[PLAT-17482] allow enabling fips with helm

shubin-yb · shubin-yb · commit 72e1088bcf50 · 2025-06-17T22:43:35.000Z
Summary: fips enabled will pass in `-Dorg.bouncycastle.ips.approved_only=true` to YBA Test Plan: new ut helm template . --set yugaware.fips.enabled=true args: [ "bin/yugaware", "-Dorg.bouncycastle.fips.approved_only=true", "-Dconfig.file=/data/application.docker.conf" ] helm template . args: [ "bin/yugaware", "-Dconfig.file=/data/application.docker.conf" ] helm template . --set yugaware.fips.enabled=false args: [ "bin/yugaware", "-Dconfig.file=/data/application.docker.conf" ] helm deployment with fips enabled, see logs: ``` YW 2025-06-17T22:41:10.343Z [INFO] from AppInit in main - FipsStatus.isReady = true YW 2025-06-17T22:41:10.343Z [INFO] from AppInit in main - CryptoServicesRegistrar.isInApprovedOnlyMode = true YW 2025-06-17T22:41:10.343Z [INFO] from AppInit in main - Following providers are installed: YW 2025-06-17T22:41:10.343Z [INFO] from AppInit in main - 0: BCFIPS YW 2025-06-17T22:41:10.343Z [INFO] from AppInit in main - 1: BCJSSE YW 2025-06-17T22:41:10.343Z [INFO] from AppInit in main - 2: SUN YW 2025-06-17T22:41:10.343Z [INFO] from AppInit in main - AppInit completed ``` Reviewers: anijhawan, amalyshev Reviewed By: anijhawan, amalyshev Subscribers: yugaware Differential Revision: https://phorge.dev.yugabyte.com/D44756
diff --git a/stable/yugaware/templates/statefulset.yaml b/stable/yugaware/templates/statefulset.yaml
@@ -537,7 +537,13 @@ spec:
           resources:
 {{ toYaml .Values.yugaware.resources | indent 12 }}
           {{- end }}
-          args: ["bin/yugaware","-Dconfig.file=/data/application.docker.conf"]
+          args: [
+            "bin/yugaware",
+            {{- if .Values.yugaware.fips.enabled }}
+            "-Dorg.bouncycastle.fips.approved_only=true",
+            {{- end }}
+            "-Dconfig.file=/data/application.docker.conf"
+            ]
           env:
           # Conditionally set these env variables, if runAsUser is not 0(root)
           # or 10001(yugabyte).
diff --git a/stable/yugaware/tests/README.md b/stable/yugaware/tests/README.md
@@ -0,0 +1,19 @@
+# Unit Testing Helm charts
+Unit tests for the yugaware helm charts, which can be used to validate helm templates
+gives us our expected results.
+
+This is leveraging https://github.com/helm-unittest/helm-unittest
+
+See https://github.com/quintush/helm-unittest/blob/master/DOCUMENT.md for details on creating new
+tests
+
+## Install
+```
+$ helm plugin install https://github.com/helm-unittest/helm-unittest.git
+```
+
+## Run tests
+```
+$ cd stable/yugabyte
+$ helm unittest -f "tests/test_*.yaml" .
+```
diff --git a/stable/yugaware/tests/test_fips.yaml b/stable/yugaware/tests/test_fips.yaml
@@ -0,0 +1,24 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/quintush/helm-unittest/master/schema/helm-testsuite.json
+suite: fips enable and disable
+templates:
+- templates/statefulset.yaml
+tests:
+- it: FIPS enabled
+  set:
+    yugaware:
+      fips:
+        enabled: true
+  asserts:
+  - contains: 
+      path: spec.template.spec.containers[?(@.name == "yugaware")].args
+      content: "-Dorg.bouncycastle.fips.approved_only=true"
+- it: FIPS disabled
+  set:
+    yugaware:
+      fips:
+        enabled: false
+  asserts:
+  - contains: 
+      path: spec.template.spec.containers[?(@.name == "yugaware")].args
+      content: "-Dorg.bouncycastle.fips.approved_only=true"
+    not: true
diff --git a/stable/yugaware/values.yaml b/stable/yugaware/values.yaml
@@ -130,6 +130,10 @@ yugaware:
   # Crash YBA if operator thread is not initialised correctly
   kubernetesOperatorCrashOnFailure: true
 
+  fips:
+    # Enable FIPS mode for YugabyteDB Anywhere.
+    enabled: false
+
   # Create an initial user for YugabyteDB Anywhere. A user is required for YBA workflows.
   defaultUser:
     enabled: false
