Skip to main content
logoTetrate Enterprise Gateway for Envoy (TEG)Version: v1.1.x

Verify FIPS Image

This guide explains how to verify the FIPS compliance of the installed artifacts in Tetrate Enterprise Gateway for Envoy (TEG).

Tetrate Envoy Gateway

For teg-envoy-gateway, you can verify the FIPS compliance by checking the presence of GOLANG_VERSION: go1.21.11 X:boringcrypto in the version command output.

kubectl exec -it -n envoy-gateway-system deployment/teg-envoy-gateway -- /usr/local/bin/teg-envoy-gateway version

Output:

TEG_ENVOY_GATEWAY_VERSION: v1.1.0
GIT_COMMIT_ID: afd3bc3bb1d1708f4401b82bae3ceb3fb7b5b71b
GOLANG_VERSION: go1.21.12 X:boringcrypto

Envoy Gateway

For envoy-gateway, you can verify the FIPS compliance by checking the presence of GOLANG_VERSION: go1.21.11 X:boringcrypto in the version command output.

kubectl exec -it -n envoy-gateway-system deployment/envoy-gateway -- /usr/local/bin/envoy-gateway version

Output:

ENVOY_GATEWAY_VERSION: v1.1.0
ENVOY_PROXY_VERSION: distroless-v1.31.0
GATEWAYAPI_VERSION: v1.1.0
GIT_COMMIT_ID: 8db8fa7cc4bbe1c747f5798637100878acb0555c
GOLANG_VERSION: go1.22.5 X:boringcrypto

Envoy Proxy

Note: The envoy proxy will only be deployed if a Gateway resource is created. You can follow the Expose Your Application guide to create a Gateway resource and deploy the envoy proxy.

For the envoy binary, the correctness of the FIPS build can be verified by checking the presence of BoringSSL-FIPS in the --version output.

kubectl -n envoy-gateway-system exec -it deployments/envoy-httpbin-dedicated-gateway-c4239473 -c envoy -- /usr/local/bin/envoy --version

Output:

/usr/local/bin/envoy  version: 7b8baff1758f0a584dcc3cb657b5032000bcb3d7/1.31.0/Distribution/envoyproxy/envoy/RELEASE/BoringSSL-FIPS

Ratelimit

For ratelimit, you can verify the FIPS compliance by checking the presence of go1.22.2 X:boringcrypto in the go version ratelimit command output.

First, you can check the image used in the envoy-ratelimit deployment is fips-containers.teg.tetratelabs.com/ratelimit:master-fips.

kubectl -n envoy-gateway-system get deployment  envoy-ratelimit -o jsonpath="{.spec.template.spec.containers[0].image}"

Output:

fips-containers.teg.tetratelabs.com/ratelimit:master-fips

Then, pull the ratelimit image, run a container from the image, copy the binary out of the container, and run the go version ratelimit command to verify the FIPS compliance.

Note: You need to login to the Tetrate Container Registry before pulling the image.

#pull image
docker pull fips-containers.teg.tetratelabs.com/ratelimit:master-fips

# copy binary out of image
id=$(docker create fips-containers.teg.tetratelabs.com/ratelimit:master-fips)
docker cp $id:/bin/ratelimit ./

# verify that the binary is fips compatible
go version ratelimit

Output:

ratelimit: go1.22.4 X:boringcrypto

TLS Version and Cipher Suite

You can verify the TLS version and cipher suite are FIPS-compliant by connecting to the Envoy Gateway xDS server using the openssl CLI.

First, port-forward the Envoy Gateway xDS server to your local machine.

kubectl -n envoy-gateway-system port-forward  services/envoy-gateway 18000:18000 &

Next, connect to the Envoy Gateway xDS server using the openssl CLI.

If specifying the TLS version to tls1_3, the connection will fail because the FIPS-compliant build only supports TLS 1.2.

openssl s_client -connect 127.0.0.1:18000 -tls1_3

You will see the following output, indicating the server does not support the TLS version requested by the client.

... output truncated ...

140525267232064:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1552:SSL alert number 70

... output truncated ...
---

Now, specify the TLS version to tls1_2, and the connection will succeed.

 openssl s_client -connect 127.0.0.1:18000 -tls1_2

You will see the cipher suite used in the output is one of the FIPS-approved cipher suites.

... output truncated ...

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported

... output truncated ...

The FIPS-compliant build of TEG enforces TLS 1.2 and the FIPS-approved cipher suites for both control plane and data plane communications. You can verify the TLS version and cipher suite used in client and backend connections using the same method. Since the verification steps are similar, they are not repeated here.