fips

package
v0.0.0-...-866e19f Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 4, 2026 License: Apache-2.0 Imports: 7 Imported by: 0

Documentation

Overview

Package fips holds shared FIPS-policy helpers callable from normalizers, reconcilers, and unit tests. Pure stdlib-only; no imports from pkg/apis or pkg/model so it can be used at any layer without creating cycles.

Index

Constants

This section is empty.

Variables

View Source
var (
	Enabled  = fips140.Enabled
	Enforced = fips140.Enforced
	Version  = fips140.Version
)

Indirection vars so tests can drive the gate down all matrix branches without controlling the Go toolchain. Production paths read crypto/fips140.Enabled / Enforced / Version; tests swap the function pointer.

View Source
var BuildSetting = func(key string) string {
	info, ok := debug.ReadBuildInfo()
	if !ok {
		return ""
	}
	for _, s := range info.Settings {
		if s.Key == key {
			return s.Value
		}
	}
	return ""
}

BuildSetting walks runtime/debug.ReadBuildInfo().Settings and returns the value for the given key (or "" when ReadBuildInfo fails or key is absent). Used to surface DefaultGODEBUG and GOFIPS140 in the FIPS banner.

View Source
var GODEBUGRaw = func() string { return os.Getenv("GODEBUG") }

GODEBUGRaw returns the raw GODEBUG env var. Indirection seam so the FIPS banner can distinguish GODEBUG unset from fips140=on (both produce identical build.enabled=true runtime.enforced=false output otherwise).

Functions

func EvaluateGate

func EvaluateGate(binaryName string, enabled, buildLinked, runtime bool, defaultGODEBUG string) (err error, warn string)

EvaluateGate decides what the FIPS startup gate should report for a given posture triple. Pure — no logging, no chop, no crypto/fips140 — so the chopconf × build × runtime matrix is table-testable in one place.

Semantics per the operator's FIPS scope specification:

  • `enabled` (chopconf knob `security.fips.enforced`): operator should run in FIPS-compatible mode. Requires `buildLinked`=true (binary linked with GOFIPS140; durable property of the image regardless of GODEBUG). The Go runtime mode (`GODEBUG=fips140=on` permissive vs `=only` strict, exposed via `runtime`) is independent — both are sufficient for FIPS compatibility; `=off` is the shipped default since the module is opt-in and a pod-env knob can flip it without a rebuild.
  • `buildLinked` (i.e. BuildSetting("GOFIPS140") != ""): true iff the binary was linked with the FIPS module. This is the durable build signal — independent of GODEBUG. NOTE: `crypto/fips140.Enabled()` is NOT this signal — it reports "module currently active at runtime" and returns false when GODEBUG=fips140=off even on a GOFIPS140-linked binary. The gate must NOT use Enabled() for the build check; that conflates linkage with runtime activation and Fatals the operator on the shipped default image.
  • `runtime` (i.e. crypto/fips140.Enforced()): true iff strict mode (`GODEBUG=fips140=only`) is active. Informational here; never required.
  • `defaultGODEBUG`: the binary's DefaultGODEBUG build setting (set when the linker baked a default via `//go:debug` or equivalent toolchain config). When the image-baked default already selects `fips140=only`, the runtime-strict state is the documented shipped posture, not a configuration mismatch — suppress the warning in that case.

Returns:

  • err != nil : caller must Fatal — chopconf asks for FIPS but the binary was not linked with GOFIPS140 (durable: rebuild required)
  • warn != "" : caller should Warning-log — strict runtime is set but chopconf wants no FIPS, suggesting a configuration mismatch
  • both empty : posture is consistent; caller logs only the banner

binaryName ("clickhouse-operator", "metrics-exporter", …) interpolates into the error string so the user sees which container is the misfit.

func ImageHasFIPSMarker

func ImageHasFIPSMarker(image string) bool

ImageHasFIPSMarker reports whether the image tag (everything after the last ':' in the reference) contains the substring "fips" (case-insensitive).

Intentionally inspects the TAG portion only, not the full reference:

  • false positive risk: a registry path like `fips-registry.example.com/...` would match a naive `strings.Contains(image, "fips")`.
  • Altinity's convention is `<repo>:<version>.altinityfips` (e.g. `altinity/clickhouse-server:25.3.8.30001.altinityfips`).

Digest-only references (`<repo>@sha256:...`) have no tag and therefore always return false. Callers that pin by digest under Required policy must either tag-AND-digest, or rely on the runtime `version()` confirmation.

Empty image returns false.

func PrintInfo

func PrintInfo(w io.Writer, binaryName, version, gitSHA, builtAt string)

PrintInfo writes a human-readable FIPS build + runtime posture dump to w. Surfaces every field a customer or auditor would otherwise retrieve via `go version -m <binary>` (which requires a local Go toolchain) plus the live crypto/fips140 introspection that the startup banner already logs.

Output is line-oriented `key: value` so tests can grep without a parser. Same content the FIPS startup banner emits, but on demand and without having to start the operator's full reconcile loop.

func VersionHasFIPSMarker

func VersionHasFIPSMarker(version string) bool

VersionHasFIPSMarker reports whether the ClickHouse / Keeper runtime version string (the result of `SELECT version()`) contains the substring "fips" (case-insensitive). Altinity FIPS builds bake the tag suffix into the binary's reported version (e.g. `25.3.8.30001.altinityfips`).

Empty version returns false.

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL