Add FIPS flag #3315
Add FIPS flag #3315
Conversation
| @@ -180,6 +182,7 @@ func main() { | |||
| pflag.StringVar(&encodeLevelKey, "zap-level-key", "level", "The level key to be used in the customized Log Encoder") | |||
| pflag.StringVar(&encodeTimeKey, "zap-time-key", "timestamp", "The time key to be used in the customized Log Encoder") | |||
| pflag.StringVar(&encodeLevelFormat, "zap-level-format", "uppercase", "The level format to be used in the customized Log Encoder") | |||
| pflag.StringVar(&fipsDisabledComponents, "fips-disabled-components", "uppercase", "Disabled collector components when operator runs on FIPS enabled platform. Example flag value =receiver.foo,receiver.bar,exporter.baz") | |||
There was a problem hiding this comment.
should we name this disabled-components? I thought we had discussed wanting this for non-fips users?
There was a problem hiding this comment.
should we name this disabled-components? I thought we had discussed wanting this for non-fips users?
I don't want to make this feature generic for the follow up reasons:
If we wanted to make this generic we would have to introduce another flag that would conditionally enable the disabled components flag. Such flag could check env var, however users would need to rebuild the operator image and introduce init script that would set the env var based on the content of /proc/sys/crypto/fips_enabled
The FIPS feature on k8s is a well-defined concept. See the links in the PR descriptions. Making its own configuration option on the operator makes sense to me, rather than allowing the use case with generic option that require no trivial configuration.
There was a problem hiding this comment.
why would need another flag to conditionally enable the disable components flag? wouldn't just not setting it mean that it's not enabled?
There was a problem hiding this comment.
no, that would not work
There was a problem hiding this comment.
The operator needs to be shipped with preset fips-disabled-components and the components should be disabled only when running on FIPS platform. Customers don't have option to modify this flag when the operator is installed via OLM.
There was a problem hiding this comment.
is the worry that if it's always settable that a user could override the disabled components? I'm trying to understand why it should only be disabled on FIPS Platform vs a user trying to disable components on any platform. I don't quite understand the distinction/requirement. And in this case if it's going to be shipped with preset components should this be a build argument?
There was a problem hiding this comment.
And in this case if it's going to be shipped with preset components should this be a build argument?
It is going to be shipped with preset flag in the bundle/CSV.
There was a problem hiding this comment.
ah i see. okay. I'm still not sure why this means we can't just have it be disabled-components and have it be required if FIPS is true and optional if its set for the rest of the bundle though. I don't think it's blocking though.
|
@jaronoff97 I have updated the PR with the requested changes |
|
@jaronoff97 PR updated. I have removed the |
Signed-off-by: Pavol Loffay <[email protected]>
Signed-off-by: Pavol Loffay <[email protected]>
Signed-off-by: Pavol Loffay <[email protected]>
Signed-off-by: Pavol Loffay <[email protected]>
Signed-off-by: Pavol Loffay <[email protected]>
Signed-off-by: Pavol Loffay <[email protected]>
Description:
Link to tracking Issue(s):
Testing:
Documentation:
Fips enablement is install time configuration on the cluster