tigera · rene-dekker · Oct 10, 2024 · Mar 5, 2024 · Jun 7, 2024 · Aug 9, 2024
@@ -181,6 +181,7 @@ type InstallationSpec struct {
 	CalicoNodeWindowsDaemonSet *CalicoNodeWindowsDaemonSet `json:"calicoNodeWindowsDaemonSet,omitempty"`
 
 	// FIPSMode uses images and features only that are using FIPS 140-2 validated cryptographic modules and standards.
+	// Only supported for Variant=Calico.
 	// Default: Disabled
 	// +kubebuilder:validation:Enum=Enabled;Disabled
 	// +optional

@@ -101,13 +101,6 @@ var (
 		Registry: "{{ .Registry }}",
 	}
 {{- end }}
-{{ with .Components.elasticsearch }}
-	ComponentElasticsearchFIPS = Component{
-		Version:  "{{ .Version }}-fips",
-		Image:    "{{ .Image }}",
-		Registry: "{{ .Registry }}",
-	}
-{{- end }}
 {{ with index .Components "eck-elasticsearch-operator" }}
 	ComponentECKElasticsearchOperator = Component{
 		Version:  "{{ .Version }}",
@@ -329,13 +322,6 @@ var (
 		Registry: "{{ .Registry }}",
 	}
 {{- end }}
-{{ with index .Components "tigera-cni" }}
-	ComponentTigeraCNIFIPS = Component{
-		Version:  "{{ .Version }}-fips",
-		Image:    "{{ .Image }}",
-		Registry: "{{ .Registry }}",
-	}
-{{- end }}
 {{ with index .Components "tigera-cni-windows" }}
 	ComponentTigeraCNIWindows = Component{
 		Version:  "{{ .Version }}",
@@ -384,7 +370,6 @@ var (
 		ComponentDeepPacketInspection,
 		ComponentElasticTseeInstaller,
 		ComponentElasticsearch,
-		ComponentElasticsearchFIPS,
 		ComponentElasticsearchOperator,
 		ComponentUIAPIs,
 		ComponentFluentd,
@@ -410,7 +395,6 @@ var (
 		ComponentTigeraNodeWindows,
 		ComponentTigeraTypha,
 		ComponentTigeraCNI,
-		ComponentTigeraCNIFIPS,
 		ComponentTigeraCNIWindows,
 		ComponentElasticsearchMetrics,
 		ComponentESGateway,

@@ -90,12 +90,6 @@ var (
 		Registry: "",
 	}
 
-	ComponentElasticsearchFIPS = Component{
-		Version:  "master-fips",
-		Image:    "tigera/elasticsearch",
-		Registry: "",
-	}
-
 	ComponentECKElasticsearchOperator = Component{
 		Version:  "2.6.1",
 		Registry: "",
@@ -285,12 +279,6 @@ var (
 		Registry: "",
 	}
 
-	ComponentTigeraCNIFIPS = Component{
-		Version:  "master-fips",
-		Image:    "tigera/cni",
-		Registry: "",
-	}
-
 	ComponentTigeraCNIWindows = Component{
 		Version:  "master",
 		Image:    "tigera/cni-windows",
@@ -333,7 +321,6 @@ var (
 		ComponentDeepPacketInspection,
 		ComponentElasticTseeInstaller,
 		ComponentElasticsearch,
-		ComponentElasticsearchFIPS,
 		ComponentElasticsearchOperator,
 		ComponentUIAPIs,
 		ComponentFluentd,
@@ -359,7 +346,6 @@ var (
 		ComponentTigeraNodeWindows,
 		ComponentTigeraTypha,
 		ComponentTigeraCNI,
-		ComponentTigeraCNIFIPS,
 		ComponentTigeraCNIWindows,
 		ComponentElasticsearchMetrics,
 		ComponentESGateway,

@@ -232,12 +232,6 @@ func (r *ReconcileApplicationLayer) Reconcile(ctx context.Context, request recon
 		return reconcile.Result{}, nil
 	}
 
