Skip to content

Commit 064ef8a

Browse files
machine424machine424
committed
MON-3960: test: enable back TestTLSSecurityProfileConfiguration and make it only check the default TLSProfiles as changing the profiles is disruptive (nodes rollout), other profiles/cases are now checked in new unit tests
1 parent d9384f5 commit 064ef8a

File tree

2 files changed

+112
-103
lines changed

2 files changed

+112
-103
lines changed

pkg/manifests/manifests_test.go

Lines changed: 79 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4953,3 +4953,82 @@ xx_omitted_before_deploy__test_file_name:foo.yaml`,
49534953
})
49544954
}
49554955
}
4956+
4957+
func TestSetTLSSecurityConfiguration(t *testing.T) {
4958+
tests := []struct {
4959+
name string
4960+
apiServerConfig *APIServerConfig
4961+
initialArgs []string
4962+
tlsCipherSuitesArg string
4963+
tlsMinVersionArg string
4964+
finalArgs []string
4965+
}{
4966+
{
4967+
name: "Empty APIServerConfig",
4968+
apiServerConfig: &APIServerConfig{},
4969+
initialArgs: []string{"--foo=bar"},
4970+
tlsCipherSuitesArg: "--tls-cipher-suites=",
4971+
tlsMinVersionArg: "--tls-min-version=",
4972+
finalArgs: []string{
4973+
"--foo=bar",
4974+
"--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
4975+
"--tls-min-version=VersionTLS12",
4976+
},
4977+
},
4978+
{
4979+
name: "Empty APIServerConfig args to override",
4980+
apiServerConfig: &APIServerConfig{},
4981+
initialArgs: []string{"--foo=bar", "--tls-cipher-suites=toOverride", "--tls-min-version=toOverride"},
4982+
tlsCipherSuitesArg: "--tls-cipher-suites=",
4983+
tlsMinVersionArg: "--tls-min-version=",
4984+
finalArgs: []string{
4985+
"--foo=bar",
4986+
"--tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
4987+
"--tls-min-version=VersionTLS12",
4988+
},
4989+
},
4990+
{
4991+
name: "Custom TLSSecurityProfile",
4992+
apiServerConfig: NewAPIServerConfig(&configv1.APIServer{
4993+
Spec: configv1.APIServerSpec{
4994+
TLSSecurityProfile: &configv1.TLSSecurityProfile{
4995+
Type: configv1.TLSProfileCustomType,
4996+
Custom: &configv1.CustomTLSProfile{
4997+
TLSProfileSpec: configv1.TLSProfileSpec{
4998+
Ciphers: []string{
4999+
"ECDHE-RSA-AES128-GCM-SHA256",
5000+
"ECDHE-ECDSA-AES256-GCM-SHA384",
5001+
},
5002+
MinTLSVersion: "VersionTLS10",
5003+
},
5004+
},
5005+
},
5006+
},
5007+
}),
5008+
initialArgs: []string{"--foo=bar", "--tls-cipher-suites=toOverride", "--tls-min-version=toOverride"},
5009+
tlsCipherSuitesArg: "--tls-cipher-suites=",
5010+
tlsMinVersionArg: "--tls-min-version=",
5011+
finalArgs: []string{
5012+
"--foo=bar",
5013+
"--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
5014+
"--tls-min-version=VersionTLS10",
5015+
},
5016+
},
5017+
}
5018+
5019+
for _, tt := range tests {
5020+
t.Run(tt.name, func(t *testing.T) {
5021+
f := NewFactory(
5022+
"openshift-monitoring",
5023+
"openshift-user-workload-monitoring",
5024+
NewDefaultConfig(),
5025+
defaultInfrastructureReader(),
5026+
&fakeProxyReader{},
5027+
NewAssets(assetsPath),
5028+
tt.apiServerConfig,
5029+
&configv1.Console{},
5030+
)
5031+
require.Equal(t, tt.finalArgs, f.setTLSSecurityConfiguration(tt.initialArgs, tt.tlsCipherSuitesArg, tt.tlsMinVersionArg))
5032+
})
5033+
}
5034+
}

test/e2e/tls_security_profile_test.go

Lines changed: 33 additions & 103 deletions
Original file line numberDiff line numberDiff line change
@@ -37,97 +37,39 @@ func atLeastVersionTLS12(v string) string {
3737
return v
3838
}
3939

