djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use klog to make sure FIPS init log is emitted 

We cannot use plog until the log level config has been setup, but
that occurs after this init function has run.

Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Monis Khan 2022-04-12 14:27:07 -04:00
parent edf4ffb018
commit 6b4fbb6e0e
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
internal/crypto/ptls/fips_strict.go
View File

@ -18,8 +18,7 @@ import (
_ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings. _ "crypto/tls/fipsonly" // restricts all TLS configuration to FIPS-approved settings.
"k8s.io/apiserver/pkg/server/options" "k8s.io/apiserver/pkg/server/options"
"k8s.io/klog/v2"
"go.pinniped.dev/internal/plog"
) )
// Always use TLS 1.2 for FIPs // Always use TLS 1.2 for FIPs
@ -27,7 +26,11 @@ const secureServingOptionsMinTLSVersion = "VersionTLS12"
const SecureTLSConfigMinTLSVersion = tls.VersionTLS12 const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
func init() { func init() {
plog.Debug("using boring crypto in fips only mode", "go version", runtime.Version()) // this init runs before we have parsed our config to determine our log level
// thus we must use a log statement that will always print instead of conditionally print
// for plog, that is only error and warning logs, neither of which seem appropriate here
// therefore, just use klog directly with no V level requirement
klog.InfoS("using boring crypto in fips only mode", "go version", runtime.Version())
} }
func Default(rootCAs *x509.CertPool) *tls.Config { func Default(rootCAs *x509.CertPool) *tls.Config {