We see an certificate issue when using fips docker image creating searchable snapshots in aws
and gcs. This is likely related to a configuration issue not explicitly setting the trust store
type for our bcfks cacerts
* Delegated authorization using Microsoft Graph (SDK)
---------
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
Co-authored-by: Johannes Freden Jansson <johannes.freden@elastic.co>
Co-authored-by: Johannes Fredén <109296772+jfreden@users.noreply.github.com>
Restructures docker files for docker distributions
- Put Dockerfiles in specific distro specific folders keeping "Dockerfile" naming convention
- Allows better ide support
- Allows easier renovate integration
- Explicitly set base image in dockerfile
- simplify renovate configuration
- Cleanup DockerBase file to not contain ess fips base image information
This lives now in the Dockerfile content directly
* Workaround docker test issue
* Fix labels for fips image
This addresses feedback we got for our default image at https://github.com/docker-library/official-images/pull/18692
This also introduces separate docker source files to make maintaining those easier.
We cannot take over all suggested changes as we require certain settings to have our packaging tests pass as expected.
- Adds docker image based on chainguard base fips image
- x86 only for now as the base image is x86 only
- the image does not provide any elasticsearch.yml configuration. for testing purposes you can follow the elasticsearch fips guide available at https://github.com/elastic/FIPSGuide/tree/main/elasticsearch
The image is shipped with:
- org.bouncycastle:bc-fips:1.0.2.5 and org.bouncycastle:bctls-fips:1.0.19 in Elasticsearch libs folder
- config/jvm.options.d/fips.options for fips specific JVM options
- fips_java.security file
- fips_java.policy
Out of scope:
- Add packaging test coverage (part of later PR as we want to provide that image for testing early and packaging tests require more general restructuring for support fips scenarios)
This commit fix the IronBank hardening_manifest CI test that expect the
hardening_manifest.yaml values to match `'^(?!\\s*$)[ -~|]*$'` regex:
```
| hardening_manifest | ERROR | Hardening Manifest failed jsonschema validation
| hardening_manifest | ERROR | Verify Hardening Manifest content
| hardening_manifest | ERROR | 'Rene Gröschke' does not match '^(?!\\s*$)[ -~|]*$'
```
43219286
cc @breskeby
<!-- Thank you for your interest in and contributing to Elasticsearch!
There are a few simple things to check before submitting your pull
request that can help with the review process. You should delete these
items from your submission, but they are here to help bring them to your
attention. -->
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/elasticsearch/blob/main/CONTRIBUTING.md)?
- If submitting code, have you built your formula locally prior to submission with `gradle check`?
- If submitting code, is your pull request against main? Unless there is a good reason otherwise, we prefer pull requests against main and will backport as needed.
- If submitting code, have you checked that your submission is for an [OS and architecture that we support](https://www.elastic.co/support/matrix#show_os)?
- If you are submitting this code for a class then read our [policy](https://github.com/elastic/elasticsearch/blob/main/CONTRIBUTING.md#contributing-as-part-of-a-class) for that.
* Fix Gradle Deprecation warning as declaring an is- property with a Boolean type has been deprecated.
* Make use of new layout.settingsFolder api to address some cross project references
* Fix buildParams snapshot check for multiprojet projects
This updates the gradle wrapper to 8.12
We addressed deprecation warnings due to the update that includes:
- Fix change in TestOutputEvent api
- Fix deprecation in groovy syntax
- Use latest ospackage plugin containing our fix
- Remove project usages at execution time
- Fix deprecated project references in repository-old-versions
<Actions> <action
id="ad27da7f660d61c82c61599e0e6945827ced1590f4bf36a5f74db07e99c04215">
<h3>deps: Bump ironbank version</h3> <details
id="c8ee27cd13736547d240c88751dee86bddfbda339d0ee25795d0cc066ff6ea01">
<summary>deps(ironbank): Bump ubi version to 9.5</summary>
<p>change detected:
	* key "$.args.BASE_TAG" updated
from "\"9.4\"" to "\"9.5\"", in file
"distribution/docker/src/docker/iron_bank/hardening_manifest.yaml"</p>
</details> <details
id="ddfe323476a100a4fecf1aab633e1209ffebe2f0e55366500df03a529b067050">
<summary>deps(ironbank): Bump ubi version to 9.5</summary>
<p>changed lines [25] of file
"/tmp/updatecli/github/elastic/elasticsearch/distribution/docker/src/docker/Dockerfile"</p>
</details> <a
href="1240723046">GitHub
Action workflow link</a> </action> </Actions>
---
<table> <tr> <td width="77"> <img
src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli logo"
width="50" height="50"> </td> <td> <p> Created
automatically by <a href="https://www.updatecli.io/">Updatecli</a>
</p> <details><summary>Options:</summary> <br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p> <ul> <li>If you close this pull
request, Updatecli will automatically reopen it, the next time it
runs.</li> <li>If you close this pull request and delete the
base branch, Updatecli will automatically recreate it, erasing all
previous commits made.</li> </ul> <p> Feel
free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/> If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
</p> </details> </td> </tr> </table>
Static fields dont do well in Gradle with configuration cache enabled.
- Use buildParams extension in build scripts
- Keep BuildParams.ci for now for easy serverless migration
- Tweak testing doc
* Replace cloud-ess docker image with wolfi-ess
We just replaced the existing implementation of cloud-ess with what was wolfi-ess which is a wolfi based ess image.
The cloud image itself will be removed in a future commit it was not used anywhere
* Switch to test cloud docker image instead of default docker in packaging pr tests.
This adds way more coverage than the default docker image which is also barely touched
* Add more missing wolfi references to fix tests
* packaging tests require access to docker registry
* Fix symlink for es distributions jdk cacerts in wolfi docker
* Fix native support on wolfi images
* Fix provided keystore packaging tests for wolfi
* Add utils used for testing to wolfi image
* Explicitly set default shell to bash in docker images
* Fix docker config issues
* Apply review feedback around docker login
---------
Co-authored-by: Rene Groeschke <rene@elastic.co>
