Implement UBI based, FIPS capable fork of ingress-nginx/controller
Summary
As a result of findings in #3251:
We will begin the work to produce and maintain a stable fork of https://github.com/kubernetes/ingress-nginx (the containers housed there). We will build upon @stanhu's existing work.
Details
In order to complete this work, we will need to set up appropriate parts so that we can stay up to date with the upstream code, as well as ensure regular security updates are included from the underlying UBI images. I believe this container should stem from a fork of the upstream repository, and the container should be generated from that repository. The upstream repository does not currently include a .gitlab folder, so it may be possible for us to "simply" overlay upon it.
This will also provide us distinct impetus to more regularly upgrade this NGINX container.
Related Issues
- https://github.com/kubernetes/ingress-nginx/issues/7781
- https://github.com/kubernetes/ingress-nginx/issues/3543
- #3384 (closed)
Acceptance
- A code repository exists at an appropriate location
- UBI-derived, FIPS-compatible image patch is applied to the fork (Apply UBI changes to NGINX Chart fork (#3384 - closed))
- That code repository has CI which generates UBI derived, FIPS compatible binaries and/or containers (NGINX: Implement CI for UBI container generation (#3382 - closed))
- A container with these binaries is consumed by the GitLab Helm chart, in our fork of ingress-nginx (NGINX: Consume our UBI variant of ingress-nginx... (#3383 - closed))
- As the final step, a complete FIPS compliant deployment is possible with documented values (Add FIPS builds (gitlab-org/cloud-native/charts/gitlab-ingress-nginx#2 - closed))
- FIPS implementation above is documented. (Document FIPS-compatible deployment (!2678 - merged))