emissary
Enable fips mode when building envoy
Description
The following PR enables building envoy/emissary in FIPS mode. This will ensure that the envoy uses FIPS certified cryptographic algorithms when decrypting data.
Developers can set this by using the `export FIPS_MODE=true` option before doing `make update-base`.
Related Issues
https://github.com/emissary-ingress/emissary/issues/4277
Testing
After adding my changes I was able to build envoy using `make update-base`. The resulting image was tagged as a FIPS enabled image:
# docker run -it --entrypoint envoy-static-stripped emissaryingress/base-envoy:envoy-0.-.opt --version
envoy-static-stripped version: 4ce93dc3ace00ae9108b179d0afaceac13f4602a/1.17.4/Modified/RELEASE/BoringSSL-FIPS
Checklist
- [x] I made sure to update `CHANGELOG.md`. Not required
  Remember, the CHANGELOG needs to mention:
  - Any new features
  - Any changes to our included version of Envoy
  - Any non-backward-compatible changes
  - Any deprecations
- [x] This is unlikely to impact how Ambassador performs at scale.
  Remember, things that might have an impact at scale include:
  - Any significant changes in memory use that might require adjusting the memory limits
  - Any significant changes in CPU use that might require adjusting the CPU limits
  - Anything that might change how many replicas users should use
  - Changes that impact data-plane latency/scalability
- [x] My change is adequately tested. Not sure exactly how I can Unit test my changes. I have automations in place that follow the described build steps to create an Envoy image. These images do contain the FIPS suffix at the end of the version. When omitting the option, it generates the appropriate image without the suffix.
  Remember when considering testing:
  - Your change needs to be specifically covered by tests.
  - Tests need to cover all the states where your change is relevant: for example, if you add a behavior that can be enabled or disabled, you'll need tests that cover the enabled case and tests that cover the disabled case. It's not sufficient just to test with the behavior enabled.
  - You also need to make sure that the entire area being changed has adequate test coverage.
  - If existing tests don't actually cover the entire area being changed, add tests.
  - This applies even for aspects of the area that you're not changing – check the test coverage, and improve it if needed!
  - We should lean on the bulk of code being covered by unit tests, but...
  - ... an end-to-end test should cover the integration points
- [x] I updated `DEVELOPING.md` with any special dev tricks I had to use to work on this code efficiently.
- [x] The changes in this PR have been reviewed for security concerns and adherence to security best practices.
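A check for the Testing step and for the enabled/disabled requirement in the checklist, as an added example that is not part of the PR or the emissary repository: it reads the last field of the Envoy `--version` line and compares it with the requested `FIPS_MODE`. The function names and the non-FIPS sample line are assumptions made for illustration; any non-empty `FIPS_MODE` counts as enabled, which is how GNU make evaluates the `$(if $(FIPS_MODE),...)` expression quoted in the review comment.

```shell
#!/bin/sh
# Added example (not project code): gate a build on the TLS-library field
# of Envoy's --version line.

# First line: the output quoted in the PR's Testing section.
# Second line: constructed sample of a build without the FIPS suffix.
FIPS_LINE='envoy-static-stripped version: 4ce93dc3ace00ae9108b179d0afaceac13f4602a/1.17.4/Modified/RELEASE/BoringSSL-FIPS'
PLAIN_LINE='envoy-static-stripped version: 4ce93dc3ace00ae9108b179d0afaceac13f4602a/1.17.4/Modified/RELEASE/BoringSSL'

# Print the last "/"-separated field of a version line (the TLS library).
envoy_ssl_field() {
    printf '%s\n' "${1##*/}"
}

# check_fips_build FIPS_MODE_VALUE VERSION_LINE
# Returns 0 when the binary matches what was requested, 1 on a mismatch,
# 2 when the input does not look like an Envoy version line.
check_fips_build() {
    mode=$1
    # "docker run -it" allocates a TTY, so the captured line may end in CR.
    line=$(printf '%s' "$2" | tr -d '\r')
    case $line in
        *' version: '*/*/*/*/*) ;;
        *) return 2 ;;
    esac
    ssl=$(envoy_ssl_field "$line")
    if [ -n "$mode" ]; then
        # Non-empty means enabled, so FIPS_MODE=false also requests FIPS.
        case $ssl in *-FIPS) return 0 ;; *) return 1 ;; esac
    else
        # FIPS not requested: a FIPS-suffixed binary is a mismatch.
        case $ssl in *-FIPS) return 1 ;; *) return 0 ;; esac
    fi
}

# Demonstration on the sample lines above.
check_fips_build true "$FIPS_LINE" && echo "FIPS requested, FIPS binary: ok"
check_fips_build true "$PLAIN_LINE" || echo "FIPS requested, plain binary: rejected"
check_fips_build "" "$FIPS_LINE" || echo "FIPS not requested, FIPS binary: rejected"
```

In a build pipeline, pass the captured output of the `--version` command shown under Testing as the second argument instead of the sample lines.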
@LukeShu I updated `DEVELOPING.md` with better messaging around what is supported. Also removed the release note.
@bathina2 @kflynn
I had made a change in https://github.com/emissary-ingress/emissary/pull/4377/commits/38f9fd62d324efddb151e9d61b6e6000d1df25c4 in order for CI to pass.
I noticed that if `.$(if $(FIPS_MODE),FIPS,noFIPS)` was set we would be looking for builds with `.noFIPS` which we don't have. I modified this to `$(if $(FIPS_MODE),.FIPS)` to prevent CI failures.
@bathina2 Could you please pull in this change and also revise your commit history to a single commit?
@ddymko Thanks for the review and suggestions. I added your changes and squashed everything into a single commit.