[ci / FIPS] Dynamic agent selection. Add FIPS agents (#183777)

## Summary - Closes https://github.com/elastic/kibana-operations/issues/100 - Utilizes FIPS agent from elastic/ci-agent-images#686 - Adds dynamic agent selection during PR pipeline upload - FIPS agents can be used with `FTR_ENABLE_FIPS_AGENT` env variable or `ci:enable-fips-agent` label - Removes agent image config from individual steps in favor of image config for the whole pipeline. - Steps can still override this config by adding `image`, `imageProject` etc - Adds a conditional assertion to `Check` CI step which validates that FIPS is working properly ### Testing - [Pipeline run using FIPS agents](https://buildkite.com/elastic/kibana-pull-request/builds/215332) - Failures are expected and this possibly ran with flaky tests
2025-04-23 17:28:26 -04:00 · 2024-06-20 14:09:45 -06:00 · 2024-06-20 14:09:45 -06:00 · 324673c8d6
commit 324673c8d6
parent d7e4cc44c9
40 changed files with 108 additions and 179 deletions
--- a/.buildkite/pipeline-utils/agent_images.ts
+++ b/.buildkite/pipeline-utils/agent_images.ts
@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+import { dump } from 'js-yaml';
+import { BuildkiteClient, BuildkiteCommandStep } from './buildkite';
+
+type AgentImageConfig = BuildkiteCommandStep['agents'];
+
+const DEFAULT_AGENT_IMAGE_CONFIG: AgentImageConfig = {
+  provider: 'gcp',
+  image: 'family/kibana-ubuntu-2004',
+  imageProject: 'elastic-images-prod',
+};
+
+const FIPS_AGENT_IMAGE_CONFIG: AgentImageConfig = {
+  provider: 'gcp',
+  image: 'family/kibana-fips-ubuntu-2004',
+  imageProject: 'elastic-images-qa',
+};
+
+const GITHUB_PR_LABELS = process.env.GITHUB_PR_LABELS ?? '';
+const FTR_ENABLE_FIPS_AGENT = process.env.FTR_ENABLE_FIPS_AGENT?.toLowerCase() === 'true';
+
+// Narrow the return type with overloads
+function getAgentImageConfig(): AgentImageConfig;
+function getAgentImageConfig(options: { returnYaml: true }): string;
+function getAgentImageConfig({ returnYaml = false } = {}): string | AgentImageConfig {
+  const bk = new BuildkiteClient();
+  let config: AgentImageConfig;
+
+  if (FTR_ENABLE_FIPS_AGENT || GITHUB_PR_LABELS.includes('ci:enable-fips-agent')) {
+    config = FIPS_AGENT_IMAGE_CONFIG;
+
+    bk.setAnnotation(
+      'agent image config',
+      'info',
+      '#### FIPS Agents Enabled<br />\nFIPS mode can produce new test failures. If you did not intend this remove ```KBN_ENABLE_FIPS``` environment variable and/or the ```ci:enable-fips-agent``` Github label.'
+    );
+  } else {
+    config = DEFAULT_AGENT_IMAGE_CONFIG;
+  }
+
+  if (returnYaml) {
+    return dump({ agents: config });
+  }
+
+  return config;
+}
+
+export { getAgentImageConfig };
--- a/.buildkite/pipeline-utils/ci-stats/pick_test_group_run_order.ts
+++ b/.buildkite/pipeline-utils/ci-stats/pick_test_group_run_order.ts
@ -16,6 +16,7 @@ import { BuildkiteClient, BuildkiteStep } from '../buildkite';
 import { CiStatsClient, TestGroupRunOrderResponse } from './client';

 import DISABLED_JEST_CONFIGS from '../../disabled_jest_configs.json';
+import { getAgentImageConfig } from '#pipeline-utils';

 type RunGroup = TestGroupRunOrderResponse['types'][0];

@ -25,9 +26,7 @@ const getAgentRule = (queueName: string = 'n2-4-spot') => {
  if (process.env?.BUILDKITE_AGENT_META_DATA_QUEUE === 'gobld') {
    const [kind, cores, spot] = queueName.split('-');
    return {
-      provider: 'gcp',
-      image: 'family/kibana-ubuntu-2004',
-      imageProject: 'elastic-images-prod',
+      ...getAgentImageConfig(),
      machineType: `${kind}-standard-${cores}`,
      preemptible: spot === 'spot',
    };
--- a/.buildkite/pipeline-utils/index.ts
+++ b/.buildkite/pipeline-utils/index.ts
@ -6,6 +6,7 @@
 * Side Public License, v 1.
 */

