From 96c705bf94a445445952d669eeff21bee9ac0b33 Mon Sep 17 00:00:00 2001 From: Margo Crawford Date: Mon, 11 Apr 2022 13:53:26 -0700 Subject: [PATCH] document how to use the fips dockerfile on our website Signed-off-by: Margo Crawford --- site/content/docs/reference/fips.md | 34 +++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 site/content/docs/reference/fips.md diff --git a/site/content/docs/reference/fips.md b/site/content/docs/reference/fips.md new file mode 100644 index 00000000..2e012c81 --- /dev/null +++ b/site/content/docs/reference/fips.md 
@@ -0,0 +1,34 @@ +--- +title: FIPS-compatible builds of Pinniped binaries +description: Reference for FIPS builds of Pinniped binaries +cascade: + layout: docs +menu: + docs: + name: FIPS-compatible builds of Pinniped binaries + weight: 30 + parent: reference +--- +By default, the Pinniped supervisor and concierge use ciphers that +are not supported by FIPS 140-2. If you are deploying Pinniped in an +environment with FIPS compliance requirements, you will have to build +the binaries yourself using the `fips_strict` build tag and Golang's +`go-boringcrypto` fork. + +The Pinniped team provides an [example Dockerfile](https://github.com/vmware-tanzu/pinniped/blob/main/hack/Dockerfile_fips) +demonstrating how you can build Pinniped images in a FIPS compatible way. +However, we do not provide official support for FIPS configuration, and we may not +respond to GitHub issues opened related to FIPS support. +We provide this for informational purposes only. + +To build Pinniped use our example fips Dockerfile, you can run: +```bash +$ git clone git@github.com:vmware-tanzu/pinniped.git +$ cd pinniped +$ git checkout {{< latestversion >}} +$ docker build -f hack/Dockerfile_fips . +``` + +Now you can deploy [the concierge]({{< ref "install-concierge" >}}) and [the supervisor]({{< ref "install-supervisor" >}}) +by specifying this image instead of the standard Pinniped image in your `values.yaml` or `deployment.yaml` file. +
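Review bot: The `docker build -f hack/Dockerfile_fips .` step in the bash block produces an untagged image, yet the closing paragraph tells the reader to deploy "by specifying this image" in `values.yaml` or `deployment.yaml`, so there is no image name to specify. Suggest adding `-t` with a placeholder reference such as `-t <your-registry>/pinniped-fips:<tag>` and a sentence saying the image must be pushed to a registry the cluster can pull from. Two smaller points in the same hunk: the lead-in sentence "To build Pinniped use our example fips Dockerfile, you can run:" should read "using our example FIPS Dockerfile", and the `git clone git@github.com:vmware-tanzu/pinniped.git` line requires a GitHub SSH key, so the HTTPS clone URL would work for more readers. Since the page is aimed at environments with compliance requirements, it would also help to say how a reader can confirm the resulting binaries were actually built with the `fips_strict` tag and the `go-boringcrypto` toolchain, which the text currently leaves open.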