
OCPBUGS-82151: Filter non-FIPS TLS 1.3 ciphers and validate effective profiles#1422

Open
bentito wants to merge 1 commit into openshift:release-4.21 from bentito:backport-1401-to-4.21

Conversation

@bentito
Contributor

@bentito bentito commented Apr 24, 2026

Manual backport of #1401 due to merge conflicts.

Summary by CodeRabbit

  • New Features

    • Enhanced TLS security profile validation now incorporates cluster APIServer configuration.
    • Added FIPS mode support with automatic TLS 1.3 cipher filtering for FIPS compliance.
    • Improved validation includes custom profile field checks (ciphers, syntax, minTLSVersion).
  • Bug Fixes

    • Added detailed error messages when TLS profiles contain non-FIPS-approved ciphers on FIPS-enabled clusters.

…profiles

This change ensures that when the cluster is running in FIPS mode,
the non-FIPS compliant TLS_CHACHA20_POLY1305_SHA256 cipher is filtered
from the ROUTER_CIPHERSUITES environment variable.

Additionally, this change updates validateTLSSecurityProfile to explicitly
resolve the effective TLS security profile (including any profile inherited
from the APIServer config) and validates that resolved profile, rather than
just validating the IngressController's profile overrides, ensuring admission
catches invalid Custom profiles on FIPS clusters.

(cherry picked from commit 0da1246)
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Apr 24, 2026
@openshift-ci-robot
Contributor

@bentito: This pull request references Jira Issue OCPBUGS-3917, which is invalid:

  • expected the bug to target either version "4.21." or "openshift-4.21.", but it targets "4.22.0" instead
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead
  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-3917 to depend on a bug targeting a version in 4.22.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Manual backport of #1401 due to merge conflicts.

/jira cherrypick OCPBUGS-3917

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Apr 24, 2026
@coderabbitai

coderabbitai Bot commented Apr 24, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 494e9156-4fa9-41ce-ae92-8f3ab7db23c1

📥 Commits

Reviewing files that changed from the base of the PR and between 6c70966 and 6222a22.

📒 Files selected for processing (4)
  • pkg/operator/controller/ingress/controller.go
  • pkg/operator/controller/ingress/controller_test.go
  • pkg/operator/controller/ingress/deployment.go
  • pkg/operator/controller/ingress/deployment_test.go

Walkthrough

The changes introduce FIPS mode awareness to TLS security profile validation and deployment generation. The validation chain now incorporates cluster APIServer config to resolve effective TLS profiles and reject profiles with non-FIPS-approved TLS 1.3 ciphers on FIPS-enabled clusters. Deployment generation detects FIPS mode via procfs and filters TLS 1.3 cipher suites accordingly.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| TLS Security Profile Validation: `pkg/operator/controller/ingress/controller.go`, `pkg/operator/controller/ingress/controller_test.go` | Enhanced validation chain to pass APIServer config through Reconcile → admit → validate → validateTLSSecurityProfile. Added custom profile field validation (cipher presence, syntax, validity, minTLSVersion) and FIPS-mode rejection logic that filters TLS 1.3 ciphers and errors if none remain FIPS-approved. Includes new test covering FIPS validation for both inherited and direct TLS profiles. |
| Deployment FIPS Cipher Filtering: `pkg/operator/controller/ingress/deployment.go`, `pkg/operator/controller/ingress/deployment_test.go` | Detection of FIPS mode via `/proc/sys/crypto/fips_enabled` with fallback to non-FIPS behavior on read errors. Filters router's TLS 1.3 cipher suite list to FIPS-approved ciphers when FIPS is enabled, updating `ROUTER_CIPHERSUITES` environment variable while preserving `ROUTER_CIPHERS`. Test validates cipher filtering behavior and environment variable sorting across FIPS state changes. |

Sequence Diagram(s)

sequenceDiagram
    participant Reconcile
    participant Admit
    participant Validate
    participant ValidateTLS
    participant FIPS as FIPS Check
    
    Reconcile->>Admit: Call with apiConfig
    Admit->>Validate: Pass apiConfig
    Validate->>ValidateTLS: Pass apiConfig
    
    ValidateTLS->>ValidateTLS: Resolve effective TLS profile<br/>(ingress-specific or inherited)
    ValidateTLS->>ValidateTLS: Validate custom fields<br/>(presence, cipher syntax, validity)
    ValidateTLS->>FIPS: Check if FIPS enabled
    
    alt FIPS Enabled
        ValidateTLS->>ValidateTLS: Filter TLS 1.3 ciphers<br/>to FIPS-approved set
        alt No FIPS ciphers remain
            ValidateTLS-->>Admit: Rejection with offending ciphers
        else FIPS ciphers present
            ValidateTLS-->>Admit: Validation success
        end
    else FIPS Disabled
        ValidateTLS-->>Admit: Validation success
    end
sequenceDiagram
    participant DesiredDeployment
    participant ProcFS as /proc/sys
    participant CipherFilter
    participant EnvVar as ROUTER_CIPHERSUITES
    
    DesiredDeployment->>ProcFS: Read fips_enabled
    
    alt File readable
        ProcFS-->>DesiredDeployment: FIPS status
    else Read error
        DesiredDeployment->>DesiredDeployment: Assume non-FIPS
    end
    
    DesiredDeployment->>CipherFilter: Check FIPS enabled
    
    alt FIPS Enabled
        CipherFilter->>CipherFilter: Filter TLS 1.3 ciphers<br/>to FIPS-approved subset
        CipherFilter->>EnvVar: Set filtered ciphers
    else FIPS Disabled
        CipherFilter->>EnvVar: Set all ciphers
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: filtering non-FIPS TLS 1.3 ciphers and validating effective TLS security profiles, which aligns with the substantial modifications across controller, deployment, and test files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | Test files use Go's standard testing package with static t.Run() subtests, not Ginkgo BDD framework. No dynamic test names, timestamps, or generated IDs present. |
| Test Structure And Quality | ✅ Passed | TestDesiredRouterDeploymentFIPS properly tests FIPS mode cipher filtering with correct setup/cleanup and clear assertions; validateTLSSecurityProfile test correctly passes required APIServer argument. |
| Microshift Test Compatibility | ✅ Passed | This PR modifies unit tests in the ingress controller package using the standard Go testing package, not Ginkgo e2e tests. The check for MicroShift-incompatible Ginkgo APIs is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | The pull request adds only unit tests using Go's testing.T framework, not Ginkgo e2e tests. The custom check for Ginkgo e2e tests is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR introduces FIPS-aware TLS cipher filtering with no changes to pod scheduling, replica counts, node selectors, or affinity policies. |
| Ote Binary Stdout Contract | ✅ Passed | TLS security profile validation and FIPS cipher filtering logic modifications do not write to stdout; logger uses Zap (stderr) and module initialization only reads from system files. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | The custom check for IPv6 and disconnected network compatibility applies only to Ginkgo e2e tests. This PR adds standard Go unit tests with no external connectivity requirements or IPv4 assumptions. |

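The FIPS detection, TLS 1.3 cipher filtering and effective-profile validation that the PR description and the walkthrough above describe, as an added self-contained Go sketch. This is not the operator's code: `TLSSecurityProfile` is a simplified stand-in for the OpenShift API type, the FIPS-approved TLS 1.3 set (the two AES-GCM suites) and the `TLS_`-prefix split between TLS 1.2 and TLS 1.3 names are assumptions, and the sample profile is constructed. It keeps the fallback the walkthrough names (a read error on `/proc/sys/crypto/fips_enabled` means non-FIPS) and, like the PR, filters only `ROUTER_CIPHERSUITES` while leaving `ROUTER_CIPHERS` untouched.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// TLSSecurityProfile is a simplified stand-in for the OpenShift API type
// (assumption: only the fields this example needs).
type TLSSecurityProfile struct {
	Type          string   // "Intermediate", "Modern", "Old" or "Custom"
	Ciphers       []string // cipher list of a Custom profile
	MinTLSVersion string   // e.g. "VersionTLS12"
}

// TLS 1.3 suites accepted in FIPS mode. Assumption: the two AES-GCM suites;
// the PR states only that TLS_CHACHA20_POLY1305_SHA256 is filtered out.
var fipsApprovedTLS13 = map[string]bool{
	"TLS_AES_128_GCM_SHA256": true,
	"TLS_AES_256_GCM_SHA384": true,
}

// parseFIPSFlag interprets the contents of fips_enabled: "1" means FIPS mode is on.
func parseFIPSFlag(data []byte) bool {
	return strings.TrimSpace(string(data)) == "1"
}

// fipsEnabled reads the procfs flag (normally /proc/sys/crypto/fips_enabled);
// any read error falls back to non-FIPS, the fallback the walkthrough describes.
func fipsEnabled(path string) bool {
	data, err := os.ReadFile(path)
	return err == nil && parseFIPSFlag(data)
}

// splitCiphers separates the TLS 1.2 list (ROUTER_CIPHERS) from the TLS 1.3 list
// (ROUTER_CIPHERSUITES). Assumption: TLS 1.3 suites carry IANA "TLS_" names,
// TLS 1.2 suites OpenSSL names such as ECDHE-ECDSA-AES128-GCM-SHA256.
func splitCiphers(ciphers []string) (tls12, tls13 []string) {
	for _, c := range ciphers {
		if strings.HasPrefix(c, "TLS_") {
			tls13 = append(tls13, c)
		} else {
			tls12 = append(tls12, c)
		}
	}
	return tls12, tls13
}

// filterFIPSTLS13 keeps approved TLS 1.3 suites in order and returns the dropped
// ones so a rejection message can name the offending ciphers.
func filterFIPSTLS13(tls13 []string) (kept, dropped []string) {
	for _, c := range tls13 {
		if fipsApprovedTLS13[c] {
			kept = append(kept, c)
		} else {
			dropped = append(dropped, c)
		}
	}
	return kept, dropped
}

// resolveEffectiveProfile prefers the IngressController's own profile and
// otherwise uses the profile inherited from the cluster APIServer config.
func resolveEffectiveProfile(ingress, apiServer *TLSSecurityProfile) *TLSSecurityProfile {
	if ingress != nil && ingress.Type != "" {
		return ingress
	}
	return apiServer
}

// validateEffectiveProfile runs the Custom-profile field checks and, with FIPS on,
// rejects a profile whose TLS 1.3 suites are all non-approved.
func validateEffectiveProfile(p *TLSSecurityProfile, fips bool) error {
	if p == nil || p.Type != "Custom" {
		return nil // predefined profiles carry no user-supplied fields to check
	}
	if len(p.Ciphers) == 0 || p.MinTLSVersion == "" {
		return errors.New("custom TLS profile must set minTLSVersion and at least one cipher")
	}
	for _, c := range p.Ciphers {
		// The router joins the list with ':', so blanks or separators inside a name are malformed.
		if c == "" || strings.ContainsAny(c, " \t:,") {
			return fmt.Errorf("invalid cipher syntax %q", c)
		}
	}
	if !fips {
		return nil
	}
	_, tls13 := splitCiphers(p.Ciphers)
	if kept, dropped := filterFIPSTLS13(tls13); len(tls13) > 0 && len(kept) == 0 {
		return fmt.Errorf("FIPS mode is enabled but no TLS 1.3 cipher is FIPS-approved: %s", strings.Join(dropped, ", "))
	}
	return nil
}

// routerEnv builds the two router variables: ROUTER_CIPHERS is never changed,
// ROUTER_CIPHERSUITES is filtered only when FIPS is enabled.
func routerEnv(ciphers []string, fips bool) map[string]string {
	tls12, tls13 := splitCiphers(ciphers)
	if fips {
		tls13, _ = filterFIPSTLS13(tls13)
	}
	return map[string]string{
		"ROUTER_CIPHERS":      strings.Join(tls12, ":"),
		"ROUTER_CIPHERSUITES": strings.Join(tls13, ":"),
	}
}

func main() {
	// Constructed sample: an inherited Custom profile carrying a non-FIPS TLS 1.3 suite.
	inherited := &TLSSecurityProfile{Type: "Custom", MinTLSVersion: "VersionTLS12",
		Ciphers: []string{"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"}}
	effective := resolveEffectiveProfile(nil, inherited)
	fmt.Println("host FIPS:", fipsEnabled("/proc/sys/crypto/fips_enabled"), "validation with FIPS on:", validateEffectiveProfile(effective, true))
	fmt.Println(routerEnv(effective.Ciphers, true))
}
```

Validating the resolved profile rather than only the IngressController's overrides is what lets admission catch the inherited case: with no ingress-level profile, `resolveEffectiveProfile` returns the APIServer profile, and a FIPS cluster whose inherited profile lists only `TLS_CHACHA20_POLY1305_SHA256` is rejected with that cipher named instead of silently ending up with an empty `ROUTER_CIPHERSUITES`.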

@openshift-ci openshift-ci Bot requested review from candita and miheer April 24, 2026 17:02
@openshift-ci
Contributor

openshift-ci Bot commented Apr 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign miheer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@bentito
Contributor Author

bentito commented Apr 24, 2026

/jira cherrypick OCPBUGS-3917

@openshift-ci-robot
Contributor

@bentito: An error was encountered cloning bug for cherrypick for bug OCPBUGS-3917 on the Jira server at https://redhat.atlassian.net. No known errors were detected, please see the full error message for details.

Full error message. request failed. Please analyze the request body for more details. Status code: 400: {"errorMessages":[],"errors":{"versions":"Cannot assign issue to versions 21782, 21776 as they have been archived. Please refresh the page to update the list of non-archived versions."}}

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.

Details

In response to this:

/jira cherrypick OCPBUGS-3917

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bentito bentito changed the title OCPBUGS-3917: Filter non-FIPS TLS 1.3 ciphers and validate effective profiles (backport 4.21) OCPBUGS-82151: Filter non-FIPS TLS 1.3 ciphers and validate effective profiles Apr 24, 2026
@openshift-ci-robot
Contributor

@bentito: This pull request references Jira Issue OCPBUGS-82151, which is invalid:

  • expected the bug to target the "4.21.z" version, but no target version was set
  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-82151 to depend on a bug targeting a version in 4.22.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Manual backport of #1401 due to merge conflicts.

/jira cherrypick OCPBUGS-3917

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. label Apr 24, 2026
@bentito
Contributor Author

bentito commented Apr 24, 2026

/jira refresh

@openshift-ci-robot
Contributor

@bentito: This pull request references Jira Issue OCPBUGS-82151, which is invalid:

  • expected the bug to target the "4.21.z" version, but no target version was set
  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-82151 to depend on a bug targeting a version in 4.22.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bentito
Contributor Author

bentito commented Apr 24, 2026

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Apr 24, 2026
@openshift-ci-robot
Contributor

@bentito: This pull request references Jira Issue OCPBUGS-82151, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.z) matches configured target version for branch (4.21.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-3917 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-3917 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (hongli@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Contributor

@bentito: This pull request references Jira Issue OCPBUGS-82151, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.z) matches configured target version for branch (4.21.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-3917 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-3917 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
  • bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (hongli@redhat.com), skipping review request.

Details

In response to this:

Manual backport of #1401 due to merge conflicts.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bentito
Contributor Author

bentito commented Apr 26, 2026

/retest

@bentito
Contributor Author

bentito commented Apr 27, 2026

@coderabbitai are the current check failures due to infrastructure problems or actual code problems?

@coderabbitai

coderabbitai Bot commented Apr 27, 2026

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Get the current check runs / statuses for PR `#1422`
gh pr checks 1422 --repo openshift/cluster-ingress-operator 2>&1 | head -80

Length of output: 5408


Let me dig into the failing job logs to check the root cause.


🏁 Script executed:

#!/bin/bash
# Fetch the finished.json or build-log.txt for the failing jobs to check for infra vs code issues
# e2e-aws-ovn-serial-1of2
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-serial-1of2/2048490574108954624/finished.json" 2>&1 | head -20

echo "---"
# e2e-aws-ovn-serial-2of2
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-serial-2of2/2048490574138314752/finished.json" 2>&1 | head -20

echo "---"
# e2e-aws-ovn-upgrade
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-upgrade/2048490574176063488/finished.json" 2>&1 | head -20

echo "---"
# e2e-aws-pre-release-ossm
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-pre-release-ossm/2048490574226395136/finished.json" 2>&1 | head -20

Length of output: 1932


🏁 Script executed:

#!/bin/bash
# Check prowjob artifacts directory listing for the failing jobs to find junit/log files
echo "=== serial-1of2 artifacts ==="
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-serial-1of2/2048490574108954624/" 2>&1 | grep -oP 'href="[^"]*"' | head -30

echo "=== upgrade artifacts ==="
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-upgrade/2048490574176063488/" 2>&1 | grep -oP 'href="[^"]*"' | head -30

echo "=== ossm artifacts ==="
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-pre-release-ossm/2048490574226395136/" 2>&1 | grep -oP 'href="[^"]*"' | head -30

Length of output: 6774


🏁 Script executed:

#!/bin/bash
echo "=== serial-1of2 build-log tail ==="
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-serial-1of2/2048490574108954624/build-log.txt" 2>&1 | tail -40

echo ""
echo "=== upgrade prowjob_junit.xml ==="
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-upgrade/2048490574176063488/prowjob_junit.xml" 2>&1 | head -60

echo ""
echo "=== ossm prowjob_junit.xml ==="
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-pre-release-ossm/2048490574226395136/prowjob_junit.xml" 2>&1 | head -60

Length of output: 4315


🏁 Script executed:

#!/bin/bash
echo "=== upgrade build-log tail ==="
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-ovn-upgrade/2048490574176063488/build-log.txt" 2>&1 | tail -50

echo ""
echo "=== ossm build-log tail ==="
curl -sL "https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-ingress-operator/1422/pull-ci-openshift-cluster-ingress-operator-release-4.21-e2e-aws-pre-release-ossm/2048490574226395136/build-log.txt" 2>&1 | tail -50

Length of output: 9146


@bentito: All four failures are infrastructure problems, not code issues. Here's the breakdown:


e2e-aws-ovn-serial-1of2, e2e-aws-ovn-serial-2of2, e2e-aws-ovn-upgrade

All three failed with the same root cause:

Suite run returned error: failed due to a MonitorTest failure

This is the OpenShift CI cluster stability monitor — it watches for infrastructure-level events (pod restarts, operator degradation, etc.) during the test run. These failures are not triggered by the ingress operator code changes in this PR; they reflect transient cluster health issues in the CI environment.


e2e-aws-pre-release-ossm

This one failed even faster (~55 seconds in) with:

> No index image found
make: *** [Makefile:74: test-pre-release-ossm] Error 2

The job attempted to log into the Konflux cluster to fetch a pre-release OSSM index image and found none available. This is a pure external dependency / availability issue in the OSSM release pipeline — completely unrelated to this PR.


✅ All code-level checks pass

unit, verify, verify-deps, images, e2e-aws-operator, e2e-aws-ovn, e2e-gcp-operator, e2e-azure-operator, e2e-hypershift, and hypershift-e2e-aks all passed successfully.

A /retest should clear the serial and upgrade jobs. The ossm job will likely remain broken until the OSSM index image becomes available in the Konflux registry, but that's not a blocker for this PR.

@bentito
Contributor Author

bentito commented Apr 28, 2026

/retest

@bentito
Contributor Author

bentito commented Apr 28, 2026

/retest

@bentito
Contributor Author

bentito commented Apr 28, 2026

/retest

@bentito
Contributor Author

bentito commented Apr 29, 2026

/retest

@openshift-ci
Contributor

openshift-ci Bot commented Apr 30, 2026

@bentito: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws-pre-release-ossm | 6222a22 | link | false | /test e2e-aws-pre-release-ossm |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@bentito
Contributor Author

bentito commented Apr 30, 2026

@coderabbitai please review this PR

@coderabbitai

coderabbitai Bot commented Apr 30, 2026

@bentito: Sure! I'll kick off a review of this PR now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@openshift-ci-robot
Contributor

@bentito: This pull request references Jira Issue OCPBUGS-82151, which is valid.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.z) matches configured target version for branch (4.21.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note type set to "Release Note Not Required"
  • dependent bug Jira Issue OCPBUGS-3917 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-3917 targets the "4.22.0" version, which is one of the valid target versions: 4.22.0
  • bug has dependents

Requesting review from QA contact:
/cc @melvinjoseph86

Details

In response to this:

Manual backport of #1401 due to merge conflicts.

Summary by CodeRabbit

  • New Features

  • Enhanced TLS security profile validation now incorporates cluster APIServer configuration.

  • Added FIPS mode support with automatic TLS 1.3 cipher filtering for FIPS compliance.

  • Improved validation includes custom profile field checks (ciphers, syntax, minTLSVersion).

  • Bug Fixes

  • Added detailed error messages when TLS profiles contain non-FIPS-approved ciphers on FIPS-enabled clusters.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested a review from melvinjoseph86 April 30, 2026 21:24
@coderabbitai

coderabbitai Bot commented Apr 30, 2026

@bentito: Sure! I'll kick off a review of this PR now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@jcmoraisjr
Member

/assign

@jcmoraisjr
Member

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 7, 2026