Update go.mod to 1.26.2 (#6800)

* Update go.mod to 1.26.2

* Update golangci-lint version

* fix fips test run

* change microsoft/go fips test to use fips140=on

* fix test failure

* change test to check enforcement

(cherry picked from commit e689116)

Author: michel-laterman

.buildkite/pipeline.yml

@@ -164,13 +164,14 @@ steps:
           - build/*.xml
           - build/coverage*.out
 
-      - label: ":smartbear-testexecute: Run unit tests with requirefips build tag and FIPS provider"
+      - label: ":smartbear-testexecute: Run fips140=on unit tests with FIPS provider and microsoft/go"
         key: unit-test-fips-tag
         command: ".buildkite/scripts/unit_test.sh"
         env:
           FIPS: "true"
           GOEXPERIMENT: "systemcrypto"
           GO_DISTRO: "microsoft"
+          GODEBUG: "fips140=on,tlsmlkem=0"
         agents:
           provider: "aws"
           imagePrefix: "${IMAGE_UBUNTU_X86_64_FIPS}"
@@ -179,7 +180,7 @@ steps:
           - build/*.xml
           - build/coverage*.out
 
-      - label: ":smartbear-testexecute: Run fips140=only unit tests with FIPS provider"
+      - label: ":smartbear-testexecute: Run fips140=only unit tests with FIPS provider and upstream go"
         key: unit-test-fips140-only
         command: ".buildkite/scripts/unit_test_fipsonly.sh"
         env:

.ci/bump-golang.yml

@@ -79,15 +79,6 @@ targets:
       content: '{{ source "latestGoVersion" }}'
       file: .go-version
       matchpattern: '\d+.\d+.\d+'
-  update-golang.ci:
-    name: "Update .golangci.yml"
-    sourceid: latestGoVersion
-    scmid: githubConfig
-    kind: file
-    spec:
-      content: '{{ source "latestGoVersion" }}'
-      file: .golangci.yml
-      matchpattern: '\d+.\d+.\d+'
   update-gomod:
     name: "Update go.mod"
     sourceid: latestGoVersion

.github/workflows/golangci-lint.yml

@@ -39,7 +39,7 @@ jobs:
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20  # v9.2.0
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v2.5.0
+          version: v2.11.4
 
           # Give the job more time to execute.
           # Regarding `--whole-files`, the linter is supposed to support linting of changed a patch only but,

.go-version

@@ -1 +1 @@
-1.25.9
+1.26.2

.golangci.yml

@@ -4,7 +4,6 @@ run:
   timeout: 1m
   build-tags:
     - integration
-  go: "1.25.9"
 
 issues:
   # Maximum count of issues with the same text.

changelog/fragments/1775752898-Update-go-to-v1.26.2.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Update go to v1.26.2
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234

dev-tools/go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/dev-tools
 
-go 1.25.9
+go 1.26.2
 
 tool (
 	github.com/elastic/go-json-schema-generate/cmd/schema-generate

go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/v7
 
-go 1.25.9
+go 1.26.2
 
 require (
 	github.com/Pallinder/go-randomdata v1.2.0

internal/pkg/api/server_test.go

@@ -161,7 +161,7 @@ func Test_server_ClientCert(t *testing.T) {
 			break
 		}
 
-		rCtx, rCancel := context.WithTimeout(ctx, time.Second)
+		rCtx, rCancel := context.WithTimeout(ctx, 5*time.Second)
 		defer rCancel()
 		req, err := http.NewRequestWithContext(rCtx, "GET", "https://"+addr+"/api/status", nil)
 		require.NoError(t, err)
@@ -233,7 +233,7 @@ func Test_server_ClientCert(t *testing.T) {
 			break
 		}
 
-		rCtx, rCancel := context.WithTimeout(ctx, time.Second)
+		rCtx, rCancel := context.WithTimeout(ctx, 5*time.Second)
 		defer rCancel()
 		req, err := http.NewRequestWithContext(rCtx, "GET", "https://"+addr+"/api/status", nil)
 		require.NoError(t, err)
@@ -306,7 +306,7 @@ func Test_server_ClientCert(t *testing.T) {
 			break
 		}
 
-		rCtx, rCancel := context.WithTimeout(ctx, time.Second)
+		rCtx, rCancel := context.WithTimeout(ctx, 5*time.Second)
 		defer rCancel()
 		req, err := http.NewRequestWithContext(rCtx, "GET", "https://"+addr+"/api/status", nil)
 		require.NoError(t, err)
@@ -388,7 +388,7 @@ key: %s`,
 			break
 		}
 
-		rCtx, rCancel := context.WithTimeout(ctx, time.Second)
+		rCtx, rCancel := context.WithTimeout(ctx, 5*time.Second)
 		defer rCancel()
 		req, err := http.NewRequestWithContext(rCtx, "GET", "https://"+addr+"/api/status", nil)
 		require.NoError(t, err)

internal/pkg/es/client_test.go

@@ -6,6 +6,7 @@ package es
 
 import (
 	"context"
+	"crypto/fips140"
 	"crypto/tls"
 	"crypto/x509"
 	_ "embed"
@@ -19,7 +20,6 @@ import (
 	"time"
 
 	"github.com/elastic/elastic-agent-libs/transport/tlscommon"
-	"github.com/elastic/fleet-server/v7/internal/pkg/build"
 	"github.com/elastic/fleet-server/v7/internal/pkg/config"
 	"github.com/elastic/fleet-server/v7/internal/pkg/testing/certs"
 	"github.com/stretchr/testify/require"
@@ -205,8 +205,13 @@ func TestConnectionTLS(t *testing.T) {
 
 	_, err = FetchESVersion(ctx, client)
 
-	if build.FIPSDistribution {
-		require.ErrorContains(t, err, "tls: internal error")
+	if fips140.Enforced() {
+		// When FIPS 140 is enforced (GODEBUG=fips140=only), Go's crypto
+		// stack rejects signing with a 1024-bit RSA key. Note: fips140=on
+		// with microsoft/go's systemcrypto backend silently falls back to
+		// stdlib in test binaries (via UnreachableExceptTests), so only
+		// fips140=only reliably enforces this.
+		require.Error(t, err)
 	} else {
 		require.NoError(t, err)
 	}