ci: fips docker compose overrides

cardoso · cardoso · commit 8a7c97184964 · 2026-03-10T09:01:08.000-03:00
diff --git a/.github/actions/build-docker/action.yml b/.github/actions/build-docker/action.yml
@@ -86,6 +86,10 @@ runs:
       run: |
         set -o xtrace
         export DENO_VERSION="${{ inputs.deno-version }}"
+        compose_files=(-f docker-compose-ci.yml)
+        if [[ "${{ inputs.type }}" == 'fips' ]]; then
+          compose_files+=(-f docker-compose-ci.fips.yml)
+        fi
 
         # Removes unnecessary swc cores and sharp binaries to reduce image size
         swc_arch='x64'
@@ -111,11 +115,11 @@ runs:
           LOAD_OR_PUSH="--load"
         fi
 
-        # Get image name from docker-compose-ci.yml since rocketchat image is different from service name (rocket.chat)
-        IMAGE=$(docker compose -f docker-compose-ci.yml config --format json 2>/dev/null | jq -r --arg s "${{ inputs.service }}" '.services[$s].image')
+        # Get image name from compose config since rocketchat image is different from service name (rocket.chat)
+        IMAGE=$(docker compose "${compose_files[@]}" config --format json 2>/dev/null | jq -r --arg s "${{ inputs.service }}" '.services[$s].image')
 
         docker buildx bake \
-          -f docker-compose-ci.yml \
+          "${compose_files[@]}" \
           ${LOAD_OR_PUSH} \
           --allow=fs.read=/tmp/build \
           --set "*.tags+=${IMAGE}-gha-run-${{ github.run_id }}" \
@@ -156,9 +160,13 @@ runs:
       shell: bash
       run: |
         set -o xtrace
+        compose_files=(-f docker-compose-ci.yml)
+        if [[ "${{ inputs.type }}" == 'fips' ]]; then
+          compose_files+=(-f docker-compose-ci.fips.yml)
+        fi
 
-        # Get image name from docker-compose-ci.yml
-        IMAGE=$(docker compose -f docker-compose-ci.yml config --format json 2>/dev/null | jq -r --arg s "${{ inputs.service }}" '.services[$s].image')
+        # Get image name from compose config
+        IMAGE=$(docker compose "${compose_files[@]}" config --format json 2>/dev/null | jq -r --arg s "${{ inputs.service }}" '.services[$s].image')
 
         # Create directory for image archives
         mkdir -p /tmp/docker-images
diff --git a/.github/workflows/ci-test-e2e.yml b/.github/workflows/ci-test-e2e.yml
@@ -73,7 +73,6 @@ jobs:
     env:
       # if building for production on develop branch or release, add suffix for coverage images
       DOCKER_TAG_SUFFIX_ROCKETCHAT: ${{ inputs.coverage == matrix.mongodb-version && (github.event_name == 'release' || github.ref == 'refs/heads/develop') && '-cov' || '' }}
-      DOCKER_TAG_SUFFIX_FIPS: ${{ inputs.release == 'fips' && '-fips' || '' }}
       MONGODB_VERSION: ${{ matrix.mongodb-version }}
       COVERAGE_DIR: '/tmp/coverage/${{ startsWith(inputs.type, ''api'') && ''api'' || inputs.type }}'
       COVERAGE_FILE_NAME: '${{ inputs.type }}-${{ matrix.shard }}.json'
@@ -88,6 +87,16 @@ jobs:
     name: MongoDB ${{ matrix.mongodb-version }}${{ inputs.coverage == matrix.mongodb-version && ' coverage' || '' }} (${{ matrix.shard }}/${{ inputs.total-shard }})
 
