
FIPS Compliance

NetFoundry provides a way for customers to run OpenZiti in FIPS-compliant mode for highly regulated environments.

The easiest way to update NetFoundry On-Prem for FIPS compliance is to first run the regular quickstart.sh installer, and then upgrade the system to use the FIPS-compliant components.

Updating to FIPS Compliant Ziti images

  • Copy the yaml file supplied with your customer token for the private docker repo to a file named netfoundry-<customer_name>-secret.yml. This file is issued by the NetFoundry sales team.

  • Add this secret to kubernetes with the following command:

    kubectl create -f netfoundry-<customer_name>-secret.yml --namespace=ziti
  • Add the following to the controller-values.yml file:

    image:
      # use the fips image instead of default
      repository: quay.io/netfoundry/ziti-controller-fips
      pullSecrets:
        - name: netfoundry-<customer_name>-pull-secret
  • Add the following to the router-values.yml file:

    image:
      # use fips image instead of default
      repository: quay.io/netfoundry/ziti-router-fips
      pullSecrets:
        - name: netfoundry-<customer_name>-pull-secret
  • Apply the changes for both charts, using the --no-hooks flag when updating to the FIPS images:

    • helm upgrade --no-hooks --install "ziti-controller" openziti/ziti-controller -n ziti --values ./controller-values.yml
    • helm upgrade --no-hooks --install "ziti-router-1" openziti/ziti-router -n ziti --values ./router-values.yml

Any updates applied to the controller or router charts should use the --no-hooks flag.
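The following script is an added example, not part of the NetFoundry documentation or the OpenZiti charts. It performs the secret creation, values override and helm upgrades described above for one customer name, and then checks that the running controller and router pods actually use the quay.io/netfoundry/*-fips images, which is the confirmation an auditor will ask for. It assumes kubectl and helm are on PATH, the ziti namespace and the openziti chart repo exist, the release names are "ziti-controller" and "ziti-router-1" as in the steps above, and the charts read pull secrets from image.pullSecrets. Instead of editing controller-values.yml and router-values.yml, it keeps the FIPS settings in a second values file; Helm merges later --values files over earlier ones, so the effect is the same as appending the snippet. The pull-secret name in the override must match metadata.name of the Secret in the yaml file issued by NetFoundry.

```shell
#!/bin/sh
# Added example, not part of the NetFoundry documentation: scripts the FIPS
# image switch described above for one customer name, then verifies it.
# Assumptions: kubectl and helm on PATH, the "ziti" namespace exists, the
# openziti chart repo is added, release names "ziti-controller" and
# "ziti-router-1" as in the steps above, and pull secrets read from
# image.pullSecrets by the charts.
NAMESPACE=ziti

# Print a Helm values override that points a chart at its FIPS image.
# $1 = controller | router   $2 = customer name used in the pull-secret name
render_fips_values() {
  printf 'image:\n'
  printf '  # use the fips image instead of default\n'
  printf '  repository: quay.io/netfoundry/ziti-%s-fips\n' "$1"
  printf '  pullSecrets:\n'
  printf '    - name: netfoundry-%s-pull-secret\n' "$2"
}

# Read "<pod> <image> [<image>...]" lines on stdin and fail if any
# ziti-controller or ziti-router container still runs a non-FIPS image.
# Other containers (init/sidecar images) are ignored.
check_fips_images() {
  bad=0
  while read -r pod images; do
    for img in $images; do
      case $img in
        *ziti-controller-fips*|*ziti-router-fips*) ;;   # expected FIPS build
        *ziti-controller*|*ziti-router*)
          echo "non-FIPS image on $pod: $img" >&2; bad=1 ;;
      esac
    done
  done
  return $bad
}

# Steps 2-5 of the procedure. The FIPS override lives in its own file that
# Helm merges on top of the existing controller/router values; --no-hooks is
# required for every update to these charts once the FIPS images are in use.
apply_fips() {
  customer=$1
  kubectl create -f "netfoundry-${customer}-secret.yml" --namespace="$NAMESPACE"
  render_fips_values controller "$customer" > fips-controller-values.yml
  render_fips_values router "$customer" > fips-router-values.yml
  helm upgrade --no-hooks --install ziti-controller openziti/ziti-controller \
    -n "$NAMESPACE" --values ./controller-values.yml --values ./fips-controller-values.yml
  helm upgrade --no-hooks --install ziti-router-1 openziti/ziti-router \
    -n "$NAMESPACE" --values ./router-values.yml --values ./fips-router-values.yml
}

# Post-upgrade check: list every pod with its container images and confirm
# the controller and router run the FIPS builds.
verify_fips() {
  kubectl get pods -n "$NAMESPACE" -o \
    jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}' \
    | check_fips_images && echo "all ziti controller/router images are FIPS builds"
}

# Usage: ./fips-upgrade.sh apply <customer_name>   then   ./fips-upgrade.sh verify
case ${1:-} in
  apply)  apply_fips "$2" ;;
  verify) verify_fips ;;
esac
```

Run `apply` once with the customer name from the issued secret file, wait for the pods to roll, then run `verify`; a non-zero exit names the pod and image that is still on a non-FIPS build, which is exactly the state you do not want to leave an audited cluster in.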