Does Contour support FIPS-allowed encryption?

[javsalgar]

Please describe the problem you have

Some applications like Elasticsearch have a FIPS mode that forces the application to use FIPS-compliant encryption mechanisms (https://www.elastic.co/guide/en/elasticsearch/reference/current/fips-140-compliance.html). I didn't see here (https://projectcontour.io/guides/tls/) if it is possible to allow something similar to Contour. Looking a bit further it seems that Envoy does allow it (https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2), could you confirm if that would be enough or it is necessary to enable anything else on the Contour side.

[jpeach]

If you bring a FIPS-compliant Envoy image to your deployment, then everything should work fine. The only potential issue that I can think of is whether the cipher suite that Contour configures is allowed in FIPS (I suspect that it should be OK).

[sunjayBhatia]

See #3347

[youngnick]

I'm not sure (I'm no FIPS expert), but it looks like in order to be able to have a FIPS-compliant Contour install, you need three things:

• A FIPS compliant Envoy. Looking around, it seems likely that if you're doing FIPS, you'll need to do this yourself. Envoy itself doesn't publish a FIPS-compliant container (see FIPS compliant version of docker image in docker repository envoyproxy/envoy#8107), nor can you use getenvoy to do it (see FIPS Compliant Envoy Build for centos 7 & ubuntu tetratelabs-attic/getenvoy-package#20).
• Contour must be compiled using a FIPS-compliant Go version. Currently we don't provide this, but it looks like we may be able to provide an alternate Docker file (and possibly image) by using the dev.boringcrypto Go branch, which has a Docker build image availabel at goboring/golang.
• Contour must be able to be configured to only use FIPS-compliant TLS ciphers. This is enabled by Add global TLS cipher suites configurability #3292.

To wrap this up, we will probably need a guide in the website guides section for what to do to end up with a FIPS-compliant Contour, and possibly have something in the Operator eventually.

[sunjayBhatia]

I can write up a guide to start with, depending on how that works we can assess if we want to provide more resources (scripts, docker images, etc.)

[sunjayBhatia]

Or @youngnick if you want go for it since you self assigned!

[youngnick]

No, I'm happy for you to take this one @sunjayBhatia!

[sunjayBhatia]

Started work on this but will not be done for 1.13 so moving to 1.14

[sunjayBhatia]

One step: #3406

[sunjayBhatia]

See #3446 for a guide on Contour and FIPS, please give feedback if you have it!

[sunjayBhatia]

See https://projectcontour.io/guides/fips/