TRT-2597: [Revert "NE-2333: Add support for configurable SSL curves in HAProxy configuration"](https://github.com/openshift/router/pull/754#top)

[neisw]

Reverts #678

Per OpenShift policy, we are reverting this breaking change to get CI and/or nightly payloads flowing again.

Multiple fips job failures due to unable to set SSL curves list. Issue is tracked via TRT-2597

To unrevert this, revert this PR, and layer an additional separate commit on top that addresses the problem. Before merging the unrevert, please run these jobs on the PR and check the result of these jobs to confirm the fix has corrected the problem:

/payload-aggregate periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips 10

CC: @richardsonnick

[openshift-ci-robot]

@neisw: This pull request references NE-2333 which is a valid jira issue.

Details

In response to this:

Reverts #678

Looks like fips jobs are failing due to this. Starting investigation, opening revert to verify with periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9c78b744-5de7-4b28-b99b-dbc691b6a9df

📥 Commits

Reviewing files that changed from the base of the PR and between b22b233 and 79c1c84.

📒 Files selected for processing (1)

• images/router/haproxy/conf/haproxy-config.template

💤 Files with no reviewable changes (1)

• images/router/haproxy/conf/haproxy-config.template

---

Walkthrough

Removed the TLS "default bind curves" configuration directive (ssl-default-bind-curves) from the HAProxy template's global section. This 8-line removal eliminates environment variable handling for ROUTER_CURVES and its default value of X25519MLKEM768:X25519:P-256.

Changes

Cohort / File(s)	Summary
TLS Configuration Removal images/router/haproxy/conf/haproxy-config.template	Deleted 8 lines handling ssl-default-bind-curves directive and ROUTER_CURVES environment variable configuration from the global section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[neisw]

/payload-aggregate periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips 10

[openshift-ci]

@neisw: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/ccc516a0-29f9-11f1-8cf0-6c5e1f66d6ea-0

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign candita for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alebedev87]

There is a high confidence that the default TLS curve X25519MLKEM768:X25519:P-256 is not working on FIPS. Here is an investigation of a failed job:

error reloading router: exit status 1                                                                                              
  [NOTICE]   (13) : haproxy version is 2.8.18-ae90be6                                                                                
  [ALERT]    (13) : config : Proxy 'fe_sni': unable to set SSL curves list to                                                        
    'X25519MLKEM768:X25519:P-256' for bind 'unix@/var/lib/haproxy/run/haproxy-sni.sock'                                              
  [ALERT]    (13) : config : Proxy 'fe_no_sni': unable to set SSL curves list to                                                     
    'X25519MLKEM768:X25519:P-256' for bind 'unix@/var/lib/haproxy/run/haproxy-no-sni.sock'                                           
  [ALERT]    (13) : config : Fatal errors found in configuration.                                                                    
                                                                                                                                     
  HAProxy cannot start because it's unable to set the SSL curves list to X25519MLKEM768:X25519:P-256. This is a FIPS-specific issue —
   the X25519MLKEM768 curve (a post-quantum key exchange algorithm) is not available in FIPS mode because it's not FIPS-approved.

/lgtm
/approve

[alebedev87]

/override ci/prow/e2e-upgrade

Can I?

[openshift-ci]

@alebedev87: Overrode contexts on behalf of alebedev87: ci/prow/e2e-upgrade

Details

In response to this:

/override ci/prow/e2e-upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[alebedev87]

/override ci/prow/e2e-agnostic
/override ci/prow/e2e-aws-serial-1of2
/override ci/prow/e2e-aws-serial-2of2

[openshift-ci]

@alebedev87: Overrode contexts on behalf of alebedev87: ci/prow/e2e-agnostic, ci/prow/e2e-aws-serial-1of2, ci/prow/e2e-aws-serial-2of2

Details

In response to this:

/override ci/prow/e2e-agnostic
/override ci/prow/e2e-aws-serial-1of2
/override ci/prow/e2e-aws-serial-2of2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[alebedev87]

/retitle TRT-2597: [Revert "NE-2333: Add support for configurable SSL curves in HAProxy configuration"](#754 (comment))

[openshift-ci-robot]

@neisw: This pull request references TRT-2597 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Reverts #678

Looks like fips jobs are failing due to this. Starting investigation, opening revert to verify with periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@neisw: This pull request references TRT-2597 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Reverts #678

Per OpenShift policy, we are reverting this breaking change to get CI and/or nightly payloads flowing again.

Multiple fips job failures due to unable to set SSL curves list. Issue is tracked via TRT-2597

To unrevert this, revert this PR, and layer an additional separate commit on top that addresses the problem. Before merging the unrevert, please run these jobs on the PR and check the result of these jobs to confirm the fix has corrected the problem:

/payload-aggregate periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips 10

CC: @richardsonnick

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[neisw]

/label approved
/label docs-approved
/label px-approved
/verified by ci and claude

[openshift-ci-robot]

@neisw: This PR has been marked as verified by ci and claude.

Details

In response to this:

/label approved
/label docs-approved
/label px-approved
/verified by ci and claude

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.