Giters

cloudfoundry / cf-deployment

The canonical open source deployment manifest for Cloud Foundry

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

FIPS validation for cf-deployment

jochenehret opened this issue · comments

commented

We want to validate cf-deployment on a FIPS compliant stemcell. The validation pipeline has been set up here:
https://concourse.wg-ard.ci.cloudfoundry.org/teams/main/pipelines/fips-stemcell. PR for validation pipeline is #1135.

The pipeline uploads the stemcell to be validated and then deploys cf-deployment. Next, it runs the CF smoke-tests and the CF acceptance tests. The pipeline is triggered for each cf-deployment release candidate and for each new stemcell version.

This parent issue will be used to track child issues that are raised for the involved BOSH releases.

Issues
Beta Give feedback
  1. pre-start script of uaa-release fails on FIPS stemcell uaa-release#722
    accepted
  2. Support FIPS compliant BC uaa#2230
    accepted
  3. credhub-release fails on FIPS compliant Jammy stemcell pivotal/credhub-release#174
  4. Fix init keystore template for Jammy FIPS stemcell pivotal/credhub-release#177
  5. Bump openssl to v3.2.0 cloud_controller_ng#3541
  6. Bump default key length to 2048 and change fingerprint to SHA1 cloud_controller_ng#3555
  7. Issues running CC with fips stemcells cloud_controller_ng#3542
  8. FIPS validation: OpenSSL::Digest::MD5 cannot be used cloud_controller_ng#3544
  9. Use xxHash in Rate Limiter cloud_controller_ng#3557
  10. Support Content-Digest header in StagingsController cloud_controller_ng#3558
  11. [FIPS] CF-StagerError: 170011: Stager error: Digest initialization failed: initialization error cloud_controller_ng#3561
  12. Use xxhash64 instead of MD5 when calculating buildpack paths cloud_controller_ng#3562
  13. [FIPS] Use xxhash64 to calculate buildpack paths buildpackapplifecycle#65
    winkingturtle-vmw
  14. Use SHA algorithm for content digest in URLUploader diego-release#896
    bug
  15. switch to using digest-xxhash cloud_controller_ng#3609
  16. Ensure proxy app uses golang 1.21 for FIPS 140-3 compatiblity cf-acceptance-tests#1046
  17. fix: Set goversion in app manifests to Go 1.21 cf-acceptance-tests#1047
commented

Is there an ops file somewhere to enable FIPS compatibility (for example, configuring the CAPI property introduced here: cloudfoundry/capi-release#370)?

commented

We don't yet have an ops file for FIPS compatibility. There is a new config parameter to disable MD5 for the cloud controller:
https://github.com/cloudfoundry/capi-release/blob/389aca282ce32865eb4e39dcab48df680e68e69e/jobs/cloud_controller_ng/spec#L1216
We must wait for a new diego-release that supports the new hashing algorithm as well.

commented

The latest FIPS validation runs are now green, e.g.:
https://concourse.wg-ard.ci.cloudfoundry.org/teams/main/pipelines/fips-stemcell/jobs/fips-cats/builds/66
CATs and CF smoke tests are both passing. We are still using the fips-compliance.yml ops file, however. After major releases of capi/diego we should not need this ops file anymore.