Disable FIPS support within JVM for Puppet

ehelms · ekohl · commit c78916eb4cfb · 2022-03-17T12:27:55.000+01:00
diff --git a/manifests/server/puppetserver.pp b/manifests/server/puppetserver.pp
@@ -60,6 +60,9 @@
 # @param server_multithreaded
 #   Configures the puppetserver to use multithreaded jruby.
 #
+# @param disable_fips
+#   Disables FIPS support within the JVM
+#
 # @example
 #
 #   # configure memory for java < 8
@@ -140,6 +143,7 @@
   $max_open_files                         = $puppet::server::max_open_files,
   $versioned_code_id                      = $puppet::server::versioned_code_id,
   $versioned_code_content                 = $puppet::server::versioned_code_content,
+  $disable_fips                           = $facts['os']['family'] == 'RedHat' and $facts['os']['release']['major'] == '8',
 ) {
   include puppet::server
 
@@ -149,7 +153,12 @@
 
   $puppetserver_package = pick($puppet::server::package, 'puppetserver')
 
-  $jvm_cmd_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}", $jvm_extra_args]
+  $jvm_heap_arr = ["-Xms${jvm_min_heap_size}", "-Xmx${jvm_max_heap_size}"]
+  if $disable_fips {
+    $jvm_cmd_arr = $jvm_heap_arr + ['-Dcom.redhat.fips=false', $jvm_extra_args]
+  } else {
+    $jvm_cmd_arr = $jvm_heap_arr + [$jvm_extra_args]
+  }
   $jvm_cmd = strip(join(flatten($jvm_cmd_arr), ' '))
 
   if $facts['os']['family'] == 'FreeBSD' {
diff --git a/spec/classes/puppet_server_puppetserver_spec.rb b/spec/classes/puppet_server_puppetserver_spec.rb
@@ -59,13 +59,23 @@
                      .with_incl('/etc/default/puppetserver')
                      .with_lens('Shellvars.lns')
           }
-          it {
-            should contain_augeas('puppet::server::puppetserver::jvm')
-              .with_changes(['set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java'])
-              .with_context('/files/etc/default/puppetserver')
-              .with_incl('/etc/default/puppetserver')
-              .with_lens('Shellvars.lns')
-          }
+          if facts[:os]['family'] == 'RedHat' and facts[:os]['release']['major'] == '8'
+            it {
+              should contain_augeas('puppet::server::puppetserver::jvm')
+                .with_changes(['set JAVA_ARGS \'"-Xms2G -Xmx2G -Dcom.redhat.fips=false"\'', 'set JAVA_BIN /usr/bin/java'])
+                .with_context('/files/etc/default/puppetserver')
+                .with_incl('/etc/default/puppetserver')
+                .with_lens('Shellvars.lns')
+            }
+          else
+            it {
+              should contain_augeas('puppet::server::puppetserver::jvm')
+                .with_changes(['set JAVA_ARGS \'"-Xms2G -Xmx2G"\'', 'set JAVA_BIN /usr/bin/java'])
+                .with_context('/files/etc/default/puppetserver')
+                .with_incl('/etc/default/puppetserver')
+                .with_lens('Shellvars.lns')
+            }
+          end
           it do
             should contain_augeas('puppet::server::puppetserver::jruby_jar')
               .with_changes(['rm JRUBY_JAR'])
@@ -374,6 +384,17 @@
               .with_changes(['set puppetserver_java_opts \'"-Xms2G -Xmx2G -XX:foo=bar -XX:bar=foo"\''])
               .with_context('/files/etc/rc.conf')
           }
+        elsif facts[:os]['family'] == 'RedHat' and facts[:os]['release']['major'] == '8'
+          it {
+            should contain_augeas('puppet::server::puppetserver::jvm')
+              .with_changes([
+                              'set JAVA_ARGS \'"-Xms2G -Xmx2G -Dcom.redhat.fips=false -XX:foo=bar -XX:bar=foo"\'',
+                              'set JAVA_BIN /usr/bin/java'
+                            ])
+              .with_context('/files/etc/default/puppetserver')
+              .with_incl('/etc/default/puppetserver')
+              .with_lens('Shellvars.lns')
+          }
         else
           it {
             should contain_augeas('puppet::server::puppetserver::jvm')
@@ -390,16 +411,30 @@
 
       describe 'with cli_args parameter', unless: facts[:osfamily] == 'FreeBSD' do
         let(:params) { super().merge(server_jvm_cli_args: '-Djava.io.tmpdir=/var/puppettmp') }
-        it do
-          should contain_augeas('puppet::server::puppetserver::jvm')
-            .with_changes([
-                            'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'',
-                            'set JAVA_BIN /usr/bin/java',
-                            'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\''
-                          ])
-            .with_context('/files/etc/default/puppetserver')
-            .with_incl('/etc/default/puppetserver')
-            .with_lens('Shellvars.lns')
+        if facts[:os]['family'] == 'RedHat' and facts[:os]['release']['major'] == '8'
+          it {
+            should contain_augeas('puppet::server::puppetserver::jvm')
+              .with_changes([
+                              'set JAVA_ARGS \'"-Xms2G -Xmx2G -Dcom.redhat.fips=false"\'',
+                              'set JAVA_BIN /usr/bin/java',
+                              'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\''
+                            ])
+              .with_context('/files/etc/default/puppetserver')
+              .with_incl('/etc/default/puppetserver')
+              .with_lens('Shellvars.lns')
+          }
+        else
+          it {
+            should contain_augeas('puppet::server::puppetserver::jvm')
+              .with_changes([
+                              'set JAVA_ARGS \'"-Xms2G -Xmx2G"\'',
+                              'set JAVA_BIN /usr/bin/java',
+                              'set JAVA_ARGS_CLI \'"-Djava.io.tmpdir=/var/puppettmp"\''
+                            ])
+              .with_context('/files/etc/default/puppetserver')
+              .with_incl('/etc/default/puppetserver')
+              .with_lens('Shellvars.lns')
+          }
         end
       end
 
