NE-2333: Add support for TLS curves in HAProxy configuration

[richardsonnick]

Introduces the ROUTER_CURVES environment variable which maps directly to HAProxy's ssl-default-bind-curves directive, allowing operators to configure the TLS key exchange groups used by the router. When ROUTER_CURVES is not set, no directive is emitted and HAProxy uses its built-in defaults.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7fb61bfd-3cfb-4f2a-bd76-ab72d4d69ce6

📥 Commits

Reviewing files that changed from the base of the PR and between 57ddf89 and 8997b3d.

📒 Files selected for processing (1)

• images/router/haproxy/conf/haproxy-config.template

---

Walkthrough

The HAProxy configuration template now conditionally emits an ssl-default-bind-curves <value> directive in the global section when the ROUTER_CURVES environment variable is set.

Changes

Cohort / File(s)	Summary
HAProxy Configuration Template images/router/haproxy/conf/haproxy-config.template	Adds a conditional ssl-default-bind-curves directive in the global section that outputs the value of ROUTER_CURVES when configured.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[candita]

/retitle NE-2332: Add support for TLS curves in HAProxy configuration

[openshift-ci-robot]

@richardsonnick: This pull request references NE-2332 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Introduces the ROUTER_CURVES environment variable which maps directly to HAProxy's ssl-default-bind-curves directive, allowing operators to configure the TLS key exchange groups used by the router. When ROUTER_CURVES is not set, no directive is emitted and HAProxy uses its built-in defaults.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Miciah]

/approve
/lgtm

Thanks for your patience and responsiveness!

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Miciah]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Miciah]

/lgtm

[openshift-ci]

@richardsonnick: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Miciah]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips

[openshift-ci]

@Miciah: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-upgrade-fips

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/34159260-2c54-11f1-89b2-7977742c8eef-0

[lihongan]

/verified by @lihongan

// it is working on FIPS cluster
$ oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.22.0-0-2026-03-31-012306-test-ci-ln-nf1j9gb-latest   True        False         50m     Cluster version is 4.22.0-0-2026-03-31-012306-test-ci-ln-nf1j9gb-latest

sh-5.1$ grep curve haproxy.config 
sh-5.1$ grep curve haproxy-config.template 
  ssl-default-bind-curves {{ . }}
sh-5.1$

// after scaling down CVO/CIO, we could set env ROUTER_CURVES to change the default
$ oc -n openshift-ingress get deployment/router-default -oyaml | grep CURVES -A1
        - name: ROUTER_CURVES
          value: P-256

sh-5.1$ grep curve haproxy.config 
  ssl-default-bind-curves P-256

[openshift-ci-robot]

@lihongan: This PR has been marked as verified by @lihongan.

Details

In response to this:

/verified by @lihongan

// it is working on FIPS cluster
$ oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.22.0-0-2026-03-31-012306-test-ci-ln-nf1j9gb-latest   True        False         50m     Cluster version is 4.22.0-0-2026-03-31-012306-test-ci-ln-nf1j9gb-latest

sh-5.1$ grep curve haproxy.config 
sh-5.1$ grep curve haproxy-config.template 
 ssl-default-bind-curves {{ . }}
sh-5.1$

// after scaling down CVO/CIO, we could set env ROUTER_CURVES to change the default
$ oc -n openshift-ingress get deployment/router-default -oyaml | grep CURVES -A1
       - name: ROUTER_CURVES
         value: P-256

sh-5.1$ grep curve haproxy.config 
 ssl-default-bind-curves P-256

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[lihongan]

Change included in accepted release 4.22.0-0.nightly-2026-04-01-092906

[candita]

Replaces #678

[candita]

/retitle NE-2333: Add support for TLS curves in HAProxy configuration

[candita]

/jira refresh