     steps:
+      - name: Set compose files
+        run: |
+          if [[ '${{ inputs.release }}' == 'fips' ]]; then
+            echo 'COMPOSE_FILES=-f docker-compose-ci.yml -f docker-compose-ci.fips.yml' >> $GITHUB_ENV
+            echo 'COMPOSE_FILES_METEOR=-f ../../docker-compose-ci.yml -f ../../docker-compose-ci.fips.yml' >> $GITHUB_ENV
+          else
+            echo 'COMPOSE_FILES=-f docker-compose-ci.yml' >> $GITHUB_ENV
+            echo 'COMPOSE_FILES_METEOR=-f ../../docker-compose-ci.yml' >> $GITHUB_ENV
+          fi
+
       - name: Collect Workflow Telemetry
         if: inputs.type == 'perf'
         uses: catchpoint/workflow-telemetry-action@v2
@@ -172,7 +181,7 @@ jobs:
       - name: Start httpbin container and wait for it to be ready
         if: inputs.type == 'api' || inputs.type == 'api-livechat'
         run: |
-          docker compose -f docker-compose-ci.yml up -d httpbin
+          docker compose $COMPOSE_FILES up -d httpbin
 
       - name: Prepare code coverage directory
         run: |
@@ -185,15 +194,15 @@ jobs:
         if: inputs.release == 'ce'
         run: |
           # when we are testing CE, we only need to start the rocketchat container
-          DEBUG_LOG_LEVEL=${DEBUG_LOG_LEVEL:-0} docker compose -f docker-compose-ci.yml up -d rocketchat --wait
+          DEBUG_LOG_LEVEL=${DEBUG_LOG_LEVEL:-0} docker compose $COMPOSE_FILES up -d rocketchat --wait
 
       - name: Start containers for EE
         if: inputs.release == 'ee' || inputs.release == 'fips'
         env:
           ENTERPRISE_LICENSE: ${{ inputs.enterprise-license }}
           TRANSPORTER: ${{ inputs.transporter }}
         run: |
-          DEBUG_LOG_LEVEL=${DEBUG_LOG_LEVEL:-0} docker compose -f docker-compose-ci.yml up -d --wait
+          DEBUG_LOG_LEVEL=${DEBUG_LOG_LEVEL:-0} docker compose $COMPOSE_FILES up -d --wait
 
       - uses: ./.github/actions/setup-playwright
         if: inputs.type == 'ui'
@@ -203,9 +212,9 @@ jobs:
         run: |
           docker ps
 
-          until echo "$(docker compose -f docker-compose-ci.yml logs ddp-streamer-service)" | grep -q "NetworkBroker started successfully"; do
+          until echo "$(docker compose $COMPOSE_FILES logs ddp-streamer-service)" | grep -q "NetworkBroker started successfully"; do
             echo "Waiting 'ddp-streamer' to start up"
-            ((c++)) && ((c==10)) && docker compose -f docker-compose-ci.yml logs ddp-streamer-service && exit 1
+            ((c++)) && ((c==10)) && docker compose $COMPOSE_FILES logs ddp-streamer-service && exit 1
             sleep 10
           done;
 
@@ -223,7 +232,7 @@ jobs:
 
           npm run testapi
 
-          docker compose -f ../../docker-compose-ci.yml stop
+          docker compose $COMPOSE_FILES_METEOR stop
 
           ls -la $COVERAGE_DIR
           exit $s
@@ -239,7 +248,7 @@ jobs:
 
           npm run testapi:livechat
 
-          docker compose -f ../../docker-compose-ci.yml stop
+          docker compose $COMPOSE_FILES_METEOR stop
 
           ls -la $COVERAGE_DIR
           exit $s
@@ -288,11 +297,11 @@ jobs:
 
       - name: Show server logs if E2E test failed
         if: failure()
-        run: docker compose -f docker-compose-ci.yml logs rocketchat authorization-service queue-worker-service ddp-streamer-service account-service presence-service omnichannel-transcript-service
+        run: docker compose $COMPOSE_FILES logs rocketchat authorization-service queue-worker-service ddp-streamer-service account-service presence-service omnichannel-transcript-service
 
