[CI / Build / FIPS] Use xpack.security.experimental.fipsMode.enabled in CI and Docker (#187533)

## Summary

Closes #188272

A check was added in #181187 which detects if the environment has
FIPS-enabled NodeJS, but Kibana is not set up properly. This adds the
Kibana setting for FIPS in CI and the Docker image. Note there are still
license issues on some tests due to #181187 as well, but this will be
handled in another PR.
Brad White 2024-07-15 11:11:34 -06:00 committed by GitHub
parent 70458649dd
commit 333cd207a3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 8 additions and 4 deletions


@ -47,7 +47,6 @@ export MERGE_QUEUE_TARGET_BRANCH
BUILDKITE_BRANCH_MERGE_QUEUE="${MERGE_QUEUE_TARGET_BRANCH:-${BUILDKITE_BRANCH:-}}"
export BUILDKITE_BRANCH_MERGE_QUEUE
BUILDKITE_AGENT_GCP_REGION=""
if [[ "$(curl -is metadata.google.internal || true)" ]]; then
# projects/1003139005402/zones/us-central1-a -> us-central1-a -> us-central1
@ -133,15 +132,19 @@ export TEST_GROUP_TYPE_FUNCTIONAL="Functional Tests"
export GH_REPO=github.com/elastic/kibana
FTR_ENABLE_FIPS_AGENT=false
# used by FIPS agents to link FIPS OpenSSL modules
if [[ "${KBN_ENABLE_FIPS:-}" == "true" ]] || is_pr_with_label "ci:enable-fips-agent"; then
FTR_ENABLE_FIPS_AGENT=true
# used by FIPS agents to link FIPS OpenSSL modules
export OPENSSL_MODULES=$HOME/openssl/lib/ossl-modules
if [[ -f "$KIBANA_DIR/config/node.options" ]]; then
echo -e '\n--enable-fips' >>"$KIBANA_DIR/config/node.options"
echo "--openssl-config=$HOME/nodejs.cnf" >>"$KIBANA_DIR/config/node.options"
fi
if [[ -f "$KIBANA_DIR/config/kibana.yml" ]]; then
echo -e '\nxpack.security.experimental.fipsMode.enabled: true' >>"$KIBANA_DIR/config/kibana.yml"
fi
fi
export FTR_ENABLE_FIPS_AGENT
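Review bot: The appends inside the FIPS branch are not idempotent: each time this file is sourced with FIPS enabled, `--enable-fips` and `xpack.security.experimental.fipsMode.enabled: true` are written again, and a repeated top-level key in `kibana.yml` may be rejected by the YAML loader (not verifiable from this page). Guarding the new append would avoid that, e.g. `grep -qF 'xpack.security.experimental.fipsMode.enabled' "$KIBANA_DIR/config/kibana.yml" || echo -e '\nxpack.security.experimental.fipsMode.enabled: true' >>"$KIBANA_DIR/config/kibana.yml"`. Separately, when `config/kibana.yml` is absent the branch still sets `FTR_ENABLE_FIPS_AGENT=true` without reporting that the Kibana setting was skipped; an `else` that prints a warning to stderr would make a half-configured FIPS agent visible in the job log.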


@ -33,7 +33,7 @@ check_for_changed_files() {
SHOULD_AUTO_COMMIT_CHANGES="${2:-}"
CUSTOM_FIX_MESSAGE="${3:-}"
GIT_CHANGES="$(git status --porcelain -- . ':!:.bazelrc' ':!:config/node.options')"
GIT_CHANGES="$(git status --porcelain -- . ':!:.bazelrc' ':!:config/node.options' ':!config/kibana.yml')"
if [ "$GIT_CHANGES" ]; then
if ! is_auto_commit_disabled && [[ "$SHOULD_AUTO_COMMIT_CHANGES" == "true" && "${BUILDKITE_PULL_REQUEST:-}" ]]; then
@ -56,7 +56,7 @@ check_for_changed_files() {
git config --global user.name kibanamachine
git config --global user.email '42973632+kibanamachine@users.noreply.github.com'
gh pr checkout "${BUILDKITE_PULL_REQUEST}"
git add -A -- . ':!.bazelrc' ':!config/node.options'
git add -A -- . ':!.bazelrc' ':!config/node.options' ':!config/kibana.yml'
git commit -m "$NEW_COMMIT_MESSAGE"
git push
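Review bot: The new `':!config/kibana.yml'` exclusion is unconditional, so `check_for_changed_files` now ignores modifications to `config/kibana.yml` in every job, not only on agents where the FIPS setup appended to it; a check step that unexpectedly rewrites that file would pass unnoticed and would be left out of the auto-commit. If that trade-off is intended, a comment above the `git status` line such as `# config/node.options and config/kibana.yml are modified by the FIPS agent setup; keep them out of the dirty check` would record why. In the `git status` call the new entry is spelled `':!config/kibana.yml'` while its neighbours use the `':!:'` prefix; the two forms appear to be equivalent, but matching the existing spelling keeps the line uniform. The function starts and ends outside these hunks.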


@ -156,6 +156,7 @@ RUN /usr/bin/echo -e '\n--enable-fips' >> config/node.options
RUN /usr/bin/echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
ENV XPACK_SECURITY_EXPERIMENTAL_FIPSMODE_ENABLED=true
{{/fips}}
RUN ln -s /usr/share/kibana /opt/kibana
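Review bot: `ENV XPACK_SECURITY_EXPERIMENTAL_FIPSMODE_ENABLED=true` only takes effect if the image's startup script translates that variable into `xpack.security.experimental.fipsMode.enabled`; if that translation works from a fixed list of settings, the new key has to be on it, and no such file is among the three changed here. It is worth confirming with a container start that the setting is actually applied, since otherwise Node runs with `--enable-fips` while Kibana's FIPS mode stays off. A comment above the line, `# Kibana must be told FIPS is on to match --enable-fips in node.options`, would tie the two together.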