
Create new FIPS packages on prerelease for linux
alvarocabanas committed Dec 30, 2024
1 parent 02bceb3 commit 037e330
Showing 4 changed files with 118 additions and 101 deletions.
7 changes: 7 additions & 0 deletions .github/workflows/component_linux_packaging.yml
Expand Up @@ -22,6 +22,10 @@ on:
ARCH:
required: true
type: string
FIPS:
required: false
type: boolean
default: false

env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
Expand All @@ -32,6 +36,7 @@ env:
DOCKER_HUB_ID: ${{ secrets.DOCKER_HUB_ID }}
DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
ARCH: ${{ inputs.ARCH }}
FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}

jobs:
packaging:
Expand All @@ -49,6 +54,8 @@ jobs:

- name: Preparing linux packages
run: make ci/prerelease/linux-${{ env.ARCH }}
env:
FIPS: ${{ env.FIPS }}

- name: Generate checksum files
uses: ./.github/actions/generate-checksums
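Review bot: The step-level `env: FIPS: ${{ env.FIPS }}` added under "Preparing linux packages" re-exports a value that the workflow-level `FIPS: ${{ inputs.FIPS == true && '-fips' || '' }}` already makes available to every `run` step of the job, so those two lines are a no-op and can be dropped. The new `FIPS` input also carries no `description`, and the boolean-to-suffix mapping lives two hunks away in the `env:` block, so a `description: "Build FIPS packages; appends -fips to artifact names"` on the input would make the contract visible to callers of this reusable workflow. The `packaging` job body continues outside the hunk.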
9 changes: 7 additions & 2 deletions .github/workflows/component_linux_publish.yml
Expand Up @@ -76,6 +76,9 @@ jobs:
- "targz"
- "deb"
- "rpm"
suffix:
- ""
- "-fips"

steps:
- name: Login to DockerHub
Expand All @@ -89,10 +92,10 @@ jobs:
uses: newrelic/[email protected]
with:
tag: ${{env.TAG}}
app_name: "newrelic-infra"
app_name: "newrelic-infra${{ matrix.suffix }}"
repo_name: "newrelic/infrastructure-agent"
schema: "custom"
schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.SCHEMA_BRANCH }}/build/upload-schema-linux-${{ matrix.assetsType }}.yml"
schema_url: "https://raw.githubusercontent.com/newrelic/infrastructure-agent/${{ env.SCHEMA_BRANCH }}/build/upload-schema-linux-${{ matrix.assetsType }}${{ matrix.suffix }}.yml"
aws_access_key_id: ${{ env.AWS_ACCESS_KEY_ID }}
aws_secret_access_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws_s3_bucket_name: ${{ env.AWS_S3_BUCKET_NAME }}
Expand All @@ -106,3 +109,5 @@ jobs:
gpg_passphrase: ${{ env.GPG_PASSPHRASE }}
gpg_private_key_base64: ${{ env.GPG_PRIVATE_KEY_BASE64 }}
disable_lock: ${{ env.DISABLE_LOCK }}
# TODO: remove after testing
dest_prefix: acabanas_complete_fips/
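Review bot: The added `dest_prefix: acabanas_complete_fips/` under `# TODO: remove after testing` hard-codes a personal upload prefix into the shared publish workflow, so every caller of `component_linux_publish.yml` publishes into that prefix until the line is removed; if a test destination is needed it should come from a new workflow input with an empty default rather than a literal in the reusable workflow. The new `suffix` matrix dimension makes `schema_url` resolve to `upload-schema-linux-<assetsType>-fips.yml` for the `-fips` leg of each asset type; those schema files are not part of this commit, so that leg depends on them already existing on `SCHEMA_BRANCH`, which is worth confirming before a real prerelease run. The job header and the rest of the `steps` list are outside the hunk.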
162 changes: 96 additions & 66 deletions .github/workflows/prerelease_linux.yml
Expand Up @@ -19,7 +19,7 @@ jobs:
DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}

packaging-amd64:
needs: [unit-test, proxy-tests]
# needs: [unit-test, proxy-tests]
uses: ./.github/workflows/component_linux_packaging.yml
secrets:
DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
Expand All @@ -31,9 +31,24 @@ jobs:
with:
TAG: ${{ github.event.release.tag_name }}
ARCH: 'amd64'

packaging-amd64-fips:
# needs: [unit-test, proxy-tests]
uses: ./.github/workflows/component_linux_packaging.yml
secrets:
DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
GPG_MAIL: '[email protected]'
GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
TAG: ${{ github.event.release.tag_name }}
ARCH: 'amd64'
FIPS: true

packaging-arm:
needs: [unit-test, proxy-tests]
# needs: [unit-test, proxy-tests]
uses: ./.github/workflows/component_linux_packaging.yml
secrets:
DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
Expand All @@ -47,7 +62,7 @@ jobs:
ARCH: 'arm'

packaging-arm64:
needs: [unit-test, proxy-tests]
# needs: [unit-test, proxy-tests]
uses: ./.github/workflows/component_linux_packaging.yml
secrets:
DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
Expand All @@ -60,8 +75,8 @@ jobs:
TAG: ${{ github.event.release.tag_name }}
ARCH: 'arm64'

packaging-legacy:
needs: [unit-test, proxy-tests]
packaging-arm64-fips:
# needs: [unit-test, proxy-tests]
uses: ./.github/workflows/component_linux_packaging.yml
secrets:
DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
Expand All @@ -72,11 +87,12 @@ jobs:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
TAG: ${{ github.event.release.tag_name }}
ARCH: 'legacy'
ARCH: 'arm64'
FIPS: true

packaging-docker:
needs: [unit-test, proxy-tests]
uses: ./.github/workflows/component_docker_packaging.yml
packaging-legacy:
# needs: [unit-test, proxy-tests]
uses: ./.github/workflows/component_linux_packaging.yml
secrets:
DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
Expand All @@ -86,19 +102,33 @@ jobs:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
TAG: ${{ github.event.release.tag_name }}
ARCH: 'legacy'

docker-trivy-critical:
needs: [packaging-docker]
uses: ./.github/workflows/component_trivy.yml
with:
tag: "${{ github.event.release.tag_name }}-rc"
severity: "CRITICAL"
# packaging-docker:
# needs: [unit-test, proxy-tests]
# uses: ./.github/workflows/component_docker_packaging.yml
# secrets:
# DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
# DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
# GPG_MAIL: '[email protected]'
# GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
# GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
# GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# TAG: ${{ github.event.release.tag_name }}
#
# docker-trivy-critical:
# needs: [packaging-docker]
# uses: ./.github/workflows/component_trivy.yml
# with:
# tag: "${{ github.event.release.tag_name }}-rc"
# severity: "CRITICAL"

publishing-to-s3:
# point to staging after tests
name: Publish linux artifacts into s3 staging bucket
uses: ./.github/workflows/component_linux_publish.yml
needs: [packaging-amd64, packaging-arm, packaging-arm64, packaging-legacy]
needs: [packaging-amd64, packaging-amd64-fips, packaging-arm, packaging-arm64, packaging-arm64-fips, packaging-legacy]
secrets:
DOCKER_HUB_ID: ${{secrets.OHAI_DOCKER_HUB_ID}}
DOCKER_HUB_PASSWORD: ${{secrets.OHAI_DOCKER_HUB_PASSWORD}}
Expand All @@ -117,54 +147,54 @@ jobs:
AWS_S3_LOCK_BUCKET_NAME: "onhost-ci-lock-staging"
ASSETS_TYPE: "all"

molecule-packaging-tests:
uses: ./.github/workflows/component_molecule_packaging.yml
needs: [publishing-to-s3]
with:
TAG: ${{ github.event.release.tag_name }}
REPO_ENDPOINT: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"

test-prerelease-linux:
needs: [molecule-packaging-tests]
uses: ./.github/workflows/component_prerelease_testing.yml
with:
PLATFORM: "linux"
TAG: ${{ github.event.release.tag_name }}
TAG_OR_UNIQUE_NAME: "${{ github.event.release.tag_name }}-linux"
secrets:
AWS_VPC_SUBNET: ${{secrets.AWS_VPC_SUBNET}}
CROWDSTRIKE_CLIENT_ID: ${{secrets.CROWDSTRIKE_CLIENT_ID}}
CROWDSTRIKE_CLIENT_SECRET: ${{secrets.CROWDSTRIKE_CLIENT_SECRET}}
CROWDSTRIKE_CUSTOMER_ID: ${{secrets.CROWDSTRIKE_CUSTOMER_ID}}

canaries-linux:
needs: [test-prerelease-linux]
uses: ./.github/workflows/component_canaries.yml
with:
PLATFORM: "linux"
TAG: ${{ github.event.release.tag_name }}
secrets:
AWS_VPC_SUBNET: ${{secrets.AWS_VPC_SUBNET}}
CROWDSTRIKE_CLIENT_ID: ${{secrets.CROWDSTRIKE_CLIENT_ID}}
CROWDSTRIKE_CLIENT_SECRET: ${{secrets.CROWDSTRIKE_CLIENT_SECRET}}
CROWDSTRIKE_CUSTOMER_ID: ${{secrets.CROWDSTRIKE_CUSTOMER_ID}}

get_previous_tag:
runs-on: ubuntu-latest
outputs:
previous_tag: ${{ steps.previous_tag_step.outputs.PREVIOUS_TAG }}
steps:
- uses: actions/checkout@v2

- id: previous_tag_step
run: ./.github/workflows/scripts/previous_version.sh ${{ github.event.release.tag_name }} >> "$GITHUB_OUTPUT"

prune-previous-canaries-linux:
needs: [canaries-linux, get_previous_tag]
uses: ./.github/workflows/component_canaries_prune.yml
with:
PLATFORM: "linux"
TAG: ${{ needs.get_previous_tag.outputs.previous_tag }}
secrets:
AWS_VPC_SUBNET: ${{secrets.AWS_VPC_SUBNET}}
# molecule-packaging-tests:
# uses: ./.github/workflows/component_molecule_packaging.yml
# needs: [publishing-to-s3]
# with:
# TAG: ${{ github.event.release.tag_name }}
# REPO_ENDPOINT: "http://nr-downloads-ohai-staging.s3-website-us-east-1.amazonaws.com/infrastructure_agent"
#
# test-prerelease-linux:
# needs: [molecule-packaging-tests]
# uses: ./.github/workflows/component_prerelease_testing.yml
# with:
# PLATFORM: "linux"
# TAG: ${{ github.event.release.tag_name }}
# TAG_OR_UNIQUE_NAME: "${{ github.event.release.tag_name }}-linux"
# secrets:
# AWS_VPC_SUBNET: ${{secrets.AWS_VPC_SUBNET}}
# CROWDSTRIKE_CLIENT_ID: ${{secrets.CROWDSTRIKE_CLIENT_ID}}
# CROWDSTRIKE_CLIENT_SECRET: ${{secrets.CROWDSTRIKE_CLIENT_SECRET}}
# CROWDSTRIKE_CUSTOMER_ID: ${{secrets.CROWDSTRIKE_CUSTOMER_ID}}
#
# canaries-linux:
# needs: [test-prerelease-linux]
# uses: ./.github/workflows/component_canaries.yml
# with:
# PLATFORM: "linux"
# TAG: ${{ github.event.release.tag_name }}
# secrets:
# AWS_VPC_SUBNET: ${{secrets.AWS_VPC_SUBNET}}
# CROWDSTRIKE_CLIENT_ID: ${{secrets.CROWDSTRIKE_CLIENT_ID}}
# CROWDSTRIKE_CLIENT_SECRET: ${{secrets.CROWDSTRIKE_CLIENT_SECRET}}
# CROWDSTRIKE_CUSTOMER_ID: ${{secrets.CROWDSTRIKE_CUSTOMER_ID}}
#
# get_previous_tag:
# runs-on: ubuntu-latest
# outputs:
# previous_tag: ${{ steps.previous_tag_step.outputs.PREVIOUS_TAG }}
# steps:
# - uses: actions/checkout@v2
#
# - id: previous_tag_step
# run: ./.github/workflows/scripts/previous_version.sh ${{ github.event.release.tag_name }} >> "$GITHUB_OUTPUT"
#
# prune-previous-canaries-linux:
# needs: [canaries-linux, get_previous_tag]
# uses: ./.github/workflows/component_canaries_prune.yml
# with:
# PLATFORM: "linux"
# TAG: ${{ needs.get_previous_tag.outputs.previous_tag }}
# secrets:
# AWS_VPC_SUBNET: ${{secrets.AWS_VPC_SUBNET}}
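Review bot: Every packaging job's `needs: [unit-test, proxy-tests]` is commented out and the `packaging-docker`, `docker-trivy-critical`, `molecule-packaging-tests`, `test-prerelease-linux`, `canaries-linux` and `prune-previous-canaries-linux` jobs are disabled, so a prerelease now builds and publishes to S3 without unit tests, proxy tests, the Trivy CRITICAL scan, or any post-publish verification. If this is scaffolding to exercise the FIPS pipeline it should not land on the release branch as-is; at minimum the `needs:` lines and the `docker-trivy-critical` job need restoring before merge, and `molecule-packaging-tests` / `test-prerelease-linux` should be extended to cover the `-fips` artifacts rather than left disabled. As a style point, `packaging-amd64-fips` and `packaging-arm64-fips` repeat the non-FIPS jobs verbatim except for `FIPS: true`; a `strategy.matrix` over arch and fips on a single `uses:` job would remove the duplication and keep the `secrets:` block in one place. The `unit-test` and `proxy-tests` jobs these depend on are defined outside the hunks.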

41 changes: 8 additions & 33 deletions build/release.mk
Expand Up @@ -71,12 +71,10 @@ release/pkg-linux: release/get-fluentbit-linux-arm64

.PHONY : release/pkg-linux-fips
release/pkg-linux-fips: release/deps release/clean generate-goreleaser-multiarch-fips
release/pkg-linux-fips: release/get-integrations-amd64 #NO FIPS ASSETS AVAILABLE FOR NOW
release/pkg-linux-fips: release/get-integrations-arm64 #NO FIPS ASSETS AVAILABLE FOR NOW
# release/pkg-linux-fips: release/get-integrations-arm #NO FIPS ASSETS AVAILABLE FOR NOW
release/pkg-linux-fips: release/get-fluentbit-linux-amd64 #NO FIPS ASSETS AVAILABLE FOR NOW
# #release/pkg-linux: release/get-fluentbit-linux-arm
release/pkg-linux-fips: release/get-fluentbit-linux-arm64 #NO FIPS ASSETS AVAILABLE FOR NOW
release/pkg-linux-fips: release/get-integrations-amd64
release/pkg-linux-fips: release/get-integrations-arm64
release/pkg-linux-fips: release/get-fluentbit-linux-amd64
release/pkg-linux-fips: release/get-fluentbit-linux-arm64
@echo "=== [release/pkg-linux-fips] PRE-RELEASE compiling all binaries, creating packages, archives"
$(GORELEASER_BIN) release --config $(GORELEASER_CONFIG_LINUX) $(PKG_FLAGS)

Expand Down Expand Up @@ -178,25 +176,20 @@ release-macos: release/pkg-macos release/fix-tarballs-macos
.PHONY : generate-goreleaser-amd64
generate-goreleaser-amd64:
cat $(CURDIR)/build/goreleaser/linux/header.yml\
$(CURDIR)/build/goreleaser/linux/build_amd64.yml\
$(CURDIR)/build/goreleaser/linux/build_amd64$(subst -,_,$(FIPS)).yml\
$(CURDIR)/build/goreleaser/linux/archives_header.yml\
$(CURDIR)/build/goreleaser/linux/archives_amd64.yml\
$(CURDIR)/build/goreleaser/linux/nfpms_header.yml\
$(CURDIR)/build/goreleaser/linux/al2023_amd64.yml\
$(CURDIR)/build/goreleaser/linux/al2_amd64.yml\
$(CURDIR)/build/goreleaser/linux/centos_6_amd64.yml\
$(CURDIR)/build/goreleaser/linux/centos_7_amd64.yml\
$(CURDIR)/build/goreleaser/linux/centos_8_amd64.yml\
$(CURDIR)/build/goreleaser/linux/rhel_9_amd64.yml\
$(CURDIR)/build/goreleaser/linux/debian_systemd_amd64.yml\
$(CURDIR)/build/goreleaser/linux/debian_upstart_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_114_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_121_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_122_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_123_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_124_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_125_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_151_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_125_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_151_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_152_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_153_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_154_amd64.yml\
Expand All @@ -217,9 +210,6 @@ generate-goreleaser-amd64:
$(CURDIR)/build/goreleaser/linux/centos_8_arm.yml\
$(CURDIR)/build/goreleaser/linux/rhel_9_arm.yml\
$(CURDIR)/build/goreleaser/linux/debian_systemd_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_122_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_123_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_124_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_125_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_151_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_152_arm.yml\
Expand All @@ -232,7 +222,7 @@ generate-goreleaser-amd64:
.PHONY : generate-goreleaser-arm64
generate-goreleaser-arm64:
cat $(CURDIR)/build/goreleaser/linux/header.yml\
$(CURDIR)/build/goreleaser/linux/build_arm64.yml\
$(CURDIR)/build/goreleaser/linux/build_arm64$(subst -,_,$(FIPS)).yml\
$(CURDIR)/build/goreleaser/linux/archives_header.yml\
$(CURDIR)/build/goreleaser/linux/archives_arm64.yml\
$(CURDIR)/build/goreleaser/linux/nfpms_header.yml\
Expand All @@ -242,9 +232,6 @@ generate-goreleaser-arm64:
$(CURDIR)/build/goreleaser/linux/centos_8_arm64.yml\
$(CURDIR)/build/goreleaser/linux/rhel_9_arm64.yml\
$(CURDIR)/build/goreleaser/linux/debian_systemd_arm64.yml\
$(CURDIR)/build/goreleaser/linux/sles_122_arm64.yml\
$(CURDIR)/build/goreleaser/linux/sles_123_arm64.yml\
$(CURDIR)/build/goreleaser/linux/sles_124_arm64.yml\
$(CURDIR)/build/goreleaser/linux/sles_125_arm64.yml\
$(CURDIR)/build/goreleaser/linux/sles_151_arm64.yml\
$(CURDIR)/build/goreleaser/linux/sles_152_arm64.yml\
Expand Down Expand Up @@ -281,7 +268,6 @@ generate-goreleaser-multiarch:
$(CURDIR)/build/goreleaser/linux/al2_amd64.yml\
$(CURDIR)/build/goreleaser/linux/al2_arm.yml\
$(CURDIR)/build/goreleaser/linux/al2_arm64.yml\
$(CURDIR)/build/goreleaser/linux/centos_6_amd64.yml\
$(CURDIR)/build/goreleaser/linux/centos_7_amd64.yml\
$(CURDIR)/build/goreleaser/linux/centos_7_arm.yml\
$(CURDIR)/build/goreleaser/linux/centos_7_arm64.yml\
Expand All @@ -295,17 +281,6 @@ generate-goreleaser-multiarch:
$(CURDIR)/build/goreleaser/linux/debian_systemd_arm.yml\
$(CURDIR)/build/goreleaser/linux/debian_systemd_arm64.yml\
$(CURDIR)/build/goreleaser/linux/debian_upstart_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_114_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_121_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_122_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_122_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_122_arm64.yml\
$(CURDIR)/build/goreleaser/linux/sles_123_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_123_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_123_arm64.yml\
$(CURDIR)/build/goreleaser/linux/sles_124_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_124_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_124_arm64.yml\
$(CURDIR)/build/goreleaser/linux/sles_125_amd64.yml\
$(CURDIR)/build/goreleaser/linux/sles_125_arm.yml\
$(CURDIR)/build/goreleaser/linux/sles_125_arm64.yml\
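Review bot: `release/pkg-linux-fips` keeps the same `release/get-integrations-*` and `release/get-fluentbit-linux-*` prerequisites as the non-FIPS target, and this hunk only strips the `#NO FIPS ASSETS AVAILABLE FOR NOW` markers without changing what those targets fetch, so unless they are FIPS-aware elsewhere the `-fips` packages will still bundle non-FIPS integration and Fluent Bit binaries under a FIPS label. Either keep the marker until those targets fetch FIPS builds, or state the intent explicitly: `# integrations/fluentbit: FIPS variants are fetched by the get-* targets (verify)`. Separately, the hunks against the amd64, arm, arm64 and multiarch `generate-goreleaser-*` targets drop `centos_6_amd64`, `sles_114`, `sles_121`, `sles_122`, `sles_123` and `sles_124` from the generated goreleaser config, which silently stops building those non-FIPS packages and is not mentioned in the commit title; that belongs in a separate, described change. The `$(subst -,_,$(FIPS))` selector expands to `build_<arch>.yml` when `FIPS` is empty and `build_<arch>_fips.yml` when it is `-fips`, which is fine, though the `build_*_fips.yml` files it selects are not in this commit. The recipe bodies of these targets continue outside the hunks.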
