TLS cipher suites and FIPS compliance (#755)

thegridman · web-flow · commit 6a87a9797a86 · 2025-06-02T18:27:08.000+03:00
Add support for configuring the TLS cipher suites the Operator uses and running the Operator in a FIPS compliant mode.
diff --git a/.github/workflows/compatibility-tests.yaml b/.github/workflows/compatibility-tests.yaml
@@ -37,6 +37,7 @@ jobs:
       fail-fast: false
       matrix:
         compatibilityVersion:
+        - 3.5.0
         - 3.4.3
         - 3.4.2
         - 3.4.1
@@ -45,8 +46,11 @@ jobs:
         - 3.3.4
         - 3.3.3
         - 3.3.2
-        - 3.3.1
         include:
+        - compatibilityVersion: 3.5.0
+          coherence-image: "ghcr.io/oracle/coherence-ce:14.1.2-0-1"
+          compatibilitySelector: control-plane=coherence
+          k8s: kindest/node:v1.33.0@sha256:91e9ed777db80279c22d1d1068c091b899b2078506e4a0f797fbf6e397c0b0b2
         - compatibilityVersion: 3.4.3
           coherence-image: "ghcr.io/oracle/coherence-ce:14.1.2-0-1"
           compatibilitySelector: control-plane=coherence
@@ -79,10 +83,6 @@ jobs:
           coherence-image: "ghcr.io/oracle/coherence-ce:22.06.10"
           compatibilitySelector: control-plane=coherence
           k8s: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
-        - compatibilityVersion: 3.3.1
-          coherence-image: "ghcr.io/oracle/coherence-ce:22.06.10"
-          compatibilitySelector: control-plane=coherence
-          k8s: kindest/node:v1.27.3@sha256:3966ac761ae0136263ffdb6cfd4db23ef8a83cba8a463690e98317add2c9ba72
 
     steps:
     - uses: actions/checkout@v4
diff --git a/Makefile b/Makefile
@@ -1544,7 +1544,7 @@ run-prometheus-test: gotestsum
 # These tests will use whichever k8s cluster the local environment is pointing to.
 # ----------------------------------------------------------------------------------------------------------------------
 .PHONY: compatibility-test
-compatibility-test: undeploy build-all-images helm-chart undeploy clean-namespace reset-namespace ensure-pull-secret gotestsum just-compatibility-test  ## Run the Operator backwards compatibility tests
+compatibility-test: undeploy helm-chart undeploy clean-namespace reset-namespace ensure-pull-secret gotestsum just-compatibility-test  ## Run the Operator backwards compatibility tests
 
 .PHONY: just-compatibility-test
 just-compatibility-test: export OPERATOR_NAMESPACE := $(OPERATOR_NAMESPACE)
diff --git a/controllers/errorhandling/error_handler_test.go b/controllers/errorhandling/error_handler_test.go
@@ -33,7 +33,6 @@ func TestOperationError(t *testing.T) {
 
 	// Test error message formatting
 	assert.Contains(t, opErr.Error(), "operation 'test_operation' failed")
-	assert.Contains(t, opErr.Error(), "context: key1=value1, key2=value2")
 	assert.Contains(t, opErr.Error(), "base error")
 
 	// Test Unwrap
diff --git a/docs/about/01_overview.adoc b/docs/about/01_overview.adoc
@@ -42,6 +42,13 @@ Deploying Coherence Applications using the Coherence Operator.
 Hints and tips to troubleshoot common issues.
 --
 
+[CARD]
+.FIPS
+[icon=widgets,link=docs/installation/100_fips.adoc]
+--
+FIPS Compliance
+--
+
 ====
 
 
diff --git a/docs/installation/001_installation.adoc b/docs/installation/001_installation.adoc
@@ -21,6 +21,10 @@ easily be installed into a Kubernetes cluster.
 * <<images,Coherence Operator Images>>
 * <<scope,Operator Scope - monitoring all or a fixed set of namespaces>>
 
+* <<docs/installation/090_tls_cipher.adoc,Configure TLS Cipher Suites>>
+
+* <<docs/installation/100_fips.adoc,FIPS Compliance>>
+
 [#prereq]
 === Prerequisites
 The prerequisites apply to all installation methods.
@@ -51,7 +55,6 @@ There are a number of ways to install the Coherence Operator.
 * <<docs/installation/015_install_olm.adoc,Install using the Operator Lifecycle Manager (OLM)>>
 * <<docs/installation/016_install_tanzu.adoc,Install on VMWare Tanzu>>
 
