[CECO-180] Add FIPS support (#1063)

* Add FIPS support * Review suggestions * Review suggestions * Add crd changes from merging main * Review suggestions
DataDog · Feb 23, 2024 · 4ba13a6 · 4ba13a6
1 parent 3bfd043
commit 4ba13a6
Show file tree

Hide file tree

Showing 24 changed files with 1,500 additions and 22 deletions.
diff --git a/apis/datadoghq/common/const.go b/apis/datadoghq/common/const.go
@@ -284,6 +284,11 @@ const (
 	ClusterAgentCustomConfigVolumeSubPath = "datadog-cluster.yaml"
 
 	HelmCheckConfigVolumeName = "helm-check-config"
+
+	FIPSProxyCustomConfigVolumeName = "fips-proxy-cfg"
+	FIPSProxyCustomConfigFileName   = "datadog-fips-proxy.cfg"
+	FIPSProxyCustomConfigMapName    = "%s-fips-config"
+	FIPSProxyCustomConfigMountPath  = "/etc/datadog-fips-proxy/datadog-fips-proxy.cfg"
 )
 
 const (

diff --git a/apis/datadoghq/common/envvar.go b/apis/datadoghq/common/envvar.go
@@ -65,6 +65,10 @@ const (
 	DDExternalMetricsProviderWPAController            = "DD_EXTERNAL_METRICS_PROVIDER_WPA_CONTROLLER"
 	DDExtraConfigProviders                            = "DD_EXTRA_CONFIG_PROVIDERS"
 	DDExtraListeners                                  = "DD_EXTRA_LISTENERS"
+	DDFIPSEnabled                                     = "DD_FIPS_ENABLED"
+	DDFIPSPortRangeStart                              = "DD_FIPS_PORT_RANGE_START"
+	DDFIPSUseHTTPS                                    = "DD_FIPS_HTTPS"
+	DDFIPSLocalAddress                                = "DD_FIPS_LOCAL_ADDRESS"
 	DDHealthPort                                      = "DD_HEALTH_PORT"
 	DDHostname                                        = "DD_HOSTNAME"
 	DDHostRootEnvVar                                  = "HOST_ROOT"

diff --git a/apis/datadoghq/common/v1/types.go b/apis/datadoghq/common/v1/types.go
@@ -95,4 +95,7 @@ const (
 
 	// ClusterChecksRunnersContainerName is the name of the Agent container in Cluster Checks Runners
 	ClusterChecksRunnersContainerName AgentContainerName = "agent"
+
+	// FIPSProxyContainerName is the name of the FIPS Proxy container
+	FIPSProxyContainerName AgentContainerName = "fips-proxy"
 )
diff --git a/apis/datadoghq/v2alpha1/datadogagent_default.go b/apis/datadoghq/v2alpha1/datadogagent_default.go
@@ -7,7 +7,9 @@ package v2alpha1
 
 import (
 	apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common"
+	commonv1 "github.com/DataDog/datadog-operator/apis/datadoghq/common/v1"
 	apiutils "github.com/DataDog/datadog-operator/apis/utils"
+	"github.com/DataDog/datadog-operator/pkg/defaulting"
 )
 
 // Default configuration values. These are the recommended settings for monitoring with Datadog in Kubernetes.
@@ -96,6 +98,14 @@ const (
 
 	defaultHelmCheckEnabled       bool = false
 	defaultHelmCheckCollectEvents bool = false
+
+	defaultFIPSEnabled      bool   = false
+	defaultFIPSImageName    string = "fips-proxy"
+	defaultFIPSImageTag     string = defaulting.FIPSProxyLatestVersion
+	defaultFIPSLocalAddress string = "127.0.0.1"
+	defaultFIPSPort         int32  = 9803
+	defaultFIPSPortRange    int32  = 15
+	defaultFIPSUseHTTPS     bool   = false
 )
 
