WIP - package FIPS-compliant Beats

elastic · Mar 5, 2025 · d836b46 · d836b46
1 parent 354e15b
commit d836b46
Show file tree

Hide file tree

Showing 6 changed files with 135 additions and 6 deletions.
diff --git a/dev-tools/mage/pkg.go b/dev-tools/mage/pkg.go
@@ -50,6 +50,11 @@ func Package() error {
 	var tasks []interface{}
 	for _, target := range platforms {
 		for _, pkg := range Packages {
+
+			if mg.Verbose() {
+				log.Printf("Evaluating package %v for target %s", pkg.Spec, target)
+			}
+
 			if pkg.OS != target.GOOS() || pkg.Arch != "" && pkg.Arch != target.Arch() {
 				continue
 			}
@@ -82,13 +87,19 @@ func Package() error {
 					continue
 				}
 
+				// TODO add filters on fips-enabled beats
+				if pkg.Spec.FIPS && !FIPSBuild {
+					log.Printf("Skipping creation for package type %v because spec.Fips=%b and fips=%b: %v", pkgType, pkg.Spec.FIPS, FIPSBuild)
+					continue
+				}
+
 				agentPackageDrop, _ := os.LookupEnv("AGENT_DROP_PATH")
 
 				spec := pkg.Spec.Clone()
 				spec.OS = target.GOOS()
 				spec.Arch = packageArch
 				spec.Snapshot = Snapshot
-				spec.FIPS = FIPSBuild
+				//spec.FIPS = FIPSBuild
 				spec.evalContext = map[string]interface{}{
 					"GOOS":          target.GOOS(),
 					"GOARCH":        target.GOARCH(),

diff --git a/dev-tools/mage/pkgspecs.go b/dev-tools/mage/pkgspecs.go
@@ -51,6 +51,12 @@ func UseElasticBeatXPackReducedPackaging() {
 	MustUsePackaging("elastic_beat_xpack_reduced", packageSpecFile)
 }
 
+// UseElasticBeatXPackFIPSPackaging configures the package target to build Elastic
+// licensed (X-Pack) packages for agent use.
+func UseElasticBeatXPackFIPSPackaging() {
+	MustUsePackaging("elastic_beat_xpack_fips", packageSpecFile)
+}
+
 // MustUsePackaging will load a named spec from a named file, if any errors
 // occurs when loading the specs it will panic.
 //

diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go
@@ -47,7 +47,7 @@ const (
 	packageStagingDir = "build/package"
 
 	// defaultBinaryName specifies the output file for zip and tar.gz.
-	defaultBinaryName = "{{.Name}}{{if .FIPS}}-fips{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}"
+	defaultBinaryName = "{{.Name}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}"
 )
 
 // PackageType defines the file format of the package (e.g. zip, rpm, etc).
@@ -529,7 +529,7 @@ func (s PackageSpec) rootDir() string {
 
 	// NOTE: This uses .BeatName instead of .Name because we wanted the internal
 	// directory to not include "-oss".
-	return s.MustExpand("{{.BeatName}}{{if .FIPS}}-fips{{end}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}")
+	return s.MustExpand("{{.BeatName}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}{{if .OS}}-{{.OS}}{{end}}{{if .Arch}}-{{.Arch}}{{end}}")
 }
 
 // PackageZip packages a zip file.
@@ -728,7 +728,7 @@ func runFPM(spec PackageSpec, packageType PackageType) error {
 	}
 	defer os.Remove(inputTar)
 
-	outputFile, err := spec.Expand("{{.Name}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.Arch}}{{if .FIPS}}-fips{{end}}")
+	outputFile, err := spec.Expand("{{.Name}}-{{.Version}}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.Arch}}")
 	if err != nil {
 		return err
 	}

diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml
@@ -138,6 +138,16 @@ shared:
     files:
       <<: *binary_files
 
