OCPBUGS-62238: configure tls profile for router metrics #1378

Open
jcmoraisjr wants to merge 1 commit into openshift:master from jcmoraisjr:OCPBUGS-62238-router-tls-metrics

Conversation

@jcmoraisjr (Member)

Router has two new envvars to configure TLS minimal version and allowed ciphers. This update reads the configuration from the apiserver TLS profile and configures those envvars accordingly.

TLS profile has cipher names in OpenSSL format, while internally library-go uses IANA names. The name is converted before sending to router, which is an internal component.

https://issues.redhat.com/browse/OCPBUGS-62238

@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Mar 6, 2026
@openshift-ci-robot (Contributor)

@jcmoraisjr: This pull request references Jira Issue OCPBUGS-62238, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ShudiLi

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from ShudiLi March 6, 2026 17:08
@coderabbitai

coderabbitai bot commented Mar 6, 2026

No actionable comments were generated in the recent review. 🎉

Reviewing files that changed from the base of the PR and between 8d9a3fd and 9ddddd1.
Walkthrough

This change updates the ingress deployment controller to add TLS metrics configuration. It computes OpenSSL-to-IANA cipher suite names via crypto.OpenSSLToIANACipherSuites, imports crypto from library-go, and exposes two new environment variables—ROUTER_METRICS_TLS_CIPHERS and ROUTER_METRICS_TLS_MIN_VERSION—derived from the TLS profile metrics. These metrics are added alongside existing TLS settings in the router deployment specification. The go.mod file was also modified.

Pre-merge checks: 5 passed

  • Title check: Passed. The title accurately reflects the main change: configuring TLS profile metrics for the router component, which matches the primary objective of the pull request.
  • Description check: Passed. The description is clearly related to the changeset, explaining how the PR reads the apiserver TLS profile and configures router environment variables, including the cipher name conversion from OpenSSL to IANA format.
  • Docstring Coverage: Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
  • Stable And Deterministic Test Names: Passed. Pull request adds new test file with standard Go testing conventions; no Ginkgo tests with dynamic names.
  • Test Structure And Quality: Passed. The custom check for Ginkgo test structure is not applicable to this PR as no test files were modified.


@openshift-ci openshift-ci bot requested review from alebedev87 and rfredette March 6, 2026 17:11
@jcmoraisjr (Member Author)

/retest

@ShudiLi (Member)

ShudiLi commented Mar 10, 2026

tested it with 4.21.0-0-2026-03-10-115701-test-ci-ln-mwiic1k-latest, two new envs ROUTER_METRICS_TLS_CIPHERS and ROUTER_METRICS_TLS_MIN_VERSION were added

1.
% oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0-2026-03-10-115701-test-ci-ln-mwiic1k-latest   True        False         46m     Cluster version is 4.21.0-0-2026-03-10-115701-test-ci-ln-mwiic1k-latest

2. Configure Modern tlsSecurityProfile for the apiserver and the ingresscontroller
% oc -n openshift-ingress-operator get ingresscontroller default -ojsonpath="{.spec.tlsSecurityProfile}"
{"type":"Modern"}
% oc get apiserver cluster -ojsonpath="{.spec.tlsSecurityProfile}"
{"modern":{},"type":"Modern"}

3.
% oc -n openshift-ingress get deployment router-default -oyaml | grep -A1 -E "ROUTER_METRICS_TLS_CIPHERS|ROUTER_METRICS_TLS_MIN_VERSION"
        - name: ROUTER_METRICS_TLS_CIPHERS
          value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
--
        - name: ROUTER_METRICS_TLS_MIN_VERSION
          value: VersionTLS13


4.
% oc -n openshift-ingress rsh router-default-54f6f49c64-6rkx8
sh-5.1$ env | grep -i tls
ROUTER_METRICS_TLS_CERT_FILE=/etc/pki/tls/metrics-certs/tls.crt
ROUTER_METRICS_TLS_CIPHERS=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ROUTER_METRICS_TLS_MIN_VERSION=VersionTLS13
SSL_MIN_VERSION=TLSv1.3
ROUTER_CIPHERSUITES=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ROUTER_METRICS_TLS_KEY_FILE=/etc/pki/tls/metrics-certs/tls.key
DEFAULT_CERTIFICATE_DIR=/etc/pki/tls/private
sh-5.1$

5.
% nmap --script ssl-enum-ciphers -p 1936 127.0.0.1
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-10 21:30 +0800
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000066s latency).

PORT     STATE SERVICE
1936/tcp open  jetcmeserver
| ssl-enum-ciphers: 
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (X25519MLKEM768) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (X25519MLKEM768) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (X25519MLKEM768) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 12.15 seconds
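The nmap run above checks the live router from the outside. As an added example (not code from this PR, the operator or the router), the following Go program shows what the two new env values enforce once a Go metrics listener applies them: it builds a server tls.Config from ROUTER_METRICS_TLS_MIN_VERSION and ROUTER_METRICS_TLS_CIPHERS, then probes it over an in-memory pipe with a client capped at TLS 1.2 and, for a TLS 1.2 profile, with a client offering only a CBC suite. ServerConfigFromEnv, Handshakes, ClientCapped, the version-name table and the self-signed certificate are the example's own assumptions, not router code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// versionIDs maps the Go-style names written into ROUTER_METRICS_TLS_MIN_VERSION
// to crypto/tls version constants (assumed table for this example).
var versionIDs = map[string]uint16{
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// selfSignedCert builds a throwaway ECDSA certificate for the in-memory server.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "metrics-probe"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ServerConfigFromEnv builds the server-side tls.Config a metrics listener
// would derive from the two env values. An unknown version or cipher name is
// an error; an empty cipher list leaves Go's defaults in place.
func ServerConfigFromEnv(minVersion, ciphers string) (*tls.Config, error) {
	v, ok := versionIDs[minVersion]
	if !ok {
		return nil, fmt.Errorf("unknown TLS version %q", minVersion)
	}
	byName := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs.ID
	}
	var ids []uint16
	if ciphers != "" {
		for _, name := range strings.Split(ciphers, ":") {
			id, ok := byName[name]
			if !ok {
				return nil, fmt.Errorf("unknown cipher suite %q", name)
			}
			ids = append(ids, id)
		}
	}
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             v,
		CipherSuites:           ids,  // Go ignores this for TLS 1.3, whose suite set is fixed
		SessionTicketsDisabled: true, // server handshake ends as soon as the client's does
	}, nil
}

// Handshakes runs one TLS handshake over an in-memory pipe (no sockets needed)
// and reports whether the client completed it.
func Handshakes(serverCfg, clientCfg *tls.Config) bool {
	cpipe, spipe := net.Pipe()
	defer cpipe.Close()
	defer spipe.Close()
	deadline := time.Now().Add(5 * time.Second)
	_ = cpipe.SetDeadline(deadline)
	_ = spipe.SetDeadline(deadline)
	go tls.Server(spipe, serverCfg).Handshake() // a rejection shows up as the client's error
	return tls.Client(cpipe, clientCfg).Handshake() == nil
}

// ClientCapped returns a probe client offering at most maxVersion and, when
// given, only the listed cipher suites. Verification is skipped only because
// the server presents the throwaway certificate built above.
func ClientCapped(maxVersion uint16, ciphers ...uint16) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         maxVersion,
		CipherSuites:       ciphers,
	}
}

func main() {
	// Values copied from the Modern profile shown in the verification steps.
	cfg, err := ServerConfigFromEnv("VersionTLS13",
		"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
	if err != nil {
		panic(err)
	}
	fmt.Println("TLS 1.2 client accepted:", Handshakes(cfg, ClientCapped(tls.VersionTLS12)))
	fmt.Println("TLS 1.3 client accepted:", Handshakes(cfg, ClientCapped(tls.VersionTLS13)))
}
```

Because the handshake runs over net.Pipe, the check needs no open port and can sit in a unit test; against a real cluster the equivalent evidence is the nmap output above, where only the three TLS 1.3 suites and no TLS 1.2 section appear.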

@davidesalerno (Contributor)

/assign

@davidesalerno (Contributor) left a comment

A couple of comments

// User facing config uses OpenSSL names. Internally we always use IANA ones.
// OpenSSLToIANACipherSuites() converts and also removes any invalid cipher, otherwise router would crash.
ianaNames := crypto.OpenSSLToIANACipherSuites(tlsProfileMetrics.Ciphers)
env = append(env, corev1.EnvVar{Name: "ROUTER_METRICS_TLS_CIPHERS", Value: strings.Join(ianaNames, ":")})
Contributor:

If tlsProfileMetrics.Ciphers is empty OR conversion drops everything, strings.Join(ianaNames, ":") becomes "".

Isn't it better to set ROUTER_METRICS_TLS_CIPHERS only when len(ianaNames) > 0

Member Author:

Just realized that this is already handled by router: in case envvar is missing or empty, it defaults to the intermediate profile. So assigning empty is fine. Moreover apiserver api already validates if the user input has at least one valid tls1.0-1.2 cipher name, so it ensures that this will never be empty.

}
env = append(env, corev1.EnvVar{Name: "SSL_MIN_VERSION", Value: minTLSVersion})

tlsProfileMetrics := tlsProfileSpecForSecurityProfile(apiConfig.Spec.TLSSecurityProfile)
Contributor:

I could be useful to add a small guard/comment or unit test to cover the case when TLSSecurityProfile is nil.

Member Author:

This is already implemented inside tlsProfileSpecForSecurityProfile(): in case the profile is nil, it uses the intermediate profile.
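The PR description says cipher names arrive in OpenSSL form and are converted to IANA names before reaching the router, and the exchange above settles the two edge cases: an empty list and a nil profile. As an added example that is not the operator's code (library-go's crypto.OpenSSLToIANACipherSuites is not called here), the following Go program does the same kind of conversion with a constructed name table, drops any name that Go's crypto/tls does not list as a supported suite, and falls back to an assumed intermediate profile when the profile is nil. TLSProfile, intermediateProfile, openSSLToIANA, ConvertCiphers and MetricsTLSEnv are the example's own names, and the intermediate cipher list is a constructed subset rather than the project's table.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// TLSProfile is a constructed stand-in for the resolved apiserver
// tlsSecurityProfile: the minimum version in Go's crypto/tls naming and the
// cipher list in OpenSSL naming, as the user-facing API exposes it.
type TLSProfile struct {
	MinTLSVersion string
	Ciphers       []string
}

// intermediateProfile is the assumed fallback for a nil profile. The list is
// a constructed subset; the DHE entry is there to show a name with no Go
// equivalent being dropped.
var intermediateProfile = TLSProfile{
	MinTLSVersion: "VersionTLS12",
	Ciphers: []string{
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
		"TLS_CHACHA20_POLY1305_SHA256",
		"ECDHE-ECDSA-AES128-GCM-SHA256",
		"ECDHE-RSA-AES128-GCM-SHA256",
		"ECDHE-ECDSA-AES256-GCM-SHA384",
		"ECDHE-RSA-AES256-GCM-SHA384",
		"ECDHE-ECDSA-CHACHA20-POLY1305",
		"ECDHE-RSA-CHACHA20-POLY1305",
		"DHE-RSA-AES128-GCM-SHA256", // Go's crypto/tls has no DHE suites
	},
}

// openSSLToIANA is a constructed subset of the OpenSSL-to-IANA name table.
// TLS 1.3 suites are absent because OpenSSL already uses their IANA names.
var openSSLToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

// ConvertCiphers maps OpenSSL names to IANA names, keeping input order, and
// drops any name that is unknown or that Go's crypto/tls does not list as a
// supported suite, so a name the router cannot parse never reaches it.
func ConvertCiphers(openssl []string) []string {
	supported := map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		supported[cs.Name] = true
	}
	var out []string
	for _, name := range openssl {
		iana, ok := openSSLToIANA[name]
		if !ok {
			iana = name // TLS 1.3 names (and unknown ones) go through the support check as-is
		}
		if supported[iana] {
			out = append(out, iana)
		}
	}
	return out
}

// MetricsTLSEnv derives the two router env values from a profile. A nil
// profile resolves to the intermediate fallback, which is what the thread
// says tlsProfileSpecForSecurityProfile() does in the operator.
func MetricsTLSEnv(profile *TLSProfile) map[string]string {
	if profile == nil {
		p := intermediateProfile
		profile = &p
	}
	return map[string]string{
		"ROUTER_METRICS_TLS_MIN_VERSION": profile.MinTLSVersion,
		"ROUTER_METRICS_TLS_CIPHERS":     strings.Join(ConvertCiphers(profile.Ciphers), ":"),
	}
}

func main() {
	// Constructed input matching the Modern profile seen in the verification steps.
	modern := &TLSProfile{
		MinTLSVersion: "VersionTLS13",
		Ciphers:       []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"},
	}
	for _, p := range []*TLSProfile{modern, nil} {
		env := MetricsTLSEnv(p)
		fmt.Println("ROUTER_METRICS_TLS_MIN_VERSION=" + env["ROUTER_METRICS_TLS_MIN_VERSION"])
		fmt.Println("ROUTER_METRICS_TLS_CIPHERS=" + env["ROUTER_METRICS_TLS_CIPHERS"])
	}
}
```

For the Modern input the cipher value comes out as TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256, the same string the verification steps show on the deployment. Filtering against tls.CipherSuites() is the extra guard the author mentions adding on hold: a name that survives API validation but has no Go equivalent is silently omitted instead of being handed to the router.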

@bentito (Contributor)

bentito commented Mar 13, 2026

/lgtm

@bentito (Contributor)

bentito commented Mar 13, 2026

/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 13, 2026
@openshift-ci (Contributor)

openshift-ci bot commented Mar 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bentito

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 13, 2026
@bentito (Contributor)

bentito commented Mar 13, 2026

@ShudiLi can you re-verify please?

@davidesalerno (Contributor)

/lgtm

@jcmoraisjr (Member Author)

/hold

I'll add another validation on the incoming ciphers, on top of the apiserver api ones, to ensure we send only a valid list to the router.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 13, 2026
Router has two new envvars to configure TLS minimal version and allowed
ciphers. This update reads the configuration from the apiserver TLS
profile and configures those envvars accordingly.

TLS profile has cipher names in OpenSSL format, while internally
library-go uses IANA names. The name is converted before sending to
router, which is an internal component.

https://issues.redhat.com/browse/OCPBUGS-62238
@jcmoraisjr jcmoraisjr force-pushed the OCPBUGS-62238-router-tls-metrics branch from 8d9a3fd to 9ddddd1 Compare March 13, 2026 19:52
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 13, 2026
@davidesalerno (Contributor)

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 16, 2026
@candita (Contributor)

candita commented Mar 16, 2026

/tide refresh

@candita (Contributor)

candita commented Mar 16, 2026

/test unit

@lihongan (Contributor)

/retest-required

@ShudiLi (Member)

ShudiLi commented Mar 17, 2026

tested it with 4.22.0-0-2026-03-17-024743-test-ci-ln-yy3r7fk-latest

1.
% oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.22.0-0-2026-03-17-024743-test-ci-ln-yy3r7fk-latest   True        False         64m     Cluster version is 4.22.0-0-2026-03-17-024743-test-ci-ln-yy3r7fk-latest

2.
% oc get apiserver cluster -ojsonpath="{.spec.tlsSecurityProfile}"
{"modern":{},"type":"Modern"}
% oc -n openshift-ingress-operator get ingresscontroller default -ojsonpath="{.spec.tlsSecurityProfile}"
{"type":"Modern"}

3.
% oc -n openshift-ingress get deployment router-default -oyaml | grep -A1 -E "ROUTER_METRICS_TLS_CIPHERS|ROUTER_METRICS_TLS_MIN_VERSION"
        - name: ROUTER_METRICS_TLS_CIPHERS
          value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
--
        - name: ROUTER_METRICS_TLS_MIN_VERSION
          value: VersionTLS13

4.
% nmap --script ssl-enum-ciphers -p 1936 127.0.0.1
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-17 12:38 +0800
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000065s latency).

PORT     STATE SERVICE
1936/tcp open  jetcmeserver
| ssl-enum-ciphers: 
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (X25519MLKEM768) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (X25519MLKEM768) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (X25519MLKEM768) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 11.75 seconds   

@ShudiLi (Member)

ShudiLi commented Mar 17, 2026

/verified by @ShudiLi

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 17, 2026
@openshift-ci-robot (Contributor)

@ShudiLi: This PR has been marked as verified by @ShudiLi.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bentito (Contributor)

bentito commented Mar 17, 2026

/test hypershift-e2e-aks

@jcmoraisjr (Member Author)

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 18, 2026
@jcmoraisjr (Member Author)

/retest

@bentito (Contributor)

bentito commented Mar 18, 2026

/retest

@jcmoraisjr (Member Author)

/retest

@jcmoraisjr (Member Author)

/test e2e-aws-ovn-hypershift-conformance

@jcmoraisjr (Member Author)

/override ci/prow/e2e-aws-ovn-hypershift-conformance

@openshift-ci (Contributor)

openshift-ci bot commented Mar 23, 2026

@jcmoraisjr: Overrode contexts on behalf of jcmoraisjr: ci/prow/e2e-aws-ovn-hypershift-conformance

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci (Contributor)

openshift-ci bot commented Mar 23, 2026

@jcmoraisjr: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
