# FIPS AI Gateway Docker Image
## Problem to solve
We need to support a FIPS-compliant AI Gateway instance by creating a separate AI Gateway Docker image that operates our Python repository in FIPS mode.
## Background: Why FIPS mode is important
**FIPS Mode** ensures that software applications use only FIPS-validated cryptographic algorithms and modules for all security functions. This compliance requirement involves:
- **Using validated cryptographic libraries**: Implementing cryptographic libraries (such as OpenSSL) that have been FIPS 140-2/3 validated
- **Disabling non-approved algorithms**: Preventing the use of non-compliant algorithms (e.g., MD5 for hashing, DES for encryption)
- **Enforcing approved algorithms and key sizes**: Requiring the use of approved cryptographic standards such as:
  - AES for encryption
  - SHA-256 for hashing
  - RSA with 2048-bit keys or greater
## Proposed Solution
We can leverage GitLab's existing FIPS-compliant UBI (Universal Base Image) infrastructure that is already used for other GitLab components. GitLab already ships images based on UBI, hardened for FIPS, and relying on Red Hat certifications.
### UBI Image Foundation
GitLab's existing FIPS-compliant Python infrastructure includes:
- **[gitlab-python](https://gitlab.com/gitlab-org/build/CNG/-/tree/master/gitlab-python)** - Base Python image with FIPS compliance
- **[gitlab-sidekiq](https://gitlab.com/gitlab-org/build/CNG/-/blob/master/gitlab-sidekiq/Dockerfile.build.ubi#L15)** - Consumes gitlab-python
- **[gitaly](https://gitlab.com/gitlab-org/build/CNG/-/blob/master/gitaly/Dockerfile.build.ubi#L34)** - Consumes gitlab-python
These images are built against Red Hat's OpenSSL 3.2+ build of the OpenSSL v3 FIPS provider module, which is NIST CMVP certified and falls under FedRAMP guidance for maintenance.
### Implementation Approach
Build the FIPS-compliant AI Gateway Docker image using GitLab's existing UBI-based Python foundation:
```dockerfile
# Use GitLab's existing FIPS-compliant Python base
FROM registry.gitlab.com/gitlab-org/build/cng/gitlab-python:latest
# AI Gateway specific configurations
ARG TAG
RUN mkdir "tmp"
# Install AI Gateway dependencies with FIPS compliance
# ... (AI Gateway specific setup)
```
### Acceptance criteria
- [ ] FIPS-compliant AI Gateway Docker image is created using GitLab's UBI-based Python foundation
- [ ] Python environment operates in FIPS mode using Red Hat's certified OpenSSL FIPS provider
- [ ] Only FIPS-validated cryptographic algorithms are used
- [ ] Image leverages existing GitLab FIPS infrastructure for consistency and compliance
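The two runtime criteria above (FIPS mode active, only approved algorithms usable) can be checked from inside the built image. The self-check below is an added example, not code from the AI Gateway repository; it reads the kernel FIPS flag and probes OpenSSL through `hashlib`, and its approved/non-approved sets follow the algorithms this issue lists (the thresholds and set membership are assumptions for the check, not project policy).

```python
"""Self-check for the FIPS acceptance criteria (added example, not repo code)."""
import hashlib
import ssl
from pathlib import Path
from typing import Optional

# Assumed for this check: the issue names MD5 as non-approved, SHA-256 as approved.
NON_APPROVED_HASHES = {"md5"}
APPROVED_HASHES = {"sha256"}
MIN_RSA_BITS = 2048  # "RSA with 2048-bit keys or greater"


def kernel_fips_enabled() -> Optional[bool]:
    """Read /proc/sys/crypto/fips_enabled; None if the file is absent (non-Linux)."""
    try:
        return Path("/proc/sys/crypto/fips_enabled").read_text().strip() == "1"
    except OSError:
        return None


def hash_blocked(name: str) -> bool:
    """True if OpenSSL refuses to construct this digest for security use.

    With the OpenSSL 3 FIPS provider active, hashlib raises ValueError for MD5;
    outside FIPS mode the same call succeeds, so this reflects the real runtime.
    """
    try:
        hashlib.new(name, b"probe")  # usedforsecurity defaults to True
    except ValueError:
        return True
    return False


def rsa_key_size_ok(bits: int) -> bool:
    """Key-size rule from the issue: 2048-bit RSA or larger."""
    return bits >= MIN_RSA_BITS


def fips_report() -> dict:
    """Collect the observations the acceptance criteria depend on."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "kernel_fips": kernel_fips_enabled(),
        "non_approved_blocked": all(hash_blocked(h) for h in NON_APPROVED_HASHES),
        "approved_available": all(not hash_blocked(h) for h in APPROVED_HASHES),
    }


def meets_acceptance(report: dict) -> bool:
    """Pass only if FIPS is on, approved hashes work and non-approved ones are refused."""
    return bool(report["kernel_fips"] and report["approved_available"]
                and report["non_approved_blocked"])


if __name__ == "__main__":
    r = fips_report()
    for key, value in r.items():
        print(f"{key}: {value}")
    raise SystemExit(0 if meets_acceptance(r) else 1)
```

Run it as a container test step; a non-zero exit means the image is not in FIPS mode or still exposes a non-approved digest.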
## Security considerations
### Does this feature require an audit event?
This feature may require audit events for:
- FIPS mode activation/deactivation
- Cryptographic algorithm usage tracking
- Compliance status changes