dt: Handle FIPS config for DT

When RP is not installed to /opt/redpanda, some of the config files will point to non-existant files. This change will make it so one can run Redpanda in FIPS mode in DT. Signed-off-by: Michael Boquard <michael@redpanda.com>
redpanda-data · Jun 4, 2024 · f06b677 · f06b677
1 parent 22181ed
commit f06b677
Showing 1 changed file with 44 additions and 6 deletions.
diff --git a/tests/rptest/services/redpanda.py b/tests/rptest/services/redpanda.py
@@ -1241,6 +1241,7 @@ class RedpandaServiceBase(RedpandaServiceABC, Service):
     BACKTRACE_CAPTURE = os.path.join(PERSISTENT_ROOT, "redpanda_backtrace.log")
     COVERAGE_PROFRAW_CAPTURE = os.path.join(PERSISTENT_ROOT,
                                             "redpanda.profraw")
+    TEMP_OSSL_CONFIG_FILE = "/etc/openssl.cnf"
     DEFAULT_NODE_READY_TIMEOUT_SEC = 20
     NODE_READY_TIMEOUT_MIN_SEC_KEY = "node_ready_timeout_min_sec"
     DEFAULT_CLOUD_STORAGE_SCRUB_TIMEOUT_SEC = 60
@@ -1256,8 +1257,8 @@ class RedpandaServiceBase(RedpandaServiceABC, Service):
 
     FAILURE_INJECTION_CONFIG_PATH = "/etc/redpanda/failure_injection_config.json"
 
-    OPENSSL_CONFIG_FILE = "/opt/redpanda/openssl/openssl.cnf"
-    OPENSSL_MODULES_PATH = "/opt/redpanda/lib/ossl-modules/"
+    OPENSSL_CONFIG_FILE_BASE = "openssl/openssl.cnf"
+    OPENSSL_MODULES_PATH_BASE = "lib/ossl-modules/"
 
     # When configuring multiple listeners for testing, a secondary port to use
     # instead of the default.
@@ -3007,6 +3008,8 @@ def start_node(self,
         node.account.mkdirs(RedpandaService.DATA_DIR)
         node.account.mkdirs(os.path.dirname(RedpandaService.NODE_CONFIG_FILE))
 
+        self.write_openssl_config_file(node)
+
         if write_config:
             self.write_node_conf_file(
                 node,
@@ -3819,6 +3822,9 @@ def clean_node(self,
             node.account.remove(RedpandaService.SYSTEM_TLS_CA_CRT_FILE)
             node.account.ssh(f"update-ca-certificates")
 
+        if node.account.exists(RedpandaService.TEMP_OSSL_CONFIG_FILE):
+            node.account.remove(RedpandaService.TEMP_OSSL_CONFIG_FILE)
+
         if not preserve_current_install or not self._installer._started:
             # Reset the binaries to use the original binaries.
             # NOTE: if the installer hasn't been started, there is no
@@ -3867,6 +3873,38 @@ def get_node_fqdn(node):
             timeout_sec=10).decode('utf-8').split(' ')[0]
         return fqdn
 
+    def write_openssl_config_file(self, node):
+        conf = self.render("openssl.cnf",
+                           fips_conf_file=os.path.join(
+                               self.rp_install_path(),
+                               "openssl/fipsmodule.cnf"))
+        self.logger.debug(
+            f'Writing {RedpandaService.TEMP_OSSL_CONFIG_FILE} to {node.name}:\n{conf}'
+        )
+        node.account.create_file(RedpandaService.TEMP_OSSL_CONFIG_FILE, conf)
+
+    def get_openssl_config_file_path(self) -> str:
+        path = os.path.join(self.rp_install_path(),
+                            self.OPENSSL_CONFIG_FILE_BASE)
+        if self.rp_install_path() != "/opt/redpanda":
+            # If we aren't using an 'installed' Redpanda instance, the openssl config file
+            # located in the install path will not point to the correct location of the FIPS
+            # module config file.  We generate an openssl config file just for this purpose
+            # see write_openssl_config_file above
+            path = RedpandaService.TEMP_OSSL_CONFIG_FILE
+
+        self.logger.debug(
+            f'OpenSSL Config File Path: {path} ({self.rp_install_path()})')
+        return path
+
+    def get_openssl_modules_directory(self) -> str:
+        path = os.path.join(self.rp_install_path(),
+                            self.OPENSSL_MODULES_PATH_BASE)
+
+        self.logger.debug(
+            f'OpenSSL Modules Directory: {path} ({self.rp_install_path()})')
+        return path
+
     def write_node_conf_file(self,
                              node,
                              override_cfg_params=None,
@@ -3920,7 +3958,7 @@ def write_node_conf_file(self,
                            sasl_enabled=self.sasl_enabled(),
                            endpoint_authn_method=self.endpoint_authn_method(),
                            auto_auth=self._security.auto_auth)
-        
+
         def is_fips_capable(node) -> bool:
             cur_ver = self._installer.installed_version(node)
             return cur_ver == RedpandaInstaller.HEAD or cur_ver >= (24, 2, 1)
@@ -3932,9 +3970,9 @@ def is_fips_capable(node) -> bool:
             doc = yaml.full_load(conf)
             doc["redpanda"].update(
                 dict(fips_mode="enabled",
-                     openssl_config_file=RedpandaService.OPENSSL_CONFIG_FILE,
-                     openssl_module_directory=RedpandaService.
-                     OPENSSL_MODULES_PATH))
+                     openssl_config_file=self.get_openssl_config_file_path(),
+                     openssl_module_directory=self.
+                     get_openssl_modules_directory))
             conf = yaml.dump(doc)
 
         if override_cfg_params or node in self._extra_node_conf: