
Install FIPS-validated builds of Tetrate Enterprise Gateway for Envoy (TEG) distribution

Tetrate Enterprise Gateway for Envoy (TEG) images are available to TEG Subscription customers. These images are hosted in a special FIPS repository. To access the FIPS repository, you will need a username and password, which you can obtain from your Tetrate representative.

Note: The FIPS-validated builds of Tetrate Enterprise Gateway for Envoy (TEG) are not available for the latest version. They are only provided for specific versions from 1.1.0 onward. This guide uses version 1.1.0 as an example.

Before you begin

You need a Kubernetes cluster along with the kubectl and helm command-line tools installed and configured to connect to the cluster.

Note: Refer to the Compatibility Matrix for supported Kubernetes versions.

You will also need credentials from Tetrate to access Tetrate's FIPS repository.

Install Tetrate Enterprise Gateway for Envoy (TEG) using Helm

Create a Kubernetes secret with your Tetrate FIPS registry credentials

We'll create a secret named tetrate-fips-creds to access the Tetrate FIPS images repository, using the username and password provided by Tetrate.

Make sure you have set the credentials as environment variables, then create the namespace and the secret:

export TEG_USER="<teg-username>"
export TEG_PASS="<teg-password>"
kubectl create namespace envoy-gateway-system

kubectl create secret docker-registry tetrate-fips-creds \
    --docker-server="fips-containers.teg.tetratelabs.com" \
    --docker-username=${TEG_USER} \
    --docker-password=${TEG_PASS} \
    --docker-email="${USER}@" \
    -n envoy-gateway-system

Create a values file for the TEG Helm chart to use the FIPS images

Create a file named values.yaml with the following content, or add the content to your existing values file:

deployment:
  tegEnvoyGateway:
    image:
      repository: fips-containers.teg.tetratelabs.com/teg-envoy-gateway
      tag: v1.1.0
    pullSecrets:
      - name: tetrate-fips-creds
config:
  envoyProxy:
    provider:
      kubernetes:
        envoyDeployment:
          container:
            image: "fips-containers.teg.tetratelabs.com/envoy:distroless-v1.31.0"
          pod:
            imagePullSecrets:
              - name: tetrate-fips-creds

gateway-helm:
  global:
    images:
      envoyGateway:
        image: "fips-containers.teg.tetratelabs.com/gateway:v1.1.0-tetrate"
        pullSecrets:
          - name: tetrate-fips-creds
      ratelimit:
        image: "fips-containers.teg.tetratelabs.com/ratelimit:master-fips"
        pullSecrets:
          - name: tetrate-fips-creds

Install Tetrate Enterprise Gateway for Envoy (TEG)

Install the Tetrate Enterprise Gateway for Envoy (TEG) Helm chart using the values file you created:

export REGISTRY="oci://docker.io/tetrate"
export CHART_VERSION="v1.1.0"
helm install teg ${REGISTRY}/teg-envoy-gateway-helm \
    --version ${CHART_VERSION} \
    --values values.yaml \
    -n envoy-gateway-system

FIPS-approved TLS cipher suites

The FIPS-validated builds of TEG use TLS v1.2 with FIPS-approved cipher suites, both for internal communication between TEG components and for external communication with clients. This is because FIPS TEG uses Google's BoringCrypto module for its cryptographic functions, and that module's FIPS Security Policy only covers TLS 1.2. The cipher suites used are listed below:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384

Please note that while TLS version and cipher suites for client connections can be configured using ClientTrafficPolicy, and those for connections to backend services can be configured using EnvoyProxy, the FIPS-validated builds of TEG will override these configurations, enforcing TLS v1.2 and the FIPS-approved cipher suites.
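Because the FIPS builds enforce TLS 1.2 and these four suites regardless of policy, it is worth confirming that a deployed gateway actually negotiates them. The following is an added example (not part of the TEG documentation or product) that parses the session summary printed by `openssl s_client -connect <gateway-host>:443` and reports anything outside the FIPS policy above; the sample outputs are constructed, and cipher names use OpenSSL's naming as on this page.

```python
"""Check a TLS handshake result against the FIPS TEG policy: TLS 1.2 only,
with one of the four approved cipher suites. Input is the text printed by
`openssl s_client`, so captured output can be checked offline."""
import re

# The approved suites listed in the TEG FIPS documentation (OpenSSL names).
FIPS_CIPHER_SUITES = {
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
}
FIPS_TLS_VERSION = "TLSv1.2"


def parse_s_client(output: str) -> tuple[str, str]:
    """Return (protocol, cipher) from the 'SSL-Session:' summary lines."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not proto or not cipher:
        raise ValueError("no TLS session summary found in s_client output")
    return proto.group(1), cipher.group(1)


def check_fips_policy(protocol: str, cipher: str) -> list[str]:
    """Return a list of violations; an empty list means the handshake complies."""
    problems = []
    if protocol != FIPS_TLS_VERSION:
        problems.append(f"protocol {protocol} negotiated, expected {FIPS_TLS_VERSION}")
    if cipher not in FIPS_CIPHER_SUITES:
        problems.append(f"cipher {cipher} is not in the FIPS-approved list")
    return problems


def assess(output: str) -> list[str]:
    """Parse s_client output and return its policy violations."""
    return check_fips_policy(*parse_s_client(output))


# Constructed sample outputs (not captured from a real gateway).
SAMPLE_OK = """New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_BAD = """New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
"""
```

In practice, pipe the real output in (`openssl s_client -connect <gateway-host>:443 </dev/null 2>/dev/null`) and treat any non-empty result from `assess` as a sign that a non-FIPS image is serving traffic.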

Verification

To verify the FIPS compliance of the installed artifacts, see Verify FIPS Image.