[pull] main from DataDog:main

.github/CODEOWNERS

@@ -250,6 +250,7 @@
 /Dockerfiles/agent/entrypoint.ps1        @DataDog/container-integrations @DataDog/windows-agent
 /Dockerfiles/agent/windows/              @DataDog/container-integrations @DataDog/windows-agent
 /Dockerfiles/agent-ot                    @DataDog/opentelemetry
+/Dockerfiles/agent/bouncycastle-fips     @DataDog/agent-metrics-logs
 
 /docs/                                  @DataDog/documentation @DataDog/agent-devx-loops
 /docs/dev/checks/                       @DataDog/documentation @DataDog/agent-metrics-logs
@@ -317,6 +318,7 @@
 /comp/trace/etwtracer @DataDog/windows-agent
 /comp/autoscaling/datadogclient @DataDog/container-integrations
 /comp/etw @DataDog/windows-agent
+/comp/haagent @DataDog/ndm-core
 /comp/languagedetection/client @DataDog/container-platform
 /comp/rdnsquerier @DataDog/ndm-integrations
 /comp/serializer/compression @DataDog/agent-metrics-logs

.github/dependabot.yaml

@@ -183,3 +183,11 @@ updates:
     schedule:
       interval: weekly
     open-pull-requests-limit: 100
+  - package-ecosystem: maven
+    directory: Dockerfiles/agent/bouncycastle-fips
+    labels:
+      - dependencies
+      - team/agent-metrics-logs
+      - changelog/no-changelog
+    schedule:
+      interval: weekly

Dockerfiles/agent/Dockerfile

@@ -51,7 +51,7 @@ WORKDIR /output
 ENV S6_VERSION="v2.2.0.3"
 ENV JUST_CONTAINERS_DOWNLOAD_LOCATION=${GENERAL_ARTIFACTS_CACHE_BUCKET_URL:+${GENERAL_ARTIFACTS_CACHE_BUCKET_URL}/s6-overlay}
 ENV JUST_CONTAINERS_DOWNLOAD_LOCATION=${JUST_CONTAINERS_DOWNLOAD_LOCATION:-https://github.com/just-containers/s6-overlay/releases/download}
-RUN apt install --no-install-recommends -y curl ca-certificates
+RUN apt install --no-install-recommends -y curl ca-certificates maven
 RUN S6ARCH=$([ "$TARGETARCH" = "amd64" ] && echo "amd64" || echo "aarch64") && curl -L ${JUST_CONTAINERS_DOWNLOAD_LOCATION}/${S6_VERSION}/s6-overlay-${S6ARCH}.tar.gz -o /output/s6.tgz
 COPY s6.$TARGETARCH.sha256 /output/s6.$TARGETARCH.sha256
 # To calculate S6_SHA256SUM for a specific version, run:
@@ -104,6 +104,10 @@ COPY datadog*.yaml etc/datadog-agent/
 # Installation information
 COPY install_info etc/datadog-agent/
 
+# Download BouncyCastle FIPS provider jar files.
+COPY bouncycastle-fips/pom.xml /opt/bouncycastle-fips/
+RUN if [ -n "$WITH_JMX" ]; then cd /opt/bouncycastle-fips && mvn dependency:copy-dependencies; else mkdir -p /opt/bouncycastle-fips/target/dependency; fi
+
 ######################################
 #  Actual docker image construction  #
 ######################################
@@ -209,6 +213,12 @@ RUN  mv /etc/s6/init/init-stage3 /etc/s6/init/init-stage3-original
 COPY init-stage3          /etc/s6/init/init-stage3
 COPY init-stage3-host-pid /etc/s6/init/init-stage3-host-pid
 
+# Copy BouncyCastle Java FIPS provider binaries and configuration
+COPY --from=extract /opt/bouncycastle-fips/target/dependency/*.jar /opt/bouncycastle-fips/
+COPY bouncycastle-fips/java.security /opt/bouncycastle-fips/
+COPY bouncycastle-fips/bc-fips.policy /opt/bouncycastle-fips/
+RUN if [ -z "$WITH_JMX" ]; then rm -rf /opt/bouncycastle-fips; fi
+
 # Update if optional OTel Agent process should not run
 RUN if [ ! -f /opt/datadog-agent/embedded/bin/otel-agent ]; then \
   rm -rf /etc/services.d/otel ; \

Dockerfiles/agent/bouncycastle-fips/bc-fips.policy

@@ -0,0 +1,5 @@
+grant {
+permission java.lang.RuntimePermission "getProtectionDomain";
+permission java.util.PropertyPermission "java.runtime.name", "read";
+permission java.lang.RuntimePermission "accessDeclaredMembers";
+}