-	if operatorv1.IsFIPSModeEnabled(installation.FIPSMode) {
-		msg := errors.New("ApplicationLayer features cannot be used in combination with FIPSMode=Enabled")
-		r.status.SetDegraded(operatorv1.ResourceValidationError, msg.Error(), nil, reqLogger)
-		return reconcile.Result{}, nil
-	}
-
 	pullSecrets, err := utils.GetNetworkingPullSecrets(installation, r.client)
 	if err != nil {
 		r.status.SetDegraded(operatorv1.ResourceReadError, "Error retrieving pull secrets", err, reqLogger)

@@ -22,25 +22,25 @@ import (
 	. "github.com/onsi/gomega"
 	"github.com/stretchr/testify/mock"
 
+	appsv1 "k8s.io/api/apps/v1"
+	batchv1 "k8s.io/api/batch/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+
 	operatorv1 "github.com/tigera/operator/api/v1"
 	"github.com/tigera/operator/pkg/apis"
 	crdv1 "github.com/tigera/operator/pkg/apis/crd.projectcalico.org/v1"
 	"github.com/tigera/operator/pkg/common"
 	"github.com/tigera/operator/pkg/components"
 	"github.com/tigera/operator/pkg/controller/status"
 	"github.com/tigera/operator/pkg/controller/utils"
+	ctrlrfake "github.com/tigera/operator/pkg/ctrlruntime/client/fake"
 	"github.com/tigera/operator/pkg/render/applicationlayer"
 	"github.com/tigera/operator/test"
-
-	ctrlrfake "github.com/tigera/operator/pkg/ctrlruntime/client/fake"
-	appsv1 "k8s.io/api/apps/v1"
-	batchv1 "k8s.io/api/batch/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
 var _ = Describe("Application layer controller tests", func() {
@@ -529,25 +529,5 @@ var _ = Describe("Application layer controller tests", func() {
 				Expect(instance.Status.Conditions[2].ObservedGeneration).To(Equal(generation))
 			})
 		})
-		It("should not work in combination with FIPS", func() {
-			fipsEnabled := operatorv1.FIPSModeEnabled
-			installation.Spec.FIPSMode = &fipsEnabled
-			Expect(c.Create(ctx, installation)).NotTo(HaveOccurred())
-			mockStatus.On("SetDegraded", operatorv1.ResourceValidationError, "ApplicationLayer features cannot be used in combination with FIPSMode=Enabled", mock.Anything, mock.Anything).Return()
-			mockStatus.On("SetMetaData", mock.Anything).Return()
-			By("applying the ApplicationLayer CR to the fake cluster")
-			enabled := operatorv1.L7LogCollectionEnabled
-			Expect(c.Create(ctx, &operatorv1.ApplicationLayer{
-				ObjectMeta: metav1.ObjectMeta{Name: "tigera-secure"},
-				Spec: operatorv1.ApplicationLayerSpec{
-					LogCollection: &operatorv1.LogCollectionSpec{
-						CollectLogs: &enabled,
-					},
-				},
-			})).NotTo(HaveOccurred())
-			_, err := r.Reconcile(ctx, reconcile.Request{})
-			Expect(err).ShouldNot(HaveOccurred())
-			mockStatus.AssertExpectations(GinkgoT())
-		})
 	})
 })
@@ -30,8 +30,8 @@ import (
 	"github.com/tigera/operator/pkg/controller/k8sapi"
 	"github.com/tigera/operator/pkg/controller/utils"
 	"github.com/tigera/operator/pkg/render"
-	appsv1 "k8s.io/api/apps/v1"
 
+	appsv1 "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 )
 
@@ -411,6 +411,10 @@ func validateCustomResource(instance *operatorv1.Installation) error {
 		}
 	}
 
+	if operatorv1.IsFIPSModeEnabled(instance.Spec.FIPSMode) && instance.Spec.Variant == operatorv1.TigeraSecureEnterprise {
+		return fmt.Errorf("Installation spec.FIPSMode=%v combined with spec.Variant=%s is not supported", *instance.Spec.FIPSMode, instance.Spec.Variant)
+	}
+
 	return nil
 }
 