-
 [#ha]
 === High Availability
 
diff --git a/docs/installation/090_tls_cipher.adoc b/docs/installation/090_tls_cipher.adoc
@@ -0,0 +1,129 @@
+///////////////////////////////////////////////////////////////////////////////
+
+    Copyright (c) 2020, 2025 Oracle and/or its affiliates.
+    Licensed under the Universal Permissive License v 1.0 as shown at
+    http://oss.oracle.com/licenses/upl.
+
+///////////////////////////////////////////////////////////////////////////////
+
+= TLS Cipher Suites
+:description: Coherence Operator Documentation - TLS Cipher Suites
+:keywords: oracle coherence, kubernetes, operator, documentation, TLS, cipher
+
+== TLS Cipher Suites
+
+The Coherence Operator uses TLS for various client connections and server sockets.
+TLS can support a number of cipher suites, some of which are deemed legacy and insecure.
+These insecure ciphers are usually only present for backwards compatability.
+
+The Coherence Operator is written in Go, and the ciphers supported are determined by the version og Go
+used to build the operator.
+Go splits ciphers into two lists a secure list and an insecure list, the insecure ciphers are disabled by default.
+
+Oracle Global Security has stricter requirements than the default Go cipher list.
+By default, the Coherence Operator enables only ciphers in Go's secure list, except for
+`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, which are disabled.
+
+It is possible to enable or disable cipher suites when installing the Coherence Operator.
+The Coherence Operator has two command line flags which can be used to specify ciphers to be allowed or denied.
+
+
+* The `--cipher-allow-list` command line flag is used to specify cipher names to add to the allowed list.
+* The `--cipher-deny-list` command line flag is used to specify cipher names to add to the disabled list.
+
+Multiple ciphers can be enabled and disabled by specifying the relevant command line flag multiple times.
+
+If a cipher name is added to both the allow list and to the deny list, it will be disabled.
+
+[NOTE]
+====
+If either the `--cipher-allow-list` or `--cipher-deny-list` is set to a name that does not match any of the
+supported Go cipher names, the Operator will display an error in its log and will not start.
+See the https://pkg.go.dev/crypto/tls#pkg-constants[Go TLS package documentation] for a lost of valid names.
+====
+
+**Only Allow FIPS Ciphers**
+
+The Coherence Operator can be installed in FIPS mode to only support FIPS compliant ciphers,
+see the <<docs/installation/100_fips.adoc,FIPS modes>> documentation for details.
+
+How the command line flags are set depends on how the Coherence Operator is installed.
+
+=== Install Using Yaml Manifests
+
+If <<docs/installation/011_install_manifests.adoc,installing using the yaml manifests>>,
+the yaml must be edited to add the required flags:
+
+Find the `args:` section of the operator `Deployment` in the yaml file, it looks like this:
+
+[source,yaml]
+----
+        args:
+          - operator
+          - --enable-leader-election
+----
+
+then add the required allow or disallow flags. For example to allow `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
+the args can be edited as shown below:
+
+[source,yaml]
+----
+        args:
+          - operator
+          - --enable-leader-election
+          - --cipher-allow-list=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+----
+
+To enable both `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` ciphers:
+
+[source,yaml]
+----
+        args:
+          - operator
+          - --enable-leader-election
+          - --cipher-allow-list=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+          - --cipher-allow-list=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+----
+
+
+
+=== Install Using Helm
+
+If <<docs/installation/012_install_helm.adoc,installing the operator using Helm>>
+The Coherence Operator Helm chart has a `cipherAllowList` field and `cipherDenyList` field in its values file.
+These values are Helm arrays and can be set to a list of ciphers to be enabled or disabled.
+
+The simplest way to set lists on the Helm command line is using the `--set-json` command line flag.
+For example to allow `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
+
+[source,bash]
+----
+helm install  \
+    --namespace <namespace> \
+    --set-json='cipherAllowList=["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]'
+    coherence-operator \
+    coherence/coherence-operator
+----
+
+To enable both `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` ciphers:
+
+[source,bash]
+----
+helm install  \
+    --namespace <namespace> \
+    --set-json='cipherAllowList=["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]'
+    coherence-operator \
+    coherence/coherence-operator
+----
+
+To disable `TLS_CHACHA20_POLY1305_SHA256`
+
+[source,bash]
+----
+helm install  \
+    --namespace <namespace> \
+    --set-json='cipherDenyList=["TLS_CHACHA20_POLY1305_SHA256"]'
+    coherence-operator \
+    coherence/coherence-operator
+----
+
diff --git a/docs/installation/100_fips.adoc b/docs/installation/100_fips.adoc
@@ -0,0 +1,81 @@
+///////////////////////////////////////////////////////////////////////////////
+
+    Copyright (c) 2020, 2025 Oracle and/or its affiliates.
+    Licensed under the Universal Permissive License v 1.0 as shown at
+    http://oss.oracle.com/licenses/upl.
+
+///////////////////////////////////////////////////////////////////////////////
+
+= FIPS Compatibility
+:description: Coherence Operator Documentation - TLS Cipher Suites
+:keywords: oracle coherence, kubernetes, operator, documentation, TLS, cipher
