Enforce FIPS compatible Sprig functions for template rendering #2708
Conversation
} | ||
|
||
// fipsNonCompliantFuncs is a map of sprig function name to its replacement function. | ||
// Functions identified for Sprig v3.2.3. |
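Review bot: the doc comment on fipsNonCompliantFuncs pins the analysis to "Sprig v3.2.3", yet the review thread below states the project currently pins Sprig v2.22.0, so a reader of the code alone cannot tell which version the map was actually checked against or when it must be re-vetted. Record both in the comment, for example `// Vetted against Sprig v3.2.3; go.mod currently pins v2.22.0.`, and back it with a CI check that fails when the go.mod version for github.com/Masterminds/sprig differs from the recorded one, so a dependency bump cannot land without this map being reviewed.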
How are we ensuring that future bumps of sprig are analyzed to see whether anything here needs to be added?
The kanister project uses an older v2.22.0 Sprig version but we have vetted against v3.2.3. I left the comment for easy tracking of when the replacement functions were added but it seems to have triggered fair upgrade concerns :)
Having a runtime error for a mismatch doesn't seem like a great user experience. Wondering if a custom linter rule is possible.
Yea, maybe we need to add a file like fips.txt where we have the name of the package from go.mod and the version it's vetted to, and if go.mod != fips.txt then the CI checks throw an error that those packages need to be looked at and the fips.txt version should be updated. A little like the .tool-versions file.
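A minimal version of the fips.txt check sketched in the comment above, added here as an illustration and not code from the Kanister project: it parses a go.mod and a vetted-versions file (the one "module version" per line layout of fips.txt is an assumption) and reports every vetted module whose version changed or whose path disappeared, which is what a major-version bump to a /v3 module path looks like. The sample go.mod and fips.txt contents are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample inputs for this example (not Kanister's real files).
const sampleFipsTxt = "# module version-vetted-for-FIPS\ngithub.com/Masterminds/sprig v2.22.0+incompatible\n"

const sampleGoMod = `module example.com/app

go 1.20

require (
	github.com/Masterminds/sprig v2.22.0+incompatible
	github.com/pkg/errors v0.9.1 // indirect
)
`

// A minor bump keeps the module path; a major bump moves it to a /vN path.
const minorBumpGoMod = "module example.com/app\n\nrequire github.com/Masterminds/sprig v2.23.0+incompatible\n"
const majorBumpGoMod = "module example.com/app\n\nrequire github.com/Masterminds/sprig/v3 v3.2.3\n"

// stripComment drops a trailing "// ..." comment and surrounding whitespace.
func stripComment(line string) string {
	if i := strings.Index(line, "//"); i >= 0 {
		line = line[:i]
	}
	return strings.TrimSpace(line)
}

// ParseGoMod returns module path -> version for require directives, in both
// the block form and the single-line form. replace/exclude are ignored.
func ParseGoMod(src string) map[string]string {
	mods := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := stripComment(sc.Text())
		f := strings.Fields(line)
		switch {
		case line == "":
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			mods[f[0]] = f[1]
		case len(f) >= 3 && f[0] == "require":
			mods[f[1]] = f[2]
		}
	}
	return mods
}

// ParseVetted reads the assumed fips.txt layout: "#" comment lines and
// "module version" lines.
func ParseVetted(src string) map[string]string {
	vetted := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if f := strings.Fields(line); f != nil && len(f) >= 2 {
			vetted[f[0]] = f[1]
		}
	}
	return vetted
}

// Finding is one vetted module whose go.mod state no longer matches.
type Finding struct{ Module, Vetted, Actual string }

// CheckVetted reports every vetted module that changed version or vanished
// from go.mod. A vanished path is flagged rather than passed, because a
// major-version bump looks exactly like removal of the old path.
func CheckVetted(vetted, actual map[string]string) []Finding {
	var out []Finding
	for mod, want := range vetted {
		got, ok := actual[mod]
		switch {
		case !ok:
			out = append(out, Finding{mod, want, "(absent)"})
		case got != want:
			out = append(out, Finding{mod, want, got})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

func main() {
	for _, f := range CheckVetted(ParseVetted(sampleFipsTxt), ParseGoMod(majorBumpGoMod)) {
		fmt.Printf("re-vet %s: vetted %s, go.mod has %s\n", f.Module, f.Vetted, f.Actual)
	}
}
```

In CI the program would exit non-zero when any finding is returned; the person bumping the dependency then re-vets the function list and updates fips.txt in the same change.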
How do we ensure we use this file in place of sprig in the future?
I can only think of exploring a custom linter rule for this purpose. We need an agreement on the solution and if it needs to be addressed in this PR.
Yea, I don't think this comment or #2708 (comment) should block this PR. I brought it up as a concern but if we agree to address it moving forward then that's fine.
Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com>
Change Overview
This is part of the effort to enable a FIPS-compatible Kanister. The github.com/Masterminds/sprig library is used by Kanister for rendering blueprint templates. Some of the available sprig template functions are not FIPS-compatible and therefore their usage has been disallowed.
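To make the override mechanism concrete, here is an added example (not Kanister's or Sprig's code) of the pattern the PR describes: a map of disallowed function names to replacement functions is overlaid on a base FuncMap before the template is parsed, so a blueprint that calls a disallowed function fails at execution with a clear error instead of rendering a non-FIPS result. The base map here stands in for Sprig's, and picking md5sum as the disallowed name is an assumption for illustration (MD5 is not a FIPS-approved algorithm); the stale-entry check in fipsFuncs is one answer to the library-bump concern raised in the review.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"text/template"
)

// baseFuncs stands in for the Sprig FuncMap. The three functions are
// constructed for this example; they are not Sprig's own implementations.
func baseFuncs() template.FuncMap {
	return template.FuncMap{
		"upper": strings.ToUpper,
		"md5sum": func(s string) string {
			sum := md5.Sum([]byte(s))
			return hex.EncodeToString(sum[:])
		},
		"sha256sum": func(s string) string {
			sum := sha256.Sum256([]byte(s))
			return hex.EncodeToString(sum[:])
		},
	}
}

// fipsNonCompliantFuncs maps a template function name to the function that
// replaces it. Which Sprig functions belong here is an assumption of this
// example; md5sum is used because MD5 is not FIPS-approved.
var fipsNonCompliantFuncs = template.FuncMap{
	"md5sum": disallowed("md5sum"),
}

// disallowed builds a variadic replacement so the override matches any call
// shape ({{ md5sum "x" }} or {{ "x" | md5sum }}) and fails at execution time;
// text/template stops execution when a function returns a non-nil error.
func disallowed(name string) interface{} {
	return func(args ...interface{}) (string, error) {
		return "", fmt.Errorf("template function %q is not FIPS compliant and has been disallowed", name)
	}
}

// fipsFuncs overlays the replacements on the base map. It refuses to build
// the map when a replacement targets a name the base map no longer has: that
// is the signal that the override list went stale after a library bump.
func fipsFuncs() (template.FuncMap, error) {
	funcs := baseFuncs()
	for name, repl := range fipsNonCompliantFuncs {
		if _, ok := funcs[name]; !ok {
			return nil, fmt.Errorf("fipsNonCompliantFuncs: %q is not in the base function map; re-vet the override list", name)
		}
		funcs[name] = repl
	}
	return funcs, nil
}

// Render parses and executes a template with the FIPS-filtered function map.
func Render(text string, data interface{}) (string, error) {
	funcs, err := fipsFuncs()
	if err != nil {
		return "", err
	}
	t, err := template.New("blueprint").Funcs(funcs).Parse(text)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	data := map[string]string{"Name": "abc"}
	out, err := Render(`{{ .Name | upper }} {{ .Name | sha256sum }}`, data)
	fmt.Println(out, err)
	_, err = Render(`{{ .Name | md5sum }}`, data)
	fmt.Println(err)
}
```

Replacing the entry rather than deleting it from the map is deliberate: a deleted name makes Parse fail with a generic "function not defined", while the replacement reports exactly why the function is unavailable.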
Pull request type
Test Plan
Verified the newly added unit tests for template rendering pass: