From 1c0ba9be48f2f875ec38fcc69a64f87fc0dfe1f7 Mon Sep 17 00:00:00 2001 From: Pavol Loffay Date: Mon, 30 Sep 2024 17:25:31 +0200 Subject: [PATCH 1/6] Add FIPS disabled components flag Signed-off-by: Pavol Loffay --- .chloggen/fips.yaml | 19 ++++ apis/v1beta1/collector_webhook.go | 13 ++- apis/v1beta1/collector_webhook_test.go | 5 + apis/v1beta1/config.go | 4 + controllers/suite_test.go | 3 +- internal/fips/check.go | 102 ++++++++++++++++++ internal/fips/check_test.go | 39 +++++++ .../podmutation/webhookhandler_suite_test.go | 3 +- main.go | 36 ++++++- pkg/collector/upgrade/suite_test.go | 3 +- 10 files changed, 221 insertions(+), 6 deletions(-) create mode 100755 .chloggen/fips.yaml create mode 100644 internal/fips/check.go create mode 100644 internal/fips/check_test.go diff --git a/.chloggen/fips.yaml b/.chloggen/fips.yaml new file mode 100755 index 0000000000..ec572de643 --- /dev/null +++ b/.chloggen/fips.yaml @@ -0,0 +1,19 @@ +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: enhancement + +# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action) +component: collector + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Add flag to disable components when operator runs on FIPS enabled cluster. + +# One or more tracking issues related to the change +issues: [3315] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: | + Flag `--fips-disabled-components=receiver.otlp,exporter.otlp,processor.batch,extension.oidc` can be used to disable + components when operator runs on FIPS enabled cluster. The operator uses `/proc/sys/crypto/fips_enabled` to check + if FIPS is enabled. 
diff --git a/apis/v1beta1/collector_webhook.go b/apis/v1beta1/collector_webhook.go index 4e783a01df..edaaebf775 100644 --- a/apis/v1beta1/collector_webhook.go +++ b/apis/v1beta1/collector_webhook.go @@ -27,6 +27,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/webhook/admission" "github.com/open-telemetry/opentelemetry-operator/internal/config" + "github.com/open-telemetry/opentelemetry-operator/internal/fips" ta "github.com/open-telemetry/opentelemetry-operator/internal/manifests/targetallocator/adapters" "github.com/open-telemetry/opentelemetry-operator/internal/rbac" ) @@ -48,6 +49,7 @@ type CollectorWebhook struct { reviewer *rbac.Reviewer metrics *Metrics bv BuildValidator + fips fips.FipsCheck } func (c CollectorWebhook) Default(_ context.Context, obj runtime.Object) error { @@ -290,6 +292,11 @@ func (c CollectorWebhook) Validate(ctx context.Context, r *OpenTelemetryCollecto return warnings, fmt.Errorf("the OpenTelemetry Collector mode is set to %s, which does not support the attribute 'deploymentUpdateStrategy'", r.Spec.Mode) } + components := r.Spec.Config.GetEnabledComponents() + if notAllowedComponents := c.fips.Check(components[KindReceiver], components[KindExporter], components[KindProcessor], components[KindExtension]); notAllowedComponents != nil { + return nil, fmt.Errorf("the collector configuration contains not FIPS compliant components: %s. Please remove it from the config", notAllowedComponents) + } + return warnings, nil } @@ -423,6 +430,7 @@ func NewCollectorWebhook( reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator, + fips fips.FipsCheck, ) *CollectorWebhook { return &CollectorWebhook{ logger: logger, 
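Review bot: The FIPS rejection added to Validate returns `nil` for the warnings, which drops the warnings accumulated earlier in the function, while the mode check just above it in this hunk returns `warnings, fmt.Errorf(...)`; keep the same shape: `return warnings, fmt.Errorf("the collector configuration contains non-FIPS-compliant components: %v; remove them from the config", notAllowedComponents)`. The wording change matters because the check can report several components, and "remove it" reads as a single one. Since this is an admission-time check, a resource that does not pass through the validating webhook would presumably not be rejected, so the flag documentation should state that enforcement depends on the webhook being installed. Validate starts and ends outside the hunk.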
@@ -431,11 +439,12 @@ func NewCollectorWebhook( reviewer: reviewer, metrics: metrics, bv: bv, + fips: fips, } } -func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator) error { - cvw := NewCollectorWebhook(mgr.GetLogger().WithValues("handler", "CollectorWebhook", "version", "v1beta1"), mgr.GetScheme(), cfg, reviewer, metrics, bv) +func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator, fipsCheck fips.FipsCheck) error { + cvw := NewCollectorWebhook(mgr.GetLogger().WithValues("handler", "CollectorWebhook", "version", "v1beta1"), mgr.GetScheme(), cfg, reviewer, metrics, bv, fipsCheck) return ctrl.NewWebhookManagedBy(mgr). For(&OpenTelemetryCollector{}). WithValidator(cvw). diff --git a/apis/v1beta1/collector_webhook_test.go b/apis/v1beta1/collector_webhook_test.go index 64ffff48ea..66298cff07 100644 --- a/apis/v1beta1/collector_webhook_test.go +++ b/apis/v1beta1/collector_webhook_test.go @@ -39,6 +39,7 @@ import ( "github.com/open-telemetry/opentelemetry-operator/apis/v1beta1" "github.com/open-telemetry/opentelemetry-operator/internal/config" + "github.com/open-telemetry/opentelemetry-operator/internal/fips" "github.com/open-telemetry/opentelemetry-operator/internal/manifests" collectorManifests "github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector" "github.com/open-telemetry/opentelemetry-operator/internal/rbac" @@ -113,6 +114,7 @@ func TestValidate(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, + fips.NewFipsCheck(nil, nil, nil, nil), ) t.Run(tt.name, func(t *testing.T) { tt := tt @@ -494,6 +496,7 @@ func TestCollectorDefaultingWebhook(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, + fips.NewFipsCheck(nil, nil, nil, nil), ) ctx := context.Background() err := cvw.Default(ctx, &test.otelcol) 
@@ -1285,6 +1288,7 @@ func TestOTELColValidatingWebhook(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, + fips.NewFipsCheck(nil, nil, nil, nil), ) ctx := context.Background() warnings, err := cvw.ValidateCreate(ctx, &test.otelcol) @@ -1352,6 +1356,7 @@ func TestOTELColValidateUpdateWebhook(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, + fips.NewFipsCheck(nil, nil, nil, nil), ) ctx := context.Background() warnings, err := cvw.ValidateUpdate(ctx, &test.otelcolOld, &test.otelcolNew) diff --git a/apis/v1beta1/config.go b/apis/v1beta1/config.go index b34601bf05..0eb9af57e9 100644 --- a/apis/v1beta1/config.go +++ b/apis/v1beta1/config.go @@ -112,6 +112,10 @@ func (c *Config) GetEnabledComponents() map[ComponentKind]map[string]interface{} KindExporter: {}, KindExtension: {}, } + for _, extension := range c.Service.Extensions { + toReturn[KindExtension][extension] = struct{}{} + } + for _, pipeline := range c.Service.Pipelines { if pipeline == nil { continue diff --git a/controllers/suite_test.go b/controllers/suite_test.go index 55a3cf3446..de13c80ce8 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go @@ -59,6 +59,7 @@ import ( "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus" autoRBAC "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/rbac" "github.com/open-telemetry/opentelemetry-operator/internal/config" + "github.com/open-telemetry/opentelemetry-operator/internal/fips" "github.com/open-telemetry/opentelemetry-operator/internal/manifests" "github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector/testdata" "github.com/open-telemetry/opentelemetry-operator/internal/manifests/manifestutils" 
@@ -178,7 +179,7 @@ func TestMain(m *testing.M) { } reviewer := rbac.NewReviewer(clientset) - if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil); err != nil { + if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil { fmt.Printf("failed to SetupWebhookWithManager: %v", err) os.Exit(1) } diff --git a/internal/fips/check.go b/internal/fips/check.go new file mode 100644 index 0000000000..491b1aaf47 --- /dev/null +++ b/internal/fips/check.go 
@@ -0,0 +1,102 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fips
+
+import (
+ "errors"
+ "fmt"
+ "os"
+ "strings"
+)
+
+const fipsFile = "/proc/sys/crypto/fips_enabled"
+
+// FipsCheck holds configuration for FIPS black list.
+type FipsCheck struct {
+ isFIPSEnabled bool
+
+ receivers map[string]bool
+ exporters map[string]bool
+ processors map[string]bool
+ extensions map[string]bool
+}
+
+// NewFipsCheck creates new FipsCheck.
+// It checks if FIPS is enabled on the platform in /proc/sys/crypto/fips_enabled.
+func NewFipsCheck(receivers, exporters, processors, extensions []string) FipsCheck {
+ return FipsCheck{
+ isFIPSEnabled: isFipsEnabled(),
+ receivers: listToMap(receivers),
+ exporters: listToMap(exporters),
+ processors: listToMap(processors),
+ extensions: listToMap(extensions),
+ }
+}
+
+func listToMap(list []string) map[string]bool {
+ m := map[string]bool{}
+ for _, v := range list {
+ m[v] = true
+ }
+ return m
+}
+
+// Check checks if a submitted components are back lister or not.
+func (fips FipsCheck) Check(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string {
+ if !fips.isFIPSEnabled {
+ return nil
+ }
+ var disabled []string
+ if comp := isBlackListed(fips.receivers, receivers); comp != "" {
+ disabled = append(disabled, comp)
+ }
+ if comp := isBlackListed(fips.exporters, exporters); comp != "" {
+ disabled = append(disabled, comp)
+ }
+ if comp := isBlackListed(fips.processors, processors); comp != "" {
+ disabled = append(disabled, comp)
+ }
+ if comp := isBlackListed(fips.extensions, extensions); comp != "" {
+ disabled = append(disabled, comp)
+ }
+ return disabled
+}
+
+func isBlackListed(blackListed map[string]bool, cfg map[string]interface{}) string {
+ for id := range cfg {
+ component := strings.Split(id, "/")[0]
+ if blackListed[component] {
+ return component
+ }
+ }
+ return ""
+}
+
+func isFipsEnabled() bool {
+ // check if file exists
+ if _, err := os.Stat(fipsFile); errors.Is(err, os.ErrNotExist) {
+ fmt.Println("fips file doesn't exist")
+ return false
+ }
+ content, err := os.ReadFile(fipsFile)
+ if err != nil {
+ // file cannot be read, enable FIPS to avoid any violations
+ fmt.Println("cannot read fips file")
+ return true
+ }
+ contentStr := string(content)
+ contentStr = strings.TrimSpace(contentStr)
+ return contentStr == "1"
+}
diff --git a/internal/fips/check_test.go b/internal/fips/check_test.go
new file mode 100644
index 0000000000..58aa12c3e4
--- /dev/null
+++ b/internal/fips/check_test.go
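Review bot: `isBlackListed` returns on the first hit, so `Check` reports at most one component per kind even when several disabled ones are configured, and because Go map iteration order is random the component that gets reported can change between otherwise identical admissions, while the webhook's error message promises the full list. Collecting every match, deduplicated and sorted, gives a stable and complete message; `Check` then becomes `disabled = append(disabled, disabledIn(fips.receivers, receivers)...)` for each of the four kinds. The same first-match logic survives the rename to `isDisabled` in the third patch of this series, so the fix applies there too. The helper below needs `sort` added to the file's imports.
```go
// disabledIn returns every component type in cfg that is in disabledSet.
// The result is deduplicated (otlp/a and otlp/b report "otlp" once) and
// sorted so the admission error is deterministic across map iterations.
func disabledIn(disabledSet map[string]bool, cfg map[string]interface{}) []string {
	seen := map[string]bool{}
	var found []string
	for id := range cfg {
		component := strings.Split(id, "/")[0]
		if disabledSet[component] && !seen[component] {
			seen[component] = true
			found = append(found, component)
		}
	}
	sort.Strings(found)
	return found
}
```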
@@ -0,0 +1,39 @@ +// Copyright The OpenTelemetry Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package fips + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestFipsCheck(t *testing.T) { + fipsCheck := NewFipsCheck([]string{"rec1", "rec2"}, []string{"exp1"}, []string{"processor"}, []string{"ext1"}) + assert.Equal(t, map[string]bool{"rec1": true, "rec2": true}, fipsCheck.receivers) + assert.Equal(t, map[string]bool{"exp1": true}, fipsCheck.exporters) + assert.Equal(t, map[string]bool{"processor": true}, fipsCheck.processors) + assert.Equal(t, map[string]bool{"ext1": true}, fipsCheck.extensions) + + // test machine probably does not have this enabled + fipsCheck.isFIPSEnabled = true + blocked := fipsCheck.Check( + map[string]interface{}{"otlp": true, "rec1/my": true}, + map[string]interface{}{"exp1": true}, + map[string]interface{}{"processor": true}, + map[string]interface{}{"ext1": true}) + + assert.Equal(t, []string{"rec1", "exp1", "processor", "ext1"}, blocked) +} diff --git a/internal/webhook/podmutation/webhookhandler_suite_test.go b/internal/webhook/podmutation/webhookhandler_suite_test.go index 8448762f5d..d6e13b4f35 100644 --- a/internal/webhook/podmutation/webhookhandler_suite_test.go +++ b/internal/webhook/podmutation/webhookhandler_suite_test.go @@ -18,6 +18,7 @@ import ( "context" "crypto/tls" "fmt" + "github.com/open-telemetry/opentelemetry-operator/internal/fips" "net" "os" "path/filepath" 
@@ -105,7 +106,7 @@ func TestMain(m *testing.M) { } reviewer := rbac.NewReviewer(clientset) - if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil); err != nil { + if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil { fmt.Printf("failed to SetupWebhookWithManager: %v", err) os.Exit(1) } diff --git a/main.go b/main.go index 55c754f2fb..2581c44d83 100644 --- a/main.go +++ b/main.go @@ -53,6 +53,7 @@ import ( "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/openshift" "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus" "github.com/open-telemetry/opentelemetry-operator/internal/config" + "github.com/open-telemetry/opentelemetry-operator/internal/fips" collectorManifests "github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector" openshiftDashboards "github.com/open-telemetry/opentelemetry-operator/internal/openshift/dashboards" "github.com/open-telemetry/opentelemetry-operator/internal/rbac" @@ -141,6 +142,7 @@ func main() { encodeLevelKey string encodeTimeKey string encodeLevelFormat string + fipsDisabledComponents string ) pflag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") 
@@ -180,6 +182,7 @@ func main() { pflag.StringVar(&encodeLevelKey, "zap-level-key", "level", "The level key to be used in the customized Log Encoder") pflag.StringVar(&encodeTimeKey, "zap-time-key", "timestamp", "The time key to be used in the customized Log Encoder") pflag.StringVar(&encodeLevelFormat, "zap-level-format", "uppercase", "The level format to be used in the customized Log Encoder") + pflag.StringVar(&fipsDisabledComponents, "fips-disabled-components", "uppercase", "Disabled collector components when operator runs on FIPS enabled platform. Example flag value =receiver.foo,receiver.bar,exporter.baz") pflag.IntVar(&webhookPort, "webhook-port", 9443, "The port the webhook endpoint binds to.") pflag.Parse() @@ -438,7 +441,10 @@ func main() { return warnings } - if err = otelv1beta1.SetupCollectorWebhook(mgr, cfg, reviewer, crdMetrics, bv); err != nil { + receivers, exporters, processors, extensions := parseFipsFlag(fipsDisabledComponents) + fipsCheck := fips.NewFipsCheck(receivers, exporters, processors, extensions) + logger.Info("Fips disabled components", "receivers", receivers, "exporters", exporters, "processors", processors, "extensions", extensions) + if err = otelv1beta1.SetupCollectorWebhook(mgr, cfg, reviewer, crdMetrics, bv, fipsCheck); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "OpenTelemetryCollector") os.Exit(1) } 
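Review bot: The default value of `--fips-disabled-components` is `"uppercase"`, copied from the `--zap-level-format` line above it; it only stays harmless because `parseFipsFlag` discards entries without a dot, and it shows up verbatim in `--help`. The default should be the empty string: `pflag.StringVar(&fipsDisabledComponents, "fips-disabled-components", "", "Comma-separated collector components to disable when the operator runs on a FIPS enabled platform, e.g. receiver.foo,receiver.bar,exporter.baz")`. The help text could also say that the list is only enforced when FIPS is detected, which is what `Check` in the same patch does by returning nil when FIPS is not enabled. main() starts and ends outside the hunk.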
@@ -535,3 +541,31 @@ func tlsConfigSetting(cfg *tls.Config, tlsOpt tlsConfig) {
 }
 cfg.CipherSuites = cipherSuiteIDs
 }
+
+func parseFipsFlag(fipsFlag string) ([]string, []string, []string, []string) {
+ split := strings.Split(fipsFlag, ",")
+ var receivers []string
+ var exporters []string
+ var processors []string
+ var extensions []string
+ for _, val := range split {
+ val = strings.TrimSpace(val)
+ typeAndName := strings.Split(val, ".")
+ if len(typeAndName) == 2 {
+ componentType := typeAndName[0]
+ name := typeAndName[1]
+
+ switch componentType {
+ case "receiver":
+ receivers = append(receivers, name)
+ case "exporter":
+ exporters = append(exporters, name)
+ case "processor":
+ processors = append(processors, name)
+ case "extension":
+ extensions = append(extensions, name)
+ }
+ }
+ }
+ return receivers, exporters, processors, extensions
+}
diff --git a/pkg/collector/upgrade/suite_test.go b/pkg/collector/upgrade/suite_test.go
index 89a56d8b40..ea90bcb695 100644
--- a/pkg/collector/upgrade/suite_test.go
+++ b/pkg/collector/upgrade/suite_test.go
@@ -41,6 +41,7 @@ import (
 "github.com/open-telemetry/opentelemetry-operator/apis/v1alpha1"
 "github.com/open-telemetry/opentelemetry-operator/apis/v1beta1"
 "github.com/open-telemetry/opentelemetry-operator/internal/config"
+ "github.com/open-telemetry/opentelemetry-operator/internal/fips"
 "github.com/open-telemetry/opentelemetry-operator/internal/rbac"
 )
@@ -105,7 +106,7 @@ func TestMain(m *testing.M) {
 }
 reviewer := rbac.NewReviewer(clientset)
- if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil); err != nil {
+ if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
 fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 os.Exit(1)
 }
From bda76f21062596bbbd5784444505a9bd1a4478d7 Mon Sep 17 00:00:00 2001
From: Pavol Loffay
Date: Tue, 1 Oct 2024 11:02:44 +0200
Subject: [PATCH 2/6] Fix
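Review bot: `parseFipsFlag` silently drops any entry that is not exactly `<kind>.<name>` or whose kind is not one of the four cases, so a typo such as `reciever.otlp` leaves that component permitted with no log line or error, which defeats the purpose of a compliance control. Reporting malformed entries as an error (and skipping only empty ones, so a trailing comma is fine) lets the operator fail at startup instead; the call site in main would then handle the error with `setupLog.Error(err, ...)` and `os.Exit(1)` like its neighbours. `strings.Cut` also removes the `len(typeAndName) == 2` check and tolerates names that themselves contain a dot. The rewrite below needs `fmt` in main.go's imports if it is not already there.
```go
// parseFipsFlag splits the comma-separated "<kind>.<name>" list into the
// per-kind component names. Malformed or unknown entries are returned as an
// error rather than dropped, so a typo cannot silently re-enable a component.
func parseFipsFlag(fipsFlag string) (receivers, exporters, processors, extensions []string, err error) {
	for _, val := range strings.Split(fipsFlag, ",") {
		val = strings.TrimSpace(val)
		if val == "" {
			continue
		}
		componentType, name, ok := strings.Cut(val, ".")
		if !ok || name == "" {
			return nil, nil, nil, nil, fmt.Errorf("invalid fips-disabled-components entry %q, expected <kind>.<name>", val)
		}
		switch componentType {
		case "receiver":
			receivers = append(receivers, name)
		case "exporter":
			exporters = append(exporters, name)
		case "processor":
			processors = append(processors, name)
		case "extension":
			extensions = append(extensions, name)
		default:
			return nil, nil, nil, nil, fmt.Errorf("unknown component kind %q in fips-disabled-components entry %q", componentType, val)
		}
	}
	return receivers, exporters, processors, extensions, nil
}
```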
Signed-off-by: Pavol Loffay --- internal/webhook/podmutation/webhookhandler_suite_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/webhook/podmutation/webhookhandler_suite_test.go b/internal/webhook/podmutation/webhookhandler_suite_test.go index d6e13b4f35..6810ca27f4 100644 --- a/internal/webhook/podmutation/webhookhandler_suite_test.go +++ b/internal/webhook/podmutation/webhookhandler_suite_test.go @@ -18,7 +18,6 @@ import ( "context" "crypto/tls" "fmt" - "github.com/open-telemetry/opentelemetry-operator/internal/fips" "net" "os" "path/filepath" @@ -42,6 +41,7 @@ import ( "github.com/open-telemetry/opentelemetry-operator/apis/v1alpha1" "github.com/open-telemetry/opentelemetry-operator/apis/v1beta1" "github.com/open-telemetry/opentelemetry-operator/internal/config" + "github.com/open-telemetry/opentelemetry-operator/internal/fips" "github.com/open-telemetry/opentelemetry-operator/internal/rbac" ) From afc19427d4c624a8298cc655350a4344a8a58309 Mon Sep 17 00:00:00 2001 From: Pavol Loffay Date: Tue, 1 Oct 2024 11:26:14 +0200 Subject: [PATCH 3/6] Fix Signed-off-by: Pavol Loffay --- apis/v1beta1/collector_webhook.go | 8 +-- apis/v1beta1/collector_webhook_test.go | 8 +-- controllers/suite_test.go | 6 +- internal/autodetect/fips/fipsautodetect.go | 39 +++++++++++ internal/autodetect/main.go | 6 ++ internal/config/main_test.go | 4 ++ internal/fips/{check.go => fipscheck.go} | 64 ++++++++----------- .../fips/{check_test.go => fipscheck_test.go} | 11 +--- .../podmutation/webhookhandler_suite_test.go | 2 +- main.go | 2 +- pkg/collector/upgrade/suite_test.go | 2 +- 11 files changed, 93 insertions(+), 59 deletions(-) create mode 100644 internal/autodetect/fips/fipsautodetect.go rename internal/fips/{check.go => fipscheck.go} (51%) rename internal/fips/{check_test.go => fipscheck_test.go} (64%) diff --git a/apis/v1beta1/collector_webhook.go b/apis/v1beta1/collector_webhook.go index edaaebf775..8fb3593bdf 100644 
--- a/apis/v1beta1/collector_webhook.go +++ b/apis/v1beta1/collector_webhook.go @@ -49,7 +49,7 @@ type CollectorWebhook struct { reviewer *rbac.Reviewer metrics *Metrics bv BuildValidator - fips fips.FipsCheck + fips fips.FIPSCheck } func (c CollectorWebhook) Default(_ context.Context, obj runtime.Object) error { @@ -293,7 +293,7 @@ func (c CollectorWebhook) Validate(ctx context.Context, r *OpenTelemetryCollecto } components := r.Spec.Config.GetEnabledComponents() - if notAllowedComponents := c.fips.Check(components[KindReceiver], components[KindExporter], components[KindProcessor], components[KindExtension]); notAllowedComponents != nil { + if notAllowedComponents := c.fips.DisabledComponents(components[KindReceiver], components[KindExporter], components[KindProcessor], components[KindExtension]); notAllowedComponents != nil { return nil, fmt.Errorf("the collector configuration contains not FIPS compliant components: %s. Please remove it from the config", notAllowedComponents) } @@ -430,7 +430,7 @@ func NewCollectorWebhook( reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator, - fips fips.FipsCheck, + fips fips.FIPSCheck, ) *CollectorWebhook { return &CollectorWebhook{ logger: logger, @@ -443,7 +443,7 @@ func NewCollectorWebhook( } } -func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator, fipsCheck fips.FipsCheck) error { +func SetupCollectorWebhook(mgr ctrl.Manager, cfg config.Config, reviewer *rbac.Reviewer, metrics *Metrics, bv BuildValidator, fipsCheck fips.FIPSCheck) error { cvw := NewCollectorWebhook(mgr.GetLogger().WithValues("handler", "CollectorWebhook", "version", "v1beta1"), mgr.GetScheme(), cfg, reviewer, metrics, bv, fipsCheck) return ctrl.NewWebhookManagedBy(mgr). For(&OpenTelemetryCollector{}). diff --git a/apis/v1beta1/collector_webhook_test.go b/apis/v1beta1/collector_webhook_test.go index 66298cff07..0bab77b245 100644 --- a/apis/v1beta1/collector_webhook_test.go 
+++ b/apis/v1beta1/collector_webhook_test.go @@ -114,7 +114,7 @@ func TestValidate(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, - fips.NewFipsCheck(nil, nil, nil, nil), + fips.NewFipsCheck(false, nil, nil, nil, nil), ) t.Run(tt.name, func(t *testing.T) { tt := tt @@ -496,7 +496,7 @@ func TestCollectorDefaultingWebhook(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, - fips.NewFipsCheck(nil, nil, nil, nil), + fips.NewFipsCheck(false, nil, nil, nil, nil), ) ctx := context.Background() err := cvw.Default(ctx, &test.otelcol) @@ -1288,7 +1288,7 @@ func TestOTELColValidatingWebhook(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, - fips.NewFipsCheck(nil, nil, nil, nil), + fips.NewFipsCheck(false, nil, nil, nil, nil), ) ctx := context.Background() warnings, err := cvw.ValidateCreate(ctx, &test.otelcol) @@ -1356,7 +1356,7 @@ func TestOTELColValidateUpdateWebhook(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, - fips.NewFipsCheck(nil, nil, nil, nil), + fips.NewFipsCheck(false, nil, nil, nil, nil), ) ctx := context.Background() warnings, err := cvw.ValidateUpdate(ctx, &test.otelcolOld, &test.otelcolNew) diff --git a/controllers/suite_test.go b/controllers/suite_test.go index de13c80ce8..b709bab0e2 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go @@ -103,6 +103,10 @@ type mockAutoDetect struct { RBACPermissionsFunc func(ctx context.Context) (autoRBAC.Availability, error) } +func (m *mockAutoDetect) FIPSEnabled(ctx context.Context) bool { + return false +} + func (m *mockAutoDetect) PrometheusCRsAvailability() (prometheus.Availability, error) { if m.PrometheusCRsAvailabilityFunc != nil { return m.PrometheusCRsAvailabilityFunc() 
@@ -179,7 +183,7 @@ func TestMain(m *testing.M) {
 }
 reviewer := rbac.NewReviewer(clientset)
- if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil {
+ if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(false, nil, nil, nil, nil)); err != nil {
 fmt.Printf("failed to SetupWebhookWithManager: %v", err)
 os.Exit(1)
 }
diff --git a/internal/autodetect/fips/fipsautodetect.go b/internal/autodetect/fips/fipsautodetect.go
new file mode 100644
index 0000000000..2d54dd8305
--- /dev/null
+++ b/internal/autodetect/fips/fipsautodetect.go
@@ -0,0 +1,39 @@
+// Copyright The OpenTelemetry Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fips
+
+import (
+ "errors"
+ "os"
+ "strings"
+)
+
+const fipsFile = "/proc/sys/crypto/fips_enabled"
+
+// IsFipsEnabled checks whether FIPS is enabled on the platform.
+func IsFipsEnabled() bool {
+ // check if file exists
+ if _, err := os.Stat(fipsFile); errors.Is(err, os.ErrNotExist) {
+ return false
+ }
+ content, err := os.ReadFile(fipsFile)
+ if err != nil {
+ // file cannot be read, enable FIPS to avoid any violations
+ return true
+ }
+ contentStr := string(content)
+ contentStr = strings.TrimSpace(contentStr)
+ return contentStr == "1"
+}
diff --git a/internal/autodetect/main.go b/internal/autodetect/main.go
index 8682a6c27d..68adf53375 100644
--- a/internal/autodetect/main.go
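Review bot: `IsFipsEnabled`'s doc comment does not say that an existing but unreadable `/proc/sys/crypto/fips_enabled` is treated as FIPS enabled, nor that the probe is Linux-specific; both matter to whoever debugs a cluster where components are unexpectedly rejected. Suggested comment: `// IsFipsEnabled reports whether the host kernel runs in FIPS mode by reading /proc/sys/crypto/fips_enabled (Linux only). A missing file means not enabled; a file that exists but cannot be read is treated as enabled so that no non-compliant component is admitted by mistake.` The separate `os.Stat` is redundant with `os.ReadFile`: `content, err := os.ReadFile(fipsFile)` followed by `if errors.Is(err, os.ErrNotExist) { return false }` and `if err != nil { return true }` covers both cases with one syscall and no window between the existence check and the read.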
+++ b/internal/autodetect/main.go @@ -18,6 +18,7 @@ package autodetect import ( "context" "fmt" + "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/fips" "k8s.io/client-go/discovery" "k8s.io/client-go/rest" @@ -35,6 +36,7 @@ type AutoDetect interface { OpenShiftRoutesAvailability() (openshift.RoutesAvailability, error) PrometheusCRsAvailability() (prometheus.Availability, error) RBACPermissions(ctx context.Context) (autoRBAC.Availability, error) + FIPSEnabled(ctx context.Context) bool } type autoDetect struct { @@ -122,3 +124,7 @@ func (a *autoDetect) RBACPermissions(ctx context.Context) (autoRBAC.Availability return autoRBAC.Available, nil } + +func (a *autoDetect) FIPSEnabled(_ context.Context) bool { + return fips.IsFipsEnabled() +} diff --git a/internal/config/main_test.go b/internal/config/main_test.go index 1f3886f776..08882a0392 100644 --- a/internal/config/main_test.go +++ b/internal/config/main_test.go @@ -82,6 +82,10 @@ type mockAutoDetect struct { RBACPermissionsFunc func(ctx context.Context) (rbac.Availability, error) } +func (m *mockAutoDetect) FIPSEnabled(_ context.Context) bool { + return false +} + func (m *mockAutoDetect) OpenShiftRoutesAvailability() (openshift.RoutesAvailability, error) { if m.OpenShiftRoutesAvailabilityFunc != nil { return m.OpenShiftRoutesAvailabilityFunc() diff --git a/internal/fips/check.go b/internal/fips/fipscheck.go similarity index 51% rename from internal/fips/check.go rename to internal/fips/fipscheck.go index 491b1aaf47..15be206c95 100644 --- a/internal/fips/check.go +++ b/internal/fips/fipscheck.go 
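Review bot: The new import of `internal/autodetect/fips` is placed in the standard-library group between `"fmt"` and `"k8s.io/client-go/discovery"`, which `goimports` would move down to the module's own import group — the same misplacement the second patch in this series fixes in webhookhandler_suite_test.go. The `FIPSEnabled` method added to the exported `AutoDetect` interface also has no doc comment; suggested: `// FIPSEnabled reports whether the platform the operator runs on has FIPS mode enabled.` placed above the method in the interface.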
@@ -15,16 +15,15 @@ package fips
 import (
- "errors"
- "fmt"
- "os"
 "strings"
 )
-const fipsFile = "/proc/sys/crypto/fips_enabled"
+type FIPSCheck interface {
+ DisabledComponents(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string
+}
 // FipsCheck holds configuration for FIPS black list.
-type FipsCheck struct {
+type fipsCheck struct {
 isFIPSEnabled bool
 receivers map[string]bool
@@ -33,15 +32,24 @@ type FipsCheck struct {
 extensions map[string]bool
 }
+type noopFIPSCheck struct{}
+
+func (noopFIPSCheck) DisabledComponents(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string {
+ return nil
+}
+
 // NewFipsCheck creates new FipsCheck.
 // It checks if FIPS is enabled on the platform in /proc/sys/crypto/fips_enabled.
-func NewFipsCheck(receivers, exporters, processors, extensions []string) FipsCheck {
- return FipsCheck{
- isFIPSEnabled: isFipsEnabled(),
- receivers: listToMap(receivers),
- exporters: listToMap(exporters),
- processors: listToMap(processors),
- extensions: listToMap(extensions),
+func NewFipsCheck(FIPSEnabled bool, receivers, exporters, processors, extensions []string) FIPSCheck {
+ if !FIPSEnabled {
+ return &noopFIPSCheck{}
+ }
+
+ return &fipsCheck{
+ receivers: listToMap(receivers),
+ exporters: listToMap(exporters),
+ processors: listToMap(processors),
+ extensions: listToMap(extensions),
 }
 }
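Review bot: The `isFIPSEnabled bool` field kept on `fipsCheck` is no longer assigned by `NewFipsCheck` nor tested by `DisabledComponents` after this patch, and nothing else in the series reads it, so it is dead state suggesting a per-instance switch that no longer exists; drop the field. Two naming points in the same hunk: the constructor parameter `FIPSEnabled` should be `fipsEnabled` (parameters are not exported), and the exported `FIPSCheck` interface has no doc comment while `// FipsCheck holds configuration for FIPS black list.` now sits above the unexported `fipsCheck`. Suggested: `// FIPSCheck reports which configured collector components are disallowed on a FIPS-enabled platform.` above the interface and `// fipsCheck holds the per-kind sets of disabled component types.` above the struct; the stale `// It checks if FIPS is enabled on the platform in /proc/sys/crypto/fips_enabled.` line on `NewFipsCheck` should also go, since the constructor now takes that answer as a parameter.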
@@ -54,27 +62,24 @@ func listToMap(list []string) map[string]bool {
 }
 // Check checks if a submitted components are back lister or not.
-func (fips FipsCheck) Check(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string {
- if !fips.isFIPSEnabled {
- return nil
- }
+func (fips fipsCheck) DisabledComponents(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string {
 var disabled []string
- if comp := isBlackListed(fips.receivers, receivers); comp != "" {
+ if comp := isDisabled(fips.receivers, receivers); comp != "" {
 disabled = append(disabled, comp)
 }
- if comp := isBlackListed(fips.exporters, exporters); comp != "" {
+ if comp := isDisabled(fips.exporters, exporters); comp != "" {
 disabled = append(disabled, comp)
 }
- if comp := isBlackListed(fips.processors, processors); comp != "" {
+ if comp := isDisabled(fips.processors, processors); comp != "" {
 disabled = append(disabled, comp)
 }
- if comp := isBlackListed(fips.extensions, extensions); comp != "" {
+ if comp := isDisabled(fips.extensions, extensions); comp != "" {
 disabled = append(disabled, comp)
 }
 return disabled
 }
-func isBlackListed(blackListed map[string]bool, cfg map[string]interface{}) string {
+func isDisabled(blackListed map[string]bool, cfg map[string]interface{}) string {
 for id := range cfg {
 component := strings.Split(id, "/")[0]
 if blackListed[component] {
@@ -83,20 +88,3 @@ func isBlackListed(blackListed map[string]bool, cfg map[string]interface{}) stri } return "" } - -func isFipsEnabled() bool { - // check if file exists - if _, err := os.Stat(fipsFile); errors.Is(err, os.ErrNotExist) { - fmt.Println("fips file doesn't exist") - return false - } - content, err := os.ReadFile(fipsFile) - if err != nil { - // file cannot be read, enable FIPS to avoid any violations - fmt.Println("cannot read fips file") - return true - } - contentStr := string(content) - contentStr = strings.TrimSpace(contentStr) - return contentStr == "1" -} diff --git a/internal/fips/check_test.go b/internal/fips/fipscheck_test.go similarity index 64% rename from internal/fips/check_test.go rename to internal/fips/fipscheck_test.go index 58aa12c3e4..99d77e714c 100644 --- a/internal/fips/check_test.go +++ b/internal/fips/fipscheck_test.go @@ -21,15 +21,8 @@ import ( ) func TestFipsCheck(t *testing.T) { - fipsCheck := NewFipsCheck([]string{"rec1", "rec2"}, []string{"exp1"}, []string{"processor"}, []string{"ext1"}) - assert.Equal(t, map[string]bool{"rec1": true, "rec2": true}, fipsCheck.receivers) - assert.Equal(t, map[string]bool{"exp1": true}, fipsCheck.exporters) - assert.Equal(t, map[string]bool{"processor": true}, fipsCheck.processors) - assert.Equal(t, map[string]bool{"ext1": true}, fipsCheck.extensions) - - // test machine probably does not have this enabled - fipsCheck.isFIPSEnabled = true - blocked := fipsCheck.Check( + fipsCheck := NewFipsCheck(true, []string{"rec1", "rec2"}, []string{"exp1"}, []string{"processor"}, []string{"ext1"}) + blocked := fipsCheck.DisabledComponents( map[string]interface{}{"otlp": true, "rec1/my": true}, map[string]interface{}{"exp1": true}, map[string]interface{}{"processor": true}, diff --git a/internal/webhook/podmutation/webhookhandler_suite_test.go b/internal/webhook/podmutation/webhookhandler_suite_test.go index 6810ca27f4..84b4699333 100644 --- a/internal/webhook/podmutation/webhookhandler_suite_test.go 
+++ b/internal/webhook/podmutation/webhookhandler_suite_test.go @@ -106,7 +106,7 @@ func TestMain(m *testing.M) { } reviewer := rbac.NewReviewer(clientset) - if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil { + if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(false, nil, nil, nil, nil)); err != nil { fmt.Printf("failed to SetupWebhookWithManager: %v", err) os.Exit(1) } diff --git a/main.go b/main.go index 2581c44d83..3fadcc7f88 100644 --- a/main.go +++ b/main.go @@ -442,8 +442,8 @@ func main() { } receivers, exporters, processors, extensions := parseFipsFlag(fipsDisabledComponents) - fipsCheck := fips.NewFipsCheck(receivers, exporters, processors, extensions) logger.Info("Fips disabled components", "receivers", receivers, "exporters", exporters, "processors", processors, "extensions", extensions) + fipsCheck := fips.NewFipsCheck(ad.FIPSEnabled(ctx), receivers, exporters, processors, extensions) if err = otelv1beta1.SetupCollectorWebhook(mgr, cfg, reviewer, crdMetrics, bv, fipsCheck); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "OpenTelemetryCollector") os.Exit(1) diff --git a/pkg/collector/upgrade/suite_test.go b/pkg/collector/upgrade/suite_test.go index ea90bcb695..652d1873ac 100644 --- a/pkg/collector/upgrade/suite_test.go +++ b/pkg/collector/upgrade/suite_test.go @@ -106,7 +106,7 @@ func TestMain(m *testing.M) { } reviewer := rbac.NewReviewer(clientset) - if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(nil, nil, nil, nil)); err != nil { + if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(false, nil, nil, nil, nil)); err != nil { fmt.Printf("failed to SetupWebhookWithManager: %v", err) os.Exit(1) } From 6db0df92311630a0ffc854ea60d252790643fd2c Mon Sep 17 00:00:00 2001 
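Review bot: `ad.FIPSEnabled(ctx)` now decides whether the deny list is enforced at all, but its failure behaviour is not visible here: the `isFipsEnabled` it replaces (deleted in the `@@ -83,20 +88,3 @@` hunk above) treated an unreadable `/proc/sys/crypto/fips_enabled` as enabled, i.e. it failed closed. Confirm that the autodetect implementation keeps that default and logs a read error, because a silent `false` at this call site switches the collector validation off without any trace in the operator log. The same call is retained in the PATCH 6/6 `main.go` hunk `@@ -441,9 +441,12 @@`. `main` starts and ends outside this hunk.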
From: Pavol Loffay Date: Tue, 1 Oct 2024 11:38:50 +0200 Subject: [PATCH 4/6] Fix Signed-off-by: Pavol Loffay --- internal/autodetect/main.go | 2 +- internal/fips/fipscheck.go | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/internal/autodetect/main.go b/internal/autodetect/main.go index 68adf53375..27c368f3f5 100644 --- a/internal/autodetect/main.go +++ b/internal/autodetect/main.go @@ -18,11 +18,11 @@ package autodetect import ( "context" "fmt" - "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/fips" "k8s.io/client-go/discovery" "k8s.io/client-go/rest" + "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/fips" "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/openshift" "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus" autoRBAC "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/rbac" diff --git a/internal/fips/fipscheck.go b/internal/fips/fipscheck.go index 15be206c95..8c910aa894 100644 --- a/internal/fips/fipscheck.go +++ b/internal/fips/fipscheck.go @@ -24,8 +24,6 @@ type FIPSCheck interface { // FipsCheck holds configuration for FIPS black list. type fipsCheck struct { - isFIPSEnabled bool - receivers map[string]bool exporters map[string]bool processors map[string]bool From e85b9027b2753f0050d4c3bec0888133b65d610a Mon Sep 17 00:00:00 2001 From: Pavol Loffay Date: Wed, 2 Oct 2024 10:32:21 +0200 Subject: [PATCH 5/6] Fix Signed-off-by: Pavol Loffay --- apis/v1beta1/collector_webhook.go | 8 +++++--- apis/v1beta1/collector_webhook_test.go | 9 ++++----- controllers/suite_test.go | 3 +-- internal/fips/fipscheck.go | 17 +++++------------ .../podmutation/webhookhandler_suite_test.go | 3 +-- pkg/collector/upgrade/suite_test.go | 3 +-- 6 files changed, 17 insertions(+), 26 deletions(-) diff --git a/apis/v1beta1/collector_webhook.go b/apis/v1beta1/collector_webhook.go index 8fb3593bdf..b1f8ddd91e 100644 --- a/apis/v1beta1/collector_webhook.go 
+++ b/apis/v1beta1/collector_webhook.go @@ -292,9 +292,11 @@ func (c CollectorWebhook) Validate(ctx context.Context, r *OpenTelemetryCollecto return warnings, fmt.Errorf("the OpenTelemetry Collector mode is set to %s, which does not support the attribute 'deploymentUpdateStrategy'", r.Spec.Mode) } - components := r.Spec.Config.GetEnabledComponents() - if notAllowedComponents := c.fips.DisabledComponents(components[KindReceiver], components[KindExporter], components[KindProcessor], components[KindExtension]); notAllowedComponents != nil { - return nil, fmt.Errorf("the collector configuration contains not FIPS compliant components: %s. Please remove it from the config", notAllowedComponents) + if c.fips != nil { + components := r.Spec.Config.GetEnabledComponents() + if notAllowedComponents := c.fips.DisabledComponents(components[KindReceiver], components[KindExporter], components[KindProcessor], components[KindExtension]); notAllowedComponents != nil { + return nil, fmt.Errorf("the collector configuration contains not FIPS compliant components: %s. Please remove it from the config", notAllowedComponents) + } } return warnings, nil diff --git a/apis/v1beta1/collector_webhook_test.go b/apis/v1beta1/collector_webhook_test.go index 0bab77b245..9ce9cd3c90 100644 --- a/apis/v1beta1/collector_webhook_test.go +++ b/apis/v1beta1/collector_webhook_test.go @@ -39,7 +39,6 @@ import ( "github.com/open-telemetry/opentelemetry-operator/apis/v1beta1" "github.com/open-telemetry/opentelemetry-operator/internal/config" - "github.com/open-telemetry/opentelemetry-operator/internal/fips" "github.com/open-telemetry/opentelemetry-operator/internal/manifests" collectorManifests "github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector" "github.com/open-telemetry/opentelemetry-operator/internal/rbac" 
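Review bot: The FIPS rejection path returns `nil, fmt.Errorf(...)` and so drops the `warnings` accumulated earlier in `Validate`, whereas the mode check directly above it returns `warnings, fmt.Errorf(...)`; the two error returns should agree, so `return warnings, fmt.Errorf(...)` here. The message itself is awkward and says "remove it" for a list: I would use `"the collector configuration contains components that are disabled on FIPS-enabled clusters: %s; remove them from the config"`. The `c.fips != nil` guard works because `main.go` leaves the interface untouched when FIPS is off, which is worth a one-line comment on the field. `Validate` starts outside the hunk.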
@@ -114,7 +113,7 @@ func TestValidate(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, - fips.NewFipsCheck(false, nil, nil, nil, nil), + nil, ) t.Run(tt.name, func(t *testing.T) { tt := tt @@ -496,7 +495,7 @@ func TestCollectorDefaultingWebhook(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, - fips.NewFipsCheck(false, nil, nil, nil, nil), + nil, ) ctx := context.Background() err := cvw.Default(ctx, &test.otelcol) @@ -1288,7 +1287,7 @@ func TestOTELColValidatingWebhook(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, - fips.NewFipsCheck(false, nil, nil, nil, nil), + nil, ) ctx := context.Background() warnings, err := cvw.ValidateCreate(ctx, &test.otelcol) @@ -1356,7 +1355,7 @@ func TestOTELColValidateUpdateWebhook(t *testing.T) { getReviewer(test.shouldFailSar), nil, bv, - fips.NewFipsCheck(false, nil, nil, nil, nil), + nil, ) ctx := context.Background() warnings, err := cvw.ValidateUpdate(ctx, &test.otelcolOld, &test.otelcolNew) diff --git a/controllers/suite_test.go b/controllers/suite_test.go index b709bab0e2..4e56fb16de 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go @@ -59,7 +59,6 @@ import ( "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/prometheus" autoRBAC "github.com/open-telemetry/opentelemetry-operator/internal/autodetect/rbac" "github.com/open-telemetry/opentelemetry-operator/internal/config" - "github.com/open-telemetry/opentelemetry-operator/internal/fips" "github.com/open-telemetry/opentelemetry-operator/internal/manifests" "github.com/open-telemetry/opentelemetry-operator/internal/manifests/collector/testdata" "github.com/open-telemetry/opentelemetry-operator/internal/manifests/manifestutils" 
@@ -183,7 +182,7 @@ func TestMain(m *testing.M) { } reviewer := rbac.NewReviewer(clientset) - if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(false, nil, nil, nil, nil)); err != nil { + if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, nil); err != nil { fmt.Printf("failed to SetupWebhookWithManager: %v", err) os.Exit(1) } diff --git a/internal/fips/fipscheck.go b/internal/fips/fipscheck.go index 8c910aa894..276c7dc23f 100644 --- a/internal/fips/fipscheck.go +++ b/internal/fips/fipscheck.go @@ -19,10 +19,11 @@ import ( ) type FIPSCheck interface { + // DisabledComponents checks if a submitted components are denied or not. DisabledComponents(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string } -// FipsCheck holds configuration for FIPS black list. +// FipsCheck holds configuration for FIPS deny list. type fipsCheck struct { receivers map[string]bool exporters map[string]bool @@ -30,17 +31,10 @@ type fipsCheck struct { extensions map[string]bool } -type noopFIPSCheck struct{} - -func (noopFIPSCheck) DisabledComponents(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string { - return nil -} - // NewFipsCheck creates new FipsCheck. -// It checks if FIPS is enabled on the platform in /proc/sys/crypto/fips_enabled. func NewFipsCheck(FIPSEnabled bool, receivers, exporters, processors, extensions []string) FIPSCheck { if !FIPSEnabled { - return &noopFIPSCheck{} + return nil } return &fipsCheck{ 
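Review bot: The doc comment added to `DisabledComponents` in the `@@ -19,10 +19,11 @@` hunk of `fipscheck.go` has a grammar slip ("if a submitted components") and says nothing about the return value, which is what the webhook branches on with `!= nil`. I would write `// DisabledComponents returns the types of the configured receivers, exporters, processors and extensions that are on the FIPS deny list, or nil when none are.` The struct comment two lines below still reads `FipsCheck` although the type is `fipsCheck`.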
@@ -59,7 +53,6 @@ func listToMap(list []string) map[string]bool { return m } -// Check checks if a submitted components are back lister or not. func (fips fipsCheck) DisabledComponents(receivers map[string]interface{}, exporters map[string]interface{}, processors map[string]interface{}, extensions map[string]interface{}) []string { var disabled []string if comp := isDisabled(fips.receivers, receivers); comp != "" { @@ -77,10 +70,10 @@ func (fips fipsCheck) DisabledComponents(receivers map[string]interface{}, expor return disabled } -func isDisabled(blackListed map[string]bool, cfg map[string]interface{}) string { +func isDisabled(denyList map[string]bool, cfg map[string]interface{}) string { for id := range cfg { component := strings.Split(id, "/")[0] - if blackListed[component] { + if denyList[component] { return component } } diff --git a/internal/webhook/podmutation/webhookhandler_suite_test.go b/internal/webhook/podmutation/webhookhandler_suite_test.go index 84b4699333..7490a57579 100644 --- a/internal/webhook/podmutation/webhookhandler_suite_test.go +++ b/internal/webhook/podmutation/webhookhandler_suite_test.go @@ -41,7 +41,6 @@ import ( "github.com/open-telemetry/opentelemetry-operator/apis/v1alpha1" "github.com/open-telemetry/opentelemetry-operator/apis/v1beta1" "github.com/open-telemetry/opentelemetry-operator/internal/config" - "github.com/open-telemetry/opentelemetry-operator/internal/fips" "github.com/open-telemetry/opentelemetry-operator/internal/rbac" ) @@ -106,7 +105,7 @@ func TestMain(m *testing.M) { } reviewer := rbac.NewReviewer(clientset) - if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(false, nil, nil, nil, nil)); err != nil { + if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, nil); err != nil { fmt.Printf("failed to SetupWebhookWithManager: %v", err) os.Exit(1) } 
diff --git a/pkg/collector/upgrade/suite_test.go b/pkg/collector/upgrade/suite_test.go index 652d1873ac..c5e5cdbd23 100644 --- a/pkg/collector/upgrade/suite_test.go +++ b/pkg/collector/upgrade/suite_test.go @@ -41,7 +41,6 @@ import ( "github.com/open-telemetry/opentelemetry-operator/apis/v1alpha1" "github.com/open-telemetry/opentelemetry-operator/apis/v1beta1" "github.com/open-telemetry/opentelemetry-operator/internal/config" - "github.com/open-telemetry/opentelemetry-operator/internal/fips" "github.com/open-telemetry/opentelemetry-operator/internal/rbac" ) @@ -106,7 +105,7 @@ func TestMain(m *testing.M) { } reviewer := rbac.NewReviewer(clientset) - if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, fips.NewFipsCheck(false, nil, nil, nil, nil)); err != nil { + if err = v1beta1.SetupCollectorWebhook(mgr, config.New(), reviewer, nil, nil, nil); err != nil { fmt.Printf("failed to SetupWebhookWithManager: %v", err) os.Exit(1) } From fcd3eecfda13467f529f75492e59a0910f295353 Mon Sep 17 00:00:00 2001 From: Pavol Loffay Date: Wed, 2 Oct 2024 15:42:38 +0200 Subject: [PATCH 6/6] Fix Signed-off-by: Pavol Loffay --- internal/fips/fipscheck.go | 6 +----- internal/fips/fipscheck_test.go | 2 +- main.go | 9 ++++++--- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/internal/fips/fipscheck.go b/internal/fips/fipscheck.go index 276c7dc23f..499df12fcc 100644 --- a/internal/fips/fipscheck.go +++ b/internal/fips/fipscheck.go @@ -32,11 +32,7 @@ type fipsCheck struct { } // NewFipsCheck creates new FipsCheck. -func NewFipsCheck(FIPSEnabled bool, receivers, exporters, processors, extensions []string) FIPSCheck { - if !FIPSEnabled { - return nil - } - +func NewFipsCheck(receivers, exporters, processors, extensions []string) FIPSCheck { return &fipsCheck{ receivers: listToMap(receivers), exporters: listToMap(exporters), diff --git a/internal/fips/fipscheck_test.go b/internal/fips/fipscheck_test.go index 99d77e714c..c52d7b1e3d 100644 
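Review bot: With the `FIPSEnabled` parameter gone, `NewFipsCheck` in the `@@ -32,11 +32,7 @@` hunk of `fipscheck.go` always builds a deny list, and its one-line comment "creates new FipsCheck" no longer tells the reader that the enforcement decision now lives with the caller or what the four lists contain. I would replace it with `// NewFipsCheck builds a FIPSCheck from lists of component type names (e.g. "otlp"); matching ignores the "/name" instance suffix. The caller decides whether FIPS is enabled and whether to install the check.` The suffix behaviour comes from the `strings.Split(id, "/")[0]` lookup in the same file.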
--- a/internal/fips/fipscheck_test.go +++ b/internal/fips/fipscheck_test.go @@ -21,7 +21,7 @@ import ( ) func TestFipsCheck(t *testing.T) { - fipsCheck := NewFipsCheck(true, []string{"rec1", "rec2"}, []string{"exp1"}, []string{"processor"}, []string{"ext1"}) + fipsCheck := NewFipsCheck([]string{"rec1", "rec2"}, []string{"exp1"}, []string{"processor"}, []string{"ext1"}) blocked := fipsCheck.DisabledComponents( map[string]interface{}{"otlp": true, "rec1/my": true}, map[string]interface{}{"exp1": true}, diff --git a/main.go b/main.go index 3fadcc7f88..1d3471898f 100644 --- a/main.go +++ b/main.go @@ -441,9 +441,12 @@ func main() { return warnings } - receivers, exporters, processors, extensions := parseFipsFlag(fipsDisabledComponents) - logger.Info("Fips disabled components", "receivers", receivers, "exporters", exporters, "processors", processors, "extensions", extensions) - fipsCheck := fips.NewFipsCheck(ad.FIPSEnabled(ctx), receivers, exporters, processors, extensions) + var fipsCheck fips.FIPSCheck + if ad.FIPSEnabled(ctx) { + receivers, exporters, processors, extensions := parseFipsFlag(fipsDisabledComponents) + logger.Info("Fips disabled components", "receivers", receivers, "exporters", exporters, "processors", processors, "extensions", extensions) + fipsCheck = fips.NewFipsCheck(receivers, exporters, processors, extensions) + } if err = otelv1beta1.SetupCollectorWebhook(mgr, cfg, reviewer, crdMetrics, bv, fipsCheck); err != nil { setupLog.Error(err, "unable to create webhook", "webhook", "OpenTelemetryCollector") os.Exit(1)
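Review bot: When `ad.FIPSEnabled(ctx)` is false the whole `--fips-disabled-components` value is discarded without any log line, so an operator who set the flag on a non-FIPS host gets no signal that it is inert, and a malformed flag value is only noticed on FIPS hosts. I would record the detection result unconditionally, e.g. `fipsEnabled := ad.FIPSEnabled(ctx)` followed by `logger.Info("FIPS mode", "enabled", fipsEnabled)`, and keep the `parseFipsFlag` call and its log line outside the branch. On non-FIPS hosts `fipsCheck` stays a nil `fips.FIPSCheck`, which the webhook's `c.fips != nil` guard relies on; that holds as long as nothing ever assigns a typed nil pointer to it. `main` starts outside the hunk.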