Install FIPS-validated builds of Tetrate Enterprise Gateway for Envoy (TEG) distribution
Tetrate Enterprise Gateway for Envoy (TEG) images are available to TEG Subscription customers. These images are hosted in a special FIPS repository. To access the FIPS repository, you will need a username and password, which you can obtain from your Tetrate representative.
Note: The FIPS-validated builds of Tetrate Enterprise Gateway for Envoy (TEG) is not available for the latest version. It's only provided for specific versions after 1.1.0. This guide uses version 1.1.0 as an example.
Before you begin
You need a Kubernetes cluster along with the kubectl
and helm
command-line tools installed and configured to connect to the cluster.
Note: Refer to the Compatibility Matrix for supported Kubernetes versions.
You will also need credentials from Tetrate to access Tetrate's FIPS repository.
Install Tetrate Enterprise Gateway for Envoy (TEG) using Helm
Create a kubernetes secret with your Tetrate FIPS registry credentials
We'll create a secret named tetrate-fips-creds to access the Tetrate FIPS images repository, using the username and password provided by Tetrate.
Make sure that you have set the credentials as environment variable:
export TEG_USER="<teg-username>"
export TEG_PASS="<teg-password>"
kubectl create namespace envoy-gateway-system
kubectl create secret docker-registry tetrate-fips-creds \
--docker-server="fips-containers.teg.tetratelabs.com" \
--docker-username=${TEG_USER} \
--docker-password=${TEG_PASS} \
--docker-email="${USER}@" \
-n envoy-gateway-system
Create a values file for the TEG Helm chart to use the FIPS images
Create a file named values.yaml with the following content, or add the content to your existing values file:
deployment:
tegEnvoyGateway:
image:
repository: fips-containers.teg.tetratelabs.com/teg-envoy-gateway
tag: v1.1.3
pullSecrets:
- name: tetrate-fips-creds
config:
envoyProxy:
provider:
kubernetes:
envoyDeployment:
container:
image: "fips-containers.teg.tetratelabs.com/envoy:distroless-v1.31.3"
pod:
imagePullSecrets:
- name: tetrate-fips-creds
gateway-helm:
global:
images:
envoyGateway:
image: "fips-containers.teg.tetratelabs.com/gateway:v1.1.3-tetrate"
pullSecrets:
- name: tetrate-fips-creds
ratelimit:
image: "fips-containers.teg.tetratelabs.com/ratelimit:master-fips"
pullSecrets:
- name: tetrate-fips-creds
Install Tetrate Enterprise Gateway for Envoy (TEG)
Install the Tetrate Enterprise Gateway for Envoy (TEG) Helm chart using the values file you created:
export REGISTRY="oci://docker.io/tetrate"
export CHART_VERSION="v1.1.3"
helm install teg ${REGISTRY}/teg-envoy-gateway-helm \
--version ${CHART_VERSION} \
--values values.yaml \
-n envoy-gateway-system
FIPS-approved TLS cipher suites
The FIPS-validated builds of TEG use TLS v1.2 with FIPS-approved cipher suites for internal communication between TEG components and external communication with clients. This is because FIPS TEG uses Google’s BoringCrypto project to perform its cryptographic functions, and the Security Policy only covers TLS 1.2. The Cipher Suites used are listed below:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
Please note that while TLS version and cipher suites for client connections can be configured using ClientTrafficPolicy
, and those for connections to backend services can be configured using EnvoyProxy
, the FIPS-validated builds of TEG will override these configurations, enforcing TLS v1.2 and the FIPS-approved cipher suites.
Verification
To verify the FIPS compliance of the installed artifacts, see Verify FIPS Image.