Closed im-konge closed 1 week ago
@im-konge thanks for reporting this issue. Looking at the stacktrace, it seems that this is triggered by the SDKs (AWS SDK in this case). We may need to check what options are provided by the SDKs, e.g. for AWS I found this: https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html
Unlike standard AWS endpoints, FIPS endpoints use a TLS software library that complies with FIPS 140-2. If this setting is enabled and a FIPS endpoint does not exist for the service in your AWS Region, the AWS call may fail.
Could you check if adding AWS_USE_FIPS_ENDPOINT is enough?
Will try that and I'll let you know, thanks for checking it :)
After investigation, I found it's because the secret key length we set is too short, which is not compliant with FIPS. After increasing the secret key size, everything works fine. We can close this issue now. Thanks.
What happened?
During our testing of the Kafka TieredStorage feature with the Aiven plugin, S3 bucket and Minio, we discovered that when we try to use the plugin on an OCP cluster where FIPS is enabled, the plugin throws exceptions about issues around security. After investigation done by @showuon, it seems that the issue is with FIPS and the whole security behind it. We are getting the following exception:
For the full log from the Kafka broker, please see the attachment - logs-pod-cluster-def7af46-b-f2b5e74c-0-container-kafka.log
The plugin works perfectly on any other cluster that doesn't have FIPS enabled.
What did you expect to happen?
The expected output is to have data stored on the particular S3 storage even when FIPS is enabled.
What else do we need to know?
OCP - 4.15
Kafka - 3.7.1
Aiven plugin version - 2024-04-02-1712056402
Thanks a lot for looking into this :)