@vdinesh4738

https://hashicorp.atlassian.net/browse/CSL-9309

We decided to set the logger to info for `tls.defaults.verify_incoming` at the global level, since this requires mTLS at all levels, which is not a mandatory FIPS requirement. Anyhow, if there is a customer requirement, it should come through an enhancement request.
But we still have mTLS at other levels.

To have mTLS enabled at the global level we need a feature/enhancement request ticket.

@vdinesh4738 vdinesh4738 requested review from a team as code owners October 27, 2025 05:04
// Log warning, rather than force breaking
a.logger.Warn("FIPS 140-2 Compliance", "issue", err)
if slices.Contains(missingFields, "tls.defaults.verify_incoming") {
a.logger.Info("FIPS 140-2 Compliance", "issue", "`tls.defaults.verify_incoming` is not set at HTTPS")
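
Review bot: the `slices.Contains(missingFields, "tls.defaults.verify_incoming")` branch hardcodes one field name and its own message beside the generic `a.logger.Warn("FIPS 140-2 Compliance", "issue", err)`, so the decision about which missing setting gets which log level is split between this call site and whatever builds `missingFields`. Consider keeping the field-to-level mapping in one place (a constant for the key, or a small map) so other `tls.defaults` settings can be handled the same way. If the `Warn` with `err` still runs when this field is missing, the same condition is reported twice at two levels; make the two branches exclusive. The message "is not set at HTTPS" does not name the same scope as the key it reports (`tls.defaults`), and the comment `// Log warning, rather than force breaking` does not describe a branch that logs at info; reword both.
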
Contributor

@anandmukul93 anandmukul93 Oct 30, 2025

Should this check not be for all TLS defaults?
Why are we explicitly handling verify_incoming and hardcoding the logging for it?

Why can't we return a multi-error if required instead, and handle it commonly for FIPS here with a print delegate or whatever way you want?

We are only putting printing logic for this case explicitly. What functionality change did we achieve here? If it's just logging, rather push logging for all cases into the called layer and handle common errors here.

Author

Why specific to default tls.defaults.incoming_verify?
```
"defaults": {
      {{- if .Values.global.tls.verify }}
      "verify_outgoing": true,
      {{- end }}
      {{- if .Values.global.secretsBackend.vault.enabled }}
      "ca_file": "/vault/secrets/serverca.crt",
      "cert_file": "/vault/secrets/servercert.crt",
      "key_file": "/vault/secrets/servercert.key"
      {{- else }}
      "ca_file": "/consul/tls/ca/tls.crt",
      "cert_file": "/consul/tls/server/tls.crt",
      "key_file": "/consul/tls/server/tls.key"
      {{- end }}
    }
```

is the defaults section which we use as part of the config map, and we are checking for `verify_outgoing` in the code.

> why can't we return multi-error if required instead and handle commonly for FIPS here with print delegate or whatever way you want.

We can do it whatever way we need to; I am just using the minimal changes to print the logger. That is all.

It is not the functionality we are interested in here; FIPS compliance is already met with the mTLS between the services with the autoEnableEncrypt flag set to true. And FIPS basically looks for cryptographic encryption.

Setting that flag in Helm will enable mTLS at the env level, which requires the cert to be passed for the UI, HTTPS and CLI too. Along with that, we need to make changes not only in Helm, but in the control plane and data plane code. This will be an enhancement/feature request, but no customer has asked for it.

Please have a look at https://hashicorp.atlassian.net/browse/CSL-9309 for more details.
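
The reviewer's suggestion in this thread (return one multi-error and decide severity in a single place), sketched as an added example. It is not the project's code or either participant's: `MissingFieldError`, `checkTLSDefaults`, `infoOnly` and `classify` are hypothetical names, and the policy that only `verify_incoming` is downgraded to info is an assumption taken from the discussion.

```go
package main

import (
	"errors"
	"fmt"
)

// MissingFieldError (hypothetical type): one value per unset TLS setting.
type MissingFieldError struct{ Field string }

func (e MissingFieldError) Error() string { return e.Field + " is not set" }

// checkTLSDefaults (hypothetical) joins every unset setting into one error; it never logs.
func checkTLSDefaults(cfg map[string]bool) error {
	var errs []error
	for _, f := range []string{"tls.defaults.verify_incoming", "tls.defaults.verify_outgoing"} {
		if !cfg[f] {
			errs = append(errs, MissingFieldError{Field: f})
		}
	}
	return errors.Join(errs...) // nil when nothing is missing
}

// infoOnly is the severity policy (assumption: only verify_incoming is downgraded).
var infoOnly = map[string]bool{"tls.defaults.verify_incoming": true}

// classify unwraps the joined error into "level: message" lines for the caller to log.
func classify(err error) []string {
	errs := []error{err}
	if j, ok := err.(interface{ Unwrap() []error }); ok {
		errs = j.Unwrap()
	}
	var out []string
	for _, e := range errs {
		var mf MissingFieldError
		switch {
		case e == nil:
		case errors.As(e, &mf) && infoOnly[mf.Field]:
			out = append(out, "info: "+e.Error())
		default:
			out = append(out, "warn: "+e.Error())
		}
	}
	return out
}

func main() {
	fmt.Println(classify(checkTLSDefaults(map[string]bool{}))) // constructed input: nothing enabled
}
```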
