
Synth fails in FIPS-enabled linux #334

Closed
gabe-l-hart opened this issue Oct 7, 2020 · 0 comments · Fixed by #392
Labels
bug Something isn't working effort/small 1 day tops

Comments

@gabe-l-hart
Contributor

Description of the bug:

Our team is building an operator based on cdk8s and one of our deployment targets is a FIPS-enabled kubernetes cluster. When running cdk8s (and by proxy the constructs library), we encounter the following error when attempting to run a synth:

Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS

This has been filed as a bug against constructs (aws/constructs#272), but we will need a version bump here in cdk8s to take advantage of the fix once it is available in constructs.

Reproduction Steps:

Unfortunately, it's quite hard to reproduce this as you need a FIPS-enabled runtime. If you can get ahold of one, this can easily be reproduced from python with the following snippet:

import cdk8s

a = cdk8s.App()               # app that owns the construct tree
c = cdk8s.Chart(a, "test")    # a single empty chart is enough to trigger it
a.synth()                     # hashing of construct ids happens here and fails under FIPS

Error Log:

  Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
      at new Hash (internal/crypto/hash.js:33:18)
      at Object.createHash (crypto.js:101:10)
      at pathHash (/tmp/jsii-kernel-jiMAAo/node_modules/constructs/lib/private/uniqueid.js:66:24)
      at Object.makeUniqueId (/tmp/jsii-kernel-jiMAAo/node_modules/constructs/lib/private/uniqueid.js:51:18)
      at Node.get uniqueId [as uniqueId] (/tmp/jsii-kernel-jiMAAo/node_modules/constructs/lib/construct.js:70:51)
      at putVertex (/tmp/jsii-kernel-jiMAAo/node_modules/cdk8s/lib/dependency.js:23:50)
      at new DependencyGraph (/tmp/jsii-kernel-jiMAAo/node_modules/cdk8s/lib/dependency.js:30:13)
      at chartToKube (/tmp/jsii-kernel-jiMAAo/node_modules/cdk8s/lib/app.js:109:12)
      at Function._synthChart (/tmp/jsii-kernel-jiMAAo/node_modules/cdk8s/lib/app.js:67:16)
      at Kernel._wrapSandboxCode (/usr/local/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8422:19)
      at ret._ensureSync (/usr/local/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7758:25)
      at Kernel._ensureSync (/usr/local/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:8395:20)
      at Kernel.invoke (/usr/local/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7757:26)
      at KernelHost.processRequest (/usr/local/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7458:28)
      at KernelHost.run (/usr/local/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7396:14)
      at Immediate.setImmediate [as _onImmediate] (/usr/local/lib/python3.6/site-packages/jsii/_embedded/jsii/jsii-runtime.js:7399:37)
      at runCallback (timers.js:705:18)
      at tryOnImmediate (timers.js:676:5)
      at processImmediate (timers.js:658:5)

Environment:

  • Framework Version: 0.30.0 w/ constructs 3.0.7
  • OS: FIPS-enabled kubernetes cluster

Other:

I've put up a PR in constructs to fix this: aws/constructs#273


This is 🐛 Bug Report

@gabe-l-hart gabe-l-hart added bug Something isn't working needs-triage Priority and effort undetermined yet labels Oct 7, 2020
@iliapolo iliapolo added p1 effort/small 1 day tops and removed needs-triage Priority and effort undetermined yet labels Oct 10, 2020
eladb pushed a commit that referenced this issue Nov 18, 2020
The CDK8s name generator (`Names.toLabelValue()` and `Names.toDnsLabel()`) has used sha256, which cannot be used in environments that are FIPS compliant.

To fix this, we are now using the [recently introduced](aws/constructs#314) `Node.of(construct).addr` as the hash postfix of generated names.

Fixes #334

BREAKING CHANGE: CAUTION! Auto-generated resource names will change with this release. Resource names in manifests synthesized by a previous version of the CDK8s will be invalidated. Deploying new manifests will cause **resources to be replaced**. Temporarily, you can opt to use the legacy hashing mechanism by setting the environment variable `CDK8S_LEGACY_HASH=1`.
* **core:** `Names.toDnsLabel()` now accepts a construct scope instead of a string path, and a set of options instead of `maxLen`.
* **core:** `Names.toLabelValue()` now accepts a construct scope instead of a string path, and a set of options instead of `maxLen`.
@mergify mergify bot closed this as completed in #392 Nov 19, 2020
mergify bot pushed a commit that referenced this issue Nov 19, 2020
The CDK8s name generator (`Names.toLabelValue()` and `Names.toDnsLabel()`) has used sha256, which cannot be used in environments that are FIPS compliant.

To fix this, we are now using the [recently introduced](aws/constructs#314) `Node.of(construct).addr` as the hash postfix of generated names.

Fixes #334

BREAKING CHANGE: CAUTION! Auto-generated resource names will change with this release. Resource names in manifests synthesized by a previous version of the CDK8s will be invalidated. Deploying new manifests will cause **resources to be replaced**. Temporarily, you can opt to use the legacy hashing mechanism by setting the environment variable `CDK8S_LEGACY_HASH=1`.
* **lib:** `Names.toDnsLabel()` now accepts a construct scope instead of a string path, and a set of options instead of `maxLen`.
* **lib:** `Names.toLabelValue()` now accepts a construct scope instead of a string path, and a set of options instead of `maxLen`.

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*