
Set `fips_mode_enabled` in `efs-utils.conf`

Open · mpatlasov opened this pull request 9 months ago • 1 comment

if env var FIPS_ENABLED is set: https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/1325.

Is this a bug fix or adding new feature?

This is a bug: if the driver is run in a FIPS-enabled environment, stunnel fails with "Failed to override system-wide FIPS mode" (see src/options.c from stunnel-5.72).

What is this PR about? / Why do we need it?

The PR ensures that if FIPS_ENABLED=true is set as an env var for the aws-efs csi driver, it creates efs-utils.conf with fips_mode_enabled = true.

What testing is done?

In the environment where stunnel fails with "Failed to override system-wide FIPS mode", re-create the Pod with the aws-efs csi driver, adding the FIPS_ENABLED=true env var. Made sure that fips_mode_enabled = true is present in the config and stunnel succeeds.

Fixes https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/1325

mpatlasov avatar May 05 '24 20:05 mpatlasov
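The behaviour the PR describes, as an added illustration that is not the driver's own code: decide whether FIPS mode is wanted, render an efs-utils.conf with `fips_mode_enabled` set under `[mount]` (the section placement is an assumption about efs-utils.conf's layout), and parse the result back to confirm the setting landed. It goes one step beyond the PR's env-var check by also consulting the kernel's `/proc/sys/crypto/fips_enabled`, since on such a host stunnel cannot override the system-wide setting anyway. The helper names are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// fipsRequested is a hypothetical helper, not the driver's code. FIPS mode is
// requested when the operator set FIPS_ENABLED=true on the driver container
// (the PR's check) or, as an extra check the PR itself does not do, when the
// kernel reports FIPS mode ("1" in /proc/sys/crypto/fips_enabled).
func fipsRequested(envValue string, procFipsContent string) bool {
	if strings.EqualFold(strings.TrimSpace(envValue), "true") {
		return true
	}
	return strings.TrimSpace(procFipsContent) == "1"
}

// renderEfsUtilsConf produces a minimal efs-utils.conf. Only the keys relevant
// here are emitted; placing fips_mode_enabled under [mount] is an assumption.
func renderEfsUtilsConf(fips bool) string {
	var b strings.Builder
	b.WriteString("[DEFAULT]\n")
	b.WriteString("logging_level = INFO\n\n")
	b.WriteString("[mount]\n")
	b.WriteString("dns_name_suffix = amazonaws.com\n")
	b.WriteString("stunnel_debug_enabled = false\n")
	b.WriteString("# Must be true on FIPS hosts when the stunnel mount option is used,\n")
	b.WriteString("# otherwise stunnel fails with \"Failed to override system-wide FIPS mode\".\n")
	fmt.Fprintf(&b, "fips_mode_enabled = %t\n", fips)
	return b.String()
}

// lookupConf reads an INI-style config and returns key's value in section.
// Comments (# or ;) and blank lines are skipped; the second result is false
// when the key is absent from that section.
func lookupConf(conf, section, key string) (string, bool) {
	current := ""
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			current = strings.TrimSpace(line[1 : len(line)-1])
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok || current != section {
			continue
		}
		if strings.TrimSpace(k) == key {
			return strings.TrimSpace(v), true
		}
	}
	return "", false
}

func main() {
	// Missing on non-Linux hosts: a read error leaves proc empty, i.e. "not FIPS".
	proc, _ := os.ReadFile("/proc/sys/crypto/fips_enabled")
	fips := fipsRequested(os.Getenv("FIPS_ENABLED"), string(proc))
	conf := renderEfsUtilsConf(fips)
	v, _ := lookupConf(conf, "mount", "fips_mode_enabled")
	fmt.Printf("FIPS_ENABLED=%q kernel=%q -> fips_mode_enabled = %s\n",
		os.Getenv("FIPS_ENABLED"), strings.TrimSpace(string(proc)), v)
}
```

Run it with `FIPS_ENABLED=true go run .` on the node to see the rendered value; the parse-back step is the same check as the "made sure that fips_mode_enabled = true is present in the config" test described above, and it is what a practitioner would script against the real /etc/amazon/efs/efs-utils.conf inside the driver container.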

/ok-to-test

mskanth972 avatar Jul 18 '24 17:07 mskanth972

Hey we'll look at this on Monday and try to get this out. Does the bug still arise in the latest (2.0+) versions of the driver which don't use stunnel?

seanzatzdev-amazon avatar Jul 19 '24 20:07 seanzatzdev-amazon

@seanzatzdev-amazon ,

Hey we'll look at this on Monday and try to get this out. Does the bug still arise in the latest (2.0+) versions of the driver which don't use stunnel?

Thank you for expediting this. I tested the bug on the latest upstream version a couple of months ago and it didn't arise by default, when the Rust efs-proxy is being run instead of stunnel. However, it can still bite any customer who tries to put stunnel as a mountOption in the StorageClass:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
mountOptions:
  - stunnel

mpatlasov avatar Jul 21 '24 23:07 mpatlasov

/lgtm /approve

mskanth972 avatar Jul 23 '24 15:07 mskanth972

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mpatlasov, mskanth972

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Jul 23 '24 15:07 k8s-ci-robot

/retest

mskanth972 avatar Jul 23 '24 15:07 mskanth972

/retest

mskanth972 avatar Jul 23 '24 17:07 mskanth972

Build is failing with the following errors

error: package `tokio-macros v2.4.0` cannot be built because it requires rustc 1.70 or newer, while the currently active rustc version is 1.68.2
#12 237.8 Either upgrade to rustc 1.70 or newer, or use
#12 237.8 cargo update -p [email protected] --precise ver
#12 237.8 where `ver` is the latest version of `tokio-macros` supporting rustc 1.68.2
#12 237.8 
#12 237.8 
#12 237.8 RPM build errors:
#12 237.8 error: Bad exit status from /var/tmp/rpm-tmp.WsVTpk (%build)
#12 237.8     bogus date in %changelog: Mon Apr 23 2024 Ryan Stankiewicz <[email protected]> - 2.0.1
#12 237.8     bogus date in %changelog: Wed Jan 1 2023 Ryan Stankiewicz <[email protected]> - 1.34.5
#12 237.8     Bad exit status from /var/tmp/rpm-tmp.WsVTpk (%build)

mskanth972 avatar Jul 23 '24 17:07 mskanth972

We released the above error fix to Amazon Linux but not to efs-utils on GitHub. The driver pulls efs-utils from GitHub; will fix that and trigger the tests.

mskanth972 avatar Jul 23 '24 17:07 mskanth972

/retest

mskanth972 avatar Jul 24 '24 15:07 mskanth972