From 11e654d9fb02ce9ba9c610a46beb6698b123a87a Mon Sep 17 00:00:00 2001
From: Daniel Grimm
Date: Thu, 12 Feb 2026 13:07:35 +0100
Subject: [PATCH] [release-1.28] Enable TLSv1.2 for ZTunnel when in FIPS mode (#1596)

* Enable TLSv1.2 for ZTunnel when in FIPS mode

This change builds on https://github.com/istio/ztunnel/pull/1711 which adds TLSv1.2 support to ZTunnel when `TLS12_ENABLED` is set to `true`. This patch will always set the env var when in FIPS mode, for all versions of ZTunnel, even though it is only supported from 1.29+, but the env var will simply be ignored by versions that don't support it.

Signed-off-by: Daniel Grimm

* Make sure that FipsEnabled is restored to original value

In our tests, we sometimes set FipsEnabled manually. We should make sure to reset it to its original value during test cleanup.

Signed-off-by: Daniel Grimm

---------

Signed-off-by: Daniel Grimm
---
 controllers/ztunnel/ztunnel_controller.go | 6 +++
 pkg/istiovalues/fips.go | 10 +++++
 pkg/istiovalues/fips_test.go | 45 +++++++++++++++++++++++
 pkg/revision/values_test.go | 2 +
 4 files changed, 63 insertions(+)

diff --git a/controllers/ztunnel/ztunnel_controller.go b/controllers/ztunnel/ztunnel_controller.go
index 284ad4b07..85d82644d 100644
--- a/controllers/ztunnel/ztunnel_controller.go
+++ b/controllers/ztunnel/ztunnel_controller.go
@@ -157,6 +157,12 @@ func (r *Reconciler) installHelmChart(ctx context.Context, ztunnel *v1.ZTunnel)
 return fmt.Errorf("failed to apply profile: %w", err)
 }
 
+ // apply FipsValues on top of mergedHelmValues from profile
+ mergedHelmValues, err = istiovalues.ApplyZTunnelFipsValues(mergedHelmValues)
+ if err != nil {
+ return fmt.Errorf("failed to apply FIPS values: %w", err)
+ }
+
 // Apply any user Overrides configured as part of values.ztunnel
 // This step was not required for the IstioCNI resource because the Helm templates[*] automatically override values.cni
 // [*]https://github.com/istio/istio/blob/0200fd0d4c3963a72f36987c2e8c2887df172abf/manifests/charts/istio-cni/templates/zzy_descope_legacy.yaml#L3
diff --git a/pkg/istiovalues/fips.go b/pkg/istiovalues/fips.go
index f8a10f5e4..846a0d26d 100644
--- a/pkg/istiovalues/fips.go
+++ b/pkg/istiovalues/fips.go
@@ -53,3 +53,13 @@ func ApplyFipsValues(values helm.Values) (helm.Values, error) {
 }
 return values, nil
 }
+
+// ApplyZTunnelFipsValues sets value ztunnel.env.TLS12_ENABLED if FIPS mode is enabled in the system.
+func ApplyZTunnelFipsValues(values helm.Values) (helm.Values, error) {
+ if FipsEnabled {
+ if err := values.SetIfAbsent("ztunnel.env.TLS12_ENABLED", "true"); err != nil {
+ return nil, fmt.Errorf("failed to set ztunnel.env.TLS12_ENABLED: %w", err)
+ }
+ }
+ return values, nil
+}
diff --git a/pkg/istiovalues/fips_test.go b/pkg/istiovalues/fips_test.go
index 4cbf5803e..0ef3e5965 100644
--- a/pkg/istiovalues/fips_test.go
+++ b/pkg/istiovalues/fips_test.go
@@ -87,6 +87,8 @@ func TestApplyFipsValues(t *testing.T) {
 values := helm.Values{}
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
+ originalFipsEnabled := FipsEnabled
+ t.Cleanup(func() { FipsEnabled = originalFipsEnabled })
 FipsEnabled = tt.fipsEnabled
 actual, err := ApplyFipsValues(values)
 if (err != nil) != tt.expectErr {
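Review bot: The added block applies the FIPS value before the user overrides from values.ztunnel are merged (the context comment that follows the hunk), so a user-supplied `ztunnel.env.TLS12_ENABLED` presumably wins over the FIPS default; if that opt-out is intended, the new comment should say so instead of only naming the layering, because a reader checking the FIPS posture will otherwise not know the setting can be turned off per resource. Suggest `// apply FIPS defaults on top of the profile values; user overrides in values.ztunnel (merged below) still take precedence`. The surrounding installHelmChart body begins and ends outside the hunk.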
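Review bot: The doc comment on ApplyZTunnelFipsValues says it "sets" the value, but the body calls SetIfAbsent, so an existing `ztunnel.env.TLS12_ENABLED` is left untouched and nothing in the comment says why TLS 1.2 is being enabled at all, even though it widens the protocol versions ZTunnel will accept and a reader may take it for a regression. Suggest `// ApplyZTunnelFipsValues sets ztunnel.env.TLS12_ENABLED to "true" when FipsEnabled is set, unless the key is already present; ZTunnel releases that do not know the variable ignore it.` — the last clause is taken from the commit message and belongs next to the code. FipsEnabled is read here as package state that the tests in this same commit mutate, which is worth a short remark on the declaration if it is not already documented (the declaration is outside the hunk).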
@@ -101,3 +103,46 @@ func TestApplyFipsValues(t *testing.T) {
 })
 }
 }
+
+func TestApplyZTunnelFipsValues(t *testing.T) {
+ tests := []struct {
+ name string
+ fipsEnabled bool
+ expectValues helm.Values
+ expectErr bool
+ }{
+ {
+ name: "FIPS not enabled",
+ fipsEnabled: false,
+ expectValues: helm.Values{},
+ },
+ {
+ name: "FIPS enabled",
+ fipsEnabled: true,
+ expectValues: helm.Values{
+ "ztunnel": map[string]any{
+ "env": map[string]any{"TLS12_ENABLED": string("true")},
+ },
+ },
+ },
+ }
+
+ values := helm.Values{}
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ originalFipsEnabled := FipsEnabled
+ t.Cleanup(func() { FipsEnabled = originalFipsEnabled })
+ FipsEnabled = tt.fipsEnabled
+ actual, err := ApplyZTunnelFipsValues(values)
+ if (err != nil) != tt.expectErr {
+ t.Errorf("applyFipsValues() error = %v, expectErr %v", err, tt.expectErr)
+ }
+
+ if err == nil {
+ if diff := cmp.Diff(tt.expectValues, actual); diff != "" {
+ t.Errorf("TLS12_ENABLED env wasn't applied properly; diff (-expected, +actual):\n%v", diff)
+ }
+ }
+ })
+ }
+}
diff --git a/pkg/revision/values_test.go b/pkg/revision/values_test.go
index 0c6b175dd..1bdb34f0c 100644
--- a/pkg/revision/values_test.go
+++ b/pkg/revision/values_test.go
@@ -107,6 +107,8 @@ apiVersion: sailoperator.io/v1
 kind: IstioRevision
 spec:`)), 0o644))
 
+ originalFipsEnabled := istiovalues.FipsEnabled
+ t.Cleanup(func() { istiovalues.FipsEnabled = originalFipsEnabled })
 istiovalues.FipsEnabled = true
 values := &v1.Values{}
 result, err := ComputeValues(values, namespace, version, config.PlatformOpenShift, "default", "",
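Review bot: The failure message in the new test names the wrong function: `t.Errorf("applyFipsValues() error = %v, expectErr %v", err, tt.expectErr)` was carried over from TestApplyFipsValues and should read `t.Errorf("ApplyZTunnelFipsValues() error = %v, expectErr %v", err, tt.expectErr)`. The single `values := helm.Values{}` is shared by both subtests; the function hands back the map it was given, so if SetIfAbsent writes into it in place (not visible here) the "FIPS not enabled" case only passes because it runs first, and moving `values := helm.Values{}` inside the t.Run closure makes each case independent of ordering. `string("true")` in the expected value is a redundant conversion of an untyped constant and can simply be `"true"`.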