 // DefaultDatadogAgent defaults the DatadogAgentSpec GlobalConfig and Features.
@@ -136,6 +146,27 @@ func defaultGlobalConfig(ddaSpec *DatadogAgentSpec) {
 		dcs := defaultContainerStrategy
 		ddaSpec.Global.ContainerStrategy = &dcs
 	}
+
+	if ddaSpec.Global.FIPS == nil {
+		ddaSpec.Global.FIPS = &FIPSConfig{}
+	}
+	apiutils.DefaultBooleanIfUnset(&ddaSpec.Global.FIPS.Enabled, defaultFIPSEnabled)
+
+	if *ddaSpec.Global.FIPS.Enabled {
+		if ddaSpec.Global.FIPS.Image == nil {
+			ddaSpec.Global.FIPS.Image = &commonv1.AgentImageConfig{}
+		}
+		if ddaSpec.Global.FIPS.Image.Name == "" {
+			ddaSpec.Global.FIPS.Image.Name = defaultFIPSImageName
+		}
+		if ddaSpec.Global.FIPS.Image.Tag == "" {
+			ddaSpec.Global.FIPS.Image.Tag = defaultFIPSImageTag
+		}
+		apiutils.DefaultStringIfUnset(&ddaSpec.Global.FIPS.LocalAddress, defaultFIPSLocalAddress)
+		apiutils.DefaultInt32IfUnset(&ddaSpec.Global.FIPS.Port, defaultFIPSPort)
+		apiutils.DefaultInt32IfUnset(&ddaSpec.Global.FIPS.PortRange, defaultFIPSPortRange)
+		apiutils.DefaultBooleanIfUnset(&ddaSpec.Global.FIPS.UseHTTPS, defaultFIPSUseHTTPS)
+	}
 }
 
 // defaultFeaturesConfig sets default values in DatadogAgentSpec.Features.

diff --git a/apis/datadoghq/v2alpha1/datadogagent_default_test.go b/apis/datadoghq/v2alpha1/datadogagent_default_test.go
@@ -8,11 +8,12 @@ package v2alpha1
 import (
 	"testing"
 
-	"github.com/google/go-cmp/cmp"
-	assert "github.com/stretchr/testify/require"
-
 	apicommon "github.com/DataDog/datadog-operator/apis/datadoghq/common"
+	"github.com/DataDog/datadog-operator/apis/datadoghq/common/v1"
 	apiutils "github.com/DataDog/datadog-operator/apis/utils"
+
+	"github.com/google/go-cmp/cmp"
+	assert "github.com/stretchr/testify/require"
 )
 
 const (
@@ -84,6 +85,50 @@ func Test_defaultGlobal(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "test FIPS defaulting - disabled",
+			ddaSpec: &DatadogAgentSpec{
+				Global: &GlobalConfig{},
+			},
+			want: &DatadogAgentSpec{
+				Global: &GlobalConfig{
+					FIPS: &FIPSConfig{
+						Enabled: apiutils.NewBoolPointer(defaultFIPSEnabled),
+					},
+					Site:     apiutils.NewStringPointer(defaultSite),
+					Registry: apiutils.NewStringPointer(apicommon.DefaultImageRegistry),
+					LogLevel: apiutils.NewStringPointer(defaultLogLevel),
+				},
+			},
+		},
+		{
+			name: "test FIPS defaulting - enabled",
+			ddaSpec: &DatadogAgentSpec{
+				Global: &GlobalConfig{
+					FIPS: &FIPSConfig{
+						Enabled: apiutils.NewBoolPointer(true),
+					},
+				},
+			},
+			want: &DatadogAgentSpec{
+				Global: &GlobalConfig{
+					FIPS: &FIPSConfig{
+						Enabled: apiutils.NewBoolPointer(true),
+						Image: &common.AgentImageConfig{
+							Name: defaultFIPSImageName,
+							Tag:  defaultFIPSImageTag,
+						},
+						LocalAddress: apiutils.NewStringPointer(defaultFIPSLocalAddress),
+						Port:         apiutils.NewInt32Pointer(defaultFIPSPort),
+						PortRange:    apiutils.NewInt32Pointer(defaultFIPSPortRange),
+						UseHTTPS:     apiutils.NewBoolPointer(defaultFIPSUseHTTPS),
+					},
+					Site:     apiutils.NewStringPointer(defaultSite),
+					Registry: apiutils.NewStringPointer(apicommon.DefaultImageRegistry),
+					LogLevel: apiutils.NewStringPointer(defaultLogLevel),
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/apis/datadoghq/v2alpha1/datadogagent_types.go b/apis/datadoghq/v2alpha1/datadogagent_types.go
@@ -813,6 +813,9 @@ type GlobalConfig struct {
 	// Default: 'optimized'
 	// +optional
 	ContainerStrategy *ContainerStrategyType `json:"containerStrategy,omitempty"`
+
+	// FIPS contains configuration used to customize the FIPS proxy sidecar.
+	FIPS *FIPSConfig `json:"fips,omitempty"`
 }
 
