[Helm] Add a setting to deploy FIPS compliant ECK image (#8272) #8275

Merged
merged 1 commit into from
Nov 29, 2024
2 changes: 1 addition & 1 deletion deploy/eck-operator/templates/statefulset.yaml
Expand Up @@ -51,7 +51,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- image: "{{ .Values.image.repository }}{{- if .Values.config.ubiOnly -}}-ubi{{- end -}}:{{ default .Chart.AppVersion .Values.image.tag }}"
- image: "{{ .Values.image.repository }}{{- if .Values.config.ubiOnly -}}-ubi{{- end -}}{{- if .Values.image.fips -}}-fips{{- end -}}:{{ default .Chart.AppVersion .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: manager
args:
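Review bot: On the changed `image:` line, `-fips` is appended whenever `image.fips` is true, with no check on what `image.repository` already contains. A values file that still carries the previously documented override `image.repository=docker.elastic.co/eck/eck-operator-fips` and also sets `image.fips=true` renders `eck-operator-fips-fips`, which is not one of the image names the tests in this change expect. Consider guarding the suffix with `hasSuffix "-fips" .Values.image.repository`, or failing the render with a clear message when both are set. The new flag also lives under `image` while the UBI switch lives under `config` (`config.ubiOnly`); a short template comment on why they differ would help the next reader.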
36 changes: 36 additions & 0 deletions deploy/eck-operator/templates/tests/statefulset_test.yaml
Expand Up @@ -4,6 +4,42 @@ templates:
- statefulset.yaml
- configmap.yaml
tests:
- it: ECK image, fips + ubi
set:
config.ubiOnly: true
image.fips: true
image.tag: "2.16.0"
asserts:
- template: statefulset.yaml
equal:
path: spec.template.spec.containers[0].image
value: "docker.elastic.co/eck/eck-operator-ubi-fips:2.16.0"
- it: ECK image, no fips, no ubi
set:
image.tag: "2.16.0"
asserts:
- template: statefulset.yaml
equal:
path: spec.template.spec.containers[0].image
value: "docker.elastic.co/eck/eck-operator:2.16.0"
- it: ECK image, fips, no ubi
set:
image.fips: true
image.tag: "2.16.0"
asserts:
- template: statefulset.yaml
equal:
path: spec.template.spec.containers[0].image
value: "docker.elastic.co/eck/eck-operator-fips:2.16.0"
- it: ECK image, no fips, ubi
set:
config.ubiOnly: true
image.tag: "2.16.0"
asserts:
- template: statefulset.yaml
equal:
path: spec.template.spec.containers[0].image
value: "docker.elastic.co/eck/eck-operator-ubi:2.16.0"
- it: should have automount service account tokens set by default
asserts:
- template: statefulset.yaml
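Review bot: All four new cases rely on the default `image.repository`, so the suffix logic is never exercised against an overridden repository. Add a case that sets `image.repository` to a private registry path together with `image.fips: true` (and one that also sets `config.ubiOnly: true`) to pin that the suffixes land after the repository name and before the tag, plus a case where the repository already ends in `-fips` to document the expected result. A case without `image.tag` would also cover the `default .Chart.AppVersion` fallback alongside the new suffix.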
4 changes: 4 additions & 0 deletions deploy/eck-operator/values.yaml
Expand Up @@ -24,6 +24,10 @@ image:
pullPolicy: IfNotPresent
# tag is the container image tag. If not defined, defaults to chart appVersion.
tag: null
# fips specifies whether the operator will use a FIPS compliant container image for its own StatefulSet image.
# This setting does not apply to Elastic Stack applications images.
# Can be combined with config.ubiOnly.
fips: false

# priorityClassName defines the PriorityClass to be used by the operator pods.
priorityClassName: ""
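Review bot: The comment on `fips` does not say how the setting takes effect: the template appends `-fips` to `image.repository`. State that here, since anyone who mirrors the image or overrides `image.repository` needs to know the final name (for example `eck-operator-ubi-fips` when combined with `config.ubiOnly`) and must not add the suffix themselves. The wording also differs from the docs change in this PR, which says "FIPS-enabled" where this comment says "FIPS compliant"; pick one.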
4 changes: 2 additions & 2 deletions docs/advanced-topics/fips.asciidoc
Expand Up @@ -18,13 +18,13 @@ For the ECK operator, adherence to FIPS 140-2 is ensured by:

=== FIPS compliant installation using Helm

Modify the `image.repository` Helm chart value to append `-fips` to install a FIPS compliant version of the ECK Operator. Refer to <<{p}-install-helm>> for full Helm installation instructions.
Set `image.fips=true` to install a FIPS-enabled version of the ECK Operator. Refer to <<{p}-install-helm>> for full Helm installation instructions.

[source,sh]
----
helm install elastic-operator elastic/eck-operator \
-n elastic-system --create-namespace \
--set=image.repository=docker.elastic.co/eck/eck-operator-fips
--set=image.fips=true
----

=== FIPS compliant installation using manifests
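Review bot: The rewritten sentence says "FIPS-enabled" while the section heading above it and the next heading still say "FIPS compliant"; align the terms so readers do not assume two different image variants. The section also drops the `image.repository` instruction without telling existing users to remove that override when they switch to `image.fips=true`, and it does not mention that the flag can be combined with `config.ubiOnly`, which values.yaml states and the new tests cover.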