Add a fips flag to install-config.yaml

Part of: openshift/enhancements#15 We added FIPS to the MCO a while ago: openshift/machine-config-operator#889 However, during some discussion it became clear that the main use case for FIPS is "day 1" - it doesn't make sense to turn it on "day 2" because the standard requires that e.g. long-term key material was created with FIPS enabled. Further, it's unlikely that admins will want to turn it *off* if they ever had it on. This is a good candidate for an install config.
cgwalters · Oct 30, 2019 · 2dce0ae · 2dce0ae
1 parent a845fb4
commit 2dce0ae
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 0 deletions.
diff --git a/docs/user/customization.md b/docs/user/customization.md
@@ -25,6 +25,7 @@ The following `install-config.yaml` properties are available:
     Valid values are `External` (the default) and `Internal`.
 * `controlPlane` (optional [machine-pool](#machine-pools)): The configuration for the machines that comprise the control plane.
 * `compute` (optional array of [machine-pools](#machine-pools)): The configuration for the machines that comprise the compute nodes.
+* `fips` (optional boolean): Enables FIPS mode (default false).
 * `imageContentSources` (optional array of objects): Sources and repositories for the release-image content.
     Each entry in the array is an object with the following properties:
     * `source` (required string): The repository that users refer to, e.g. in image pull specifications.

diff --git a/pkg/asset/machines/machineconfig/fips.go b/pkg/asset/machines/machineconfig/fips.go
@@ -0,0 +1,34 @@
+package machineconfig
+
+import (
+	"fmt"
+
+	igntypes "github.com/coreos/ignition/config/v2_2/types"
+	mcfgv1 "github.com/openshift/machine-config-operator/pkg/apis/machineconfiguration.openshift.io/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ForFIPSEnabled creates the MachineConfig to enable FIPS.
+// See also https://github.com/openshift/machine-config-operator/pull/889
+func ForFIPSEnabled(role string) *mcfgv1.MachineConfig {
+	return &mcfgv1.MachineConfig{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "machineconfiguration.openshift.io/v1",
+			Kind:       "MachineConfig",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: fmt.Sprintf("01-%s-fips", role),
+			Labels: map[string]string{
+				"machineconfiguration.openshift.io/role": role,
+			},
+		},
+		Spec: mcfgv1.MachineConfigSpec{
+			Config: igntypes.Config{
+				Ignition: igntypes.Ignition{
+					Version: igntypes.MaxVersion.String(),
+				},
+			},
+			FIPS: true,
+		},
+	}
+}
diff --git a/pkg/asset/machines/master.go b/pkg/asset/machines/master.go
@@ -315,6 +315,10 @@ func (m *Master) Generate(dependencies asset.Parents) error {
 	if ic.SSHKey != "" {
 		machineConfigs = append(machineConfigs, machineconfig.ForAuthorizedKeys(ic.SSHKey, "master"))
 	}
+	if ic.FIPS {
+		machineConfigs = append(machineConfigs, machineconfig.ForFIPSEnabled("master"))
+		fmt.Println("Enabling master fips")
+	}
 
 	m.MachineConfigFiles, err = machineconfig.Manifests(machineConfigs, "master", directory)
 	if err != nil {

diff --git a/pkg/asset/machines/worker.go b/pkg/asset/machines/worker.go
@@ -154,6 +154,9 @@ func (w *Worker) Generate(dependencies asset.Parents) error {
 		if ic.SSHKey != "" {
 			machineConfigs = append(machineConfigs, machineconfig.ForAuthorizedKeys(ic.SSHKey, "worker"))
 		}
+		if ic.FIPS {
+			machineConfigs = append(machineConfigs, machineconfig.ForFIPSEnabled("worker"))
+		}
 		switch ic.Platform.Name() {
 		case awstypes.Name:
 			subnets := map[string]string{}

diff --git a/pkg/types/installconfig.go b/pkg/types/installconfig.go
@@ -105,6 +105,9 @@ type InstallConfig struct {
 	// When no strategy is specified, the strategy is `External`.
 	// +optional
 	Publish PublishingStrategy `json:"publish,omitempty"`
+
+	// FIPS configures https://www.nist.gov/itl/fips-general-information
+	FIPS bool `json:"fips,omitempty"`
 }
 
 // ClusterDomain returns the DNS domain that all records for a cluster must belong to.