-
Notifications
You must be signed in to change notification settings - Fork 612
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[18.03] FIPS #2625
[18.03] FIPS #2625
Commits on May 7, 2018
-
Vendor in fernet-go to provide AES-128-CBC
Signed-off-by: cyli <cyli@twistedmatrix.com> (cherry picked from commit 0f21845)
Configuration menu - View commit details
-
Copy full SHA for 6306b4c - Browse repository at this point
Copy the full SHA 6306b4cView commit details -
Add fernet encryption mechanism for raft WAL and snapshots.
Signed-off-by: cyli <cyli@twistedmatrix.com> (cherry picked from commit 25c6575)
Configuration menu - View commit details
-
Copy full SHA for 80c7df1 - Browse repository at this point
Copy the full SHA 80c7df1View commit details -
Move MultiDecrypter to encryption package and provide some niceties a…
…round constructing one. Also make it a map instead of a list so that as available algorithms increase not every single algorithm needs to be tried to decrypt. Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 34ac12e)
Configuration menu - View commit details
-
Copy full SHA for 96129bd - Browse repository at this point
Copy the full SHA 96129bdView commit details -
Move fips environment variable check to its own package, so we can ch…
…eck it from the encryption package to determine the encryption defaults. Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 899202e)
Configuration menu - View commit details
-
Copy full SHA for 9bcceab - Browse repository at this point
Copy the full SHA 9bcceabView commit details -
Stop encrypting the raft root CA key entirely based on env vars, since
that feature was deprecated almost a year ago. Rely on MTLS for encryption in transit and raft log encryption for encryption at rest. Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 9369c1e)
Configuration menu - View commit details
-
Copy full SHA for 3aebbb2 - Browse repository at this point
Copy the full SHA 3aebbb2View commit details -
Rather than use an environment variable to determine whether somethin…
…g requires FIPS: (1) require that users of the keyutil package instead use a key formatter object, which could either be the default non-FIPS utility or the FIPS utility. (2) require that users that request encryption defaults specify whether FIPS compliance is needed Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 2a31867)
Configuration menu - View commit details
-
Copy full SHA for 110e8db - Browse repository at this point
Copy the full SHA 110e8dbView commit details -
Use the default keyutil formatter for tests, and remove fips checks f…
…or the root CA because we no longer support encrypting the root CA key, and PKCS8 vs PKCS1 only matters for fips if we encrypt. We want to keep the root key PKCS1 so that mixed version clusters will continue to work. Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 971930e)
Configuration menu - View commit details
-
Copy full SHA for 48128f5 - Browse repository at this point
Copy the full SHA 48128f5View commit details -
Add a key formatter parameter to the NewKeyReadWriter, and use that t…
…o encrypt and decrypt keys. It can be set using a setter function. Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 4ffb0ec)
Configuration menu - View commit details
-
Copy full SHA for 790696f - Browse repository at this point
Copy the full SHA 790696fView commit details -
Add a FIPS bool to the node object, and propagate that boolean to the
KeyReadWriter used in the node object. Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 43f607a)
Configuration menu - View commit details
-
Copy full SHA for 45e5892 - Browse repository at this point
Copy the full SHA 45e5892View commit details -
Add a fips boolean to the node config.
Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 6847b6c)
Configuration menu - View commit details
-
Copy full SHA for 02ae7c1 - Browse repository at this point
Copy the full SHA 02ae7c1View commit details -
The agent now reports its FIPS status as part of the node description.
Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 7c61add)
Configuration menu - View commit details
-
Copy full SHA for c142f4f - Browse repository at this point
Copy the full SHA c142f4fView commit details -
Add a FIPS boolean to the cluster object and the node description. Wh…
…en a cluster is first created, the FIPS value should be set and it should not be changed through the lifetime of the cluster, because converting from non-FIPS to FIPS should not be possible (to avoid compliance issues, even if there were a migration process, we'd have to provide a validation tool to ensure that the migration was complete across the cluster). Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 6197cc5)
Configuration menu - View commit details
-
Copy full SHA for 0e8fc3a - Browse repository at this point
Copy the full SHA 0e8fc3aView commit details -
If the cluster requires FIPS, the cluster ID and join token will also…
… reflect this property. So all TLS certs will have the cluster ID, which says whether the cluster is FIPS, in the Org field. If a node loads up its TLS cert, sees that that the cluster requires FIPS, and FIPS mode is not enabled on that node, the node will shut down. If a non-FIPS node gets a join token that indicate that the cluster mandates FIPS, it will refuse to join. Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 9943770)
Configuration menu - View commit details
-
Copy full SHA for 3688812 - Browse repository at this point
Copy the full SHA 3688812View commit details -
Propagate the FIPS bool to the raft DEK manager so that the DEK is en…
…crypted using fernet. Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit 905d35b)
Configuration menu - View commit details
-
Copy full SHA for 1a9dd8e - Browse repository at this point
Copy the full SHA 1a9dd8eView commit details -
Propagate the FIPS boolean from node.go to the manager and hence to t…
…he raft storage layer. Also propagate it to the RaftDEKData objects in node.go and to the RaftDEKManager in the manager. Signed-off-by: Ying Li <ying.li@docker.com> (cherry picked from commit ba11e51)
Configuration menu - View commit details
-
Copy full SHA for 1194ebd - Browse repository at this point
Copy the full SHA 1194ebdView commit details