fix for setting GODEBUG environment variable to fips140=on in a FIPS cluster (#1822)

* Added FIPS checker which sets the GODEBUG flag with appropriate fips140 value

Signed-off-by: Anand Francis Joseph <[email protected]>

* Fixed golint errors and warnings

Signed-off-by: Anand Francis Joseph <[email protected]>

* Fixed go lint errors in cmd/main.go

Signed-off-by: Anand Francis Joseph <[email protected]>

---------

Signed-off-by: Anand Francis Joseph <[email protected]>

Author: anandf

cmd/main.go

@@ -38,6 +38,7 @@ import (
 	"github.com/argoproj-labs/argocd-operator/common"
 	"github.com/argoproj-labs/argocd-operator/controllers/argocd"
 	"github.com/argoproj-labs/argocd-operator/controllers/argocdexport"
+	"github.com/argoproj-labs/argocd-operator/controllers/argoutil"
 
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
@@ -243,9 +244,10 @@ func main() {
 	}
 
 	if err = (&argocd.ReconcileArgoCD{
-		Client:        mgr.GetClient(),
-		Scheme:        mgr.GetScheme(),
-		LabelSelector: labelSelectorFlag,
+		Client:            mgr.GetClient(),
+		Scheme:            mgr.GetScheme(),
+		LabelSelector:     labelSelectorFlag,
+		FipsConfigChecker: argoutil.NewLinuxFipsConfigChecker(),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ArgoCD")
 		os.Exit(1)

controllers/argocd/argocd_controller.go

@@ -24,6 +24,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 
 	argoproj "github.com/argoproj-labs/argocd-operator/api/v1beta1"
+	"github.com/argoproj-labs/argocd-operator/controllers/argoutil"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -51,6 +52,8 @@ type ReconcileArgoCD struct {
 	ManagedApplicationSetSourceNamespaces map[string]string
 	// Stores label selector used to reconcile a subset of ArgoCD
 	LabelSelector string
+	// FipsConfigChecker checks if the deployment needs FIPS specific environment variables set.
+	FipsConfigChecker argoutil.FipsConfigChecker
 }
 
 var log = logr.Log.WithName("controller_argocd")
@@ -99,9 +102,9 @@ func (r *ReconcileArgoCD) Reconcile(ctx context.Context, request ctrl.Request) (
 		message = err.Error()
 	}
 
-	if error := updateStatusConditionOfArgoCD(ctx, createCondition(message), argocd, r.Client, log); error != nil {
-		log.Error(error, "unable to update status of ArgoCD")
-		return reconcile.Result{}, error
+	if err := updateStatusConditionOfArgoCD(ctx, createCondition(message), argocd, r.Client, log); err != nil {
+		log.Error(err, "unable to update status of ArgoCD")
+		return reconcile.Result{}, err
 	}
 
 	return result, err

controllers/argocd/deployment.go

@@ -982,6 +982,21 @@ func (r *ReconcileArgoCD) reconcileRepoDeployment(cr *argoproj.ArgoCD, useTLSFor
 		repoEnv = argoutil.EnvMerge(repoEnv, []corev1.EnvVar{{Name: "ARGOCD_EXEC_TIMEOUT", Value: fmt.Sprintf("%ds", *cr.Spec.Repo.ExecTimeout)}}, true)
 	}
 
+	// if running in a FIPS enabled host, set the GODEBUG env wit appropriate value
+	fipsConfigChecker := r.FipsConfigChecker
+	if fipsConfigChecker != nil {
+		fipsEnabled, err := fipsConfigChecker.IsFipsEnabled()
+		if err != nil {
+			return err
+		}
+		if fipsEnabled {
+			repoEnv = append(repoEnv, corev1.EnvVar{
+				Name:  "GODEBUG",
+				Value: "fips140=on",
+			})
+		}
+	}
+
 	AddSeccompProfileForOpenShift(r.Client, &deploy.Spec.Template.Spec)
 
 	deploy.Spec.Template.Spec.InitContainers = []corev1.Container{{

controllers/argocd/deployment_test.go

@@ -41,6 +41,18 @@ var (
 		"argocd-server"}
 )
 
+type MockTrueFipsChecker struct{}
+
+func (a *MockTrueFipsChecker) IsFipsEnabled() (bool, error) {
+	return true, nil
+}
+
+type MockFalseFipsChecker struct{}
+
+func (a *MockFalseFipsChecker) IsFipsEnabled() (bool, error) {
+	return false, nil
+}
+
 func TestReconcileArgoCD_reconcileRepoDeployment_replicas(t *testing.T) {
 	logf.SetLogger(ZapLogger(true))
 
@@ -2875,3 +2887,72 @@ func TestSetReplicasAndEnvVar_WhenServerReplicasIsDefined(t *testing.T) {
 	})
 
