USHIFT-6925: Introduce Curves to Ingress and FIPs detection

[eslutsky]

Summary by CodeRabbit

• New Features
  • Added automatic FIPS mode detection for the router
  • When FIPS is enabled, the router applies FIPS-compliant TLS cipher suites and curves for enhanced security compliance

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eslutsky

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [eslutsky]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

The PR adds FIPS mode detection and conditions TLS configuration on FIPS enablement. When FIPS is active, cipher suites and curves are restricted to FIPS-approved algorithms; non-FIPS mode preserves existing selections. The resulting curve list is passed to the router deployment template.

Changes

FIPS-Aware TLS Configuration

Layer / File(s)	Summary
FIPS Detection pkg/components/controllers.go (lines 30–74)	Package-level isFIPSEnabled flag initialized by detectFIPS(), which checks FIPS_ENABLED env var or reads /proc/sys/crypto/fips_enabled with fallback logic.
TLS Filtering Logic pkg/components/controllers.go (lines 41–46, 511–538)	Defined fipsApprovedTLS13Ciphers list. In generateIngressParams, conditionally filter TLS 1.3 ciphers and remove post-quantum curves (ML-KEM, X25519) when FIPS is enabled.
Render Integration pkg/components/controllers.go (line 630)	New RouterTLSCurves field passed to ingress render parameters with the FIPS-conditional curve list.
Deployment Template assets/components/openshift-router/deployment.yaml (lines 61–62)	Added ROUTER_CURVES environment variable sourced from {{ .RouterTLSCurves }}.

Sequence Diagram

sequenceDiagram
    participant System as System / Environment
    participant Controller as Controller Logic
    participant TLS as TLS Configuration
    participant Template as Deployment Template

    System->>Controller: Check FIPS_ENABLED env or /proc/sys/crypto/fips_enabled
    Controller->>Controller: Set isFIPSEnabled flag
    Controller->>TLS: generateIngressParams()
    alt FIPS Enabled
        TLS->>TLS: Filter ciphers to fipsApprovedTLS13Ciphers
        TLS->>TLS: Remove ML-KEM, X25519 from curve list
    else FIPS Disabled
        TLS->>TLS: Keep full cipher and curve lists
    end
    TLS->>Controller: Return tlsCurves value
    Controller->>Template: Render with RouterTLSCurves parameter
    Template->>Template: Inject ROUTER_CURVES env var

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Ote Binary Stdout Contract	❓ Inconclusive	Cannot verify OTE Binary Stdout Contract compliance without access to actual PR code changes, diff, and repository context.	Provide the actual git diff output or file changes to analyze for unauthorized stdout writes.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No test files with dynamic test names found in PR modifications.
Test Structure And Quality	✅ Passed	PR does not include Ginkgo test code, only modifies controllers.go and a Kubernetes manifest file.
Microshift Test Compatibility	✅ Passed	This PR does not introduce any new Ginkgo e2e tests. The changes consist solely of production code modifications to pkg/components/controllers.go and a Kubernetes manifest update. Since the custom check applies only to new Ginkgo e2e test definitions, the check is not applicable and therefore passes.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR does not add any new Ginkgo e2e tests. Changes are limited to deployment YAML and controller logic for FIPS detection.
Topology-Aware Scheduling Compatibility	✅ Passed	The pull request introduces no topology-breaking scheduling constraints. The deployment manifest change is limited to adding a ROUTER_CURVES environment variable. The existing nodeSelector for node-role.kubernetes.io/worker remains unchanged. No affinity rules or topology spread constraints were added.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The custom check for IPv6 and disconnected network test compatibility is not applicable to this PR as no new Ginkgo e2e tests are added.
Title check	✅ Passed	The title accurately reflects the main changes: FIPS detection and TLS curve handling for ingress router configuration.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/components/controllers.go (1)

30-31: 💤 Low value

Package-level FIPS detection executes at init time.

This is evaluated once when the package loads. Acceptable for production but makes unit testing harder—tests cannot easily inject different FIPS states. Consider exposing a test hook or making isFIPSEnabled a function if testability becomes a concern.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/components/controllers.go` around lines 30 - 31, The package currently
initializes a package-level variable isFIPSEnabled by calling detectFIPS() at
load time which hinders tests; change this to either (A) replace the variable
with a function IsFIPSEnabled() that calls detectFIPS() (and update all call
sites that reference isFIPSEnabled), or (B) keep a backed variable but add a
test hook SetFIPSEnabledForTest(value bool) and use lazy evaluation (e.g.,
sync.Once) so tests can override it; update references to use the new function
or the setter and ensure detectFIPS remains the production implementation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/components/controllers.go`:
- Around line 30-31: The package currently initializes a package-level variable
isFIPSEnabled by calling detectFIPS() at load time which hinders tests; change
this to either (A) replace the variable with a function IsFIPSEnabled() that
calls detectFIPS() (and update all call sites that reference isFIPSEnabled), or
(B) keep a backed variable but add a test hook SetFIPSEnabledForTest(value bool)
and use lazy evaluation (e.g., sync.Once) so tests can override it; update
references to use the new function or the setter and ensure detectFIPS remains
the production implementation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b3f7424d-471c-407c-ae3a-c14164ec1e36

📥 Commits

Reviewing files that changed from the base of the PR and between 9a9d010 and 0852771.

📒 Files selected for processing (2)

• assets/components/openshift-router/deployment.yaml
• pkg/components/controllers.go

[eslutsky]

/test all

[openshift-ci-robot]

@eslutsky: This pull request references USHIFT-6925 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

• New Features
• Added automatic FIPS mode detection for the router
• When FIPS is enabled, the router applies FIPS-compliant TLS cipher suites and curves for enhanced security compliance

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@eslutsky: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.