-
Notifications
You must be signed in to change notification settings - Fork 612
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[fips] Propagate the FIPS boolean to the manager, raft storage layer, and raft DEK management #2586
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2586 +/- ##
==========================================
- Coverage 67.34% 61.84% -5.51%
==========================================
Files 98 134 +36
Lines 14554 21829 +7275
==========================================
+ Hits 9802 13500 +3698
- Misses 3743 6892 +3149
- Partials 1009 1437 +428 |
Rebased! The first commit is the main change, and a lot of it is a test refactor. The other two changes are:
This should be ready for review now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor comments. Didn't review test code yet btw.
@@ -112,6 +118,7 @@ func compareKEKs(oldKEK, candidateKEK ca.KEKData) (bool, bool, error) { | |||
type RaftDEKManager struct { | |||
kw ca.KeyWriter | |||
rotationCh chan struct{} | |||
FIPS bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: add a comment on what this flag indicates.
@@ -156,8 +165,9 @@ func (r *RaftDEKManager) NeedsRotation() bool { | |||
} | |||
|
|||
// GetKeys returns the current set of DEKs. If NeedsRotation is true, and there | |||
// is no existing PendingDEK, it will try to create one. If there are any errors | |||
// doing so, just return the original. | |||
// is no existing PendingDEK, it will try to create one. If it successfully creates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The name 'GetKeys' implies a read-only operation so I would suggest avoid doing operations within this function that have side effects.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd be happy to revisit this at a later point, but that's probably beyond the scope of this PR.
manager/manager.go
Outdated
@@ -121,6 +121,9 @@ type Config struct { | |||
|
|||
// PluginGetter provides access to docker's plugin inventory. | |||
PluginGetter plugingetter.PluginGetter | |||
|
|||
// FIPS specifies whether the manager should run in FIPS-compliant mode. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: does it make sense to say that the mode is specified during startup and can't be changed ?
To confirm, the diff on the test is only huge because it basically takes every test and wraps them in a loop to check both fips and non-fips, right? LGTM. |
@dperny Yes pretty much. For |
Thanks @anshulpundir and @dperny. I've think I've addressed @anshulpundir's comments, except for https://github.com/docker/swarmkit/pull/2586/files/04230609c0ddb58a391bfa9defb837f6ac532299#diff-c837f367ebb298ae3e59a7a95ab64429, since that'd be a pretty big change and we might want to do that in another PR. I'd also have to think about it some more - it's mutating to avoid having to do a bunch of extra rotations. |
LGTM |
Needs a rebase, then LGTM |
…crypted using fernet. Signed-off-by: Ying Li <ying.li@docker.com>
cfd0d07
to
14b04a2
Compare
…he raft storage layer. Also propagate it to the RaftDEKData objects in node.go and to the RaftDEKManager in the manager. Signed-off-by: Ying Li <ying.li@docker.com>
Changes included: - moby/swarmkit#2594 [fips] Support a flag that indicates that the cluster requires mandatory FIPS mode on all nodes - moby/swarmkit#2586 [fips] Propagate the FIPS boolean to the manager, raft storage layer, and raft DEK management Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This PR
is based on #2562, andpropagates the FIPS boolean to other parts of the manager that need it. This also documents theKeyReadWriter
andRaftDEKManager
better, so that reviewers can understand how they interact.To view these changes alone, please see https://github.com/docker/swarmkit/pull/2586/files/b2da71c62612e2109d563fa05a764284caf0ec74..7003b358d8051bce2615d2ae5cd1e30c585250b4.(no need, #2562 was merged)The code changes are actually fairly small
- most of the change is comments and a prose doc about raft encryption. There are also some test changes to make sure that the fips boolean is handled properly, and a refactor to make one particular test more readable (table-driven).Docs for how raft encryption works, which may help reviewers, has been cherry-picked into #2622