Add RHEL/UBI amd64 FIPS support

Georgi N. Georgiev requested to merge fips-iteration-1 into main

What does this MR do?

The first iteration of supporting FIPS for GitLab Runner

  • Builds a FIPS enabled Go compiler docker image
  • Runner and Helper binaries are built with fips enabled
  • Only amd64
  • Docker images use RedHat's UBI images as base
  • Binaries are also intended to be used in RHEL OSes only
  • Separate FIPS RPM packages are also built which only include the FIPS amd64 helper image
  • Users should be able to specify the flavour of the helper image with "FIPS", just like they do with "alpine3.13" for example
  • Docs to come

Why was this MR needed?

For initial support for FIPS in GitLab Runner

What's the best way to test this MR?

Compile the FIPS binaries locally with:

make go-fips-docker
make runner-bin-fips-docker
make out/binaries/gitlab-runner-helper/gitlab-runner-helper-fips-docker

Verify that the binaries are running in FIPS mode by checking for the BoringSSL enabled message in the logs and by running the nm tool for the binaries:

go tool nm out/binaries/gitlab-runner-helper/gitlab-runner-helper.x86_64-fips |grep goboringcrypto
go tool nm out/binaries/gitlab-runner-linux-amd64-fips|grep goboringcrypto

What are the relevant issue numbers?

Related to #27886 (closed)

Edited by Arran Walker
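
The symbol check described above, turned into a pass/fail gate; this is an added example, not part of the merge request or the GitLab Runner code base. The function names and the sample `go tool nm` lines are constructed for illustration. It reports an empty symbol table separately, because a plain `grep` that finds nothing cannot tell a stripped binary from a non-FIPS one.

```shell
#!/bin/sh
# Constructed sample `go tool nm` output (address, type, symbol name).
SAMPLE_FIPS='  4a2f00 T crypto/internal/boring._Cfunc__goboringcrypto_SHA256_Init
  4a3100 T _cgo_0123456789ab_Cfunc__goboringcrypto_SHA256_Init
  45e2c0 T main.main'
SAMPLE_PLAIN='  45e2c0 T main.main
  46a000 T crypto/sha256.block'

# classify_nm: read `go tool nm` output on stdin and print one of
#   fips        at least one goboringcrypto symbol is present
#   non-fips    symbols exist, but none reference goboringcrypto
#   no-symbols  nothing to inspect (stripped binary or nm failed)
classify_nm() {
    awk '
        NF >= 2 { total++ }
        NF >= 2 && /goboringcrypto/ { hits++ }
        END {
            if (total == 0)    print "no-symbols"
            else if (hits > 0) print "fips"
            else               print "non-fips"
        }'
}

# check_binaries: classify each binary given as an argument and
# return non-zero if any of them is not positively identified as FIPS.
check_binaries() {
    rc=0
    for bin in "$@"; do
        status=$(go tool nm "$bin" 2>/dev/null | classify_nm)
        echo "$bin: $status"
        [ "$status" = "fips" ] || rc=1
    done
    return "$rc"
}

# Run against real binaries only when paths are passed on the command line.
if [ "$#" -gt 0 ]; then
    check_binaries "$@"
fi
```

Pass it the two binary paths from the description above to check both in one run.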