diff --git a/pkg/istiovalues/fips.go b/pkg/istiovalues/fips.go
index 846a0d26d..161b7bf56 100644
--- a/pkg/istiovalues/fips.go
+++ b/pkg/istiovalues/fips.go
@@ -57,8 +57,8 @@ func ApplyFipsValues(values helm.Values) (helm.Values, error) {
 // ApplyZTunnelFipsValues sets value ztunnel.env.TLS12_ENABLED if FIPS mode is enabled in the system.
 func ApplyZTunnelFipsValues(values helm.Values) (helm.Values, error) {
 if FipsEnabled {
- if err := values.SetIfAbsent("ztunnel.env.TLS12_ENABLED", "true"); err != nil {
- return nil, fmt.Errorf("failed to set ztunnel.env.TLS12_ENABLED: %w", err)
+ if err := values.SetIfAbsent("env.TLS12_ENABLED", "true"); err != nil {
+ return nil, fmt.Errorf("failed to set env.TLS12_ENABLED: %w", err)
 }
 }
 return values, nil
diff --git a/pkg/istiovalues/fips_test.go b/pkg/istiovalues/fips_test.go
index 0ef3e5965..9aaa126c4 100644
--- a/pkg/istiovalues/fips_test.go
+++ b/pkg/istiovalues/fips_test.go
@@ -120,9 +120,7 @@ func TestApplyZTunnelFipsValues(t *testing.T) {
 name: "FIPS enabled",
 fipsEnabled: true,
 expectValues: helm.Values{
- "ztunnel": map[string]any{
- "env": map[string]any{"TLS12_ENABLED": string("true")},
- },
+ "env": map[string]any{"TLS12_ENABLED": string("true")},
 },
 },
 }
diff --git a/tests/integration/api/ztunnel_test.go b/tests/integration/api/ztunnel_test.go
index c8ca7a516..bfb2840d6 100644
--- a/tests/integration/api/ztunnel_test.go
+++ b/tests/integration/api/ztunnel_test.go
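Review bot: The doc comment on the context line above ApplyZTunnelFipsValues still says it sets `ztunnel.env.TLS12_ENABLED`, but the new SetIfAbsent call writes `env.TLS12_ENABLED`, so the comment now names a key the code no longer touches; I would change it to `// ApplyZTunnelFipsValues sets env.TLS12_ENABLED on the ztunnel chart values when FIPS mode is enabled in the system.` Separately, because the write is SetIfAbsent, a caller that has already supplied `env.TLS12_ENABLED` (for example `false`) keeps that value even with FipsEnabled set; if FIPS mode is meant to enforce TLS 1.2 rather than merely default it, this should be an unconditional set or the override should be rejected, and either way the comment should state which semantics apply. The key path change presumably reflects that this function now receives the ztunnel chart's own values rather than a top-level map containing a `ztunnel` subtree — the caller is not in this diff, so worth confirming it was updated in the same change.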
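Review bot: The updated "FIPS enabled" case only pins the nested-to-flat key change and does not exercise the SetIfAbsent semantics, so a later switch to an unconditional write (or a user pre-setting `env.TLS12_ENABLED: "false"` under FIPS) would pass unnoticed unless another case in this table already covers it. I would add a case with `fipsEnabled: true` whose input values already contain `"env": map[string]any{"TLS12_ENABLED": "false"}` and whose `expectValues` is that same map, using whatever field this table uses for the input values. As a style point, the `string("true")` conversion on the added line is redundant for an untyped string constant; `"TLS12_ENABLED": "true"` reads the same and matches the production code.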
@@ -23,10 +23,12 @@ import (
 v1 "github.com/istio-ecosystem/sail-operator/api/v1"
 "github.com/istio-ecosystem/sail-operator/api/v1alpha1"
 "github.com/istio-ecosystem/sail-operator/pkg/enqueuelogger"
+ "github.com/istio-ecosystem/sail-operator/pkg/istiovalues"
 "github.com/istio-ecosystem/sail-operator/pkg/istioversion"
 . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
+ "github.com/onsi/gomega/types"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -174,6 +176,69 @@ var _ = Describe("ZTunnel DaemonSet status changes", Label("ztunnel"), Ordered,
 }
 })
+var _ = Describe("ZTunnel FIPS", Label("ztunnel", "fips"), Ordered, func() {
+ SetDefaultEventuallyPollingInterval(time.Second)
+ SetDefaultEventuallyTimeout(30 * time.Second)
+
+ ctx := context.Background()
+
+ const fipsZTunnelNamespace = "ztunnel-fips-test"
+ fipsZTunnelKey := client.ObjectKey{Name: ztunnelName}
+ daemonsetKey := client.ObjectKey{Name: "ztunnel", Namespace: fipsZTunnelNamespace}
+
+ namespace := &corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: fipsZTunnelNamespace,
+ },
+ }
+
+ BeforeAll(func() {
+ Expect(k8sClient.Create(ctx, namespace)).To(Succeed())
+ })
+
+ AfterAll(func() {
+ Expect(k8sClient.Delete(ctx, namespace)).To(Succeed())
+ })
+
+ It("sets TLS12_ENABLED on the ztunnel DaemonSet when FipsEnabled is true", func() {
+ originalFipsEnabled := istiovalues.FipsEnabled
+ DeferCleanup(func() {
+ istiovalues.FipsEnabled = originalFipsEnabled
+ })
+ istiovalues.FipsEnabled = true
+
+ ztunnel := &v1.ZTunnel{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: ztunnelName,
+ },
+ Spec: v1.ZTunnelSpec{
+ Version: istioversion.Default,
+ Namespace: fipsZTunnelNamespace,
+ },
+ }
+ Expect(k8sClient.Create(ctx, ztunnel)).To(Succeed())
+ DeferCleanup(func() {
+ Expect(k8sClient.Delete(ctx, ztunnel)).To(Succeed())
+ Eventually(k8sClient.Get).WithArguments(ctx, fipsZTunnelKey, &v1.ZTunnel{}).Should(ReturnNotFoundError())
+ })
+
+ ds := &appsv1.DaemonSet{}
+ Eventually(k8sClient.Get).WithArguments(ctx, daemonsetKey, ds).Should(Succeed())
+
+ Expect(ds).To(HaveContainersThat(ContainElement(WithTransform(getEnvVars,
+ ContainElement(corev1.EnvVar{Name: "TLS12_ENABLED", Value: "true"})))),
+ "Expected TLS12_ENABLED to be set to true on ztunnel DaemonSet when FIPS is enabled")
+ })
+})
+
+func HaveContainersThat(matcher types.GomegaMatcher) types.GomegaMatcher {
+ return HaveField("Spec.Template.Spec.Containers", matcher)
+}
+
+func getEnvVars(container corev1.Container) []corev1.EnvVar {
+ return container.Env
+}
+
 // expectZTunnelV1Condition on the v1.ZTunnel resource to eventually have a given status.
 func expectZTunnelV1Condition(ctx context.Context, condition v1.ZTunnelConditionType, status metav1.ConditionStatus, extraChecks ...func(Gomega, *v1.ZTunnelCondition),