Publish official FIPS-enabled Docker image variant
#45,812 opened on Jun 23, 2026
Description
The Envoy build system already supports FIPS via --config=boringssl-fips and
--config=aws-lc-fips. The ask is to publish an additional image variant built
with one of those flags as part of the standard release pipeline — no codebase
changes required.
Desired behavior:
A -fips tagged image published alongside each standard release, e.g.:
envoyproxy/envoy:distroless-fips-v1.X.Y
Built with --config=aws-lc-fips (preferred — broader architecture support than
--config=boringssl-fips, which is Linux x86_64 only).
Scenario it enables:
Organizations with FIPS 140 compliance requirements currently have no official
path to a FIPS-enabled Envoy image. Existing options are either EOL (AWS App Mesh
prod-fips, discontinued September 2026), commercial-only (Tetrate, Solo.io), or
require teams to own and maintain a self-build pipeline.
Relevant links:
- FIPS build documentation: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl
- AWS App Mesh FIPS EOL: https://docs.aws.amazon.com/app-mesh/latest/userguide/envoy.html