Merge branch 'enable-kas-in-fips-mode' into 'master'

Robert Marshall · Taka Nishida · Robert Marshall · commit 9f89bce2e7ce · 2024-04-15T19:41:06.000Z
Enable KAS in FIPS mode Closes gitlab-org/build/CNG#1948 See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7528 Merged-by: Robert Marshall <rmarshall@gitlab.com> Approved-by: Vishal Patel <vpatel@gitlab.com> Approved-by: Andrew Patterson <apatterson@gitlab.com> Approved-by: Robert Marshall <rmarshall@gitlab.com> Co-authored-by: Taka Nishida <tnishida@gitlab.com>
diff --git a/files/gitlab-cookbooks/package/libraries/config/roles/application.rb b/files/gitlab-cookbooks/package/libraries/config/roles/application.rb
@@ -20,13 +20,6 @@ def self.load_role
 
     Gitlab['gitlab_rails']['enable'] = true if Gitlab['gitlab_rails']['enable'].nil?
 
-    service_exclusions = []
-    # Certain services, like KAS doesn't work on FIPS environments. So we
-    # disable it by default on FIPS environments.
-    # Check https://gitlab.com/groups/gitlab-org/-/epics/7933 for details
-    # about KAS.
-    service_exclusions << 'skip_on_fips' if OpenSSL.fips_mode
-
-    Services.enable_group('rails', except: service_exclusions)
+    Services.enable_group('rails')
   end
 end
diff --git a/files/gitlab-cookbooks/package/libraries/config/roles/default.rb b/files/gitlab-cookbooks/package/libraries/config/roles/default.rb
@@ -23,12 +23,6 @@ def load_role
       service_exclusions = []
       service_exclusions << 'rails' if Gitlab['gitlab_rails']['enable'] == false
 
-      # Certain services, like KAS doesn't work on FIPS environments. So we
-      # disable it by default on FIPS environments.
-      # Check https://gitlab.com/groups/gitlab-org/-/epics/7933 for details
-      # about KAS.
-      service_exclusions << 'skip_on_fips' if OpenSSL.fips_mode
-
       Services.enable_group(Services::DEFAULT_GROUP, except: service_exclusions)
     end
 
diff --git a/files/gitlab-cookbooks/package/libraries/config/services.rb b/files/gitlab-cookbooks/package/libraries/config/services.rb
@@ -35,7 +35,7 @@ class BaseServices < ::Services::Config
     service 'alertmanager',       groups: [DEFAULT_GROUP, 'monitoring', 'monitoring_role']
     service 'postgres_exporter',  groups: [DEFAULT_GROUP, 'monitoring', 'postgres', 'postgres_role', 'patroni_role']
     service 'gitlab_pages',       groups: ['pages_role']
-    service 'gitlab_kas',         groups: [DEFAULT_GROUP, 'rails', 'skip_on_fips']
+    service 'gitlab_kas',         groups: [DEFAULT_GROUP, 'rails']
     service 'mailroom'
     service 'mattermost'
     service 'registry'
diff --git a/spec/chef/cookbooks/package/libraries/config/roles_spec.rb b/spec/chef/cookbooks/package/libraries/config/roles_spec.rb
@@ -81,14 +81,6 @@
 
       expect(Services).to have_received(:enable_group).with(Services::DEFAULT_GROUP, hash_including(except: ['rails'])).once
     end
-
-    it 'leaves skip_on_fips services disabled when on FIPS environment' do
-      allow(OpenSSL).to receive(:fips_mode).and_return(true)
-
-      Gitlab.load_roles
-
-      expect(Services).to have_received(:enable_group).with(Services::DEFAULT_GROUP, hash_including(except: ['skip_on_fips'])).once
-    end
   end
 
   describe 'ApplicationRole' do
@@ -103,17 +95,7 @@
 
       expect(ApplicationRole).to have_received(:load_role)
       expect(Gitlab['gitlab_rails']['enable']).to eq true
-      expect(Services).to have_received(:enable_group).with('rails', except: []).once
-    end
-
-    it 'leaves skip_on_fips services disabled when on FIPS environment' do
-      allow(OpenSSL).to receive(:fips_mode).and_return(true)
-
-      stub_gitlab_rb(application_role: { enable: true })
-
-      Gitlab.load_roles
-
-      expect(Services).to have_received(:enable_group).with('rails', except: ['skip_on_fips']).once
+      expect(Services).to have_received(:enable_group).with('rails').once
     end
   end
 
