FIPS validation for cf-deployment

[jochenehret]

We want to validate cf-deployment on a FIPS compliant stemcell. The validation pipeline has been set up here:
https://concourse.wg-ard.ci.cloudfoundry.org/teams/main/pipelines/fips-stemcell. PR for validation pipeline is #1135.

The pipeline uploads the stemcell to be validated and then deploys cf-deployment. Next, it runs the CF smoke-tests and the CF acceptance tests. The pipeline is triggered for each cf-deployment release candidate and for each new stemcell version.

This parent issue will be used to track child issues that are raised for the involved BOSH releases.

Issues

Beta Give feedback

1. pre-start script of uaa-release fails on FIPS stemcell uaa-release#722
   accepted +1
2. Support FIPS compliant BC uaa#2230
   accepted +1
3. credhub-release fails on FIPS compliant Jammy stemcell pivotal/credhub-release#174
   +0
4. Fix init keystore template for Jammy FIPS stemcell pivotal/credhub-release#177
   +0
5. Bump openssl to v3.2.0 cloud_controller_ng#3541
   +0
6. Bump default key length to 2048 and change fingerprint to SHA1 cloud_controller_ng#3555
   +0
7. Issues running CC with fips stemcells cloud_controller_ng#3542
   +0
8. FIPS validation: OpenSSL::Digest::MD5 cannot be used cloud_controller_ng#3544
   +0
9. Use xxHash in Rate Limiter cloud_controller_ng#3557
   +0
10. Support Content-Digest header in StagingsController cloud_controller_ng#3558
    +0
11. [FIPS] CF-StagerError: 170011: Stager error: Digest initialization failed: initialization error cloud_controller_ng#3561
    +0
12. Use xxhash64 instead of MD5 when calculating buildpack paths cloud_controller_ng#3562
    +0
13. [FIPS] Use xxhash64 to calculate buildpack paths buildpackapplifecycle#65
    +0
    
14. Use SHA algorithm for content digest in URLUploader diego-release#896
    bug +1
15. switch to using digest-xxhash cloud_controller_ng#3609
    +0
16. Ensure proxy app uses golang 1.21 for FIPS 140-3 compatiblity cf-acceptance-tests#1046
    +0
17. fix: Set goversion in app manifests to Go 1.21 cf-acceptance-tests#1047
    +0

[Gerg]

Is there an ops file somewhere to enable FIPS compatibility (for example, configuring the CAPI property introduced here: cloudfoundry/capi-release#370)?

[jochenehret]

We don't yet have an ops file for FIPS compatibility. There is a new config parameter to disable MD5 for the cloud controller:
https://github.com/cloudfoundry/capi-release/blob/389aca282ce32865eb4e39dcab48df680e68e69e/jobs/cloud_controller_ng/spec#L1216
We must wait for a new diego-release that supports the new hashing algorithm as well.

[jochenehret]

The latest FIPS validation runs are now green, e.g.:
https://concourse.wg-ard.ci.cloudfoundry.org/teams/main/pipelines/fips-stemcell/jobs/fips-cats/builds/66
CATs and CF smoke tests are both passing. We are still using the fips-compliance.yml ops file, however. After major releases of capi/diego we should not need this ops file anymore.