[release-4.20] OCPBUGS-72395: Unrevert TLS tests with fixes #30668
+227
−34
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…)" This reverts commit 10dab7a.
This commit refactors TestTLSDefaults to use the same port-forwarding approach as TestTLSMinimumVersions, which fixes DNS resolution failures when running in CI as a pod. Problem: When the test runs as a pod in the cluster, it attempted to connect directly to the external API server hostname from the kubeconfig (e.g., api.cluster5.ocpci.eng.rdu2.redhat.com). However, the pod's internal DNS cannot resolve this external hostname, resulting in: dial tcp: lookup api.cluster5.ocpci.eng.rdu2.redhat.com on 172.30.0.10:53: no such host Solution: Use forwardPortAndExecute() to create a port-forward tunnel to the apiserver service in openshift-kube-apiserver namespace, then test against localhost:<forwarded-port>. This approach: - Works both in-cluster (CI) and externally (with kubeconfig) - Eliminates DNS resolution issues entirely - Is consistent with TestTLSMinimumVersions pattern - Includes built-in retry logic (3 attempts) - Simplifies the code by removing URL parsing and env var detection Changes: - Removed net/url and os imports (no longer needed) - Wrapped TLS version and cipher tests in forwardPortAndExecute callback - Changed error reporting from t.Errorf() to returning errors for retry support - Tests now connect to localhost via port-forward tunnel
Remove the IPv4-only restriction from TLS tests to support IPv6 clusters. The tests use port-forwarding to localhost, which works for both IPv4 and IPv6 environments since localhost resolves appropriately in both cases. Changes: - Removed IPv4-only check in BeforeEach that skipped tests on IPv6 clusters - Removed unused networking import This allows the TLS configuration tests to run on: - IPv4-only clusters - IPv6-only clusters - Dual-stack (IPv4+IPv6) clusters
Update the comment explaining why cipher suite tests are constrained to TLS 1.2 to be more technically accurate. The previous comment suggested this was about "Go 1.23+ behavior", but the real issue is fundamental to how TLS 1.3 works: - The intermediate profile allows both TLS 1.2 and TLS 1.3 - Clients negotiate TLS 1.3 when MaxVersion is unspecified and server supports it - TLS 1.3 spec predefines cipher suites and doesn't support configuration - Therefore, specifying any cipher suite has no effect with TLS 1.3 - Forcing TLS 1.2 allows actual testing of cipher suite restrictions This makes the reasoning clearer for future maintainers.
The file test/extended/util/compat_otp/testdata/opm/render/validate/catalog-error/operator-2/index.json is an intentionally malformed JSON file used to test error handling in the catalog validation code. It contains multiple JSON objects without being wrapped in an array, which is the expected error case. Add this file to the excluded_files list in verify-jsonformat.sh to prevent it from failing JSON validation checks during CI.
Run hack/update-generated.sh to regenerate test annotations after adding the new TestTLSMinimumVersions test. This adds the test to the annotations map so it can be properly tagged with [Suite:openshift/conformance/parallel].
openshift-ci-robot
added
jira/severity-important
|
@wangke19: This pull request references Jira Issue OCPBUGS-72395, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Contributor
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: wangke19 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Contributor
|
@wangke19: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Contributor
Author
|
/payload 4.21 nightly blocking |
Contributor
|
@wangke19: trigger 13 job(s) of type blocking for the nightly release of OCP 4.21
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4b3df6c0-ed3f-11f0-813a-7af3f9200b0a-0 |
This was referenced Jan 9, 2026
Contributor
Author
|
/test periodic-ci-openshift-release-master-ci-4.21-e2e-aws-upgrade-ovn-single-node |
Contributor
|
@wangke19: The specified target(s) for The following commands are available to trigger optional jobs: Use DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Contributor
Author
|
/test periodic-ci-openshift-release-master-nightly-4.21-e2e-aws-ovn-upgrade-fips |
Contributor
|
@wangke19: The specified target(s) for The following commands are available to trigger optional jobs: Use DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Cherry-pick of commits from #30660 to release-4.20 with manual fixes for CI failures.
This PR re-applies the TLS 1.3 / Modern profile tests that were previously reverted, along with fixes to make them work properly in CI.
Commits
Fixes Applied
test/extended/util/compat_otp/testdata/opm/render/validate/catalog-error/operator-2/index.jsonto the excluded files list inhack/verify-jsonformat.sh. This file is intentionally malformed (multiple JSON objects without array wrapper) to test error handling in catalog validation.hack/update-generated.shto regeneratetest/extended/util/annotate/generated/zz_generated.annotations.gowith the newTestTLSMinimumVersionstest annotation.References
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com