       - name: Show mongo logs if E2E test failed
         if: failure()
-        run: docker compose -f docker-compose-ci.yml logs mongo
+        run: docker compose $COMPOSE_FILES logs mongo
 
       - name: Store coverage
         if: inputs.coverage == matrix.mongodb-version
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,7 +20,6 @@ concurrency:
 
 env:
   TOOL_NODE_FLAGS: ${{ vars.TOOL_NODE_FLAGS }}
-  FIPS_ENABLED_SERVICES: '["ddp-streamer-service","presence-service"]'
 
 jobs:
   release-versions:
@@ -319,8 +318,6 @@ jobs:
         env:
           # add suffix for the extra images with coverage if building for production
           DOCKER_TAG_SUFFIX_ROCKETCHAT: ${{ matrix.type == 'coverage' && (github.event_name == 'release' || github.ref == 'refs/heads/develop') && '-cov' || '' }}
-          DOCKER_TAG_SUFFIX_FIPS: ${{ contains(fromJSON(env.FIPS_ENABLED_SERVICES), matrix.service[0]) && matrix.type == 'fips' && '-fips' || '' }}
-          BUILD_TARGET: ${{ contains(fromJSON(env.FIPS_ENABLED_SERVICES), matrix.service[0]) && matrix.type == 'fips' && 'release-fips' || '' }}
         with:
           CR_USER: ${{ secrets.CR_USER }}
           CR_PAT: ${{ secrets.CR_PAT }}
@@ -337,8 +334,6 @@ jobs:
         if: matrix.service[1] && github.actor != 'dependabot[bot]'
         env:
           DOCKER_TAG_SUFFIX_ROCKETCHAT: ${{ matrix.type == 'coverage' && '-cov' || '' }}
-          DOCKER_TAG_SUFFIX_FIPS: ${{ contains(fromJSON(env.FIPS_ENABLED_SERVICES), matrix.service[1]) && matrix.type == 'fips' && '-fips' || '' }}
-          BUILD_TARGET: ${{ contains(fromJSON(env.FIPS_ENABLED_SERVICES), matrix.service[1]) && matrix.type == 'fips' && 'release-fips' || '' }}
         with:
           CR_USER: ${{ secrets.CR_USER }}
           CR_PAT: ${{ secrets.CR_PAT }}
@@ -356,8 +351,6 @@ jobs:
         if: matrix.service[2] && github.actor != 'dependabot[bot]'
         env:
           DOCKER_TAG_SUFFIX_ROCKETCHAT: ${{ matrix.type == 'coverage' && '-cov' || '' }}
-          DOCKER_TAG_SUFFIX_FIPS: ${{ contains(fromJSON(env.FIPS_ENABLED_SERVICES), matrix.service[2]) && matrix.type == 'fips' && '-fips' || '' }}
-          BUILD_TARGET: ${{ contains(fromJSON(env.FIPS_ENABLED_SERVICES), matrix.service[2]) && matrix.type == 'fips' && 'release-fips' || '' }}
         with:
           CR_USER: ${{ secrets.CR_USER }}
           CR_PAT: ${{ secrets.CR_PAT }}
@@ -375,8 +368,6 @@ jobs:
         if: matrix.service[3] && github.actor != 'dependabot[bot]'
         env:
           DOCKER_TAG_SUFFIX_ROCKETCHAT: ${{ matrix.type == 'coverage' && '-cov' || '' }}
-          DOCKER_TAG_SUFFIX_FIPS: ${{ contains(fromJSON(env.FIPS_ENABLED_SERVICES), matrix.service[3]) && matrix.type == 'fips' && '-fips' || '' }}
-          BUILD_TARGET: ${{ contains(fromJSON(env.FIPS_ENABLED_SERVICES), matrix.service[3]) && matrix.type == 'fips' && 'release-fips' || '' }}
         with:
           CR_USER: ${{ secrets.CR_USER }}
           CR_PAT: ${{ secrets.CR_PAT }}
@@ -404,6 +395,7 @@ jobs:
         with:
           sparse-checkout: |
             docker-compose-ci.yml
+            docker-compose-ci.fips.yml
           sparse-checkout-cone-mode: false
           ref: ${{ github.ref }}
 
