NE-2333: Add support for configurable SSL curves in HAProxy configuration

[richardsonnick]

To support new PQC key exchanges add option to set default ssl curves.

Adds a new environment variable ROUTER_CURVES.

This is a colon delimited set of curves to use for ECDHE.
Uses HAProxy's ssl-default-bind-curves to configure openssl's supported groups (https://docs.haproxy.org/3.1/configuration.html#ssl-default-bind-curves).

By if no ROUTER_CURVES is given a default group set X25519MLKEM768:X25519:P-256 is used.

Tested via local cluster (see comments below)

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[richardsonnick]

/test all

[richardsonnick]

/test all

[richardsonnick]

/retest-required

[richardsonnick]

/retest-required

[openshift-ci]

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-dualstack	f033f21	link	false	/test e2e-metal-ipi-ovn-dualstack
ci/prow/e2e-aws-serial	f033f21	link	true	/test e2e-aws-serial
ci/prow/okd-scos-e2e-aws-ovn	f033f21	link	false	/test okd-scos-e2e-aws-ovn
ci/prow/e2e-metal-ipi-ovn-router	f033f21	link	false	/test e2e-metal-ipi-ovn-router

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Miciah]

/assign

[candita]

/assign @rfredette @davidesalerno

[candita]

@richardsonnick can you please add a jira or RFE number to this PR?

[zetamorph]

@richardsonnick can you please add a jira or RFE number to this PR?

Hi, I'm not the PR creator, but this PR is also relevant for RFE-5389.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9fc693ff-5c05-4652-b3d2-51d1a9348a73

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Add a conditional ssl-default-bind-curves directive to the HAProxy config template: emit ssl-default-bind-curves {{ . }} when ROUTER_CURVES is set; omit the directive entirely when ROUTER_CURVES is not set.

Changes

Cohort / File(s)	Summary
HAProxy Configuration Template images/router/haproxy/conf/haproxy-config.template	Add conditional ssl-default-bind-curves {{ . }} emission in global: output the directive when ROUTER_CURVES is present; do not emit any ssl-default-bind-curves directive when it is absent.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Miciah]

@richardsonnick, do we need this for OpenShift 4.22.0? @lihongan did some testing and determined that the default crypto policy does not include ML-KEM, so what do you think about dropping f033f21 and merging this PR in order to have basic PQC-readiness in OpenShift 4.22.0?

[candita]

/remove-lifecycle stale

[candita]

/retitle "NE-2333: Add support for configurable SSL curves in HAProxy configuration"

[Miciah]

@richardsonnick, sorry if I wasn't clear earlier. When I asked you to drop f033f21, I meant that we should still have a default ssl-default-bind-curves setting as you had in 54ffaf1. If we have a default setting that includes ML-KEM when ROUTER_CURVES isn't set, then we can be PQC-ready without waiting for the TLS curves API or operator changes. Is that a reasonable approach for OpenShift 4.22.0?

[Miciah]

It looks like HAProxy is still using openssl 3.2.2 which does not have support for PQC groups. Openssl introduced these groups in version 3.5. I'm assuming openshift 4.22 will bump the openssl version, but just fyi.

The latest 4.22 nightlies should have OpenSSL 3.5. For example, @lihongan said 4.22.0-0.nightly-2026-03-17-033403 had it.

[richardsonnick]

@richardsonnick, sorry if I wasn't clear earlier. When I asked you to drop f033f21, I meant that we should still have a default ssl-default-bind-curves setting as you had in 54ffaf1. If we have a default setting that includes ML-KEM when ROUTER_CURVES isn't set, then we can be PQC-ready without waiting for the TLS curves API or operator changes. Is that a reasonable approach for OpenShift 4.22.0?

@Miciah That makes sense. I can restore the else block with a PQC-inclusive default. My concern is about backportability: if this is cherrypicked to 4.21 branches, which ship OpenSSL 3.2.2, HAProxy will fail to start with unable to set curves list. Is the intent that this change is 4.22+ only? You have more domain knowledge than me with how backports are handled so just making sure :)

I'll went ahead and re-added the defaults though. Also reran the tests.

[openshift-ci-robot]

@richardsonnick: This pull request references NE-2333 which is a valid jira issue.

Details

In response to this:

To support new PQC key exchanges add option to set default ssl curves.

Adds a new environment variable ROUTER_CURVES.

This is a colon delimited set of curves to use for ECDHE.
Uses HAProxy's ssl-default-bind-curves to configure openssl's supported groups (https://docs.haproxy.org/3.1/configuration.html#ssl-default-bind-curves).

By if no ROUTER_CURVES is given a default group set X25519MLKEM768:X25519:P-256 is used.

Tested via local cluster (see comments below)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Miciah]

My concern is about backportability: if this is cherrypicked to 4.21 branches, which ship OpenSSL 3.2.2, HAProxy will fail to start with unable to set curves list. Is the intent that this change is 4.22+ only? You have more domain knowledge than me with how backports are handled so just making sure :)

I wasn't expecting this change to be backported. Unless the OpenSSL 3.5 bump is backported (which seems unlikely), I don't see much value in backporting the ROUTER_CURVES option. Are there any plans or requirements for backporting PQC-related changes to OpenShift 4.21?

