Fix MLflow build for FIPS and for the release pyproject.toml

Resolves:
https://issues.redhat.com/browse/RHOAIENG-46925

Signed-off-by: mprahl <mprahl@users.noreply.github.com>

Author: mprahl

Dockerfile.konflux

@@ -15,11 +15,20 @@ USER 0
 COPY --chown=1001:0 . .
 RUN set -eux; \
     python -m pip install --no-cache-dir build; \
+    cp pyproject.release.toml pyproject.toml; \
+    python -m build --wheel --outdir /tmp/dist libs/tracing; \
+    python -m build --wheel --outdir /tmp/dist libs/skinny; \
     python -m build --wheel --outdir /tmp/dist; \
     python -m build --wheel --outdir /tmp/dist kubernetes-workspace-provider
 
 FROM registry.access.redhat.com/ubi9/python-311@sha256:bb09d55bce99b839b0df565ab9e244cdc545037e612dad388569016137367cab
-ARG MLFLOW_VERSION=3.3.2
+# Build cryptography from source against the system OpenSSL for FIPS compliance.
+# The pip manylinux wheel bundles its own non-FIPS OpenSSL, so we must compile
+# from source with OPENSSL_NO_VENDOR=1 to link against the system library.
+RUN set -eux; \
+    dnf install -y --setopt=tsflags=nodocs openssl-devel cargo rust gcc python3.11-devel && \
+    OPENSSL_NO_VENDOR=1 python -m pip wheel --no-cache-dir --no-binary cryptography "cryptography>=43.0.0,<47" -w /tmp/dist && \
+    dnf clean all
 ENV PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
     MLFLOW_DISABLE_TELEMETRY=true \
@@ -29,14 +38,27 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /app
 
 USER 0
-COPY --from=python-builder /tmp/dist/mlflow-*.whl /tmp/dist/
-COPY --from=python-builder /tmp/dist/mlflow_kubernetes_workspace_provider-*.whl /tmp/dist/
+COPY --from=python-builder /tmp/dist/ /tmp/dist/
 RUN set -eux; \
-    dnf install -y --setopt=tsflags=nodocs postgresql-devel gcc python3-devel && \
-    python -m pip install --no-cache-dir /tmp/dist/mlflow-*.whl /tmp/dist/mlflow_kubernetes_workspace_provider-*.whl && \
+    dnf install -y --setopt=tsflags=nodocs postgresql-devel gcc python3.11-devel && \
+    python -m pip install --no-cache-dir /tmp/dist/mlflow*.whl && \
+    python -m pip install --no-cache-dir --force-reinstall /tmp/dist/cryptography-*.whl && \
     python -m pip install --no-cache-dir boto3 psycopg2 prometheus-flask-exporter && \
     dnf clean all && \
-    rm -f /tmp/dist/mlflow-*.whl /tmp/dist/mlflow_kubernetes_workspace_provider-*.whl
+    rm -rf /tmp/dist
+
+# FIPS compliance: verify the cryptography package uses the system OpenSSL
+# rather than a bundled copy. The system OpenSSL on UBI 9 is FIPS-validated
+# and will operate in FIPS mode when the host kernel has FIPS enabled.
+RUN set -eux; \
+    sys_openssl=$(openssl version | awk '{print $1, $2, $3, $4, $5}'); \
+    py_openssl=$(python -c "from cryptography.hazmat.backends.openssl.backend import backend; print(backend.openssl_version_text())"); \
+    echo "System OpenSSL:      ${sys_openssl}"; \
+    echo "cryptography OpenSSL: ${py_openssl}"; \
+    [ "${sys_openssl}" = "${py_openssl}" ] || { \
+        echo "FIPS ERROR: cryptography is not using the system OpenSSL"; \
+        exit 1; \
+    }
 
 # Copy built UI from builder stage
 COPY --from=ui-builder /opt/app-root/src/build /tmp/mlflow-ui-build