Merge pull request #600 from DataDog/hadrien/1.16.6/fips-base

[1.16]: CMPT-2763

.gitlab-ci.yml

@@ -8,10 +8,8 @@ default:
 
 variables:
   DOCKER_CTX: "."
-  DOCKER_BUILD_ARGS: ""
 
   ALPINE_IMAGE: registry.ddbuild.io/images/mirror/library/alpine:3.20.1@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
-  BASE_IMAGE: registry.ddbuild.io/images/base/gbi-distroless:release
   CILIUM_BPFTOOL_IMAGE: registry.ddbuild.io/images/mirror/cilium/cilium-bpftool:0db3a73729ceb42e947d826bb96a655be79e5317@sha256:de23c9546c4eafab33f75d6f5d129947bbbafc132dbd113c0cecc9a61929e6b0
   CILIUM_BUILDER_IMAGE: registry.ddbuild.io/images/mirror/cilium/cilium-builder:714cfc3420a53a154dba0df63a43bc1378bebffd@sha256:13345d46c1a5b24e3b64c46ff4b334c5bbbbf784b769f1adbb8fad094f177f03
   CILIUM_ENVOY_IMAGE: registry.ddbuild.io/images/mirror/cilium/cilium-envoy:v1.31.5-1739264036-958bef243c6c66fcfd73ca319f2eb49fff1eb2ae@sha256:fc708bd36973d306412b2e50c924cd8333de67e0167802c9b48506f9d772f521
@@ -20,7 +18,6 @@ variables:
   FIPS_BASE_IMAGE: registry.ddbuild.io/images/base/gbi-ubuntu_2204-fips:release
   GOLANG_IMAGE: registry.ddbuild.io/images/mirror/library/golang:1.23.6@sha256:927112936d6b496ed95f55f362cc09da6e3e624ef868814c56d55bd7323e0959
   TESTER_IMAGE: registry.ddbuild.io/images/mirror/cilium/image-tester:dd09c8d3ef349a909fbcdc99279516baef153f22@sha256:c056d064cb47c97acd607343db5457e1d49d9338d6d8a87e93e23cc93f052c73
-  UBUNTU_IMAGE: registry.ddbuild.io/images/base/gbi-ubuntu_2204:release
 
 # Force git to remove any reference to the local disk copy of the repository
 before_script:
@@ -37,55 +34,19 @@ before_script:
       aud: image-integrity
   script: .gitlab/build-image.sh
 
-cilium-operator:
-  extends: .build-docker-image
-  variables:
-    DOCKERFILE_PATH: images/operator/Dockerfile
-    DOCKER_BUILD_ARGS: |
-      OPERATOR_VARIANT=operator
-      BASE_IMAGE=$BASE_IMAGE
-      GOLANG_IMAGE=$GOLANG_IMAGE
-      ALPINE_IMAGE=$ALPINE_IMAGE
-      CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE
-    TARGET: release
-
-cilium-operator-fips:
-  extends: .build-docker-image
-  variables:
-    DOCKERFILE_PATH: images/operator/Dockerfile
-    DOCKER_BUILD_ARGS: |
-      OPERATOR_VARIANT=operator
-      BASE_IMAGE=$FIPS_BASE_IMAGE
-      GOLANG_IMAGE=$GOLANG_IMAGE
-      ALPINE_IMAGE=$ALPINE_IMAGE
-      CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE
-    TARGET: release
-
 cilium-operator-generic:
   extends: .build-docker-image
   variables:
     DOCKERFILE_PATH: images/operator/Dockerfile
     DOCKER_BUILD_ARGS: |
       OPERATOR_VARIANT=operator-generic
-      BASE_IMAGE=$BASE_IMAGE
+      BASE_IMAGE=$FIPS_BASE_IMAGE
       GOLANG_IMAGE=$GOLANG_IMAGE
       ALPINE_IMAGE=$ALPINE_IMAGE
       CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE
     TARGET: release
 
