
Tetrate is thrilled to announce a strategic partnership with CloudBees, bringing together our Tetrate Istio Subscription (TIS) with CloudBees CI to provide a comprehensive FIPS-compliant continuous integration solution for organizations operating in highly regulated environments. CloudBees CI has officially tested and certified Tetrate Istio Subscription for their customers’ FedRAMP environments, marking a significant milestone in our collaborative efforts to serve government agencies and other organizations with stringent security requirements. This certification is particularly noteworthy as CloudBees CI is now actively recommending TIS to customers requiring FIPS compliance, recognizing Tetrate’s unique position as the provider of the industry’s only fully upstream, FIPS-verified distribution of Istio and Envoy. Through this partnership, we’re enabling organizations to accelerate their FedRAMP journey while maintaining the highest standards of security and compliance in their CI/CD pipelines.
The Critical Importance of FIPS Compliance in Modern Infrastructure
For U.S. federal agencies, contractors, and organizations serving the government sector, Federal Information Processing Standards (FIPS) compliance is not optional – it’s a regulatory requirement. FIPS sets forth security standards established by the National Institute of Standards and Technology (NIST) that define how cryptographic modules must be implemented to protect sensitive information. Any software system used by federal information systems must utilize FIPS 140-2 compliant modules for encryption functions to receive Federal Risk and Authorization Management Program (FedRAMP) approval for authority to operate. Without this compliance, organizations cannot legally deploy their applications and services in government environments, creating a significant barrier for technology adoption in the public sector. The challenge has been particularly acute in cloud-native and containerized environments, where community builds of essential infrastructure tools like Istio and Envoy are not built against validated cryptographic modules by default.
Tetrate Istio Subscription: The Foundation for FIPS-Compliant Service Mesh
Tetrate Istio Subscription (TIS) stands alone in the industry as the only 100% upstream distribution of Istio and Envoy that has been verified for FIPS compliance and meets FedRAMP authorization requirements. Unlike approaches that fork cryptographic libraries and potentially introduce security risks, Tetrate compiles Istio and Envoy to use BoringSSL with the FIPS 140-2 validated BoringCrypto module (Certificate #4407). This approach ensures that customers receive a fully FIPS-compliant build without the risks associated with maintaining a separate cryptographic codebase. As part of our subscription, customers receive a certificate of compliance along with access to our FIPS-certified builds, providing the documentation needed to satisfy FedRAMP’s stringent requirements for authority to operate. Additionally, TIS provides extended protection against Common Vulnerabilities and Exposures (CVEs) for up to 14 months, covering four prior versions – significantly longer than the standard open source support windows.
CloudBees CI and Istio: Powering Modern CI/CD in Regulated Environments
CloudBees CI is a leading enterprise continuous integration solution that scales with organizations’ growing needs while maintaining rigorous security standards. In regulated environments, particularly those requiring FedRAMP authorization, CloudBees CI leverages Istio as a critical component of its architecture. The integration works through Istio’s service mesh capabilities, which manage the communication between services transparently while enforcing security policies and providing observability. Specifically, CloudBees CI on modern cloud platforms utilizes Istio for secure traffic management, providing the mutual Transport Layer Security (mTLS) encryption required to implement a Zero Trust security posture. This architecture is particularly valuable in Kubernetes environments, where CloudBees CI deployments benefit from Istio’s ability to manage complex networking challenges without modifying application code.
How CloudBees CI Implements FIPS-Compliant Istio
CloudBees CI’s implementation of FIPS mode on modern cloud platforms, particularly in AWS GovCloud environments, requires a carefully orchestrated setup that begins with establishing a FIPS-compliant foundation. Organizations must first obtain an AWS GovCloud account and create a FIPS-compliant Amazon Machine Image (AMI), as AWS does not provide a FIPS-compliant AMI for EKS nodes by default. The process involves cloning the amazon-eks-ami repository and running specific commands to build a FIPS-enabled AMI that can be used for node groups in the EKS cluster. Additionally, CloudBees CI requires a FIPS-compliant Istio implementation, which is where Tetrate Istio Subscription becomes essential as the recommended solution for achieving compliance.
The Integration Process: Deploying CloudBees CI with TIS
The integration of CloudBees CI with Tetrate Istio Subscription follows a well-defined process. After creating a FIPS-compliant EKS cluster, organizations must configure their environment by enforcing Istio mTLS (mutual Transport Layer Security) and creating a gateway for incoming traffic. The configuration involves creating a file named values.yaml that includes the critical setting fips140: true, which tells CloudBees CI to operate in FIPS mode. Organizations also have the option to use AWS Elastic Container Registry (ECR) to store CloudBees CI container images, adding another layer of security and control in regulated environments. With Tetrate Istio Subscription, customers receive FIPS-verified builds of Istio that seamlessly integrate with this deployment process, ensuring that the entire stack remains FIPS-compliant without additional configuration burden.
Benefits for Government Agencies and Regulated Industries
This partnership delivers significant benefits for government agencies and organizations in regulated industries that need to maintain FIPS compliance. By combining CloudBees CI with Tetrate Istio Subscription, organizations can implement enterprise-grade continuous integration with the confidence that their infrastructure meets the stringent requirements for FedRAMP authorization. The solution eliminates the need for organizations to build and maintain their own FIPS-compliant versions of Istio, saving significant time and resources while reducing security risks. Additionally, Tetrate’s approach of using validated modules rather than forking cryptographic code ensures that security-critical components remain aligned with well-maintained upstream projects, avoiding the drift that can occur with customized forks. This integrated solution enables organizations to modernize their development practices with containerized applications and microservices architecture while maintaining the highest standards of security and compliance.
Technical Deep Dive: How Istio Enables Secure Communication in CloudBees CI
The integration of Istio within CloudBees CI leverages the full power of Istio’s architecture to create a secure communication layer. Istio’s architecture consists of two primary components: the control plane managed by istiod, which handles configuration and policy enforcement, and the data plane consisting of Envoy proxies that manage actual traffic between services. In CloudBees CI deployments, Istio proxies are injected as sidecars alongside application containers, intercepting all network communication to and from the service. This architecture enables critical security features like automatic mTLS encryption, which encrypts all service-to-service communication without requiring changes to application code. For FIPS-compliant deployments, Tetrate’s distribution ensures that all cryptographic operations performed by Istio and Envoy use only FIPS-approved algorithms and modules, maintaining compliance throughout the entire communication stack. The comprehensive security model extends to external traffic as well, with Istio gateways configured to process all external traffic while enforcing consistent security policies.
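The mesh-wide mTLS enforcement and the ingress gateway called for in the integration process above, together with the istiod/sidecar model described in this section, can be expressed as ordinary Istio resources. The following manifests are an added illustration, not configuration taken from CloudBees’ or Tetrate’s documentation; the namespace cloudbees-ci (assumed to carry the istio-injection=enabled label), the hostname ci.example.gov, the secret name cloudbees-ci-tls and the operations center service name cjoc are assumptions, and the CloudBees-side fips140: true setting in values.yaml is separate from these.

```yaml
# Mesh-wide STRICT mTLS: a "default" PeerAuthentication in the root namespace
# makes every sidecar reject plaintext from peers without a mesh identity.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Ingress gateway terminating TLS for external users of the operations center.
# The TLS secret named by credentialName must live in the ingress gateway's
# namespace (istio-system), not in the application namespace.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: cloudbees-ci-gateway
  namespace: cloudbees-ci
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: cloudbees-ci-tls     # assumed secret name
      minProtocolVersion: TLSV1_2
    hosts:
    - "ci.example.gov"                     # assumed hostname
---
# Route gateway traffic to the operations center service; the hop from the
# gateway to the pod is mTLS inside the mesh because of the policy above.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: cloudbees-ci
  namespace: cloudbees-ci
spec:
  hosts:
  - "ci.example.gov"
  gateways:
  - cloudbees-ci-gateway
  http:
  - route:
    - destination:
        host: cjoc                         # assumed service name (operations center)
        port:
          number: 80
```

Apply these with kubectl apply -f once the TIS control plane and ingress gateway are installed; istioctl x describe pod on a CloudBees CI pod then reports the PeerAuthentication in effect for that workload, which is a quick check that STRICT mode actually covers it.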
Getting Started with CloudBees CI and Tetrate Istio Subscription
Organizations interested in implementing this FIPS-compliant solution can follow CloudBees’ comprehensive documentation for installing CloudBees CI in FIPS mode. The process begins with creating a FIPS-compliant EKS cluster on AWS GovCloud. With Tetrate Istio Subscription, customers receive everything needed to run Istio and Envoy in highly regulated and mission-critical production environments, including access to FIPS-verified builds and detailed implementation guidance. Tetrate’s expert support team is available to assist with the implementation and ensure that the service mesh is properly configured for optimal performance and compliance. The combination of detailed documentation from both CloudBees and Tetrate, along with dedicated support teams, ensures that organizations can successfully implement this solution even in the most complex environments.
Looking Forward: The Future of Secure CI/CD in Regulated Environments
This partnership between Tetrate and CloudBees represents an important step forward in enabling secure, modern development practices in highly regulated environments. As government agencies and regulated industries continue their digital transformation journeys, the need for FIPS-compliant, cloud-native infrastructure will only grow. Together, Tetrate and CloudBees are committed to evolving our solutions to meet these changing needs, providing a foundation for innovation that doesn’t compromise on security or compliance. We look forward to expanding this partnership and continuing to serve organizations that operate under the strictest security requirements, helping them achieve their technology goals while maintaining compliance with regulations like FedRAMP. The combination of CloudBees CI’s scalable enterprise continuous integration capabilities and Tetrate’s FIPS-verified Istio distribution creates a powerful platform for the future of secure software delivery in government and regulated industries.
To sum it up: A Milestone for Secure, Compliant DevOps
The certification of Tetrate Istio Subscription by CloudBees for their customers’ FedRAMP environments marks a significant milestone in bringing modern DevOps practices to highly regulated environments. By addressing the critical need for FIPS compliance in service mesh implementations, this partnership enables organizations to build and deploy applications with greater speed and security than ever before. Government agencies and regulated organizations no longer need to choose between modern development practices and compliance requirements – with CloudBees CI and Tetrate Istio Subscription, they can have both. We invite organizations seeking to implement FIPS-compliant CI/CD pipelines to explore this integrated solution and experience the benefits of secure, compliant, and efficient software delivery. Together, Tetrate and CloudBees are setting a new standard for security and compliance in enterprise CI/CD, enabling the next generation of digital government services and applications in regulated industries.
###
If you’re new to service mesh, Tetrate has a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.
Are you using Kubernetes? Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed by the Kubernetes Gateway API.
Getting started with Istio? If you’re looking for the surest way to get to production with Istio, check out Tetrate Istio Subscription. Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready. For teams requiring open source Istio and Envoy without proprietary vendor dependencies, Tetrate offers the ONLY 100% upstream Istio enterprise support offering.
Need global visibility for Istio? TIS+ is a hosted Day 2 operations solution for Istio designed to simplify and enhance the workflows of platform and support teams. Key features include: a global service dashboard, multi-cluster visibility, service topology visualization, and workspace-based access control.