+  - &fips_binary_spec
+    <<: *common
+    name: '{{.BeatName}}-fips'
+    fips: true
+    files:
+      <<: *binary_files
+      '{{.BeatName}}{{.BinaryExt}}':
+        source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+        mode: 0755
+
   # Binary package spec (zip for windows) for community beats.
   - &windows_binary_spec
     <<: *common
@@ -617,3 +627,78 @@ specs:
             source: data/{{.BeatName}}-{{ commit_short }}/{{.BeatName}}{{.BinaryExt}}
             symlink: true
             mode: 0755
+
+  # Elastic Beat with Elastic License and binary taken the current directory.
+  elastic_beat_xpack_fips:
+    ###
+    # Elastic Licensed Packages
+    ###
+    - os: linux
+      types: [tgz]
+      spec:
+        <<: *fips_binary_spec
+        <<: *elastic_license_for_binaries
+#
+#    - os: linux
+#      types: [deb, rpm]
+#      spec:
+#        <<: *deb_rpm_spec
+#        <<: *elastic_license_for_deb_rpm
+#
+#    - os: linux
+#      arch: amd64
+#      types: [docker]
+#      spec:
+#        <<: *docker_spec
+#        <<: *elastic_docker_spec
+#        <<: *elastic_license_for_binaries
+#
+#    - os: linux
+#      arch: amd64
+#      types: [docker]
+#      spec:
+#        <<: *docker_spec
+#        <<: *docker_ubi_spec
+#        <<: *elastic_docker_spec
+#        <<: *elastic_license_for_binaries
+#
+#    - os: linux
+#      arch: amd64
+#      types: [docker]
+#      spec:
+#        <<: *docker_spec
+#        <<: *docker_wolfi_spec
+#        <<: *elastic_docker_spec
+#        <<: *elastic_license_for_binaries
+#
+#    - os: linux
+#      arch: arm64
+#      types: [docker]
+#      spec:
+#        <<: *docker_arm_spec
+#        <<: *elastic_docker_spec
+#        <<: *elastic_license_for_binaries
+#
+#    - os: linux
+#      arch: arm64
+#      types: [docker]
+#      spec:
+#        <<: *docker_arm_spec
+#        <<: *docker_arm_ubi_spec
+#        <<: *elastic_docker_spec
+#        <<: *elastic_license_for_binaries
+#
+#    - os: linux
+#      arch: arm64
+#      types: [docker]
+#      spec:
+#        <<: *docker_arm_spec
+#        <<: *docker_arm_wolfi_spec
+#        <<: *elastic_docker_spec
+#        <<: *elastic_license_for_binaries
+#
+#    - os: aix
+#      types: [tgz]
+#      spec:
+#        <<: *binary_spec
+#        <<: *elastic_license_for_binaries
diff --git a/x-pack/agentbeat/dev-tools/packaging/packages.yml b/x-pack/agentbeat/dev-tools/packaging/packages.yml
@@ -55,6 +55,16 @@ shared:
       <<: *binary_files
       <<: *windows_osquery_files
 
+  - &fips_binary_spec
+    <<: *common
+    name: '{{.BeatName}}-fips'
+    fips: true
+    files:
+      <<: *binary_files
+      '{{.BeatName}}{{.BinaryExt}}':
+        source: build/golang-crossbuild/{{.BeatName}}-{{.GOOS}}-{{.Platform.Arch}}{{.BinaryExt}}
+        mode: 0755
+
   # License modifiers for the Elastic License
   - &elastic_license_for_binaries
     license: "Elastic License"
@@ -102,3 +112,14 @@ specs:
       spec:
         <<: *unix_binary_spec
         <<: *elastic_license_for_binaries
+
+  # Elastic Beat with Elastic License and binary taken the current directory.
+  agentbeat_fips:
+    ###
+    # Elastic Licensed Packages
+    ###
+    - os: linux
+      types: [tgz]
+      spec:
+        <<: *fips_binary_spec
+        <<: *elastic_license_for_binaries
diff --git a/x-pack/agentbeat/magefile.go b/x-pack/agentbeat/magefile.go
@@ -128,8 +128,14 @@ func Package() error {
 	start := time.Now()
 	defer func() { fmt.Println("package ran for", time.Since(start)) }()
 	fmt.Printf(">> Packaging agentbeat that includes %v\n", getIncludedBeats())
-	// specific packaging just for agentbeat
-	devtools.MustUsePackaging("agentbeat", "x-pack/agentbeat/dev-tools/packaging/packages.yml")
+
+	if devtools.FIPSBuild {
+		// FIPS specific packaging spec
+		devtools.MustUsePackaging("agentbeat_fips", "x-pack/agentbeat/dev-tools/packaging/packages.yml")
+	} else {
+		// specific packaging just for agentbeat
+		devtools.MustUsePackaging("agentbeat", "x-pack/agentbeat/dev-tools/packaging/packages.yml")
+	}
 
 	// Add metricbeat lightweight modules.
 	if err := metricbeat.CustomizeLightModulesPackaging(); err != nil {