Skip to main content

Enable FIPS compliance

NetFoundry provides a way for customers to run OpenZiti in FIPS-compliant mode for highly regulated environments.

The easiest way to update NetFoundry Self-Hosted for FIPS compliance is to first run the regular nf-quickstart installer, and then upgrade the system to use the FIPS-compliant components.

Update to FIPS-compliant Ziti images

  1. Copy the YAML file supplied with your customer token for the private docker repo to a file named netfoundry-<customer_name>-secret.yml. This file is issued by the NetFoundry sales team.

  2. Add the secret to Kubernetes:

    kubectl create -f netfoundry-<customer_name>-secret.yml --namespace=ziti

  3. Add this to the controller-values.yml file:

    image:
      # use the fips image instead of default
      repository: quay.io/netfoundry/ziti-controller-fips
      pullSecrets:
        - name: netfoundry-<customer_name>-pull-secret

  4. Add this to the router-values.yml file:

    image:
      # use fips image instead of default
      repository: quay.io/netfoundry/ziti-router-fips
      pullSecrets:
        - name: netfoundry-<customer_name>-pull-secret

  5. Apply changes for both charts:

    • helm upgrade --install "ziti-controller" openziti/ziti-controller -n ziti --values ./controller-values.yml
    • helm upgrade --install "ziti-router-1" openziti/ziti-router -n ziti --values ./router-values.yml