@@ -980,6 +972,7 @@ jobs:
         with:
           sparse-checkout: |
             docker-compose-ci.yml
+            docker-compose-ci.fips.yml
           sparse-checkout-cone-mode: false
           ref: ${{ github.ref }}
 
@@ -1062,8 +1055,15 @@ jobs:
               IMAGE_NAME="${{ needs.release-versions.outputs.lowercase-repo }}/${service}"
             fi
 
-            # Get image name from docker-compose-ci.yml since rocketchat image is different from service name (rocket.chat)
-            SRC=$(docker compose -f docker-compose-ci.yml config --format json 2>/dev/null | jq -r --arg s "${service}" '.services[$s].image')
+            # Get image name from compose config since rocketchat image is different from service name (rocket.chat)
+            if [ "$service" == "rocketchat-cov" ]; then
+              SRC=$(docker compose -f docker-compose-ci.yml config --format json 2>/dev/null | jq -r --arg s "rocketchat" '.services[$s].image')-cov
+            elif [[ "$service" == *"-fips" ]]; then
+              base_service="${service%-fips}"
+              SRC=$(docker compose -f docker-compose-ci.yml -f docker-compose-ci.fips.yml config --format json 2>/dev/null | jq -r --arg s "$base_service" '.services[$s].image')
+            else
+              SRC=$(docker compose -f docker-compose-ci.yml config --format json 2>/dev/null | jq -r --arg s "${service}" '.services[$s].image')
+            fi
             DEST_REPO="docker.io/${IMAGE_NAME}"
 
             echo "Copying $SRC to ${DEST_REPO}:${PRIMARY}"
diff --git a/docker-compose-ci.fips.yml b/docker-compose-ci.fips.yml
@@ -0,0 +1,10 @@
+services:
+  presence-service:
+    build:
+      target: release-fips
+    image: ghcr.io/${LOWERCASE_REPOSITORY}/presence-service:${DOCKER_TAG}-fips
+
+  ddp-streamer-service:
+    build:
+      target: release-fips
+    image: ghcr.io/${LOWERCASE_REPOSITORY}/ddp-streamer-service:${DOCKER_TAG}-fips
diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml
@@ -88,14 +88,13 @@ services:
     build:
       dockerfile: ee/apps/presence-service/Dockerfile
       context: .
-      target: ${BUILD_TARGET:-release-standard}
       x-bake:
         platforms:
           - linux/amd64
           - linux/arm64
       args:
         SERVICE: presence-service
-    image: ghcr.io/${LOWERCASE_REPOSITORY}/presence-service:${DOCKER_TAG}${DOCKER_TAG_SUFFIX_FIPS:-}
+    image: ghcr.io/${LOWERCASE_REPOSITORY}/presence-service:${DOCKER_TAG}
     environment:
       - MONGO_URL=mongodb://mongo:27017/rocketchat?replicaSet=rs0
       - 'TRANSPORTER=${TRANSPORTER:-}'
@@ -109,14 +108,13 @@ services:
     build:
       dockerfile: ee/apps/ddp-streamer/Dockerfile
       context: .
-      target: ${BUILD_TARGET:-release-standard}
       x-bake:
         platforms:
           - linux/amd64
           - linux/arm64
       args:
         SERVICE: ddp-streamer
-    image: ghcr.io/${LOWERCASE_REPOSITORY}/ddp-streamer-service:${DOCKER_TAG}${DOCKER_TAG_SUFFIX_FIPS:-}
+    image: ghcr.io/${LOWERCASE_REPOSITORY}/ddp-streamer-service:${DOCKER_TAG}
     environment:
       - MONGO_URL=mongodb://mongo:27017/rocketchat?replicaSet=rs0
       - 'TRANSPORTER=${TRANSPORTER:-}'
