diff --git a/controllers/ztunnel/ztunnel_controller.go b/controllers/ztunnel/ztunnel_controller.go
index 284ad4b07..85d82644d 100644
--- a/controllers/ztunnel/ztunnel_controller.go
+++ b/controllers/ztunnel/ztunnel_controller.go
@@ -157,6 +157,12 @@ func (r *Reconciler) installHelmChart(ctx context.Context, ztunnel *v1.ZTunnel)
 return fmt.Errorf("failed to apply profile: %w", err)
 }
 
+ // apply FipsValues on top of mergedHelmValues from profile
+ mergedHelmValues, err = istiovalues.ApplyZTunnelFipsValues(mergedHelmValues)
+ if err != nil {
+ return fmt.Errorf("failed to apply FIPS values: %w", err)
+ }
+
 // Apply any user Overrides configured as part of values.ztunnel
 // This step was not required for the IstioCNI resource because the Helm templates[*] automatically override values.cni
 // [*]https://github.com/istio/istio/blob/0200fd0d4c3963a72f36987c2e8c2887df172abf/manifests/charts/istio-cni/templates/zzy_descope_legacy.yaml#L3
diff --git a/pkg/istiovalues/fips.go b/pkg/istiovalues/fips.go
index f8a10f5e4..846a0d26d 100644
--- a/pkg/istiovalues/fips.go
+++ b/pkg/istiovalues/fips.go
@@ -53,3 +53,13 @@ func ApplyFipsValues(values helm.Values) (helm.Values, error) {
 }
 return values, nil
 }
+
+// ApplyZTunnelFipsValues sets value ztunnel.env.TLS12_ENABLED if FIPS mode is enabled in the system.
+func ApplyZTunnelFipsValues(values helm.Values) (helm.Values, error) {
+ if FipsEnabled {
+ if err := values.SetIfAbsent("ztunnel.env.TLS12_ENABLED", "true"); err != nil {
+ return nil, fmt.Errorf("failed to set ztunnel.env.TLS12_ENABLED: %w", err)
+ }
+ }
+ return values, nil
+}
diff --git a/pkg/istiovalues/fips_test.go b/pkg/istiovalues/fips_test.go
index 4cbf5803e..0ef3e5965 100644
--- a/pkg/istiovalues/fips_test.go
+++ b/pkg/istiovalues/fips_test.go
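Review bot: The new comment `// apply FipsValues on top of mergedHelmValues from profile` overstates what happens: ApplyZTunnelFipsValues uses SetIfAbsent, so a profile that already sets ztunnel.env.TLS12_ENABLED keeps its value, and the user overrides applied in the step right below can change it again. For a FIPS-related setting that is worth stating at the call site so nobody reads this as enforcement; I would write `// Apply FIPS defaults (SetIfAbsent: an existing profile value wins, and the user overrides below may still change it)`. If the intent is that FIPS mode must win regardless of profile or overrides, the call would have to move after the overrides step and set the value unconditionally instead. installHelmChart starts and ends outside the hunk.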
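Review bot: The doc comment on ApplyZTunnelFipsValues should say that an already-present ztunnel.env.TLS12_ENABLED is left untouched, because SetIfAbsent makes this a default rather than an enforced FIPS setting and the name alone suggests enforcement. It should also give the reason FIPS mode turns TLS 1.2 on, since to a reader enabling an older protocol version under FIPS looks backwards; the reason is not visible in this diff. Suggested: `// ApplyZTunnelFipsValues defaults ztunnel.env.TLS12_ENABLED to "true" when FipsEnabled is set. A value already present is kept (SetIfAbsent), so profiles and user overrides can still disable it.` followed by one sentence on why TLS 1.2 is needed in FIPS mode. Like ApplyFipsValues above (which starts outside this hunk), the function reads the mutable package-level FipsEnabled rather than taking it as a parameter, which is why every test has to save and restore it.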
@@ -87,6 +87,8 @@ func TestApplyFipsValues(t *testing.T) {
 values := helm.Values{}
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
+ originalFipsEnabled := FipsEnabled
+ t.Cleanup(func() { FipsEnabled = originalFipsEnabled })
 FipsEnabled = tt.fipsEnabled
 actual, err := ApplyFipsValues(values)
 if (err != nil) != tt.expectErr {
@@ -101,3 +103,46 @@ func TestApplyFipsValues(t *testing.T) {
 })
 }
 }
+
+func TestApplyZTunnelFipsValues(t *testing.T) {
+ tests := []struct {
+ name string
+ fipsEnabled bool
+ expectValues helm.Values
+ expectErr bool
+ }{
+ {
+ name: "FIPS not enabled",
+ fipsEnabled: false,
+ expectValues: helm.Values{},
+ },
+ {
+ name: "FIPS enabled",
+ fipsEnabled: true,
+ expectValues: helm.Values{
+ "ztunnel": map[string]any{
+ "env": map[string]any{"TLS12_ENABLED": string("true")},
+ },
+ },
+ },
+ }
+
+ values := helm.Values{}
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ originalFipsEnabled := FipsEnabled
+ t.Cleanup(func() { FipsEnabled = originalFipsEnabled })
+ FipsEnabled = tt.fipsEnabled
+ actual, err := ApplyZTunnelFipsValues(values)
+ if (err != nil) != tt.expectErr {
+ t.Errorf("applyFipsValues() error = %v, expectErr %v", err, tt.expectErr)
+ }
+
+ if err == nil {
+ if diff := cmp.Diff(tt.expectValues, actual); diff != "" {
+ t.Errorf("TLS12_ENABLED env wasn't applied properly; diff (-expected, +actual):\n%v", diff)
+ }
+ }
+ })
+ }
+}
diff --git a/pkg/revision/values_test.go b/pkg/revision/values_test.go
index 0c6b175dd..1bdb34f0c 100644
--- a/pkg/revision/values_test.go
+++ b/pkg/revision/values_test.go
@@ -107,6 +107,8 @@ apiVersion: sailoperator.io/v1
 kind: IstioRevision
 spec:`)), 0o644))
 
+ originalFipsEnabled := istiovalues.FipsEnabled
+ t.Cleanup(func() { istiovalues.FipsEnabled = originalFipsEnabled })
 istiovalues.FipsEnabled = true
 values := &v1.Values{}
 result, err := ComputeValues(values, namespace, version, config.PlatformOpenShift, "default", "",
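Review bot: In TestApplyZTunnelFipsValues the single `values := helm.Values{}` is declared outside the loop and shared by both subtests, and since ApplyZTunnelFipsValues returns the same values it was handed after SetIfAbsent it very likely mutates the map in place; if so, the "FIPS not enabled" case only passes because it happens to run first, and reordering the table or running with -shuffle would make it see TLS12_ENABLED from the previous subtest. Declare the fixture inside the closure instead, with `values := helm.Values{}` as the first line of the t.Run func. The failure message `t.Errorf("applyFipsValues() error = %v, expectErr %v", err, tt.expectErr)` also names the wrong function and should read `ApplyZTunnelFipsValues()`. The same shared-fixture pattern exists in TestApplyFipsValues above, whose body starts outside this hunk, so it is probably worth fixing both at once.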