Set fips_mode_enabled in efs-utils.conf

if env var `FIPS_ENABLED` is set: kubernetes-sigs#1325 .

pkg/driver/efs_watch_dog.go

@@ -64,6 +64,13 @@ stunnel_check_cert_hostname = true
 # Use OCSP to check certificate validity. This option is not supported by certain stunnel versions.
 stunnel_check_cert_validity = false
 
+# Enable FIPS mode. stunnel complains if FIPS is available and enabled system-wide, but not set here.
+{{if .FipsEnabled -}}
+fips_mode_enabled = {{.FipsEnabled -}}
+{{else -}}
+#fips_mode_enabled = false
+{{- end}}
+
 # Define the port range that the TLS tunnel will choose from
 port_range_lower_bound = 20049
 port_range_upper_bound = 20449
@@ -163,6 +170,7 @@ type execWatchdog struct {
 type efsUtilsConfig struct {
 	EfsClientSource string
 	Region          string
+	FipsEnabled     string
 }
 
 func newExecWatchdog(efsUtilsCfgPath, efsUtilsStaticFilesPath, cmd string, arg ...string) Watchdog {
@@ -264,7 +272,8 @@ func (w *execWatchdog) updateConfig(efsClientSource string) error {
 	defer f.Close()
 	// used on Fargate, IMDS queries suffice otherwise
 	region := os.Getenv("AWS_DEFAULT_REGION")
-	efsCfg := efsUtilsConfig{EfsClientSource: efsClientSource, Region: region}
+	fipsEnabled := os.Getenv("FIPS_ENABLED")
+	efsCfg := efsUtilsConfig{EfsClientSource: efsClientSource, Region: region, FipsEnabled: fipsEnabled}
 	if err = efsCfgTemplate.Execute(f, efsCfg); err != nil {
 		return fmt.Errorf("cannot update config %s for efs-utils. Error: %v", w.efsUtilsCfgPath, err)
 	}

pkg/driver/efs_watch_dog_test.go

@@ -54,6 +54,9 @@ stunnel_check_cert_hostname = true
 # Use OCSP to check certificate validity. This option is not supported by certain stunnel versions.
 stunnel_check_cert_validity = false
 
+# Enable FIPS mode. stunnel complains if FIPS is available and enabled system-wide, but not set here.
+#fips_mode_enabled = false
+
 # Define the port range that the TLS tunnel will choose from
 port_range_lower_bound = 20049
 port_range_upper_bound = 20449