Operator panic in FIPS mode due to MD5 usage in SCRAM credential generation #1709

tip226 opened this issue Apr 16, 2025 · 0 comments
tip226 commented Apr 16, 2025

What did you do to encounter the bug?
Steps to reproduce the behavior:

  1. Followed this guide up until "Create the MongoDB deployment".
  2. Deployed a MongoDBCommunity resource with TLS and SCRAM-SHA-256 enabled:

     ```yaml
     apiVersion: mongodbcommunity.mongodb.com/v1
     kind: MongoDBCommunity
     metadata:
       name: mongodb-replica-set
     spec:
       type: ReplicaSet
       members: 3
       version: "6.0.20-dev"
       security:
         tls:
           enabled: true
           certificateKeySecretRef:
             name: mongodb-tls
           caConfigMapRef:
             name: ca-config-map
         authentication:
           modes: ["SCRAM-SHA-256"]
       users:
         - name: my-user
           db: admin
           passwordSecretRef:
             name: my-user-password
           scramCredentialsSecretName: my-scram
           roles:
             - { name: clusterAdmin,           db: admin }
             - { name: userAdminAnyDatabase,   db: admin }
             - { name: readWriteAnyDatabase,   db: admin }
             - { name: dbAdminAnyDatabase,     db: admin }
       statefulSet:
         spec:
           template:
             spec:
               containers:
                 - name: mongodb-agent
                   env:
                     - name: GODEBUG
                       value: "fips140=off"
     ```
  3. On deployment, the operator crashed with an OpenSSL FIPS error during SCRAM credential generation.

What did you expect?
The operator should successfully generate SCRAM credentials and bring up a functional MongoDB replica set with TLS and authentication enabled.


What happened instead?
The operator panicked while generating credentials using MD5, which is disallowed in FIPS mode. This caused the controller to crash with OpenSSL EVP_DigestInit_ex errors.


Relevant Logs

```
panic: EVP_DigestInit_ex
openssl error(s):
error:0308010C:digital envelope routines::unsupported
error:03000086:digital envelope routines::initialization error

goroutine 242 [running]:
...
github.com/mongodb/mongodb-kubernetes-operator/pkg/authentication/scramcredentials.md5Hex
```

Operator Information

  • Operator Version: 0.13.0
  • MongoDB Image: quay.io/mongodb/mongodb-kubernetes-operator (FIPS-variant)

Kubernetes Cluster Information

  • Distribution: k3d
  • Version: v5.8.3
  • Image Registry: Internal registry

Additional context
To work around this, we patched the operator code to use SHA-256 instead of MD5 in SCRAM credential generation. TLS and authentication then worked as expected under FIPS mode.

