Adding Envoy variable in order to use FIPS endpoint

config/helm/appmesh-controller/templates/deployment.yaml

@@ -73,6 +73,7 @@ spec:
         - --envoy-admin-access-log-file={{ .Values.sidecar.envoyAdminAccessLogFile }}
         - --envoy-admin-access-enable-ipv6={{ .Values.sidecar.envoyAdminAccessEnableIPv6 }}
         - --dual-stack-endpoint={{ .Values.sidecar.useDualStackEndpoint }}
+        - --fips-endpoint={{ .Values.sidecar.useFipsEndpoint }}
         - --preview={{ .Values.preview }}
         - --enable-sds={{ .Values.sds.enabled }}
         - --sds-uds-path={{ .Values.sds.udsPath }}

config/helm/appmesh-controller/test.yaml

@@ -23,6 +23,7 @@ sidecar:
   envoyAdminAccessLogFile: /tmp/envoy_admin_access.log
   envoyAdminAccessEnableIPv6: false
   useDualStackEndpoint: false
+  useFipsEndpoint: false
   resources:
     # sidecar.resources.requests: Envoy CPU and memory requests
     requests:

config/helm/appmesh-controller/values.yaml

@@ -24,6 +24,7 @@ sidecar:
   envoyAdminAccessLogFile: /tmp/envoy_admin_access.log
   envoyAdminAccessEnableIPv6: false
   useDualStackEndpoint: false
+  useFipsEndpoint: false
   resources:
     # sidecar.resources.requests: Envoy CPU and memory requests
     requests:

pkg/inject/config.go

@@ -31,6 +31,7 @@ const (
 	flagEnvoyAdminAccessEnableIpv6 = "envoy-admin-access-enable-ipv6"
 	flagDualStackEndpoint          = "dual-stack-endpoint"
 	flagWaitUntilProxyReady        = "wait-until-proxy-ready"
+	flagFipsEndpoint               = "fips-endpoint"
 
 	flagInitImage  = "init-image"
 	flagIgnoredIPs = "ignored-ips"
@@ -88,6 +89,7 @@ type Config struct {
 	DualStackEndpoint          bool
 	EnvoyAdminAccessEnableIPv6 bool
 	WaitUntilProxyReady        bool
+	FipsEndpoint               bool
 
 	// Init container settings
 	InitImage  string
@@ -207,6 +209,7 @@ func (cfg *Config) BindFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&cfg.ClusterName, flagClusterName, "", "ClusterName in context")
 	fs.BoolVar(&cfg.WaitUntilProxyReady, flagWaitUntilProxyReady, false,
 		"Enable pod postStart hook to delay application startup until proxy is ready to accept traffic")
+	fs.BoolVar(&cfg.FipsEndpoint, flagFipsEndpoint, false, "Use Fips Endpoint")
 }
 
 func (cfg *Config) BindEnv() error {

pkg/inject/envoy.go

@@ -52,6 +52,7 @@ type envoyMutatorConfig struct {
 	k8sVersion                 string
 	useDualStackEndpoint       bool
 	enableAdminAccessIPv6      bool
+	useFipsEndpoint            bool
 }
 
 func newEnvoyMutator(mutatorConfig envoyMutatorConfig, ms *appmesh.Mesh, vn *appmesh.VirtualNode) *envoyMutator {
@@ -127,6 +128,7 @@ func (m *envoyMutator) buildTemplateVariables(pod *corev1.Pod) EnvoyTemplateVari
 	virtualNodeName := aws.StringValue(m.vn.Spec.AWSName)
 	preview := m.getPreview(pod)
 	useDualStackEndpoint := m.getUseDualStackEndpoint(m.mutatorConfig.useDualStackEndpoint)
+	useFipsEndpoint := m.getUseFipsEndpoint(m.mutatorConfig.useFipsEndpoint)
 	sdsEnabled := m.mutatorConfig.enableSDS
 	if m.mutatorConfig.enableSDS && isSDSDisabled(pod) {
 		sdsEnabled = false
@@ -166,6 +168,7 @@ func (m *envoyMutator) buildTemplateVariables(pod *corev1.Pod) EnvoyTemplateVari
 		UseDualStackEndpoint:     useDualStackEndpoint,
 		EnableAdminAccessForIpv6: m.mutatorConfig.enableAdminAccessIPv6,
 		WaitUntilProxyReady:      m.mutatorConfig.waitUntilProxyReady,
+		UseFipsEndpoint:          useFipsEndpoint,
 	}
 }
 
