
Enable TLSv1.2 for ZTunnel when in FIPS mode#1547

Merged
istio-testing merged 2 commits into istio-ecosystem:main from dgn:ztunnel-fips-140-2 on Feb 12, 2026

Conversation

@dgn
Collaborator

@dgn dgn commented Jan 27, 2026

This change builds on istio/ztunnel#1711 which adds TLSv1.2 support to ZTunnel when TLS12_ENABLED is set to true. This patch will always set the env var when in FIPS mode, for all versions of ZTunnel, even though it is only supported from 1.29+, but the env var will simply be ignored by versions that don't support it.

@dgn dgn requested a review from a team as a code owner January 27, 2026 10:01
@dgn
Collaborator Author

dgn commented Jan 27, 2026

Adding a hold until I can test this on an actual FIPS-enabled cluster

@codecov

codecov bot commented Jan 27, 2026

Codecov Report

❌ Patch coverage is 50.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.85%. Comparing base (1747f2d) to head (9c6d75f).
⚠️ Report is 3 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/istiovalues/fips.go | 60.00% | 1 Missing and 1 partial ⚠️ |
| pkg/reconcile/ztunnel.go | 33.33% | 1 Missing and 1 partial ⚠️ |
Additional details and impacted files
```text
@@            Coverage Diff             @@
##             main    #1547      +/-   ##
==========================================
+ Coverage   80.75%   80.85%   +0.10%     
==========================================
  Files          50       50              
  Lines        2458     2466       +8     
==========================================
+ Hits         1985     1994       +9     
+ Misses        348      346       -2     
- Partials      125      126       +1     
```

☔ View full report in Codecov by Sentry.

This change builds on istio/ztunnel#1711 which
adds TLSv1.2 support to ZTunnel when `TLS12_ENABLED` is set to `true`.
This patch will always set the env var when in FIPS mode, for all
versions of ZTunnel, even though it is only supported from 1.29+, but
the env var will simply be ignored by versions that don't support it.

Signed-off-by: Daniel Grimm <dgrimm@redhat.com>
Contributor

@sridhargaddam sridhargaddam left a comment


One small observation, otherwise LGTM.

```go
values := helm.Values{}
for _, tt := range tests {
	t.Run(tt.name, func(t *testing.T) {
		FipsEnabled = tt.fipsEnabled
```
Contributor


FipsEnabled seems to be a global variable and we are mutating its state. I think we should restore its state to the original value after calling ApplyZTunnelFipsValues.

Collaborator Author


I added a separate commit for that, PTAL

In our tests, we sometimes set FipsEnabled manually. We should make sure
to reset it to its original value during test cleanup.

Signed-off-by: Daniel Grimm <dgrimm@redhat.com>
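The two points discussed above, the FIPS-only `TLS12_ENABLED` setting from the PR description and the global-restore concern from the review, as one added illustration (example code written for this page, not the operator's own implementation; `Values` is a constructed stand-in for the relevant `helm.Values` subtree, and the shape of `FipsEnabled` and the `SetFipsEnabledForTest` helper are assumptions):

```go
package main

import "fmt"

// FipsEnabled stands in for the global flag the review refers to (assumed shape).
var FipsEnabled = false

// Values is a constructed stand-in for the helm.Values subtree that matters here.
type Values struct {
	ZTunnel struct {
		Env map[string]string
	}
}

// ApplyZTunnelFipsValues sets ztunnel.env.TLS12_ENABLED="true" only in FIPS
// mode; ztunnel versions without TLSv1.2 support simply ignore the variable.
// Existing env entries are preserved.
func ApplyZTunnelFipsValues(values *Values) {
	if !FipsEnabled {
		return
	}
	if values.ZTunnel.Env == nil {
		values.ZTunnel.Env = map[string]string{}
	}
	values.ZTunnel.Env["TLS12_ENABLED"] = "true"
}

// cleanupT is the part of *testing.T the helper needs.
type cleanupT interface {
	Helper()
	Cleanup(func())
}

// SetFipsEnabledForTest mutates the global for one test and registers a cleanup
// that restores the previous value, so the change cannot leak into later tests.
func SetFipsEnabledForTest(t cleanupT, enabled bool) {
	t.Helper()
	prev := FipsEnabled
	FipsEnabled = enabled
	t.Cleanup(func() { FipsEnabled = prev })
}

func main() {
	FipsEnabled = true
	var v Values
	ApplyZTunnelFipsValues(&v)
	fmt.Println(v.ZTunnel.Env["TLS12_ENABLED"]) // true
}
```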
@dgn
Collaborator Author

dgn commented Feb 11, 2026

/hold cancel

I was able to verify this on a FIPS-enabled cluster.

@dgn
Collaborator Author

dgn commented Feb 12, 2026

/retest

@dgn
Collaborator Author

dgn commented Feb 12, 2026

/cherry-pick release-1.28

@istio-testing
Collaborator

@dgn: once the present PR merges, I will cherry-pick it on top of release-1.28 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-1.28

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@istio-testing istio-testing merged commit e384562 into istio-ecosystem:main Feb 12, 2026
16 of 17 checks passed
@istio-testing
Collaborator

In response to a cherrypick label: #1547 failed to apply on top of branch "release-1.28":

```text
Applying: Enable TLSv1.2 for ZTunnel when in FIPS mode
Using index info to reconstruct a base tree...
A	pkg/reconcile/ztunnel.go
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): pkg/reconcile/ztunnel.go deleted in HEAD and modified in Enable TLSv1.2 for ZTunnel when in FIPS mode. Version Enable TLSv1.2 for ZTunnel when in FIPS mode of pkg/reconcile/ztunnel.go left in tree.
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Enable TLSv1.2 for ZTunnel when in FIPS mode
```

@istio-testing
Collaborator

In response to a cherrypick label: new issue created for failed cherrypick: #1593