40-
func TestTLSSecurityProfileConfiguration(t *testing.T) {
41-
t.Skip("Changing apiserverConfig.Spec.TLSSecurityProfile now makes MCO rollout nodes which is disruptive for other tests. See https://issues.redhat.com/browse/MON-3959")
42-
testCases := []struct {
43-
name string
44-
profile *configv1.TLSSecurityProfile
45-
expectedCipherSuite []string
46-
expectedMinTLSVersion string
47-
}{
48-
{
49-
name: "no profile",
50-
profile: nil,
51-
expectedCipherSuite: manifests.APIServerDefaultTLSCiphers,
52-
expectedMinTLSVersion: "VersionTLS12",
53-
},
54-
{
55-
name: "old profile",
56-
profile: &configv1.TLSSecurityProfile{
57-
Type: configv1.TLSProfileOldType,
58-
Old: &configv1.OldTLSProfile{},
59-
},
60-
expectedCipherSuite: configv1.TLSProfiles[configv1.TLSProfileOldType].Ciphers,
61-
expectedMinTLSVersion: "VersionTLS10",
62-
},
63-
{
64-
name: "intermediate profile",
65-
profile: &configv1.TLSSecurityProfile{
66-
Type: configv1.TLSProfileIntermediateType,
67-
Intermediate: &configv1.IntermediateTLSProfile{},
68-
},
69-
expectedCipherSuite: configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers,
70-
expectedMinTLSVersion: "VersionTLS12",
71-
},
72-
{
73-
name: "custom profile",
74-
profile: &configv1.TLSSecurityProfile{
75-
Type: configv1.TLSProfileCustomType,
76-
Custom: &configv1.CustomTLSProfile{
77-
TLSProfileSpec: configv1.TLSProfileSpec{
78-
Ciphers: []string{
79-
"ECDHE-RSA-AES128-GCM-SHA256",
80-
"ECDHE-ECDSA-AES256-GCM-SHA384",
81-
},
82-
MinTLSVersion: "VersionTLS10",
83-
},
84-
},
85-
},
86-
expectedCipherSuite: []string{
87-
"ECDHE-RSA-AES128-GCM-SHA256",
88-
"ECDHE-ECDSA-AES256-GCM-SHA384",
89-
},
90-
expectedMinTLSVersion: "VersionTLS10",
91-
},
92-
}
93-
94-
for _, tt := range testCases {
95-
t.Run(tt.name, func(t *testing.T) {
96-
setTLSSecurityProfile(t, tt.profile)
97-
// The admission webhook supports only TLS versions >= 1.2.
98-
assertCorrectTLSConfiguration(t, "prometheus-operator-admission-webhook", "deployment",
99-
manifests.PrometheusOperatorWebTLSCipherSuitesFlag,
100-
manifests.PrometheusOperatorWebTLSMinTLSVersionFlag, tt.expectedCipherSuite,
101-
atLeastVersionTLS12(tt.expectedMinTLSVersion))
102-
assertCorrectTLSConfiguration(t, "prometheus-operator", "deployment",
103-
manifests.KubeRbacProxyTLSCipherSuitesFlag,
104-
manifests.KubeRbacProxyMinTLSVersionFlag, tt.expectedCipherSuite, tt.expectedMinTLSVersion)
105-
assertCorrectTLSConfiguration(t, "kube-state-metrics", "deployment",
106-
manifests.KubeRbacProxyTLSCipherSuitesFlag,
107-
manifests.KubeRbacProxyMinTLSVersionFlag, tt.expectedCipherSuite, tt.expectedMinTLSVersion)
108-
assertCorrectTLSConfiguration(t, "openshift-state-metrics", "deployment",
109-
manifests.KubeRbacProxyTLSCipherSuitesFlag,
110-
manifests.KubeRbacProxyMinTLSVersionFlag, tt.expectedCipherSuite, tt.expectedMinTLSVersion)
111-
assertCorrectTLSConfiguration(t, "node-exporter", "daemonset",
112-
manifests.KubeRbacProxyTLSCipherSuitesFlag,
113-
manifests.KubeRbacProxyMinTLSVersionFlag, tt.expectedCipherSuite, tt.expectedMinTLSVersion)
114-
assertCorrectTLSConfiguration(t, "telemeter-client", "deployment",
115-
manifests.KubeRbacProxyTLSCipherSuitesFlag,
116-
manifests.KubeRbacProxyMinTLSVersionFlag, tt.expectedCipherSuite, tt.expectedMinTLSVersion)
117-
assertCorrectTLSConfiguration(t, "thanos-querier", "deployment",
118-
manifests.KubeRbacProxyTLSCipherSuitesFlag,
119-
manifests.KubeRbacProxyMinTLSVersionFlag, tt.expectedCipherSuite, tt.expectedMinTLSVersion)
120-
assertCorrectTLSConfiguration(t, "alertmanager-main", "statefulset",
121-
manifests.KubeRbacProxyTLSCipherSuitesFlag,
122-
manifests.KubeRbacProxyMinTLSVersionFlag, tt.expectedCipherSuite, tt.expectedMinTLSVersion)
