Contributor

@ycombinator ycombinator commented Oct 3, 2025

Description

This PR runs all Golang unit tests in this repository with the GODEBUG=fips140=only environment set. This is useful to detect any FIPS-140 violations of code covered by these unit tests.

Link to tracking issue

Relates to #13925

Testing

Documentation


codecov bot commented Oct 3, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.65%. Comparing base (14a7832) to head (a1e292e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13926      +/-   ##
==========================================
- Coverage   91.66%   91.65%   -0.01%     
==========================================
  Files         652      652              
  Lines       42516    42516              
==========================================
- Hits        38973    38970       -3     
- Misses       2734     2736       +2     
- Partials      809      810       +1     


@ycombinator ycombinator changed the title Add Makefile targets for running unit tests with GODEBUG=fips140=only [chore] Add Makefile targets for running unit tests with GODEBUG=fips140=only Oct 3, 2025
@ycombinator
Contributor Author

ycombinator commented Oct 3, 2025

Running make gotest-fips140-only fails fast, so instead I'm running make test-fips140-only in each module like so:

$ for m in $(find . -iname go.mod); do d=$(dirname $m); cd $d; make test-fips140-only; cd -; done

Ignoring passing and skipped tests, here are the failures:

=== Failed
=== FAIL: . TestHttpReception/TLS (2.01s)
    configgrpc_test.go:754:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/configgrpc/configgrpc_test.go:754
        	Error:      	Received unexpected error:
        	            	rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = "transport: authentication handshake failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"
        	Test:       	TestHttpReception/TLS

=== FAIL: . TestHttpReception/mTLS (2.02s)
    configgrpc_test.go:754:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/configgrpc/configgrpc_test.go:754
        	Error:      	Received unexpected error:
        	            	rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = "transport: authentication handshake failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"
        	Test:       	TestHttpReception/mTLS

=== FAIL: . TestHttpReception (10.06s)

DONE 73 tests, 3 failures in 10.793s
make: *** [test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestHttpReception/TLS (0.00s)
    server_test.go:267:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:53253": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS

=== FAIL: . TestHttpReception/TLS_(HTTP/1.1) (0.00s)
    server_test.go:267:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:53255": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS_(HTTP/1.1)

=== FAIL: . TestHttpReception/mTLS (0.00s)
    server_test.go:267:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:53259": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/mTLS

=== FAIL: . TestHttpReception (0.02s)

DONE 156 tests, 4 failures in 0.571s
...
=== FAIL: provider/internal/configurablehttpprovider TestFunctionalityDownloadFileHTTPS (0.02s)
panic: crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode [recovered, repanicked]

goroutine 4 [running]:
testing.tRunner.func1.2({0x1048c0a20, 0x1049564c0})
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1872 +0x2b4
testing.tRunner.func1()
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1875 +0x460
panic({0x1048c0a20?, 0x1049564c0?})
	/Users/shaunak/.gvm/gos/go1.25.1/src/runtime/panic.go:783 +0x120
crypto/sha1.Sum({0xc0002d0240, 0x10e, 0x10e})
	/Users/shaunak/.gvm/gos/go1.25.1/src/crypto/sha1/sha1.go:278 +0x154
crypto/x509.CreateCertificate({0x104958b20, 0xc00011c250}, 0xc0002c2e58, 0xc0002c2e58, {0x1048e2160, 0xc000280230}, {0x104925f00, 0xc000280230})
	/Users/shaunak/.gvm/gos/go1.25.1/src/crypto/x509/x509.go:1738 +0x5a4
go.opentelemetry.io/collector/confmap/provider/internal/configurablehttpprovider.generateCertificate(0xc000005180, {0x1047c868d, 0x9})
	/Users/shaunak/development/github/opentelemetry-collector/confmap/provider/internal/configurablehttpprovider/provider_test.go:81 +0x510
go.opentelemetry.io/collector/confmap/provider/internal/configurablehttpprovider.TestFunctionalityDownloadFileHTTPS(0xc000005180)
	/Users/shaunak/development/github/opentelemetry-collector/confmap/provider/internal/configurablehttpprovider/provider_test.go:126 +0x40
testing.tRunner(0xc000005180, 0x1049535d0)
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1934 +0x168
created by testing.(*T).Run in goroutine 1
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1997 +0x6e4

DONE 243 tests, 1 skipped, 1 failure in 3.058s
...
=== Failed
=== FAIL: . TestSendTracesWhenEndpointHasHttpScheme/Use_https_scheme (10.01s)
    otlp_test.go:461:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/exporter/otlpexporter/otlp_test.go:461
        	Error:      	Condition never satisfied
        	Test:       	TestSendTracesWhenEndpointHasHttpScheme/Use_https_scheme

=== FAIL: . TestSendTracesWhenEndpointHasHttpScheme (10.02s)

=== FAIL: . TestSendProfilesWhenEndpointHasHttpScheme/Use_https_scheme (10.01s)
    otlp_test.go:1034:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/exporter/otlpexporter/otlp_test.go:1034
        	Error:      	Condition never satisfied
        	Test:       	TestSendProfilesWhenEndpointHasHttpScheme/Use_https_scheme

=== FAIL: . TestSendProfilesWhenEndpointHasHttpScheme (10.03s)

DONE 62 tests, 4 failures in 28.041s
...

That's a total of 8 test cases that fail when GODEBUG=fips140=only is set. Of these 8 failures, 5 are due to this error:

crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode

I will investigate each of these failures first to check if the HTTPS calls are indeed being made only by the test code itself; if that is the case for all such failures, we can safely add GODEBUG=tlsmlkem=0 to the go test command to ignore these failures. That will then leave us 3 failures that will need further investigation for FIPS-compliance.

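As an added example (not code from this PR or from the collector repository), here is what a test fixture that stays inside the algorithm set permitted by GODEBUG=fips140=only can look like, covering both failure classes listed above: the TLS/mTLS handshakes that tripped on X25519, and the certificate generation that panicked in crypto/sha1. The helper names (fipsTLSConfig, generateTestCert, runFIPSHandshake) are mine. The explanation for the SHA-1 call is my reading of the stack trace, namely that crypto/x509.CreateCertificate derives a missing SubjectKeyId on a CA template with SHA-1, so the fixture sets SubjectKeyId explicitly and pins the signature algorithm to SHA-256.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// fipsTLSConfig keeps the handshake inside the FIPS 140-3 approved set:
// TLS 1.2 or newer and NIST curves only, so X25519 (the failing key exchange
// in the TLS/mTLS tests above) is never offered by either side.
func fipsTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384},
	}
}

// generateTestCert builds a self-signed ECDSA P-256 certificate for 127.0.0.1
// signed with SHA-256. SubjectKeyId is set explicitly (truncated SHA-256 of the
// public key, RFC 7093 method 1); assumption from the panic trace above: when it
// is empty on a CA template, crypto/x509 derives it with SHA-1, which
// fips140=only rejects.
func generateTestCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	skid := sha256.Sum256(pubDER)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "fips140-test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		SubjectKeyId:          skid[:20],
		SignatureAlgorithm:    x509.ECDSAWithSHA256,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// runFIPSHandshake serves one HTTPS endpoint with the generated certificate and
// performs a client request with the same constrained TLS config. It returns
// the HTTP status, the negotiated TLS version and the leaf's signature algorithm.
func runFIPSHandshake() (int, uint16, x509.SignatureAlgorithm, error) {
	cert, leaf, err := generateTestCert()
	if err != nil {
		return 0, 0, 0, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = fipsTLSConfig()
	srv.TLS.Certificates = []tls.Certificate{cert}
	srv.StartTLS()
	defer srv.Close()

	// The client trusts only the freshly generated certificate.
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	clientCfg := fipsTLSConfig()
	clientCfg.RootCAs = pool
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: clientCfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, 0, 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, resp.TLS.Version, leaf.SignatureAlgorithm, nil
}

func main() {
	status, ver, sigAlg, err := runFIPSHandshake()
	if err != nil {
		fmt.Println("handshake failed:", err)
		return
	}
	fmt.Printf("status=%d tls=0x%04x sig=%s\n", status, ver, sigAlg)
}
```

Running the same program once normally and once with GODEBUG=fips140=only is the quick way to confirm a fixture like this does not depend on a non-approved algorithm: with the default Go TLS settings the client would offer X25519 first and fail under fips140=only, while the pinned curve list negotiates P-256 in both modes.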
@atoulme
Contributor

atoulme commented Oct 3, 2025

I think you can just set GODEBUG as an env var before running make.

GODEBUG=fips140=only make test

Please feel free to open issues for each test occurrence failing, and request fips140-3 be considered for support.

@ycombinator
Contributor Author

ycombinator commented Oct 4, 2025

Thanks @atoulme, I'll run the Go unit tests as you suggested.

The goal would be to eventually run these unit tests with GODEBUG=fips140=only in CI so we can detect any regressions once all the test failures are addressed. I'll amend this PR accordingly and file separate issues for each failing test. Once those issues are resolved, we can return to this PR, rebase it on main, and make sure it passes CI.

@ycombinator ycombinator changed the title [chore] Add Makefile targets for running unit tests with GODEBUG=fips140=only [chore] Run Go unit tests with GODEBUG=fips140=only Oct 4, 2025
@ycombinator ycombinator changed the title [chore] Run Go unit tests with GODEBUG=fips140=only [ci] Run Go unit tests with GODEBUG=fips140=only Oct 4, 2025