Merge remote-tracking branch 'origin/master' into main-jh

.gitlab/ci/fips-verify.gitlab-ci.yml

+# Component versions can be referenced with `@[COMMIT_SHA|tag|branch]`
+# IMAGES NOT CURRENTLY IN UBI/FIPS
+# - ${CI_REGISTRY_IMAGE}/gitlab-zoekt-webserver
+# - ${CI_REGISTRY_IMAGE}/gitlab-zoekt-dynamic-indexserver
+# - ${CI_REGISTRY_IMAGE}/gitlab-zoekt-indexer
+# - ${CI_REGISTRY_IMAGE}/gitaly-init-cgroups
+
+include: 
+  ## This is the configuration of the 
+  - local: .gitlab/ci/fips-verify/com.gitlab-ci.yml
+    rules:
+      # meant to cover any non-Dev host.
+      - if: $CI_SERVER_FQDN != "dev.gitlab.org"
+  - local: .gitlab/ci/fips-verify/dev.gitlab-ci.yml
+    rules:
+      - if: $CI_SERVER_FQDN == "dev.gitlab.org"

.gitlab/ci/fips-verify/com.gitlab-ci.yml

+.fips_verify_inputs: &fips-verify-inputs
+  job_stage: container-scanning
+  allow_failure: true
+  authenticate_registry: false
+
+.fips_verify_component: &fips-verify-component
+  component: gitlab.com/gitlab-org/cloud-native/distroless/container-dependencies-finder/rpm-verify-fips@main
+
+include:
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: certificates
+      container_image: ${CI_REGISTRY_IMAGE}/certificates:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: cfssl-self-sign
+      container_image: ${CI_REGISTRY_IMAGE}/cfssl-self-sign:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitaly
+      container_image: ${CI_REGISTRY_IMAGE}/gitaly:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-base
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-base:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-container-registry
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-container-registry:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-exporter
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-exporter:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-geo-logcursor
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-geo-logcursor:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-kas
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-kas:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-mailroom
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-mailroom:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-pages
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-pages:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-rails-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-rails-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-ruby
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-ruby:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-shell
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-shell:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-sidekiq-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-sidekiq-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-toolbox-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-toolbox-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-webservice-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-webservice-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-workhorse-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-workhorse-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: kubectl
+      container_image: ${CI_REGISTRY_IMAGE}/kubectl:${CI_COMMIT_REF_SLUG}-fips

.gitlab/ci/fips-verify/dev.gitlab-ci.yml

+.fips_verify_inputs: &fips-verify-inputs
+  job_stage: container-scanning
+  allow_failure: true
+  authenticate_registry: true
+
+.fips_verify_component: &fips-verify-component
+  component: dev.gitlab.org/gitlab/cloud-native/container-dependencies-finder/rpm-verify-fips-dev@main
+
+include:
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: certificates
+      container_image: ${CI_REGISTRY_IMAGE}/certificates:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: cfssl-self-sign
+      container_image: ${CI_REGISTRY_IMAGE}/cfssl-self-sign:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitaly
+      container_image: ${CI_REGISTRY_IMAGE}/gitaly:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-base
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-base:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-container-registry
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-container-registry:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-exporter
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-exporter:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-geo-logcursor
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-geo-logcursor:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-kas
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-kas:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-mailroom
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-mailroom:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-pages
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-pages:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-rails-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-rails-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-ruby
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-ruby:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-shell
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-shell:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-sidekiq-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-sidekiq-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-toolbox-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-toolbox-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-webservice-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-webservice-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: gitlab-workhorse-ee
+      container_image: ${CI_REGISTRY_IMAGE}/gitlab-workhorse-ee:${CI_COMMIT_REF_SLUG}-fips
+  - <<: *fips-verify-component
+    inputs:
+      <<: *fips-verify-inputs
+      job_prefix: kubectl
+      container_image: ${CI_REGISTRY_IMAGE}/kubectl:${CI_COMMIT_REF_SLUG}-fips

.gitlab/ci/fips.gitlab-ci.yml

 include:
   # use ubi as base
   - local: .gitlab/ci/ubi.gitlab-ci.yml
+  # include CDF rpm-verify
+  - local: .gitlab/ci/fips-verify.gitlab-ci.yml
 
 # Build images
 .build-job-base: &build-job-base

ci_files/variables.yml

@@ -40,13 +40,13 @@ variables:
   OPENSSL_GEM_VERSION: "~>3.2.0"
   RUST_VERSION: 1.73.0
   PYTHON_VERSION: "3.9.20"
-  KUBECTL_VERSION: "1.31.0"
+  KUBECTL_VERSION: "1.31.1"
   YQ_VERSION: "4.44.3"
   PG_VERSION: "16.4"
   CA_PKG_VERSION: "20220614-r0"
   CFSSL_VERSION: "1.6.1"
   CFSSL_CHECKSUM_SHA256: "89e600cd5203a025f8b47c6cd5abb9a74b06e3c7f7f7dd3f5b2a00975b15a491"
-  AWSCLI_VERSION: "1.34.30"
+  AWSCLI_VERSION: "1.35.15"
   S3CMD_VERSION: "2.4.0"
   GM_VERSION: "1.3.36"
   GM_CHECKSUM_SHA256: "5d5b3fde759cdfc307aaf21df9ebd8c752e3f088bb051dd5df8aac7ba7338f46"

gitlab-toolbox/Dockerfile

@@ -13,7 +13,7 @@ FROM --platform=$TARGETPLATFORM ${GITALY_IMAGE} AS gitaly
 FROM --platform=$TARGETPLATFORM ${FROM_IMAGE}:${TAG}
 
 ARG TARGETARCH
-ARG AWSCLI_VERSION="1.34.30"
+ARG AWSCLI_VERSION="1.35.15"
 ARG S3CMD_VERSION="2.4.0"
 ARG GSUTIL_VERSION="5.31"
 ARG AZCOPY_STATIC_URL="https://azcopyvnext.azureedge.net/releases/release-10.26.0-20240731/azcopy_linux_${TARGETARCH}_10.26.0.tar.gz"

gitlab-toolbox/Dockerfile.build.ubi

@@ -3,7 +3,7 @@ ARG BUILD_IMAGE=
 FROM ${BUILD_IMAGE}
 
 ARG TARGETARCH
-ARG AWSCLI_VERSION=1.34.30
+ARG AWSCLI_VERSION=1.35.15
 ARG S3CMD_VERSION=2.4.0
 ARG GSUTIL_VERSION=5.31
 ARG AZCOPY_STATIC_URL="https://azcopyvnext.azureedge.net/releases/release-10.26.0-20240731/azcopy_linux_${TARGETARCH}_10.26.0.tar.gz"

kubectl/Dockerfile

 ## FINAL IMAGE ##
 
 ARG DEBIAN_IMAGE=debian:bookworm-slim
-ARG KUBECTL_VERSION="1.31.0"
+ARG KUBECTL_VERSION="1.31.1"
 ARG YQ_VERSION="4.44.3"
 
 FROM --platform=${TARGETPLATFORM} ${DEBIAN_IMAGE}

kubectl/Dockerfile.build.ubi

@@ -2,7 +2,7 @@ ARG UBI_IMAGE=registry.access.redhat.com/ubi9/ubi-minimal:9.4
 
 FROM ${UBI_IMAGE}
 
-ARG KUBECTL_VERSION=1.31.0
+ARG KUBECTL_VERSION=1.31.1
 ARG YQ_VERSION=4.44.3
 
 ADD https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl /assets/usr/local/bin/kubectl