Conversation

@priteau
Member

@priteau priteau commented Jan 14, 2026

This should resolve SSH issues with some modern key types such as ed25519.

@priteau priteau self-assigned this Jan 14, 2026
@priteau priteau requested a review from a team as a code owner January 14, 2026 11:18
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request sets the RHEL 9 crypto policy to DEFAULT for CI environments to enable ed25519 SSH keys, which is a good improvement. However, a related change in etc/kayobe/ansible/maintenance/cis.yml seems to be missing. There's an assertion in that file that will likely cause CI to fail if ed25519 keys are used, even with this PR's changes. I'd recommend updating that assertion to only run when the crypto policy is FIPS, for example: when: ansible_facts.os_family == 'RedHat' and rhel9cis_crypto_policy == 'FIPS'. This would make the change fully effective. I've also added a comment about configuration duplication to improve maintainability.

Comment on lines +5 to +7
# NOTE: Using DEFAULT crypto policy in CI. FIPS breaks ed25519 SSH keys, and
# FUTURE breaks wazuh agent repo metadata download.
rhel9cis_crypto_policy: DEFAULT
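Review bot: the NOTE records why FIPS and FUTURE were rejected for CI, but nothing in this group_vars file confirms that the DEFAULT policy actually takes effect on the CI host; consider a CI step after the hardening role runs that checks `update-crypto-policies --show` prints DEFAULT, so a regression back to FIPS shows up as an explicit failure rather than as an ed25519 key being rejected at SSH login. Extending the comment to say this value is CI-only and that production inventories keep their own policy would also stop the file being copied as a recommendation.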

medium

This configuration is duplicated in etc/kayobe/environments/ci-multinode/inventory/group_vars/cis-hardening/cis. To improve maintainability and avoid having to update multiple files for future changes, consider defining this in a common inventory group for all CI environments. If you have a parent group for ci-aio and ci-multinode, you could define this variable there to keep the configuration DRY (Don't Repeat Yourself).
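The discussion above turns on one fact: under the FIPS policy the OpenSSH back-end that update-crypto-policies generates (/etc/crypto-policies/back-ends/openssh.config on RHEL 9) no longer lists ssh-ed25519 in PubkeyAcceptedAlgorithms, so ed25519 keys stop working. The script below is an added example, not code from this PR, from kayobe, or from the CIS hardening role: it parses such a back-end file and reports which key types in an authorized_keys file the policy would reject, which is the preflight check a CI engineer would want before switching between DEFAULT and FIPS. The two policy files and the authorized_keys content are constructed samples that mimic the format; they are not the real RHEL 9 output, and the key blobs are placeholders.

```python
"""Preflight: which SSH public key types does a RHEL 9 crypto policy reject?

Added example, not code from the StackHPC PR or from kayobe. It reads the
OpenSSH back-end file produced by update-crypto-policies and compares its
PubkeyAcceptedAlgorithms list against the key types in an authorized_keys
file. All inputs below are constructed samples, not real policy output.
"""
import re
from typing import Dict, List, Set

# Constructed sample shaped like a DEFAULT-policy openssh.config (illustrative).
DEFAULT_OPENSSH_CONFIG = """\
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-256,rsa-sha2-512
PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,rsa-sha2-256,rsa-sha2-512
"""

# Constructed sample shaped like a FIPS-policy openssh.config, with ed25519
# absent, matching the PR's note that FIPS breaks ed25519 keys (illustrative).
FIPS_OPENSSH_CONFIG = """\
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
KexAlgorithms ecdh-sha2-nistp256,diffie-hellman-group14-sha256
HostKeyAlgorithms ecdsa-sha2-nistp256,rsa-sha2-256,rsa-sha2-512
PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
"""

# Constructed authorized_keys; the base64 blobs are placeholders, not real keys.
AUTHORIZED_KEYS = """\
# CI deploy keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE1AAAAIPLACEHOLDER ci-runner@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER operator@example
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER backup@example
restrict,command="/usr/bin/rsync --server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE1AAAAIPLACEHOLDER2 mirror@example
"""

# An ssh-rsa key authenticates with the rsa-sha2-* signature algorithms, so a
# key type maps to the set of algorithm names a policy file might list for it.
KEYTYPE_TO_ALGS = {
    "ssh-ed25519": {"ssh-ed25519"},
    "ssh-rsa": {"rsa-sha2-256", "rsa-sha2-512", "ssh-rsa"},
    "ecdsa-sha2-nistp256": {"ecdsa-sha2-nistp256"},
    "ecdsa-sha2-nistp384": {"ecdsa-sha2-nistp384"},
    "ecdsa-sha2-nistp521": {"ecdsa-sha2-nistp521"},
}

KEY_TYPE_RE = re.compile(
    r"\b(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))\s+[A-Za-z0-9+/=]+"
)


def parse_openssh_policy(text: str) -> Dict[str, List[str]]:
    """Return {directive: [algorithms]} from an openssh.config back-end file."""
    policy: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        policy[directive] = [alg for alg in value.strip().split(",") if alg]
    return policy


def key_types_in_authorized_keys(text: str) -> List[str]:
    """Key type of each authorized_keys entry, skipping comments.

    Entries may carry leading options (restrict,command=...), so the key type
    is searched for rather than taken from the first whitespace-separated field.
    """
    types: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = KEY_TYPE_RE.search(line)
        if match:
            types.append(match.group(1))
    return types


def rejected_key_types(policy_text: str, authorized_keys_text: str) -> Set[str]:
    """Key types in authorized_keys that PubkeyAcceptedAlgorithms would not accept."""
    accepted = set(parse_openssh_policy(policy_text).get("PubkeyAcceptedAlgorithms", []))
    rejected: Set[str] = set()
    for ktype in key_types_in_authorized_keys(authorized_keys_text):
        if not (KEYTYPE_TO_ALGS.get(ktype, {ktype}) & accepted):
            rejected.add(ktype)
    return rejected


if __name__ == "__main__":
    for name, cfg in (("DEFAULT", DEFAULT_OPENSSH_CONFIG), ("FIPS", FIPS_OPENSSH_CONFIG)):
        bad = rejected_key_types(cfg, AUTHORIZED_KEYS)
        print(f"{name}: " + ("all keys accepted" if not bad else "rejected: " + ", ".join(sorted(bad))))
```

On a real host, replace the constructed policy text with the contents of /etc/crypto-policies/back-ends/openssh.config after running update-crypto-policies; the ssh-rsa mapping matters because a policy that drops the SHA-1 "ssh-rsa" algorithm name but keeps rsa-sha2-256 still accepts RSA keys, so matching on the raw key type alone would report a false rejection.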

This should resolve SSH issues with some modern key types such as ed25519.
@priteau priteau merged commit 34f04d1 into stackhpc/2025.1 Jan 15, 2026
35 of 42 checks passed
@priteau priteau deleted the rhel9cis-crypto-policy-ci branch January 15, 2026 09:12
3 participants