feat: Establish AI Gateway Image with OpenSSL_FIPS_MODE enabled
What does this merge request do and why?
Facilitates setup of running the Duo Workflow Service and AI Gateway with FIPS mode enabled. gitlab-org/gitlab#560241
How to set up and validate locally
1. Build the Docker image
docker buildx build --build-context hardening=docker-image://registry.gitlab.com/gitlab-org/build/cng/gitlab-base:latest -t ai-gateway:latest .
2. Run the Docker image
docker run -d -p 50001:5000 \
-e AIGW_AUTH__BYPASS_EXTERNAL=true \
-e AIGW_AUTH__BYPASS_EXTERNAL_WITH_HEADER=true \
-e AIGW_AUTH__BYPASS_JWT_SIGNATURE=true \
-e ANTHROPIC_KEY=<REDACTED_ANTHROPIC_KEY> \
ai-gateway:latest
3. Query the following image
curl -X POST "http://localhost:50001/v2/chat/agent" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <REDACTED_ANTHROPIC_KEY>" \
-H "x-gitlab-enabled-feature-flags: expanded_ai_logging" \
-d '{
"messages": [
{
"role": "user",
"content": "Hey, GitLab Duo Chat",
"context": null,
"current_file": null,
"additional_context": []
}
],
"model_metadata": {
"provider": "gitlab",
"identifier": "claude_sonnet_4_20250514",
"feature_setting": "duo_chat"
}
}'
4. Tail the Docker container to ensure logs are correctly going to the container
docker logs <container_id> -f
Merge request checklist
- Tests added for new functionality. If not, please raise an issue to follow up.
- Documentation added/updated, if needed.
- If this change requires executor implementation: verified that issues/MRs exist for both Go executor and Node executor or confirmed that changes are backward-compatible and don't break existing executor functionality.
Edited by Nathan Weinshenker
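
The local validation run above sets three `AIGW_AUTH__BYPASS_*` variables. The following check is an added example, not part of this merge request or the AI Gateway code base: it reads `docker inspect` output and reports every container that has one of those variables set to a truthy value. The sample JSON, the container names and the list of truthy values are constructed assumptions.

```python
import json
import sys

# Variable names taken from the docker run command on this page.
BYPASS_VARS = (
    "AIGW_AUTH__BYPASS_EXTERNAL",
    "AIGW_AUTH__BYPASS_EXTERNAL_WITH_HEADER",
    "AIGW_AUTH__BYPASS_JWT_SIGNATURE",
)
# Assumption: values a settings loader commonly reads as "enabled".
TRUTHY = {"1", "true", "t", "yes", "y", "on"}


def find_auth_bypass(inspect_json):
    """Map container name -> sorted bypass variables set to a truthy value.

    inspect_json is `docker inspect` output: a JSON array whose items
    carry Config.Env as a list of "KEY=VALUE" strings (or null).
    """
    findings = {}
    for container in json.loads(inspect_json):
        env = (container.get("Config") or {}).get("Env") or []
        enabled = set()
        for entry in env:
            key, _, value = entry.partition("=")  # value may contain '='
            if key in BYPASS_VARS and value.strip().lower() in TRUTHY:
                enabled.add(key)
        if enabled:
            name = container.get("Name") or container.get("Id") or "<unknown>"
            findings[name.lstrip("/")] = sorted(enabled)
    return findings


# Constructed sample: a local-validation container and two clean ones.
SAMPLE = json.dumps([
    {"Name": "/aigw-local", "Config": {"Env": [
        "AIGW_AUTH__BYPASS_EXTERNAL=true",
        "AIGW_AUTH__BYPASS_EXTERNAL_WITH_HEADER=True",
        "AIGW_AUTH__BYPASS_JWT_SIGNATURE=false",
        "PATH=/usr/local/bin:/usr/bin",
    ]}},
    {"Name": "/aigw-staging", "Config": {"Env": ["PATH=/usr/bin"]}},
    {"Name": "/no-env", "Config": {"Env": None}},
])

if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    result = find_auth_bypass(raw.strip() or SAMPLE)
    for name, keys in result.items():
        print(f"{name}: {', '.join(keys)}")
    sys.exit(1 if result else 0)
```

Piping `docker inspect $(docker ps -q)` into the script checks every running container; a non-zero exit status means at least one bypass variable is enabled.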