
USHIFT-6925 USHIFT-6851: Introduce post-quantrum Curves to Ingress defaults and FIPs detection#6622

Open
eslutsky wants to merge 4 commits into openshift:main from eslutsky:microshift-fips-detection

Conversation

@eslutsky
Contributor

@eslutsky eslutsky commented May 4, 2026

Summary by CodeRabbit

  • New Features

    • Added X25519MLKEM768 (post‑quantum) to the default TLS curve list; non‑supporting clients fall back to existing curves.
    • Introduced a ROUTER_CURVES environment variable to expose selected curves to the router.
    • Added automatic FIPS detection; when FIPS is enabled, TLS curves are restricted to P-256:P-384:P-521 and FIPS‑approved cipher suites.
  • Tests

    • Added a test verifying ML‑KEM post‑quantum curve negotiation.

eslutsky and others added 3 commits May 4, 2026 16:44

Introduce detectFIPS() to check whether the cluster is running in FIPS
mode via the FIPS_ENABLED env var or /proc/sys/crypto/fips_enabled.
The result is stored in the package-level isFIPSEnabled variable for
use by subsequent FIPS-aware configuration logic.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

On FIPS-enabled clusters, remove non-FIPS-compliant TLS 1.3 cipher
suites (e.g. TLS_CHACHA20_POLY1305_SHA256) from ROUTER_CIPHERSUITES.
HAProxy would fail TLS handshakes when a client offers a non-FIPS
cipher that is listed in ssl-default-bind-ciphersuites but excluded
by the OS FIPS policy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Set ROUTER_CURVES on the ingress router deployment to configure TLS
supportedGroups. Non-FIPS clusters use X25519MLKEM768:X25519:P-256:P-384:P-521
(including post-quantum ML-KEM). FIPS clusters use P-256:P-384:P-521 only,
since ML-KEM and X25519 are not supported by OpenSSL FIPS 140-3.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 4, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 4, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci
Contributor

openshift-ci Bot commented May 4, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eslutsky

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 4, 2026
@coderabbitai
Contributor

coderabbitai Bot commented May 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 07c26e2f-a26a-40ca-baa5-f7eb5f1ed7ad

📥 Commits

Reviewing files that changed from the base of the PR and between 6f1b76f and 9e1e64a.

📒 Files selected for processing (1)
  • test/suites/optional/tls-scanner.robot
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/suites/optional/tls-scanner.robot

Walkthrough

Adds FIPS detection and, when enabled, filters TLS 1.3 cipher suites and removes non‑FIPS curves; exposes the resulting RouterTLSCurves to the router Deployment and adds a Robot test that verifies ML‑KEM curve negotiation.

Changes

FIPS-Aware TLS Configuration

Layer: FIPS detection
  File(s): pkg/components/controllers.go
  Summary: Package-level isFIPSEnabled initialized by detectFIPS() which reads FIPS_ENABLED env or /proc/sys/crypto/fips_enabled; defines fipsApprovedTLS13Ciphers.

Layer: TLS cipher & curve filtering and render param
  File(s): pkg/components/controllers.go
  Summary: In generateIngressParams filters TLS1.3 ciphers to the FIPS set and removes ML‑KEM/X25519 curves when FIPS is enabled; sets RouterTLSCurves render parameter.

Layer: Deployment template and tests
  File(s): assets/components/openshift-router/deployment.yaml, test/suites/optional/tls-scanner.robot
  Summary: Adds ROUTER_CURVES env var wired from {{ .RouterTLSCurves }} and Robot test/keyword that execs openssl s_client in the router pod to verify ML‑KEM curve negotiation.

Sequence Diagram

```mermaid
sequenceDiagram
    participant System as System / Environment
    participant Controller as Controller Logic
    participant TLSConfig as TLS Configurator
    participant Template as Deployment Template

    System->>Controller: read FIPS_ENABLED or /proc/sys/crypto/fips_enabled
    Controller->>Controller: set isFIPSEnabled
    Controller->>TLSConfig: generateIngressParams()
    alt FIPS Enabled
        TLSConfig->>TLSConfig: filter tls13Ciphers to fipsApprovedTLS13Ciphers
        TLSConfig->>TLSConfig: remove ML-KEM and X25519 from tlsCurves
    else FIPS Disabled
        TLSConfig->>TLSConfig: keep full cipher and curve lists
    end
    TLSConfig->>Controller: return tlsCurves
    Controller->>Template: render with RouterTLSCurves
    Template->>Template: inject ROUTER_CURVES env var
```

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title references the main changes (post-quantum curves and FIPS detection) but contains a typo ('post-quantrum' instead of 'post-quantum') and is somewhat verbose with two JIRA issue numbers.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR modifies only Robot Framework tests, not Ginkgo tests. The check targets Ginkgo syntax (It(), Describe()) and is not applicable.
Test Structure And Quality ✅ Passed No Ginkgo tests added in PR; custom check is inapplicable. Tests use Robot Framework, which has proper setup/teardown, documentation, and single-responsibility structure.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests added in this PR; only Robot Framework tests and non-test code changes. Check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests are added. The only test added is a Robot Framework test in tls-scanner.robot, which is outside the scope of this check targeting Ginkgo test compatibility.
Topology-Aware Scheduling Compatibility ✅ Passed Changes only add TLS config and FIPS logic; no new scheduling constraints (affinity, topology spreads, PDBs, or nodeSelectors) are introduced.
Ote Binary Stdout Contract ✅ Passed PR changes not in OTE binaries; pkg/components/controllers.go is main microshift code using klog (writes to stderr by default). Robot Framework tests are external.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR. Only a Robot Framework test is modified, which is outside the scope of this check designed for Ginkgo tests.
No-Weak-Crypto ✅ Passed No weak crypto patterns (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom crypto, or insecure comparisons) detected. PR implements modern TLS 1.3 ciphers and post-quantum curves instead.
Container-Privileges ✅ Passed PR modifies only ROUTER_CURVES env var and adds FIPS detection. No changes to privileged, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs ✅ Passed All logging in the PR logs only FIPS mode status (boolean values "true"/"false" or "0"/"1"), not passwords, tokens, keys, PII, session IDs, hostnames, or customer data.



Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
pkg/components/controllers.go (1)

30-31: 💤 Low value

Package-level FIPS detection executes at init time.

This is evaluated once when the package loads. Acceptable for production but makes unit testing harder—tests cannot easily inject different FIPS states. Consider exposing a test hook or making isFIPSEnabled a function if testability becomes a concern.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/components/controllers.go` around lines 30 - 31, The package currently
initializes a package-level variable isFIPSEnabled by calling detectFIPS() at
load time which hinders tests; change this to either (A) replace the variable
with a function IsFIPSEnabled() that calls detectFIPS() (and update all call
sites that reference isFIPSEnabled), or (B) keep a backed variable but add a
test hook SetFIPSEnabledForTest(value bool) and use lazy evaluation (e.g.,
sync.Once) so tests can override it; update references to use the new function
or the setter and ensure detectFIPS remains the production implementation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b3f7424d-471c-407c-ae3a-c14164ec1e36

📥 Commits

Reviewing files that changed from the base of the PR and between 9a9d010 and 0852771.

📒 Files selected for processing (2)
  • assets/components/openshift-router/deployment.yaml
  • pkg/components/controllers.go

@eslutsky eslutsky changed the title from "Introduce Curves to Ingress and FIPs detection" to "USHIFT-6925: Introduce Curves to Ingress and FIPs detection" on May 4, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 4, 2026
@eslutsky
Contributor Author

eslutsky commented May 4, 2026

/test all

@openshift-ci-robot

openshift-ci-robot commented May 4, 2026

@eslutsky: This pull request references USHIFT-6925 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

  • New Features
  • Added automatic FIPS mode detection for the router
  • When FIPS is enabled, the router applies FIPS-compliant TLS cipher suites and curves for enhanced security compliance

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@eslutsky eslutsky changed the title from "USHIFT-6925: Introduce Curves to Ingress and FIPs detection" to "USHIFT-6925: Introduce post-quantrum Curves to Ingress defaults and FIPs detection" on May 26, 2026
@eslutsky eslutsky changed the title from "USHIFT-6925: Introduce post-quantrum Curves to Ingress defaults and FIPs detection" to "USHIFT-6925 USHIFT-6851: Introduce post-quantrum Curves to Ingress defaults and FIPs detection" on May 26, 2026
@openshift-ci-robot

openshift-ci-robot commented May 26, 2026

@eslutsky: This pull request references USHIFT-6925 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

This pull request references USHIFT-6851 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

  • New Features
  • Added automatic FIPS mode detection for the router
  • When FIPS is enabled, the router applies FIPS-compliant TLS cipher suites and curves for enhanced security compliance

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@eslutsky
Contributor Author

/test all

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/suites/optional/tls-scanner.robot`:
- Around line 52-54: The test "Ingress Router TLS Curves supports ML-KEM Post
Quantum Curves" unconditionally asserts presence of the ML-KEM curve
X25519MLKEM768 but FIPS mode removes ML-KEM curves; update the test to check the
ROUTER_CURVES variable first (e.g., Run Keyword Unless    '${X25519MLKEM768}' in
'${ROUTER_CURVES}'    Skip Test    "ML-KEM curves not present (FIPS mode)"), or
add a pre-check keyword that inspects ROUTER_CURVES for 'X25519MLKEM768' and
skips the test when not present before performing the openssl/negotiation
assertion. Ensure the same pre-check is applied to the related tests covering
lines 130-144.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6146a461-c936-4f2c-adfb-606034e53972

📥 Commits

Reviewing files that changed from the base of the PR and between 0852771 and 6f1b76f.

📒 Files selected for processing (1)
  • test/suites/optional/tls-scanner.robot

Comment on lines +52 to +54
Ingress Router TLS Curves supports ML-KEM Post Quantum Curves
[Documentation] Verify TLS curve negotiation with openssl from inside the router pod.
Verify ML-KEM Post Quantum Curve Negotiation
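Review bot: the `[Documentation]` line on the middle of this region says only "Verify TLS curve negotiation with openssl from inside the router pod", while the test name promises ML-KEM support and the `Verify ML-KEM Post Quantum Curve Negotiation` keyword is invoked with no precondition; since the same PR removes X25519MLKEM768 from ROUTER_CURVES on FIPS clusters, state in the documentation that the test expects X25519MLKEM768 only when ROUTER_CURVES contains it, and guard the keyword call with a skip for that case so a correctly configured FIPS cluster records a skip rather than a failure.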
Contributor


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit FIPS gating before asserting ML-KEM negotiation.

The keyword unconditionally expects X25519MLKEM768 (Line 142), but FIPS mode intentionally removes ML-KEM curves. This will fail on correctly configured FIPS clusters despite the doc saying the test should be skipped there. Add a pre-check (for example, detect whether ROUTER_CURVES includes X25519MLKEM768) and skip when it does not.

Also applies to: 130-144


Signed-off-by: Evgeny Slutsky <eslutsky@redhat.com>
@eslutsky eslutsky force-pushed the microshift-fips-detection branch from 6f1b76f to 9e1e64a on May 27, 2026 15:45
@eslutsky
Contributor Author

/test all

@eslutsky eslutsky marked this pull request as ready for review May 28, 2026 14:13
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 28, 2026
@openshift-ci openshift-ci Bot requested review from kasturinarra and pacevedom May 28, 2026 14:14
@eslutsky
Contributor Author

/test e2e-aws-tests-periodic

@openshift-ci
Contributor

openshift-ci Bot commented May 28, 2026

@eslutsky: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