@@ -274,3 +277,11 @@ func (m *envoyMutator) getUseDualStackEndpoint(useDualStackEndpoint bool) string
 		return "0"
 	}
 }
+
+func (m *envoyMutator) getUseFipsEndpoint(useFipsEndpoint bool) string {
+	if useFipsEndpoint {
+		return "1"
+	} else {
+		return "0"
+	}
+}

pkg/inject/envoy_test.go

@@ -294,6 +294,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -433,6 +437,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -583,6 +591,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -761,6 +773,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -910,6 +926,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -1050,6 +1070,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -1205,6 +1229,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -1343,6 +1371,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -1526,6 +1558,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -1683,6 +1719,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -1834,6 +1874,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -1988,6 +2032,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -2149,6 +2197,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -2349,6 +2401,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -2504,6 +2560,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -2674,6 +2734,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -2818,6 +2882,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPMESH_PLATFORM_K8S_POD_UID",
 									Value: "",
@@ -2965,6 +3033,10 @@ func Test_envoyMutator_mutate(t *testing.T) {
 									Name:  "ENVOY_ADMIN_ACCESS_ENABLE_IPV6",
 									Value: "false",
 								},
+								{
+									Name:  "APPMESH_FIPS_ENDPOINT",
+									Value: "0",
+								},
 								{
 									Name:  "APPNET_AGENT_ADMIN_MODE",
 									Value: "uds",
@@ -3487,3 +3559,57 @@ func Test_envoyMutator_getUseDualStackEndpoints(t *testing.T) {
 		})
 	}
 }
+
+func Test_envoyMutator_getUseFipsEndpoints(t *testing.T) {
+	type fields struct {
+		ms            *appmesh.Mesh
+		mutatorConfig envoyMutatorConfig
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   string
+	}{
+		{
+			name: "disable using fips endpoint",
+			fields: fields{
+				ms: &appmesh.Mesh{
+					Spec: appmesh.MeshSpec{
+						AWSName: aws.String("my-mesh"),
+					},
+				},
+				mutatorConfig: envoyMutatorConfig{
+					accountID:       "000000000000",
+					useFipsEndpoint: false,
+				},
+			},
+			want: "0",
+		},
+		{
+			name: "enable using fips endpoint",
+			fields: fields{
+				ms: &appmesh.Mesh{
+					Spec: appmesh.MeshSpec{
+						AWSName:   aws.String("my-mesh"),
+						MeshOwner: aws.String("000000000000"),
+					},
+				},
+				mutatorConfig: envoyMutatorConfig{
+					accountID:       "000000000000",
+					useFipsEndpoint: true,
+				},
+			},
+			want: "1",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m := &envoyMutator{
+				ms:            tt.fields.ms,
+				mutatorConfig: tt.fields.mutatorConfig,
+			}
+			got := m.getUseFipsEndpoint(m.mutatorConfig.useFipsEndpoint)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

pkg/inject/inject.go

@@ -152,6 +152,7 @@ func (m *SidecarInjector) injectAppMeshPatches(ms *appmesh.Mesh, vn *appmesh.Vir
 				enableAdminAccessIPv6:      m.config.EnvoyAdminAccessEnableIPv6,
 				postStartTimeout:           m.config.PostStartTimeout,
 				postStartInterval:          m.config.PostStartInterval,
+				useFipsEndpoint:            m.config.FipsEndpoint,
 			}, ms, vn),
 			newXrayMutator(xrayMutatorConfig{
 				awsRegion:             m.awsRegion,
@@ -204,6 +205,7 @@ func (m *SidecarInjector) injectAppMeshPatches(ms *appmesh.Mesh, vn *appmesh.Vir
 			k8sVersion:                 m.k8sVersion,
 			useDualStackEndpoint:       m.config.DualStackEndpoint,
 			enableAdminAccessIPv6:      m.config.EnvoyAdminAccessEnableIPv6,
+			useFipsEndpoint:            m.config.FipsEndpoint,
 		}, ms, vg),
 			newXrayMutator(xrayMutatorConfig{
 				awsRegion:             m.awsRegion,

pkg/inject/sidecar_builder.go

@@ -50,6 +50,7 @@ type EnvoyTemplateVariables struct {
 	EnableAdminAccessForIpv6 bool
 	UseDualStackEndpoint     string
 	WaitUntilProxyReady      bool
+	UseFipsEndpoint          string
 }
 
 func updateEnvMapForEnvoy(vars EnvoyTemplateVariables, env map[string]string, vname string) error {
@@ -63,6 +64,7 @@ func updateEnvMapForEnvoy(vars EnvoyTemplateVariables, env map[string]string, vn
 
 	env["APPMESH_DUALSTACK_ENDPOINT"] = vars.UseDualStackEndpoint
 
+	env["APPMESH_FIPS_ENDPOINT"] = vars.UseFipsEndpoint
 	// Set the value to 1 to connect to the App Mesh Preview Channel endpoint.
 	// See https://docs.aws.amazon.com/app-mesh/latest/userguide/preview.html
 	env["APPMESH_PREVIEW"] = vars.Preview