Added HTTP Check for FIPS endpoint #1990
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Yeah, that could be the case. I need to test to make sure its not throwing an error, and is always using the non FIPS endpoint. |
|
This is going to be obsolete after #2000, which removes the dependency on ECR entirely. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
#1984
Description of changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
There is a bug when you have enabled FIPS on the image, in a region with FIPS endpoints, and have VPC endpoints enabled. The issue is that the check implemented in #1524 , checks to see if the FIPS endpoint resolves. In an isolated environment, the endpoint does resolve. But, there is not a FIPS enabled ECR VPC endpoint available. I switched the check from being a DNS request, to a HTTP call.
Testing Done
I used packer to build an Al2023 node with FIPS enabled to test. I also used the same code in a RHEL build downstream.
See this guide for recommended testing for PRs. Some tests may not apply. Completing tests and providing additional validation steps are not required, but it is recommended and may reduce review time and time to merge.