FIPS validation for cf-deployment
jochenehret opened this issue
We want to validate cf-deployment on a FIPS-compliant stemcell. The validation pipeline has been set up here:
https://concourse.wg-ard.ci.cloudfoundry.org/teams/main/pipelines/fips-stemcell. The PR for the validation pipeline is #1135.
The pipeline uploads the stemcell to be validated and then deploys cf-deployment. Next, it runs the CF smoke-tests and the CF acceptance tests. The pipeline is triggered for each cf-deployment release candidate and for each new stemcell version.
This parent issue will be used to track child issues that are raised for the involved BOSH releases.
Is there an ops file somewhere to enable FIPS compatibility (for example, configuring the CAPI property introduced here: cloudfoundry/capi-release#370)?
We don't yet have an ops file for FIPS compatibility. There is a new config parameter to disable MD5 for the cloud controller:
https://github.com/cloudfoundry/capi-release/blob/389aca282ce32865eb4e39dcab48df680e68e69e/jobs/cloud_controller_ng/spec#L1216
We must wait for a new diego-release that supports the new hashing algorithm as well.
The latest FIPS validation runs are now green, e.g.:
https://concourse.wg-ard.ci.cloudfoundry.org/teams/main/pipelines/fips-stemcell/jobs/fips-cats/builds/66
CATs and CF smoke tests are both passing. We are still using the fips-compliance.yml ops file, however. After major releases of capi/diego we should not need this ops file anymore.