[release-3.3] fix: write correct helm value for FIPS-140-2 support

pkg/istiovalues/fips.go

@@ -57,8 +57,8 @@ func ApplyFipsValues(values helm.Values) (helm.Values, error) {
 // ApplyZTunnelFipsValues sets value ztunnel.env.TLS12_ENABLED if FIPS mode is enabled in the system.
 func ApplyZTunnelFipsValues(values helm.Values) (helm.Values, error) {
 	if FipsEnabled {
-		if err := values.SetIfAbsent("ztunnel.env.TLS12_ENABLED", "true"); err != nil {
-			return nil, fmt.Errorf("failed to set ztunnel.env.TLS12_ENABLED: %w", err)
+		if err := values.SetIfAbsent("env.TLS12_ENABLED", "true"); err != nil {
+			return nil, fmt.Errorf("failed to set env.TLS12_ENABLED: %w", err)
 		}
 	}
 	return values, nil

pkg/istiovalues/fips_test.go

@@ -120,9 +120,7 @@ func TestApplyZTunnelFipsValues(t *testing.T) {
 			name:        "FIPS enabled",
 			fipsEnabled: true,
 			expectValues: helm.Values{
-				"ztunnel": map[string]any{
-					"env": map[string]any{"TLS12_ENABLED": string("true")},
-				},
+				"env": map[string]any{"TLS12_ENABLED": string("true")},
 			},
 		},
 	}

tests/integration/api/ztunnel_test.go

@@ -23,10 +23,12 @@ import (
 	v1 "github.com/istio-ecosystem/sail-operator/api/v1"
 	"github.com/istio-ecosystem/sail-operator/api/v1alpha1"
 	"github.com/istio-ecosystem/sail-operator/pkg/enqueuelogger"
+	"github.com/istio-ecosystem/sail-operator/pkg/istiovalues"
 	"github.com/istio-ecosystem/sail-operator/pkg/istioversion"
 	. "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/types"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -174,6 +176,69 @@ var _ = Describe("ZTunnel DaemonSet status changes", Label("ztunnel"), Ordered,
 	}
 })
 
+var _ = Describe("ZTunnel FIPS", Label("ztunnel", "fips"), Ordered, func() {
+	SetDefaultEventuallyPollingInterval(time.Second)
+	SetDefaultEventuallyTimeout(30 * time.Second)
+
+	ctx := context.Background()
+
+	const fipsZTunnelNamespace = "ztunnel-fips-test"
+	fipsZTunnelKey := client.ObjectKey{Name: ztunnelName}
+	daemonsetKey := client.ObjectKey{Name: "ztunnel", Namespace: fipsZTunnelNamespace}
+
+	namespace := &corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: fipsZTunnelNamespace,
+		},
+	}
+
+	BeforeAll(func() {
+		Expect(k8sClient.Create(ctx, namespace)).To(Succeed())
+	})
+
+	AfterAll(func() {
+		Expect(k8sClient.Delete(ctx, namespace)).To(Succeed())
+	})
+
+	It("sets TLS12_ENABLED on the ztunnel DaemonSet when FipsEnabled is true", func() {
+		originalFipsEnabled := istiovalues.FipsEnabled
+		DeferCleanup(func() {
+			istiovalues.FipsEnabled = originalFipsEnabled
+		})
+		istiovalues.FipsEnabled = true
+
+		ztunnel := &v1.ZTunnel{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: ztunnelName,
+			},
+			Spec: v1.ZTunnelSpec{
+				Version:   istioversion.Default,
+				Namespace: fipsZTunnelNamespace,
+			},
+		}
+		Expect(k8sClient.Create(ctx, ztunnel)).To(Succeed())
+		DeferCleanup(func() {
+			Expect(k8sClient.Delete(ctx, ztunnel)).To(Succeed())
+			Eventually(k8sClient.Get).WithArguments(ctx, fipsZTunnelKey, &v1.ZTunnel{}).Should(ReturnNotFoundError())
+		})
+
+		ds := &appsv1.DaemonSet{}
+		Eventually(k8sClient.Get).WithArguments(ctx, daemonsetKey, ds).Should(Succeed())
+
+		Expect(ds).To(HaveContainersThat(ContainElement(WithTransform(getEnvVars,
+			ContainElement(corev1.EnvVar{Name: "TLS12_ENABLED", Value: "true"})))),
+			"Expected TLS12_ENABLED to be set to true on ztunnel DaemonSet when FIPS is enabled")
+	})
+})
+
+func HaveContainersThat(matcher types.GomegaMatcher) types.GomegaMatcher {
+	return HaveField("Spec.Template.Spec.Containers", matcher)
+}
+
+func getEnvVars(container corev1.Container) []corev1.EnvVar {
+	return container.Env
+}
+
 // expectZTunnelV1Condition on the v1.ZTunnel resource to eventually have a given status.
 func expectZTunnelV1Condition(ctx context.Context, condition v1.ZTunnelConditionType, status metav1.ConditionStatus,
 	extraChecks ...func(Gomega, *v1.ZTunnelCondition),