Feature Request
Resolution: Won't Do
4.16
Product / Portfolio Work
1. Proposed title of this feature request
Ability to disable EMS check on FIPS for Ingress Controller/Router
2. What is the nature and description of the request?
Starting with OpenShift 4.16 [1], FIPS requires EMS checks, which causes legacy applications that do not use EMS to fail when reaching applications running on OCP.
There is an option to disable EMS in the Machine Config; however, the Ingress Controller doesn't take the configuration from the MC.
The router pods will start with FIPS, as this is configured by CRIO when the container starts. Currently there is no way to configure the "FIPS:NO-ENFORCE-EMS" crypto policy in the router, and a manual workaround needs to be added, which includes setting the Ingress operator into the Unmanaged state.
The request is to configure the crypto policies config or the openssl crypto config to disable EMS on FIPS-enabled systems through the Ingress Controller CR or through an annotation.
3. Why does the customer need this? (List the business requirements here)
The upgrade to 4.16 could break some legacy applications, and admins want to have the ability to disable it for now.
4. List any affected packages or components.
ingress controller/router
machine-config