  1. OpenShift Logging
  2. LOG-2551

Enable Vector to use OpenSSL

    • OBSDA-111 - Provide GA Support for Vector Collector with OpenShift Logging
    • Impediment
    • VERIFIED
    • 0% To Do, 0% In Progress, 100% Done

      Goals

      Modify Vector and/or its dependencies to rely fully upon OpenSSL in lieu of the alternatives (e.g. ring).

      Non-Goals

      Motivation

      Product requirements dictate we deliver a product that is both export and FIPS compliant. OpenSSL meets these requirements.

      Alternatives

      Acceptance Criteria

      • Vector functions on a FIPS enabled cluster
      • Vector is export compliant
      • Vector with default feature sets supports architectures: x86_64, s390x, ppc64, arm
      • PRs are submitted (or accepted) with the proposed changes to any upstream communities
      • Able to build Vector on x86_64, s390x, ppc64, and arm with default feature set

      Risk and Assumptions

      We assume the upstream community ultimately has the same goal of being FIPS compliant. The biggest risk is that this is not a priority for the community and they may not accept contributions for the required changes. We may need to carry patches of Vector and/or its dependencies.

      Documentation Considerations

      • Update documentation to state the collector runs on FIPS enabled clusters. There should be no need to additionally document export compliance, given this is an implied legal requirement for any product delivered by RH
      • Qualify our FIPS and export compliance until we can satisfy the requirement

      Open Questions

      • How extensive are the changes required to Vector?
      • How extensive are the changes required to Vector dependencies?
      • Can we design a ring to OpenSSL adapter library to make the runtime swappable?
      • Are we blocked from going GA without these changes, or can we qualify with documentation?

      Additional Notes


            syedriko_sub@redhat.com Sergey Yedrikov
            jcantril@redhat.com Jeffrey Cantrill
            Ishwar Kanse Ishwar Kanse