[CI / Build / FIPS] Use xpack.security.experimental.fipsMode.enabled …

…in CI and Docker (#187533) ## Summary Closes #188272 A check was added to in #181187 which detects if the environment has FIPS enabled NodeJS, but Kibana is not setup properly. This adds the Kibana setting for FIPS in CI and the Docker image. Note there are still license issues on some tests due to #181187 as well, but this will be handled in another PR.
elastic · Jul 15, 2024 · 333cd20 · 333cd20
1 parent 7045864
commit 333cd20
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/.buildkite/scripts/common/env.sh b/.buildkite/scripts/common/env.sh
@@ -47,7 +47,6 @@ export MERGE_QUEUE_TARGET_BRANCH
 BUILDKITE_BRANCH_MERGE_QUEUE="${MERGE_QUEUE_TARGET_BRANCH:-${BUILDKITE_BRANCH:-}}"
 export BUILDKITE_BRANCH_MERGE_QUEUE
 
-
 BUILDKITE_AGENT_GCP_REGION=""
 if [[ "$(curl -is metadata.google.internal || true)" ]]; then
   # projects/1003139005402/zones/us-central1-a -> us-central1-a -> us-central1
@@ -133,15 +132,19 @@ export TEST_GROUP_TYPE_FUNCTIONAL="Functional Tests"
 export GH_REPO=github.com/elastic/kibana
 
 FTR_ENABLE_FIPS_AGENT=false
-# used by FIPS agents to link FIPS OpenSSL modules
 if [[ "${KBN_ENABLE_FIPS:-}" == "true" ]] || is_pr_with_label "ci:enable-fips-agent"; then
   FTR_ENABLE_FIPS_AGENT=true
+  # used by FIPS agents to link FIPS OpenSSL modules
   export OPENSSL_MODULES=$HOME/openssl/lib/ossl-modules
 
   if [[ -f "$KIBANA_DIR/config/node.options" ]]; then
     echo -e '\n--enable-fips' >>"$KIBANA_DIR/config/node.options"
     echo "--openssl-config=$HOME/nodejs.cnf" >>"$KIBANA_DIR/config/node.options"
   fi
+
+  if [[ -f "$KIBANA_DIR/config/kibana.yml" ]]; then
+    echo -e '\nxpack.security.experimental.fipsMode.enabled: true' >>"$KIBANA_DIR/config/kibana.yml"
+  fi
 fi
 
 export FTR_ENABLE_FIPS_AGENT
diff --git a/.buildkite/scripts/common/util.sh b/.buildkite/scripts/common/util.sh
@@ -33,7 +33,7 @@ check_for_changed_files() {
 
   SHOULD_AUTO_COMMIT_CHANGES="${2:-}"
   CUSTOM_FIX_MESSAGE="${3:-}"
-  GIT_CHANGES="$(git status --porcelain -- . ':!:.bazelrc' ':!:config/node.options')"
+  GIT_CHANGES="$(git status --porcelain -- . ':!:.bazelrc' ':!:config/node.options' ':!config/kibana.yml')"
 
   if [ "$GIT_CHANGES" ]; then
     if ! is_auto_commit_disabled && [[ "$SHOULD_AUTO_COMMIT_CHANGES" == "true" && "${BUILDKITE_PULL_REQUEST:-}" ]]; then
@@ -56,7 +56,7 @@ check_for_changed_files() {
       git config --global user.name kibanamachine
       git config --global user.email '[email protected]'
       gh pr checkout "${BUILDKITE_PULL_REQUEST}"
-      git add -A -- . ':!.bazelrc' ':!config/node.options'
+      git add -A -- . ':!.bazelrc' ':!config/node.options' ':!config/kibana.yml'
 
       git commit -m "$NEW_COMMIT_MESSAGE"
       git push

diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile b/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile
@@ -156,6 +156,7 @@ RUN /usr/bin/echo -e '\n--enable-fips' >> config/node.options
 RUN /usr/bin/echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
 COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
 ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
+ENV XPACK_SECURITY_EXPERIMENTAL_FIPSMODE_ENABLED=true
 
 {{/fips}}
 RUN ln -s /usr/share/kibana /opt/kibana