From d81745dee4ec428b89230d65e0f4283482636055 Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Wed, 14 Jan 2026 12:20:39 +0100
Subject: [PATCH] CI: Set RL9 crypto policy to DEFAULT
This should resolve SSH issues with some modern key types such as ed25519.
(cherry picked from commit f4b85ef6068187df0f5bd0773eec5f0c65f516da)
---
 etc/kayobe/ansible/cis.yml | 2 +-
 .../ci-aio/inventory/group_vars/cis-hardening/cis | 4 ++++
 .../ci-multinode/inventory/group_vars/cis-hardening/cis | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/etc/kayobe/ansible/cis.yml b/etc/kayobe/ansible/cis.yml
index faa6ab586b..656a87563c 100644
--- a/etc/kayobe/ansible/cis.yml
+++ b/etc/kayobe/ansible/cis.yml
@@ -12,7 +12,7 @@
 that:
 - ssh_key_type != 'ed25519'
 fail_msg: FIPS policy does not currently support ed25519 SSH keys on RHEL family systems
- when: ansible_facts.os_family == 'RedHat'
+ when: ansible_facts.os_family == 'RedHat' and rhel9cis_crypto_policy == 'FIPS'
 - name: Ensure the cron package is installed on ubuntu
 ansible.builtin.package:
diff --git a/etc/kayobe/environments/ci-aio/inventory/group_vars/cis-hardening/cis b/etc/kayobe/environments/ci-aio/inventory/group_vars/cis-hardening/cis
index 9f5e273c76..252c97bf79 100644
--- a/etc/kayobe/environments/ci-aio/inventory/group_vars/cis-hardening/cis
+++ b/etc/kayobe/environments/ci-aio/inventory/group_vars/cis-hardening/cis
@@ -2,6 +2,10 @@
 ##############################################################################
 # Rocky 9 CIS Hardening Configuration
+# NOTE: Using DEFAULT crypto policy in CI. FIPS breaks ed25519 SSH keys, and
+# FUTURE breaks wazuh agent repo metadata download.
+rhel9cis_crypto_policy: DEFAULT
+
 # Disable shell timeout for inactivity which can be disruptive to
 # development work.
 rhel9cis_rule_5_4_3_2: false
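Review bot: The new `when:` on the ed25519 assert references `rhel9cis_crypto_policy` unguarded, so on a RedHat-family host whose inventory does not set it the conditional itself fails with an undefined-variable error instead of deciding whether the assert runs; this commit only introduces the variable for the two CI environments. Whether the role's defaults cover it depends on how the role enters this play (a play-level `roles:` entry makes its defaults visible to earlier tasks, an `include_role` later in the task list does not), which is outside the hunk. A defaulted comparison keeps the previous fail-safe behaviour, where the check always ran on RedHat family hosts, as the fallback: `when: ansible_facts.os_family == 'RedHat' and (rhel9cis_crypto_policy | default('FIPS')) == 'FIPS'` — the fallback should match the role's own default, which the previously unconditional check suggests is FIPS, so confirm that before merging. The assert task this `when:` belongs to starts before the hunk.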
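Review bot: The NOTE above `rhel9cis_crypto_policy: DEFAULT` records why FIPS and FUTURE were rejected but not that DEFAULT is a deliberate relaxation of the hardening baseline that must stay confined to CI; a line in a `cis-hardening` group_vars file is exactly the kind of setting that gets copied into a production environment. A third comment line makes the scope explicit: `# CI only: do not copy into production environments, which should keep the role default.` The cause of the FUTURE failure against the wazuh repository is also not recorded; if it is a signing key or certificate below FUTURE's minimum key size, noting that in the comment makes it clear when this override can be lifted.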
diff --git a/etc/kayobe/environments/ci-multinode/inventory/group_vars/cis-hardening/cis b/etc/kayobe/environments/ci-multinode/inventory/group_vars/cis-hardening/cis
index 9f5e273c76..252c97bf79 100644
--- a/etc/kayobe/environments/ci-multinode/inventory/group_vars/cis-hardening/cis
+++ b/etc/kayobe/environments/ci-multinode/inventory/group_vars/cis-hardening/cis
@@ -2,6 +2,10 @@
 ##############################################################################
 # Rocky 9 CIS Hardening Configuration
+# NOTE: Using DEFAULT crypto policy in CI. FIPS breaks ed25519 SSH keys, and
+# FUTURE breaks wazuh agent repo metadata download.
+rhel9cis_crypto_policy: DEFAULT
+
 # Disable shell timeout for inactivity which can be disruptive to
 # development work.
 rhel9cis_rule_5_4_3_2: false
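Review bot: The crypto-policy override and its NOTE are now duplicated verbatim between the ci-aio and ci-multinode inventories (same index hashes on both files), so the two will drift the first time one is tightened or lifted without the other. A pointer in the comment makes the coupling visible to the next editor: `# Keep in sync with etc/kayobe/environments/ci-aio/inventory/group_vars/cis-hardening/cis`. If the two CI environments are meant to share all of their hardening deviations, a single shared vars file that both inventories load would remove the duplication entirely.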