Fix for #3398 chef-server-ctl test in failing in FIPS enabled Amazon Linux 2 system #3399
Conversation
…ith localhost setting in chef-server.rb
chef#3398: Fix for FIPS enabled in bookshelf using bookshelf s3 url with …
|
Kudos, SonarCloud Quality Gate passed!
|
👷 Deploy Preview for chef-server processing.
|
| {s3_url, "http://<%= node['private_chef']['bookshelf']['listen'] %>:<%= node['private_chef']['bookshelf']['port'] %>"}, | ||
| %% chef server can talk to bookshelf. We can give provide bookshelf['url'] = 'http://127.0.0.1:4321' for naking it work for FIPS enabled | ||
| %% {s3_url, "http://<%= node['private_chef']['bookshelf']['listen'] %>:<%= node['private_chef']['bookshelf']['port'] %>"}, | ||
| {s3_url, "<%= @helper.bookshelf_s3_url %>"}, |
There was a problem hiding this comment.
do we have a TLS implementation for Erlang when we turn on FIPS? Tracing this back - it looks like the helper still calls https(x_forwarded_proto defaults to https)
There was a problem hiding this comment.
Also if this were the right path, I would remove the if clause instead.
There was a problem hiding this comment.
I think that part is not there . Is the TLS implementation of Erlang has relation with following issue #2088.
There was a problem hiding this comment.
currently the workaround allows to communicate with external s3 even in FIPS enabled chef server.
Description
Please find changes done for fixing of FIPS issue for following issue. #3398. Code changes is done for following file oc_erchef.config.erb
{chef_objects, [
<% if node['private_chef']['fips_enabled'] -%>
%% When we're using a fips openssl, we default to using http for bookshelf.
%% The reason for this is because we do not have a TLS implementation for
%% Erlang when we turn on fips.
%%
%% This is the reason that the only supported configuration for the fips
%% package is standalone. We will allow http over localhost so that the
%% chef server can talk to bookshelf. We can give provide bookshelf['url'] = 'http://127.0.0.1:4321' for making it work for FIPS enabled
%% {s3_url, "http://<%= node['private_chef']['bookshelf']['listen'] %>:<%= node['private_chef']['bookshelf']['port'] %>"},
{s3_url, "<%= @helper.bookshelf_s3_url %>"},
<% else -%>
{s3_url, "<%= @helper.bookshelf_s3_url %>"},
<% end %>
Issues Resolved
#3398 : chef-server-ctl test in failing in FIPS enabled Amazon Linux 2 system
Check List