123-
assertCorrectTLSConfiguration(t, "prometheus-k8s", "statefulset",
124-
manifests.KubeRbacProxyTLSCipherSuitesFlag,
125-
manifests.KubeRbacProxyMinTLSVersionFlag, tt.expectedCipherSuite, tt.expectedMinTLSVersion)
126-
assertCorrectTLSConfiguration(t, "metrics-server", "deployment",
127-
manifests.MetricsServerTLSCipherSuitesFlag,
128-
manifests.MetricsServerTLSMinTLSVersionFlag, tt.expectedCipherSuite, tt.expectedMinTLSVersion)
129-
})
130-
}
40+
func TestDefaultTLSSecurityProfileConfiguration(t *testing.T) {
41+
// The admission webhook supports only TLS versions >= 1.2.
42+
assertCorrectTLSConfiguration(t, "prometheus-operator-admission-webhook", "deployment",
43+
manifests.PrometheusOperatorWebTLSCipherSuitesFlag,
44+
manifests.PrometheusOperatorWebTLSMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers,
45+
atLeastVersionTLS12("VersionTLS12"))
46+
assertCorrectTLSConfiguration(t, "prometheus-operator", "deployment",
47+
manifests.KubeRbacProxyTLSCipherSuitesFlag,
48+
manifests.KubeRbacProxyMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
49+
assertCorrectTLSConfiguration(t, "kube-state-metrics", "deployment",
50+
manifests.KubeRbacProxyTLSCipherSuitesFlag,
51+
manifests.KubeRbacProxyMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
52+
assertCorrectTLSConfiguration(t, "openshift-state-metrics", "deployment",
53+
manifests.KubeRbacProxyTLSCipherSuitesFlag,
54+
manifests.KubeRbacProxyMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
55+
assertCorrectTLSConfiguration(t, "node-exporter", "daemonset",
56+
manifests.KubeRbacProxyTLSCipherSuitesFlag,
57+
manifests.KubeRbacProxyMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
58+
assertCorrectTLSConfiguration(t, "telemeter-client", "deployment",
59+
manifests.KubeRbacProxyTLSCipherSuitesFlag,
60+
manifests.KubeRbacProxyMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
61+
assertCorrectTLSConfiguration(t, "thanos-querier", "deployment",
62+
manifests.KubeRbacProxyTLSCipherSuitesFlag,
63+
manifests.KubeRbacProxyMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
64+
assertCorrectTLSConfiguration(t, "alertmanager-main", "statefulset",
65+
manifests.KubeRbacProxyTLSCipherSuitesFlag,
66+
manifests.KubeRbacProxyMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
67+
assertCorrectTLSConfiguration(t, "prometheus-k8s", "statefulset",
68+
manifests.KubeRbacProxyTLSCipherSuitesFlag,
69+
manifests.KubeRbacProxyMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
70+
assertCorrectTLSConfiguration(t, "metrics-server", "deployment",
71+
manifests.MetricsServerTLSCipherSuitesFlag,
72+
manifests.MetricsServerTLSMinTLSVersionFlag, configv1.TLSProfiles[configv1.TLSProfileIntermediateType].Ciphers, "VersionTLS12")
13173
}
13274

13375
func assertCorrectTLSConfiguration(t *testing.T, componentName, objectType, tlsCipherSuiteFlag, tlsMinTLSVersionFlag string, expectedCipherSuite []string, expectedTLSVersion string) {
@@ -199,15 +141,3 @@ func correctMinTLSVersion(minTLSVersionArg, tlsVersion string, containers []v1.C
199141
}
200142
return false
201143
}
202-
203-
func setTLSSecurityProfile(t *testing.T, tlsSecurityProfile *configv1.TLSSecurityProfile) {
204-
ctx := context.Background()
205-
apiserverConfig, err := f.OpenShiftConfigClient.ConfigV1().APIServers().Get(ctx, "cluster", metav1.GetOptions{})
206-
if err != nil {
207-
t.Fatal(err)
208-
}
209-
apiserverConfig.Spec.TLSSecurityProfile = tlsSecurityProfile
210-
if _, err := f.OpenShiftConfigClient.ConfigV1().APIServers().Update(ctx, apiserverConfig, metav1.UpdateOptions{}); err != nil {
211-
t.Fatal(err)
212-
}
213-
}

0 commit comments

Comments
 (0)