Support FIPS mode via feature flags & cluster tags

[mzazrivec]

What

This pull request adds the ability to provision a new ARO-HCP cluster in FIPS mode using Azure feature flags & cluster tag fips-enabled.

Why

Testing

Special notes for your reviewer

PR Checklist

• PR is scoped to a single task (no mixed concerns)
• Title follows Conventional Commits format
• Summary explains the "Why" behind the change
• Linked to relevant ticket/issue
• Screenshots included (if graph/UI/metrics changes)
• Self-reviewed the diff
• CI/CD checks are passing (ignore Tide)
• Draft PR used for WIP (if applicable)
• Commit history is clean (rebased/squashed)
• Tricky code blocks are commented
• Specific reviewers tagged
• All comment threads resolved before merge

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mzazrivec
Once this PR has been reviewed and has the lgtm label, please assign mbarnes for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• internal/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @mzazrivec. Thanks for your PR.

I'm waiting for a Azure member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds support for provisioning new ARO-HCP clusters in FIPS mode, controlled via an Azure feature flag and an ARM cluster tag (fips-enabled).

Changes:

• Adds FipsEnabled to experimental feature configuration and maps it into ClusterService cluster builder.
• Introduces a new ARM tag constant and admission mutation logic to parse/validate the tag and set ExperimentalFeatures.FipsEnabled.
• Extends cluster customer properties with a fipsEnabled field.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
internal/ocm/convert.go	Plumbs ExperimentalFeatures.FipsEnabled into the CS cluster builder (FIPS flag).
internal/api/types_experimental.go	Adds FipsEnabled to experimental feature type and defines string constants for tag parsing.
internal/api/types_cluster.go	Adds FipsEnabled to customer properties (JSON).
internal/api/featureflags.go	Adds tag constant for enabling FIPS via ARM tags.
internal/admission/admit_cluster.go	Reads fips-enabled tag and sets experimentalFeatures.FipsEnabled / validates values.