
enhance: enable OpenSSL FIPS mode for Milvus#48332

Merged
sre-ci-robot merged 3 commits into milvus-io:2.6 from XuanYang-cn:fips26 on Mar 24, 2026

Conversation

@XuanYang-cn
Contributor

Layer 2 (OpenSSL FIPS) changes:

  • Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in boring_enabled.go (gated by //go:build boringcrypto)
  • Add openssl-fips.cnf with fips + default providers and default_properties = fips=yes
  • Use absolute .include path for fipsmodule.cnf — OpenSSL resolves relative .include from the process working directory, not the config file's directory, causing silent FIPS provider load failure
  • Add RAND_bytes probe after config load to verify the FIPS provider is truly functional (EVP_default_properties_is_fips_enabled only checks the property string, not whether the provider loaded)
  • Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
  • Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:

  • Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
  • Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:

  • Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL 3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: #48202, #48301
pr: #48331

@sre-ci-robot sre-ci-robot added area/compilation size/L Denotes a PR that changes 100-499 lines. labels Mar 18, 2026
@mergify mergify bot added dco-passed DCO check passed. kind/enhancement Issues or changes related to enhancement labels Mar 18, 2026
@sre-ci-robot
Contributor

[ci-v2-notice]
Notice: New ci-v2 system is enabled for this PR.

To rerun ci-v2 checks, comment with:

  • /ci-rerun-code-check // for ci-v2/code-check
  • /ci-rerun-build // for ci-v2/build
  • /ci-rerun-build-all // for ci-v2/build-all (multi-arch builds)
  • /ci-rerun-build-env // for ci-v2/build-env (build milvus-env builder images)
  • /ci-rerun-ut-integration // for ci-v2/ut-integration, will rerun ci-v2/build
  • /ci-rerun-ut-go // for ci-v2/ut-go, will rerun ci-v2/build
  • /ci-rerun-ut-cpp // for ci-v2/ut-cpp
  • /ci-rerun-ut // for all ci-v2/ut-integration, ci-v2/ut-go, ci-v2/ut-cpp, will rerun ci-v2/build
  • /ci-rerun-e2e-arm // for ci-v2/e2e-arm
  • /ci-rerun-e2e-default // for ci-v2/e2e-default
  • /ci-rerun-ciloop // for ci-v2/ciloop (build + unit tests in one pipeline)

If you have any questions or requests, please contact @zhikunyao.

@sre-ci-robot sre-ci-robot added do-not-merge/need-merge-master-first any pr merge to release branch need to merge master first do-not-merge/need-milestone generate by v2-label-manager labels Mar 18, 2026
@sre-ci-robot
Contributor

[INFO] PR Label Summary by Default
[FAILED] PR #48331 not merged

[WARNING] Milestone not set

You can set milestone by commenting:
/set-milestone
Example:
/set-milestone 2.5.0

Use /refresh-label to update related check and label manually

@XuanYang-cn XuanYang-cn added this to the 2.6.13 milestone Mar 18, 2026
@codecov

codecov bot commented Mar 18, 2026

Codecov Report

❌ Patch coverage is 23.96694% with 92 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.10%. Comparing base (c0dfe97) to head (2e22ceb).
⚠️ Report is 4 commits behind head on 2.6.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/core/src/storage/MinioChunkManager.h | 0.00% | 26 Missing ⚠️ |
| internal/core/src/storage/MinioChunkManager.cpp | 0.00% | 25 Missing ⚠️ |
| internal/storagev2/packed/ffi_common.go | 0.00% | 11 Missing ⚠️ |
| internal/core/src/storage/ChunkManager.cpp | 0.00% | 10 Missing ⚠️ |
| internal/core/src/common/init_c.cpp | 0.00% | 5 Missing ⚠️ |
| internal/core/src/storage/loon_ffi/util.cpp | 0.00% | 5 Missing ⚠️ |
| internal/core/src/clustering/analyze_c.cpp | 0.00% | 2 Missing ⚠️ |
| internal/core/src/segcore/packed_writer_c.cpp | 0.00% | 2 Missing ⚠️ |
| internal/core/src/segcore/arrow_fs_c.cpp | 0.00% | 1 Missing ⚠️ |
| internal/core/src/segcore/packed_reader_c.cpp | 0.00% | 1 Missing ⚠️ |

... and 4 more

@@            Coverage Diff             @@
##              2.6   #48332      +/-   ##
==========================================
+ Coverage   74.73%   77.10%   +2.36%     
==========================================
  Files        1417     1959     +542     
  Lines      222520   308423   +85903     
==========================================
+ Hits       166307   237808   +71501     
- Misses      48665    63058   +14393     
- Partials     7548     7557       +9     
| Components | Coverage Δ |
|---|---|
| Client | 78.49% <ø> (ø) |
| Core | 83.31% <8.13%> (ø) |
| Go | 75.70% <62.85%> (-0.04%) ⬇️ |

| Files with missing lines | Coverage Δ |
|---|---|
| internal/compaction/params.go | 94.64% <100.00%> (+0.09%) ⬆️ |
| internal/core/src/indexbuilder/index_c.cpp | 53.52% <100.00%> (ø) |
| internal/core/src/storage/StorageV2FSCache.cpp | 70.31% <100.00%> (ø) |
| internal/core/src/storage/StorageV2FSCache.h | 100.00% <100.00%> (ø) |
| internal/core/src/storage/storage_c.cpp | 39.84% <100.00%> (ø) |
| internal/datacoord/util.go | 83.39% <100.00%> (+0.06%) ⬆️ |
| internal/datanode/index/init_segcore.go | 88.46% <100.00%> (+0.46%) ⬆️ |
| internal/datanode/index/task_analyze.go | 80.68% <100.00%> (+0.13%) ⬆️ |
| internal/datanode/index/task_index.go | 78.04% <100.00%> (+0.07%) ⬆️ |
| internal/storagev2/packed/packed_reader.go | 74.78% <100.00%> (+0.21%) ⬆️ |

