Set fips_mode_enabled in efs-utils.conf #1344

Merged
11 changes: 10 additions & 1 deletion pkg/driver/efs_watch_dog.go
Expand Up @@ -64,6 +64,13 @@ stunnel_check_cert_hostname = true
# Use OCSP to check certificate validity. This option is not supported by certain stunnel versions.
stunnel_check_cert_validity = false

# Enable FIPS mode. stunnel complains if FIPS is available and enabled system-wide, but not set here.
{{if .FipsEnabled -}}
fips_mode_enabled = {{.FipsEnabled -}}
{{else -}}
#fips_mode_enabled = false
{{- end}}

# Define the port range that the TLS tunnel will choose from
port_range_lower_bound = 20049
port_range_upper_bound = 20449
Expand Down Expand Up @@ -163,6 +170,7 @@ type execWatchdog struct {
type efsUtilsConfig struct {
EfsClientSource string
Region string
FipsEnabled string
}

func newExecWatchdog(efsUtilsCfgPath, efsUtilsStaticFilesPath, cmd string, arg ...string) Watchdog {
Expand Down Expand Up @@ -264,7 +272,8 @@ func (w *execWatchdog) updateConfig(efsClientSource string) error {
defer f.Close()
// used on Fargate, IMDS queries suffice otherwise
region := os.Getenv("AWS_DEFAULT_REGION")
efsCfg := efsUtilsConfig{EfsClientSource: efsClientSource, Region: region}
fipsEnabled := os.Getenv("FIPS_ENABLED")
efsCfg := efsUtilsConfig{EfsClientSource: efsClientSource, Region: region, FipsEnabled: fipsEnabled}
if err = efsCfgTemplate.Execute(f, efsCfg); err != nil {
return fmt.Errorf("cannot update config %s for efs-utils. Error: %v", w.efsUtilsCfgPath, err)
}
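Review bot: The `FIPS_ENABLED` value read on the new `fipsEnabled := os.Getenv(...)` line is copied into the template verbatim, so the `fips_mode_enabled = {{.FipsEnabled -}}` line in the first hunk emits whatever string the environment holds (`1`, `yes`, `False`), and `{{if .FipsEnabled -}}` only tests for non-emptiness, so `FIPS_ENABLED=0` still renders `fips_mode_enabled = 0` and is presumably rejected or misread by whatever parses the key. Because this toggles a security-relevant setting handed to stunnel, normalise it before rendering: make the field `FipsEnabled bool` in `efsUtilsConfig` and parse with `fipsEnabled, err := strconv.ParseBool(os.Getenv("FIPS_ENABLED"))` (stdlib, needs a `strconv` import), returning or at least logging the error for a non-empty unparsable value instead of silently treating it as disabled; text/template then prints the bool as `true`/`false` and the `{{if}}` branch fires only when it is true. updateConfig starts and ends outside this hunk, so the error return path is not visible here.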
3 changes: 3 additions & 0 deletions pkg/driver/efs_watch_dog_test.go
Expand Up @@ -54,6 +54,9 @@ stunnel_check_cert_hostname = true
# Use OCSP to check certificate validity. This option is not supported by certain stunnel versions.
stunnel_check_cert_validity = false

# Enable FIPS mode. stunnel complains if FIPS is available and enabled system-wide, but not set here.
#fips_mode_enabled = false

# Define the port range that the TLS tunnel will choose from
port_range_lower_bound = 20049
port_range_upper_bound = 20449
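Review bot: The expected-config fixture only gains the unset case (`#fips_mode_enabled = false`), so the enabled branch of the template in pkg/driver/efs_watch_dog.go is never exercised by this test. Add a second case that sets the variable with `t.Setenv("FIPS_ENABLED", "true")` and expects `fips_mode_enabled = true` followed by the blank line before `# Define the port range`, which also pins the whitespace trimming around `{{else -}}` and `{{- end}}`. The enclosing test function starts and ends outside this hunk.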