diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command index 2e4121913..de3e4f687 100755 --- a/.buildkite/hooks/pre-command +++ b/.buildkite/hooks/pre-command @@ -26,7 +26,7 @@ check_if_file_exist_in_repo() { local response=$(curl --fail -s -H "Authorization: token $GITHUB_REPO_TOKEN" https://api.github.com/repos/elastic/${repoName}/contents/${path_to_file}| grep -c "\"path\"\: \"${path_to_file}\"") if [[ ${response} -ge 1 ]]; then export FILE_EXISTS_IN_REPO=true - echo "FILE_EXIST_IN_REPO = true" + echo "FILE_EXIST_IN_REPO = true" else export FILE_EXISTS_IN_REPO=false echo "FILE_EXIST_IN_REPO = false" @@ -73,7 +73,7 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "fleet-server" && "$BUILDKITE_STEP_KEY" == " fi if [[ "$BUILDKITE_PIPELINE_SLUG" == "fleet-server-package-mbp" ]]; then - if [[ "$BUILDKITE_STEP_KEY" == package-x86-64* || "$BUILDKITE_STEP_KEY" == package-arm* || "$BUILDKITE_STEP_KEY" == "dra-snapshot" || "$BUILDKITE_STEP_KEY" == "dra-staging" ]]; then + if [[ "$BUILDKITE_STEP_KEY" == package-x86-64* || "$BUILDKITE_STEP_KEY" == package-fips-x86_64* || "$BUILDKITE_STEP_KEY" == package-arm* || "$BUILDKITE_STEP_KEY" == package-fips-arm* || "$BUILDKITE_STEP_KEY" == "dra-snapshot" || "$BUILDKITE_STEP_KEY" == "dra-staging" ]]; then export PRIVATE_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault kv get -field plaintext -format=json ${PRIVATE_CI_GCS_CREDENTIALS_PATH}) export JOB_GCS_BUCKET fi 
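Review bot: In the `.buildkite/hooks/pre-command` hunk at -73,7 +73,7 the new pattern is spelled `package-fips-x86_64*`, with an underscore, so it cannot match the step keys this commit adds in `pipeline.package.mbp.yml` (`package-fips-x86-64-snapshot`, `package-fips-x86-64-staging`). The second block, at -92,7 +92,7, uses the hyphenated form. The pattern here should read `"$BUILDKITE_STEP_KEY" == package-fips-x86-64*`. Whether the FIPS x86_64 steps currently miss anything depends on what else this block sets up, and the `if` body continues outside the hunk.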
@@ -92,7 +92,7 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "fleet-server-package-mbp" ]]; then fi if [[ "$BUILDKITE_PIPELINE_SLUG" == "fleet-server-package-mbp" ]]; then - if [[ "$BUILDKITE_STEP_KEY" == package-x86-64* || "$BUILDKITE_STEP_KEY" == package-arm* ]]; then + if [[ "$BUILDKITE_STEP_KEY" == package-x86-64* || "$BUILDKITE_STEP_KEY" == package-fips-x86-64* || "$BUILDKITE_STEP_KEY" == package-arm* || "$BUILDKITE_STEP_KEY" == package-fips-arm* ]]; then export PRIVATE_CI_GCS_CREDENTIALS_SECRET=$(retry 5 vault kv get -field plaintext -format=json ${PRIVATE_CI_GCS_CREDENTIALS_PATH}) export JOB_GCS_BUCKET fi diff --git a/.buildkite/hooks/pre-exit b/.buildkite/hooks/pre-exit index 378c51643..90265953d 100755 --- a/.buildkite/hooks/pre-exit +++ b/.buildkite/hooks/pre-exit @@ -16,7 +16,7 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "fleet-server" && "$BUILDKITE_STEP_KEY" == " fi if [[ "$BUILDKITE_PIPELINE_SLUG" == "fleet-server-package-mbp" ]]; then - if [[ "$BUILDKITE_STEP_KEY" == package-x86-64* || "$BUILDKITE_STEP_KEY" == package-arm* || "$BUILDKITE_STEP_KEY" == "dra-snapshot" && "$BUILDKITE_STEP_KEY" == "dra-staging" ]]; then + if [[ "$BUILDKITE_STEP_KEY" == package-x86-64* || "$BUILDKITE_STEP_KEY" == package-fips-x86-64* || "$BUILDKITE_STEP_KEY" == package-arm* || "$BUILDKITE_STEP_KEY" == package-fips-arm* || "$BUILDKITE_STEP_KEY" == "dra-snapshot" && "$BUILDKITE_STEP_KEY" == "dra-staging" ]]; then unset GOOGLE_APPLICATION_CREDENTIALS unset VAULT_ROLE_ID_SECRET unset VAULT_ADDR_SECRET diff --git a/.buildkite/pipeline.package.mbp.yml b/.buildkite/pipeline.package.mbp.yml index 398a6f032..593167562 100644 --- a/.buildkite/pipeline.package.mbp.yml +++ b/.buildkite/pipeline.package.mbp.yml 
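Review bot: In the `.buildkite/hooks/pre-exit` hunk the rewritten condition still ends in `"$BUILDKITE_STEP_KEY" == "dra-snapshot" && "$BUILDKITE_STEP_KEY" == "dra-staging"`. Inside `[[ ]]`, `&&` binds tighter than `||` and one key cannot equal both strings, so that term is always false. The `unset GOOGLE_APPLICATION_CREDENTIALS`, `unset VAULT_ROLE_ID_SECRET` and `unset VAULT_ADDR_SECRET` cleanup therefore never runs for the two DRA steps, although `pre-command` sets up credentials for them with `||`. The tail should mirror `pre-command`: `|| "$BUILDKITE_STEP_KEY" == "dra-snapshot" || "$BUILDKITE_STEP_KEY" == "dra-staging" ]]; then`. The body of this `if` continues outside the hunk.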
@@ -28,6 +28,29 @@ steps: image: "${IMAGE_UBUNTU_X86_64}" machineType: "c2-standard-16" + - label: "Package FIPS x86_64 snapshot" + if: "build.env('VERSION_QUALIFIER') == null" + key: "package-fips-x86-64-snapshot" + command: ".buildkite/scripts/package.sh snapshot" + env: + FIPS: "true" + agents: + provider: "gcp" + image: "${IMAGE_UBUNTU_X86_64}" + machineType: "c2-standard-16" + + - label: "Package FIPS x86_64 staging" + key: "package-fips-x86-64-staging" + command: | + source .buildkite/scripts/version_qualifier.sh + .buildkite/scripts/package.sh staging + env: + FIPS: "true" + agents: + provider: "gcp" + image: "${IMAGE_UBUNTU_X86_64}" + machineType: "c2-standard-16" + - label: "Package aarch64 snapshot" if: "build.env('VERSION_QUALIFIER') == null" key: "package-arm-snapshot" @@ -47,6 +70,29 @@ steps: imagePrefix: "${IMAGE_UBUNTU_ARM_64}" instanceType: "t4g.2xlarge" + - label: "Package FIPS aarch64 snapshot" + if: "build.env('VERSION_QUALIFIER') == null" + key: "package-fips-arm-snapshot" + command: ".buildkite/scripts/package.sh snapshot" + env: + FIPS: "true" + agents: + provider: "aws" + imagePrefix: "${IMAGE_UBUNTU_ARM_64}" + instanceType: "t4g.2xlarge" + + - label: "Package FIPS aarch64 staging" + key: "package-fips-arm-staging" + command: | + source .buildkite/scripts/version_qualifier.sh + .buildkite/scripts/package.sh staging + env: + FIPS: "true" + agents: + provider: "aws" + imagePrefix: "${IMAGE_UBUNTU_ARM_64}" + instanceType: "t4g.2xlarge" + - label: "DRA snapshot" if: "${FILE_EXISTS_IN_REPO} && build.env('VERSION_QUALIFIER') == null" key: "dra-snapshot" 
@@ -58,8 +104,12 @@ steps: depends_on: - step: "package-x86-64-snapshot" allow_failure: false + - step: "package-fips-x86-64-snapshot" + allow_failure: false - step: "package-arm-snapshot" allow_failure: false + - step: "package-fips-arm-snapshot" + allow_failure: false - label: "DRA release staging" # we don't usually build staging from the main branch, but we exceptionally allow it for prereleases @@ -76,5 +126,9 @@ steps: depends_on: - step: "package-x86-64-staging" allow_failure: false + - step: "package-fips-x86-64-staging" + allow_failure: false - step: "package-arm-staging" allow_failure: false + - step: "package-fips-arm-staging" + allow_failure: false diff --git a/.buildkite/scripts/common.sh b/.buildkite/scripts/common.sh index a90016aba..d36cb3b2f 100755 --- a/.buildkite/scripts/common.sh +++ b/.buildkite/scripts/common.sh @@ -51,6 +51,18 @@ with_go() { export PATH="${PATH}:$(go env GOPATH):$(go env GOPATH)/bin" } +with_msft_go() { + echo "Setting up microsoft/go" + create_workspace + check_platform_architeture + MSFT_DOWNLOAD_URL=https://aka.ms/golang/release/latest/go$(cat .go-version)-1.${platform_type}-${arch_type}.tar.gz + retry 5 $(curl -sL -o - $MSFT_DOWNLOAD_URL | tar -xz -f - -C ${WORKSPACE}) + export PATH="${PATH}:${WORKSPACE}/go/bin" + go version + which go + export PATH="${PATH}:$(go env GOPATH)/bin" +} + with_docker_compose() { echo "Setting up the Docker-compose environment..." create_workspace @@ -160,4 +172,4 @@ cleanup() { echo "Deleting temporary files..." rm -rf ${WORKSPACE}/${TMP_FOLDER_TEMPLATE_BASE}.* echo "Done." -} \ No newline at end of file +} diff --git a/.buildkite/scripts/local_build.sh b/.buildkite/scripts/local_build.sh index 1db25eb14..1371adcd5 100755 --- a/.buildkite/scripts/local_build.sh +++ b/.buildkite/scripts/local_build.sh 
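Review bot: In `with_msft_go` (`.buildkite/scripts/common.sh`) the toolchain tarball is streamed from a redirecting URL straight into `tar` with no integrity check, and this toolchain builds the FIPS release artifacts. `curl -sL` without `--fail` also hands an HTTP error body to `tar`. Because the pipeline sits inside `$(...)`, it runs once before `retry` is called, so `retry 5` receives its empty output instead of a command and retries nothing. Downloading to a file with `retry 5 curl --fail`, checking it against a SHA-256 pinned in the repo, and only then extracting would fix all three, with the expansions quoted. Separately, the new directory is appended to `PATH`, so a `go` already on the agent's `PATH` would presumably win over the Microsoft build.

```shell
with_msft_go() {
  # … unchanged: echo, create_workspace, check_platform_architeture …
  local archive="${WORKSPACE}/msft-go.tar.gz"
  MSFT_DOWNLOAD_URL="https://aka.ms/golang/release/latest/go$(cat .go-version)-1.${platform_type}-${arch_type}.tar.gz"
  retry 5 curl --fail -sSL -o "${archive}" "${MSFT_DOWNLOAD_URL}"
  # MSFT_GO_SHA256 is a placeholder: pin the expected digest per version/arch in the repo.
  printf '%s  %s\n' "${MSFT_GO_SHA256}" "${archive}" | sha256sum -c -
  tar -xz -f "${archive}" -C "${WORKSPACE}"
  # … unchanged: PATH export, go version, which go, GOPATH/bin export …
}
```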
@@ -5,6 +5,10 @@ set -euo pipefail source .buildkite/scripts/common.sh add_bin_path -with_go +if [[ "${FIPS:-false}" == "true" ]]; then + with_msft_go +else + with_go +fi -make local \ No newline at end of file +make local diff --git a/.buildkite/scripts/package.sh b/.buildkite/scripts/package.sh index a3ac5cfec..dc02d27da 100755 --- a/.buildkite/scripts/package.sh +++ b/.buildkite/scripts/package.sh @@ -14,14 +14,22 @@ if [[ ${BUILDKITE_BRANCH} == "main" && ${TYPE} == "staging" && -z ${VERSION_QUAL fi PLATFORMS="" -PACKAGES="" if [[ ${PLATFORM_TYPE} == "arm" || ${PLATFORM_TYPE} == "aarch64" ]]; then PLATFORMS="linux/arm64" - PACKAGES="docker" fi add_bin_path -with_go + +if [[ ${FIPS:-false} == "true" ]]; then + with_msft_go + if [[ ${PLATFORM_TYPE} == "arm" || ${PLATFORM_TYPE} == "aarch64" ]]; then + export PLATFORMS="linux/arm64" + else + export PLATFORMS="linux/amd64" + fi +else + with_go +fi with_mage case "${TYPE}" in diff --git a/.buildkite/scripts/test-release.sh b/.buildkite/scripts/test-release.sh index 9bd9bb1c5..b467df69c 100755 --- a/.buildkite/scripts/test-release.sh +++ b/.buildkite/scripts/test-release.sh @@ -3,16 +3,16 @@ set -euo pipefail FLEET_SERVER_VERSION=${1:?"Fleet Server version is needed"} +FILE_PREFIX="build/distributions/fleet-server-${FLEET_SERVER_VERSION}-" PLATFORM_FILES=(darwin-aarch64.tar.gz darwin-x86_64.tar.gz linux-arm64.tar.gz linux-x86_64.tar.gz windows-x86_64.zip) -if [ "$FIPS" = "true" ] ; then - PLATFORM_FILES=(linux-arm64-fips.tar.gz linux-x86_64-fips.tar.gz) +if [[ "${FIPS:-false}" == "true" ]] ; then + PLATFORM_FILES=(linux-arm64.tar.gz linux-x86_64.tar.gz) + FILE_PREFIX="build/distributions/fleet-server-fips-${FLEET_SERVER_VERSION}-" fi #make release -FILE_PREFIX="build/distributions/fleet-server-${FLEET_SERVER_VERSION}-" - RED='\033[0;31m' GREEN='\033[0;32m' NO_COLOR='\033[0m' diff --git a/Dockerfile.fips b/Dockerfile.fips index fdaa7de4a..e16995413 100644 --- a/Dockerfile.fips +++ b/Dockerfile.fips 
@@ -38,8 +38,8 @@ RUN addgroup --gid 1000 fleet-server && \ USER fleet-server COPY --chown=fleet-server:fleet-server --chmod=644 fleet-server.yml /etc/fleet-server.yml -COPY --chown=fleet-server:fleet-server --chmod=555 --from=builder /go/src/github.com/elastic/fleet-server/build/binaries/fleet-server-${VERSION}-${TARGETOS:-linux}-*-fips/fleet-server /usr/bin/fleet-server +COPY --chown=fleet-server:fleet-server --chmod=555 --from=builder /go/src/github.com/elastic/fleet-server/build/binaries/fleet-server-fips-${VERSION}-${TARGETOS:-linux}-*/fleet-server /usr/bin/fleet-server -ENV GOFIPS=1 +ENV GODEBUG=fips140=on CMD [ "/usr/bin/fleet-server", "-c", "/etc/fleet-server.yml" ] diff --git a/Makefile b/Makefile index 58d883ac2..ccaad8710 100644 --- a/Makefile +++ b/Makefile @@ -9,9 +9,18 @@ SHELL=/usr/bin/env bash GO_VERSION=$(shell cat '.go-version') DEFAULT_VERSION=$(shell awk '/const DefaultVersion/{print $$NF}' version/version.go | tr -d '"') + +# Set FIPS=true to force FIPS compliance when building +FIPS?=false + +ifeq "${FIPS}" "true" +PLATFORMS ?= linux/amd64 linux/arm64 +else +PLATFORMS ?= darwin/amd64 darwin/arm64 linux/amd64 linux/arm64 windows/amd64 +endif + TARGET_ARCH_amd64=x86_64 TARGET_ARCH_arm64=arm64 -PLATFORMS ?= darwin/amd64 darwin/arm64 linux/amd64 linux/arm64 windows/amd64 BUILDMODE_linux_amd64=-buildmode=pie BUILDMODE_linux_arm64=-buildmode=pie BUILDMODE_windows_amd64=-buildmode=pie @@ -51,6 +60,7 @@ else VERSION=${DEFAULT_VERSION} endif +DOCKER_IMAGE?=docker.elastic.co/fleet-server/fleet-server DOCKER_PLATFORMS ?= linux/amd64 linux/arm64 # defing the docker image tag used for stand-alone fleet-server images # only want to define the tag if none is specified, this allows an invocation like 
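Review bot: In the `Dockerfile.fips` hunk, `ENV GODEBUG=fips140=on` only has an effect on a Go toolchain that recognises the `fips140` setting; unknown GODEBUG keys are ignored at runtime, not rejected. If the version in `.go-version` (not visible here) predates that support, the image would start without the switch that `GOFIPS=1` used to provide, and nothing would report it. The `requirefips` build tag set in the Makefile presumably makes the binary fail closed, but that is not visible from this file. A comment above the `ENV` line would record the dependency, for example `# fips140 must be recognised by the Go toolchain in .go-version; unknown GODEBUG keys are silently ignored`. An operator who sets their own `GODEBUG` at `docker run` replaces this value entirely, which is worth a line in `docs/fips.md`.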
@@ -61,11 +71,7 @@ DOCKER_IMAGE_TAG?=${VERSION} ifeq "${DEV}" "true" DOCKER_IMAGE_TAG:=${DOCKER_IMAGE_TAG}-dev endif -ifeq "${FIPS}" "true" -DOCKER_IMAGE_TAG:=${DOCKER_IMAGE_TAG}-fips endif -endif -DOCKER_IMAGE?=docker.elastic.co/fleet-server/fleet-server PLATFORM_TARGETS=$(addprefix release-, $(PLATFORMS)) COVER_TARGETS=$(addprefix cover-, $(PLATFORMS)) @@ -87,17 +93,15 @@ GOBIN=$(shell go env GOPATH)/bin/ OS_NAME:=$(shell uname -s) -# Set FIPS=true to force FIPS compliance when building -FIPS?= # NOTE: We are assuming that the only GOEXPIREMENT flag will be associated with FIPS GOFIPSEXPERIMENT?= FIPSSUFFIX= ifeq "${FIPS}" "true" BUILDER_IMAGE=fleet-server-fips-builder:${GO_VERSION} +DOCKER_IMAGE:=docker.elastic.co/fleet-server/fleet-server-fips STANDALONE_DOCKERFILE=Dockerfile.fips -PLATFORMS = linux/amd64 linux/arm64 gobuildtags += requirefips -GOFIPSEXPERIMENT=GOEXPERIMENT=systemcrypto +GOFIPSEXPERIMENT=GOEXPERIMENT=systemcrypto CGO_ENABLED=1 FIPSSUFFIX=-fips endif @@ -148,7 +152,7 @@ $(COVER_TARGETS): cover-%: ## - Build a binary with the -cover flag for integrat $(eval $@_GO_ARCH := $(lastword $(subst /, ,$(lastword $(subst cover-, ,$@))))) $(eval $@_ARCH := $(TARGET_ARCH_$($@_GO_ARCH))) $(eval $@_BUILDMODE:= $(BUILDMODE_$($@_OS)_$($@_GO_ARCH))) - GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) ${GOFIPSEXPERIMENT} go build -tags=${GOBUILDTAGS} -cover -coverpkg=./... -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/cover/fleet-server-$(VERSION)-$($@_OS)-$($@_ARCH)$(FIPSSUFFIX)/fleet-server$(if $(filter windows,$($@_OS)),.exe,) . + GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) ${GOFIPSEXPERIMENT} go build -tags=${GOBUILDTAGS} -cover -coverpkg=./... -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/cover/fleet-server$(FIPSSUFFIX)-$(VERSION)-$($@_OS)-$($@_ARCH)/fleet-server$(if $(filter windows,$($@_OS)),.exe,) . .PHONY: clean clean: ## - Clean up build artifacts 
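Review bot: In the Makefile hunk at -87,17 +93,15, `DOCKER_IMAGE:=docker.elastic.co/fleet-server/fleet-server-fips` inside the `ifeq "${FIPS}" "true"` block replaces a `DOCKER_IMAGE` taken from the environment, while the non-FIPS path still honours it through `DOCKER_IMAGE?=`. A caller who exports a scratch registry name and sets `FIPS=true` would get the image tagged under the default docker.elastic.co name; only a command-line `make DOCKER_IMAGE=...` survives. Choosing the FIPS default where `DOCKER_IMAGE?=` is first defined, inside an `ifeq "${FIPS}" "true"` / `else` pair that uses `?=` in both branches, keeps the override behaviour the same in both modes. That `?=` definition is in the earlier hunk at -51,6 +60,7, not in this one.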
@@ -263,7 +267,7 @@ $(PLATFORM_TARGETS): release-%: $(eval $@_GO_ARCH := $(lastword $(subst /, ,$(lastword $(subst release-, ,$@))))) $(eval $@_ARCH := $(TARGET_ARCH_$($@_GO_ARCH))) $(eval $@_BUILDMODE:= $(BUILDMODE_$($@_OS)_$($@_GO_ARCH))) - GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) ${GOFIPSEXPERIMENT} go build -tags=${GOBUILDTAGS} -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/binaries/fleet-server-$(VERSION)-$($@_OS)-$($@_ARCH)$(FIPSSUFFIX)/fleet-server . + GOOS=$($@_OS) GOARCH=$($@_GO_ARCH) ${GOFIPSEXPERIMENT} go build -tags=${GOBUILDTAGS} -gcflags="${GCFLAGS}" -ldflags="${LDFLAGS}" $($@_BUILDMODE) -o build/binaries/fleet-server$(FIPSSUFFIX)-$(VERSION)-$($@_OS)-$($@_ARCH)/fleet-server . @$(MAKE) OS=$($@_OS) ARCH=$($@_ARCH) package-target .PHONY: build-docker @@ -307,8 +311,8 @@ else ifeq ($(OS)-$(ARCH),darwin-arm64) @tar -C build/binaries -zcf build/distributions/fleet-server-$(VERSION)-$(OS)-aarch64.tar.gz fleet-server-$(VERSION)-$(OS)-aarch64 @cd build/distributions && sha512sum fleet-server-$(VERSION)-$(OS)-aarch64.tar.gz > fleet-server-$(VERSION)-$(OS)-aarch64.tar.gz.sha512 else - @tar -C build/binaries -zcf build/distributions/fleet-server-$(VERSION)-$(OS)-$(ARCH)$(FIPSSUFFIX).tar.gz fleet-server-$(VERSION)-$(OS)-$(ARCH)$(FIPSSUFFIX) - @cd build/distributions && sha512sum fleet-server-$(VERSION)-$(OS)-$(ARCH)$(FIPSSUFFIX).tar.gz > fleet-server-$(VERSION)-$(OS)-$(ARCH)$(FIPSSUFFIX).tar.gz.sha512 + @tar -C build/binaries -zcf build/distributions/fleet-server$(FIPSSUFFIX)-$(VERSION)-$(OS)-$(ARCH).tar.gz fleet-server$(FIPSSUFFIX)-$(VERSION)-$(OS)-$(ARCH) + @cd build/distributions && sha512sum fleet-server$(FIPSSUFFIX)-$(VERSION)-$(OS)-$(ARCH).tar.gz > fleet-server$(FIPSSUFFIX)-$(VERSION)-$(OS)-$(ARCH).tar.gz.sha512 endif build-releaser: ## - Build a Docker image to run make package including all build tools diff --git a/dev-tools/e2e/Dockerfile b/dev-tools/e2e/Dockerfile index 0b7436dda..b404cb2f1 100644 --- a/dev-tools/e2e/Dockerfile 
+++ b/dev-tools/e2e/Dockerfile @@ -2,16 +2,16 @@ ARG ELASTIC_AGENT_IMAGE # e.g. docker.elastic.co/cloud-release/elastic-agent-clo FROM --platform=linux/amd64 ${ELASTIC_AGENT_IMAGE} as elastic_agent_amd64 ARG STACK_VERSION # e.g. 8.5.0-SNAPSHOT -ARG FLEET_SUFFIX # e.g. -linux-x86_64 +ARG FLEET_FIPS="" # should be -fips if a fips distribution will be used ARG VCS_REF_SHORT # e.g. abc123 -ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server-${STACK_VERSION}${FLEET_SUFFIX}/fleet-server \ +ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server${FLEET_FIPS}-${STACK_VERSION}-linux-x86_64/fleet-server \ ./data/elastic-agent-${VCS_REF_SHORT}/components/fleet-server FROM --platform=linux/arm64 ${ELASTIC_AGENT_IMAGE} as elastic_agent_arm64 ARG STACK_VERSION # e.g. 8.5.0-SNAPSHOT -ARG FLEET_SUFFIX # e.g. -linux-x86_64 +ARG FLEET_FIPS="" # should be -fips if a fips distribution will be used ARG VCS_REF_SHORT # e.g. abc123 -ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server-${STACK_VERSION}${FLEET_SUFFIX}/fleet-server \ +ONBUILD COPY --chmod=0755 --chown=elastic-agent cover/fleet-server${FLEET_FIPS}-${STACK_VERSION}-linux-arm64/fleet-server \ ./data/elastic-agent-${VCS_REF_SHORT}/components/fleet-server FROM elastic_agent_${TARGETARCH} diff --git a/dev-tools/e2e/build.sh b/dev-tools/e2e/build.sh index 64d6babb7..ead5c39f1 100755 --- a/dev-tools/e2e/build.sh +++ b/dev-tools/e2e/build.sh 
@@ -24,19 +24,16 @@ VCS_REF=$(docker inspect -f '{{index .Config.Labels "org.label-schema.vcs-ref"}} CUSTOM_IMAGE_TAG=${STACK_VERSION}-e2e-${COMMIT}-$(date +%s) -FLEET_SUFFIX="-linux-x86_64" -if [[ "$GOARCH" == "arm64" ]]; then - FLEET_SUFFIX="-linux-arm64" -fi -if [[ "$FIPS" == "true" ]]; then - FLEET_SUFFIX="${FLEET_SUFFIX}-fips" +FLEET_FIPS="" +if [[ "${FIPS:-false}" == "true" ]]; then + FLEET_FIPS="-fips" fi docker build \ -f $REPO_ROOT/dev-tools/e2e/Dockerfile \ --build-arg ELASTIC_AGENT_IMAGE=$BASE_IMAGE \ --build-arg STACK_VERSION=${FLEET_VERSION} \ - --build-arg FLEET_SUFFIX=${FLEET_SUFFIX} \ + --build-arg FLEET_FIPS=${FLEET_FIPS} \ --build-arg VCS_REF_SHORT=${VCS_REF:0:6} \ --platform linux/$GOARCH \ -t ${CI_ELASTIC_AGENT_DOCKER_IMAGE}:${CUSTOM_IMAGE_TAG} \ diff --git a/docs/fips.md b/docs/fips.md index c15456787..fcd239791 100644 --- a/docs/fips.md +++ b/docs/fips.md @@ -36,7 +36,7 @@ The following make commands have different behaviour when FIPS is enabled: A Multipass VM created with `FIPS=true make multipass` is able to compile FIPS enabled golang programs, but is not able to run them. When you try to run one the following error occurs: ``` -GOFIPS=1 ./bin/fleet-server -c fleet-server.yml +GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider goroutine 1 [running]: 
@@ -92,14 +92,14 @@ activate = 1 default_properties = fips=yes ``` -4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GOFIPS=1` env vars, i.e., +4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GODEBUG=fips140=on` env vars, i.e., ``` -OPENSSL_CONF=./openssl.cnf GOFIPS=1 ./bin/fleet-server -c fleet-server.yml +OPENSSL_CONF=./openssl.cnf GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml 23:48:47.871 INF Boot fleet-server args=["-c","fleet-server.yml"] commit=55104f6f ecs.version=1.6.0 exe=./bin/fleet-server pid=65037 ppid=5642 service.name=fleet-server service.type=fleet-server version=9.0.0 i... ``` ## Usage -A FIPS enabled binary should be ran with the env var `GOFIPS=1` set. +A FIPS enabled binary should be ran with the env var `GODEBUG=fips140=on` set. The system/image is required to have a FIPS compliant provider available. diff --git a/testing/e2e/fips_test.go b/testing/e2e/fips_test.go index 993fe7f59..ddb860fe8 100644 --- a/testing/e2e/fips_test.go +++ b/testing/e2e/fips_test.go @@ -39,7 +39,7 @@ func (suite *FIPSStandAlone) SetupSuite() { arch = "x86_64" } // NOTE the path checked is hardcoded to linux as we currently only support linux for FIPS builds - path, err := filepath.Abs(filepath.Join("..", "..", "build", "cover", fmt.Sprintf("fleet-server-%s-SNAPSHOT-linux-%s-fips", version.DefaultVersion, arch), binaryName)) + path, err := filepath.Abs(filepath.Join("..", "..", "build", "cover", fmt.Sprintf("fleet-server-fips-%s-SNAPSHOT-linux-%s", version.DefaultVersion, arch), binaryName)) suite.Require().NoError(err) suite.binaryPath = path _, err = os.Stat(suite.binaryPath)