[8.x] [FIPS][Cloud][Build] Add FIPS cloud image. Convert base image to Wolfi. (#213163) (#216205)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[FIPS][Cloud][Build] Add FIPS cloud image. Convert base image to
Wolfi. (#213163)](https://github.com/elastic/kibana/pull/213163)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Brad
White","email":"Ikuni17@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-03-27T15:01:08Z","message":"[FIPS][Cloud][Build]
Add FIPS cloud image. Convert base image to Wolfi. (#213163)\n\n##
Summary\n\n- Closes elastic/kibana-operations#245\n- Convert FIPS base
image from UBI to `chainguard-base-fips`\n- Add FIPS base image updates
to Renovate\n- Adjust naming scheme for FIPS image from
`kibana-ubi-fips` to\n`kibana-fips`\n- Adds new image flavor
`kibana-cloud-fips`\n- Adds support for `ci:build-cloud-fips-image`
label\n- Move Cloud image building to its own step instead of being part
of\n`Build Kibana Distribution` step so it will be triggered when the
build\nis reused and the `build` step is
skipped.","sha":"8601ec3072173ed6745fe892000cb4d1ab7fa89b","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Operations","release_note:skip","v9.0.0","ci:build-cloud-image","ci:build-docker-fips","backport:version","v9.1.0","v8.19.0","ci:build-cloud-fips-image"],"title":"[FIPS][Cloud][Build]
Add FIPS cloud image. Convert base image to
Wolfi.","number":213163,"url":"https://github.com/elastic/kibana/pull/213163","mergeCommit":{"message":"[FIPS][Cloud][Build]
Add FIPS cloud image. Convert base image to Wolfi. (#213163)\n\n##
Summary\n\n- Closes elastic/kibana-operations#245\n- Convert FIPS base
image from UBI to `chainguard-base-fips`\n- Add FIPS base image updates
to Renovate\n- Adjust naming scheme for FIPS image from
`kibana-ubi-fips` to\n`kibana-fips`\n- Adds new image flavor
`kibana-cloud-fips`\n- Adds support for `ci:build-cloud-fips-image`
label\n- Move Cloud image building to its own step instead of being part
of\n`Build Kibana Distribution` step so it will be triggered when the
build\nis reused and the `build` step is
skipped.","sha":"8601ec3072173ed6745fe892000cb4d1ab7fa89b"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/213163","number":213163,"mergeCommit":{"message":"[FIPS][Cloud][Build]
Add FIPS cloud image. Convert base image to Wolfi. (#213163)\n\n##
Summary\n\n- Closes elastic/kibana-operations#245\n- Convert FIPS base
image from UBI to `chainguard-base-fips`\n- Add FIPS base image updates
to Renovate\n- Adjust naming scheme for FIPS image from
`kibana-ubi-fips` to\n`kibana-fips`\n- Adds new image flavor
`kibana-cloud-fips`\n- Adds support for `ci:build-cloud-fips-image`
label\n- Move Cloud image building to its own step instead of being part
of\n`Build Kibana Distribution` step so it will be triggered when the
build\nis reused and the `build` step is
skipped.","sha":"8601ec3072173ed6745fe892000cb4d1ab7fa89b"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
This commit is contained in:
Brad White 2025-03-28 11:34:19 -06:00 committed by GitHub
parent 1eb6c33e46
commit 862d42efdd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
26 changed files with 358 additions and 113 deletions


@ -0,0 +1,20 @@
steps:
- command: .buildkite/scripts/steps/fips/build_cloud_fips_image.sh
label: 'Build Cloud FIPS Image'
agents:
machineType: n2-standard-2
preemptible: true
depends_on:
- build
- quick_checks
- checks
- linting
- linting_with_types
- check_types
- check_oas_snapshot
timeout_in_minutes: 60
soft_fail: true
retry:
automatic:
- exit_status: '-1'
limit: 3


@ -0,0 +1,20 @@
steps:
- command: .buildkite/scripts/steps/cloud/build_cloud_image.sh
label: 'Build Cloud Image'
agents:
machineType: n2-standard-2
preemptible: true
depends_on:
- build
- quick_checks
- checks
- linting
- linting_with_types
- check_types
- check_oas_snapshot
timeout_in_minutes: 60
soft_fail: true
retry:
automatic:
- exit_status: '-1'
limit: 3


@ -19,30 +19,6 @@ is_pr_with_label "ci:build-cdn-assets" || BUILD_ARGS+=("--skip-cdn-assets")
echo "> node scripts/build" "${BUILD_ARGS[@]}"
node scripts/build "${BUILD_ARGS[@]}"
if is_pr_with_label "ci:build-cloud-image"; then
node scripts/build \
--skip-initialize \
--skip-generic-folders \
--skip-platform-folders \
--skip-cdn-assets \
--skip-archives \
--docker-images \
--docker-tag-qualifier="$GIT_COMMIT" \
--docker-push \
--skip-docker-ubi \
--skip-docker-fips \
--skip-docker-ubuntu \
--skip-docker-wolfi \
--skip-docker-serverless \
--skip-docker-contexts
CLOUD_IMAGE=$(docker images --format "{{.Repository}}:{{.Tag}}" docker.elastic.co/kibana-ci/kibana-cloud)
cat << EOF | buildkite-agent annotate --style "info" --context kibana-cloud-image
Kibana cloud image: \`$CLOUD_IMAGE\`
EOF
fi
echo "--- Archive Kibana Distribution"
version="$(jq -r '.version' package.json)"
linuxBuild="$KIBANA_DIR/target/kibana-$version-SNAPSHOT-linux-x86_64.tar.gz"


@ -179,6 +179,24 @@ const getPipeline = (filename: string, removeSteps = true) => {
pipeline.push(getPipeline('.buildkite/pipelines/pull_request/ai_infra_gen_ai.yml'));
}
if (
GITHUB_PR_LABELS.includes('ci:build-cloud-image') &&
!GITHUB_PR_LABELS.includes('ci:deploy-cloud') &&
!GITHUB_PR_LABELS.includes('ci:cloud-deploy') &&
!GITHUB_PR_LABELS.includes('ci:cloud-redeploy')
) {
pipeline.push(getPipeline('.buildkite/pipelines/pull_request/build_cloud_image.yml'));
}
if (
GITHUB_PR_LABELS.includes('ci:build-cloud-fips-image') &&
!GITHUB_PR_LABELS.includes('ci:deploy-cloud') &&
!GITHUB_PR_LABELS.includes('ci:cloud-deploy') &&
!GITHUB_PR_LABELS.includes('ci:cloud-redeploy')
) {
pipeline.push(getPipeline('.buildkite/pipelines/pull_request/build_cloud_fips_image.yml'));
}
if (
GITHUB_PR_LABELS.includes('ci:deploy-cloud') ||
GITHUB_PR_LABELS.includes('ci:cloud-deploy') ||
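Review bot: The three `!GITHUB_PR_LABELS.includes(...)` deploy-label exclusions are copied verbatim into both the `ci:build-cloud-image` branch and the new `ci:build-cloud-fips-image` branch, so any future deploy label has to be added in two places (and once more in the `||` chain that starts at the end of the hunk). Hoisting the predicate once, `const hasCloudDeployLabel = ['ci:deploy-cloud', 'ci:cloud-deploy', 'ci:cloud-redeploy'].some((l) => GITHUB_PR_LABELS.includes(l));`, and testing `&& !hasCloudDeployLabel` in both conditions keeps the two image branches in step. The trailing `if (` condition continues outside the hunk.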


@ -38,6 +38,8 @@ node scripts/build \
--skip-docker-wolfi \
--skip-docker-ubi \
--skip-docker-cloud \
--skip-docker-cloud-fips \
--skip-docker-fips \
--skip-docker-contexts \
--skip-cdn-assets


@ -7,7 +7,7 @@ set -euo pipefail
source .buildkite/scripts/steps/artifacts/env.sh
echo "--- Build Kibana artifacts"
node scripts/build --all-platforms --debug --docker-cross-compile --skip-docker-fips --skip-docker-serverless --skip-cdn-assets "${BUILD_ARGS[@]}"
node scripts/build --all-platforms --debug --docker-cross-compile --skip-docker-fips --skip-docker-cloud-fips --skip-docker-serverless --skip-cdn-assets "${BUILD_ARGS[@]}"
echo "--- Extract default i18n messages"
mkdir -p target/i18n


@ -43,6 +43,7 @@ else
--skip-docker-ubi \
--skip-docker-fips \
--skip-docker-ubuntu \
--skip-docker-cloud-fips \
--skip-docker-wolfi \
--skip-docker-serverless \
--skip-docker-contexts


@ -0,0 +1,41 @@
#!/usr/bin/env bash
set -euo pipefail
source .buildkite/scripts/common/util.sh
.buildkite/scripts/bootstrap.sh
export KBN_NP_PLUGINS_BUILT=true
VERSION="$(jq -r '.version' package.json)-SNAPSHOT"
echo "--- Download Kibana Distribution"
mkdir -p ./target
download_artifact "kibana-$VERSION-linux-x86_64.tar.gz" ./target --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
echo "--- Build Cloud Distribution"
node scripts/build \
--skip-initialize \
--skip-generic-folders \
--skip-platform-folders \
--skip-cdn-assets \
--skip-archives \
--docker-images \
--docker-tag-qualifier="$GIT_COMMIT" \
--docker-push \
--skip-docker-ubi \
--skip-docker-ubuntu \
--skip-docker-cloud-fips \
--skip-docker-fips \
--skip-docker-wolfi \
--skip-docker-serverless \
--skip-docker-contexts
CLOUD_IMAGE=$(docker images --format "{{.Repository}}:{{.Tag}}" docker.elastic.co/kibana-ci/kibana-cloud)
cat <<EOF | buildkite-agent annotate --style "info" --context kibana-cloud-image
Kibana cloud image: \`$CLOUD_IMAGE\`
EOF
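Review bot: `CLOUD_IMAGE=$(docker images --format ... docker.elastic.co/kibana-ci/kibana-cloud)` reports whatever the agent's Docker daemon currently holds for that repository, so on an agent that still has an earlier tag the annotation would list several images rather than the one this step just pushed. The FIPS step in `build_fips.sh` (its `KIBANA_FIPS_IMAGE=` line) derives the name from the version and commit instead, and the same approach fits here, roughly `CLOUD_IMAGE="docker.elastic.co/kibana-ci/kibana-cloud:$VERSION-$GIT_COMMIT"`, with the exact tag format confirmed against what the docker generator emits for `--docker-tag-qualifier`. The same pattern appears in the new `build_cloud_fips_image.sh` (`CLOUD_FIPS_IMAGE=...`).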


@ -11,7 +11,7 @@ source "$(dirname "${0}")/config.sh"
export KIBANA_IMAGE="gcr.io/elastic-kibana-184716/demo/kibana:$DEPLOYMENT_NAME-$(git rev-parse HEAD)"
echo '--- Build Kibana'
node scripts/build --debug --docker-images --example-plugins --skip-docker-ubi --skip-docker-fips --skip-docker-cloud --skip-docker-serverless --skip-docker-contexts
node scripts/build --debug --docker-images --example-plugins --skip-docker-ubi --skip-docker-fips --skip-docker-cloud-fips --skip-docker-cloud --skip-docker-serverless --skip-docker-contexts
echo '--- Build Docker image with example plugins'
cd target/example_plugins


@ -25,6 +25,7 @@ node scripts/build \
--skip-docker-ubuntu \
--skip-docker-wolfi \
--skip-docker-cloud \
--skip-docker-cloud-fips \
--skip-docker-serverless \
--skip-docker-contexts
@ -32,13 +33,12 @@ node scripts/build \
cd "$KIBANA_DIR/target"
buildkite-agent artifact upload "./*docker-image*.tar.gz"
KIBANA_UBI_FIPS_IMAGE="docker.elastic.co/kibana-ci/kibana-ubi-fips:$FULL_VERSION-$BUILDKITE_COMMIT"
KIBANA_FIPS_IMAGE="docker.elastic.co/kibana-ci/kibana-fips:$FULL_VERSION-$BUILDKITE_COMMIT"
cat <<EOF | buildkite-agent annotate --style "info" --context fips
### Kibana FIPS Image
cat <<EOF | buildkite-agent annotate --style "info" --context kibana-fips-image
UBI image: \`$KIBANA_UBI_FIPS_IMAGE\`
Kibana FIPS image: \`$KIBANA_FIPS_IMAGE\`
EOF
buildkite-agent meta-data set pr_comment:build_fips:head "* Kibana UBI FIPS Image: \`$KIBANA_UBI_FIPS_IMAGE\`"
buildkite-agent meta-data set pr_comment:build_fips:head "* Kibana FIPS Image: \`$KIBANA_FIPS_IMAGE\`"
buildkite-agent meta-data set pr_comment:early_comment_job_id "$BUILDKITE_JOB_ID"


@ -0,0 +1,41 @@
#!/usr/bin/env bash
set -euo pipefail
source .buildkite/scripts/common/util.sh
.buildkite/scripts/bootstrap.sh
export KBN_NP_PLUGINS_BUILT=true
VERSION="$(jq -r '.version' package.json)-SNAPSHOT"
echo "--- Download Kibana Distribution"
mkdir -p ./target
download_artifact "kibana-$VERSION-linux-x86_64.tar.gz" ./target --build "${KIBANA_BUILD_ID:-$BUILDKITE_BUILD_ID}"
echo "--- Build Cloud FIPS Distribution"
node scripts/build \
--skip-initialize \
--skip-generic-folders \
--skip-platform-folders \
--skip-cdn-assets \
--skip-archives \
--docker-images \
--docker-tag-qualifier="$GIT_COMMIT" \
--docker-push \
--skip-docker-ubi \
--skip-docker-ubuntu \
--skip-docker-cloud \
--skip-docker-fips \
--skip-docker-wolfi \
--skip-docker-serverless \
--skip-docker-contexts
CLOUD_FIPS_IMAGE=$(docker images --format "{{.Repository}}:{{.Tag}}" docker.elastic.co/kibana-ci/kibana-cloud-fips)
cat <<EOF | buildkite-agent annotate --style "info" --context kibana-cloud-fips-image
Kibana cloud FIPS image: \`$CLOUD_FIPS_IMAGE\`
EOF


@ -4,7 +4,7 @@ set -euo pipefail
.buildkite/scripts/bootstrap.sh
node scripts/build --all-platforms --debug --skip-docker-cloud --skip-docker-serverless --skip-docker-ubi --skip-docker-fips --skip-docker-contexts --skip-cdn-assets
node scripts/build --all-platforms --debug --skip-docker-cloud --skip-docker-serverless --skip-docker-ubi --skip-docker-fips --skip-docker-cloud-fips --skip-docker-contexts --skip-cdn-assets
DOCKER_FILE="kibana-$KIBANA_PKG_VERSION-SNAPSHOT-docker-image.tar.gz"


@ -51,9 +51,13 @@ Build an archive that can be used to serve Kibana's static assets.
Build cloud Docker images that can be used for testing deployments on Elastic Cloud.
#### `ci:build-cloud-fips-image`
Build FIPS cloud Docker images that can be used for testing deployments on Elastic Cloud.
#### `ci:build-docker-fips`
Build Docker UBI x64 image with FIPS enabled.
Build Docker Wolfi image with FIPS enabled.
#### `ci:build-os-packages`


@ -96,6 +96,28 @@
],
"enabled": true
},
{
"groupName": "chainguard-fips",
"matchPackageNames": [
"docker.elastic.co/wolfi/chainguard-base-fips"
],
"reviewers": [
"team:kibana-operations"
],
"matchBaseBranches": [
"main",
"/^[9].*/",
"8.x",
"8.18"
],
"labels": [
"Team:Operations",
"release_note:skip",
"backport:skip",
"ci:build-docker-fips"
],
"enabled": true
},
{
"groupName": "operations actions",
"matchManagers": [
@ -1199,6 +1221,17 @@
],
"datasourceTemplate": "docker"
},
{
"description": "Update Wolfi FIPS base image",
"customType": "regex",
"fileMatch": [
"^src/dev/build/tasks/os_packages/docker_generator/run\\.ts$"
],
"matchStrings": [
"(?<depName>docker\\.elastic\\.co/wolfi/chainguard-base-fips):(?<currentValue>[-a-zA-Z0-9.]+)?(?:@(?<currentDigest>sha256:[a-fA-F0-9]+))?"
],
"datasourceTemplate": "docker"
},
{
"description": "Update pipelib image",
"customType": "regex",
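Review bot: The new `chainguard-fips` Renovate group labels its PRs with `ci:build-docker-fips` only, yet the `docker.elastic.co/wolfi/chainguard-base-fips` image it bumps is now also the base of the cloud FIPS image (the `flags.fips` branch in `run.ts` sets `baseImageName` for both flavours), so a base-image update would be validated against `kibana-fips` but not `kibana-cloud-fips`. Adding `"ci:build-cloud-fips-image"` to the `labels` array exercises both images on each update. The regex manager's `currentDigest` group already captures the `@sha256` digest, which is what makes the `latest` tag pin meaningful.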


@ -33,6 +33,7 @@ it('build default and oss dist for current platform, without packages, by defaul
"createCdnAssets": true,
"createDebPackage": false,
"createDockerCloud": false,
"createDockerCloudFIPS": false,
"createDockerContexts": true,
"createDockerFIPS": false,
"createDockerServerless": false,
@ -75,6 +76,7 @@ it('builds packages if --all-platforms is passed', () => {
"createCdnAssets": true,
"createDebPackage": true,
"createDockerCloud": true,
"createDockerCloudFIPS": true,
"createDockerContexts": true,
"createDockerFIPS": true,
"createDockerServerless": true,
@ -117,6 +119,7 @@ it('limits packages if --rpm passed with --all-platforms', () => {
"createCdnAssets": true,
"createDebPackage": false,
"createDockerCloud": false,
"createDockerCloudFIPS": false,
"createDockerContexts": true,
"createDockerFIPS": false,
"createDockerServerless": false,
@ -159,6 +162,7 @@ it('limits packages if --deb passed with --all-platforms', () => {
"createCdnAssets": true,
"createDebPackage": true,
"createDockerCloud": false,
"createDockerCloudFIPS": false,
"createDockerContexts": true,
"createDockerFIPS": false,
"createDockerServerless": false,
@ -202,6 +206,7 @@ it('limits packages if --docker passed with --all-platforms', () => {
"createCdnAssets": true,
"createDebPackage": false,
"createDockerCloud": true,
"createDockerCloudFIPS": true,
"createDockerContexts": true,
"createDockerFIPS": true,
"createDockerServerless": true,
@ -252,6 +257,7 @@ it('limits packages if --docker passed with --skip-docker-ubi and --all-platform
"createCdnAssets": true,
"createDebPackage": false,
"createDockerCloud": true,
"createDockerCloudFIPS": true,
"createDockerContexts": true,
"createDockerFIPS": true,
"createDockerServerless": true,
@ -295,6 +301,7 @@ it('limits packages if --all-platforms passed with --skip-docker-ubuntu', () =>
"createCdnAssets": true,
"createDebPackage": true,
"createDockerCloud": true,
"createDockerCloudFIPS": true,
"createDockerContexts": true,
"createDockerFIPS": true,
"createDockerServerless": true,
@ -338,6 +345,7 @@ it('limits packages if --all-platforms passed with --skip-docker-fips', () => {
"createCdnAssets": true,
"createDebPackage": true,
"createDockerCloud": true,
"createDockerCloudFIPS": true,
"createDockerContexts": true,
"createDockerFIPS": false,
"createDockerServerless": true,
@ -370,3 +378,47 @@ it('limits packages if --all-platforms passed with --skip-docker-fips', () => {
}
`);
});
it('limits packages if --all-platforms passed with --skip-docker-cloud-fips', () => {
expect(readCliArgs(['node', 'scripts/build', '--all-platforms', '--skip-docker-cloud-fips']))
.toMatchInlineSnapshot(`
Object {
"buildOptions": Object {
"buildCanvasShareableRuntime": true,
"createArchives": true,
"createCdnAssets": true,
"createDebPackage": true,
"createDockerCloud": true,
"createDockerCloudFIPS": false,
"createDockerContexts": true,
"createDockerFIPS": true,
"createDockerServerless": true,
"createDockerUBI": true,
"createDockerUbuntu": true,
"createDockerWolfi": true,
"createGenericFolders": true,
"createPlatformFolders": true,
"createRpmPackage": true,
"dockerContextUseLocalArtifact": null,
"dockerCrossCompile": false,
"dockerNamespace": null,
"dockerPush": false,
"dockerTag": null,
"dockerTagQualifier": null,
"downloadCloudDependencies": true,
"downloadFreshNode": true,
"eprRegistry": "snapshot",
"initialize": true,
"isRelease": false,
"targetAllPlatforms": true,
"targetServerlessPlatforms": false,
"versionQualifier": "",
"withExamplePlugins": false,
"withTestPlugins": false,
},
"log": <ToolingLog>,
"showHelp": false,
"unknownFlags": Array [],
}
`);
});


@ -34,6 +34,7 @@ export function readCliArgs(argv: string[]) {
'skip-docker-ubuntu',
'skip-docker-wolfi',
'skip-docker-cloud',
'skip-docker-cloud-fips',
'skip-docker-serverless',
'skip-docker-fips',
'release',
@ -144,6 +145,8 @@ export function readCliArgs(argv: string[]) {
isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-ubuntu']),
createDockerWolfi: isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-wolfi']),
createDockerCloud: isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-cloud']),
createDockerCloudFIPS:
isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-cloud-fips']),
createDockerServerless:
(isOsPackageDesired('docker-images') && !Boolean(flags['skip-docker-serverless'])) ||
Boolean(flags.serverless),


@ -34,6 +34,7 @@ export interface BuildOptions {
createDockerUbuntu: boolean;
createDockerWolfi: boolean;
createDockerCloud: boolean;
createDockerCloudFIPS: boolean;
createDockerServerless: boolean;
createDockerContexts: boolean;
createDockerFIPS: boolean;
@ -174,6 +175,15 @@ export async function buildDistributables(log: ToolingLog, options: BuildOptions
await run(Tasks.CreateDockerFIPS);
}
if (options.createDockerCloudFIPS) {
// control w/ --docker-images and --skip-docker-cloud-fips
if (options.downloadCloudDependencies) {
// control w/ --skip-cloud-dependencies-download
await run(Tasks.DownloadCloudDependencies);
}
await run(Tasks.CreateDockerCloudFIPS);
}
if (options.createDockerContexts) {
// control w/ --skip-docker-contexts
await run(Tasks.CreateDockerContexts);
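Review bot: The `createDockerCloudFIPS` block runs `Tasks.DownloadCloudDependencies` itself, and if the `createDockerCloud` block above the hunk does the same (it is outside the hunk, so this is inferred), a build with both flavours enabled runs the task twice. The task now decides which beat variants to fetch from `config.buildOptions` and deletes `.beats` before downloading, so the second run discards and re-downloads what the first one fetched. Hoisting the download into a single `if (options.downloadCloudDependencies && (options.createDockerCloud || options.createDockerCloudFIPS))` guard ahead of both image tasks avoids the repeated work; if the double run is intentional, a comment on the `createDockerCloudFIPS` branch saying so would help.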


@ -34,30 +34,42 @@ if (showHelp) {
build the Kibana distributable
options:
--skip-archives {dim Don't produce tar/zip archives}
--skip-os-packages {dim Don't produce rpm/deb/docker packages}
--all-platforms {dim Produce archives for all platforms, not just this one}
--rpm {dim Only build the rpm packages}
--deb {dim Only build the deb packages}
--serverless {dim Only build the serverless packages}
--docker-images {dim Only build the Docker images}
--docker-context-use-local-artifact {dim Use a local artifact when building the Docker context}
--docker-cross-compile {dim Produce arm64 and amd64 Docker images}
--docker-contexts {dim Only build the Docker build contexts}
--docker-cross-compile {dim Produce arm64 and amd64 Docker images}
--docker-images {dim Only build the Docker images}
--docker-namespace {dim Specify the registry namespace for image pushing}
--docker-push {dim Enable pushing after building each docker image}
--docker-tag {dim Specify the tag to use for the images, default is version}
--docker-tag-qualifier {dim Qualifier to append to the docker tag}
--epr-registry {dim Specify the EPR registry to use for Fleet packages, 'production' or 'snapshot'}
--no-debug {dim Turn off debug logging}
--release {dim Produce a release-ready distributable}
--rpm {dim Only build the rpm packages}
--serverless {dim Only build the serverless packages}
--skip-archives {dim Don't produce tar/zip archives}
--skip-canvas-shareable-runtime {dim Don't build the Canvas shareable runtime}
--skip-cloud-dependencies-download {dim Don't download cloud dependencies (beats)}
--skip-cdn-assets {dim Don't build CDN assets}
--skip-docker-cloud {dim Don't build the docker cloud image}
--skip-docker-cloud-fips {dim Don't build the docker cloud fips image}
--skip-docker-contexts {dim Don't produce docker image contexts}
--skip-docker-fips {dim Don't build the docker fips image}
--skip-docker-serverless {dim Don't build the docker serverless image}
--skip-docker-ubi {dim Don't build the docker ubi image}
--skip-docker-ubuntu {dim Don't build the docker ubuntu image}
--skip-docker-wolfi {dim Don't build the docker wolfi image}
--skip-docker-fips {dim Don't build the docker fips image}
--release {dim Produce a release-ready distributable}
--version-qualifier {dim Suffix version with a qualifier}
--skip-initialize {dim Skip environment cleanup and verification}
--skip-generic-folders {dim Skip building package, plugins, etc from source}
--skip-platform-folders {dim Skip platform specific folder creation and operations}
--skip-node-download {dim Reuse existing downloads of node.js}
--skip-os-packages {dim Don't produce rpm/deb/docker packages}
--verbose,-v {dim Turn on verbose logging}
--no-debug {dim Turn off debug logging}
--epr-registry {dim Specify the EPR registry to use for Fleet packages, 'production' or 'snapshot'}
--with-test-plugins {dim Pass to include test plugins in the build output}
--version-qualifier {dim Suffix version with a qualifier}
--with-example-plugins {dim Pass to include example plugins in the build output}
--with-test-plugins {dim Pass to include test plugins in the build output}
`) + '\n'
);
process.exit(1);


@ -44,6 +44,7 @@ const config = new Config(
false,
true,
true,
{},
{}
);


@ -26,6 +26,7 @@ import {
ALL_PLATFORMS,
SERVERLESS_PLATFORMS,
} from './platform';
import { BuildOptions } from '../build_distributables';
interface Options {
isRelease: boolean;
@ -72,7 +73,8 @@ export class Config {
{
examples: opts.withExamplePlugins,
testPlugins: opts.withTestPlugins,
}
},
opts
);
}
@ -93,7 +95,8 @@ export class Config {
private readonly dockerPush: boolean,
public readonly isRelease: boolean,
public readonly downloadFreshNode: boolean,
public readonly pluginSelector: PluginSelector
public readonly pluginSelector: PluginSelector,
public readonly buildOptions: Partial<BuildOptions>
) {
this.pluginFilter = getPluginPackagesFilter(this.pluginSelector);
}


@ -19,8 +19,8 @@ export const DownloadCloudDependencies: Task = {
async run(config, log, build) {
const subdomain = config.isRelease ? 'artifacts-staging' : 'artifacts-snapshot';
const downloadBeat = async (beat: string, id: string) => {
const version = config.getBuildVersion();
const downloadBeat = async (beat: string, id: string, variant?: string) => {
const version = variant ? `${variant}-${config.getBuildVersion()}` : config.getBuildVersion();
const localArchitecture = [process.arch === 'arm64' ? 'arm64' : 'x86_64'];
const allArchitectures = ['arm64', 'x86_64'];
const architectures = config.getDockerCrossCompile() ? allArchitectures : localArchitecture;
@ -79,8 +79,15 @@ export const DownloadCloudDependencies: Task = {
await del([config.resolveFromRepo('.beats')]);
await downloadBeat('metricbeat', buildId);
await downloadBeat('filebeat', buildId);
if (config.buildOptions.createDockerCloud) {
await downloadBeat('metricbeat', buildId);
await downloadBeat('filebeat', buildId);
}
if (config.buildOptions.createDockerCloudFIPS) {
await downloadBeat('metricbeat', buildId, 'fips');
await downloadBeat('filebeat', buildId, 'fips');
}
await writeManifest(manifestUrl, manifestJSON);
},
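Review bot: The new `variant` parameter of `downloadBeat` is spliced straight into the artifact version (`${variant}-${config.getBuildVersion()}`), which presumably ends up in the download URL and file name, but its type is an open `string`. Narrowing it to `variant?: 'fips'` documents the only value the callers pass and lets the compiler reject any other spelling before it reaches the download path. A one-line comment on the signature, `// variant selects the FIPS-built beats artifacts (e.g. metricbeat-fips-<version>)`, would make the naming convention explicit. `downloadBeat`'s body continues outside the hunk.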


@ -49,6 +49,7 @@ const config = new Config(
false,
true,
true,
{},
{}
);


@ -163,13 +163,28 @@ export const CreateDockerCloud: Task = {
},
};
export const CreateDockerCloudFIPS: Task = {
description: 'Creating Docker Cloud FIPS image',
async run(config, log, build) {
await runDockerGenerator(config, log, build, {
architecture: 'x64',
baseImage: 'wolfi',
context: false,
image: true,
fips: true,
cloud: true,
});
},
};
export const CreateDockerFIPS: Task = {
description: 'Creating Docker FIPS image',
async run(config, log, build) {
await runDockerGenerator(config, log, build, {
architecture: 'x64',
baseImage: 'ubi',
baseImage: 'wolfi',
context: false,
image: true,
fips: true,
@ -217,10 +232,17 @@ export const CreateDockerContexts: Task = {
image: false,
});
await runDockerGenerator(config, log, build, {
baseImage: 'ubi',
baseImage: 'wolfi',
context: true,
image: false,
fips: true,
});
await runDockerGenerator(config, log, build, {
baseImage: 'wolfi',
context: true,
image: false,
fips: true,
cloud: true,
});
},
};


@ -1,28 +1,20 @@
##########################################################################
## ##
## This OpenSSL config is only loaded when running Kibana in FIPS mode. ##
## ##
## See: ##
## https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md ##
## https://www.openssl.org/docs/man3.0/man7/fips_module.html ##
## ##
##########################################################################
#######################################################################
## ##
## This config is referenced by ENV variables in the Docker images. ##
## It is required to start Kibana in FIPS mode. ##
## It must be a separate cnf file. ##
## ##
## See: ##
## https://nodejs.org/docs/latest-v20.x/api/crypto.html#fips-mode ##
## ##
#######################################################################
nodejs_conf = nodejs_init
.include /usr/share/kibana/openssl/ssl/fipsmodule.cnf
# Default location on Wolfi image.
# This file will load the FIPS configuration
.include /etc/ssl/openssl.cnf
[nodejs_init]
providers = provider_sect
alg_section = algorithm_sect
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect
[default_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
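Review bot: The comment above `fips = fips_sect` still says the section name must match the included `fipsmodule.cnf`, but this file no longer includes `fipsmodule.cnf` directly; `fips_sect` now has to be defined by whatever `/etc/ssl/openssl.cnf` on the base image pulls in, which this file cannot check. Rewording it to `# fips_sect is expected to be defined via the base image's /etc/ssl/openssl.cnf (which includes fipsmodule.cnf); a base image that names the section differently will stop the provider from activating` records that dependency. It would also help to note next to the `.include` line that, with the Docker image setting `OPENSSL_CONF` to this file, it presumably becomes the process-wide OpenSSL config rather than only Node's `nodejs_conf` section.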


@ -44,7 +44,7 @@ export async function runDockerGenerator(
if (flags.baseImage === 'ubuntu') baseImageName = 'ubuntu:20.04';
if (flags.baseImage === 'ubi') baseImageName = 'docker.elastic.co/ubi9/ubi-minimal:latest';
/**
* Renovate config contains a regex manager to automatically updates this Chainguard reference
* Renovate config contains a regex manager to automatically update both Chainguard references
*
* If this logic moves to another file or under another name, then the Renovate regex manager
* for automatic Chainguard updates will break.
@ -55,11 +55,16 @@ export async function runDockerGenerator(
let imageFlavor = '';
if (flags.baseImage === 'ubi') imageFlavor += `-ubi`;
if (flags.baseImage === 'wolfi' && !flags.serverless && !flags.cloud) imageFlavor += `-wolfi`;
if (flags.baseImage === 'wolfi' && !flags.serverless && !flags.cloud && !flags.fips)
imageFlavor += `-wolfi`;
if (flags.ironbank) imageFlavor += '-ironbank';
if (flags.cloud) imageFlavor += '-cloud';
if (flags.serverless) imageFlavor += '-serverless';
if (flags.fips) imageFlavor += '-fips';
if (flags.fips) {
imageFlavor += '-fips';
baseImageName =
'docker.elastic.co/wolfi/chainguard-base-fips:latest@sha256:d70e92385f4faf961d2e5d23664578de44fe536945918e641383af53f0aca544';
}
// General docker var config
const license = 'Elastic License';
@ -77,8 +82,12 @@ export async function runDockerGenerator(
const artifactPrefix = `kibana${artifactVariant}-${version}-linux`;
const artifactTarball = `${artifactPrefix}-${artifactArchitecture}.tar.gz`;
const beatsArchitecture = flags.architecture === 'aarch64' ? 'arm64' : 'x86_64';
const metricbeatTarball = `metricbeat-${version}-linux-${beatsArchitecture}.tar.gz`;
const filebeatTarball = `filebeat-${version}-linux-${beatsArchitecture}.tar.gz`;
const metricbeatTarball = `metricbeat${
flags.fips ? '-fips' : ''
}-${version}-linux-${beatsArchitecture}.tar.gz`;
const filebeatTarball = `filebeat${
flags.fips ? '-fips' : ''
}-${version}-linux-${beatsArchitecture}.tar.gz`;
const artifactsDir = config.resolveFromTarget('.');
const beatsDir = config.resolveFromRepo('.beats');
const dockerBuildDate = flags.dockerBuildDate || new Date().toISOString();
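Review bot: The `if (flags.fips)` branch overwrites `baseImageName` with the Chainguard FIPS image regardless of `flags.baseImage`, so a call with `baseImage: 'ubi'` and `fips: true` would build on the Wolfi base while the flavour logic above still appends `-ubi`, producing a `-ubi-fips` image whose name misdescribes its base. Since every FIPS task in `docker_tasks.ts` now passes `baseImage: 'wolfi'`, making the constraint explicit, `if (flags.fips && flags.baseImage !== 'wolfi') throw new Error('FIPS images are only built on the wolfi base');`, is safer than a silent override. `runDockerGenerator` starts and ends outside the hunk.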


@ -12,7 +12,7 @@
FROM {{{baseImageName}}} AS builder
{{#ubi}}
RUN microdnf install -y findutils tar gzip{{#fips}} perl make gcc{{/fips}}
RUN microdnf install -y findutils tar gzip
{{/ubi}}
{{#ubuntu}}
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y curl
@ -38,29 +38,6 @@ RUN tar \
--strip-components=1 \
-zxf /tmp/kibana.tar.gz
{{#fips}}
# OpenSSL requires specific versions that are FIPS certified.
#
# See:
# https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md
# https://www.openssl.org/docs/man3.0/man7/fips_module.html
RUN set -e ; \
OPENSSL_VERSION='3.0.8'; \
OPENSSL_PATH=/usr/share/kibana/openssl ; \
mkdir "${OPENSSL_PATH}"; \
curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" ; \
curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.sha256" ; \
echo "$(cat openssl-${OPENSSL_VERSION}.tar.gz.sha256) openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c ; \
tar -zxf "openssl-${OPENSSL_VERSION}.tar.gz" ; \
rm -rf openssl-${OPENSSL_VERSION}.tar* ; \
cd "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
./Configure --prefix="${OPENSSL_PATH}" --openssldir="${OPENSSL_PATH}/ssl" --libdir="${OPENSSL_PATH}/lib" enable-fips; \
make -j $(nproc) > /dev/null ; \
make install > /dev/null ; \
rm -rf "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
chown -R 1000:0 "${OPENSSL_PATH}";
{{/fips}}
# Ensure that group permissions are the same as user permissions.
# This will help when relying on GID-0 to run Kibana, rather than UID-1000.
# OpenShift does this, for example.
@ -149,16 +126,7 @@ COPY --from=builder --chown=0:0 /usr/share/fonts/local/NotoSansCJK-Regular.ttc /
RUN fc-cache -v
{{/serverless}}
WORKDIR /usr/share/kibana
{{#fips}}
# Enable FIPS for Kibana only. In the future we can override OS wide with ENV OPENSSL_CONF
RUN /bin/echo -e '\n--enable-fips' >> config/node.options
RUN echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
ENV XPACK_SECURITY_FIPSMODE_ENABLED=true
{{/fips}}
RUN ln -s /usr/share/kibana /opt/kibana
{{! Please notify @elastic/kibana-security if you want to remove or change this environment variable. }}
@ -174,6 +142,15 @@ ENV PROFILER_SIGNAL=SIGUSR1
{{^opensslLegacyProvider}}
RUN sed 's/\(--openssl-legacy-provider\)/#\1/' -i config/node.options
{{/opensslLegacyProvider}}
{{#fips}}
RUN /bin/echo -e '\n--enable-fips' >> config/node.options
COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
ENV OPENSSL_CONF=/usr/share/kibana/config/nodejs.cnf
ENV OPENSSL_MODULES=/usr/lib64/ossl-modules
RUN /bin/echo -e '\nxpack.security.fipsMode.enabled: true' >> config/kibana.yml
{{/fips}}
# Add the launcher/wrapper script. It knows how to interpret environment
# variables and translate them to Kibana CLI options.
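Review bot: FIPS mode at the Kibana level is now enabled by appending `xpack.security.fipsMode.enabled: true` to `config/kibana.yml` in the image, whereas the removed lines set `ENV XPACK_SECURITY_FIPSMODE_ENABLED=true`; an operator who mounts or replaces `kibana.yml` would presumably lose the appended line and start with that setting off, while an environment variable (which the launcher script below translates to CLI options) survives such a mount. Unless the env-var route was dropped for a reason the commit does not state, keeping `ENV XPACK_SECURITY_FIPSMODE_ENABLED=true` alongside the yml append preserves that guarantee. Setting `OPENSSL_CONF` image-wide also replaces the removed `--openssl-config` node option, so a short comment above the `ENV OPENSSL_CONF=` line explaining why the config must now be process-wide (the removed comment said "Enable FIPS for Kibana only") would help the next reader.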