[BARX-792] Provide FedRAMP compliant images for agent and dca FIPS im…

…ages (#34540)

.gitlab/internal_image_deploy/internal_image_deploy.yml

@@ -14,7 +14,7 @@ docker_trigger_internal:
   tags: ["arch:amd64"]
   variables:
     DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
-    IMAGE_VERSION: tmpl-v11
+    IMAGE_VERSION: tmpl-v12
     IMAGE_NAME: datadog-agent
     RELEASE_TAG: ${CI_COMMIT_REF_SLUG}-jmx
     BUILD_TAG: ${CI_COMMIT_REF_SLUG}-jmx
@@ -60,7 +60,7 @@ docker_trigger_internal-fips:
   tags: ["arch:amd64"]
   variables:
     DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
-    IMAGE_VERSION: tmpl-v11
+    IMAGE_VERSION: tmpl-v12
     IMAGE_NAME: datadog-agent
     RELEASE_TAG: ${CI_COMMIT_REF_SLUG}-fips-jmx
     BUILD_TAG: ${CI_COMMIT_REF_SLUG}-fips-jmx
@@ -106,7 +106,7 @@ docker_trigger_internal-ot:
   tags: ["arch:amd64"]
   variables:
     DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
-    IMAGE_VERSION: tmpl-v11
+    IMAGE_VERSION: tmpl-v12
     IMAGE_NAME: datadog-agent
     RELEASE_TAG: ${CI_COMMIT_REF_SLUG}-ot-beta-jmx
     BUILD_TAG: ${CI_COMMIT_REF_SLUG}-ot-beta-jmx
@@ -152,7 +152,7 @@ docker_trigger_cluster_agent_internal:
   tags: ["arch:amd64"]
   variables:
     DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
-    IMAGE_VERSION: tmpl-v5
+    IMAGE_VERSION: tmpl-v6
     IMAGE_NAME: datadog-cluster-agent
     RELEASE_TAG: ${CI_COMMIT_REF_SLUG}
     BUILD_TAG: ${CI_COMMIT_REF_SLUG}
@@ -186,3 +186,50 @@ docker_trigger_cluster_agent_internal:
       --variable TARGET_ENV
       --variable DYNAMIC_BUILD_RENDER_TARGET_FORWARD_PARAMETERS"
   retry: 2
+
+docker_trigger_cluster_agent_internal-fips:
+  stage: internal_image_deploy
+  rules: !reference [.on_deploy_internal_or_manual]
+  needs:
+    - job: docker_build_cluster_agent_fips_amd64
+      artifacts: false
+    - job: docker_build_cluster_agent_fips_arm64
+      artifacts: false
+  image: registry.ddbuild.io/ci/datadog-agent-buildimages/deb_x64$DATADOG_AGENT_BUILDIMAGES_SUFFIX:$DATADOG_AGENT_BUILDIMAGES
+  tags: ["arch:amd64"]
+  variables:
+    DYNAMIC_BUILD_RENDER_RULES: agent-build-only # fake rule to not trigger the ones in the images repo
+    IMAGE_VERSION: tmpl-v6
+    IMAGE_NAME: datadog-cluster-agent
+    RELEASE_TAG: ${CI_COMMIT_REF_SLUG}-fips
+    BUILD_TAG: ${CI_COMMIT_REF_SLUG}-fips
+    TMPL_SRC_IMAGE: v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips
+    TMPL_SRC_REPO: ci/datadog-agent/cluster-agent
+    RELEASE_STAGING: "true"
+    RELEASE_PROD: "true"
+  script:
+    - GITLAB_TOKEN=$($CI_PROJECT_DIR/tools/ci/fetch_secret.sh $GITLAB_TOKEN write_api) || exit $?; export GITLAB_TOKEN
+    - if [ "$BUCKET_BRANCH" = "beta" ] || [ "$BUCKET_BRANCH" = "stable" ]; then TMPL_SRC_REPO="${TMPL_SRC_REPO}-release"; fi
+    - |
+      if [ "$BUCKET_BRANCH" = "nightly" ]; then
+        RELEASE_TAG="${RELEASE_TAG}-${CI_COMMIT_SHORT_SHA}"
+        TMPL_SRC_REPO="${TMPL_SRC_REPO}-nightly"
+      fi
+    - if [ "$BUCKET_BRANCH" = "dev" ]; then RELEASE_TAG="dev-${RELEASE_TAG}-${CI_COMMIT_SHORT_SHA}"; fi
+    - "inv pipeline.trigger-child-pipeline --project-name DataDog/images --git-ref master --timeout 3600
+      --variable IMAGE_VERSION
+      --variable IMAGE_NAME
+      --variable RELEASE_TAG
+      --variable BUILD_TAG
+      --variable TMPL_SRC_IMAGE
+      --variable TMPL_SRC_REPO
+      --variable RELEASE_STAGING
+      --variable RELEASE_PROD
+      --variable DYNAMIC_BUILD_RENDER_RULES
+      --variable APPS
+      --variable BAZEL_TARGET
+      --variable DDR
+      --variable DDR_WORKFLOW_ID
+      --variable TARGET_ENV
+      --variable DYNAMIC_BUILD_RENDER_TARGET_FORWARD_PARAMETERS"
+  retry: 2