Add FIPS disabled components flag

Signed-off-by: Pavol Loffay <[email protected]>

Author: pavolloffay

.chloggen/fips.yaml

@@ -0,0 +1,19 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: collector
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add flag to disable components when operator runs on FIPS enabled cluster.
+
+# One or more tracking issues related to the change
+issues: [3315]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  Flag `--fips-disabled-components=receiver.otlp,exporter.otlp,processor.batch,extension.oidc` can be used to disable
+  components when operator runs on FIPS enabled cluster. The operator uses `/proc/sys/crypto/fips_enabled` to check
+  if FIPS is enabled.

apis/v1beta1/collector_webhook.go

@@ -27,6 +27,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	ta "github.com/open-telemetry/opentelemetry-operator/internal/manifests/targetallocator/adapters"
 	"github.com/open-telemetry/opentelemetry-operator/internal/rbac"
 )
@@ -48,6 +49,7 @@ type CollectorWebhook struct {
 	reviewer *rbac.Reviewer
 	metrics  *Metrics
 	bv       BuildValidator
+	fips     fips.FipsCheck
 }
 
 func (c CollectorWebhook) Default(_ context.Context, obj runtime.Object) error {
@@ -290,6 +292,11 @@ func (c CollectorWebhook) Validate(ctx context.Context, r *OpenTelemetryCollecto
 		return warnings, fmt.Errorf("the OpenTelemetry Collector mode is set to %s, which does not support the attribute 'deploymentUpdateStrategy'", r.Spec.Mode)
 	}
 
+	components := r.Spec.Config.GetEnabledComponents()
+	if notAllowedComponents := c.fips.Check(components[KindReceiver], components[KindExporter], components[KindProcessor], components[KindExtension]); notAllowedComponents != nil {
+		return nil, fmt.Errorf("the collector configuration contains not FIPS compliant components: %s. Please remove it from the config", notAllowedComponents)
+	}
+
 	return warnings, nil
 }
 
@@ -423,6 +430,7 @@ func NewCollectorWebhook(
 	reviewer *rbac.Reviewer,
 	metrics *Metrics,
 	bv BuildValidator,
+	fips fips.FipsCheck,
 ) *CollectorWebhook {
 	return &CollectorWebhook{
 		logger:   logger,
@@ -431,11 +439,12 @@ func NewCollectorWebhook(
 		reviewer: reviewer,
 		metrics:  metrics,
 		bv:       bv,
+		fips:     fips,
 	}
 }
 
-func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator) error {
-	cvw := NewCollectorWebhook(mgr.GetLogger().WithValues("handler", "CollectorWebhook", "version", "v1beta1"), mgr.GetScheme(), cfg, reviewer, metrics, bv)
+func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator, fipsCheck fips.FipsCheck) error {
+	cvw := NewCollectorWebhook(mgr.GetLogger().WithValues("handler", "CollectorWebhook", "version", "v1beta1"), mgr.GetScheme(), cfg, reviewer, metrics, bv, fipsCheck)
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(&OpenTelemetryCollector{}).
 		WithValidator(cvw).

apis/v1beta1/collector_webhook_test.go

@@ -39,6 +39,7 @@ import (
 
 	"github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests"
 	collectorManifests "github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector"
 	"github.com/open-telemetry/opentelemetry-operator/internal/rbac"
@@ -113,6 +114,7 @@ func TestValidate(t *testing.T) {
 			getReviewer(test.shouldFailSar),
 			nil,
 			bv,
+			fips.NewFipsCheck(nil, nil, nil, nil),
 		)
 		t.Run(tt.name, func(t *testing.T) {
 			tt := tt
@@ -494,6 +496,7 @@ func TestCollectorDefaultingWebhook(t *testing.T) {
 				getReviewer(test.shouldFailSar),
 				nil,
 				bv,
+				fips.NewFipsCheck(nil, nil, nil, nil),
 			)
 			ctx := context.Background()
 			err := cvw.Default(ctx, &test.otelcol)
@@ -1285,6 +1288,7 @@ func TestOTELColValidatingWebhook(t *testing.T) {
 				getReviewer(test.shouldFailSar),
 				nil,
 				bv,
+				fips.NewFipsCheck(nil, nil, nil, nil),
 			)
 			ctx := context.Background()
 			warnings, err := cvw.ValidateCreate(ctx, &test.otelcol)
@@ -1352,6 +1356,7 @@ func TestOTELColValidateUpdateWebhook(t *testing.T) {
 				getReviewer(test.shouldFailSar),
 				nil,
 				bv,
+				fips.NewFipsCheck(nil, nil, nil, nil),
 			)
 			ctx := context.Background()
 			warnings, err := cvw.ValidateUpdate(ctx, &test.otelcolOld, &test.otelcolNew)