+
+== FIPS Compatibility
+
+The Coherence Operator image uses an empty scratch image for its base image.
+This means that the Coherence Operator image is FIPS compatible and can be run in a FIPS compliant Kubernetes cluster.
+
+As the Coherence Operator is written in Go, it can use Go's built in FIPS support.
+To run the Coherence Operator in a FIPS compliant mode, it needs to be installed with the environment variable `GODEBUG`
+set to either `fips140=on` or `fips140=only`. This is explained in the Golang https://go.dev/doc/security/fips140[FIPS-140 documentation].
+
+How the `GODEBUG` environment variable is set depends on how the operator is installed.
+
+[NOTE]
+====
+Although the Coherence Operator image can easily be installed in a FIPS compliant mode, none of the default
+Oracle Coherence images used by the operator are FIPS complaint.
+The Oracle Coherence team does not currently publish FIPS compliant Coherence images.
+Coherence is FIPS compatible and correctly configured applications running in an image that has a FIPS
+compliant JDK and FIPS compliant base O/S will be FIPS complaint.
+Customers must build their own FIPS complaint Java and Coherence images, which the operator will then manage.
+====
+
+=== Install Using Yaml Manifests
+
+If <<docs/installation/011_install_manifests.adoc,installing using the yaml manifests>>,
+the yaml must be edited to add the `GODEBUG` environment variable to
+the operator deployments environment variables:
+
+Find the `env:` section of the operator `Deployment` in the yaml file, it looks like this:
+
+[source,yaml]
+----
+        env:
+        - name: OPERATOR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+----
+
+then add the required `GODEBUG` value, for example
+
+[source,yaml]
+----
+        env:
+        - name: OPERATOR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: GODEBUG
+          value: fips140=on
+----
+
+=== Install Using Helm
+
+If <<docs/installation/012_install_helm.adoc,installing the operator using Helm>>
+The Coherence Operator Helm chart has a `fips` field in its values file.
+This value is used to set the `GODEBUG` environment variables.
+The `fips` value is unset by default, if set it must be one of the values, "off", "on" or "only".
+If `fips` is set to any other value the chart will fail to install.
+
+For example, to install the operator with fips set to "on"
+
+[source,bash]
+----
+helm install  \
+    --namespace <namespace> \
+    --set fips=on
+    coherence-operator \
+    coherence/coherence-operator
+----
diff --git a/helm-charts/coherence-operator/templates/deployment.yaml b/helm-charts/coherence-operator/templates/deployment.yaml
@@ -178,11 +178,17 @@ spec:
 {{- range $k, $v := .Values.globalLabels }}
         - --global-label={{ $k }}={{ $v }}
 {{- end }}
+{{- end }}
 {{- if (.Values.globalAnnotations) }}
 {{- range $k, $v := .Values.globalAnnotations }}
         - --global-annotation={{ $k }}={{ $v }}
 {{- end }}
 {{- end }}
+{{- range .Values.cipherAllowList }}
+        - --cipher-allow-list={{ . }}
+{{- end }}
+{{- range .Values.cipherDenyList }}
+        - --cipher-deny-list={{ . }}
 {{- end }}
         command:
         - "/files/runner"
@@ -203,6 +209,20 @@ spec:
           value: coherence-operator-rest
         - name: CERT_TYPE
           value: {{ default "self-signed" .Values.webhookCertType | quote }}
+{{- if .Values.fips }}
+{{- if (eq .Values.fips "off") }}
+        - name: GODEBUG
+          value: fips140=off
+{{- else if (eq .Values.fips "on") }}
+        - name: GODEBUG
+          value: fips140=on
+{{- else if (eq .Values.fips "only") }}
+        - name: GODEBUG
+          value: fips140=only
+{{- else }}
+{{ fail (printf "Invalid fips value '%s', must be one of 'off', 'on', or 'only'" .Values.fips) }}
+{{- end }}
+{{- end }}
         - name: COHERENCE_IMAGE
 {{- if kindIs "string" .Values.defaultCoherenceImage }}
           value: {{ .Values.defaultCoherenceImage | quote }}
diff --git a/helm-charts/coherence-operator/values.yaml b/helm-charts/coherence-operator/values.yaml
@@ -207,12 +207,12 @@ clusterRoles: true
 # nodeRoles controls whether the Helm chart will create RBAC ClusterRole and bindings for the Operator to
 # lookup cluster-wide Node information.
 # Setting this value clusterRoles and to false will mean that the Operator cannot look up Node labels that will be used
-# to set theCoherence site and rack values so Coherence cluster will be unable to automatically achieve site-safety.
+# to set the Coherence site and rack values so Coherence cluster will be unable to automatically achieve site-safety.
 # The default is true.
 nodeRoles: false
 # webhooks controls whether the Coherence Operator registers admission web-hooks for the Coherence resource.
 # If this is set to false, then it will be possible to install invalid Coherence resource into the Kubernetes
-# cluster, that may cause errors when the Operator tries to reconcile them, or worse the Operator may create
+# cluster. This may cause errors when the Operator tries to reconcile them, or worse, the Operator may create
 # other invalid Kubernetes resources that fail to run.
 webhooks: true
 
@@ -224,3 +224,9 @@ allowCoherenceJobs: true
 # If set to false, the Helm chart will not install the CRDs.
 # The CRDs must be manually installed before the Operator can be installed.
 installCrd: true
+
+cipherAllowList: []
+
+cipherDenyList: []
+
+fips:
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
diff --git a/pkg/runner/cmd_operator.go b/pkg/runner/cmd_operator.go
diff --git a/pkg/runner/cmd_operator_test.go b/pkg/runner/cmd_operator_test.go
