
host-ctr: support FIPS ECR service endpoints #204

Merged (2 commits), Oct 23, 2024

Conversation

ginglis13
Contributor

@ginglis13 ginglis13 commented Oct 17, 2024

Issue number:

Related: bottlerocket-os/bottlerocket#1667

Description of changes:

Add support to host-ctr for FIPS ECR endpoints.

  • add support for -fips service endpoints in host-ctr
  • modify ecr-prefix to set the fips service endpoint if the variant is in FIPS mode and the region is FIPS supported

Testing done:

On an aws-dev instance in us-west-2 with FIPS mode enabled:

[ssm-user@control]$ apiclient get settings.host-containers.control.source
{
  "settings": {
    "host-containers": {
      "control": {
        "source": "328549459982.dkr.ecr-fips.us-west-2.amazonaws.com/bottlerocket-control:v0.7.17"
      }
    }
  }
}
[ssm-user@control]$ cat /proc/sys/crypto/fips_enabled
1

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
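The endpoint selection the description above sketches (use the `ecr-fips` service name only when the host is in FIPS mode and the region offers a FIPS endpoint), written out as an added Go example. This is not code from the host-ctr or schnauzer sources; the set of FIPS-supported regions is an assumption for illustration (the PR's own set is not shown on this page, only that us-west-2 is in it), and the `/proc/sys/crypto/fips_enabled` read mirrors the check in the "Testing done" section.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// fipsEnabledPath is the kernel's FIPS-mode indicator, the same file the
// PR's "Testing done" section reads on the instance.
const fipsEnabledPath = "/proc/sys/crypto/fips_enabled"

// ecrFIPSRegions is an ASSUMED set used for illustration only; the PR's own
// list of FIPS-supported regions is not shown on the page. us-west-2 is the
// region the PR's testing exercises.
var ecrFIPSRegions = map[string]struct{}{
	"us-west-2":     {},
	"us-west-1":     {},
	"us-east-1":     {},
	"us-east-2":     {},
	"us-gov-west-1": {},
	"us-gov-east-1": {},
}

// parseFIPSEnabled interprets the contents of fips_enabled: "1" means the
// kernel is running in FIPS mode, anything else (including "0") means it is not.
func parseFIPSEnabled(content string) bool {
	return strings.TrimSpace(content) == "1"
}

// readFIPSEnabled reads the kernel flag from disk; a missing file is reported
// as an error rather than silently treated as non-FIPS.
func readFIPSEnabled(path string) (bool, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return parseFIPSEnabled(string(b)), nil
}

// ecrPrefix builds the ECR registry hostname for accountID in region. The
// FIPS service endpoint ("ecr-fips") is substituted only when BOTH the host
// is in FIPS mode AND the region is in the supported set; otherwise the
// standard "ecr" endpoint is returned, so a FIPS host in an unsupported
// region still resolves to a working registry.
func ecrPrefix(accountID, region string, fipsMode bool) string {
	service := "ecr"
	if fipsMode {
		if _, ok := ecrFIPSRegions[region]; ok {
			service = "ecr-fips"
		}
	}
	return fmt.Sprintf("%s.dkr.%s.%s.amazonaws.com", accountID, service, region)
}

func main() {
	fips, err := readFIPSEnabled(fipsEnabledPath)
	if err != nil {
		// Not a Linux host with the flag exposed; fall back to non-FIPS.
		fmt.Fprintf(os.Stderr, "could not read %s: %v\n", fipsEnabledPath, err)
	}
	// Account ID and region taken from the PR's "Testing done" output.
	fmt.Println(ecrPrefix("328549459982", "us-west-2", fips))
}
```

With FIPS mode on and the region in the set, the function yields `328549459982.dkr.ecr-fips.us-west-2.amazonaws.com`, the same prefix shown in the `apiclient get` output above; with FIPS off, or in a region outside the set, it falls back to the plain `ecr` hostname.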

@ginglis13 ginglis13 force-pushed the aws-config-fips-endpoint branch from b5abd25 to 7c8749f Compare October 17, 2024 19:40
@ginglis13
Contributor Author

^ specify toml for a codeblock in doc comment so it doesn't get run as a doc test

@ginglis13 ginglis13 force-pushed the aws-config-fips-endpoint branch 2 times, most recently from ed4795e to 8ede63a Compare October 17, 2024 21:52
@ginglis13 ginglis13 changed the title schnauzer: set use_fips_endpoint in FIPS enabled variants, support -fips ECR service endpoint host-ctr: support FIPS ECR service endpoints Oct 17, 2024
@ginglis13 ginglis13 force-pushed the aws-config-fips-endpoint branch from 8ede63a to 282a181 Compare October 17, 2024 22:00
@ginglis13 ginglis13 marked this pull request as ready for review October 17, 2024 22:00
@ginglis13
Contributor Author

^ recent force pushes trim this PR's scope down to just FIPS ECR support in ecr-prefix and host-ctr. I took my own advice and decided to make the FIPS supported regions a set in both cases.

@ginglis13 ginglis13 force-pushed the aws-config-fips-endpoint branch 2 times, most recently from bd131b9 to 67407ab Compare October 21, 2024 02:30
@ginglis13
Contributor Author

^ latest force pushes rebase, renamed variable

Review comments (all resolved, now outdated) on sources/host-ctr/cmd/host-ctr/main.go and sources/api/schnauzer/src/helpers/mod.rs
Support FIPS ECR endpoints for regions which provide such endpoints.

Signed-off-by: Gavin Inglis <giinglis@amazon.com>

Extend the ecr-prefix helper to automatically set ECR registry endpoint
to its FIPS equivalent if both in a FIPS supported region and running on
a FIPS enabled variant.

Signed-off-by: Gavin Inglis <giinglis@amazon.com>
@ginglis13 ginglis13 force-pushed the aws-config-fips-endpoint branch from 67407ab to 70a95da Compare October 22, 2024 17:26
@ginglis13 ginglis13 requested a review from arnaldo2792 October 22, 2024 17:26
@ginglis13
Contributor Author

^ force push addressed feedback, mostly style.

@ginglis13 ginglis13 merged commit 38b66be into bottlerocket-os:develop Oct 23, 2024
3 checks passed