apis/v1beta1/config.go

@@ -112,6 +112,10 @@ func (c *Config) GetEnabledComponents() map[ComponentKind]map[string]interface{}
 		KindExporter:  {},
 		KindExtension: {},
 	}
+	for _, extension := range c.Service.Extensions {
+		toReturn[KindExtension][extension] = struct{}{}
+	}
+
 	for _, pipeline := range c.Service.Pipelines {
 		if pipeline == nil {
 			continue

controllers/suite_test.go

@@ -59,6 +59,7 @@ import (
 	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus"
 	autoRBAC "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/rbac"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector/testdata"
 	"github.com/open-telemetry/opentelemetry-operator/internal/manifests/manifestutils"
@@ -178,7 +179,7 @@ func TestMain(m *testing.M) {
 	}
 	reviewer := rbac.NewReviewer(clientset)
 
-	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil); err != nil {
+	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
 		fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 		os.Exit(1)
 	}

internal/fips/check.go

@@ -0,0 +1,102 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fips
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+)
+
+const fipsFile = "/proc/sys/crypto/fips_enabled"
+
+// FipsCheck holds configuration for FIPS black list.
+type FipsCheck struct {
+	isFIPSEnabled bool
+
+	receivers  map[string]bool
+	exporters  map[string]bool
+	processors map[string]bool
+	extensions map[string]bool
+}
+
+// NewFipsCheck creates new FipsCheck.
+// It checks if FIPS is enabled on the platform in /proc/sys/crypto/fips_enabled.
+func NewFipsCheck(receivers, exporters, processors, extensions []string) FipsCheck {
+	return FipsCheck{
+		isFIPSEnabled: isFipsEnabled(),
+		receivers:     listToMap(receivers),
+		exporters:     listToMap(exporters),
+		processors:    listToMap(processors),
+		extensions:    listToMap(extensions),
+	}
+}
+
+func listToMap(list []string) map[string]bool {
+	m := map[string]bool{}
+	for _, v := range list {
+		m[v] = true
+	}
+	return m
+}
+
+// Check checks if a submitted components are back lister or not.
+func (fips FipsCheck) Check(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string {
+	if !fips.isFIPSEnabled {
+		return nil
+	}
+	var disabled []string
+	if comp := isBlackListed(fips.receivers, receivers); comp != "" {
+		disabled = append(disabled, comp)
+	}
+	if comp := isBlackListed(fips.exporters, exporters); comp != "" {
+		disabled = append(disabled, comp)
+	}
+	if comp := isBlackListed(fips.processors, processors); comp != "" {
+		disabled = append(disabled, comp)
+	}
+	if comp := isBlackListed(fips.extensions, extensions); comp != "" {
+		disabled = append(disabled, comp)
+	}
+	return disabled
+}
+
+func isBlackListed(blackListed map[string]bool, cfg map[string]interface{}) string {
+	for id := range cfg {
+		component := strings.Split(id, "/")[0]
+		if blackListed[component] {
+			return component
+		}
+	}
+	return ""
+}
+
+func isFipsEnabled() bool {
+	// check if file exists
+	if _, err := os.Stat(fipsFile); errors.Is(err, os.ErrNotExist) {
+		fmt.Println("fips file doesn't exist")
+		return false
+	}
+	content, err := os.ReadFile(fipsFile)
+	if err != nil {
+		// file cannot be read, enable FIPS to avoid any violations
+		fmt.Println("cannot read fips file")
+		return true
+	}
+	contentStr := string(content)
+	contentStr = strings.TrimSpace(contentStr)
+	return contentStr == "1"
+}

internal/fips/check_test.go

@@ -0,0 +1,39 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fips
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestFipsCheck(t *testing.T) {
+	fipsCheck := NewFipsCheck([]string{"rec1", "rec2"}, []string{"exp1"}, []string{"processor"}, []string{"ext1"})
+	assert.Equal(t, map[string]bool{"rec1": true, "rec2": true}, fipsCheck.receivers)
+	assert.Equal(t, map[string]bool{"exp1": true}, fipsCheck.exporters)
+	assert.Equal(t, map[string]bool{"processor": true}, fipsCheck.processors)
+	assert.Equal(t, map[string]bool{"ext1": true}, fipsCheck.extensions)
+
+	// test machine probably does not have this enabled
+	fipsCheck.isFIPSEnabled = true
+	blocked := fipsCheck.Check(
+		map[string]interface{}{"otlp": true, "rec1/my": true},
+		map[string]interface{}{"exp1": true},
+		map[string]interface{}{"processor": true},
+		map[string]interface{}{"ext1": true})
+
+	assert.Equal(t, []string{"rec1", "exp1", "processor", "ext1"}, blocked)
+}

internal/webhook/podmutation/webhookhandler_suite_test.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	"net"
 	"os"
 	"path/filepath"
@@ -105,7 +106,7 @@ func TestMain(m *testing.M) {
 	}
 	reviewer := rbac.NewReviewer(clientset)
 
