Set fips_mode_enabled in efs-utils.conf #1344


mpatlasov
Contributor

if env var FIPS_ENABLED is set: #1325 .

Is this a bug fix or adding new feature?

This is a bug: if the driver is run in a FIPS-enabled environment, stunnel fails with "Failed to override system-wide FIPS mode" (see src/options.c from stunnel-5.72).

What is this PR about? / Why do we need it?

The PR ensures that if FIPS_ENABLED=true is set as an env var for the aws-efs csi driver, it creates efs-utils.conf with fips_mode_enabled = true.

What testing is done?

In the environment where stunnel fails with "Failed to override system-wide FIPS mode", re-created the Pod with the aws-efs csi driver, adding the FIPS_ENABLED=true env var. Made sure that fips_mode_enabled = true is present in the config and stunnel succeeds.

Fixes #1325
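
A check for the mismatch this PR addresses, as an added example that is not code from the PR or the driver: it compares the FIPS_ENABLED value with the fips_mode_enabled key in efs-utils.conf text. The function names, the `[mount]` section in the sample, and the rule that only the literal "true" enables the env var are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// fipsModeEnabled scans efs-utils.conf text for fips_mode_enabled.
// Commented-out lines are ignored; if the key repeats, the last value wins.
func fipsModeEnabled(conf string) (enabled, found bool) {
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 || strings.TrimSpace(kv[0]) != "fips_mode_enabled" {
			continue
		}
		enabled = strings.EqualFold(strings.TrimSpace(kv[1]), "true")
		found = true
	}
	return enabled, found
}

// checkFIPS returns an empty string when the config matches what
// FIPS_ENABLED asks for, otherwise a one-line finding.
// Assumption: only the literal value "true" (any case) turns the env var on.
func checkFIPS(envValue, conf string) string {
	if !strings.EqualFold(strings.TrimSpace(envValue), "true") {
		return ""
	}
	enabled, found := fipsModeEnabled(conf)
	switch {
	case !found:
		return "FIPS_ENABLED=true but fips_mode_enabled is absent from efs-utils.conf"
	case !enabled:
		return "FIPS_ENABLED=true but fips_mode_enabled is not true in efs-utils.conf"
	}
	return ""
}

func main() {
	// Constructed sample config; the [mount] section name is an assumption.
	conf := "[mount]\n#fips_mode_enabled = true\nfips_mode_enabled = false\n"
	fmt.Println(checkFIPS("true", conf))
}
```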

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 5, 2024
@mskanth972
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Jul 18, 2024
@seanzatzdev-amazon
Contributor

Hey we'll look at this on Monday and try to get this out. Does the bug still arise in the latest (2.0+) versions of the driver which don't use stunnel?

@mpatlasov
Contributor Author

@seanzatzdev-amazon,

> Hey we'll look at this on Monday and try to get this out. Does the bug still arise in the latest (2.0+) versions of the driver which don't use stunnel?

Thank you for expediting this. I tested the bug on the latest upstream version a couple of months ago and it didn't arise by default, when the Rust efs-proxy is being run instead of stunnel. However, it can still bite any customer who tries to put stunnel as a mountOption in a StorageClass:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
mountOptions:
  - stunnel

@mskanth972
Contributor

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 23, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mpatlasov, mskanth972


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 23, 2024
@mskanth972
Contributor

/retest

@mskanth972
Contributor

/retest

@mskanth972
Contributor

mskanth972 commented Jul 23, 2024

Build is failing with the following errors

error: package `tokio-macros v2.4.0` cannot be built because it requires rustc 1.70 or newer, while the currently active rustc version is 1.68.2
#12 237.8 Either upgrade to rustc 1.70 or newer, or use
#12 237.8 cargo update -p tokio-macros@2.4.0 --precise ver
#12 237.8 where `ver` is the latest version of `tokio-macros` supporting rustc 1.68.2
#12 237.8 
#12 237.8 
#12 237.8 RPM build errors:
#12 237.8 error: Bad exit status from /var/tmp/rpm-tmp.WsVTpk (%build)
#12 237.8     bogus date in %changelog: Mon Apr 23 2024 Ryan Stankiewicz <[email protected]> - 2.0.1
#12 237.8     bogus date in %changelog: Wed Jan 1 2023 Ryan Stankiewicz <[email protected]> - 1.34.5
#12 237.8     Bad exit status from /var/tmp/rpm-tmp.WsVTpk (%build)

@mskanth972
Contributor

We released the above error fix to Amazon Linux but not to efs-utils GitHub. The driver pulls efs-utils from GitHub, will fix that and will trigger the tests.

@mskanth972
Contributor

/retest

@k8s-ci-robot k8s-ci-robot merged commit df6e2ce into kubernetes-sigs:master Jul 24, 2024
8 checks passed
Successfully merging this pull request may close these issues.

Configure FIPS Mode for AWS EFS CSI Driver