Deploy a FIPS compatible version of ECK

The Federal Information Processing Standard (FIPS) Publication 140-2 (FIPS PUB 140-2), titled "Security Requirements for Cryptographic Modules", is a U.S. government computer security standard used to approve cryptographic modules. Since version 2.6, ECK offers a FIPS-enabled image that is a drop-in replacement for the standard image.

For the ECK operator, adherence to FIPS 140-2 is ensured by:

  • Using FIPS approved / NIST recommended cryptographic algorithms.
  • Compiling the operator using the BoringCrypto library for various cryptographic primitives.

Warning

Due to a build configuration issue, ECK operator images published between versions 2.9.0 and 3.3.1 use the standard Go cryptography library instead of BoringCrypto. Standard Go does not use FIPS 140-2/3 validated cryptographic libraries. Upgrade to version 3.3.2 or later to get images built using FIPS 140-2/3 validated cryptographic libraries.

Set image.fips=true to install a FIPS-enabled version of the ECK Operator. Refer to Install ECK using the Helm chart for full Helm installation instructions.

helm install elastic-operator elastic/eck-operator \
  -n elastic-system --create-namespace \
  --set=image.fips=true

To install a FIPS-enabled version of the ECK Operator from the YAML installation manifest, patch the StatefulSet definition in the manifest before applying it so that the -fips suffix is appended to the image name in spec.template.spec.containers[*].image (before the tag). Refer to Install ECK using the YAML manifests for full manifest installation instructions.

Note

${ECK_VERSION} in the following command needs to be replaced with the version of the Operator that is to be installed.

curl -s https://download.elastic.co/downloads/eck/${ECK_VERSION}/operator.yaml | sed -r 's#(image:.*eck-operator)(:.*)#\1-fips\2#' | kubectl apply -f -

If the Operator has already been installed using the manifests, the installation can be patched instead:

kubectl patch sts elastic-operator -n elastic-system -p '{"spec":{"template":{"spec":{"containers":[{"name":"manager", "image":"docker.elastic.co/eck/eck-operator-fips:${ECK_VERSION}"}]}}}}'
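As an added example that is not part of the ECK documentation, the following POSIX shell script applies the same sed rewrite to a constructed manifest snippet and classifies the image reference a running operator reports, flagging non-FIPS images and FIPS images from the 2.9.0 to 3.3.1 range that were built with standard Go crypto instead of BoringCrypto. The sample tag and the function names (fips_manifest, manifest_image, version_lt, classify_image) are assumptions, not names from the project.

```shell
# Constructed sample of the container entry in operator.yaml; the tag is a
# placeholder, not a value from the docs.
SAMPLE_MANIFEST='      containers:
      - name: manager
        image: docker.elastic.co/eck/eck-operator:3.3.2'

# Rewrite eck-operator:<tag> to eck-operator-fips:<tag> (same sed expression
# as the manifest install step); reads a manifest on stdin. Already-fips
# images do not match, so running it twice is harmless.
fips_manifest() {
  sed -r 's#(image:.*eck-operator)(:.*)#\1-fips\2#'
}

# Print the first image: value found in a manifest on stdin.
manifest_image() {
  sed -n -r 's#^ *image: *([^ ]+) *$#\1#p' | head -n 1
}

# Succeed when version $1 is strictly lower than version $2.
# Assumes numeric X.Y.Z tags (missing components count as 0).
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(printf '%s\n' "$1" | cut -d. -f"$i"); a=${a:-0}
    b=$(printf '%s\n' "$2" | cut -d. -f"$i"); b=${b:-0}
    [ "$a" -lt "$b" ] && return 0
    [ "$a" -gt "$b" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# Classify an image reference such as the one printed by
#   kubectl get sts elastic-operator -n elastic-system \
#     -o jsonpath='{.spec.template.spec.containers[0].image}'
# Prints not-fips, standard-go-build (2.9.0 through 3.3.1) or ok.
classify_image() {
  repo=${1%:*}; tag=${1##*:}
  case "$repo" in
    */eck-operator-fips) ;;
    *) echo not-fips; return 0 ;;
  esac
  if ! version_lt "$tag" 2.9.0 && version_lt "$tag" 3.3.2; then
    echo standard-go-build
  else
    echo ok
  fi
}
classify_image "$(printf '%s\n' "$SAMPLE_MANIFEST" | fips_manifest | manifest_image)"
```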

When FIPS mode is enabled in Elasticsearch (xpack.security.fips_mode.enabled: true), Elasticsearch requires a password-protected keystore. Starting with ECK 3.4.0 and Elasticsearch 9.4.0+, the operator automatically manages this for you by generating, storing, and configuring the Elasticsearch keystore password, eliminating the need for manual podTemplate overrides.

The operator creates a Secret named <cluster-name>-es-keystore-password containing the generated password and mounts it into the Elasticsearch pods. The keystore init container uses this password to create a password-protected keystore.

This feature activates automatically when all of the following conditions are met:

  • xpack.security.fips_mode.enabled: true is set in any NodeSet config or via a StackConfigPolicy
  • Elasticsearch version is 9.4.0 or later
  • No user-provided keystore password is detected

If you have already configured a keystore password through environment variables (KEYSTORE_PASSWORD, KEYSTORE_PASSWORD_FILE, or ES_KEYSTORE_PASSPHRASE_FILE) in the podTemplate, the operator respects your configuration and does not generate its own.

When FIPS mode is disabled or the Elasticsearch version is downgraded below 9.4.0, the operator automatically cleans up the managed keystore password Secret.