Contour: Does Contour support FIPS-allowed encryption?

Created on 3 Sep 2020  路  10Comments  路  Source: projectcontour/contour

Please describe the problem you have

Some applications like Elasticsearch have a FIPS mode that forces the application to use FIPS-compliant encryption mechanisms (https://www.elastic.co/guide/en/elasticsearch/reference/current/fips-140-compliance.html). I didn't see here (https://projectcontour.io/guides/tls/) if it is possible to allow something similar to Contour. Looking a bit further it seems that Envoy does allow it (https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2), could you confirm if that would be enough or it is necessary to enable anything else on the Contour side.

kinquestion

Most helpful comment

I'm not sure (I'm no FIPS expert), but it looks like in order to be able to have a FIPS-compliant Contour install, you need three things:

  • A FIPS compliant Envoy. Looking around, it seems likely that if you're doing FIPS, you'll need to do this yourself. Envoy itself doesn't publish a FIPS-compliant container (see envoyproxy/envoy#8107), nor can you use getenvoy to do it (see tetratelabs/getenvoy-package#20).
  • Contour must be compiled using a FIPS-compliant Go version. Currently we don't provide this, but it looks like we may be able to provide an alternate Docker file (and possibly image) by using the dev.boringcrypto Go branch, which has a Docker build image availabel at goboring/golang.
  • Contour must be able to be configured to only use FIPS-compliant TLS ciphers. This is enabled by #3292.

To wrap this up, we will probably need a guide in the website guides section for what to do to end up with a FIPS-compliant Contour, and possibly have something in the Operator eventually.

All 10 comments

If you bring a FIPS-compliant Envoy image to your deployment, then everything should work fine. The only potential issue that I can think of is whether the cipher suite that Contour configures is allowed in FIPS (I suspect that it should be OK).

I'm not sure (I'm no FIPS expert), but it looks like in order to be able to have a FIPS-compliant Contour install, you need three things:

  • A FIPS compliant Envoy. Looking around, it seems likely that if you're doing FIPS, you'll need to do this yourself. Envoy itself doesn't publish a FIPS-compliant container (see envoyproxy/envoy#8107), nor can you use getenvoy to do it (see tetratelabs/getenvoy-package#20).
  • Contour must be compiled using a FIPS-compliant Go version. Currently we don't provide this, but it looks like we may be able to provide an alternate Docker file (and possibly image) by using the dev.boringcrypto Go branch, which has a Docker build image availabel at goboring/golang.
  • Contour must be able to be configured to only use FIPS-compliant TLS ciphers. This is enabled by #3292.

To wrap this up, we will probably need a guide in the website guides section for what to do to end up with a FIPS-compliant Contour, and possibly have something in the Operator eventually.

I can write up a guide to start with, depending on how that works we can assess if we want to provide more resources (scripts, docker images, etc.)

Or @youngnick if you want go for it since you self assigned!

No, I'm happy for you to take this one @sunjayBhatia!

Started work on this but will not be done for 1.13 so moving to 1.14

See https://github.com/projectcontour/contour/pull/3446 for a guide on Contour and FIPS, please give feedback if you have it!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

annismckenzie picture annismckenzie  路  3Comments

phylake picture phylake  路  7Comments

stevesloka picture stevesloka  路  6Comments

seemiller picture seemiller  路  4Comments

phylake picture phylake  路  4Comments