Merge pull request #1114 from enj/enj/i/fips_init_log

Use klog to make sure FIPS init log is emitted
Mo Khan 2022-04-12 16:23:38 -04:00 committed by GitHub
commit 6af1aaeb20
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -18,8 +18,7 @@ import (
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings. _ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
"k8s.io/apiserver/pkg/server/options" "k8s.io/apiserver/pkg/server/options"
"k8s.io/klog/v2"
"go.pinniped.dev/internal/plog"
) )
// Always use TLS 1.2 for FIPs // Always use TLS 1.2 for FIPs
@ -27,7 +26,11 @@ const secureServingOptionsMinTLSVersion = "VersionTLS12"
const SecureTLSConfigMinTLSVersion = tls.VersionTLS12 const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
func init() { func init() {
plog.Debug("using boring crypto in fips only mode", "go version", runtime.Version()) // this init runs before we have parsed our config to determine our log level
// thus we must use a log statement that will always print instead of conditionally print
// for plog, that is only error and warning logs, neither of which seem appropriate here
// therefore, just use klog directly with no V level requirement
klog.InfoS("using boring crypto in fips only mode", "go version", runtime.Version())
} }
func Default(rootCAs *x509.CertPool) *tls.Config { func Default(rootCAs *x509.CertPool) *tls.Config {
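Review bot: The structured key `"go version"` in the new `klog.InfoS` call in `init()` contains a space, which is awkward to match in log queries and departs from the lowerCamelCase keys that Kubernetes structured logging recommends; `klog.InfoS("using boring crypto in fips only mode", "goVersion", runtime.Version())` would be easier to select on. This line is the runtime evidence that the binary is in FIPS-only mode, so it is worth keeping its message and key stable for anyone who audits deployments from logs. Since it runs before the log configuration is parsed, it presumably goes out in klog's default format and destination regardless of what is configured later. The comment could say so with one more line, for example `// note: emitted with klog defaults, before any configured log format applies`.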