From 80183622154e15459f3010199ad611f7ec5a2d98 Mon Sep 17 00:00:00 2001
From: Brad White
Date: Fri, 10 May 2024 16:22:20 -0600
Subject: [PATCH] target kibana only with opensll. better cleanup. reduce make noise

---
 .../resources/fips/openssl/nodejs.cnf | 2 +-
 .../templates/base/Dockerfile | 34 ++++++++++---------
 2 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/src/dev/build/tasks/os_packages/docker_generator/resources/fips/openssl/nodejs.cnf b/src/dev/build/tasks/os_packages/docker_generator/resources/fips/openssl/nodejs.cnf
index bd8fece6674d70..f4f3a076975eb9 100644
--- a/src/dev/build/tasks/os_packages/docker_generator/resources/fips/openssl/nodejs.cnf
+++ b/src/dev/build/tasks/os_packages/docker_generator/resources/fips/openssl/nodejs.cnf
@@ -9,7 +9,7 @@
 ##########################################################################
 nodejs_conf = nodejs_init
-.include /usr/local/ssl/fipsmodule.cnf
+.include /usr/share/kibana/openssl/ssl/fipsmodule.cnf
 [nodejs_init]
 providers = provider_sect
diff --git a/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile b/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile
index e42d2a7ec1dcd1..315af54691f4e6 100644
--- a/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile
+++ b/src/dev/build/tasks/os_packages/docker_generator/templates/base/Dockerfile
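Review bot: The new `.include` path hard-codes the `--openssldir` value chosen by the OpenSSL build step in templates/base/Dockerfile, and nothing in this file says so, so the next person who moves the install prefix will break FIPS initialisation without a hint here. A comment above the include would keep the two in step, e.g. `# Must match --openssldir passed to ./Configure in the base Dockerfile`. The same coupling applies to `OPENSSL_MODULES` in the Dockerfile, which points at the `--libdir` of that build.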
@@ -127,26 +127,28 @@ WORKDIR /usr/share/kibana
 # https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md
 # https://www.openssl.org/docs/man3.0/man7/fips_module.html
-# Ideally we would handle this in the builder step, but make is installing over the OS version
-# of OpenSSL and requires linking of many submodules.
+# Ideally we would handle this in the builder step, but OpenSSL requires linking of many submodules.
 RUN set -e ; \
- curl --retry 8 -S -L -O https://www.openssl.org/source/openssl-3.0.8.tar.gz ; \
- curl --retry 8 -S -L -O https://www.openssl.org/source/openssl-3.0.8.tar.gz.sha256 ; \
- echo "$(cat openssl-3.0.8.tar.gz.sha256) openssl-3.0.8.tar.gz" | sha256sum -c ; \
- tar -zxf openssl-3.0.8.tar.gz ; \
- rm -rf openssl-3.0.8.tar* ; \
- cd /usr/share/kibana/openssl-3.0.8 ; \
- ./Configure enable-fips ; \
- make -j $(nproc) ; \
- make install ; \
- ldconfig /usr/local/lib64/ ; \
- chown -R 1000:0 /usr/share/kibana/openssl-3.0.8
+ OPENSSL_VERSION='3.0.8'; \
+ OPENSSL_PATH=/usr/share/kibana/openssl ; \
+ mkdir "${OPENSSL_PATH}"; \
+ curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" ; \
+ curl --retry 8 -S -L -O "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz.sha256" ; \
+ echo "$(cat openssl-${OPENSSL_VERSION}.tar.gz.sha256) openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c ; \
+ tar -zxf "openssl-${OPENSSL_VERSION}.tar.gz" ; \
+ rm -rf openssl-${OPENSSL_VERSION}.tar* ; \
+ cd "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
+ ./Configure --prefix="${OPENSSL_PATH}" --openssldir="${OPENSSL_PATH}/ssl" --libdir="${OPENSSL_PATH}/lib" enable-fips; \
+ make -j $(nproc) > /dev/null ; \
+ make install > /dev/null ; \
+ rm -rf "/usr/share/kibana/openssl-${OPENSSL_VERSION}" ; \
+ chown -R 1000:0 "${OPENSSL_PATH}";
 # Enable FIPS for Kibana only. In the future we can override OS wide with ENV OPENSSL_CONF
 RUN /usr/bin/echo -e '\n--enable-fips' >> config/node.options
-RUN /usr/bin/echo '--openssl-config=/usr/share/kibana/openssl-3.0.8/nodejs.cnf' >> config/node.options
-COPY --chown=1000:0 openssl/nodejs.cnf /usr/share/kibana/openssl-3.0.8/nodejs.cnf
-ENV OPENSSL_MODULES=/usr/local/lib64/ossl-modules
+RUN /usr/bin/echo '--openssl-config=/usr/share/kibana/config/nodejs.cnf' >> config/node.options
+COPY --chown=1000:0 openssl/nodejs.cnf "/usr/share/kibana/config/nodejs.cnf"
+ENV OPENSSL_MODULES=/usr/share/kibana/openssl/lib/ossl-modules
 {{/fips}}
 RUN ln -s /usr/share/kibana /opt/kibana
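Review bot: The closing `chown -R 1000:0 "${OPENSSL_PATH}"` now hands the installed FIPS provider under `lib/ossl-modules`, the `fipsmodule.cnf` under `ssl/`, and the shared libraries to uid 1000 (presumably the user Kibana runs as), so the process that loads the module can also overwrite it and the module's self-integrity check no longer protects against a compromised runtime user; before this change the install went to `/usr/local` and stayed root-owned, the chown only touched the build tree. Unless a later step needs write access there, leave the tree root-owned and only make it world-readable, `chmod -R a+rX "${OPENSSL_PATH}";`. Separately, the `.sha256` file is fetched from the same origin as the tarball, so the `sha256sum -c` line only detects transport corruption, not a substituted release; pin the known digest in the Dockerfile, e.g. `OPENSSL_SHA256='<sha256 of openssl-3.0.8.tar.gz, from the release announcement>'; \` and `echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c ; \`, and drop the second curl. That second point is carried over from the removed lines rather than introduced here.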