feat: Establish AI Gateway Image with OpenSSL_FIPS_MODE enabled

What does this merge request do and why?

Facilitates setup of running the Duo Workflow Service and AI Gateway with FIPS mode enabled. gitlab-org/gitlab#560241

How to set up and validate locally

1. Build the docker image

docker buildx build --build-context hardening=docker-image://registry.gitlab.com/gitlab-org/build/cng/gitlab-base:latest -t ai-gateway:latest .

2. Run the Docker image

docker run -d -p 50001:5000 \
  -e AIGW_AUTH__BYPASS_EXTERNAL=true \
  -e AIGW_AUTH__BYPASS_EXTERNAL_WITH_HEADER=true \
  -e AIGW_AUTH__BYPASS_JWT_SIGNATURE=true \
  -e ANTHROPIC_KEY=<REDACTED_ANTHROPIC_KEY> \
  ai-gateway:latest

3. Query the following image

curl -X POST "http://localhost:50001/v2/chat/agent" \
    -H "accept: application/json" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer <REDACTED_ANTHROPIC_KEY>" \
    -H "x-gitlab-enabled-feature-flags: expanded_ai_logging" \
    -d '{
          "messages": [
            {
              "role": "user",
              "content": "Hey, GitLab Duo Chat",
              "context": null,
              "current_file": null,
              "additional_context": []
            }
          ],
          "model_metadata": {
            "provider": "gitlab",
            "identifier": "claude_sonnet_4_20250514", 
            "feature_setting": "duo_chat"
          }
        }'

4. Tail the docker container to ensure logs are correctly going to the container

docker logs <container_id> -f

Merge request checklist

  • Tests added for new functionality. If not, please raise an issue to follow up.
  • Documentation added/updated, if needed.
  • If this change requires executor implementation: verified that issues/MRs exist for both Go executor and Node executor or confirmed that changes are backward-compatible and don't break existing executor functionality.
Edited by Nathan Weinshenker