+export * from './agent_images';
 export * from './buildkite';
 export * as CiStats from './ci-stats';
 export * from './github';
--- a/.buildkite/pipelines/pull_request/apm_cypress.yml
+++ b/.buildkite/pipelines/pull_request/apm_cypress.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/apm_cypress.sh
    label: 'APM Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/base.yml
+++ b/.buildkite/pipelines/pull_request/base.yml
@ -3,9 +3,6 @@ steps:
    label: Pre-Build
    timeout_in_minutes: 10
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-2

  - wait
@ -13,9 +10,6 @@ steps:
  - command: .buildkite/scripts/steps/build_kibana.sh
    label: Build Kibana Distribution and Plugins
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-16
      preemptible: true
    key: build
@ -29,9 +23,6 @@ steps:
  - command: .buildkite/scripts/steps/quick_checks.sh
    label: 'Quick Checks'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-2
      preemptible: true
    key: quick_checks
@ -46,9 +37,6 @@ steps:
  - command: .buildkite/scripts/steps/ci_stats_ready.sh
    label: Mark CI Stats as ready
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-2
    timeout_in_minutes: 10
    depends_on:
@ -62,9 +50,6 @@ steps:
  - command: .buildkite/scripts/steps/test/pick_test_group_run_order.sh
    label: 'Pick Test Group Run Order'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-2
    timeout_in_minutes: 10
    env:
@ -79,9 +64,6 @@ steps:
  - command: .buildkite/scripts/steps/lint.sh
    label: 'Linting'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-8
      preemptible: true
    key: linting
@ -94,9 +76,6 @@ steps:
  - command: .buildkite/scripts/steps/check_types.sh
    label: 'Check Types'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    key: check_types
@ -109,9 +88,6 @@ steps:
  - command: .buildkite/scripts/steps/lint_with_types.sh
    label: 'Linting (with types)'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-16
      preemptible: true
    key: linting_with_types
@ -125,9 +101,6 @@ steps:
    label: 'Checks'
    key: checks
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-2
      preemptible: true
    timeout_in_minutes: 60
@ -139,9 +112,6 @@ steps:
  - command: .buildkite/scripts/steps/api_docs/build_api_docs.sh
    label: 'Build API Docs'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    key: build_api_docs
--- a/.buildkite/pipelines/pull_request/build_project.yml
+++ b/.buildkite/pipelines/pull_request/build_project.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/artifacts/docker_image.sh
    label: 'Build Project Image'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-16
      preemptible: true
    timeout_in_minutes: 60
--- a/.buildkite/pipelines/pull_request/check_next_docs.yml
+++ b/.buildkite/pipelines/pull_request/check_next_docs.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/next_docs/build_and_validate_docs.sh
    label: 'Build and Validate Next Docs'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    timeout_in_minutes: 30
--- a/.buildkite/pipelines/pull_request/deploy_cloud.yml
+++ b/.buildkite/pipelines/pull_request/deploy_cloud.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/cloud/build_and_deploy.sh
    label: 'Build and Deploy to Cloud'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-2
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/deploy_project.yml
+++ b/.buildkite/pipelines/pull_request/deploy_project.yml
@ -3,9 +3,6 @@ steps:
    label: 'Build Project Image'
    key: build_project_image
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-16
      preemptible: true
    timeout_in_minutes: 60
@ -16,9 +13,6 @@ steps:
  - command: .buildkite/scripts/steps/serverless/deploy.sh
    label: 'Deploy Project'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    timeout_in_minutes: 10
--- a/.buildkite/pipelines/pull_request/exploratory_view_plugin.yml
+++ b/.buildkite/pipelines/pull_request/exploratory_view_plugin.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/exploratory_view_plugin.sh
    label: 'Exploratory View @elastic/synthetics Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/fips.yml
+++ b/.buildkite/pipelines/pull_request/fips.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/fips/build.sh
    label: 'Build FIPS Image'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-2
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/fleet_cypress.yml
+++ b/.buildkite/pipelines/pull_request/fleet_cypress.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/fleet_cypress.sh
    label: 'Fleet Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/kbn_handlebars.yml
+++ b/.buildkite/pipelines/pull_request/kbn_handlebars.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/test/kbn_handlebars.sh
    label: 'Check @kbn/handlebars for upstream differences'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-2
