Add buildkite step to run unit tests that require fips provider #4617

Draft
wants to merge 11 commits into
base: main

michel-laterman
Contributor

What is the problem this PR solves?

We need to be able to run tests on VMs that have a FIPS provider.

How does this PR solve the problem?

As a PoC, a buildkite step that runs FIPS=true make test-unit has been added to run on a new VM. Running this target requires msft/go (gathered by the new with_msft_go func added to common.sh) and a FIPS provider (supplied by VM).

Design Checklist

  • I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
  • I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
  • I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool

Add a buildkite step that runs FIPS=true make test-unit as these tests
require msft/go and a FIPS provider.
michel-laterman added the enhancement, Team:Elastic-Agent-Control-Plane, backport-8.x and backport-9.0 labels Mar 21, 2025
michel-laterman requested a review from simitt March 21, 2025 17:49
Contributor

mergify bot commented Mar 27, 2025

This pull request is now in conflicts. Could you fix it @michel-laterman? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fips-provider-tests upstream/fips-provider-tests
git merge upstream/main
git push upstream fips-provider-tests

Contributor

simitt left a comment

@michel-laterman can you explain what the goal of this PR is? Maybe I am not seeing what this setup would cover which isn't already covered with:

  • Unit tests running with the strict go-1.24 FIPS mode enabled
  • Plan to test more involved settings, e.g. upgrade, gpg, TLS functionality through system tests with the platform-ingest-fleet-server-ubuntu-2204-fips image.

When running unit tests with go-microsoft, it would still fall back to std lib functionality rather than fail if non-compliant algorithms are used.

Contributor Author

michel-laterman commented Mar 27, 2025

This runs the unit tests with the microsoft/go toolchain that uses the FIPS-enabled OpenSSL; this is basically a sanity check that everything will work on the VM and we can start enabling/developing more FIPS-related e2e tests.

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube
