OCPBUGS-84551: fix(ingress): set FIPS_ENABLED env var on ingress operator

[csrwng]

Summary

• The ingress operator determines FIPS mode by reading /proc/sys/crypto/fips_enabled on the node where it runs. In hosted clusters, the ingress operator runs on the management cluster, which may have a different FIPS state than the hosted cluster. This causes the operator to deploy routers with incorrect cipher configuration when the FIPS states differ.
• Set FIPS_ENABLED=true on the ingress operator container when the hosted cluster has FIPS enabled, so the operator uses the correct cipher suite regardless of the management cluster's FIPS state.

Test plan

• Verify unit tests pass: go test ./control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/ -v
• Create a FIPS-enabled hosted cluster and verify the ingress operator deployment has FIPS_ENABLED=true set
• Create a non-FIPS hosted cluster and verify the ingress operator deployment does not have FIPS_ENABLED set
• Verify the ingress operator deploys routers with correct FIPS cipher configuration on a FIPS-enabled hosted cluster running on a non-FIPS management cluster

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Ingress operator now enables FIPS mode when FIPS is turned on in the hosted control plane configuration (exposes FIPS_ENABLED to the operator).

• Tests

  • Added unit tests validating that the ingress operator receives the FIPS_ENABLED setting when FIPS is true and does not when false.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@csrwng: This pull request references Jira Issue OCPBUGS-84551, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

• The ingress operator determines FIPS mode by reading /proc/sys/crypto/fips_enabled on the node where it runs. In hosted clusters, the ingress operator runs on the management cluster, which may have a different FIPS state than the hosted cluster. This causes the operator to deploy routers with incorrect cipher configuration when the FIPS states differ.
• Set FIPS_ENABLED=true on the ingress operator container when the hosted cluster has FIPS enabled, so the operator uses the correct cipher suite regardless of the management cluster's FIPS state.

Test plan

• Verify unit tests pass: go test ./control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/ -v
• Create a FIPS-enabled hosted cluster and verify the ingress operator deployment has FIPS_ENABLED=true set
• Create a non-FIPS hosted cluster and verify the ingress operator deployment does not have FIPS_ENABLED set
• Verify the ingress operator deploys routers with correct FIPS cipher configuration on a FIPS-enabled hosted cluster running on a non-FIPS management cluster

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6245893f-2d30-4347-a43d-05437baf56b1

📥 Commits

Reviewing files that changed from the base of the PR and between 702f9b8 and fef03ff.

📒 Files selected for processing (2)

• control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment.go
• control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment.go
• control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment_test.go

---

📝 Walkthrough

Walkthrough

The changes update the ingress operator deployment adaptation to check cpContext.HCP.Spec.FIPS and, when true, upsert an environment variable FIPS_ENABLED="true" into the ingress-operator container. A new unit test TestAdaptDeployment is added with two subtests: one asserting the env var is present when FIPS is true, and another asserting it is absent when FIPS is false. The test builds a HostedControlPlane, loads the deployment manifest, runs adaptDeployment, locates the container, and performs the assertions.

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: setting the FIPS_ENABLED environment variable on the ingress operator when FIPS is enabled, which directly matches the changeset modifications.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test names are stable and deterministic with static string literals describing purpose without dynamic information like generated suffixes, timestamps, UUIDs, or node names.
Test Structure And Quality	✅ Passed	The custom check targets Ginkgo test code, but this PR contains standard Go unit tests using the testing package with t.Run() subtests instead.
Microshift Test Compatibility	✅ Passed	The PR adds only standard Go unit tests, not Ginkgo e2e tests. The custom check applies exclusively to new Ginkgo e2e tests using patterns like It(), Describe(), Context(), or When().
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The test added is a standard Go unit test, not a Ginkgo e2e test, and does not fall under SNO compatibility requirements.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only FIPS_ENABLED environment variable; deployment uses single replica with no affinity, topology spread constraints, node selectors, or tolerations—topology-safe across all OpenShift variants.
Ote Binary Stdout Contract	✅ Passed	Pull request modifies only library-level code in ingressoperator package with FIPS_ENABLED environment variable and unit test, with no stdout-writing code in process-level sections.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This check is not applicable to the provided PR. The PR introduces only a standard Go unit test using testing.T and t.Run(), not Ginkgo e2e tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Review rate limit: 8/10 reviews remaining, refill in 6 minutes and 4 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [csrwng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 36.50%. Comparing base (e45d15e) to head (fef03ff).
⚠️ Report is 27 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8375      +/-   ##
==========================================
+ Coverage   36.48%   36.50%   +0.01%     
==========================================
  Files         765      765              
  Lines       93266    93267       +1     
==========================================
+ Hits        34032    34050      +18     
+ Misses      56519    56501      -18     
- Partials     2715     2716       +1     

Files with missing lines	Coverage Δ
...ostedcontrolplane/v2/ingressoperator/deployment.go	62.06% <100.00%> (+62.06%)	⬆️

Flag	Coverage Δ
cmd-support	30.34% <ø> (ø)
cpo-hostedcontrolplane	37.16% <100.00%> (+0.10%)	⬆️
cpo-other	35.69% <ø> (ø)
hypershift-operator	47.89% <ø> (ø)
other	28.57% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[joshbranham]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[coderabbitai]

🧹 Nitpick comments (1)

control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment.go (1)

25-29: Make FIPS_ENABLED explicit for both FIPS states.

