
FIPS AI Gateway Docker Image

Problem to solve

We need to support a FIPS-compliant AI Gateway instance by creating a separate AI Gateway Docker image that operates our Python repository in FIPS mode.

Background: Why FIPS mode is important

FIPS Mode ensures that software applications use only FIPS-validated cryptographic algorithms and modules for all security functions. This compliance requirement involves:

  • Using validated cryptographic libraries: Implementing cryptographic libraries (such as OpenSSL) that have been FIPS 140-2/3 validated
  • Disabling non-approved algorithms: Preventing the use of non-compliant algorithms (e.g., MD5 for hashing, DES for encryption)
  • Enforcing approved algorithms and key sizes: Requiring the use of approved cryptographic standards such as:
    • AES for encryption
    • SHA-256 for hashing
    • RSA with 2048-bit keys or greater

Proposed Solution

We can leverage GitLab's existing FIPS-compliant UBI (Universal Base Image) infrastructure that is already used for other GitLab components. GitLab already ships images based on UBI, hardened for FIPS, and relying on Red Hat certifications.

UBI Image Foundation

GitLab's existing FIPS-compliant Python infrastructure includes:

These images are built against Red Hat's OpenSSL 3.2+ with its OpenSSL v3 FIPS provider module, which has been NIST CMVP certified and falls under FedRAMP guidance for maintenance.

Implementation Approach

Build the FIPS-compliant AI Gateway Docker image using GitLab's existing UBI-based Python foundation:

# Use GitLab's existing FIPS-compliant Python base
FROM registry.gitlab.com/gitlab-org/build/cng/gitlab-python:latest

# AI Gateway specific configurations
ARG TAG
RUN mkdir "tmp"

# Install AI Gateway dependencies with FIPS compliance
# ... (AI Gateway specific setup)

Acceptance criteria

  • FIPS-compliant AI Gateway Docker image is created using GitLab's UBI-based Python foundation
  • Python environment operates in FIPS mode using Red Hat's certified OpenSSL FIPS provider
  • Only FIPS-validated cryptographic algorithms are used
  • Image leverages existing GitLab FIPS infrastructure for consistency and compliance
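A runtime self-check for the second and third criteria, run inside the built image before the gateway starts (added example, not code from this issue or the AI Gateway repository). It assumes the image's Python is 3.9+ and uses CPython's internal _hashlib.get_fips_mode() only as advisory; the authoritative signal is whether hashlib actually refuses to build MD5.

```python
import hashlib
import ssl
import sys

SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"  # NIST KAT for b"abc"

def fips_mode_flag():
    """OpenSSL FIPS flag as seen by CPython (1/0), or None if the internal helper is absent."""
    try:
        import _hashlib  # CPython-internal module; assumed present, treated as advisory only
        return int(_hashlib.get_fips_mode())
    except (ImportError, AttributeError):
        return None

def md5_allowed():
    """True if this Python will still build MD5 for security use."""
    # In a correctly built FIPS image this raises ValueError: the FIPS provider
    # rejects MD5 and no built-in fallback implementation is compiled in.
    try:
        hashlib.new("md5", usedforsecurity=True)
        return True
    except ValueError:
        return False

def probe():
    """Collect the facts the acceptance criteria depend on."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "fips_mode_flag": fips_mode_flag(),
        "md5_allowed": md5_allowed(),
        "sha256_ok": hashlib.sha256(b"abc").hexdigest() == SHA256_ABC,
    }

def verify(report, require_fips):
    """Return (ok, reason). FIPS counts as active only when MD5 is actually rejected."""
    active = not report["md5_allowed"]
    if not report["sha256_ok"]:
        return False, "SHA-256 known-answer test failed"
    if report["fips_mode_flag"] == 1 and not active:
        return False, "FIPS flag set but MD5 still usable: provider not enforcing"
    if require_fips and not active:
        return False, "FIPS mode not active: MD5 accepted"
    return True, "FIPS active" if active else "FIPS inactive (not required)"

if __name__ == "__main__":  # e.g. `python fips_check.py --require` as an entrypoint step
    report = probe()
    ok, reason = verify(report, "--require" in sys.argv)
    print(report, reason)
    sys.exit(0 if ok else 1)
```

Wiring this into the image's entrypoint with --require makes a mis-built image (FIPS provider missing or not enforcing) fail at start-up rather than serving traffic with non-approved algorithms available.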

Security considerations

Does this feature require an audit event?

This feature may require audit events for:

  • FIPS mode activation/deactivation
  • Cryptographic algorithm usage tracking
  • Compliance status changes

Edited by Nathan Weinshenker