replicatedhq / kURL

Production-grade, airgapped Kubernetes installer combining upstream k8s with overlays and popular components
https://kurl.sh
Apache License 2.0
750 stars 79 forks

Support FIPS 140-2 based deployment of Contour #2042

Closed BretFisher closed 1 year ago

BretFisher commented 3 years ago

Feature Request: kURL supports the option to deploy Contour/Envoy in FIPS 140-2 mode.

Contour and Envoy support a custom build option to use BoringSSL as the cryptographic module for both tools. According to the Contour documentation:

For a fully FIPS compliant deployment of Contour a few things are required:

  • Contour must be compiled with a FIPS validated cryptographic module
  • Envoy must be compiled with a FIPS validated cryptographic module
  • Contour must be configured to use FIPS-approved cryptographic algorithms

References https://projectcontour.io/guides/fips/ https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl https://boringssl.googlesource.com/boringssl/

kwsorensen commented 3 years ago

Thank you for filing an issue on GitHub.

Are you interested in contributing a PR to fix this issue?

If not do you have any additional information that would be helpful in prioritization?

BretFisher commented 3 years ago

I'm happy to look at the add-on model for submitting a PR, but first I think it's worth discussing if that would even help. This ticket isn't as easy as "simply add a 2nd Contour option"... it requires new custom builds of Envoy and Contour with those FIPS crypto modules.

I don't know enough about the kURL project yet to know where it's pulling project images from, or if Replicated is hosting any custom-built forks of CNCF projects like this. I'd be happy to work on implementing the documentation references I linked to above, but I wouldn't want to host the forks or images myself.

kwsorensen commented 3 years ago

I'm going to bring this up at our community meeting this Friday. You are more than welcome to join - https://hackmd.io/0D8FO93JT9mIhmHz2okaww?view.

BretFisher commented 3 years ago

Sure!

emosbaugh commented 3 years ago

Hi @BretFisher.

Work is being done to allow for overriding images in the kurl spec. This should cover the first two bullets. It is still not possible to patch the contour container definition to configure it to use FIPS-approved cryptographic algorithms.

https://github.com/replicatedhq/ekco/pull/33 https://github.com/replicatedhq/kURL/pull/2107 https://github.com/replicatedhq/kURL/pull/2109

BretFisher commented 3 years ago

Great, any doc updates on how to use overrides?

emosbaugh commented 3 years ago

There is no public facing documentation as of now but I will get that work prioritized.

You will have to enable the ekco addon.

Below is example yaml:

```yaml
apiVersion: "cluster.kurl.sh/v1beta1"
kind: "Installer"
metadata:
  name: "imageoverride"
spec:
  ekco:
    podImageOverrides:
      - projectcontour/contour:v1.18.0=myregistry/contour:v1.18.0-fips
```

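The override entries above are `source=replacement` strings that ekco applies to container images. The following is an added example (not kURL or ekco code) that validates such entries and dry-runs them against a constructed set of pod container images, so a mis-typed tag or an override that never matches anything is caught before an install. It assumes exact string matching on the image reference, which is what the `v1.18.0` in the example implies; the precise matching rules ekco uses are not stated on this page. The image names, pod names and the `_IMAGE_RE` grammar are the example's own.

```python
"""Validate and dry-run ekco-style podImageOverrides entries.

Added example, not kURL/ekco code. Assumes the `source=replacement` form shown
in the issue and exact string matching on the container image reference.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the list from spec.ekco.podImageOverrides in an Installer.
OVERRIDES = [
    "projectcontour/contour:v1.18.0=myregistry/contour:v1.18.0-fips",
    "docker.io/envoyproxy/envoy:v1.19.1=myregistry/envoy:v1.19.1-fips",
]

# Constructed sample: "pod/container" -> image, as seen on running pods.
# The envoy pod carries a shutdown-manager sidecar built from the contour image.
POD_IMAGES = {
    "contour-6d9b7c8f4-abcde/contour": "projectcontour/contour:v1.18.0",
    "envoy-xk2lp/envoy": "docker.io/envoyproxy/envoy:v1.19.1",
    "envoy-xk2lp/shutdown-manager": "projectcontour/contour:v1.18.0",
    "kotsadm-0/kotsadm": "kotsadm/kotsadm:v1.50.0",
}

# Loose image-reference grammar: registry[:port]/path, then :tag and/or @digest.
# A pinned reference (tag or digest) is required so an override cannot silently
# float to whatever "latest" resolves to at install time.
_IMAGE_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._-]*(?::[0-9]+)?(?:/[a-z0-9][a-z0-9._-]*)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_override(entry: str) -> Tuple[str, str]:
    """Split 'source=replacement', rejecting malformed or unpinned references."""
    if entry.count("=") != 1:
        raise ValueError(f"expected exactly one '=' in override: {entry!r}")
    src, dst = (part.strip() for part in entry.split("="))
    for label, ref in (("source", src), ("replacement", dst)):
        m = _IMAGE_RE.match(ref)
        if not m:
            raise ValueError(f"{label} is not a valid image reference: {ref!r}")
        if not (m.group("tag") or m.group("digest")):
            raise ValueError(f"{label} must be pinned by tag or digest: {ref!r}")
    return src, dst


def apply_overrides(pod_images: Dict[str, str], overrides: List[str]):
    """Rewrite images by exact match.

    Returns (rewritten "pod/container" -> image map, list of override sources
    that matched no running container). An unmatched source usually means the
    tag in the spec does not equal the tag the add-on actually deploys.
    """
    mapping = dict(parse_override(e) for e in overrides)
    rewritten = {k: mapping.get(v, v) for k, v in pod_images.items()}
    used = {v for v in pod_images.values() if v in mapping}
    unmatched = [src for src in mapping if src not in used]
    return rewritten, unmatched


if __name__ == "__main__":
    result, missing = apply_overrides(POD_IMAGES, OVERRIDES)
    for key, image in result.items():
        print(f"{key}: {image}")
    if missing:
        print("overrides that matched nothing:", missing)
```

The override only swaps the image reference; it does nothing to confirm that the replacement is actually a FIPS build. That check is separate: for a Go binary such as Contour built with BoringCrypto, `go tool nm <binary> | grep -i goboringcrypto` should list symbols, and a FIPS Envoy build reports `BoringSSL-FIPS` in its `envoy --version` output. Note also that the third requirement from the Contour FIPS guide (configuring FIPS-approved algorithms) is a Contour configuration change that an image override does not address.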
BretFisher commented 2 years ago

@emosbaugh bump on the docs request for podImageOverrides.

emosbaugh commented 2 years ago

2753 Adding podImageOverrides to tests in anticipation of documenting.

emosbaugh commented 2 years ago

Apologies @BretFisher . I was off on family leave for an extended period of time. I've got a PR https://github.com/replicatedhq/kurl.sh/pull/737 which I will merge once I am happy with tests.

emosbaugh commented 2 years ago

Docs have been released https://kurl.sh/docs/add-ons/ekco#pod-image-overrides

camilamacedo86 commented 1 year ago

Hi @emosbaugh,

I am closing this one because everything appears to be sorted out. However, if you see that there is anything else we should do here, please re-open it.