From 95f70304719069dad50242f7245c883da3b1f702 Mon Sep 17 00:00:00 2001
From: Jacek Ewertowski
Date: Fri, 12 Sep 2025 17:24:00 +0200
Subject: [PATCH 1/7] samples: add PQC demo
Signed-off-by: Jacek Ewertowski
---
 samples/security/pqc/Dockerfile | 41 ++++++++
 samples/security/pqc/README.md | 170 ++++++++++++++++++++++++++++++++
 2 files changed, 211 insertions(+)
 create mode 100644 samples/security/pqc/Dockerfile
 create mode 100644 samples/security/pqc/README.md
diff --git a/samples/security/pqc/Dockerfile b/samples/security/pqc/Dockerfile
new file mode 100644
index 0000000000..1eb1fa8193
--- /dev/null
+++ b/samples/security/pqc/Dockerfile 
@@ -0,0 +1,41 @@
+FROM fedora:41 AS builder
+
+RUN dnf update -y && \
+ dnf install -y oqsprovider && \
+ dnf clean all
+
+# Create directory structure for copying
+RUN mkdir -p /oqs-libs/lib64 /oqs-libs/ossl-modules
+
+# Copy OQS libraries and provider
+RUN cp -av /usr/lib64/liboqs.so* /oqs-libs/lib64/
+RUN cp -av /usr/lib64/ossl-modules/oqsprovider.so /oqs-libs/ossl-modules/
+
+FROM registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe AS final
+
+# Copy OQS libraries and provider from builder stage
+COPY --from=builder /oqs-libs/lib64/* /usr/lib64/
+COPY --from=builder /oqs-libs/ossl-modules/* /usr/lib64/ossl-modules/
+
+# Create OpenSSL configuration that includes OQS provider in /tmp (writable location)
+RUN mkdir -p /tmp/ssl && \
+ echo "# OpenSSL configuration with OQS provider support" > /tmp/ssl/openssl-oqs.cnf && \
+ echo "openssl_conf = openssl_init" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "[openssl_init]" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "providers = provider_sect" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "[provider_sect]" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "default = default_sect" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "oqsprovider = oqsprovider_sect" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "[default_sect]" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "activate = 1" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "[oqsprovider_sect]" >> /tmp/ssl/openssl-oqs.cnf && \
+ echo "activate = 1" >> /tmp/ssl/openssl-oqs.cnf && \
+ chmod 644 /tmp/ssl/openssl-oqs.cnf
+
+# Set environment variables for OQS OpenSSL
+ENV OPENSSL_CONF=/tmp/ssl/openssl-oqs.cnf
+ENV LD_LIBRARY_PATH=/usr/lib64
diff --git a/samples/security/pqc/README.md b/samples/security/pqc/README.md
new file mode 100644
index 0000000000..934bd8888a 
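Review bot: `ENV OPENSSL_CONF=/tmp/ssl/openssl-oqs.cnf` makes the proxy load its OpenSSL configuration from /tmp, which the comment above it itself calls a writable location; anything in the container that can write /tmp can then replace that file and, because a provider section may name an arbitrary `module = …` shared object, direct libssl to load code of its choosing. Keep the configuration in a root-owned, read-only path (the base image's /etc/pki/tls, as patch 2/7 of this series later does) rather than /tmp. Independently, the provider is taken from `fedora:41` but loaded into a RHEL 9 based image, so liboqs/oqsprovider are presumably built against a newer glibc and OpenSSL than the runtime ships; building on a UBI 9 base is the safer match. `ENV LD_LIBRARY_PATH=/usr/lib64` is also redundant, since that directory is already on the loader's default search path, and can be dropped.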
--- /dev/null +++ b/samples/security/pqc/README.md @@ -0,0 +1,170 @@ +# OSSM 3 - PQC demo + +## Prerequisites + +1. Install OpenShift Service Mesh Operator 3.1. +2. Install Gateway API CRDs. + +## Customize proxy image + +1. Get pull secret from OCP: + + ```shell + oc get secret pull-secret -n openshift-config -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d > /tmp/config.json + ``` + +1. Pull istio-proxy 1.26.2: + + ```shell + docker --config /tmp pull registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe + ``` + +1. Build a custom proxy with OQS provider: + + ```shell + docker build -t localhost:5000/istio-system/istio-proxy-oqs:1.26.2 . + ``` + +1. Expose cluster registry to your local environment: + + ```shell + oc port-forward -n openshift-image-registry svc/image-registry 5000:5000 & + ``` + +1. Obtain a token from https://oauth-openshift./oauth/token/request and login to the cluster registry: + + ```shell + docker login -u kubeadmin localhost:5000 + ``` + +1. Alternatively, you can upload the image with the following command: + + ```shell + docker login -u $(oc whoami) -p $(oc whoami -t) localhost:5000 + ``` + +1. Push the OQS-based proxy: + + ```shell + oc new-project istio-system + docker push localhost:5000/istio-system/istio-proxy-oqs:1.26.2 + ``` + +1. Stop port-forwarding the registry API: + + ```shell + kill %1 + ``` + +## Install Service Mesh + +1. Install CNI: + + ```shell + oc new-project istio-cni + oc apply -f - < Date: Tue, 14 Oct 2025 15:00:42 +0200 Subject: [PATCH 2/7] Build OQS provider from source code Signed-off-by: Jacek Ewertowski --- samples/security/pqc/Dockerfile | 78 ++++++++++++++++++--------------- 1 file changed, 43 insertions(+), 35 deletions(-) diff --git a/samples/security/pqc/Dockerfile b/samples/security/pqc/Dockerfile index 1eb1fa8193..93a5b44801 100644 --- a/samples/security/pqc/Dockerfile +++ b/samples/security/pqc/Dockerfile 
@@ -1,41 +1,49 @@
-FROM fedora:41 AS builder
+FROM redhat/ubi9 AS builder
-RUN dnf update -y && \
- dnf install -y oqsprovider && \
- dnf clean all
+ARG LIBOQS_TAG=0.12.0
+ARG OQSPROVIDER_TAG=0.8.0
+ARG INSTALLDIR_OPENSSL=/usr/lib64
+ARG INSTALLDIR_LIBOQS=/opt/liboqs
-# Create directory structure for copying
-RUN mkdir -p /oqs-libs/lib64 /oqs-libs/ossl-modules
+RUN dnf install -y git make cmake ninja-build
+RUN dnf install -y openssl-devel
+RUN dnf install -y gcc gcc-c++
-# Copy OQS libraries and provider
-RUN cp -av /usr/lib64/liboqs.so* /oqs-libs/lib64/
-RUN cp -av /usr/lib64/ossl-modules/oqsprovider.so /oqs-libs/ossl-modules/
+WORKDIR /optbuild
+RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs
+
+WORKDIR /optbuild/liboqs/build
+RUN cmake -G"Ninja" .. \
+ -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} \
+ -DCMAKE_INSTALL_PREFIX=${INSTALLDIR_LIBOQS} && \
+ ninja install
+
+WORKDIR /optbuild
+RUN git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git
+
+WORKDIR /optbuild/oqs-provider
+RUN liboqs_DIR=${INSTALLDIR_LIBOQS} cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR_OPENSSL} -S . 
-B _build && \
+ cmake --build _build && \
+ cmake --install _build && \
+ cp _build/lib/oqsprovider.so ${INSTALLDIR_OPENSSL}/ossl-modules
 FROM registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe AS final
-# Copy OQS libraries and provider from builder stage
-COPY --from=builder /oqs-libs/lib64/* /usr/lib64/
-COPY --from=builder /oqs-libs/ossl-modules/* /usr/lib64/ossl-modules/
-
-# Create OpenSSL configuration that includes OQS provider in /tmp (writable location)
-RUN mkdir -p /tmp/ssl && \
- echo "# OpenSSL configuration with OQS provider support" > /tmp/ssl/openssl-oqs.cnf && \
- echo "openssl_conf = openssl_init" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "[openssl_init]" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "providers = provider_sect" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "[provider_sect]" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "default = default_sect" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "oqsprovider = oqsprovider_sect" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "[default_sect]" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "activate = 1" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "[oqsprovider_sect]" >> /tmp/ssl/openssl-oqs.cnf && \
- echo "activate = 1" >> /tmp/ssl/openssl-oqs.cnf && \
- chmod 644 /tmp/ssl/openssl-oqs.cnf
-
-# Set environment variables for OQS OpenSSL
-ENV OPENSSL_CONF=/tmp/ssl/openssl-oqs.cnf
-ENV LD_LIBRARY_PATH=/usr/lib64
+ARG LIBOQS_TAG=0.12.0
+ARG OQSPROVIDER_TAG=0.8.0
+ARG INSTALLDIR_OPENSSL=/usr/lib64
+ARG INSTALLDIR_LIBOQS=/opt/liboqs
+
+COPY --from=builder ${INSTALLDIR_LIBOQS} ${INSTALLDIR_LIBOQS}
+COPY --from=builder ${INSTALLDIR_OPENSSL}/ossl-modules ${INSTALLDIR_OPENSSL}/ossl-modules
+
+USER root
+RUN sed '/^default = default_sect$/a oqsprovider = oqsprovider_sect' 
/etc/pki/tls/openssl.cnf > /tmp/openssl.cnf
+RUN printf "\n[oqsprovider_sect]\n" >> /tmp/openssl.cnf
+RUN echo "module = /usr/lib64/ossl-modules/oqsprovider.so" >> /tmp/openssl.cnf
+RUN echo "activate = 1" >> /tmp/openssl.cnf
+RUN cp /tmp/openssl.cnf /etc/pki/tls/openssl.cnf
+USER 1000
+
+ENTRYPOINT ["/bin/bash"]
+
From d3c27f394e1d6cd0100a3bf2bc508081e067c66f Mon Sep 17 00:00:00 2001
From: Jacek Ewertowski
Date: Tue, 14 Oct 2025 15:03:40 +0200
Subject: [PATCH 3/7] Remove custom entrypoint
Signed-off-by: Jacek Ewertowski
---
 samples/security/pqc/Dockerfile | 2 --
 1 file changed, 2 deletions(-)
diff --git a/samples/security/pqc/Dockerfile b/samples/security/pqc/Dockerfile
index 93a5b44801..e081bf454a 100644
--- a/samples/security/pqc/Dockerfile
+++ b/samples/security/pqc/Dockerfile
@@ -45,5 +45,3 @@ RUN echo "activate = 1" >> /tmp/openssl.cnf
 RUN cp /tmp/openssl.cnf /etc/pki/tls/openssl.cnf
 USER 1000
-ENTRYPOINT ["/bin/bash"]
-
From f2d17492679b9199c60a419aa8d7ad3f3fe3db0c Mon Sep 17 00:00:00 2001
From: Jacek Ewertowski
Date: Tue, 14 Oct 2025 16:24:03 +0200
Subject: [PATCH 4/7] Fix steps in the demo
Signed-off-by: Jacek Ewertowski
---
 samples/security/pqc/README.md | 56 ++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 20 deletions(-)
diff --git a/samples/security/pqc/README.md b/samples/security/pqc/README.md
index 934bd8888a..d37be757f6 100644
--- a/samples/security/pqc/README.md
+++ b/samples/security/pqc/README.md
@@ -75,25 +75,25 @@ 1. Install control plane: - ```shell - oc apply -f - <
Date: Wed, 15 Oct 2025 15:48:28 +0200
Subject: [PATCH 5/7] Improve the instruction
Signed-off-by: Jacek Ewertowski
---
 samples/security/pqc/Dockerfile | 25 +++---
 samples/security/pqc/README.md | 146 ++++++++++++++++----------
 2 files changed, 88 insertions(+), 83 deletions(-)
diff --git a/samples/security/pqc/Dockerfile b/samples/security/pqc/Dockerfile
index e081bf454a..e2d1ab230a 100644
--- a/samples/security/pqc/Dockerfile 
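Review bot: `RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs` (and the matching clone of oqs-provider) pins only a git tag, and tags are mutable, so the build cannot detect a moved tag or a tampered upstream; pin the commit as well, e.g. `ARG LIBOQS_COMMIT=<full sha of the 0.12.0 tag>` followed by `git -C liboqs checkout ${LIBOQS_COMMIT}` after the clone, or fetch the release tarball and verify its checksum. `COPY --from=builder ${INSTALLDIR_OPENSSL}/ossl-modules ${INSTALLDIR_OPENSSL}/ossl-modules` copies the ubi9 builder's whole provider directory over the runtime image's, overwriting whatever providers the istio-proxyv2 image already ships there (on RHEL 9 presumably including `fips.so`, whose integrity check is bound to the exact binary); copying only `${INSTALLDIR_OPENSSL}/ossl-modules/oqsprovider.so` avoids that. The hunk also leaves `FROM redhat/ubi9 AS builder` untagged and redeclares `LIBOQS_TAG`/`OQSPROVIDER_TAG` in the final stage without using them; both are cleaned up in patch 5/7 of this series.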
+++ b/samples/security/pqc/Dockerfile
@@ -1,4 +1,4 @@
-FROM redhat/ubi9 AS builder
+FROM docker.io/redhat/ubi9:9.6 AS builder
 ARG LIBOQS_TAG=0.12.0
 ARG OQSPROVIDER_TAG=0.8.0
@@ -13,7 +13,7 @@ WORKDIR /optbuild
 RUN git clone --depth 1 --branch ${LIBOQS_TAG} https://github.com/open-quantum-safe/liboqs
 WORKDIR /optbuild/liboqs/build
-RUN cmake -G"Ninja" .. \
+RUN cmake -G "Ninja" .. \
 -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} \
 -DCMAKE_INSTALL_PREFIX=${INSTALLDIR_LIBOQS} && \
 ninja install
@@ -22,15 +22,17 @@ WORKDIR /optbuild
 RUN git clone --depth 1 --branch ${OQSPROVIDER_TAG} https://github.com/open-quantum-safe/oqs-provider.git
 WORKDIR /optbuild/oqs-provider
-RUN liboqs_DIR=${INSTALLDIR_LIBOQS} cmake -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH=${INSTALLDIR_OPENSSL} -S . -B _build && \
+RUN liboqs_DIR=${INSTALLDIR_LIBOQS} cmake \
+ -DOPENSSL_ROOT_DIR=${INSTALLDIR_OPENSSL} \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_PREFIX_PATH=${INSTALLDIR_OPENSSL} \
+ -S . -B _build && \
 cmake --build _build && \
 cmake --install _build && \
 cp _build/lib/oqsprovider.so ${INSTALLDIR_OPENSSL}/ossl-modules
-FROM registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe AS final
+FROM registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:1.26.2 AS final
-ARG LIBOQS_TAG=0.12.0
-ARG OQSPROVIDER_TAG=0.8.0
 ARG INSTALLDIR_OPENSSL=/usr/lib64
 ARG INSTALLDIR_LIBOQS=/opt/liboqs 
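Review bot: `+FROM registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:1.26.2 AS final` drops the digest the removed line carried, so the final stage now resolves a mutable tag and two builds of the same Dockerfile can yield different images, silently picking up a rebuilt proxy. Keep the tag for readability but retain the digest: `FROM registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:1.26.2@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe AS final`. The same applies to `docker.io/redhat/ubi9:9.6` in the first hunk of this file, where a digest would make the compiled provider reproducible as well.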
@@ -38,10 +40,9 @@ COPY --from=builder ${INSTALLDIR_LIBOQS} ${INSTALLDIR_LIBOQS}
 COPY --from=builder ${INSTALLDIR_OPENSSL}/ossl-modules ${INSTALLDIR_OPENSSL}/ossl-modules
 USER root
-RUN sed '/^default = default_sect$/a oqsprovider = oqsprovider_sect' /etc/pki/tls/openssl.cnf > /tmp/openssl.cnf
-RUN printf "\n[oqsprovider_sect]\n" >> /tmp/openssl.cnf
-RUN echo "module = /usr/lib64/ossl-modules/oqsprovider.so" >> /tmp/openssl.cnf
-RUN echo "activate = 1" >> /tmp/openssl.cnf
-RUN cp /tmp/openssl.cnf /etc/pki/tls/openssl.cnf
+RUN sed '/^default = default_sect$/a oqsprovider = oqsprovider_sect' /etc/pki/tls/openssl.cnf > /tmp/openssl.cnf && \
+ printf "\n[oqsprovider_sect]\n" >> /tmp/openssl.cnf && \
+ echo "module = /usr/lib64/ossl-modules/oqsprovider.so" >> /tmp/openssl.cnf && \
+ echo "activate = 1" >> /tmp/openssl.cnf && \
+ cp /tmp/openssl.cnf /etc/pki/tls/openssl.cnf
 USER 1000
- 
diff --git a/samples/security/pqc/README.md b/samples/security/pqc/README.md
index d37be757f6..3c6dac048e 100644
--- a/samples/security/pqc/README.md
+++ b/samples/security/pqc/README.md 
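Review bot: the merged `RUN sed '/^default = default_sect$/a oqsprovider = oqsprovider_sect' /etc/pki/tls/openssl.cnf > /tmp/openssl.cnf && …` still exits 0 when the base image's openssl.cnf has no line matching `default = default_sect` exactly, in which case the `[oqsprovider_sect]` block is appended but never referenced and the provider is silently not loaded. Add a check before the final copy, e.g. `grep -q '^oqsprovider = oqsprovider_sect$' /tmp/openssl.cnf && \`, so the build fails loudly instead. `echo "module = /usr/lib64/ossl-modules/oqsprovider.so"` also hard-codes the path that the `INSTALLDIR_OPENSSL` ARG parameterizes elsewhere in this stage; `echo "module = ${INSTALLDIR_OPENSSL}/ossl-modules/oqsprovider.so"` keeps the two in sync. `USER 1000` is a sound non-root default, but it is worth confirming it matches the UID the istio-proxyv2 base image already runs as, since the sidecar's file ownership and SCC expectations depend on it.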
@@ -2,76 +2,64 @@ ## Prerequisites -1. Install OpenShift Service Mesh Operator 3.1. -2. Install Gateway API CRDs. +1. Install OpenShift Service Mesh Operator 3.1+. +1. Install Gateway API CRDs (not required on OCP 4.19+). -## Customize proxy image - -1. Get pull secret from OCP: - - ```shell - oc get secret pull-secret -n openshift-config -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d > /tmp/config.json - ``` - -1. Pull istio-proxy 1.26.2: - - ```shell - docker --config /tmp pull registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe - ``` - -1. Build a custom proxy with OQS provider: - - ```shell - docker build -t localhost:5000/istio-system/istio-proxy-oqs:1.26.2 . - ``` + ```shell + oc apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml + ``` -1. Expose cluster registry to your local environment: +## Customize istio-proxy image - ```shell - oc port-forward -n openshift-image-registry svc/image-registry 5000:5000 & - ``` +OpenShift Service Mesh 3.1 does not deliver istio-proxy image with built-in support for PQC. +Enabling post-quantum safe algorithms requires configuring [OQS provider](https://github.com/open-quantum-safe/oqs-provider) in the proxy container. -1. Obtain a token from https://oauth-openshift./oauth/token/request and login to the cluster registry: +1. Get pull secret from OCP and build the proxy image with OQS provider: ```shell - docker login -u kubeadmin localhost:5000 + oc get secret pull-secret -n openshift-config -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d > /tmp/config.json + podman --config /tmp build -t localhost:5000/istio-system/istio-proxyv2-rhel9-oqs:1.26.2 . ``` -1. Alternatively, you can upload the image with the following command: +1. 
Configure permissions for pushing images to OCP image registry: - ```shell - docker login -u $(oc whoami) -p $(oc whoami -t) localhost:5000 - ``` + ```shell + oc new-project istio-system + oc policy add-role-to-user system:image-pusher -z default -n istio-system + TOKEN=$(oc create token default -n istio-system) + ``` -1. Push the OQS-based proxy: +1. Create an image stream for custom istio-proxy and expose the registry: - ```shell - oc new-project istio-system - docker push localhost:5000/istio-system/istio-proxy-oqs:1.26.2 - ``` + ```shell + oc patch configs.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"defaultRoute":true}}' + oc create imagestream istio-proxyv2-rhel9-oqs -n istio-system + ``` -1. Stop port-forwarding the registry API: +1. Push the local image: - ```shell - kill %1 - ``` + ```shell + HOST=$(oc get route default-route -n openshift-image-registry -o jsonpath='{.spec.host}') + podman login --tls-verify=false -u default -p $TOKEN $HOST + podman push --tls-verify=false istio-proxyv2-rhel9-oqs:1.26.2 $HOST/istio-system/istio-proxyv2-rhel9-oqs:1.26.2 + ``` ## Install Service Mesh 1. Install CNI: - ```shell - oc new-project istio-cni - oc apply -f - < Date: Wed, 15 Oct 2025 15:51:53 +0200 Subject: [PATCH 6/7] Change title Signed-off-by: Jacek Ewertowski --- samples/security/pqc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/security/pqc/README.md b/samples/security/pqc/README.md index 3c6dac048e..bb44b9709d 100644 --- a/samples/security/pqc/README.md +++ b/samples/security/pqc/README.md @@ -1,4 +1,4 @@ -# OSSM 3 - PQC demo +# Quantum-Safe Gateway ## Prerequisites From 358b7272931b6488751029141b95c3439872dc49 Mon Sep 17 00:00:00 2001 From: Jacek Ewertowski Date: Wed, 15 Oct 2025 15:58:50 +0200 Subject: [PATCH 7/7] Improve verification steps Signed-off-by: Jacek Ewertowski --- samples/security/pqc/README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
diff --git a/samples/security/pqc/README.md b/samples/security/pqc/README.md index bb44b9709d..df23e70a18 100644 --- a/samples/security/pqc/README.md +++ b/samples/security/pqc/README.md @@ -159,11 +159,17 @@ Enabling post-quantum safe algorithms requires configuring [OQS provider](https: ## Verification steps -1. Connect to the gateway with PQC-enabled client using `X25519MLKEM768` for key exchange - it should succeed: +1. Get the gateway address depending on your LB provider: ```shell INGRESS_ADDR=$(kubectl get svc pqc-gateway-istio -n istio-system -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') ``` + ```shell + INGRESS_ADDR=$(kubectl get svc pqc-gateway-istio -n istio-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + ``` + +1. Connect to the gateway with PQC-enabled client using `X25519MLKEM768` for key exchange - it should succeed: + ```shell podman run --rm -it \ -v ./certs/example.com.crt:/etc/certs/example.com.crt \