@priteau priteau commented Jan 15, 2026

This should resolve SSH issues with some modern key types such as ed25519.

(cherry picked from commit f4b85ef)

@priteau priteau self-assigned this Jan 15, 2026
@priteau priteau requested a review from a team as a code owner January 15, 2026 09:14

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the RHEL 9 crypto policy to DEFAULT for CI environments to resolve issues with ed25519 SSH keys. The changes involve modifying an Ansible playbook to conditionally assert key types based on the crypto policy and updating CI environment variables to set the new policy. The changes are logical and well-explained. I have one suggestion to improve the robustness of the conditional check in the Ansible playbook by making it more specific to RHEL 9.

- ssh_key_type != 'ed25519'
fail_msg: FIPS policy does not currently support ed25519 SSH keys on RHEL family systems
when: ansible_facts.os_family == 'RedHat'
when: ansible_facts.os_family == 'RedHat' and rhel9cis_crypto_policy == 'FIPS'
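Review bot: The last `when:` line compares `rhel9cis_crypto_policy == 'FIPS'` with no guard, so on a RedHat-family host where that variable is not defined the task errors on an undefined variable instead of being skipped. Unless a default is guaranteed for every host this play targets, guard the lookup, for example `rhel9cis_crypto_policy | default('') == 'FIPS'`. A short comment beside the assertion stating that the ed25519 restriction now applies only under the FIPS policy would help whoever changes the policy value later.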

medium

The variable rhel9cis_crypto_policy is specific to RHEL 9, but this when condition could apply to other RedHat family OS versions. To avoid potential issues and make the condition more explicit, it would be better to also check for the distribution major version.

      when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9' and rhel9cis_crypto_policy == 'FIPS'

@priteau priteau changed the title from "CI: Set RL9 crypto policy to DEFAULT" to "CI: Set RL9 crypto policy to DEFAULT (Caracal)" Jan 15, 2026
@priteau priteau merged commit 2648bd5 into stackhpc/2024.1 Jan 15, 2026
37 of 45 checks passed
@priteau priteau deleted the rhel9cis-crypto-policy-ci-caracal branch January 15, 2026 17:36