diff --git a/pkg/apis/machineconfiguration.openshift.io/v1/helpers.go b/pkg/apis/machineconfiguration.openshift.io/v1/helpers.go
index a844166549..d4e79aca3a 100644
--- a/pkg/apis/machineconfiguration.openshift.io/v1/helpers.go
+++ b/pkg/apis/machineconfiguration.openshift.io/v1/helpers.go
@@ -13,6 +13,7 @@ import (
 // It sorts all the configs in increasing order of their name.
 // It uses the Ignition config from first object as base and appends all the rest.
 // Kernel arguments are concatenated.
+// FIPS uses the last specified value.
 // It uses only the OSImageURL provided by the CVO and ignores any MC provided OSImageURL.
 func MergeMachineConfigs(configs []*MachineConfig, osImageURL string) *MachineConfig {
 if len(configs) == 0 {
@@ -24,15 +25,18 @@ func MergeMachineConfigs(configs []*MachineConfig, osImageURL string) *MachineCo
 for idx := 1; idx < len(configs); idx++ {
 outIgn = ign.Append(outIgn, configs[idx].Spec.Config)
 }
+ fips := false
 kargs := []string{}
 for _, cfg := range configs {
 kargs = append(kargs, cfg.Spec.KernelArguments...)
+ fips = cfg.Spec.FIPS
 }
 return &MachineConfig{
 Spec: MachineConfigSpec{
 OSImageURL: osImageURL,
 KernelArguments: kargs,
+ FIPS: fips,
 Config: outIgn,
 },
 }
diff --git a/pkg/apis/machineconfiguration.openshift.io/v1/types.go b/pkg/apis/machineconfiguration.openshift.io/v1/types.go
index 1cc2482e8c..cdcd4f08e2 100644
--- a/pkg/apis/machineconfiguration.openshift.io/v1/types.go
+++ b/pkg/apis/machineconfiguration.openshift.io/v1/types.go
@@ -231,6 +231,8 @@ type MachineConfigSpec struct {
 Config igntypes.Config `json:"config"`
 KernelArguments []string `json:"kernelArguments"`
+
+ FIPS bool `json:"FIPS"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/pkg/daemon/update.go b/pkg/daemon/update.go
index 85d8d0ec86..1a71049041 100644
--- a/pkg/daemon/update.go
+++ b/pkg/daemon/update.go
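Review bot: The merge in the second helpers.go hunk takes `FIPS` from whichever config sorts last by name, and because `FIPS` is a plain `bool` a later MachineConfig that merely omits the field contributes `false` and silently switches FIPS off in the rendered config — a fail-open outcome for a security setting. Unless a later config is deliberately allowed to disable it, an any-wins merge is the safer rule: `fips = fips || cfg.Spec.FIPS`, with the new doc line in the first hunk reworded to `// FIPS is enabled if any config requests it.`. If disabling from a later config must remain possible, the field would need to be a `*bool` so that "unset" is distinguishable from `false`. This hunk starts inside MergeMachineConfigs; the lines between the sort and the `for idx` loop are not shown.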
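Review bot: The JSON key `FIPS` on the new MachineConfigSpec field breaks the camelCase convention of its neighbours (`config`, `kernelArguments`), and since this is a serialized API field the key cannot be changed later without breaking stored MachineConfig objects, so it should be fixed before it ships: `FIPS bool `json:"fips"``. The field also lacks a doc comment; something like `// FIPS controls whether FIPS mode is enabled on the node (the daemon applies it via coreos-fips).` would let readers of the type know what the flag actually triggers. The rest of MachineConfigSpec is outside the hunk.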
@@ -432,6 +432,26 @@ func (dn *Daemon) updateKernelArguments(oldConfig, newConfig *mcfgv1.MachineConf
 return exec.Command("rpm-ostree", args...).Run()
 }
+// updateFIPS handles changes in FIPS
+func (dn *Daemon) updateFIPS(oldConfig, newConfig *mcfgv1.MachineConfig) error {
+ if oldConfig.Spec.FIPS != newConfig.Spec.FIPS {
+ return nil
+ }
+ if dn.OperatingSystem != machineConfigDaemonOSRHCOS {
+ return fmt.Errorf("Updating FIPS on non-RHCOS nodes is not supported")
+ }
+
+ arg := "enable"
+ if !newConfig.Spec.FIPS {
+ arg = "disable"
+ }
+
+ cmd := "/usr/libexec/rhcos-tools/coreos-fips"
+ args := []string{arg}
+ dn.logSystem("Running %s %v", cmd, args)
+ return exec.Command(cmd, args...).Run()
+}
+
 // updateFiles writes files specified by the nodeconfig to disk. it also writes
 // systemd units. there is no support for multiple filesystems at this point.
 //
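Review bot: The guard at the top of `updateFIPS` is inverted: it returns early when the old and new `FIPS` values differ and runs `coreos-fips` only when they are equal, so a requested FIPS change is never applied while every unchanged update on an RHCOS node invokes the tool; the condition should read `if oldConfig.Spec.FIPS == newConfig.Spec.FIPS {`. Because the failure mode is a node silently staying out of FIPS mode after the operator asked for it, a unit test pinning that a false→true transition runs `enable` is worth adding with the fix. Two smaller points: `exec.Command(cmd, args...).Run()` discards the tool's output, so a failure is reported only as an exit status — `CombinedOutput()` with the output wrapped into the returned error would make it diagnosable — and Go error strings are conventionally lowercase (`"updating FIPS on non-RHCOS nodes is not supported"`). The code that calls updateFIPS during the update sequence is outside this hunk.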