USHIFT-6925 USHIFT-6851: Introduce Post-Quantum Curves to Ingress defaults and FIPs detection#6622

Open
eslutsky wants to merge 5 commits into openshift:main from eslutsky:microshift-fips-detection
@eslutsky eslutsky commented May 4, 2026

Summary by CodeRabbit

  • New Features

    • Post‑quantum curve (X25519MLKEM768) included in the default TLS curve list; router exposes selected TLS curves via a new environment variable.
    • Automatic FIPS detection toggles FIPS‑compliant TLS cipher and curve restrictions when enabled.
  • Tests

    • Added integration test for ML‑KEM post‑quantum curve negotiation and unit tests validating FIPS cipher/curve behavior.

eslutsky and others added 3 commits May 4, 2026 16:44

Introduce detectFIPS() to check whether the cluster is running in FIPS
mode via the FIPS_ENABLED env var or /proc/sys/crypto/fips_enabled.
The result is stored in the package-level isFIPSEnabled variable for
use by subsequent FIPS-aware configuration logic.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

On FIPS-enabled clusters, remove non-FIPS-compliant TLS 1.3 cipher
suites (e.g. TLS_CHACHA20_POLY1305_SHA256) from ROUTER_CIPHERSUITES.
HAProxy would fail TLS handshakes when a client offers a non-FIPS
cipher that is listed in ssl-default-bind-ciphersuites but excluded
by the OS FIPS policy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Set ROUTER_CURVES on the ingress router deployment to configure TLS
supportedGroups. Non-FIPS clusters use X25519MLKEM768:X25519:P-256:P-384:P-521
(including post-quantum ML-KEM). FIPS clusters use P-256:P-384:P-521 only,
since ML-KEM and X25519 are not supported by OpenSSL FIPS 140-3.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 4, 2026
openshift-ci Bot commented May 4, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci Bot commented May 4, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eslutsky

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2026
coderabbitai Bot commented May 4, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 05942008-a462-4dae-897d-54323741b506

📥 Commits

Reviewing files that changed from the base of the PR and between b3be376 and a9aaf1e.

📒 Files selected for processing (3)
  • pkg/components/controllers.go
  • pkg/components/controllers_test.go
  • test/suites/optional/tls-scanner.robot
🚧 Files skipped from review as they are similar to previous changes (3)
  • test/suites/optional/tls-scanner.robot
  • pkg/components/controllers_test.go
  • pkg/components/controllers.go

Walkthrough

Adds FIPS detection and, when enabled, filters TLS 1.3 cipher suites and removes non‑FIPS curves; exposes the resulting RouterTLSCurves to the router Deployment and adds a Robot test that verifies ML‑KEM curve negotiation.

Changes

FIPS-Aware TLS Configuration

| Layer | File(s) | Summary |
|---|---|---|
| FIPS detection | pkg/components/controllers.go | Package-level isFIPSEnabled initialized by detectFIPS() which reads FIPS_ENABLED env or /proc/sys/crypto/fips_enabled; defines fipsApprovedTLS13Ciphers. |
| TLS cipher & curve filtering and render param | pkg/components/controllers.go | generateIngressParams(cfg, fipsEnabled) added; when fipsEnabled is true, TLS1.3 ciphers are filtered to the FIPS allowlist and ML‑KEM/X25519 curves are removed; RouterTLSCurves render param set. |
| Deployment template wiring | assets/components/openshift-router/deployment.yaml | Adds ROUTER_CURVES env var wired from {{ .RouterTLSCurves }} into the router container. |
| Unit and integration tests | pkg/components/controllers_test.go, test/suites/optional/tls-scanner.robot | Adds Go tests validating cipher/curve filtering behavior and a Robot test/keyword which execs openssl s_client in the router pod to verify ML‑KEM curve negotiation. |

Sequence Diagram

sequenceDiagram
    participant System as System / Environment
    participant Controller as Controller Logic
    participant TLSConfig as generateIngressParams
    participant Template as Deployment Template

    System->>Controller: read FIPS_ENABLED or /proc/sys/crypto/fips_enabled
    Controller->>Controller: set isFIPSEnabled
    Controller->>TLSConfig: generateIngressParams(cfg, fipsEnabled)
    alt FIPS Enabled
        TLSConfig->>TLSConfig: filter tls13Ciphers to fipsApprovedTLS13Ciphers
        TLSConfig->>TLSConfig: remove ML-KEM and X25519 from tlsCurves
    else FIPS Disabled
        TLSConfig->>TLSConfig: keep full cipher and curve lists
    end
    TLSConfig->>Controller: return tlsCurves
    Controller->>Template: render with RouterTLSCurves
    Template->>Template: inject ROUTER_CURVES env var

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ❓ Inconclusive | The custom check specifies Ginkgo test quality requirements, but the PR contains only standard Go unit tests and Robot Framework tests—no Ginkgo-style tests are present in the PR changes. | Clarify whether the check applies to all tests in the repo or only Ginkgo tests. The Go unit tests added meet quality standards (single responsibility, meaningful assertions, proper setup), but they use standard testing.T, not Ginkgo. |

✅ Passed checks (13 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly addresses the main changes: FIPS detection and post-quantum curve support for ingress router configuration. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All test names in the PR are static and descriptive with no dynamic values; no Ginkgo tests present. |
| Microshift Test Compatibility | ✅ Passed | No Ginkgo e2e tests were added in this PR. The new Robot Framework test uses only native Kubernetes APIs available on MicroShift; the check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No new Ginkgo e2e tests added. PR includes only Robot Framework tests (MicroShift-specific) and Go unit tests, which are outside the scope of the SNO compatibility check. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds FIPS detection and TLS filtering only—no topology-unfriendly scheduling constraints. Deployment: static 1 replica, Recreate strategy, worker-only nodeSelector, no affinity/topology spread. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies MicroShift components and Robot Framework tests, not OTE binaries. OTE Binary Stdout Contract applies only to OpenShift Tests Extension test binaries; this PR contains none. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No new Ginkgo e2e tests added; check applies only to Ginkgo tests. PR adds Robot Framework and Go unit tests instead, which are out of scope. |
| No-Weak-Crypto | ✅ Passed | No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), no custom crypto implementations, and no non-constant-time secret comparisons found. Code uses standard NIST-approved TLS ciphers and curves. |
| Container-Privileges | ✅ Passed | Only allowPrivilegeEscalation: true is present with explicit justification (bugzilla #2007246). No privileged mode, hostPID/Network/IPC, SYS_ADMIN capability, or unjustified root access found. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No sensitive data logged. New klog statements only log FIPS config flags and kernel status values, which are standard system configuration, not secrets or PII. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=warning msg="The linter 'gomodguard' is deprecated (since v2.12.0) due to: new major version. Replaced by gomodguard_v2."
level=warning msg="Suggested new configuration:\nlinters:\n enable:\n - gomodguard_v2\n"

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
pkg/components/controllers.go (1)

30-31: 💤 Low value

Package-level FIPS detection executes at init time.

This is evaluated once when the package loads. Acceptable for production but makes unit testing harder—tests cannot easily inject different FIPS states. Consider exposing a test hook or making isFIPSEnabled a function if testability becomes a concern.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/components/controllers.go` around lines 30 - 31, The package currently
initializes a package-level variable isFIPSEnabled by calling detectFIPS() at
load time which hinders tests; change this to either (A) replace the variable
with a function IsFIPSEnabled() that calls detectFIPS() (and update all call
sites that reference isFIPSEnabled), or (B) keep a backed variable but add a
test hook SetFIPSEnabledForTest(value bool) and use lazy evaluation (e.g.,
sync.Once) so tests can override it; update references to use the new function
or the setter and ensure detectFIPS remains the production implementation.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b3f7424d-471c-407c-ae3a-c14164ec1e36

📥 Commits

Reviewing files that changed from the base of the PR and between 9a9d010 and 0852771.

📒 Files selected for processing (2)
  • assets/components/openshift-router/deployment.yaml
  • pkg/components/controllers.go
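
The FIPS-aware cipher and curve filtering from the walkthrough, with the detection inputs injected so tests can set the FIPS state as the nitpick above suggests. This is an added example, not the PR's code: the allowlist contents, the parsing of `FIPS_ENABLED`, and the names `fipsSources`, `keepAllowed`, `tlsParams` and `ingressTLSParams` are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Curve names are the ones in the PR's commit message; the TLS 1.3 allowlist
// contents are an assumption (the page names fipsApprovedTLS13Ciphers only).
var (
	defaultCurves            = []string{"X25519MLKEM768", "X25519", "P-256", "P-384", "P-521"}
	fipsApprovedCurves       = map[string]bool{"P-256": true, "P-384": true, "P-521": true}
	fipsApprovedTLS13Ciphers = map[string]bool{
		"TLS_AES_128_GCM_SHA256": true,
		"TLS_AES_256_GCM_SHA384": true,
	}
)

// fipsSources holds the two inputs detection reads, so tests can inject them.
type fipsSources struct {
	getenv   func(string) string
	readFile func(string) ([]byte, error)
}

// detectFIPS reports FIPS mode if FIPS_ENABLED parses as true (assumed
// semantics) or the kernel flag file contains "1".
func detectFIPS(src fipsSources) bool {
	if on, err := strconv.ParseBool(strings.TrimSpace(src.getenv("FIPS_ENABLED"))); err == nil && on {
		return true
	}
	data, err := src.readFile("/proc/sys/crypto/fips_enabled")
	if err != nil {
		return false // flag file unreadable or absent: treated as not in FIPS mode
	}
	return strings.TrimSpace(string(data)) == "1"
}

// keepAllowed returns the items present in allowed, preserving preference order.
func keepAllowed(items []string, allowed map[string]bool) []string {
	kept := make([]string, 0, len(items))
	for _, it := range items {
		if allowed[it] {
			kept = append(kept, it)
		}
	}
	return kept
}

// tlsParams is a hypothetical stand-in for the render params the PR sets.
type tlsParams struct {
	RouterCiphersSuites string // value for ROUTER_CIPHERSUITES
	RouterTLSCurves     string // value for ROUTER_CURVES
}

// ingressTLSParams applies the FIPS filtering. This example chooses to return
// an error rather than render an empty cipher or curve list.
func ingressTLSParams(tls13Ciphers []string, fipsEnabled bool) (tlsParams, error) {
	ciphers, curves := tls13Ciphers, defaultCurves
	if fipsEnabled {
		ciphers = keepAllowed(tls13Ciphers, fipsApprovedTLS13Ciphers)
		curves = keepAllowed(defaultCurves, fipsApprovedCurves)
	}
	if len(ciphers) == 0 || len(curves) == 0 {
		return tlsParams{}, errors.New("no TLS 1.3 cipher suites or curves left after filtering")
	}
	return tlsParams{
		RouterCiphersSuites: strings.Join(ciphers, ":"),
		RouterTLSCurves:     strings.Join(curves, ":"),
	}, nil
}

func main() {
	fips := detectFIPS(fipsSources{getenv: os.Getenv, readFile: os.ReadFile})
	// Constructed input: a typical TLS 1.3 suite list.
	in := []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
	p, err := ingressTLSParams(in, fips)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("fips=%v\nROUTER_CIPHERSUITES=%s\nROUTER_CURVES=%s\n", fips, p.RouterCiphersSuites, p.RouterTLSCurves)
}
```
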

@eslutsky eslutsky changed the title Introduce Curves to Ingress and FIPs detection USHIFT-6925: Introduce Curves to Ingress and FIPs detection May 4, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 4, 2026
eslutsky commented May 4, 2026

/test all

openshift-ci-robot commented May 4, 2026

@eslutsky: This pull request references USHIFT-6925 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

  • New Features
  • Added automatic FIPS mode detection for the router
  • When FIPS is enabled, the router applies FIPS-compliant TLS cipher suites and curves for enhanced security compliance

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@eslutsky eslutsky changed the title USHIFT-6925: Introduce Curves to Ingress and FIPs detection USHIFT-6925: Introduce post-quantrum Curves to Ingress defaults and FIPs detection May 26, 2026
@eslutsky eslutsky changed the title USHIFT-6925: Introduce post-quantrum Curves to Ingress defaults and FIPs detection USHIFT-6925 USHIFT-6851: Introduce post-quantrum Curves to Ingress defaults and FIPs detection May 26, 2026
openshift-ci-robot commented May 26, 2026

@eslutsky: This pull request references USHIFT-6925 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references USHIFT-6851 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

  • New Features
  • Added automatic FIPS mode detection for the router
  • When FIPS is enabled, the router applies FIPS-compliant TLS cipher suites and curves for enhanced security compliance

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@eslutsky

/test all

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/suites/optional/tls-scanner.robot`:
- Around line 52-54: The test "Ingress Router TLS Curves supports ML-KEM Post
Quantum Curves" unconditionally asserts presence of the ML-KEM curve
X25519MLKEM768 but FIPS mode removes ML-KEM curves; update the test to check the
ROUTER_CURVES variable first (e.g., Run Keyword Unless    '${X25519MLKEM768}' in
'${ROUTER_CURVES}'    Skip Test    "ML-KEM curves not present (FIPS mode)"), or
add a pre-check keyword that inspects ROUTER_CURVES for 'X25519MLKEM768' and
skips the test when not present before performing the openssl/negotiation
assertion. Ensure the same pre-check is applied to the related tests covering
lines 130-144.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6146a461-c936-4f2c-adfb-606034e53972

📥 Commits

Reviewing files that changed from the base of the PR and between 0852771 and 6f1b76f.

📒 Files selected for processing (1)
  • test/suites/optional/tls-scanner.robot

Comment thread test/suites/optional/tls-scanner.robot
Signed-off-by: Evgeny Slutsky <eslutsky@redhat.com>
@eslutsky eslutsky force-pushed the microshift-fips-detection branch from 6f1b76f to 9e1e64a Compare May 27, 2026 15:45
@eslutsky

/test all

@eslutsky eslutsky marked this pull request as ready for review May 28, 2026 14:13
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 28, 2026
@openshift-ci openshift-ci Bot requested review from kasturinarra and pacevedom May 28, 2026 14:14
@eslutsky

/test e2e-aws-tests-periodic

@pacevedom pacevedom left a comment

/retitle USHIFT-6925 USHIFT-6851: Introduce Post-Quantum Curves to Ingress defaults and FIPs detection

Comment thread test/suites/optional/tls-scanner.robot
Comment thread pkg/components/controllers.go
Comment thread pkg/components/controllers.go Outdated
@openshift-ci openshift-ci Bot changed the title USHIFT-6925 USHIFT-6851: Introduce post-quantrum Curves to Ingress defaults and FIPs detection USHIFT-6925 USHIFT-6851: Introduce Post-Quantum Curves to Ingress defaults and FIPs detection Jun 1, 2026

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
pkg/components/controllers_test.go (2)

63-63: ⚡ Quick win

Avoid panic-prone type assertions in test assertions.

At Line 63, Line 97, and Line 120, direct .(string) assertions can panic and hide failure context. Prefer checked extraction with ok + t.Fatalf(...).

Proposed change
+func requireStringParam(t *testing.T, params map[string]interface{}, key string) string {
+	t.Helper()
+	v, ok := params[key]
+	if !ok {
+		t.Fatalf("missing param %q", key)
+	}
+	s, ok := v.(string)
+	if !ok {
+		t.Fatalf("param %q has type %T, want string", key, v)
+	}
+	return s
+}
+
 func TestGenerateIngressParamsFIPSCiphers(t *testing.T) {
 	cfg := newTestConfig()
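
Review bot: the added requireStringParam helper ends in a plain `return s`, so a key that is present but holds an empty string is accepted, and any later negative check on the result (for example that a FIPS cipher list does not contain a non-approved suite) would pass vacuously. Consider failing in the helper when `s == ""`, or asserting a non-empty value at each call site.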
@@
-		cipherSuites := params["RouterCiphersSuites"].(string)
+		cipherSuites := requireStringParam(t, params, "RouterCiphersSuites")
@@
-		cipherSuites := params["RouterCiphersSuites"].(string)
+		cipherSuites := requireStringParam(t, params, "RouterCiphersSuites")
@@
-		curves := params["RouterTLSCurves"].(string)
+		curves := requireStringParam(t, params, "RouterTLSCurves")
@@
-		curves := params["RouterTLSCurves"].(string)
+		curves := requireStringParam(t, params, "RouterTLSCurves")
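
Review bot: the replacement lines repeat the keys "RouterCiphersSuites" and "RouterTLSCurves" as bare string literals at four call sites, while the comment names three line numbers (63, 97, 120); confirm every `.(string)` assertion in the file is covered. Test-level constants for the two keys would make a typo a compile error instead of a "missing param" failure.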

Also applies to: 97-97, 120-120

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/components/controllers_test.go` at line 63, Replace the panic-prone
direct type assertions like cipherSuites :=
params["RouterCiphersSuites"].(string) with checked extractions using the
comma-ok form (e.g., v, ok := params["RouterCiphersSuites"]; s, ok :=
v.(string); if !ok { t.Fatalf("expected RouterCiphersSuites to be string, got
%T", v) }) so tests fail gracefully with clear messages; apply the same pattern
to the other assertions referenced (the similar direct .(string) uses in the
same test around the RouterCiphersSuites/corresponding variables at the other
two occurrences) and update the t.Fatalf messages to include the actual
type/value for easier debugging.

55-56: ⚡ Quick win

Use a fresh config per subtest to avoid hidden coupling.

At Line 55 and Line 89, shared cfg across t.Run blocks can make tests order-dependent if generateIngressParams ever mutates input.

Proposed change
 func TestGenerateIngressParamsFIPSCiphers(t *testing.T) {
-	cfg := newTestConfig()
-
 	t.Run("FIPS enabled filters non-FIPS TLS 1.3 ciphers", func(t *testing.T) {
+		cfg := newTestConfig()
 		params, err := generateIngressParams(cfg, true)
@@
 	t.Run("non-FIPS keeps all TLS 1.3 ciphers", func(t *testing.T) {
+		cfg := newTestConfig()
 		params, err := generateIngressParams(cfg, false)
@@
 func TestGenerateIngressParamsFIPSCurves(t *testing.T) {
-	cfg := newTestConfig()
-
 	t.Run("FIPS enabled uses only NIST curves", func(t *testing.T) {
+		cfg := newTestConfig()
 		params, err := generateIngressParams(cfg, true)
@@
 	t.Run("non-FIPS includes PQC hybrid curve", func(t *testing.T) {
+		cfg := newTestConfig()
 		params, err := generateIngressParams(cfg, false)
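
Review bot: with `cfg := newTestConfig()` now repeated inside each of the four closures, the subtests differ only in the fipsEnabled argument and their expectations; a table-driven loop over name, fipsEnabled and expected values would keep the per-case config creation in one place. If the concern is generateIngressParams mutating its input, an explicit assertion that cfg is unchanged after the call would state that directly.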

Also applies to: 89-90

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/components/controllers_test.go` around lines 55 - 56, The tests share a
single cfg created by newTestConfig() and pass it into multiple t.Run subtests,
which can create order-dependent failures if generateIngressParams mutates cfg;
update the test to create a fresh config inside each subtest (call
newTestConfig() within each t.Run closure or otherwise deep-copy cfg before
passing it to generateIngressParams) so each subtest gets an independent config
instance; ensure references to cfg in both the subtest at line ~55 and the one
at ~89 are replaced with per-subtest locals.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0a707ca9-bfd2-4d7a-a8af-973768114373

📥 Commits

Reviewing files that changed from the base of the PR and between 9e1e64a and b3be376.

📒 Files selected for processing (3)
  • pkg/components/controllers.go
  • pkg/components/controllers_test.go
  • test/suites/optional/tls-scanner.robot
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/suites/optional/tls-scanner.robot
  • pkg/components/controllers.go

Signed-off-by: Evgeny Slutsky <eslutsky@redhat.com>
@eslutsky eslutsky force-pushed the microshift-fips-detection branch from b3be376 to a9aaf1e Compare June 8, 2026 13:08
openshift-ci Bot commented Jun 8, 2026

@eslutsky: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

3 participants