Add fips config to jvm.options for observabilitySRE (#17958)

donoghuc · web-flow · commit 64e64625e877 · 2025-08-12T08:53:28.000-07:00
* Add fips config to jvm.options for observabilitySRE

In addition to setting `LS_JAVA_OPTS` we now include the fips config java
options in the `/usr/share/logstash/config/jvm.options` file. This ensures that
if consumers of the image overwrite `LS_JAVA_OPTS` the fips config is still
respected from `jvm.options`.

* *only* set jvm opts via jvm.options

Stop setting LS_JAVA_OPTS in favor of jvm.options.

* Use subshell to clean up file concat

Codereview suggestion
diff --git a/docker/templates/Dockerfile.erb b/docker/templates/Dockerfile.erb
@@ -115,6 +115,16 @@ RUN mkdir -p /usr/share/logstash/config/security
 RUN cp /usr/share/logstash/x-pack/distributions/internal/observabilitySRE/config/security/java.security /usr/share/logstash/config/security/ && \
     chown --recursive logstash:root /usr/share/logstash/config/security/
 
+# Copy additional JVM options and append to existing jvm.options
+RUN cp /usr/share/logstash/x-pack/distributions/internal/observabilitySRE/config/fips-jvm.options /tmp/fips-jvm.options && \
+    chown logstash:root /tmp/fips-jvm.options
+# echos are for ensuring that the file ends with a newline
+RUN ( \
+      echo ""; echo ""; \
+      cat /tmp/fips-jvm.options \
+    ) >> /usr/share/logstash/config/jvm.options && \
+    rm /tmp/fips-jvm.options
+
 # list the classes provided by the fips BC
 RUN find /usr/share/logstash -name *.jar | grep lib
 
@@ -132,17 +142,6 @@ RUN /usr/share/logstash/jdk/bin/keytool -importkeystore \
     -deststorepass changeit \
     -srcstorepass changeit \
     -noprompt
-
-# Set Java security properties through LS_JAVA_OPTS
-ENV LS_JAVA_OPTS="\
-    -Djava.security.properties=/usr/share/logstash/config/security/java.security \
-    -Djavax.net.ssl.trustStore=/usr/share/logstash/config/security/cacerts.bcfks \
-    -Djavax.net.ssl.trustStoreType=BCFKS \
-    -Djavax.net.ssl.trustStoreProvider=BCFIPS \
-    -Djavax.net.ssl.trustStorePassword=changeit \
-    -Dssl.KeyManagerFactory.algorithm=PKIX \
-    -Dssl.TrustManagerFactory.algorithm=PKIX \
-    -Dorg.bouncycastle.fips.approved_only=true"
 <% end -%>
 
 WORKDIR /usr/share/logstash
diff --git a/x-pack/distributions/internal/observabilitySRE/config/fips-jvm.options b/x-pack/distributions/internal/observabilitySRE/config/fips-jvm.options
@@ -0,0 +1,9 @@
+# FIPS config to be appended to /usr/share/logstash/config/jvm.options
+-Djava.security.properties=/usr/share/logstash/config/security/java.security
+-Djavax.net.ssl.trustStore=/usr/share/logstash/config/security/cacerts.bcfks
+-Djavax.net.ssl.trustStoreType=BCFKS
+-Djavax.net.ssl.trustStoreProvider=BCFIPS
+-Djavax.net.ssl.trustStorePassword=changeit
+-Dssl.KeyManagerFactory.algorithm=PKIX
+-Dssl.TrustManagerFactory.algorithm=PKIX
+-Dorg.bouncycastle.fips.approved_only=true
