gitlab.com/gitlab-org/gitaly.git
author Patrick Steinhardt <psteinhardt@gitlab.com> 2022-06-14 08:38:49 +0300
committer Patrick Steinhardt <psteinhardt@gitlab.com> 2022-06-20 11:03:21 +0300
commit 72497fc37983c9249261df2afd417069b7d4f1fa
tree 2d6d8384dcd7e169b1affb31a4295ae127594f57
parent 021ad9f33873be3d09f819a2973fb25a1ddcc25c
ref: pks-ci-add-fips-testing

ci: Add jobs which exercise Gitaly in FIPS mode

While we support building Gitaly in FIPS mode, we don't yet have any tests to verify that it actually works as intended. Add two new jobs that exercise Gitaly when FIPS mode is enabled. Note that these jobs only get executed when part of a merge train. This has the intent to keep the overhead at bay before the merge request actually gets merged to its target branch, but to still avoid merging anything that breaks under FIPS mode.
-rw-r--r-- .gitlab-ci.yml 22
1 files changed, 22 insertions, 0 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0c2b432b7..cdc5b575a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -254,6 +254,28 @@ test:praefect_smoke:
- ./_build/bin/praefect -config config.praefect.toml sql-ping
- ./_build/bin/praefect -config config.praefect.toml sql-migrate
+test:fips:
+ <<: *test_definition
+ tags:
+ - fips
+ image: registry.access.redhat.com/ubi8/ubi:8.5
+ before_script:
+ - test "$(cat /proc/sys/crypto/fips_enabled)" = "1" || (echo "System is not running in FIPS mode" && exit 1)
+ - dnf module enable -y ruby:2.7
+ - dnf install -y bzip2 cmake gcc-c++ git go-toolset libcurl-devel libicu-devel make openssl procps-ng redhat-rpm-config ruby-devel rubygems
+ - gem install bundler:2.3.15
+ - *test_before_script
+ parallel:
+ matrix:
+ - TEST_TARGET: [ test, test-with-praefect ]
+ FIPS_MODE: "YesPlease"
+ rules:
+ - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+ - if: $CI_MERGE_REQUEST_LABELS =~ /FIPS/
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ when: manual
+ allow_failure: true
+
verify:
needs: []
stage: test
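
Review bot: the `rules:` block at the end of `test:fips` does not match the commit message, which says the jobs run only as part of a merge train. None of the three rules tests for a merge train: the job runs on the default branch, on merge requests whose labels match `/FIPS/`, and otherwise on `merge_request_event` as a manual job with `allow_failure: true`, so a FIPS-only failure does not hold up a merge. If gating the merge train is the intent, add a rule such as `- if: $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"` ahead of the manual one; otherwise reword the message to describe the rules as written. Two smaller points in `before_script`: the `/proc/sys/crypto/fips_enabled` check confirms only the runner's kernel flag, so a comment noting that the `fips` tag is what selects a FIPS-enabled host would help the next reader, and `ubi8/ubi:8.5` together with the unversioned `dnf install` list means the toolchain under test can drift between runs, which is worth pinning or documenting.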