[Filebeat] Allow v2 inputs to opt out of FIPS distributions

[ycombinator]

Proposed commit message

This PR adds a new boolean field, ExcludeFromFIPS to the v2.Plugin struct for optional use by v2 inputs. Inputs that set this field to true are indicating that they should NOT be usable in FIPS-capable distributions of Filebeat. If an input that sets this field to true is configured in a FIPS-capable Filebeat distribution, Filebeat will exit with an error like so:

{"log.level":"error","@timestamp":"2025-06-25T11:22:14.686-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1355},"message":"Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [o365audit] is not FIPS capable","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [o365audit] is not FIPS capable

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works~
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

None; the changes in this PR merely allow for Filebeat v2 inputs to be excluded from FIPS-capable Filebeat artifacts; there are no inputs actually being excluded in this PR.

How to test this PR locally

$ go test ./filebeat/input/v2/ -test.run TestLoader_ConfigureFIPS -test.count 1 -test.v
=== RUN   TestLoader_ConfigureFIPS
    loader_test.go:209: FIPS mode = false; err = <nil>
--- PASS: TestLoader_ConfigureFIPS (0.00s)
PASS
ok  	github.com/elastic/beats/v7/filebeat/input/v2	0.006s

In an environment configured for FIPS, i.e. with the Microsoft Go fork installed and with the OpenSSL FIPS provider installed:

$ GOEXPERIMENT=systemcrypto go test -tags requirefips ./filebeat/input/v2/ -test.run TestLoader_ConfigureFIPS -test.count 1 -test.v
=== RUN   TestLoader_ConfigureFIPS
    loader_test.go:209: FIPS mode = true; err = running a FIPS-capable distribution but input [a] is not FIPS capable
--- PASS: TestLoader_ConfigureFIPS (0.00s)
PASS
ok  	github.com/elastic/beats/v7/filebeat/input/v2	0.014s

Related issues

This PR replaces the implementation done in #44920

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[ycombinator]

@Mergifyio backport 9.1

[mergify]

backport 9.1

✅ Backports have been created

Details

• Backport to branch 9.1 not needed, change already in branch 9.1