 // DatadogCredentials is a generic structure that holds credentials to access Datadog.
@@ -1127,6 +1130,42 @@ type DatadogAgentStatus struct {
 	ClusterChecksRunner *commonv1.DeploymentStatus `json:"clusterChecksRunner,omitempty"`
 }
 
+// FIPSConfig contains the FIPS configuration.
+// +k8s:openapi-gen=true
+type FIPSConfig struct {
+	// Enable FIPS sidecar.
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+	// The container image of the FIPS sidecar.
+	// +optional
+	Image *commonv1.AgentImageConfig `json:"image,omitempty"`
+	// Set the local IP address.
+	// Default: `127.0.0.1`
+	// +optional
+	LocalAddress *string `json:"localAddress,omitempty"`
+	// Port specifies which port is used by the containers to communicate to the FIPS sidecar.
+	// Default: 9803
+	// +optional
+	Port *int32 `json:"port,omitempty"`
+	// PortRange specifies the number of ports used.
+	// Default: 15
+	// +optional
+	PortRange *int32 `json:"portRange,omitempty"`
+	// Resources is the requests and limits for the FIPS sidecar container.
+	// +optional
+	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+	// UseHTTPS enables HTTPS.
+	// Default: false
+	// +optional
+	UseHTTPS *bool `json:"useHTTPS,omitempty"`
+	// CustomFIPSConfig configures a custom configMap to provide the FIPS configuration.
+	// Specify custom contents for the FIPS proxy sidecar container config
+	// (/etc/datadog-fips-proxy/datadog-fips-proxy.cfg). If empty, the default FIPS
+	// proxy sidecar container config is used.
+	// +optional
+	CustomFIPSConfig *CustomConfig `json:"customFIPSConfig,omitempty"`
+}
+
 // DatadogAgent Deployment with the Datadog Operator.
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status

diff --git a/apis/datadoghq/v2alpha1/test/builder.go b/apis/datadoghq/v2alpha1/test/builder.go
@@ -531,3 +531,14 @@ func (builder *DatadogAgentBuilder) WithComponentOverride(componentName v2alpha1
 	builder.datadogAgent.Spec.Override[componentName] = &override
 	return builder
 }
+
+// FIPS
+
+func (builder *DatadogAgentBuilder) WithFIPS(fipsConfig v2alpha1.FIPSConfig) *DatadogAgentBuilder {
+	if builder.datadogAgent.Spec.Global == nil {
+		builder.datadogAgent.Spec.Global = &v2alpha1.GlobalConfig{}
+	}
+
+	builder.datadogAgent.Spec.Global.FIPS = &fipsConfig
+	return builder
+}
diff --git a/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go b/apis/datadoghq/v2alpha1/zz_generated.deepcopy.go
diff --git a/apis/datadoghq/v2alpha1/zz_generated.openapi.go b/apis/datadoghq/v2alpha1/zz_generated.openapi.go