@@ -1160,4 +1160,23 @@ var _ = Describe("Installation validation tests", func() {
 			Expect(err).NotTo(HaveOccurred())
 		})
 	})
+	Describe("validate FIPSMode combined with Variant", func() {
+		DescribeTable("test that FIPSMode is not allowed in combination with Enterprise",
+			func(variant operator.ProductVariant, fipsMode operator.FIPSMode, expectErr bool) {
+				instance.Spec.Variant = variant
+				instance.Spec.FIPSMode = &fipsMode
+				err := validateCustomResource(instance)
+				if expectErr {
+					Expect(err).To(HaveOccurred())
+				} else {
+					Expect(err).NotTo(HaveOccurred())
+				}
+			},
+
+			Entry("Product: Calico FipsMode: Disabled", operator.Calico, operator.FIPSModeDisabled, false),
+			Entry("Product: Calico FipsMode: Enabled", operator.Calico, operator.FIPSModeEnabled, false),
+			Entry("Product: TigeraSecureEnterprise FipsMode: Disabled", operator.TigeraSecureEnterprise, operator.FIPSModeDisabled, false),
+			Entry("Product: TigeraSecureEnterprise FipsMode: Enabled", operator.TigeraSecureEnterprise, operator.FIPSModeEnabled, true),
+		)
+	})
 })
@@ -369,7 +369,7 @@ func (r *ElasticSubController) Reconcile(ctx context.Context, request reconcile.
 		return reconcile.Result{}, err
 	}
 
-	kibanaEnabled := !operatorv1.IsFIPSModeEnabled(install.FIPSMode) && !r.multiTenant
+	kibanaEnabled := !r.multiTenant
 
 	// Wait for dependencies to exist.
 	if elasticKeyPair == nil {
@@ -384,8 +384,6 @@ func (r *ElasticSubController) Reconcile(ctx context.Context, request reconcile.
 	// Define variables to be filled in below, conditional on cluster type.
 	var esLicenseType render.ElasticsearchLicenseType
 	var clusterConfig *relasticsearch.ClusterConfig
-	var applyTrial bool
-	var keyStoreSecret *corev1.Secret
 	var esAdminUserSecret *corev1.Secret
 
 	flowShards := logstoragecommon.CalculateFlowShards(ls.Spec.Nodes, logstoragecommon.DefaultElasticsearchShards)
@@ -402,26 +400,6 @@ func (r *ElasticSubController) Reconcile(ctx context.Context, request reconcile.
 		return reconcile.Result{}, err
 	}
 
