[ER-444] Enable FIPS configuration at runtime via chef-server.rb #1061
Conversation
| @@ -244,6 +246,7 @@ def generate_hash | |||
| results["private_chef"]["oc-chef-pedant"] = PrivateChef["oc_chef_pedant"] | |||
| results["private_chef"]["notification_email"] = PrivateChef["notification_email"] | |||
| results["private_chef"]["from_email"] = PrivateChef["from_email"] | |||
| results["private_chef"]["fips_enabled"] = PrivateChef["fips"] || PrivateChef["fips_enabled"] | |||
There was a problem hiding this comment.
Why two exposed flags for a single toggle?
There was a problem hiding this comment.
Our Chef configuration expects fips true so I wanted to provide the same interface to all our products that are going to allow fips enabling at runtime. But because Chef Server internally references fips_enabled I thought we could fall back to that.
The more I think about this though, the worse that is. Lets define the interface (fips true) and just stick to that.
| @@ -43,7 +43,7 @@ | |||
| # This requires the chef-server-fips package. If you do not have this, | |||
There was a problem hiding this comment.
Is this comment still true?
There was a problem hiding this comment.
No, we'll update this comment
|
What's the time frame for the fips build card? If we're looking at a long gap it might be best to hold off until that is also ready for merge. |
rmoshier
force-pushed
the
ER-444/enable-fips-runtime
branch
from
773785a to
7f04d10
Compare
|
|
|
cc @chef/chef-server-maintainers |
Instead of at build time. Setting 'fips true' in your chef-server.rb and reconfiguring will run the existing fips recipe. If FIPS is enabled at the Kernel level this value is defaulted to true and can be overridden with 'fips false'. Signed-off-by: tyler-ball <[email protected]> Signed-off-by: rmoshier <[email protected]>
Signed-off-by: tyler-ball <[email protected]>
tyler-ball
force-pushed
the
ER-444/enable-fips-runtime
branch
from
7f04d10 to
efd0fc0
Compare
Signed-off-by: tyler-ball <[email protected]>
tyler-ball
force-pushed
the
ER-444/enable-fips-runtime
branch
from
efd0fc0 to
6b2371f
Compare
| server in FIPS mode. The default value of this flag is `false` except | ||
| on systems where FIPS is enabled at the Kernel where it defaults to `true`. | ||
|
|
||
| The only supported systems at this time for FIPS mode are RHEL. Package for |
There was a problem hiding this comment.
Do we need to specify which versions of RHEL we support?
There was a problem hiding this comment.
No - Chef Server is built for RHEL 5, 6 and 7. We support FIPS in all those versions.
| # your chef-server will probably not work. If you have to manually | ||
| # change this, you're doing it wrong. | ||
| default['private_chef']['fips_enabled'] = false | ||
| default['private_chef']['fips_enabled'] = ChefConfig.fips? |
There was a problem hiding this comment.
When you come back for cleanup tasks, it would be good to add a preflight check that we're on a box that supports fips if it has been enabled in the config.
Instead of at build time. Setting 'fips true' in your chef-server.rb and
reconfiguring will run the existing fips recipe. If FIPS is enabled at
the Kernel level this value is defaulted to true and can be overridden
with 'fips false'.
Signed-off-by: tyler-ball [email protected]
Signed-off-by: rmoshier [email protected]
For the
chef-server-12pipeline this should not cause any differences. Thefips_mode?method was returning false and will keep returning false. It does default thefips_enabledattribute to true if FIPS is enabled in your Kernel. This could potentially break customers until we start including the OpenSSL-FIPS module (the next card in our backlog).fips trueflag available inchef-server.rb