Current logic sets FIPS_ENABLED only on true, but never clears it on false. Making both branches explicit keeps adaptDeployment idempotent even if the input deployment was previously mutated.

Suggested diff

 		if cpContext.HCP.Spec.FIPS {
 			podspec.UpsertEnvVar(c, corev1.EnvVar{
 				Name: "FIPS_ENABLED", Value: "true",
 			})
+		} else {
+			filtered := c.Env[:0]
+			for _, env := range c.Env {
+				if env.Name != "FIPS_ENABLED" {
+					filtered = append(filtered, env)
+				}
+			}
+			c.Env = filtered
 		}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment.go`
around lines 25 - 29, The code only sets FIPS_ENABLED when
cpContext.HCP.Spec.FIPS is true, leaving the variable absent when false and
breaking idempotency in adaptDeployment; change the branch so
podspec.UpsertEnvVar is called in both cases with corev1.EnvVar{Name:
"FIPS_ENABLED", Value: "true"} when cpContext.HCP.Spec.FIPS is true and Value:
"false" when false (use the same UpsertEnvVar call path so existing env is
updated), referencing cpContext.HCP.Spec.FIPS and podspec.UpsertEnvVar to locate
where to make the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment.go`:
- Around line 25-29: The code only sets FIPS_ENABLED when
cpContext.HCP.Spec.FIPS is true, leaving the variable absent when false and
breaking idempotency in adaptDeployment; change the branch so
podspec.UpsertEnvVar is called in both cases with corev1.EnvVar{Name:
"FIPS_ENABLED", Value: "true"} when cpContext.HCP.Spec.FIPS is true and Value:
"false" when false (use the same UpsertEnvVar call path so existing env is
updated), referencing cpContext.HCP.Spec.FIPS and podspec.UpsertEnvVar to locate
where to make the change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4009eeba-d275-4785-8cf0-ae409ec640bf

📥 Commits

Reviewing files that changed from the base of the PR and between e45d15e and 702f9b8.

📒 Files selected for processing (2)

• control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment.go
• control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment_test.go

[joshbranham]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws

[csrwng]

/jira refresh

[openshift-ci-robot]

@csrwng: This pull request references Jira Issue OCPBUGS-84551, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hypershift-jira-solve-ci]

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-azure-self-managed | Build: 2049592180179210240 | Cost: $2.0892022 | Failed step: hypershift-azure-run-e2e-self-managed

View full analysis report

---

_{Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6}

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-04-29T20:50:53Z
• View Job
• View Job History

e2e-aks

• Status: ✅ PASS
• Started: 2026-04-29T20:50:56Z
• View Job
• View Job History

[csrwng]

/retest-required

[csrwng]

/verified by @csrwng

Manually tested a 5.0ci release payload with the control plane operator built from this PR.

• Created a HostedCluster with .spec.fips=true, inspected the ingress-operator deployment in the control plane namespace. The ingress operator deployment included the new FIPS_ENABLED=true environment variable.
• Created a HostedCluster with .spec.fips=false, inspected the ingress-operator deployment in the control plane namespace. The ingress operator did not include the FIPS_ENABLED=true environment variable.

[openshift-ci-robot]

@csrwng: This PR has been marked as verified by @csrwng.

Details

In response to this:

/verified by @csrwng

Manually tested a 5.0ci release payload with the control plane operator built from this PR.

• Created a HostedCluster with .spec.fips=true, inspected the ingress-operator deployment in the control plane namespace. The ingress operator deployment included the new FIPS_ENABLED=true environment variable.
• Created a HostedCluster with .spec.fips=false, inspected the ingress-operator deployment in the control plane namespace. The ingress operator did not include the FIPS_ENABLED=true environment variable.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD ca91011 and 2 for PR HEAD fef03ff in total

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 9bb7d76 and 1 for PR HEAD fef03ff in total

[hypershift-jira-solve-ci]

I now have all the evidence needed. The failure is completely clear. Let me produce the final report.

Test Failure Analysis Complete

Job Information

• Prow Job: pull-ci-openshift-hypershift-main-verify-workflows
• Build ID: 2049888893527920640
• Target: verify-workflows
• PR: OCPBUGS-84551: fix(ingress): set FIPS_ENABLED env var on ingress operator #8375 — OCPBUGS-84551: fix(ingress): set FIPS_ENABLED env var on ingress operator

Test Failure Analysis

Error

OUTDATED: .github/workflows/envtest-kube.yaml has been updated on main since this branch diverged.
OUTDATED: .github/workflows/envtest-ocp.yaml has been updated on main since this branch diverged.
OUTDATED: .github/workflows/test.yaml has been updated on main since this branch diverged.

