chore: Add GODEBUG environment variable for FIPS compliance for KLM and Watcher image (#2805)

ruanxin · web-flow · commit ee15efac5660 · 2025-10-13T14:28:58.000+02:00
* chore: Add GODEBUG environment variable for FIPS compliance in manager deployment

* chore: Add GODEBUG environment variable for FIPS compliance in skr-webhook deployment

* fix: Update FIPS mode metric expectation to match new configuration

* chore: Remove GODEBUG environment variable from manager deployment and add FIPS mode patch for local testing

* feat: Add GODEBUG environment variable support in deployment configuration and corresponding test

* test: Add verification for GODEBUG environment variable in SKR Cluster webhook deployment

* feat: Initialize Kyma instance in FIPS Mode metric test

* fix: Replace fmt.Errorf with errors.New for GODEBUG env error handling
diff --git a/config/watcher_local_test/kustomization.yaml b/config/watcher_local_test/kustomization.yaml
@@ -29,6 +29,7 @@ components:
 patches:
   - path: patches/deployment_resources.yaml
   - path: patches/unique_deployment_webhook_patch.yaml
+  - path: patches/fips_only_mode.yaml
   - target:
       kind: Deployment
     patch: |-
diff --git a/config/watcher_local_test/patches/fips_only_mode.yaml b/config/watcher_local_test/patches/fips_only_mode.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          env:
+            - name: GODEBUG
+              value: "fips140=only,tlsmlkem=0"
diff --git a/config/watcher_local_test_gcm/kustomization.yaml b/config/watcher_local_test_gcm/kustomization.yaml
@@ -25,6 +25,7 @@ components:
 patches:
   - path: patches/deployment_resources.yaml
   - path: patches/unique_deployment_webhook_patch.yaml
+  - path: patches/fips_only_mode.yaml
   - target:
       kind: Deployment
     patch: |-
diff --git a/config/watcher_local_test_gcm/patches/fips_only_mode.yaml b/config/watcher_local_test_gcm/patches/fips_only_mode.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+spec:
+  template:
+    spec:
+      containers:
+        - name: manager
+          env:
+            - name: GODEBUG
+              value: "fips140=only,tlsmlkem=0"
diff --git a/internal/service/watcher/resources/resource_configurator.go b/internal/service/watcher/resources/resource_configurator.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"os"
 	"strconv"
 
 	apiappsv1 "k8s.io/api/apps/v1"
@@ -44,6 +45,7 @@ var (
 const (
 	// PodRestartLabelKey is used to trigger a rolling update of the watcher pod when the SKR's certificate changes.
 	PodRestartLabelKey             = shared.OperatorGroup + shared.Separator + "pod-restart-trigger"
+	goDebugEnvName                 = "GODEBUG"
 	kcpAddressEnvName              = "KCP_ADDR"
 	ApiServerNetworkPolicyName     = "kyma-project.io--watcher-to-apiserver"
 	SeedToWatcherNetworkPolicyName = "kyma-project.io--seed-to-watcher"
@@ -136,6 +138,12 @@ func (rc *ResourceConfigurator) ConfigureDeployment(obj *unstructured.Unstructur
 		shared.ManagedBy: shared.ManagedByLabelValue,
 	}))
 
+	goDebug, ok := os.LookupEnv(goDebugEnvName)
+	if ok && goDebug != "" {
+		deployment.Spec.Template.Spec.Containers[0].Env = append(
+			deployment.Spec.Template.Spec.Containers[0].Env,
+			apicorev1.EnvVar{Name: goDebugEnvName, Value: goDebug})
+	}
 	return deployment, nil
 }
 
diff --git a/internal/service/watcher/resources/resource_configurator_test.go b/internal/service/watcher/resources/resource_configurator_test.go
@@ -22,6 +22,62 @@ func toUnstructured(obj interface{}) *unstructured.Unstructured {
 	return &unstructured.Unstructured{Object: m}
 }
 