... and 19 more

... and 567 files with indirect coverage changes


@zhikunyao
Collaborator

/ci-rerun-buildenv

@sre-ci-robot
Contributor

Build Env Images Ready

New builder images have been built and pushed to Harbor.

Image tag: 20260318-e2fa8ed

Type OS Harbor Image
CPU ubuntu22.04 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:ubuntu22.04-20260318-e2fa8ed
CPU amazonlinux2023 harbor-us-vdc.zilliz.cc/milvusdb/milvus-env:amazonlinux2023-20260318-e2fa8ed

Next Steps

To use these new builder images for CI, update the .env file in this PR:

# Update CPU builder tag
sed -i 's/^DATE_VERSION=.*/DATE_VERSION=20260318-e2fa8ed/' .env
sed -i 's/^LATEST_DATE_VERSION=.*/LATEST_DATE_VERSION=20260318-e2fa8ed/' .env

Then commit and push to trigger CI with the new builder images.

Build: #14

@sre-ci-robot sre-ci-robot removed the do-not-merge/need-milestone generate by v2-label-manager label Mar 18, 2026

@sre-ci-robot sre-ci-robot added the low-code-coverage add test-label from zhikun, diff coverage > 80% label Mar 18, 2026
@mergify mergify bot added the ci-passed label Mar 18, 2026
@mergify
Contributor

mergify bot commented Mar 19, 2026

@XuanYang-cn Thanks for your contribution. Please submit with DCO, see the contributing guide https://github.com/milvus-io/milvus/blob/master/CONTRIBUTING.md#developer-certificate-of-origin-dco.

@mergify mergify bot added needs-dco DCO is missing in this pull request. and removed dco-passed DCO check passed. labels Mar 19, 2026
@mergify mergify bot added the dco-passed DCO check passed. label Mar 19, 2026

@mergify
Contributor

mergify bot commented Mar 20, 2026

@XuanYang-cn go-sdk check failed, comment rerun go-sdk can trigger the job again.


@mergify
Contributor

mergify bot commented Mar 20, 2026

@XuanYang-cn go-sdk check failed, comment rerun go-sdk can trigger the job again.

@sre-ci-robot sre-ci-robot removed the low-code-coverage add test-label from zhikun, diff coverage > 80% label Mar 20, 2026
@mergify mergify bot added the ci-passed label Mar 20, 2026
@XuanYang-cn
Contributor Author

rerun go-sdk

@mergify
Contributor

mergify bot commented Mar 23, 2026

@XuanYang-cn go-sdk check failed, comment rerun go-sdk can trigger the job again.

@XuanYang-cn
Contributor Author

rerun go-sdk

@mergify
Contributor

mergify bot commented Mar 23, 2026

@XuanYang-cn go-sdk check failed, comment rerun go-sdk can trigger the job again.

@XuanYang-cn
Contributor Author

rerun go-sdk

@mergify
Contributor

mergify bot commented Mar 23, 2026

@XuanYang-cn go-sdk check failed, comment rerun go-sdk can trigger the job again.

Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

enhance: add CRC32C checksum and TLS support for object storage (#9)

Add CRC32C checksum validation for MinIO/S3 PutObject requests and
  enhance TLS configuration for object storage connections.

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
@sre-ci-robot sre-ci-robot removed the do-not-merge/need-merge-master-first any pr merge to release branch need to merge master first label Mar 24, 2026
@sre-ci-robot
Contributor

[INFO] PR Label Summary by Default
[SUCCESS] PR #48331 merged to master

Use /refresh-label to update related check and label manually

@mergify
Contributor

mergify bot commented Mar 24, 2026

@XuanYang-cn go-sdk check failed, comment rerun go-sdk can trigger the job again.

@sre-ci-robot sre-ci-robot added the low-code-coverage add test-label from zhikun, diff coverage > 80% label Mar 24, 2026
@mergify mergify bot added the ci-passed label Mar 24, 2026
@tedxu
Contributor

tedxu commented Mar 24, 2026

/lgtm
/approve

@sre-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tedxu, XuanYang-cn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@sre-ci-robot sre-ci-robot merged commit 5e6ae26 into milvus-io:2.6 Mar 24, 2026
17 of 22 checks passed
@XuanYang-cn XuanYang-cn deleted the fips26 branch March 24, 2026 11:58

Labels

approved area/compilation area/internal-api ci-passed dco-passed DCO check passed. kind/enhancement Issues or changes related to enhancement lgtm low-code-coverage add test-label from zhikun, diff coverage > 80% size/L Denotes a PR that changes 100-499 lines.

4 participants