-	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil); err != nil {
+	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
 		fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 		os.Exit(1)
 	}

main.go

@@ -53,6 +53,7 @@ import (
 	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/openshift"
 	"github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	collectorManifests "github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector"
 	openshiftDashboards "github.com/open-telemetry/opentelemetry-operator/internal/openshift/dashboards"
 	"github.com/open-telemetry/opentelemetry-operator/internal/rbac"
@@ -141,6 +142,7 @@ func main() {
 		encodeLevelKey                   string
 		encodeTimeKey                    string
 		encodeLevelFormat                string
+		fipsDisabledComponents           string
 	)
 
 	pflag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
@@ -180,6 +182,7 @@ func main() {
 	pflag.StringVar(&encodeLevelKey, "zap-level-key", "level", "The level key to be used in the customized Log Encoder")
 	pflag.StringVar(&encodeTimeKey, "zap-time-key", "timestamp", "The time key to be used in the customized Log Encoder")
 	pflag.StringVar(&encodeLevelFormat, "zap-level-format", "uppercase", "The level format to be used in the customized Log Encoder")
+	pflag.StringVar(&fipsDisabledComponents, "fips-disabled-components", "uppercase", "Disabled collector components when operator runs on FIPS enabled platform. Example flag value =receiver.foo,receiver.bar,exporter.baz")
 	pflag.IntVar(&webhookPort, "webhook-port", 9443, "The port the webhook endpoint binds to.")
 	pflag.Parse()
 
@@ -438,7 +441,10 @@ func main() {
 			return warnings
 		}
 
-		if err = otelv1beta1.SetupCollectorWebhook(mgr, cfg, reviewer, crdMetrics, bv); err != nil {
+		receivers, exporters, processors, extensions := parseFipsFlag(fipsDisabledComponents)
+		fipsCheck := fips.NewFipsCheck(receivers, exporters, processors, extensions)
+		logger.Info("Fips disabled components", "receivers", receivers, "exporters", exporters, "processors", processors, "extensions", extensions)
+		if err = otelv1beta1.SetupCollectorWebhook(mgr, cfg, reviewer, crdMetrics, bv, fipsCheck); err != nil {
 			setupLog.Error(err, "unable to create webhook", "webhook", "OpenTelemetryCollector")
 			os.Exit(1)
 		}
@@ -535,3 +541,31 @@ func tlsConfigSetting(cfg *tls.Config, tlsOpt tlsConfig) {
 	}
 	cfg.CipherSuites = cipherSuiteIDs
 }
+
+func parseFipsFlag(fipsFlag string) ([]string, []string, []string, []string) {
+	split := strings.Split(fipsFlag, ",")
+	var receivers []string
+	var exporters []string
+	var processors []string
+	var extensions []string
+	for _, val := range split {
+		val = strings.TrimSpace(val)
+		typeAndName := strings.Split(val, ".")
+		if len(typeAndName) == 2 {
+			componentType := typeAndName[0]
+			name := typeAndName[1]
+
+			switch componentType {
+			case "receiver":
+				receivers = append(receivers, name)
+			case "exporter":
+				exporters = append(exporters, name)
+			case "processor":
+				processors = append(processors, name)
+			case "extension":
+				extensions = append(extensions, name)
+			}
+		}
+	}
+	return receivers, exporters, processors, extensions
+}

pkg/collector/upgrade/suite_test.go

@@ -41,6 +41,7 @@ import (
 	"github.com/open-telemetry/opentelemetry-operator/apis/v1alpha1"
 	"github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
 	"github.com/open-telemetry/opentelemetry-operator/internal/config"
+	"github.com/open-telemetry/opentelemetry-operator/internal/fips"
 	"github.com/open-telemetry/opentelemetry-operator/internal/rbac"
 )
 
@@ -105,7 +106,7 @@ func TestMain(m *testing.M) {
 	}
 	reviewer := rbac.NewReviewer(clientset)
 
-	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil); err != nil {
+	if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
 		fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 		os.Exit(1)
 	}