envoyproxy · ggreenway · Jan 21, 2021 · Jan 15, 2021 · Jan 15, 2021 · Jan 16, 2021
diff --git a/docs/root/configuration/observability/statistics.rst b/docs/root/configuration/observability/statistics.rst
@@ -33,4 +33,5 @@ Server related statistics are rooted at *server.* with following statistics:
   envoy_bug_failures, Counter, Number of envoy bug failures detected in a release build. File or report the issue if this increments as this may be serious.
   static_unknown_fields, Counter, Number of messages in static configuration with unknown fields
   dynamic_unknown_fields, Counter, Number of messages in dynamic configuration with unknown fields
+  fips_mode, Gauge, Integer representing whether the envoy build is FIPS compliant or not
 
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -37,6 +37,7 @@ New Features
 * access log: added the :ref:`formatters <envoy_v3_api_field_config.core.v3.SubstitutionFormatString.formatters>` extension point for custom formatters (command operators).
 * http: added support for :ref:`:ref:`preconnecting <envoy_v3_api_msg_config.cluster.v3.Cluster.PreconnectPolicy>`. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic, especially if using HTTP/1.1.
 * http: change frame flood and abuse checks to the upstream HTTP/2 codec to ON by default. It can be disabled by setting the `envoy.reloadable_features.upstream_http2_flood_checks` runtime key to false.
+* server: added :ref:`fips_mode <statistics>` statistic.
 * tcp_proxy: add support for converting raw TCP streams into HTTP/1.1 CONNECT requests. See :ref:`upgrade documentation <tunneling-tcp-over-http>` for details.
 
 Deprecated

diff --git a/source/common/version/version.h b/source/common/version/version.h
@@ -22,14 +22,14 @@ class VersionInfo {
   static const std::string& revisionStatus();
   // Repository information and build type.
   static const std::string& version();
+  static const std::string& sslVersion();
 
   static const envoy::config::core::v3::BuildVersion& buildVersion();
 
 private:
   friend class Envoy::VersionInfoTestPeer;
   // RELEASE or DEBUG
   static const std::string& buildType();
-  static const std::string& sslVersion();
   static envoy::config::core::v3::BuildVersion makeBuildVersion(const char* version);
 };
 

diff --git a/source/server/server.cc b/source/server/server.cc
@@ -385,6 +385,10 @@ void InstanceImpl::initialize(const Options& options,
     }
   }
   server_stats_->version_.set(version_int);
+  const std::string fips_ssl_version = "BoringSSL-FIPS";
+  if (VersionInfo::sslVersion() == fips_ssl_version) {
+    server_stats_->fips_mode_.set(1);
+  }
 
   bootstrap_.mutable_node()->set_hidden_envoy_deprecated_build_version(VersionInfo::version());
   bootstrap_.mutable_node()->set_user_agent_name("envoy");

diff --git a/source/server/server.h b/source/server/server.h
@@ -74,6 +74,7 @@ namespace Server {
   GAUGE(total_connections, Accumulate)                                                             \
   GAUGE(uptime, Accumulate)                                                                        \
   GAUGE(version, NeverImport)                                                                      \
+  GAUGE(fips_mode, NeverImport)                                                                    \
   HISTOGRAM(initialization_time_ms, Milliseconds)
 
 struct ServerStats {

diff --git a/test/server/server_test.cc b/test/server/server_test.cc
@@ -362,6 +362,22 @@ TEST_P(ServerInstanceImplTest, ProxyVersionOveridesFromBootstrap) {
   server_thread->join();
 }
 
+// Validates that the "server.fips_mode" stat indicates the FIPS compliance from the Envoy Build
+TEST_P(ServerInstanceImplTest, ValidateFIPSModeStat) {
+  auto server_thread =
+      startTestServer("test/server/test_data/server/proxy_version_bootstrap.yaml", true);
+
+  const std::string fips_ssl_version = "BoringSSL-FIPS";
+  if (VersionInfo::sslVersion() == fips_ssl_version) {
+    EXPECT_EQ(1L, TestUtility::findGauge(stats_store_, "server.fips_mode")->value());
+  } else {
+    EXPECT_EQ(0L, TestUtility::findGauge(stats_store_, "server.fips_mode")->value());
+  }
+
+  server_->dispatcher().post([&] { server_->shutdown(); });
+  server_thread->join();
+}
+
 TEST_P(ServerInstanceImplTest, EmptyShutdownLifecycleNotifications) {
   auto server_thread = startTestServer("test/server/test_data/server/node_bootstrap.yaml", false);
   server_->dispatcher().post([&] { server_->shutdown(); });