Skip to content

Disable Filebeat's azure-eventhub input and azure module in FIPS builds #44902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Disable Filebeat's azure-eventhub input and azure module in FIPS builds #44902

wants to merge 5 commits into from

Conversation

ycombinator
Copy link
Contributor

@ycombinator ycombinator commented Jun 18, 2025
edited
Loading

Proposed commit message

This PR ensures that the Filebeat azure module is only included in non-FIPS builds of Filebeat. It also ensures that the Filebeat azure-eventhub input, which is used by the the azure module, is only included in non-FIPS builds of Filebeat. In other words, neither the azure module nor the azure-eventhub input will be available in FIPS-capable Filebeat artifacts.

The azure-eventhub input depends on the Azure Go SDK. The SDK's code uses the golang.org/x/crypto/pkcs12 package, which is not FIPS-compliant, and the SDK doesn't plan to offer a way to disable the use of this package at compile time (see Azure/azure-sdk-for-go#24336).

As such, we have little choice but to exclude the azure-eventhub input and the only module that uses it, azure, from FIPS-capable Filebeat builds.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

FIPS-capable artifacts of Filebeat will not contain the azure module or the azure-eventhub input.

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 18, 2025
@github-actions GitHub Actions
Copy link
Contributor

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify Mergify
Copy link
Contributor

mergify bot commented Jun 18, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @ycombinator? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@ycombinator ycombinator added the backport-8.19 Automated backport to the 8.19 branch label Jun 18, 2025
@ycombinator ycombinator force-pushed the fips-disable-fb-azure branch 2 times, most recently from 1517530 to 2bd14ee Compare June 18, 2025 19:04
@ycombinator ycombinator force-pushed the fips-disable-fb-azure branch from 2bd14ee to b176324 Compare June 18, 2025 20:00
@ycombinator ycombinator mentioned this pull request Jun 18, 2025
Open
6 tasks
@ycombinator ycombinator marked this pull request as ready for review June 19, 2025 00:52
@ycombinator ycombinator requested review from a team as code owners June 19, 2025 00:52
@pierrehilbert pierrehilbert added Team:obs-ds-hosted-services Label for the Observability Hosted Services team Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team labels Jun 20, 2025
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 20, 2025
@elasticmachine
Copy link
Collaborator

Pinging @elastic/obs-ds-hosted-services (Team:obs-ds-hosted-services)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@pierrehilbert pierrehilbert requested a review from zmoog June 20, 2025 07:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rdner rdner Awaiting requested review from rdner rdner is a code owner automatically assigned from elastic/elastic-agent-data-plane

@andrzej-stencel andrzej-stencel Awaiting requested review from andrzej-stencel andrzej-stencel is a code owner automatically assigned from elastic/elastic-agent-data-plane

@simitt simitt Awaiting requested review from simitt

@michel-laterman michel-laterman Awaiting requested review from michel-laterman

@kruskall kruskall Awaiting requested review from kruskall

@zmoog zmoog Awaiting requested review from zmoog

At least 1 approving review is required to merge this pull request.

Assignees

@ycombinator ycombinator

Labels
backport-8.19 Automated backport to the 8.19 branch Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team Team:obs-ds-hosted-services Label for the Observability Hosted Services team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ycombinator @elasticmachine @pierrehilbert