fix(fips): ensure custom registries cannot use HTTP without TLS BE-12511 (#1885)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>

api/crypto/tls.go

@@ -92,7 +92,9 @@ func CreateTLSConfigurationFromDisk(config portainer.TLSConfiguration) (*tls.Con
 }
 
 func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
-	if !config.TLS {
+	if !config.TLS && fipsEnabled {
+		return nil, fips.ErrTLSRequired
+	} else if !config.TLS {
 		return nil, nil
 	}
 

pkg/fips/fips.go

@@ -2,6 +2,7 @@ package fips
 
 import (
 	"crypto/fips140"
+	"errors"
 	"sync"
 
 	"github.com/rs/zerolog/log"
@@ -11,6 +12,8 @@ var fipsMode, isInitialised bool
 
 var once sync.Once
 
+var ErrTLSRequired = errors.New("TLS configuration is required in FIPS mode")
+
 func InitFIPS(enabled bool) {
 	once.Do(func() {
 		isInitialised = true

pkg/registryhttp/transport.go

@@ -5,6 +5,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/pkg/fips"
 )
 
 // BuildTransportAndSchemeFromTLSConfig returns a base HTTP transport configured
@@ -22,7 +23,9 @@ func BuildTransportAndSchemeFromTLSConfig(tlsCfg portainer.TLSConfiguration) (*h
 
 	baseTransport.TLSClientConfig = tlsConfig
 
-	if tlsConfig == nil {
+	if tlsConfig == nil && fips.FIPSMode() {
+		return nil, "", fips.ErrTLSRequired
+	} else if tlsConfig == nil {
 		return baseTransport, "http", nil
 	}