Disable Debian when FIPS mode is enabled
What does this MR do and why?
To be FIPS compliant, GitLab cannot make use of MD5 values. The Debian package registry uses MD5 files extensively in a variety of locations.
This MR disables the Debian registry when FIPS is enabled:
- All API endpoints return `404 Not Found`
- Internal services and workers throw a new error. This should never happen since these services and workers are triggered by the API endpoints, but they are added as a safety measure.
There is potential for the Debian registry to be enabled during FIPS mode, but it requires more extensive changes and testing. Given the due date to achieve FIPS compliance (15.2) and the fact that the entire Debian registry feature is behind a feature flag and not yet released, it made sense to simply disable the feature for now so we can spend more time on a version that is enabled in FIPS mode later or when the feature is released.
Screenshots or screen recordings
N/A
How to set up and validate locally
N/A - It is not easy to test with a FIPS environment locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #361261 (closed)