I searched all issues and I was unable to find an answer to my question.
Does nginx-ingress support or will eventually have support for a FIPS 140 mode?
@coreywagehoft you are the first user asking for FIPS support. We need to find out exactly what it requires and how it impacts the nginx image/features.
@aledbf Second user with same question 🙋🏾♂️
@aledbf Make that 3
@aledbf I'm the 4th one.
Update:
I've been trying to compile OpenSSL with FIPS support, but there is no FIPS option for 1.1 until the end of the year: https://www.openssl.org/blog/blog/2018/09/25/fips/
I also tried to build BoringSSL as a static library, but the FIPS build is broken and BoringSSL itself is not FIPS validated.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale
I recently was able to get the ingress controller to compile with OpenSSL with FIPS support on our fork over at manywho/ingress-nginx. It only supports OpenSSL 1.0.2 at the latest though, as 1.1 isn't compatible with the FIPS module.
I've not made a PR yet as it's not been validated in an audit yet, but it might be a start for this?
Please no. We want to support FIPS but only for OpenSSL 1.1
Please check my previous comment https://github.com/kubernetes/ingress-nginx/issues/3543#issuecomment-465626999
@aledbf I am also looking for FIPS enabled in ingress controller. I am 5th one.
Also looking for FIPS enabled in the ingress controller. What is the current status?
There is no change in the status, FIPS support is not present in OpenSSL 1.1.1.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
@fejta-bot: Closing this issue.
FIPS-compliant OpenSSL can be built on Alpine; see the example at https://github.com/NineFX/alpine-fips/blob/master/Dockerfile
@drewwells right, but that means no TLS 1.3 or HTTP/3 (when released in the next nginx iteration). If FIPS support is added, it must support OpenSSL 1.1.X.
You can support either for now by having two separate builds. Then the community can help ensure it has proper FIPS support built in, iterate, and help improve it. The images can later be merged when HTTP/3 is available.
Thank you but I am not interested in that approach.
If someone needs FIPS support right now, they can fork ingress-nginx and build a custom nginx image, adding the OpenSSL compilation just posted in your previous comment to the build.sh script, and then point the ingress controller to use that image here.
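A verification script added here (it is not part of this thread or of the ingress-nginx project) for anyone who builds the custom image described above: it parses `nginx -V` output for the linked OpenSSL version, accepting only a 1.0.2 build with the FIPS module linked in (1.1.x has no FIPS mode, as the thread notes), and, when an openssl binary is on PATH, checks that FIPS mode refuses a non-approved digest. The `nginx -V` texts are constructed samples, and the `OPENSSL_FIPS=1` behaviour assumes the OpenSSL 1.0.2 FIPS Object Module build.

```shell
#!/bin/sh
# Added check script (not from ingress-nginx): does a custom nginx build
# report a FIPS-capable OpenSSL (1.0.2 + FIPS module, version text ends "-fips")?

# Constructed sample of `nginx -V 2>&1` from a hypothetical custom image.
SAMPLE_FIPS_BUILD='nginx version: nginx/1.15.9
built by gcc 8.2.0 (Alpine 8.2.0)
built with OpenSSL 1.0.2r-fips  26 Feb 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module'

# Constructed sample of a stock 1.1.x build for comparison (no FIPS module).
SAMPLE_STOCK_BUILD='nginx version: nginx/1.15.9
built with OpenSSL 1.1.1b  26 Feb 2019
TLS SNI support enabled'

# Print the OpenSSL version token (e.g. "1.0.2r-fips") from `nginx -V` text on stdin.
openssl_version_from_nginx_v() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# 0 when the token is a 1.0.2 build with the FIPS module linked in.
# Any 1.1.x token fails: no FIPS module exists for that branch.
is_fips_capable_version() {
    case "$1" in
        1.0.2*-fips) return 0 ;;
        *) return 1 ;;
    esac
}

# Feed `nginx -V` output on stdin; 0 if the build is FIPS-capable.
check_nginx_v() {
    ver=$(openssl_version_from_nginx_v)
    [ -n "$ver" ] && is_fips_capable_version "$ver"
}

# Live check (assumes the 1.0.2 FIPS build, where OPENSSL_FIPS=1 makes the
# openssl app enter FIPS mode): MD5 must then be refused. 2 if no openssl binary.
fips_mode_rejects_md5() {
    command -v openssl >/dev/null 2>&1 || return 2
    if OPENSSL_FIPS=1 openssl md5 /dev/null >/dev/null 2>&1; then
        return 1   # MD5 succeeded, so FIPS mode is not enforced
    fi
    return 0
}

# Stand-alone use: inspect the live nginx binary if present, else the sample.
if command -v nginx >/dev/null 2>&1; then
    nginx -V 2>&1 | check_nginx_v && echo "nginx: FIPS-capable OpenSSL" || echo "nginx: not FIPS-capable"
else
    printf '%s\n' "$SAMPLE_FIPS_BUILD" | check_nginx_v && echo "sample: FIPS-capable OpenSSL"
fi
```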
Did anyone ever find a recommended way to do this or is ingress-nginx a non-starter for FIPS right now?