feat(fips): add fips compliant packages (#187)

* added FIPS image release to the Dockerfile and workflow

* Build FIPS compatible nri-ecs

* Added FIPS build step

* Changelog

* changelog

* split the release into two steps

Author: rahulreddy15

.github/workflows/release.yml

@@ -34,11 +34,49 @@ jobs:
           docker buildx build --push --platform=$DOCKER_PLATFORMS \
             -t $DOCKER_IMAGE_NAME:latest \
             .
+
         fi
         
         # Upload configuration files
         make upload_manifests RELEASE_VERSION=$VERSION NRI_ECS_IMAGE_TAG=$DOCKER_IMAGE_TAG
 
+    secrets:
+      docker_username: ${{ secrets.FSI_DOCKERHUB_USERNAME }}
+      docker_password: ${{ secrets.FSI_DOCKERHUB_TOKEN }}
+      bot_token: ${{ secrets.COREINT_BOT_TOKEN }}
+      aws_access_key_id: ${{ secrets.COREINT_AWS_ACCESS_KEY_ID }}
+      aws_access_key_secret: ${{ secrets.COREINT_AWS_SECRET_ACCESS_KEY }}
+      slack_channel: ${{ secrets.COREINT_SLACK_CHANNEL }}
+      slack_token: ${{ secrets.COREINT_SLACK_TOKEN }}
+
+  fips-release-pipeline:
+    name: Release Pipeline for FIPS compatible image
+    uses: newrelic/coreint-automation/.github/workflows/reusable_image_release.yaml@v3
+    with:
+      original_repo_name: "newrelic/nri-ecs"
+      docker_image_name: "newrelic/nri-ecs-fips"
+      docker_platforms: "linux/amd64,linux/arm64"
+
+      release_command_sh: |
+        
+        # Build the integration
+        make compile-multiarch-fips RELEASE_VERSION=$VERSION
+
+        # Build and push FIPS image with / without "-pre" suffix based on if its a pre release
+        docker buildx build --push --platform=$DOCKER_PLATFORMS \
+          -t $DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG \
+          -f Dockerfile.fips \
+          .
+        
+        # Push latest tag if its a release
+        if [[ "${{ github.event.release.prerelease }}" == "false" ]]; then
+          # Push latest for FIPS image
+          docker buildx build --push --platform=$DOCKER_PLATFORMS \
+            -t $DOCKER_IMAGE_NAME:latest \
+            -f Dockerfile.fips \
+            .
+        fi
+        
     secrets:
       docker_username: ${{ secrets.FSI_DOCKERHUB_USERNAME }}
       docker_password: ${{ secrets.FSI_DOCKERHUB_TOKEN }}

CHANGELOG.md

@@ -10,6 +10,9 @@ Unreleased section should follow
 
 ## Unreleased
 
+### enhancements
+- Added FIPS compliant image 
+
 ## v1.12.27 - 2025-09-22
 
 ### ⛓️ Dependencies

Dockerfile.fips

@@ -0,0 +1,23 @@
+ARG BASE_IMAGE=newrelic/infrastructure-bundle-fips:3.3.2
+
+FROM $BASE_IMAGE AS base
+
+# Set by docker automatically
+# If building with `docker build`, make sure to set GOOS/GOARCH explicitly when calling make:
+# `make compile GOOS=something GOARCH=something`
+# Otherwise the makefile will not append them to the binary name and docker build will fail.
+ARG TARGETOS
+ARG TARGETARCH
+
+# Add the nri-ecs integration binary to the default folders.
+ADD --chmod=755 bin/nri-ecs-fips-${TARGETOS}-${TARGETARCH} /var/db/newrelic-infra/newrelic-integrations/bin/
+RUN mv /var/db/newrelic-infra/newrelic-integrations/bin/nri-ecs-fips-${TARGETOS}-${TARGETARCH} \
+    /var/db/newrelic-infra/newrelic-integrations/bin/nri-ecs
+
+RUN rm /etc/newrelic-infra/integrations.d/docker-config.yml
+
+# Activates the nri-ecs integration in the image by default.
+# Some Envars needed to configure the integration are set in the deployment task
+# and added to NRIA_PASSTHROUGH_ENVIRONMENT.
+ADD nri-ecs-config.yml /var/db/newrelic-infra/integrations.d/nri-ecs-config.yml
+ADD nri-docker-config.yml /var/db/newrelic-infra/integrations.d/nri-docker-config.yml

