
Conversation

@rrbadiani
Member

Summary

This PR adds support for configuring FIPS mode level (140-2 or 140-3) and kernel-level FIPS enforcement.

Changes

  • Added fips_mode variable to configure FIPS 140-2 or FIPS 140-3 (defaults to fips-140-3 for CP 8.2+)
  • Added fips_kernel_level_enabled flag for kernel-level FIPS enforcement (defaults to false)
  • Added fips_reboot_timeout variable for reboot timeout configuration (defaults to 600 seconds)
  • Added validation for fips_mode values to ensure only valid values (fips-140-2, fips-140-3) are accepted
  • Implemented kernel-level FIPS setup with fips-mode-setup --enable command
  • Added automatic reboot and wait logic when kernel FIPS is enabled
  • Configured enable.fips.mode property for kafka_controller and kafka_broker

Testing

  • Verify FIPS mode configuration with valid values
  • Test kernel-level FIPS setup and reboot process
  • Validate that invalid fips_mode values are rejected

JIRA

https://confluentinc.atlassian.net/browse/ANSIENG-5777
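The procedure the description lists (validate `fips_mode`, run `fips-mode-setup --enable`, reboot and wait, then continue) as a single Ansible task file. This is an added illustration, not cp-ansible's own tasks from this PR: it uses only the variable names the PR names (`fips_mode`, `fips_kernel_level_enabled`, `fips_reboot_timeout`) and adds one check the description does not mention, reading `/proc/sys/crypto/fips_enabled` after the reboot so the play fails if the kernel did not actually come up in FIPS mode. The `fips-mode-setup --check` output string matched below is the RHEL-family wording and is an assumption about the target OS. Note that a later commit in this same PR removes the kernel-level step and manages crypto policies only, so the reboot tasks here illustrate the originally described behaviour rather than the merged result.

```yaml
# Added example (not cp-ansible code): kernel-level FIPS enablement with a
# post-reboot verification step. Variable names follow the PR description.
- name: Validate fips_mode (only fips-140-2 and fips-140-3 are accepted)
  ansible.builtin.assert:
    that:
      - fips_mode in ['fips-140-2', 'fips-140-3']
    fail_msg: "fips_mode must be fips-140-2 or fips-140-3, got '{{ fips_mode }}'"

- name: Check whether the kernel is already in FIPS mode
  ansible.builtin.command: fips-mode-setup --check
  register: fips_check
  changed_when: false
  failed_when: false
  become: true
  when: fips_kernel_level_enabled | bool

- name: Enable kernel-level FIPS mode (assumes RHEL-family output wording)
  ansible.builtin.command: fips-mode-setup --enable
  register: fips_enable
  become: true
  when:
    - fips_kernel_level_enabled | bool
    - "'FIPS mode is enabled' not in fips_check.stdout"

# fips-mode-setup only takes effect after a reboot; wait up to
# fips_reboot_timeout seconds (the PR's default of 600 matches the module's).
- name: Reboot so the kernel starts in FIPS mode
  ansible.builtin.reboot:
    reboot_timeout: "{{ fips_reboot_timeout | default(600) }}"
  become: true
  when: fips_enable is changed

# Verification step not in the PR description: the kernel flag is the
# authoritative signal, independent of what the tooling reported.
- name: Read the kernel FIPS flag
  ansible.builtin.slurp:
    src: /proc/sys/crypto/fips_enabled
  register: fips_flag
  when: fips_kernel_level_enabled | bool

- name: Fail if the kernel is not in FIPS mode after reboot
  ansible.builtin.assert:
    that:
      - (fips_flag.content | b64decode | trim) == '1'
    fail_msg: "fips_kernel_level_enabled is true but /proc/sys/crypto/fips_enabled is not 1"
  when: fips_kernel_level_enabled | bool
```

The `fips_mode` assertion runs unconditionally so a typo such as `fips-140-3 ` with trailing whitespace or `fips_140_3` fails fast before any host is touched; the kernel tasks are gated on `fips_kernel_level_enabled` so the default (`false`) path never reboots anything. Setting `enable.fips.mode` in the broker and controller properties, which the PR also does, is a separate application-layer switch and is not replaced by the kernel flag.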

…pport

- Add fips_mode variable to configure FIPS 140-2 or FIPS 140-3
- Add fips_kernel_level_enabled flag for kernel-level FIPS enforcement
- Add fips_reboot_timeout variable for reboot timeout configuration
- Add validation for fips_mode values (fips-140-2, fips-140-3)
- Implement kernel-level FIPS setup with fips-mode-setup command
- Add automatic reboot and wait logic when kernel FIPS is enabled
- Configure enable.fips.mode property for kafka_controller and kafka_broker
@rrbadiani rrbadiani requested a review from a team as a code owner December 18, 2025 13:03
rrbadiani and others added 5 commits December 18, 2025 21:02
…block

Remove kernel-level FIPS setup that required system reboot and fips-mode-setup --enable command. This simplifies FIPS configuration by only managing crypto policies without kernel-level enforcement.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Updates FIPS molecule test scenarios to use LDAPS (ldaps://ldap1:636) instead of plain LDAP (ldap://ldap1:389) for enhanced security. Configures custom SSL certificates for LDAP server and updates verification tests accordingly.