Skip to content

Make model-engine FIPS compliant by updating base chainguard image #724

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 28 commits into
base: main
Choose a base branch
from
Open

Make model-engine FIPS compliant by updating base chainguard image #724

wants to merge 28 commits into from

Conversation

@ValentineDragan
Copy link
Collaborator

@ValentineDragan ValentineDragan commented Oct 16, 2025
edited
Loading

Pull Request Summary

This PR upgrades the model-engine Docker base image to use Chainguard's FIPS-compliant Python image, and fixes bugs in the CircleCI integration tests.

FIPS compliance changes:

  • Update Dockerfile to use chainguard base image for FIPS compliance
    • Delete the now identical federal/Dockerfile copy
  • Upgrading SQLAlchemy to 2.0.21 which uses FIPS-compliant md5 hashing
    • This removes the need to monkey patching the hashing library with sitecustomize.py which was making integration tests fail because md5 is still needed for non-security hashing (i.e. generating Git/CircleCI hashes)
  • Set celery_enable_sha256: true in all configs for FIPS compliance

Fixing integration tests:

  • Update integration tests to use the current/latest model-engine image instead of a hardcoded image tag from 2024
  • Update helm chart to mount service configs in CircleCI
  • Add chainctl authentication to CircleCI to enable pulling the chainguard base image

Test Plan and Usage Guide

  • All unit tests and integration tests pass
    • (previously integration tests weren't reflecting the latest repo changes due to using hardcoded image)

@ValentineDragan
Update Dockerfile
cf6c084
@ValentineDragan
Update circleci config to login to chainguard
0201f0c
@ValentineDragan
fix typo in circleci config
8ece2a5
@ValentineDragan
Add code to debug circleci errors
c3ef4e5
@ValentineDragan
Debug missing chainguard token
93f579a
@ValentineDragan
Debug failing oidc token swap
3853517
@ValentineDragan
Update config
9dac2cd
@ValentineDragan
Retry OIDC token swap with updated chainguard identity
8104ff1
@ValentineDragan
Update audience for token exchange request
4ddee82
@ValentineDragan
Simplify chainguard authentication with chainctl
e5642e8
@ValentineDragan
Specify audience cgr.dev in auth login
44b59ed
@ValentineDragan
Update system packages in Dockerfile
82fe322
@ValentineDragan
Update Dockerfile packages for chainguard compatbility
209a34a
@ValentineDragan
update Dockerfile
6f79179
@ValentineDragan
Revert circleci python version to 3.10.14
ae1bb4e
@ValentineDragan
Update hardcoded model-engine image tag used in integration tests
a465e51
@ValentineDragan
Fix CircleCI config trying to use hardcoded model-engine image tag fo…
0eca9cb 
…r batch jobs pod
@ValentineDragan
Mount service_config_circleci.yaml in batch job pods
fe8d764
@ValentineDragan
Fix broken helm template
b53b7c9
@ValentineDragan
Add missing infra config and service template config to batch job pods
b054e67
@ValentineDragan
remove redundant config for batch job pods
c142b27
@ValentineDragan
enable SHA256 checksums for Celery S3 backend to avoid MD5 decoding i…
f312dfe 
…ssues when creating endpoints
@ValentineDragan
Fix failing md5 monkey patch
f742965
@ValentineDragan
bump sqlalchemy to 2.0.21 to address md5 FIPS compliance
c8a2c66
@socket-security
Copy link

socket-security bot commented Oct 28, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedsqlalchemy@​2.0.4 ⏵ 2.0.2197100100100100

View full report

@ValentineDragan ValentineDragan changed the title Update Dockerfile with Chainguard base image Make model-engine FIPS compliant by updating base chainguard image Oct 28, 2025
@ValentineDragan ValentineDragan marked this pull request as ready for review October 28, 2025 23:48
dmchoiboi
dmchoiboi reviewed Oct 29, 2025
View reviewed changes
charts/model-engine/templates/service_template_config_map.yaml
{{- end }}
{{- end }}
{{- if $config_values }}
- name: service-config-volume
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

curious if you needed to add this for specific reason? do you actually use batch-job-orchestration-job

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dmchoiboi dmchoiboi dmchoiboi left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ValentineDragan @dmchoiboi