+func TestResourceConfigurator_ConfigureDeployment_SetsGODEBUG(t *testing.T) {
+	expectedEnvValue := "dummyvalue"
+	expectedEnvName := "GODEBUG"
+	t.Setenv(expectedEnvName, expectedEnvValue)
+
+	testDeploy := toUnstructured(&apiappsv1.Deployment{
+		ObjectMeta: apimetav1.ObjectMeta{
+			Name:   "dbg-deploy",
+			Labels: map[string]string{"dbg": "true"},
+		},
+		Spec: apiappsv1.DeploymentSpec{
+			Template: apicorev1.PodTemplateSpec{
+				ObjectMeta: apimetav1.ObjectMeta{
+					Labels: map[string]string{"app": "dbg"},
+				},
+				Spec: apicorev1.PodSpec{
+					Containers: []apicorev1.Container{
+						{
+							Name:  "main",
+							Image: "old-image",
+						},
+					},
+				},
+			},
+		},
+	})
+
+	configurator := skrwebhookresources.NewResourceConfigurator(
+		"",
+		"",
+		"100m",
+		"128Mi",
+		skrwebhookresources.KCPAddr{Hostname: "dbg-host", Port: 4242},
+	)
+	configurator.SetSecretResVer("v1")
+
+	got, err := configurator.ConfigureDeployment(testDeploy)
+	if err != nil {
+		t.Fatalf("ConfigureDeployment() returned error: %v", err)
+	}
+
+	found := false
+	for _, env := range got.Spec.Template.Spec.Containers[0].Env {
+		if env.Name == expectedEnvName {
+			if env.Value != expectedEnvValue {
+				t.Fatalf("GODEBUG value = %q, want %q", env.Value, expectedEnvValue)
+			}
+			found = true
+			break
+		}
+	}
+	if !found {
+		t.Fatalf("GODEBUG env not found in container env: %+v", got.Spec.Template.Spec.Containers[0].Env)
+	}
+}
+
 //nolint:gocognit // test case is complex
 func TestResourceConfigurator_ConfigureDeployment(t *testing.T) {
 	kcpAddr := skrwebhookresources.KCPAddr{Hostname: "test-host", Port: 8080}
diff --git a/tests/e2e/fipsMode_metric_test.go b/tests/e2e/fipsMode_metric_test.go
@@ -1,21 +1,51 @@
 package e2e_test
 
 import (
+	"errors"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 
+	"github.com/kyma-project/lifecycle-manager/api/v1beta2"
+	. "github.com/kyma-project/lifecycle-manager/pkg/testutils"
 	. "github.com/kyma-project/lifecycle-manager/tests/e2e/commontestutils"
 
 	"github.com/kyma-project/lifecycle-manager/internal/pkg/metrics"
+	skrwebhookresources "github.com/kyma-project/lifecycle-manager/internal/service/watcher/resources"
 )
 
 var _ = Describe("FIPS Mode metric", Ordered, func() {
+	kyma := NewKymaWithNamespaceName("kyma-sample", ControlPlaneNamespace, v1beta2.DefaultChannel)
+	InitEmptyKymaBeforeAll(kyma)
+
 	Context("Given KCP Cluster", func() {
 		It("When KLM is initialized", func() {
-			By("Then fipsMode metrics is set to \"enabled\"")
+			By("Then fipsMode metrics is set to \"FipsModeOnly\"")
 			Eventually(GetFipsModeGauge).
 				WithContext(ctx).
-				Should(Equal(metrics.FipsModeOn))
+				Should(Equal(metrics.FipsModeOnly))
+		})
+	})
+
+	Context("Given SKR Cluster", func() {
+		It("When Runtime Watcher is initialized", func() {
+			By("Then fipsMode env exists in the webhook deployment")
+			Eventually(func() error {
+				skrWebhook, err := GetDeployment(ctx, skrClient, skrwebhookresources.SkrResourceName, RemoteNamespace)
+				if err != nil {
+					return err
+				}
+				for _, container := range skrWebhook.Spec.Template.Spec.Containers {
+					if container.Name == "server" {
+						for _, env := range container.Env {
+							if env.Name == "GODEBUG" && env.Value == "fips140=only,tlsmlkem=0" {
+								return nil
+							}
+						}
+					}
+				}
+				return errors.New("GODEBUG env not found in the webhook deployment")
+			}).Should(Succeed())
 		})
 	})
 })
