release: do not install openssl in FIPS mode

Previously, our Dockerfile for deployment would install the `openssl`
package when FIPS mode was enabled. However, this is unnecessary because
the current implementation of FIPS mode does not rely on the system's
OpenSSL library. This allows us to unify the Dockerfile for both
variants.

Additionally, install `ca-certificates` to ensure that TLS certificates
can be properly validated, without implicitly using
`x509.SetFallbackRoots`.

Epic: none
Release note: none

Author: rail

build/deploy/Dockerfile

@@ -1,30 +1,20 @@
 # We use a docker image mirror to avoid pulling from 3rd party repos, which sometimes have reliability issues.
 # See https://cockroachlabs.atlassian.net/wiki/spaces/devinf/pages/3462594561/Docker+image+sync for the details.
 FROM us-east1-docker.pkg.dev/crl-docker-sync/registry-access-redhat-com/ubi10/ubi-minimal
-ARG fips_enabled
 
-# For deployment, we need the following additionally installed:
-# tzdata - for time zone functions
+# For deployment, we need the following additional packages:
+# ca-certificates - to validate TLS certs
 # hostname - used in cockroach k8s manifests
-# tar - used by kubectl cp
-RUN microdnf update -y \
-    && microdnf install tzdata hostname tar gzip xz -y \
+# tar, gzip, xz - used by kubectl cp
+# tzdata - for time zone functions
+RUN microdnf update -y && microdnf install -y \
+      ca-certificates \
+      tzdata \
+      hostname \
+      tar \
+      gzip \
+      xz \
     && rm -rf /var/cache/yum
-# FIPS mode requires the `openssl` package installed. Also we need to temporarily
-# install the `crypto-policies-scripts` packege to tweak some configs. Because
-# `microdnf` doesn't support `autoremove`, we need to record the list of
-# packages before and after, and remove the installed ones afterward.
-RUN if [ "$fips_enabled" == "1" ]; then \
-    microdnf install -y openssl && \
-    rpm -qa | sort > /before.txt && \
-    microdnf install -y crypto-policies-scripts && \
-    update-crypto-policies --set FIPS && \
-    rpm -qa | sort > /after.txt && \
-    microdnf remove -y $(comm -13 /before.txt /after.txt) && \
-    microdnf clean all && \
-    rm -rf /var/cache/yum /before.txt /after.txt; \
-    fi
-
 
 RUN mkdir /usr/local/lib/cockroach /cockroach /licenses /docker-entrypoint-initdb.d
 COPY cockroach.sh cockroach /cockroach/

build/release/teamcity-support.sh

@@ -76,7 +76,7 @@ verify_docker_image(){
   build_type=$(grep "^Build Type:" <<< "$output" | cut -d: -f2 | sed 's/ //g')
   sha=$(grep "^Build Commit ID:" <<< "$output" | cut -d: -f2 | sed 's/ //g')
   build_tag=$(grep "^Build Tag:" <<< "$output" | cut -d: -f2 | sed 's/ //g')
-  go_version=$(grep "^Go Version:" <<< "$output" | cut -d: -f2 | sed 's/ //g')
+  fips_enabled=$(grep '^FIPS enabled:\s*true' <<< "$output")
 
   # Build Type should always be "release"
   if [ "$build_type" != "release" ]; then
@@ -97,16 +97,9 @@ verify_docker_image(){
     echo "ERROR: Build tag from 'cockroach version --build-tag' mismatch, expected '$expected_build_tag', got '$build_tag_output'"
     error=1
   fi
-  if [[ $fips_build == true ]]; then
-    if [[ "$go_version" != *"fips"* ]]; then
-      echo "ERROR: Go version '$go_version' does not contain 'fips'"
-      error=1
-    fi
-    openssl_version_output=$(docker run --platform="$docker_platform" "$img" shell -c "openssl version -f")
-    if [[ $openssl_version_output != *"FIPS_VERSION"* ]]; then
-      echo "ERROR: openssl version '$openssl_version_output' does not contain 'FIPS_VERSION'"
-      error=1
-    fi
+  if [[ $fips_build == true  && -z $fips_enabled ]]; then
+    echo "ERROR: FIPS is not enabled"
+    error=1
   fi
   if [[ $docker_platform == "linux/amd64" ]]; then
     # Running arm64 `cockroach demo` on amd64 times out.

build/teamcity/internal/release/process/build-cockroach-release-per-platform.sh

@@ -106,10 +106,8 @@ if [[ $platform == "linux-amd64" || $platform == "linux-arm64" || $platform == "
   build_docker_tag="${gcr_staged_repository}:${arch}-${version}"
   if [[ $platform == "linux-amd64-fips" ]]; then
     build_docker_tag="${gcr_staged_repository}:${version}-fips"
-    docker build --label version="$version_label" --no-cache --pull --platform="linux/${arch}" --tag="${build_docker_tag}" --build-arg fips_enabled=1 "build/deploy-${platform}"
-  else
-    docker build --label version="$version_label" --no-cache --pull --platform="linux/${arch}" --tag="${build_docker_tag}" "build/deploy-${platform}"
   fi
+  docker build --label version="$version_label" --no-cache --pull --platform="linux/${arch}" --tag="${build_docker_tag}" "build/deploy-${platform}"
   docker push "$build_docker_tag"
   tc_end_block "Make and push docker image"
 fi

build/teamcity/internal/release/process/make-and-publish-build-artifacts-per-platform.sh

@@ -133,10 +133,8 @@ if [[ $platform == "linux-amd64" || $platform == "linux-arm64" || $platform == "
   build_docker_tag="${gcr_repository}:${arch}-${build_name}"
   if [[ $platform == "linux-amd64-fips" ]]; then
     build_docker_tag="${gcr_repository}:${build_name}-fips"
-    docker build --no-cache --pull --platform "linux/${arch}" --tag="${build_docker_tag}" --build-arg fips_enabled=1 "build/deploy-${platform}"
-  else
-    docker build --no-cache --pull --platform "linux/${arch}" --tag="${build_docker_tag}" "build/deploy-${platform}"
   fi
+  docker build --no-cache --pull --platform "linux/${arch}" --tag="${build_docker_tag}" "build/deploy-${platform}"
   docker push "$build_docker_tag"
 
   tc_end_block "Make and push docker images"