Install OpenSSL gem after Ruby

For FIPS packages for OSs that ship OpenSSL 3+ to work properly, the changes made as part of ruby/openssl#603 is required. This is available in v3.2.0 of the OpenSSL gem. Installing it after installing Ruby will cause Ruby to use it instead of the default OpenSSL gem version. Signed-off-by: Balasankar 'Balu' C <[email protected]>
gitlabhq · Oct 14, 2024 · e54cce4 · e54cce4
1 parent d602a49
commit e54cce4
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 0 deletions.
diff --git a/config/software/ruby.rb b/config/software/ruby.rb
@@ -159,4 +159,7 @@
   configure(*configure_command, env: env)
   make "-j #{workers}", env: env
   make "-j #{workers} install", env: env
+
+  # Install OpenSSL gem for FIPS fixes
+  gem "install openssl --version '#{Gitlab::Util.get_env('OPENSSL_GEM_VERSION')}' --force --no-document"
 end
diff --git a/gitlab-ci-config/check-packages.yml b/gitlab-ci-config/check-packages.yml
@@ -180,6 +180,13 @@ AlmaLinux-8-fips-check:
     - .ee-tag-only
   variables:
     USE_SYSTEM_SSL: "true"
+AlmaLinux-9-fips-check:
+  image: "${BUILDER_IMAGE_REGISTRY}/almalinux_9_fips:latest"
+  extends:
+    - .yum-install
+    - .ee-tag-only
+  variables:
+    USE_SYSTEM_SSL: "true"
 AmazonLinux-2-fips-check:
   image: "${BUILDER_IMAGE_REGISTRY}/amazonlinux_2_fips:latest"
   extends:

diff --git a/gitlab-ci-config/dev-gitlab-org.yml b/gitlab-ci-config/dev-gitlab-org.yml
@@ -377,6 +377,9 @@ AmazonLinux-2-fips-branch:
 AlmaLinux-8-fips-branch:
   image: "${BUILDER_IMAGE_REGISTRY}/almalinux_8_fips:${BUILDER_IMAGE_REVISION}"
   extends: .fips_branch_template
+AlmaLinux-9-fips-branch:
+  image: "${BUILDER_IMAGE_REGISTRY}/almalinux_9_fips:${BUILDER_IMAGE_REVISION}"
+  extends: .fips_branch_template
 Ubuntu-20.04-fips-branch:
   image: "${BUILDER_IMAGE_REGISTRY}/ubuntu_20.04_fips:${BUILDER_IMAGE_REVISION}"
   extends: .fips_branch_template
@@ -628,6 +631,9 @@ AmazonLinux-2-fips:
 AlmaLinux-8-fips:
   image: "${BUILDER_IMAGE_REGISTRY}/almalinux_8_fips:${BUILDER_IMAGE_REVISION}"
   extends: .fips_tag_template
+AlmaLinux-9-fips:
+  image: "${BUILDER_IMAGE_REGISTRY}/almalinux_9_fips:${BUILDER_IMAGE_REVISION}"
+  extends: .fips_tag_template
 Ubuntu-20.04-fips:
   image: "${BUILDER_IMAGE_REGISTRY}/ubuntu_20.04_fips:${BUILDER_IMAGE_REVISION}"
   extends: .fips_tag_template
@@ -826,6 +832,13 @@ AlmaLinux-8-fips-staging:
       optional: true
     - job: AlmaLinux-8-fips-branch
       optional: true
+AlmaLinux-9-fips-staging:
+  extends: .fips_staging_upload_template
+  needs:
+    - job: AlmaLinux-9-fips
+      optional: true
+    - job: AlmaLinux-9-fips-branch
+      optional: true
 Ubuntu-20.04-fips-staging:
   extends: .fips_staging_upload_template
   needs:
@@ -953,6 +966,10 @@ AlmaLinux-8-fips-release:
   extends: .fips_release_template
   needs:
     - AlmaLinux-8-fips
+AlmaLinux-9-fips-release:
+  extends: .fips_release_template
+  needs:
+    - AlmaLinux-9-fips
 Ubuntu-20.04-fips-release:
   extends: .fips_release_template
   needs:

diff --git a/gitlab-ci-config/variables.yml b/gitlab-ci-config/variables.yml
@@ -42,3 +42,4 @@ variables:
   QA_TESTS_REF: 'master'
   OPENSSL_VERSION: '1.1.1'
   FF_TIMESTAMPS: true
+  OPENSSL_GEM_VERSION: '~> 3.2.0'