FIPS Build

[michel-laterman]

Proposed commit message

Enable FIPS compliant builds when the env var FIPS=true is set.

Artifacts are built with the microsfot/go toolchain with the env var GOEXPERIMENT=systemcrypto and the build tag "-tags=requirefips".
In order to run the resulting binary, the system must have a FIPS compliant crypto provider.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

None

How to test this PR locally

TODO

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @michel-laterman? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

[mergify]

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

[michel-laterman]

Currently FIPS binaries built with FIPS=true mage build do not behave as expected.

For reference, I can build elastic-agent binaries with the changes in elastic/elastic-agent#6565 in a VM using the microsoft/go toolchain, and when I try to run them with no provider it will immediatly panic with the error panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider

The beats I build with these changes do not panic (and I expect it to in this case).

EDIT: running the binary with the env var GOFIPS=1 yeilds the expected error

[michel-laterman]

When building agentbeat without this parsing, it results in two -tags= values being sent to the go build command. one tag gets ignored; this resulted in the behaviour in my previous comment where I then had to adjust a runtime env var to get the binary in compliance.

Parsing the extra flags to join all -tags= flags is required in order to send -tags=agentbeat,requirefips which produced a binary that works as expected.

[leehinman]

How does this interact with the build tags for testing? I'm thinking of "integration" as an example. I'm assuming we will need tests that require both a testing build tag and the fips build tag.

beats/dev-tools/mage/gotest.go

Line 297 in 1473ae9

testArgs = append(testArgs, "-tags", params)

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[cmacknz]

Similar to the agent PR, this needs to be built as part of CI and we need to have a test that confirms the binary is actually FIPS compliant and links in the FIPS OpenSSL in the expected way.