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/observability_onboarding_cypress.yml
+++ b/.buildkite/pipelines/pull_request/observability_onboarding_cypress.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/observability_onboarding_cypress.sh
    label: 'Observability onboarding Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/post_build.yml
+++ b/.buildkite/pipelines/pull_request/post_build.yml
@ -5,7 +5,4 @@ steps:
  - command: .buildkite/scripts/lifecycle/post_build.sh
    label: Post-Build
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-2
--- a/.buildkite/pipelines/pull_request/profiling_cypress.yml
+++ b/.buildkite/pipelines/pull_request/profiling_cypress.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/profiling_cypress.sh
    label: 'Profiling Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/response_ops.yml
+++ b/.buildkite/pipelines/pull_request/response_ops.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/response_ops.sh
    label: 'Rules, Alerts and Exceptions ResponseOps Cypress Tests on Security Solution'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/response_ops_cases.yml
+++ b/.buildkite/pipelines/pull_request/response_ops_cases.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/response_ops_cases.sh
    label: 'Cases Cypress Tests on Security Solution'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/security_solution/ai_assistant.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/ai_assistant.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_serverless_ai_assistant.sh
    label: 'Serverless AI Assistant - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -20,9 +17,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_solution_ai_assistant.sh
    label: 'AI Assistant - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/security_solution/cypress_burn.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/cypress_burn.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/defend_workflows_burn.sh
    label: '[Soft fail] Defend Workflows Cypress Tests, burning changed specs'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      enableNestedVirtualization: true
      localSsds: 1
      localSsdInterface: nvme
@ -21,9 +18,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/defend_workflows_serverless_burn.sh
    label: '[Soft fail] Defend Workflows Cypress Tests on Serverless, burning changed specs'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      enableNestedVirtualization: true
      localSsds: 1
      localSsdInterface: nvme
@ -40,9 +34,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_solution_burn.sh
    label: '[Soft fail] Security Solution Cypress tests, burning changed specs'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -57,9 +48,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/osquery_cypress_burn.sh
    label: '[Soft fail] Osquery Cypress Tests, burning changed specs'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/defend_workflows.sh
    label: 'Defend Workflows Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      enableNestedVirtualization: true
      localSsds: 1
      localSsdInterface: nvme
@ -22,9 +19,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/defend_workflows_serverless.sh
    label: 'Defend Workflows Cypress Tests on Serverless'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      enableNestedVirtualization: true
      localSsds: 1
      localSsdInterface: nvme
@ -38,14 +32,10 @@ steps:
      automatic:
        - exit_status: '-1'
          limit: 1
-
 #   status_exception: Native role management is not enabled in this Elasticsearch instance
 #  - command: .buildkite/scripts/steps/functional/security_serverless_defend_workflows.sh
 #    label: 'Serverless Security Defend Workflows Cypress Tests'
 #    agents:
-#      image: family/kibana-ubuntu-2004
-#      imageProject: elastic-images-prod
-#      provider: gcp
 #      machineType: n2-standard-4
 #      preemptible: true
 #    depends_on: build
--- a/.buildkite/pipelines/pull_request/security_solution/detection_engine.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/detection_engine.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_serverless_detection_engine.sh
    label: 'Serverless Detection Engine - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -20,9 +17,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_serverless_detection_engine_exceptions.sh
    label: 'Serverless Detection Engine - Exceptions - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -38,9 +32,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_solution_detection_engine.sh
    label: 'Detection Engine - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -56,9 +47,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_solution_detection_engine_exceptions.sh
