diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 234c10fce39f0..27be5a0a1c046 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,19 +2,32 @@ stages: - trigger - build +default: + tags: ["arch:amd64"] + image: registry.ddbuild.io/images/docker:24.0.4-gbi-focal + variables: - CI_DOCKER_IMAGE: registry.ddbuild.io/images/docker:24.0.4-gbi-focal DOCKER_CTX: "." DOCKER_BUILD_ARGS: "" + ALPINE_IMAGE: registry.ddbuild.io/images/mirror/library/alpine:3.19.6@sha256:6380aa6b04faa579332d4c9d1f65bd7093012ba6e01d9bbcd5e2d8a4f9fae38f + BASE_IMAGE: registry.ddbuild.io/images/base/gbi-distroless:release + CILIUM_BPFTOOL_IMAGE: registry.ddbuild.io/images/mirror/cilium/cilium-bpftool:0db3a73729ceb42e947d826bb96a655be79e5317@sha256:de23c9546c4eafab33f75d6f5d129947bbbafc132dbd113c0cecc9a61929e6b0 + CILIUM_BUILDER_IMAGE: registry.ddbuild.io/images/mirror/cilium/cilium-builder:28af50e6eba2a75cfc2479fd09a086b750dabd2d@sha256:8698148b447871c87217b4ac5b94926bf4c2493e896ce0abe752f46a17c725fb + CILIUM_ENVOY_IMAGE: registry.ddbuild.io/images/mirror/cilium/cilium-envoy:v1.30.9-1734953328-6db0e437ba7ed2169f032ceec25922dd06e0b12b@sha256:5c6d21a908235b697e41951d7aa59cc250642b5b54827e8d13e1bdd345a139f9 + CILIUM_IPTABLES_IMAGE: registry.ddbuild.io/images/mirror/cilium/iptables:67f517af50e18f64cd12625021f1c39246bb4f92@sha256:d075f03e89aacf51908346ec8ed5d251b8d3ad528ce30a710fcd074cdf91f11d + CILIUM_LLVM_IMAGE: registry.ddbuild.io/images/mirror/cilium/cilium-llvm:a8c542efc076b62ba683e7699c0013adb6955f0f@sha256:38e8941107bd19eb30bdde6e478760a22325f38d1f2771dfd1b9af81d74235e7 + FIPS_BASE_IMAGE: registry.ddbuild.io/images/base/gbi-ubuntu_2204-fips:release + GOLANG_IMAGE: registry.ddbuild.io/images/mirror/library/golang:1.22.10@sha256:7761eeedd113a5751a7e1c135c89c4656a661ad73065dd09035ed3770b063c19 + TESTER_IMAGE: registry.ddbuild.io/images/mirror/cilium/image-tester:dd09c8d3ef349a909fbcdc99279516baef153f22@sha256:c056d064cb47c97acd607343db5457e1d49d9338d6d8a87e93e23cc93f052c73 + UBUNTU_IMAGE: registry.ddbuild.io/images/base/gbi-ubuntu_2204:release + # Force git to remove any reference to the local disk copy of the repository 
before_script: - git repack -a -d && rm -f .git/objects/info/alternates -.build-docker-image: &build-docker-image +.build-docker-image: stage: build - image: $CI_DOCKER_IMAGE - tags: ["arch:arm64"] rules: # Run the pipeline for all pushed tags + triggered pipelines - if: $CI_COMMIT_TAG 
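Review bot: In the new top-level `variables:` block, `BASE_IMAGE`, `FIPS_BASE_IMAGE` and `UBUNTU_IMAGE` reference the mutable `:release` tag, while every mirrored image next to them is pinned with `@sha256:`. The jobs that consume them appear to sign their output (the `DDSIGN_ID_TOKEN` id token on `.build-docker-image`), so with a floating base two builds of the same commit tag can carry different base layers under an equally valid signature. Either pin these three by digest like the mirrors, or, if tracking `:release` is deliberate, say so next to them, e.g. `# gbi base images track :release on purpose; contents change between builds`. The new `default: image:` is tag-only as well.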
@@ -22,79 +35,141 @@ before_script: id_tokens: DDSIGN_ID_TOKEN: aud: image-integrity - script: - - .gitlab/build-image.sh + script: .gitlab/build-image.sh -build-docker-image-operator: - <<: *build-docker-image +cilium-operator: + extends: .build-docker-image variables: - IMAGE_NAME: cilium-operator DOCKERFILE_PATH: images/operator/Dockerfile DOCKER_BUILD_ARGS: | OPERATOR_VARIANT=operator - BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release - GOLANG_IMAGE=registry.ddbuild.io/images/mirror/library/golang:1.22.10@sha256:7761eeedd113a5751a7e1c135c89c4656a661ad73065dd09035ed3770b063c19 - ALPINE_IMAGE=registry.ddbuild.io/images/mirror/library/alpine:3.19.6@sha256:6380aa6b04faa579332d4c9d1f65bd7093012ba6e01d9bbcd5e2d8a4f9fae38f - CILIUM_BUILDER_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-builder:28af50e6eba2a75cfc2479fd09a086b750dabd2d@sha256:8698148b447871c87217b4ac5b94926bf4c2493e896ce0abe752f46a17c725fb + BASE_IMAGE=$BASE_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE + ALPINE_IMAGE=$ALPINE_IMAGE + CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE TARGET: release -build-docker-image-runtime: - <<: *build-docker-image +cilium-operator-fips: + extends: .build-docker-image + variables: + DOCKERFILE_PATH: images/operator/Dockerfile + DOCKER_BUILD_ARGS: | + OPERATOR_VARIANT=operator + BASE_IMAGE=$FIPS_BASE_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE + ALPINE_IMAGE=$ALPINE_IMAGE + CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE + TARGET: release + +cilium-operator-generic: + extends: .build-docker-image + variables: + DOCKERFILE_PATH: images/operator/Dockerfile + DOCKER_BUILD_ARGS: | + OPERATOR_VARIANT=operator-generic + BASE_IMAGE=$BASE_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE + ALPINE_IMAGE=$ALPINE_IMAGE + CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE + TARGET: release + +cilium-operator-aws: + extends: .build-docker-image + variables: + DOCKERFILE_PATH: images/operator/Dockerfile + DOCKER_BUILD_ARGS: | + OPERATOR_VARIANT=operator-aws + BASE_IMAGE=$BASE_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE 
+ ALPINE_IMAGE=$ALPINE_IMAGE + CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE + TARGET: release + +cilium-operator-aws-fips: + extends: .build-docker-image + variables: + DOCKERFILE_PATH: images/operator/Dockerfile + DOCKER_BUILD_ARGS: | + OPERATOR_VARIANT=operator-aws + BASE_IMAGE=$FIPS_BASE_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE + ALPINE_IMAGE=$ALPINE_IMAGE + CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE + TARGET: release + +cilium-operator-azure: + extends: .build-docker-image + variables: + DOCKERFILE_PATH: images/operator/Dockerfile + DOCKER_BUILD_ARGS: | + OPERATOR_VARIANT=operator-azure + BASE_IMAGE=$BASE_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE + ALPINE_IMAGE=$ALPINE_IMAGE + CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE + TARGET: release + +cilium-runtime: + extends: .build-docker-image variables: - IMAGE_NAME: cilium-runtime DOCKERFILE_PATH: images/runtime/Dockerfile DOCKER_BUILD_ARGS: | - TESTER_IMAGE=registry.ddbuild.io/images/mirror/cilium/image-tester:dd09c8d3ef349a909fbcdc99279516baef153f22@sha256:c056d064cb47c97acd607343db5457e1d49d9338d6d8a87e93e23cc93f052c73 - GOLANG_IMAGE=registry.ddbuild.io/images/mirror/library/golang:1.22.10@sha256:7761eeedd113a5751a7e1c135c89c4656a661ad73065dd09035ed3770b063c19 - UBUNTU_IMAGE=registry.ddbuild.io/images/base/gbi-ubuntu_2204:release - CILIUM_LLVM_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-llvm:a8c542efc076b62ba683e7699c0013adb6955f0f@sha256:38e8941107bd19eb30bdde6e478760a22325f38d1f2771dfd1b9af81d74235e7 - CILIUM_BPFTOOL_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-bpftool:0db3a73729ceb42e947d826bb96a655be79e5317@sha256:de23c9546c4eafab33f75d6f5d129947bbbafc132dbd113c0cecc9a61929e6b0 - CILIUM_IPTABLES_IMAGE=registry.ddbuild.io/images/mirror/cilium/iptables:67f517af50e18f64cd12625021f1c39246bb4f92@sha256:d075f03e89aacf51908346ec8ed5d251b8d3ad528ce30a710fcd074cdf91f11d + TESTER_IMAGE=$TESTER_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE + UBUNTU_IMAGE=$UBUNTU_IMAGE + CILIUM_LLVM_IMAGE=$CILIUM_LLVM_IMAGE + 
CILIUM_BPFTOOL_IMAGE=$CILIUM_BPFTOOL_IMAGE + CILIUM_IPTABLES_IMAGE=$CILIUM_IPTABLES_IMAGE DOCKER_CTX: "./images/runtime" # Caveats: # * The build image is single-arch amd64 and we're doing cross-compilation, so the dlv copy is only valid on amd64. In # other words, the arm64 image does not work. -build-docker-image-cilium: - <<: *build-docker-image +cilium: + extends: .build-docker-image needs: # The cilium image depends on the runtime image - - build-docker-image-runtime + - cilium-runtime variables: - IMAGE_NAME: cilium DOCKERFILE_PATH: images/cilium/Dockerfile DOCKER_BUILD_ARGS: | - CILIUM_BUILDER_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-builder:28af50e6eba2a75cfc2479fd09a086b750dabd2d@sha256:8698148b447871c87217b4ac5b94926bf4c2493e896ce0abe752f46a17c725fb - CILIUM_ENVOY_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-envoy:v1.30.9-1734953328-6db0e437ba7ed2169f032ceec25922dd06e0b12b@sha256:5c6d21a908235b697e41951d7aa59cc250642b5b54827e8d13e1bdd345a139f9 + CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE + CILIUM_ENVOY_IMAGE=$CILIUM_ENVOY_IMAGE TARGET: release NOSTRIP: 0 -build-docker-image-hubble-relay: - <<: *build-docker-image +hubble-relay: + extends: .build-docker-image variables: - IMAGE_NAME: hubble-relay DOCKERFILE_PATH: images/hubble-relay/Dockerfile DOCKER_BUILD_ARGS: | - BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release - GOLANG_IMAGE=registry.ddbuild.io/images/mirror/library/golang:1.22.10@sha256:7761eeedd113a5751a7e1c135c89c4656a661ad73065dd09035ed3770b063c19 - CILIUM_BUILDER_IMAGE=registry.ddbuild.io/images/mirror/cilium/cilium-builder:28af50e6eba2a75cfc2479fd09a086b750dabd2d@sha256:8698148b447871c87217b4ac5b94926bf4c2493e896ce0abe752f46a17c725fb + BASE_IMAGE=$BASE_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE + CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE + TARGET: release + +# This job is a duplicate of the clustermesh-apiserver one +# We keep it until we replaced all image references from kvstoremesh to clustermesh-apiserver 
+kvstoremesh: + extends: .build-docker-image + variables: + DOCKERFILE_PATH: images/clustermesh-apiserver/Dockerfile + DOCKER_BUILD_ARGS: | + BASE_IMAGE=$BASE_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE TARGET: release -build-docker-image-clustermesh-apiserver: - <<: *build-docker-image +cilium-clustermesh-apiserver: + extends: .build-docker-image variables: - IMAGE_NAME: kvstoremesh DOCKERFILE_PATH: images/clustermesh-apiserver/Dockerfile DOCKER_BUILD_ARGS: | - BASE_IMAGE=registry.ddbuild.io/images/base/gbi-distroless:release - GOLANG_IMAGE=registry.ddbuild.io/images/mirror/library/golang:1.22.10@sha256:7761eeedd113a5751a7e1c135c89c4656a661ad73065dd09035ed3770b063c19 + BASE_IMAGE=$BASE_IMAGE + GOLANG_IMAGE=$GOLANG_IMAGE TARGET: release trigger-builds: stage: trigger - image: $CI_DOCKER_IMAGE - tags: ["arch:arm64"] rules: - if: $CI_PIPELINE_SOURCE == "schedule" - script: - - .gitlab/trigger-builds.sh + script: .gitlab/trigger-builds.sh diff --git a/.gitlab/build-image.sh b/.gitlab/build-image.sh index 4fd1a49a24243..fec8f0c472b24 100755 --- a/.gitlab/build-image.sh +++ b/.gitlab/build-image.sh @@ -16,10 +16,10 @@ IMAGE_TAG="$CI_COMMIT_TAG" if [ "$TARGET" = "debug" ]; then IMAGE_TAG="${IMAGE_TAG}-debug" fi -IMAGE_REF="registry.ddbuild.io/$IMAGE_NAME:$IMAGE_TAG" +IMAGE_REF="registry.ddbuild.io/$CI_JOB_NAME:$IMAGE_TAG" # Find the right Cilium Runtime image to use for the main Cilium image build -if [ "$IMAGE_NAME" == "cilium" ]; then +if [ "$CI_JOB_NAME" == "cilium" ]; then CILIUM_RUNTIME_IMAGE="registry.ddbuild.io/cilium-runtime:$IMAGE_TAG" BUILD_ARGS+=" --build-arg CILIUM_RUNTIME_IMAGE=$CILIUM_RUNTIME_IMAGE" fi 
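Review bot: In `.gitlab-ci.yml`, the new `cilium-operator-fips` and `cilium-operator-aws-fips` jobs differ from their non-FIPS counterparts only in `BASE_IMAGE=$FIPS_BASE_IMAGE`; `GOLANG_IMAGE`, `CILIUM_BUILDER_IMAGE` and `OPERATOR_VARIANT` are identical. Nothing visible in this hunk changes how the Go binary itself is compiled, so what the `-fips` suffix guarantees depends on `images/operator/Dockerfile`, which is outside this diff. A comment above each job would keep the name from being read as a stronger claim than the build delivers, for example `# FIPS variant: only the base image differs; the operator binary uses the same toolchain as cilium-operator` (adjust if the Dockerfile does more).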
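Review bot: In `.gitlab/build-image.sh`, the repository that gets pushed and signed is now derived from `$CI_JOB_NAME`, so the image name is no longer declared anywhere and a job rename in `.gitlab-ci.yml` silently changes the publish target. GitLab also rewrites the job name for `parallel` and matrix jobs, which would produce an invalid or unexpected reference. A guard ahead of the `IMAGE_REF=` line keeps the value within the expected shape: `case "$CI_JOB_NAME" in ""|*[!a-z0-9-]*) echo "unexpected job name: $CI_JOB_NAME" >&2; exit 1;; esac`. The same variable drives the `cilium` comparison in the later hunk of this file (the debug build), and the script continues outside both hunks.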
@@ -41,7 +41,7 @@ docker buildx build --platform linux/amd64,linux/arm64 \ ddsign sign "$IMAGE_REF" --docker-metadata-file "$METADATA_FILE" # Always build the debug version of the Cilium image -if [ "$IMAGE_NAME" == "cilium" ]; then +if [ "$CI_JOB_NAME" == "cilium" ]; then METADATA_FILE_DEBUG=$(mktemp) docker buildx build --platform linux/amd64,linux/arm64 \ --tag "$IMAGE_REF"-debug \