[18.03] FIPS #2625

Merged
merged 15 commits into from
May 11, 2018

cyli and others added 15 commits May 7, 2018 12:14
Signed-off-by: cyli <cyli@twistedmatrix.com>
(cherry picked from commit 0f21845)
Signed-off-by: cyli <cyli@twistedmatrix.com>
(cherry picked from commit 25c6575)
…round

constructing one.  Also make it a map instead of a list so that as
available algorithms increase not every single algorithm needs to be tried
to decrypt.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 34ac12e)
…eck it

from the encryption package to determine the encryption defaults.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 899202e)
that feature was deprecated almost a year ago.  Rely on MTLS for
encryption in transit and raft log encryption for encryption at rest.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 9369c1e)
…g requires FIPS:

(1) require that users of the keyutil package instead use a key formatter object,
    which could either be the default non-FIPS utility or the FIPS utility.
(2) require that users that request encryption defaults specify whether FIPS compliance
    is needed

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 2a31867)
…or the root CA

because we no longer support encrypting the root CA key, and PKCS8 vs PKCS1 only
matters for fips if we encrypt.  We want to keep the root key PKCS1 so that mixed
version clusters will continue to work.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 971930e)
…o encrypt and

decrypt keys. It can be set using a setter function.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 4ffb0ec)
KeyReadWriter used in the node object.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 43f607a)
Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 6847b6c)
Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 7c61add)
…en a

cluster is first created, the FIPS value should be set and it should not
be changed through the lifetime of the cluster, because converting from
non-FIPS to FIPS should not be possible (to avoid compliance issues, even
if there were a migration process, we'd have to provide a validation tool
to ensure that the migration was complete across the cluster).

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 6197cc5)
… reflect

this property. So all TLS certs will have the cluster ID, which says whether
the cluster is FIPS, in the Org field.

If a node loads up its TLS cert, sees that the cluster requires FIPS,
and FIPS mode is not enabled on that node, the node will shut down.  If a
non-FIPS node gets a join token that indicates that the cluster mandates
FIPS, it will refuse to join.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 9943770)
…crypted

using fernet.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit 905d35b)
…he raft

storage layer.  Also propagate it to the RaftDEKData objects in node.go
and to the RaftDEKManager in the manager.

Signed-off-by: Ying Li <ying.li@docker.com>
(cherry picked from commit ba11e51)
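
The certificate-side FIPS check described in the commit messages above (the cluster ID in the TLS cert's Org field says whether the cluster is FIPS, and a non-FIPS node must shut down), as an added Go example that is not swarmkit's own code. The `FIPS.` prefix on the cluster ID and the names `CheckNodeCert`, `SampleCert` and `ErrFIPSRequired` are assumptions for illustration; the certificate is constructed inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// fipsPrefix is an assumed encoding; the page does not say how the ID marks FIPS.
const fipsPrefix = "FIPS."
var ErrFIPSRequired = errors.New("cluster mandates FIPS, node is not in FIPS mode")

// CheckNodeCert reads the cluster ID from the cert's Org field and enforces FIPS.
func CheckNodeCert(der []byte, nodeFIPS bool) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if len(cert.Subject.Organization) != 1 {
		return errors.New("want exactly one Org (cluster ID) in subject")
	}
	if strings.HasPrefix(cert.Subject.Organization[0], fipsPrefix) && !nodeFIPS {
		return ErrFIPSRequired
	}
	return nil
}

// SampleCert builds a constructed self-signed cert (validity unset) with clusterID as Org.
func SampleCert(clusterID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "node-1", Organization: []string{clusterID}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := SampleCert("FIPS.example-cluster")
	fmt.Println(CheckNodeCert(der, false), CheckNodeCert(der, true))
}
```

A caller would treat `ErrFIPSRequired` as fatal at startup rather than retrying, since the commit messages state the FIPS setting does not change over the lifetime of the cluster.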

codecov bot commented May 7, 2018

Codecov Report

Merging #2625 into bump_v18.03 will increase coverage by 0.15%.
The diff coverage is 94.19%.

@@               Coverage Diff               @@
##           bump_v18.03    #2625      +/-   ##
===============================================
+ Coverage        61.48%   61.64%   +0.15%     
===============================================
  Files              133      134       +1     
  Lines            21770    21774       +4     
===============================================
+ Hits             13386    13422      +36     
+ Misses            6936     6911      -25     
+ Partials          1448     1441       -7

@nishanttotla nishanttotla merged commit 3456c07 into moby:bump_v18.03 May 11, 2018
@cyli cyli deleted the backport-fips-prs branch May 11, 2018 23:06
3 participants