Makefile

@@ -8,6 +8,10 @@ RELEASE_STRING := ${RELEASE_VERSION}
 COMMIT ?= $(shell git rev-parse HEAD || echo "unknown")
 LD_FLAGS ?= "-X 'main.integrationVersion=$(RELEASE_VERSION)' -X 'main.gitCommit=$(COMMIT)'"
 
+# FIPS builder image configuration
+GO_VERSION 		?= $(shell grep '^go ' go.mod | awk '{print $$2}')
+BUILDER_IMAGE 	?= "ghcr.io/newrelic/coreint-automation:latest-go$(GO_VERSION)-ubuntu16.04"
+
 NRI_ECS_IMAGE_REPO ?= newrelic/nri-ecs
 NRI_ECS_IMAGE_TAG ?= "dev"
 NRI_ECS_IMAGE := $(NRI_ECS_IMAGE_REPO):$(NRI_ECS_IMAGE_TAG)
@@ -86,6 +90,43 @@ compile-multiarch:
 	$(MAKE) compile GOOS=linux GOARCH=arm64
 	$(MAKE) compile GOOS=linux GOARCH=arm
 
+compile-multiarch-fips:
+	$(MAKE) compile-fips-docker-amd64
+	$(MAKE) compile-fips-docker-arm64
+	@echo "All FIPS binaries compiled."
+
+compile-all-multiarch:
+	$(MAKE) compile-multiarch
+	$(MAKE) compile-multiarch-fips
+
+compile-fips-docker-amd64:
+	@echo "=== $(INTEGRATION) === [ compile-fips-docker-amd64 ]: Building FIPS binary for linux/amd64 using builder image..."
+	docker run --rm \
+		--platform linux/amd64 \
+		-v $(PWD):/src \
+		-w /src \
+		-e GOOS=linux \
+		-e GOARCH=amd64 \
+		-e CGO_ENABLED=1 \
+		-e CC=gcc \
+		-e GOEXPERIMENT=boringcrypto \
+		$(BUILDER_IMAGE) \
+		go build -o bin/$(BINARY_NAME)-fips-linux-amd64 -ldflags $(LD_FLAGS) -tags fips ./cmd
+
+compile-fips-docker-arm64:
+	@echo "=== $(INTEGRATION) === [ compile-fips-docker-arm64 ]: Building FIPS binary for linux/arm64 using builder image..."
+	docker run --rm \
+		--platform linux/amd64 \
+		-v $(PWD):/src \
+		-w /src \
+		-e GOOS=linux \
+		-e GOARCH=arm64 \
+		-e CGO_ENABLED=1 \
+		-e CC=aarch64-linux-gnu-gcc \
+		-e GOEXPERIMENT=boringcrypto \
+		$(BUILDER_IMAGE) \
+		go build -o bin/$(BINARY_NAME)-fips-linux-arm64 -ldflags $(LD_FLAGS) -tags fips ./cmd
+
 ## GOOS and GOARCH are manually set so the output BINARY_NAME includes them as suffixes.
 ## Additionally, DOCKER_BUILDKIT is set since it's needed for Docker to populate TARGETOS and TARGETARCH ARGs.
 ## Here we call $(MAKE) build instead of using a dependency because the latter would, for some reason, prevent
@@ -119,4 +160,4 @@ buildThirdPartyNotice:
 rt-update-changelog:
 	curl "https://raw.githubusercontent.com/newrelic/release-toolkit/v1/contrib/ohi-release-notes/run.sh" | bash -s -- $(filter-out $@,$(MAKECMDGOALS))
 
-.PHONY: all build clean image compile compile-multiarch test buildLicenseNotice
+.PHONY: all build clean image compile compile-multiarch compile-multiarch-fips compile-all-multiarch compile-fips-docker-amd64 compile-fips-docker-arm64 test buildLicenseNotice

cmd/fips.go

@@ -0,0 +1,11 @@
+// Copyright 2025 New Relic Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build fips
+// +build fips
+
+package main
+
+import (
+	_ "crypto/tls/fipsonly"
+)