3 changes: 3 additions & 0 deletions .changelog/22987.txt
@@ -0,0 +1,3 @@
```release-note:logger
fips: Fix logger set to info for 'tls.defaults.verify_incoming' in FIPS mode
```
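Review bot: the release note is hard to parse ("Fix logger set to info for ...") and does not tell a reader what changed for them; suggest phrasing it as the user-visible behaviour, for example `fips: log a missing tls.defaults.verify_incoming at info level instead of warn in FIPS mode`, so the changelog entry stands on its own without the diff.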
11 changes: 9 additions & 2 deletions agent/agent.go
@@ -16,6 +16,7 @@ import (
"path/filepath"
"reflect"
"regexp"
"slices"
"strconv"
"strings"
"sync"
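Review bot: the added `"slices"` import is the standard-library package that first shipped in Go 1.21, so this hunk only builds if the `go` directive in go.mod is 1.21 or later; please confirm that rather than leaving it to CI, since a lower directive would break every build of this file.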
@@ -640,10 +641,16 @@ func (a *Agent) Start(ctx context.Context) error {
// regular and on-demand state synchronizations (anti-entropy).
a.sync = ae.NewStateSyncer(a.State, c.AEInterval, a.shutdownCh, a.logger)

err = validateFIPSConfig(a.config)
missingFields, err := validateFIPSConfig(a.config)
if err != nil {
// Log warning, rather than force breaking
a.logger.Warn("FIPS 140-2 Compliance", "issue", err)
if slices.Contains(missingFields, "tls.defaults.verify_incoming") {
a.logger.Info("FIPS 140-2 Compliance", "issue", "`tls.defaults.verify_incoming` is not set at HTTPS")
Contributor

@anandmukul93 anandmukul93 Oct 30, 2025

Should this check not be for all TLS defaults?
Why are we explicitly handling `verify_incoming` and hard-coding the logging for it?

Why can't we return a multi-error if required instead and handle it commonly for FIPS here with a print delegate or whatever way you want?

We are only putting printing logic for this case explicitly. What functionality change did we achieve here? If it's just logging, rather push logging for all cases in the called layer and handle common errors here.

Author


Why specific to default tls.defaults.incoming_verify?

```
"defaults": {
  {{- if .Values.global.tls.verify }}
  "verify_outgoing": true,
  {{- end }}
  {{- if .Values.global.secretsBackend.vault.enabled }}
  "ca_file": "/vault/secrets/serverca.crt",
  "cert_file": "/vault/secrets/servercert.crt",
  "key_file": "/vault/secrets/servercert.key"
  {{- else }}
  "ca_file": "/consul/tls/ca/tls.crt",
  "cert_file": "/consul/tls/server/tls.crt",
  "key_file": "/consul/tls/server/tls.key"
  {{- end }}
}
```

This is the `defaults` section which we use as part of the config map, and we are checking for `verify_outgoing` in the code.

> why can't we return a multi-error if required instead and handle it commonly for FIPS here with a print delegate or whatever way you want.

We can do it whichever way we need to; this just uses the minimal changes to print the logger. That is all.

It is not the functionality we are interested in here; FIPS compliance is already met with the mTLS between the services with the `autoEnableEncrypt` flag set to true. And FIPS basically looks for cryptographic encryption.

Setting that flag in Helm will enable mTLS at the env level, which requires the cert to be passed for the UI, HTTPS and CLI too. Along with that we need to make changes not only in the Helm chart, but in control plane and data plane code. This will be an enhancement/feature request, but no customer has asked for it.

Please have a look at https://hashicorp.atlassian.net/browse/CSL-9309 for more details.

index := slices.Index(missingFields, "tls.defaults.verify_incoming")
missingFields = append(missingFields[:index], missingFields[index+1:]...)
}
e := fmt.Errorf("%v: %v", err, missingFields)
a.logger.Warn("FIPS 140-2 Compliance", "issue", e)
}

// create the config for the rpc server/client
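Review bot: the closing `a.logger.Warn` still fires when `tls.defaults.verify_incoming` was the only missing field, so the downgrade to info that this hunk is meant to deliver does not actually happen: after the `append` strips that entry, `missingFields` is empty and the warning is emitted anyway as `<err>: []`. Guard it with `if len(missingFields) > 0 {` around the `fmt.Errorf` and `Warn` lines, or return early after the `Info` call. Two smaller points on the same lines: `append(missingFields[:index], missingFields[index+1:]...)` writes into the backing array of the slice returned by `validateFIPSConfig`, so any slice the callee still holds is mutated; `slices.DeleteFunc(slices.Clone(missingFields), func(s string) bool { return s == "tls.defaults.verify_incoming" })` replaces the `Contains`/`Index`/`append` triple with one non-aliasing call. And the info message `is not set at HTTPS` reads oddly; state the condition plainly (which listener the setting covers and what is left unverified) so an operator reading the log knows whether it matters to them.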
4 changes: 2 additions & 2 deletions agent/agent_ce.go
@@ -40,8 +40,8 @@ func enterpriseConsulConfig(_ *consul.Config, _ *config.RuntimeConfig) {
}

// validateFIPSConfig is a noop stub for the func defined in agent_ent.go
func validateFIPSConfig(_ *config.RuntimeConfig) error {
return nil
func validateFIPSConfig(_ *config.RuntimeConfig) ([]string, error) {
return []string{}, nil
}

// WriteEvent is a noop stub for the func defined agent_ent.go
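Review bot: the new signature makes the returned field names part of the contract between this stub, agent_ent.go and the caller in agent.go, but nothing documents it, and the caller compares against the literal `"tls.defaults.verify_incoming"`; suggest saying in the doc comment what the slice contains (config keys missing for FIPS compliance, empty when `err` is nil) and exposing the key as a named constant that both the enterprise implementation and agent.go use, so the two strings cannot drift apart silently. Also `return nil, nil` is the idiomatic zero return here; `[]string{}` allocates for no benefit and behaves identically with `slices.Contains`.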