Conversation

@priteau
Member

@priteau priteau commented Jan 15, 2026

This should resolve SSH issues with some modern key types such as ed25519.

(cherry picked from commit f4b85ef)

@priteau priteau self-assigned this Jan 15, 2026
@priteau priteau requested a review from a team as a code owner January 15, 2026 17:39
@priteau priteau force-pushed the rhel9cis-crypto-policy-ci-antelope branch from 128b6b2 to 6245b85 Compare January 15, 2026 17:40
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the CI configuration to set the RHEL 9 crypto policy to DEFAULT, which resolves issues with ed25519 SSH keys. This is achieved by adding environment-specific group variables for ci-aio and ci-multinode to override the default FIPS policy. The Ansible playbook for CIS hardening is also updated to only check for unsupported key types when the FIPS policy is active. The changes are logical and address the issue described. I've left one comment regarding duplicated configuration between the CI environments, suggesting a possible improvement for future maintainability.

I am having trouble creating individual review comments. Click here to see my feedback.

etc/kayobe/environments/ci-multinode/inventory/group_vars/cis-hardening/cis (1-21)

medium

This file is identical to etc/kayobe/environments/ci-aio/inventory/group_vars/cis-hardening/cis. To avoid duplication and ensure consistency, consider creating a common set of CI group variables that can be shared between the ci-aio and ci-multinode environments. For example, you could define a common inventory group for CI and place these variables there. This would make future maintenance easier as changes would only need to be made in one place.

@priteau priteau changed the title CI: Set RL9 crypto policy to DEFAULT CI: Set RL9 crypto policy to DEFAULT (Antelope) Jan 15, 2026
@priteau priteau merged commit 347c149 into stackhpc/2023.1 Jan 16, 2026
10 of 12 checks passed
@priteau priteau deleted the rhel9cis-crypto-policy-ci-antelope branch January 16, 2026 09:58