    label: 'Detection Engine - Exceptions - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/security_solution/entity_analytics.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/entity_analytics.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_serverless_entity_analytics.sh
    label: 'Serverless Entity Analytics - Security Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -20,9 +17,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_solution_entity_analytics.sh
    label: 'Entity Analytics - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/security_solution/explore.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/explore.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_solution_explore.sh
    label: 'Explore - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -20,9 +17,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_serverless_explore.sh
    label: 'Serverless Explore - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/security_solution/investigations.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/investigations.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_solution_investigations.sh
    label: 'Investigations - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -20,9 +17,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_serverless_investigations.sh
    label: 'Serverless Investigations - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/security_solution/osquery_cypress.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/osquery_cypress.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/osquery_cypress.sh
    label: 'Osquery Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -20,9 +17,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_serverless_osquery.sh
    label: 'Serverless Osquery Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/security_solution/rule_management.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/rule_management.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_serverless_rule_management.sh
    label: 'Serverless Rule Management - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -20,9 +17,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_serverless_rule_management_prebuilt_rules.sh
    label: 'Serverless Rule Management - Prebuilt Rules - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -38,9 +32,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_solution_rule_management.sh
    label: 'Rule Management - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
@ -56,9 +47,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/security_solution_rule_management_prebuilt_rules.sh
    label: 'Rule Management - Prebuilt Rules - Security Solution Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/security_solution/threat_intelligence.yml
+++ b/.buildkite/pipelines/pull_request/security_solution/threat_intelligence.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/threat_intelligence.sh
    label: 'Threat Intelligence Cypress Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/slo_plugin_e2e.yml
+++ b/.buildkite/pipelines/pull_request/slo_plugin_e2e.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/slo_plugin_e2e.sh
    label: 'SLO Plugin @elastic/synthetics Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/storybooks.yml
+++ b/.buildkite/pipelines/pull_request/storybooks.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/storybooks/build_and_upload.sh
    label: 'Build Storybooks'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-8
      preemptible: true
    key: storybooks
--- a/.buildkite/pipelines/pull_request/synthetics_plugin.yml
+++ b/.buildkite/pipelines/pull_request/synthetics_plugin.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/synthetics_plugin.sh
    label: 'Synthetics @elastic/synthetics Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/uptime_plugin.yml
+++ b/.buildkite/pipelines/pull_request/uptime_plugin.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/uptime_plugin.sh
    label: 'Uptime @elastic/synthetics Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/ux_plugin_e2e.yml
+++ b/.buildkite/pipelines/pull_request/ux_plugin_e2e.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/functional/ux_synthetics_e2e.sh
    label: 'UX Plugin @elastic/synthetics Tests'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    depends_on:
--- a/.buildkite/pipelines/pull_request/webpack_bundle_analyzer.yml
+++ b/.buildkite/pipelines/pull_request/webpack_bundle_analyzer.yml
@ -2,9 +2,6 @@ steps:
  - command: .buildkite/scripts/steps/webpack_bundle_analyzer/build_and_upload.sh
    label: 'Build Webpack Bundle Analyzer reports'
    agents:
-      image: family/kibana-ubuntu-2004
-      imageProject: elastic-images-prod
-      provider: gcp
      machineType: n2-standard-4
      preemptible: true
    key: webpack_bundle_analyzer
--- a/.buildkite/scripts/common/env.sh
+++ b/.buildkite/scripts/common/env.sh
@ -131,3 +131,17 @@ export TEST_GROUP_TYPE_FUNCTIONAL="Functional Tests"

