Pinniped Documentation

FIPS-compatible builds of Pinniped binaries

By default, the Pinniped supervisor and concierge use ciphers that are not supported by FIPS 140-2. If you are deploying Pinniped in an environment with FIPS compliance requirements, you will have to build the binaries yourself using the fips_strict build tag and Golang’s go-boringcrypto fork.

The Pinniped team provides an example Dockerfile demonstrating how you can build Pinniped images in a FIPS-compatible way. However, we do not provide official support for FIPS configuration, and we may not respond to GitHub issues related to FIPS support. We provide this for informational purposes only.

To build Pinniped using our example FIPS Dockerfile, you can run:

$ git clone git@github.com:vmware-tanzu/pinniped.git
$ cd pinniped
$ git checkout v0.29.0
$ docker build -f hack/Dockerfile_fips .

Now you can deploy the concierge and the supervisor by specifying this image instead of the standard Pinniped image in your values.yaml or deployment.yaml file.
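
Before deploying, it is worth confirming that the fips_strict build tag actually reached the binary. The shell function below is an added example, not part of the Pinniped project's documentation or code: it checks the build settings that go version -m prints (embedded by Go 1.18 and later) for an exact tag match. The function name, the sample outputs and the example.invalid path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm a build tag in the settings printed by `go version -m`.
# Reads that output on stdin; exits 0 only if the tag named in $1 is one of the
# comma-separated entries of the "-tags=" build setting (exact match).
has_build_tag() {
    awk -v want="$1" '
        # Build-setting lines look like: <TAB>build<TAB>-tags=a,b,c
        $1 == "build" && index($2, "-tags=") == 1 {
            n = split(substr($2, 7), tags, ",")
            for (i = 1; i <= n; i++) if (tags[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample outputs, not captured from a real Pinniped build.
sample_fips() {
    printf 'server: go1.x\n'
    printf '\tpath\texample.invalid/cmd/server\n'
    printf '\tbuild\t-tags=fips_strict,example_tag\n'
    printf '\tbuild\tCGO_ENABLED=1\n'
}
sample_default() {          # built without any -tags setting
    printf 'server: go1.x\n'
    printf '\tbuild\tCGO_ENABLED=0\n'
}
sample_lookalike() {        # a tag that only contains the wanted name
    printf 'server: go1.x\n'
    printf '\tbuild\t-tags=not_fips_strict\n'
}

for s in sample_fips sample_default sample_lookalike; do
    if "$s" | has_build_tag fips_strict; then
        echo "$s: fips_strict present"
    else
        echo "$s: fips_strict MISSING, do not deploy as FIPS build"
    fi
done
```

To check a real binary, pipe the output of go version -m <path-to-binary> into has_build_tag fips_strict; the location of the binary inside the image is not given on this page.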