[fips] Propagate the FIPS boolean to the manager, raft storage layer, and raft DEK management #2586
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2586 +/- ##
==========================================
- Coverage 67.34% 61.84% -5.51%
==========================================
Files 98 134 +36
Lines 14554 21829 +7275
==========================================
+ Hits 9802 13500 +3698
- Misses 3743 6892 +3149
- Partials 1009 1437 +428 |
cyli
changed the title
|
Rebased! The first commit is the main change, and a lot of it is a test refactor. The other two changes are:
This should be ready for review now. |
| @@ -112,6 +118,7 @@ func compareKEKs(oldKEK, candidateKEK ca.KEKData) (bool, bool, error) { | |||
| type RaftDEKManager struct { | |||
| kw ca.KeyWriter | |||
| rotationCh chan struct{} | |||
| FIPS bool | |||
There was a problem hiding this comment.
nit: add a comment on what this flag indicates.
| @@ -156,8 +165,9 @@ func (r *RaftDEKManager) NeedsRotation() bool { | |||
| } | |||
|
|
|||
| // GetKeys returns the current set of DEKs. If NeedsRotation is true, and there | |||
| // is no existing PendingDEK, it will try to create one. If there are any errors | |||
| // doing so, just return the original. | |||
| // is no existing PendingDEK, it will try to create one. If it successfully creates | |||
There was a problem hiding this comment.
The name 'GetKeys' implies a read-only operation so I would suggest avoid doing operations within this function that have side effects.
There was a problem hiding this comment.
I'd be happy to revisit this at a later point, but that's probably beyond the scope of this PR.
manager/manager.go
Outdated
| @@ -121,6 +121,9 @@ type Config struct { | |||
|
|
|||
| // PluginGetter provides access to docker's plugin inventory. | |||
| PluginGetter plugingetter.PluginGetter | |||
|
|
|||
| // FIPS specifies whether the manager should run in FIPS-compliant mode. | |||
There was a problem hiding this comment.
nit: does it make sense to say that the mode is specified during startup and can't be changed ?
|
To confirm, the diff on the test is only huge because it basically takes every test and wraps them in a loop to check both fips and non-fips, right? LGTM. |
|
@dperny Yes pretty much. For |
|
Thanks @anshulpundir and @dperny. I've think I've addressed @anshulpundir's comments, except for https://github.com/docker/swarmkit/pull/2586/files/04230609c0ddb58a391bfa9defb837f6ac532299#diff-c837f367ebb298ae3e59a7a95ab64429, since that'd be a pretty big change and we might want to do that in another PR. I'd also have to think about it some more - it's mutating to avoid having to do a bunch of extra rotations. |
|
LGTM |
|
Needs a rebase, then LGTM |
…crypted using fernet. Signed-off-by: Ying Li <ying.li@docker.com>
cyli
force-pushed
the
fips-in-raft
branch
3 times, most recently
from
cfd0d07
to
14b04a2
Compare
…he raft storage layer. Also propagate it to the RaftDEKData objects in node.go and to the RaftDEKManager in the manager. Signed-off-by: Ying Li <ying.li@docker.com>
Changes included: - moby/swarmkit#2594 [fips] Support a flag that indicates that the cluster requires mandatory FIPS mode on all nodes - moby/swarmkit#2586 [fips] Propagate the FIPS boolean to the manager, raft storage layer, and raft DEK management Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This PR
is based on #2562, andpropagates the FIPS boolean to other parts of the manager that need it. This also documents theKeyReadWriterandRaftDEKManagerbetter, so that reviewers can understand how they interact.To view these changes alone, please see https://github.com/docker/swarmkit/pull/2586/files/b2da71c62612e2109d563fa05a764284caf0ec74..7003b358d8051bce2615d2ae5cd1e30c585250b4.(no need, #2562 was merged)The code changes are actually fairly small
- most of the change is comments and a prose doc about raft encryption. There are also some test changes to make sure that the fips boolean is handled properly, and a refactor to make one particular test more readable (table-driven).Docs for how raft encryption works, which may help reviewers, has been cherry-picked into #2622