 cilium-operator-aws:
-  extends: .build-docker-image
-  variables:
-    DOCKERFILE_PATH: images/operator/Dockerfile
-    DOCKER_BUILD_ARGS: |
-      OPERATOR_VARIANT=operator-aws
-      BASE_IMAGE=$BASE_IMAGE
-      GOLANG_IMAGE=$GOLANG_IMAGE
-      ALPINE_IMAGE=$ALPINE_IMAGE
-      CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE
-    TARGET: release
-
-cilium-operator-aws-fips:
   extends: .build-docker-image
   variables:
     DOCKERFILE_PATH: images/operator/Dockerfile
@@ -103,7 +64,7 @@ cilium-operator-azure:
     DOCKERFILE_PATH: images/operator/Dockerfile
     DOCKER_BUILD_ARGS: |
       OPERATOR_VARIANT=operator-azure
-      BASE_IMAGE=$BASE_IMAGE
+      BASE_IMAGE=$FIPS_BASE_IMAGE
       GOLANG_IMAGE=$GOLANG_IMAGE
       ALPINE_IMAGE=$ALPINE_IMAGE
       CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE
@@ -116,7 +77,7 @@ cilium-runtime:
     DOCKER_BUILD_ARGS: |
       TESTER_IMAGE=$TESTER_IMAGE
       GOLANG_IMAGE=$GOLANG_IMAGE
-      UBUNTU_IMAGE=$UBUNTU_IMAGE
+      UBUNTU_IMAGE=$FIPS_BASE_IMAGE
       CILIUM_LLVM_IMAGE=$CILIUM_LLVM_IMAGE
       CILIUM_BPFTOOL_IMAGE=$CILIUM_BPFTOOL_IMAGE
       CILIUM_IPTABLES_IMAGE=$CILIUM_IPTABLES_IMAGE
@@ -143,28 +104,17 @@ hubble-relay:
   variables:
     DOCKERFILE_PATH: images/hubble-relay/Dockerfile
     DOCKER_BUILD_ARGS: |
-      BASE_IMAGE=$BASE_IMAGE
+      BASE_IMAGE=$FIPS_BASE_IMAGE
       GOLANG_IMAGE=$GOLANG_IMAGE
       CILIUM_BUILDER_IMAGE=$CILIUM_BUILDER_IMAGE
     TARGET: release
 
-# This job is a duplicate of the clustermesh-apiserver one
-# We keep it until we replaced all image references from kvstoremesh to clustermesh-apiserver
-kvstoremesh:
-  extends: .build-docker-image
-  variables:
-    DOCKERFILE_PATH: images/clustermesh-apiserver/Dockerfile
-    DOCKER_BUILD_ARGS: |
-      BASE_IMAGE=$BASE_IMAGE
-      GOLANG_IMAGE=$GOLANG_IMAGE
-    TARGET: release
-
 cilium-clustermesh-apiserver:
   extends: .build-docker-image
   variables:
     DOCKERFILE_PATH: images/clustermesh-apiserver/Dockerfile
     DOCKER_BUILD_ARGS: |
-      BASE_IMAGE=$BASE_IMAGE
+      BASE_IMAGE=$FIPS_BASE_IMAGE
       GOLANG_IMAGE=$GOLANG_IMAGE
     TARGET: release
 

.gitlab/build-image.sh

@@ -11,15 +11,16 @@ for arg in $DOCKER_BUILD_ARGS; do
 done
 IFS=$' '
 
+IMAGE_NAME=$CI_JOB_NAME
 # Construct the image tag
 IMAGE_TAG="$CI_COMMIT_TAG"
 if [ "$TARGET" = "debug" ]; then
   IMAGE_TAG="${IMAGE_TAG}-debug"
 fi
-IMAGE_REF="registry.ddbuild.io/$CI_JOB_NAME:$IMAGE_TAG"
+IMAGE_REF="registry.ddbuild.io/$IMAGE_NAME:$IMAGE_TAG"
 
 # Find the right Cilium Runtime image to use for the main Cilium image build
-if [ "$CI_JOB_NAME" == "cilium" ]; then
+if [ "$IMAGE_NAME" == "cilium" ]; then
   CILIUM_RUNTIME_IMAGE="registry.ddbuild.io/cilium-runtime:$IMAGE_TAG"
   BUILD_ARGS+=" --build-arg CILIUM_RUNTIME_IMAGE=$CILIUM_RUNTIME_IMAGE"
 fi
@@ -41,7 +42,7 @@ docker buildx build --platform linux/amd64,linux/arm64 \
 ddsign sign "$IMAGE_REF" --docker-metadata-file "$METADATA_FILE"
 
 # Always build the debug version of the Cilium Agent and Operator images
-if [[ $CI_JOB_NAME == "cilium" || $CI_JOB_NAME == "cilium-operator" ]]; then
+if [[ $IMAGE_NAME == "cilium" || $IMAGE_NAME =~ "cilium-operator" ]]; then
   METADATA_FILE_DEBUG=$(mktemp)
   docker buildx build --platform linux/amd64,linux/arm64 \
     --tag "$IMAGE_REF"-debug \