 }
+
+func TestReconcileArgoCD_reconcileRepoServerWithFipsEnabled(t *testing.T) {
+	cr := makeTestArgoCD()
+
+	resObjs := []client.Object{cr}
+	subresObjs := []client.Object{cr}
+	runtimeObjs := []runtime.Object{}
+	sch := makeTestReconcilerScheme(argoproj.AddToScheme)
+	cl := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs)
+	r := makeTestReconciler(cl, sch)
+	r.FipsConfigChecker = &MockTrueFipsChecker{}
+	repoServerRemote := "https://remote.repo-server.instance"
+
+	cr.Spec.Repo.Remote = &repoServerRemote
+	assert.NoError(t, r.reconcileRepoDeployment(cr, false))
+
+	d := &appsv1.Deployment{}
+
+	assert.ErrorContains(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: cr.Name + "-repo-server", Namespace: cr.Namespace}, d),
+		"deployments.apps \""+cr.Name+"-repo-server\" not found")
+
+	// once remote is set to nil, reconciliation should trigger deployment resource creation
+	cr.Spec.Repo.Remote = nil
+
+	assert.NoError(t, r.reconcileRepoDeployment(cr, false))
+	assert.NoError(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: cr.Name + "-repo-server", Namespace: cr.Namespace}, d))
+	foundEnv := false
+	for _, env := range d.Spec.Template.Spec.Containers[0].Env {
+		if env.Name == "GODEBUG" {
+			foundEnv = true
+			assert.Equal(t, env.Value, "fips140=on", "GODEBUG environment must be set to fips140=on when fips is enabled")
+		}
+	}
+	assert.True(t, foundEnv, "environment GODEBUG must be set when FIPS is enabled")
+}
+
+func TestReconcileArgoCD_reconcileRepoServerWithFipsDisabled(t *testing.T) {
+	cr := makeTestArgoCD()
+
+	resObjs := []client.Object{cr}
+	subresObjs := []client.Object{cr}
+	runtimeObjs := []runtime.Object{}
+	sch := makeTestReconcilerScheme(argoproj.AddToScheme)
+	cl := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs)
+	r := makeTestReconciler(cl, sch)
+	r.FipsConfigChecker = &MockFalseFipsChecker{}
+	repoServerRemote := "https://remote.repo-server.instance"
+
+	cr.Spec.Repo.Remote = &repoServerRemote
+	assert.NoError(t, r.reconcileRepoDeployment(cr, false))
+
+	d := &appsv1.Deployment{}
+
+	assert.ErrorContains(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: cr.Name + "-repo-server", Namespace: cr.Namespace}, d),
+		"deployments.apps \""+cr.Name+"-repo-server\" not found")
+
+	// once remote is set to nil, reconciliation should trigger deployment resource creation
+	cr.Spec.Repo.Remote = nil
+
+	assert.NoError(t, r.reconcileRepoDeployment(cr, false))
+	assert.NoError(t, r.Client.Get(context.TODO(), types.NamespacedName{Name: cr.Name + "-repo-server", Namespace: cr.Namespace}, d))
+	foundEnv := false
+	for _, env := range d.Spec.Template.Spec.Containers[0].Env {
+		if env.Name == "GODEBUG" {
+			foundEnv = true
+		}
+	}
+	assert.False(t, foundEnv, "environment GODEBUG must NOT be set when FIPS is disabled")
+}

controllers/argoutil/fips.go

@@ -0,0 +1,50 @@
+package argoutil
+
+import (
+	"os"
+)
+
+// FipsConfigChecker defines the behavior for reading the FIPS config.
+type FipsConfigChecker interface {
+	IsFipsEnabled() (bool, error)
+}
+
+// LinuxFipsConfigChecker implements the config reader for checking if the Linux based host is running in FIPS enabled mode.
+type LinuxFipsConfigChecker struct {
+	ConfigFilePath string
+}
+
+// NewLinuxFipsConfigChecker returns a Linux based config checker
+func NewLinuxFipsConfigChecker() *LinuxFipsConfigChecker {
+	return &LinuxFipsConfigChecker{
+		ConfigFilePath: "/proc/sys/crypto/fips_enabled",
+	}
+}
+
+// IsFipsEnabled reads the specified FIPS config file in a Linux based host and returns true FIPS is enabled, false otherwise.
+func (l *LinuxFipsConfigChecker) IsFipsEnabled() (bool, error) {
+	found, err := fileExists(l.ConfigFilePath)
+	if err != nil {
+		return false, err
+	}
+	if !found {
+		return false, nil
+	}
+	b, err := os.ReadFile(l.ConfigFilePath)
+	if err != nil {
+		return false, err
+	}
+	return b[0] == '1', err
+}
+
+// fileExists checks if a file with the given path exists
+func fileExists(path string) (bool, error) {
+	info, err := os.Stat(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, err
+	}
+	return !info.IsDir(), nil
+}