OCS should be disabled when Gitlab-Agent is in FIPS mode
Proposal
Gitlab-agent can work in -fips mode. Right now, Operational Container Scanning (OCS) is always enabled by default. OCS works by running the trivy-k8s-wrapper, which is not FIPS compliant. For that reason, we need to disable OCS when gitlab-agent runs in FIPS mode.
Implementation plan
- Add the OCS functionality to the list of unsupported FIPS items
- Add conditional building to gitlab-agent
- Introduce new build tag
Edited by Nick Ilieskou