-	if operatorv1.IsFIPSModeEnabled(install.FIPSMode) {
-		applyTrial, err = r.applyElasticTrialSecret(ctx, install)
-		if err != nil {
-			r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get eck trial license", err, reqLogger)
-			return reconcile.Result{}, err
-		}
-
-		keyStoreSecret = &corev1.Secret{}
-		if err := r.client.Get(ctx, types.NamespacedName{Name: render.ElasticsearchKeystoreSecret, Namespace: render.ElasticsearchNamespace}, keyStoreSecret); err != nil {
-			if errors.IsNotFound(err) {
-				// We need to render a new one.
-				keyStoreSecret = render.CreateElasticsearchKeystoreSecret()
-			} else {
-				log.Error(err, "failed to read the Elasticsearch keystore secret")
-				r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to read the Elasticsearch keystore secret", err, reqLogger)
-				return reconcile.Result{}, err
-			}
-		}
-	}
-
 	// Get the admin user secret to copy to the operator namespace.
 	esAdminUserSecret, err = utils.GetSecret(ctx, r.client, render.ElasticsearchAdminUserSecret, render.ElasticsearchNamespace)
 	if err != nil {
@@ -527,7 +505,6 @@ func (r *ElasticSubController) Reconcile(ctx context.Context, request reconcile.
 			PullSecrets:        pullSecrets,
 			Provider:           r.provider,
 			ElasticLicenseType: esLicenseType,
-			ApplyTrial:         applyTrial,
 		}),
 		render.LogStorage(&render.ElasticsearchConfiguration{
 			LogStorage:              ls,
@@ -544,7 +521,6 @@ func (r *ElasticSubController) Reconcile(ctx context.Context, request reconcile.
 			ElasticLicenseType:      esLicenseType,
 			TrustedBundle:           trustedBundle,
 			UnusedTLSSecret:         unusedTLSSecret,
-			KeyStoreSecret:          keyStoreSecret,
 		}),
 		kibana.Kibana(&kibana.Configuration{
 			LogStorage:      ls,
@@ -727,21 +703,3 @@ func (r *ElasticSubController) getKibanaService(ctx context.Context) (*corev1.Se
 	}
 	return &svc, nil
 }
-
-// applyElasticTrialSecret returns true if we want to apply a new trial license.
-// Overwriting an existing trial license will invalidate the old trial, and revert the cluster back to basic. When a user
-// installs a valid Elastic license, the trial will be ignored.
-func (r *ElasticSubController) applyElasticTrialSecret(ctx context.Context, installation *operatorv1.InstallationSpec) (bool, error) {
-	if !operatorv1.IsFIPSModeEnabled(installation.FIPSMode) {
-		return false, nil
-	}
-	// FIPS mode is a licensed feature for Elasticsearch.
-	if err := r.client.Get(ctx, types.NamespacedName{Name: eck.EnterpriseTrial, Namespace: eck.OperatorNamespace}, &corev1.Secret{}); err != nil {
-		if errors.IsNotFound(err) {
-			return true, nil
-		} else {
-			return false, err
-		}
-	}
-	return false, nil
-}
@@ -212,9 +212,6 @@ func (r *LogStorageInitializer) Reconcile(ctx context.Context, request reconcile
 		return reconcile.Result{}, err
 	}
 
-	// Determine if Kibana is enabled for this cluster.
-	kibanaEnabled := !operatorv1.IsFIPSModeEnabled(install.FIPSMode) && !r.multiTenant
-
 	// Check if there is a management cluster connection. ManagementClusterConnection is a managed cluster only resource.
 	if err = r.client.Get(ctx, utils.DefaultTSEEInstanceKey, &operatorv1.ManagementClusterConnection{}); err == nil {
 		// LogStorage isn't valid for managed clusters.
@@ -248,8 +245,9 @@ func (r *LogStorageInitializer) Reconcile(ctx context.Context, request reconcile
 		r.status.SetDegraded(operatorv1.ResourceUpdateError, "Error creating / updating resource", err, reqLogger)
 		return reconcile.Result{}, err
 	}
-	if kibanaEnabled {
-		// Create the Namespace.
+
+	// Multitenant clusters do not get kibana, so namespace creation can be skipped.
+	if !r.multiTenant {
 		kbNamespace := render.CreateNamespace(kibana.Namespace, install.KubernetesProvider, render.PSSBaseline)
 		if err = hdler.CreateOrUpdateOrDelete(ctx, render.NewPassthrough(kbNamespace), r.status); err != nil {
 			r.status.SetDegraded(operatorv1.ResourceUpdateError, "Error creating / updating resource", err, reqLogger)

@@ -261,9 +261,6 @@ func (r *SecretSubController) Reconcile(ctx context.Context, request reconcile.R
 	// Provision secrets and the trusted bundle into the cluster.
 	hdler := utils.NewComponentHandler(reqLogger, r.client, r.scheme, ls)
 
-	// Determine if Kibana should be enabled for this cluster.
-	kibanaEnabled := !operatorv1.IsFIPSModeEnabled(install.FIPSMode) && !r.multiTenant
-
 	// Internal ES modes:
 	// - Zero-tenant: everything installed in tigera-elasticsearch/tigera-kibana Namespaces. We need a single trusted bundle in each.
 	// - Single-tenant: everything installed in tigera-elasticsearch/tigera-kibana Namespaces. We need a single trusted bundle in each.
@@ -277,7 +274,7 @@ func (r *SecretSubController) Reconcile(ctx context.Context, request reconcile.R
 		// needs to include the public certificates from other Tigera components.
 
