...
 ```
 
 ## Usage
 
-A FIPS enabled binary should be ran with the env var `GOFIPS=1` set.
+A FIPS enabled binary should be ran with the env var `GODEBUG=fips140=on` set.
 The system/image is required to have a FIPS compliant provider available.