[candita]

@richardsonnick will you test again with a nightly that contains the OpenSSL changes?
@Miciah we may not need it now, but can we add a Jira to handle sanitizing/validating the value of ROUTER_CURVES?

[richardsonnick]

My concern is about backportability: if this is cherrypicked to 4.21 branches, which ship OpenSSL 3.2.2, HAProxy will fail to start with unable to set curves list. Is the intent that this change is 4.22+ only? You have more domain knowledge than me with how backports are handled so just making sure :)

I wasn't expecting this change to be backported. Unless the OpenSSL 3.5 bump is backported (which seems unlikely), I don't see much value in backporting the ROUTER_CURVES option. Are there any plans or requirements for backporting PQC-related changes to OpenShift 4.21?

None that I'm aware of.

[Miciah]

we may not need it now, but can we add a Jira to handle sanitizing/validating the value of ROUTER_CURVES?

Typically the operator handles sanitizing/validating the values for environment variables (for example, the operator validates ROUTER_CIPHERS), so that can be covered by NE-2332 and openshift/cluster-ingress-operator#1287.

[Miciah]

Thanks!

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Miciah]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lihongan]

/payload-job periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-cgroupsv2 periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-azure-ipi-marketplace-mini-perm-f7

[openshift-ci]

@lihongan: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-azure-ipi-marketplace-mini-perm-f7

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4353d930-297f-11f1-9285-43ceaca58aa8-0

[openshift-ci]

@lihongan: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

[lihongan]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-azure-ovn-runc

[openshift-ci]

@lihongan: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-azure-ovn-runc

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0c1cd720-2982-11f1-9de7-e476ddbcfdd5-0

[openshift-ci]

@lihongan: it appears that you have attempted to use some version of the payload command, but your comment was incorrectly formatted and cannot be acted upon. See the docs for usage info.

[lihongan]

/verified by @lihongan

$ oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.22.0-0-2026-03-27-015018-test-ci-ln-dcb4s7t-latest   True        False         149m    Cluster version is 4.22.0-0-2026-03-27-015018-test-ci-ln-dcb4s7t-latest

// rsh to router-default pod
sh-5.1$ grep curve haproxy.config 
  ssl-default-bind-curves X25519MLKEM768:X25519:P-256

sh-5.1$ openssl s_client -connect downloads-openshift-console.apps.ci-ln-dcb4s7t-76ef8.aws-4.ci.openshift.org:443 -servername downloads-openshift-console.apps.ci-ln-dcb4s7t-76ef8.aws-4.ci.openshift.org -groups X25519MLKEM768 </dev/null 2>&1 | grep -E "Negotiated|Cipher|Protocol"
Negotiated TLS1.3 group: X25519MLKEM768
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3

sh-5.1$ openssl s_client -connect console-openshift-console.apps.ci-ln-dcb4s7t-76ef8.aws-4.ci.openshift.org:443 -servername console-openshift-console.apps.ci-ln-dcb4s7t-76ef8.aws-4.ci.openshift.org -groups X25519MLKEM768 </dev/null 2>&1 | grep -E "Negotiated|Cipher|Protocol"
Negotiated TLS1.3 group: X25519MLKEM768
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3

// after scale down CVO/CIO, we could set the custom ROUTER_CURVES env var on the router deployment

[openshift-ci-robot]

@lihongan: This PR has been marked as verified by @lihongan.

Details

In response to this:

/verified by @lihongan

$ oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.22.0-0-2026-03-27-015018-test-ci-ln-dcb4s7t-latest   True        False         149m    Cluster version is 4.22.0-0-2026-03-27-015018-test-ci-ln-dcb4s7t-latest

// rsh to router-default pod
sh-5.1$ grep curve haproxy.config 
 ssl-default-bind-curves X25519MLKEM768:X25519:P-256

sh-5.1$ openssl s_client -connect downloads-openshift-console.apps.ci-ln-dcb4s7t-76ef8.aws-4.ci.openshift.org:443 -servername downloads-openshift-console.apps.ci-ln-dcb4s7t-76ef8.aws-4.ci.openshift.org -groups X25519MLKEM768 </dev/null 2>&1 | grep -E "Negotiated|Cipher|Protocol"
Negotiated TLS1.3 group: X25519MLKEM768
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3

sh-5.1$ openssl s_client -connect console-openshift-console.apps.ci-ln-dcb4s7t-76ef8.aws-4.ci.openshift.org:443 -servername console-openshift-console.apps.ci-ln-dcb4s7t-76ef8.aws-4.ci.openshift.org -groups X25519MLKEM768 </dev/null 2>&1 | grep -E "Negotiated|Cipher|Protocol"
Negotiated TLS1.3 group: X25519MLKEM768
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3

// after scale down CVO/CIO, we could set the custom ROUTER_CURVES env var on the router deployment

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[candita]

/jira refresh

[candita]

Reverted by #754