 		// Generate Elasticsearch / Kibana secrets for the tigera-elasticsearch and tigera-kibana namespaces.
-		elasticKeys, err := r.generateInternalElasticSecrets(reqLogger, kibanaEnabled, operatorSigner)
+		elasticKeys, err := r.generateInternalElasticSecrets(reqLogger, operatorSigner)
 		if err != nil {
 			return reconcile.Result{}, err
 		}
@@ -288,7 +285,8 @@ func (r *SecretSubController) Reconcile(ctx context.Context, request reconcile.R
 			return reconcile.Result{}, err
 		}
 
-		if kibanaEnabled {
+		// Multitenant clusters do not get kibana, so TLS assets creation can be skipped.
+		if !r.multiTenant {
 			// Render the key pair and trusted bundle into the Kibana namespace.
 			if err = hdler.CreateOrUpdateOrDelete(ctx, elasticKeys.internalKibanaComponent(elasticKeys.trustedBundle(operatorSigner)), r.status); err != nil {
 				r.status.SetDegraded(operatorv1.ResourceUpdateError, "Error creating / updating resource", err, reqLogger)
@@ -336,7 +334,7 @@ func (r *SecretSubController) Reconcile(ctx context.Context, request reconcile.R
 
 // generateInternalElasticSecrets generates key pairs for the internal ES cluster and Kibana managed by tigera-operator via ECK
 // when configured to use an internal ES.
-func (r *SecretSubController) generateInternalElasticSecrets(log logr.Logger, kibanaEnabled bool, cm certificatemanager.CertificateManager) (*elasticKeyPairCollection, error) {
+func (r *SecretSubController) generateInternalElasticSecrets(log logr.Logger, cm certificatemanager.CertificateManager) (*elasticKeyPairCollection, error) {
 	collection := elasticKeyPairCollection{log: log}
 
 	// Generate a keypair for elasticsearch.
@@ -353,7 +351,8 @@ func (r *SecretSubController) generateInternalElasticSecrets(log logr.Logger, ki
 	}
 	collection.elastic = elasticKeyPair
 
-	if kibanaEnabled {
+	// Multitenant clusters do not get kibana, so TLS assets creation can be skipped.
+	if !r.multiTenant {
 		// Generate a keypair for Kibana.
 		//
 		// This fetches the existing key pair from the tigera-operator namespace if it exists, or generates a new one in-memory otherwise.

@@ -6264,6 +6264,7 @@ spec:
               fipsMode:
                 description: |-
                   FIPSMode uses images and features only that are using FIPS 140-2 validated cryptographic modules and standards.
+                  Only supported for Variant=Calico.
                   Default: Disabled
                 enum:
                 - Enabled
@@ -14444,6 +14445,7 @@ spec:
                   fipsMode:
                     description: |-
                       FIPSMode uses images and features only that are using FIPS 140-2 validated cryptographic modules and standards.
+                      Only supported for Variant=Calico.
                       Default: Disabled
                     enum:
                     - Enabled

@@ -1231,7 +1231,6 @@ func (c *apiServerComponent) queryServerContainer() corev1.Container {
 		{Name: "LISTEN_ADDR", Value: fmt.Sprintf(":%d", QueryServerPort)},
 		{Name: "TLS_CERT", Value: fmt.Sprintf("/%s/tls.crt", ProjectCalicoAPIServerTLSSecretName(c.cfg.Installation.Variant))},
 		{Name: "TLS_KEY", Value: fmt.Sprintf("/%s/tls.key", ProjectCalicoAPIServerTLSSecretName(c.cfg.Installation.Variant))},
-		{Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(c.cfg.Installation.FIPSMode)},
 	}
 	if c.cfg.TrustedBundle != nil {
 		env = append(env, corev1.EnvVar{Name: "TRUSTED_BUNDLE_PATH", Value: c.cfg.TrustedBundle.MountPath()})