 # tells the gh command what our default repo is
 export GH_REPO=github.com/elastic/kibana
+
+FTR_ENABLE_FIPS_AGENT=false
+# used by FIPS agents to link FIPS OpenSSL modules
+if [[ "${KBN_ENABLE_FIPS:-}" == "true" ]] || is_pr_with_label "ci:enable-fips-agent"; then
+  FTR_ENABLE_FIPS_AGENT=true
+  export OPENSSL_MODULES=$HOME/openssl/lib/ossl-modules
+
+  if [[ -f "$KIBANA_DIR/config/node.options" ]]; then
+    echo -e '\n--enable-fips' >>"$KIBANA_DIR/config/node.options"
+    echo "--openssl-config=$HOME/nodejs.cnf" >>"$KIBANA_DIR/config/node.options"
+  fi
+fi
+
+export FTR_ENABLE_FIPS_AGENT
--- a/.buildkite/scripts/common/util.sh
+++ b/.buildkite/scripts/common/util.sh
@ -33,7 +33,7 @@ check_for_changed_files() {

  SHOULD_AUTO_COMMIT_CHANGES="${2:-}"
  CUSTOM_FIX_MESSAGE="${3:-}"
-  GIT_CHANGES="$(git status --porcelain -- . ':!:.bazelrc')"
+  GIT_CHANGES="$(git status --porcelain -- . ':!:.bazelrc' ':!:config/node.options')"

  if [ "$GIT_CHANGES" ]; then
    if ! is_auto_commit_disabled && [[ "$SHOULD_AUTO_COMMIT_CHANGES" == "true" && "${BUILDKITE_PULL_REQUEST:-}" ]]; then
@ -56,7 +56,7 @@ check_for_changed_files() {
      git config --global user.name kibanamachine
      git config --global user.email '42973632+kibanamachine@users.noreply.github.com'
      gh pr checkout "${BUILDKITE_PULL_REQUEST}"
-      git add -A -- . ':!.bazelrc'
+      git add -A -- . ':!.bazelrc' ':!config/node.options'

      git commit -m "$NEW_COMMIT_MESSAGE"
      git push
--- a/.buildkite/scripts/pipelines/pull_request/pipeline.ts
+++ b/.buildkite/scripts/pipelines/pull_request/pipeline.ts
@ -9,7 +9,7 @@
 import { execSync } from 'child_process';
 import fs from 'fs';
 import prConfigs from '../../../pull_requests.json';
-import { areChangesSkippable, doAnyChangesMatch } from '#pipeline-utils';
+import { areChangesSkippable, doAnyChangesMatch, getAgentImageConfig } from '#pipeline-utils';

 const prConfig = prConfigs.jobs.find((job) => job.pipelineSlug === 'kibana-pull-request');

@ -43,6 +43,7 @@ const getPipeline = (filename: string, removeSteps = true) => {

    const pipeline = [];

+    pipeline.push(getAgentImageConfig({ returnYaml: true }));
    pipeline.push(getPipeline('.buildkite/pipelines/pull_request/base.yml', false));

    if (await doAnyChangesMatch([/^packages\/kbn-handlebars/])) {
--- a/.buildkite/scripts/steps/checks.sh
+++ b/.buildkite/scripts/steps/checks.sh
@ -5,6 +5,9 @@ set -euo pipefail
 export DISABLE_BOOTSTRAP_VALIDATION=false
 .buildkite/scripts/bootstrap.sh

+if [[ "${FIPS_ENABLED:-}" == "true" ]]; then
+  .buildkite/scripts/steps/checks/verify_fips_enabled.sh
+fi
 .buildkite/scripts/steps/checks/saved_objects_compat_changes.sh
 .buildkite/scripts/steps/checks/saved_objects_definition_change.sh
 .buildkite/scripts/steps/capture_oas_snapshot.sh
--- a/.buildkite/scripts/steps/checks/verify_fips_enabled.sh
+++ b/.buildkite/scripts/steps/checks/verify_fips_enabled.sh
@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common/util.sh
+
+.buildkite/scripts/download_build_artifacts.sh
+
+echo --- Verify FIPS enabled
+
+NODE_BINARY="$KIBANA_BUILD_LOCATION/node/glibc-217/bin/node"
+
+if [[ -x "$NODE_BINARY" ]]; then
+  # sed is used to remove invisible ANSI color codes from the output
+  FIPS_STATUS=$("$NODE_BINARY" --enable-fips --openssl-config="$HOME/nodejs.cnf" -p 'crypto.getFips()' | sed 's/\x1b\[[0-9;]*m//g' | tr -d \\n)
+  echo "$FIPS_STATUS" | od -c
+
+  if [[ "$FIPS_STATUS" == "1" ]]; then
+    echo "FIPS enabled successfully"
+    exit 0
+  else
+    echo "Failed to enable FIPS: $FIPS_STATUS"
+    exit 1
+  fi
+else
+  echo "Node binary not found at $NODE_BINARY"
+  exit 1
+fi
--- a/test/package/roles/assert_fips_enabled/tasks/main.yml
+++ b/test/package/roles/assert_fips_enabled/tasks/main.yml
@ -1,6 +1,6 @@
 - name: register kibana node getFips
  shell: 
-    cmd: "source /home/vagrant/.profile && {{ kibana_dist_path }}/node/bin/node --enable-fips --openssl-config={{ kibana_dist_path }}/config/nodejs.cnf -p 'crypto.getFips()'"
+    cmd: "source /home/vagrant/.profile && {{ kibana_dist_path }}/node/glibc-217/bin/node --enable-fips --openssl-config={{ kibana_dist_path }}/config/nodejs.cnf -p 'crypto.getFips()'"
    executable: /bin/bash
  register: kibana_node_fips