From 12815d619573492e1fed6ed7461059beb9dfcc60 Mon Sep 17 00:00:00 2001 From: Branden Clark Date: Fri, 6 Dec 2024 11:59:19 -0500 Subject: [PATCH] Build Windows FIPS Agent containers (#31727) --- .gitlab/container_build/docker_windows.yml | 16 ++ .../container_build/docker_windows_agent7.yml | 20 ++- .../dev_container_deploy/docker_windows.yml | 155 ++++++------------ Dockerfiles/agent/install-fips.ps1 | 19 ++- Dockerfiles/agent/windows/amd64/Dockerfile | 1 + 5 files changed, 101 insertions(+), 110 deletions(-) diff --git a/.gitlab/container_build/docker_windows.yml b/.gitlab/container_build/docker_windows.yml index 5beeea220c02e..f2402de687d30 100644 --- a/.gitlab/container_build/docker_windows.yml +++ b/.gitlab/container_build/docker_windows.yml @@ -62,5 +62,21 @@ BUILD_ARG: "--build-arg BASE_IMAGE=mcr.microsoft.com/powershell:windowsservercore-${VARIANT} --build-arg WITH_JMX=${WITH_JMX} --build-arg VARIANT=${VARIANT} --build-arg INSTALL_INFO=core-${VARIANT}" SERVERCORE: "-servercore" +.docker_build_fips_agent7_windows_common: + extends: + - .docker_build_agent7_windows_common + needs: + ["windows_msi_and_bosh_zip_x64-a7-fips", "build_windows_container_entrypoint"] + variables: + AGENT_ZIP: "datadog-fips-agent-7*-x86_64.zip" + BUILD_ARG: "--build-arg BASE_IMAGE=mcr.microsoft.com/powershell:lts-nanoserver-${VARIANT} --build-arg WITH_JMX=${WITH_JMX} --build-arg WITH_FIPS=true --build-arg VARIANT=${VARIANT} --build-arg INSTALL_INFO=nano-${VARIANT}-fips" + +.docker_build_fips_agent7_windows_servercore_common: + extends: + - .docker_build_fips_agent7_windows_common + variables: + BUILD_ARG: "--build-arg BASE_IMAGE=mcr.microsoft.com/powershell:windowsservercore-${VARIANT} --build-arg WITH_JMX=${WITH_JMX} --build-arg WITH_FIPS=true --build-arg VARIANT=${VARIANT} --build-arg INSTALL_INFO=core-${VARIANT}-fips" + SERVERCORE: "-servercore" + include: - .gitlab/container_build/docker_windows_agent7.yml diff --git a/.gitlab/container_build/docker_windows_agent7.yml b/.gitlab/container_build/docker_windows_agent7.yml index e8bf47cbba812..4a3c9393d5ba1 100644 --- a/.gitlab/container_build/docker_windows_agent7.yml +++ b/.gitlab/container_build/docker_windows_agent7.yml @@ -21,7 +21,6 @@ docker_build_agent7_windows2022_jmx: extends: - .docker_build_agent7_windows_common tags: ["runner:windows-docker", "windowsversion:2022"] - needs: ["windows_msi_and_bosh_zip_x64-a7", "build_windows_container_entrypoint"] variables: VARIANT: ltsc2022 TAG_SUFFIX: -7-jmx @@ -67,8 +66,25 @@ docker_build_agent7_windows2022_core_jmx: extends: - .docker_build_agent7_windows_servercore_common tags: ["runner:windows-docker", "windowsversion:2022"] - needs: ["windows_msi_and_bosh_zip_x64-a7", "build_windows_container_entrypoint"] variables: VARIANT: ltsc2022 TAG_SUFFIX: -7-jmx WITH_JMX: "true" + +docker_build_fips_agent7_windows2022_core: + extends: + - .docker_build_fips_agent7_windows_servercore_common + tags: ["runner:windows-docker", "windowsversion:2022"] + variables: + VARIANT: ltsc2022 + TAG_SUFFIX: "-7-fips" + WITH_JMX: "false" + +docker_build_fips_agent7_windows2022_core_jmx: + extends: + - .docker_build_fips_agent7_windows_servercore_common + tags: ["runner:windows-docker", "windowsversion:2022"] + variables: + VARIANT: ltsc2022 + TAG_SUFFIX: -7-fips-jmx + WITH_JMX: "true" diff --git a/.gitlab/dev_container_deploy/docker_windows.yml b/.gitlab/dev_container_deploy/docker_windows.yml index 734c81cacd36c..c219f4b7a44ec 100644 --- a/.gitlab/dev_container_deploy/docker_windows.yml +++ b/.gitlab/dev_container_deploy/docker_windows.yml @@ -2,11 +2,9 @@ include: - .gitlab/common/container_publish_job_templates.yml -dev_branch-a7-windows: +.dev_a7-windows-common: extends: .docker_publish_job_definition stage: dev_container_deploy - rules: - !reference [.manual] needs: - docker_build_agent7_windows1809 - docker_build_agent7_windows1809_jmx @@ -23,16 +21,16 @@ dev_branch-a7-windows: # Multi-arch - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win + IMG_DESTINATIONS: agent-dev:${IMG_DESTINATION_SLUG}-py3-win - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win + IMG_DESTINATIONS: agent-dev:${IMG_DESTINATION_SLUG}-py3-jmx-win - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore + IMG_DESTINATIONS: agent-dev:${IMG_DESTINATION_SLUG}-py3-win-servercore - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore + IMG_DESTINATIONS: agent-dev:${IMG_DESTINATION_SLUG}-py3-jmx-win-servercore # ltsc2019 - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" IMG_SOURCES: "%BASE%-win1809-amd64" @@ -60,118 +58,63 @@ dev_branch-a7-windows: IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64" IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2022 +dev_branch-a7-windows: + extends: .dev_a7-windows-common + rules: + !reference [.manual] + variables: + IMG_DESTINATION_SLUG: ${CI_COMMIT_REF_SLUG} + dev_master-a7-windows: - extends: .docker_publish_job_definition - stage: dev_container_deploy + extends: .dev_a7-windows-common rules: !reference [.on_main] - needs: - - docker_build_agent7_windows1809 - - docker_build_agent7_windows1809_jmx - - docker_build_agent7_windows1809_core - - docker_build_agent7_windows1809_core_jmx - - docker_build_agent7_windows2022 - - docker_build_agent7_windows2022_jmx - - docker_build_agent7_windows2022_core - - docker_build_agent7_windows2022_core_jmx variables: - IMG_REGISTRIES: dev - parallel: - matrix: - # Multi-arch - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:master-py3-win - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:master-py3-jmx-win - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:master-py3-win-servercore - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:master-py3-jmx-win-servercore - # ltsc2019 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-win1809-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-ltsc2019 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-win1809-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-ltsc2019 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-win1809-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore-ltsc2019 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-win1809-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2019 - # ltsc2022 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-ltsc2022 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-ltsc2022 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore-ltsc2022 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2022 + IMG_DESTINATION_SLUG: master dev_nightly-a7-windows: - extends: .docker_publish_job_definition - stage: dev_container_deploy + extends: .dev_a7-windows-common rules: !reference [.on_deploy_nightly_repo_branch] + variables: + IMG_DESTINATION_SLUG: nightly + +.dev_fips-a7-windows-common: + extends: .docker_publish_job_definition + stage: dev_container_deploy needs: - - docker_build_agent7_windows1809 - - docker_build_agent7_windows1809_jmx - - docker_build_agent7_windows1809_core - - docker_build_agent7_windows1809_core_jmx - - docker_build_agent7_windows2022 - - docker_build_agent7_windows2022_jmx - - docker_build_agent7_windows2022_core - - docker_build_agent7_windows2022_core_jmx + - docker_build_fips_agent7_windows2022_core + - docker_build_fips_agent7_windows2022_core_jmx variables: IMG_REGISTRIES: dev + # Only publish ltsc2022 servercore for now, that's all that's used by the integrations testing parallel: matrix: - # Multi-arch - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:nightly-${CI_COMMIT_SHORT_SHA}-py3-win - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-win1809-amd64,%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:nightly-${CI_COMMIT_SHORT_SHA}-py3-jmx-win - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:nightly-${CI_COMMIT_SHORT_SHA}-py3-win-servercore - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-win1809-servercore-amd64,%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:nightly-${CI_COMMIT_SHORT_SHA}-py3-jmx-win-servercore - # ltsc2019 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-win1809-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-ltsc2019 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-win1809-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-ltsc2019 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-win1809-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore-ltsc2019 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-win1809-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2019 # ltsc2022 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" - IMG_SOURCES: "%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-ltsc2022 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" - IMG_SOURCES: "%BASE%-winltsc2022-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-ltsc2022 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7" + - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-fips" IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-win-servercore-ltsc2022 - - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-jmx" + IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-fips-win-servercore-ltsc2022 + - IMG_VARIABLES: "BASE=${SRC_AGENT}:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-7-fips-jmx" IMG_SOURCES: "%BASE%-winltsc2022-servercore-amd64" - IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-jmx-win-servercore-ltsc2022 + IMG_DESTINATIONS: agent-dev:${CI_COMMIT_REF_SLUG}-py3-fips-jmx-win-servercore-ltsc2022 + +dev_branch-fips-a7-windows: + extends: .dev_fips-a7-windows-common + rules: + !reference [.manual] + variables: + IMG_DESTINATION_SLUG: ${CI_COMMIT_REF_SLUG} + +dev_master-fips-a7-windows: + extends: .dev_fips-a7-windows-common + rules: + !reference [.on_main] + variables: + IMG_DESTINATION_SLUG: master + +dev_nightly-fips-a7-windows: + extends: .dev_fips-a7-windows-common + rules: + !reference [.on_deploy_nightly_repo_branch] + variables: + IMG_DESTINATION_SLUG: nightly diff --git a/Dockerfiles/agent/install-fips.ps1 b/Dockerfiles/agent/install-fips.ps1 index 70be3b0da44bb..05324776e9dda 100644 --- a/Dockerfiles/agent/install-fips.ps1 +++ b/Dockerfiles/agent/install-fips.ps1 @@ -1,5 +1,16 @@ $ErrorActionPreference = 'Stop' +# Removes temporary files for FIPS setup +function Remove-TempFiles { + Remove-Item -Force -Recurse \fips-build +} + +if ("$env:WITH_FIPS" -ne "true") { + # If FIPS is not enabled, skip the FIPS setup + Remove-TempFiles + exit 0 +} + $maven_sha512 = '8BEAC8D11EF208F1E2A8DF0682B9448A9A363D2AD13CA74AF43705549E72E74C9378823BF689287801CBBFC2F6EA9596201D19CCACFDFB682EE8A2FF4C4418BA' if ("$env:WITH_JMX" -ne "false") { @@ -18,6 +29,10 @@ if ("$env:WITH_JMX" -ne "false") { if (!$?) { Write-Error ("BouncyCastle self check failed with exit code: {0}" -f $LASTEXITCODE) } + cd \ } -cd \ -Remove-Item -Force -Recurse \fips-build + +# TODO: Run openssl fipsinstall command here when embedded Python work is completed +# HERE + +Remove-TempFiles diff --git a/Dockerfiles/agent/windows/amd64/Dockerfile b/Dockerfiles/agent/windows/amd64/Dockerfile index 275801062f047..72c7060810838 100755 --- a/Dockerfiles/agent/windows/amd64/Dockerfile +++ b/Dockerfiles/agent/windows/amd64/Dockerfile @@ -7,6 +7,7 @@ ARG WITH_JMX="false" ARG VARIANT="unknown" ARG INSTALL_INFO="unknown" ARG GENERAL_ARTIFACTS_CACHE_BUCKET_URL +ARG WITH_FIPS="false" LABEL maintainer "Datadog "