Analyze FIPS support

[rikatz]

Some folks reached me about FIPS support / compliance specifically when ingress-nginx is used with govt stuff.

I'm not aware on how to deal with this yet (as far as I read we can use some openssl module from specific distro, or compile using BoringSSL) and there is also an nginx inc module to verify this compliance.

Not sure what we should look into here yet, but seems like something that will be requested more in a future :)

/help

/kind feature

[k8s-ci-robot]

@rikatz:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

Some folks reached me about FIPS support / compliance specifically when ingress-nginx is used with govt stuff.

I'm not aware on how to deal with this yet (as far as I read we can use some openssl module from specific distro, or compile using BoringSSL) and there is also an nginx inc module to verify this compliance.

Not sure what we should look into here yet, but seems like something that will be requested more in a future :)

/help

/kind feature

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

@rikatz: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[aledbf]

@rikatz for inspiration :) aledbf@ead3cba
Without OpenSSL 3, the only option is to use 1.0, which is hard to justify, like no tls1.3 support. That said, the other awful thing is the size of the image :(
Have fun!

[aledbf]

Also check this rancher/rke2#659 (comment)

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[rikatz]

/lifecycle frozen
/assign

[stanhu]

See #3543 for discussions on this. I already have changes that can be upstreamed to provide FIPS support, but we would have to decide whether to make UBI the default base image, or provide a separate image.

[slimm609]

Openssl 3.0 is now certified and also available in alpine 3.16 or later. Nginx also supports openssl 3 in 1.22+ and the go code would just need compiled using goboring.

/ # apk search openssl3
openssl3-doc-3.0.5-r0
openssl3-dev-3.0.5-r0
openssl3-libs-static-3.0.5-r0
openssl3-3.0.5-r0
libcrypto3-3.0.5-r0
openssl3-dbg-3.0.5-r0
libssl3-3.0.5-r0

[mitchnielsen]

Also check this rancher/rke2#659 (comment)

Thanks for linking to this, I see this FIPS fork has been well maintained so far:

• "Hardened" branches in ingress-nginx fork
• Patches for ingress-nginx chart

So to check in as an update to Stan's PR that was closed in April 2022: are there currently any plans to upstream these changes to provide more native FIPS support?

[rikatz]

So, something here:
I know there is an image from NGINX INC that builds alpine with FIPS support: https://github.com/nginxinc/alpine-fips/blob/main/Dockerfile

I'm not sure the implication on it, and also probably we need boringcrypto also for Go builds.

On the PR, I'm not sure we want to move away from Alpine, instead I would like to:

• Have an official Openssl FIPS build from Alpine (maybe someone can reach them and check)
• Verify what else we would need to make ingress-nginx FIPS compliant
  I'm right now all heads down on releasing with NGINX v1.25 + some huge backlog of things we need to fix, but I would be very happy and glad if someone can pick this issue and do some experiments with Alpine :)

[rikatz]

/close

We don't have ppl willing to maintain this, and I wont be able to work on it.

[k8s-ci-robot]

@rikatz: Closing this issue.

In response to this:

/close

We don't have ppl willing to maintain this, and I wont be able to work on it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.