Auth enforces FIPS STS endpoints for IAM join method when in FIPS mode#16124
To play the devil's advocate on release version here, does this not need to be introduced in v12? Our versioning promise is 1 major version either way, do we insist that they need to be running the newest version of the previous major version for it to be compatible with a release of the next major version (or, in the interest of getting this released soon, perhaps we just bite the bullet on customers potentially having issues onboarding older v10 nodes and just tell them to update to a newer version of v10 for it to work with a v11 auth server when using FIPS?)

Yeah, that's a good point, I've updated the code to check

@fspmarshall @ravicious can one of you guys take another look at this one?
```go
log.Warnf("Non-FIPS STS endpoint (%s) was used by a node joining "+
	"the cluster with the IAM join method. "+
	"Ensure that all nodes joining the cluster are up to date and also run in FIPS mode. "+
	"This will be an error in Teleport 12.0.0.",
	stsHost)
```
Kinda unfortunate that this will only be shown in the logs but there doesn't seem to be any place closer to the actual user interaction where we could show this. As far as I understand the Joining Nodes via AWS IAM Role guide, this code path will be triggered only when a Teleport agent tries to join the cluster, won't it?
That is correct. I'm not sure there's any better place to warn about it, but in theory nothing should break as long as everything is within 1 major version.
@nklaassen See the table below for backport results.
This PR builds on the previous PR #16123 which enables nodes to select FIPS STS endpoints for the IAM join method. With this PR, when the Auth server is running in FIPS mode it will enforce that FIPS endpoints are used by all nodes joining the cluster.
This will be a backward-incompatible change, as nodes which do not use FIPS endpoints will not be able to join. For this reason, this change will not be backported and will only go to master and be released in 11.0.
re: #15927
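As an added illustration of the decision this PR and the review thread describe (warn during the one-major-version compatibility window, reject once enforcement becomes strict), here is a stand-alone Go sketch that is not Teleport's own code. It assumes, for simplicity, that FIPS STS hosts are recognised by the `sts-fips.` prefix (plus the GovCloud `sts.us-gov-` hosts), and uses a hypothetical `strict` flag to stand in for the hard error promised for Teleport 12.0.0.

```go
package main

import (
	"fmt"
	"strings"
)

// stsEndpointPolicy is the outcome of checking the STS host a joining node used.
type stsEndpointPolicy int

const (
	stsAllowed stsEndpointPolicy = iota // FIPS endpoint, or Auth not in FIPS mode
	stsWarn                             // non-FIPS endpoint, Auth in FIPS mode, compat window
	stsReject                           // non-FIPS endpoint once enforcement is strict
)

// isFIPSSTSEndpoint reports whether host is an AWS FIPS STS endpoint.
// Assumption (simplified for this example): commercial FIPS STS endpoints
// use the "sts-fips.<region>.amazonaws.com" form and GovCloud STS hosts
// ("sts.us-gov-*") are FIPS by default.
func isFIPSSTSEndpoint(host string) bool {
	h := strings.ToLower(strings.TrimSpace(host))
	return strings.HasPrefix(h, "sts-fips.") || strings.HasPrefix(h, "sts.us-gov-")
}

// checkSTSEndpoint returns the policy outcome for a joining node's STS host.
// When the Auth server is in FIPS mode, a non-FIPS host is only warned about
// while older nodes are still within the supported version window; with the
// hypothetical strict flag set, the join is rejected instead.
func checkSTSEndpoint(authFIPS, strict bool, stsHost string) (stsEndpointPolicy, string) {
	if !authFIPS || isFIPSSTSEndpoint(stsHost) {
		return stsAllowed, ""
	}
	msg := fmt.Sprintf("Non-FIPS STS endpoint (%s) was used by a node joining "+
		"the cluster with the IAM join method. Ensure that all nodes joining "+
		"the cluster are up to date and also run in FIPS mode.", stsHost)
	if strict {
		return stsReject, msg
	}
	return stsWarn, msg
}

func main() {
	// Constructed sample hosts: one non-FIPS global endpoint, one FIPS regional endpoint.
	for _, host := range []string{"sts.amazonaws.com", "sts-fips.us-east-1.amazonaws.com"} {
		policy, msg := checkSTSEndpoint(true, false, host)
		fmt.Printf("%s -> policy=%d %s\n", host, policy, msg)
	}
}
```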