Epic | Resolution: Unresolved | Major | TLS1.3 | To Do
TL;DR
PQC support in OCP requires TLS 1.3. We have three documented places to configure TLS profiles. All OpenShift components (and layered products) should conform to the TLS configuration defined in one of those three places. While enforcing this configuration, check for quantum-safe ML-KEM key encapsulation support when running in TLS 1.3 mode. This is mandatory by OCP 4.22. I've included below the steps to get started and to create the required Jira for this work. That's it! (But you should read the long version and clone the template now.)
The long version now:
Hi Team,
We're launching an important initiative to enhance the security posture of our products and to meet upcoming post-quantum cryptography (PQC) support requirements. This activity is a release blocker for OCP 4.22.
PQC support in Go starts with protecting key exchange (key encapsulation) using the hybrid ML-KEM available since OCP 4.20 (exact name “X25519MLKEM768”).
One key requirement for enabling PQC with TLS is support for TLS 1.3. This support must be consistent and adequately enforced across the platform. Because our customers have only three ways to configure TLS profiles [0], and because they can configure custom TLS profiles, the point is not only to switch defaults from TLS 1.2 to TLS 1.3; it is to ensure that whatever a customer configures [0] is enforced throughout the platform.
Having a centrally managed configuration will help with future TLS changes as new PQC algorithms are finalized and adopted. Part of the acceptance criteria is to ensure that your component, when using TLS 1.3, defaults to the ML-KEM quantum-safe key encapsulation mechanism.
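As an added illustration of what this acceptance criterion means in Go's crypto/tls (example code written for this page, not code from the epic or from any OpenShift component): a profile that pins only classical groups silently drops ML-KEM, and the check below catches that. The Profile type, the helper names and the numeric group codepoint are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// IANA codepoint of the hybrid X25519MLKEM768 group (0x11EC). Go 1.24+ exports it
// as tls.X25519MLKEM768; the raw value is used so this compiles on older toolchains.
const x25519MLKEM768 tls.CurveID = 0x11EC

// Profile is a hypothetical in-memory form of a cluster TLS profile:
// the minimum protocol version plus an optional explicit key-exchange group list.
type Profile struct {
	MinVersion uint16
	Curves     []tls.CurveID
}

var (
	ErrWeakVersion = errors.New("profile must require at least TLS 1.2")
	ErrNoMLKEM     = errors.New("TLS 1.3 is negotiable but X25519MLKEM768 is not the preferred group")
)

// ConfigFromProfile turns a profile into a tls.Config. When the profile does not pin
// groups, the hybrid ML-KEM group is placed first so TLS 1.3 handshakes default to it.
func ConfigFromProfile(p Profile) (*tls.Config, error) {
	if p.MinVersion < tls.VersionTLS12 {
		return nil, ErrWeakVersion
	}
	curves := p.Curves
	if len(curves) == 0 {
		curves = []tls.CurveID{x25519MLKEM768, tls.X25519, tls.CurveP256}
	}
	cfg := &tls.Config{MinVersion: p.MinVersion, CurvePreferences: curves}
	return cfg, CheckMLKEM(cfg)
}

// CheckMLKEM enforces the acceptance criterion: if TLS 1.3 can be negotiated, the
// config must list X25519MLKEM768 first. In Go, setting CurvePreferences without it
// disables the hybrid group entirely, so an explicit entry is required.
func CheckMLKEM(cfg *tls.Config) error {
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS13 {
		return nil // TLS 1.3 is unreachable; nothing to enforce here
	}
	if len(cfg.CurvePreferences) == 0 || cfg.CurvePreferences[0] != x25519MLKEM768 {
		return ErrNoMLKEM
	}
	return nil
}

func main() {
	// Constructed profiles: the first conforms, the second pins P-256 only and fails.
	for _, p := range []Profile{{MinVersion: tls.VersionTLS13}, {MinVersion: tls.VersionTLS12, Curves: []tls.CurveID{tls.CurveP256}}} {
		_, err := ConfigFromProfile(p)
		fmt.Printf("profile %+v -> err=%v\n", p, err)
	}
}
```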
This project is a key step in addressing customer feedback on vulnerability scan output and must be completed by the OCP 4.22 GA date (currently planned for June 2026).
This effort is part of a larger strategy and is tracked under the OCP Strat JIRA: OCPSTRAT-2611 - Centralized & enforced TLS configuration throughout OpenShift (Core & layered products). Please refer to this ticket and the FAQ document for more details on the scope and responsibilities. We also provide general technical guidance and code samples to kickstart this effort within your component.
Action Required: Adoption Epic Creation
Please create your operator's adoption JIRA Epic based on the template by following the instructions below:
- Clone the template: Go to the template JIRA (PLMPGM-6492) and select 'More' → 'Clone Operators Productization Template' from the drop-down (the lowest option; it displays only as 'Clone Operator Product…').
- Locate and update the cloned Epic:
  - Find the newly created Epic by checking Issue Links in PLMPGM-6492 (under "Clones" below), and look for the title: "CLONE – [Operator/Component Name] Central TLS Profile consistency (Template)".
  - Select the cloned Epic (be careful not to update the original template: PLMPGM-6492).
  - Update the Summary, Epic Name, and Description with your component/operator's specific information.
  - Move the Epic into your own Jira project, where your team can act on it.
- Link to the OCP Strategy: In your cloned Epic, set the "Triggered By" field and link it to the OCPSTRAT initiative: OCPSTRAT-2611.
Next Steps
- Ensure your team is aware of this requirement and begins planning for the required work.
- This must be discussed at the December readouts.