Rebase your branch on main: git fetch upstream main && git rebase upstream/main

Summary

The verify-workflows CI job checks that all .github/workflows/ files in the PR branch are up-to-date with the main branch. The PR branch (ocpbugs-84551) diverged from main at commit e45d15e, and since that point, three GitHub Actions workflow files (envtest-kube.yaml, envtest-ocp.yaml, test.yaml) were updated on main. Because the PR branch does not include those updates, the verify-workflows check fails. This is not a product bug or a test flake — it is a branch-staleness check that requires a rebase to resolve.

Root Cause

The verify-workflows CI test is an inline script defined in the openshift/release CI configuration. It iterates over every file in .github/workflows/ on main, compares the file's hash on main vs the PR HEAD vs the merge-base, and flags any file where:

• main has a newer version than what the PR branch carries, AND
• the PR branch's version matches the merge-base (meaning the PR never touched that file — it's simply stale).

Three workflow files were updated on main after the PR branch diverged:

1. .github/workflows/envtest-kube.yaml
2. .github/workflows/envtest-ocp.yaml
3. .github/workflows/test.yaml

The PR itself only modifies control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/deployment.go and its test file — it does not touch any workflow files. The branch simply needs to be rebased onto current main to pick up the workflow file updates.

Commit references:

• PR HEAD: fef03ffbcc57a9342eb803055a6d03d3b0be6b1c
• Main: 9bb7d76cde15731979a649709437675413628a51
• Merge Base: e45d15e3232e3a4bea706d58ecd5f5f8483743f5

Recommendations

1. Rebase the PR branch onto main to pick up the updated workflow files:

   git fetch upstream main && git rebase upstream/main

   Then force-push the rebased branch. This is the only fix needed — no code changes are required.

2. Re-trigger the job after rebasing — the verify-workflows check will pass once the branch includes the latest workflow file versions from main.

3. This failure is unrelated to the PR's code changes (ingress operator FIPS_ENABLED env var). The PR's functional changes are not affected.

Evidence

Evidence	Detail
Failed Step	verify-workflows — container test exited with code 1
Failure Type	Branch staleness — outdated .github/workflows/ files
Outdated File 1	.github/workflows/envtest-kube.yaml
Outdated File 2	.github/workflows/envtest-ocp.yaml
Outdated File 3	.github/workflows/test.yaml
PR Changed Files	deployment.go, deployment_test.go (no workflow files)
PR HEAD	fef03ffb
Main HEAD	9bb7d76c
Merge Base	e45d15e3
CI Script	Inline in openshift/release ci-operator config — compares workflow file hashes between main, PR HEAD, and merge-base
Build Log	.work/prow-job-analyze-test-failure/2049888893527920640/logs/build-log.txt

---

[csrwng]

/override ci/prow/verify-workflows

[openshift-ci]

@csrwng: Overrode contexts on behalf of csrwng: ci/prow/verify-workflows

Details

In response to this:

/override ci/prow/verify-workflows

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@csrwng: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@csrwng: Jira Issue OCPBUGS-84551: Some pull requests linked via external trackers have merged:

• openshift/hypershift#8375

The following pull request, linked via external tracker, has not merged:

• openshift/cluster-ingress-operator#1427 is open

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-84551 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Summary

• The ingress operator determines FIPS mode by reading /proc/sys/crypto/fips_enabled on the node where it runs. In hosted clusters, the ingress operator runs on the management cluster, which may have a different FIPS state than the hosted cluster. This causes the operator to deploy routers with incorrect cipher configuration when the FIPS states differ.
• Set FIPS_ENABLED=true on the ingress operator container when the hosted cluster has FIPS enabled, so the operator uses the correct cipher suite regardless of the management cluster's FIPS state.

Test plan

• Verify unit tests pass: go test ./control-plane-operator/controllers/hostedcontrolplane/v2/ingressoperator/ -v
• Create a FIPS-enabled hosted cluster and verify the ingress operator deployment has FIPS_ENABLED=true set
• Create a non-FIPS hosted cluster and verify the ingress operator deployment does not have FIPS_ENABLED set
• Verify the ingress operator deploys routers with correct FIPS cipher configuration on a FIPS-enabled hosted cluster running on a non-FIPS management cluster

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

• Ingress operator now enables FIPS mode when FIPS is turned on in the hosted control plane configuration (exposes FIPS_ENABLED to the operator).

• Tests

• Added unit tests validating that the ingress operator receives the FIPS_ENABLED setting when FIPS is true and does not when false.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[csrwng]

/cherry-pick release-4.22

[openshift-cherrypick-robot]

@csrwng: new pull request created: #8388

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-merge-robot]

Fix included in release 5.0.0-0.nightly-2026-05-02-042818