Skip to content

[release-4.20] OCPBUGS-72395:Unrevert tls tests with fixes #30665

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
openshift-cherrypick-robot wants to merge 4 commits into from
Closed

[release-4.20] OCPBUGS-72395:Unrevert tls tests with fixes #30665

openshift-cherrypick-robot wants to merge 4 commits into from

Conversation

@openshift-cherrypick-robot
Copy link

@openshift-cherrypick-robot openshift-cherrypick-robot commented Jan 8, 2026

This is an automated cherry-pick of #30660

/assign wangke19

wangke19 and others added 4 commits January 8, 2026 15:01
@wangke19
Reapply "OCPBUGS-64799: TLS 1.3 / Modern profile tests (openshift#29611
d8068a3 
…)"

This reverts commit 10dab7a.
@wangke19 @claude
Fix TestTLSDefaults to use port-forwarding like TestTLSMinimumVersions
8fc80c0 
This commit refactors TestTLSDefaults to use the same port-forwarding
approach as TestTLSMinimumVersions, which fixes DNS resolution failures
when running in CI as a pod.

Problem:
When the test runs as a pod in the cluster, it attempted to connect
directly to the external API server hostname from the kubeconfig
(e.g., api.cluster5.ocpci.eng.rdu2.redhat.com). However, the pod's
internal DNS cannot resolve this external hostname, resulting in:
  dial tcp: lookup api.cluster5.ocpci.eng.rdu2.redhat.com on 172.30.0.10:53: no such host

Solution:
Use forwardPortAndExecute() to create a port-forward tunnel to the
apiserver service in openshift-kube-apiserver namespace, then test
against localhost:<forwarded-port>. This approach:
- Works both in-cluster (CI) and externally (with kubeconfig)
- Eliminates DNS resolution issues entirely
- Is consistent with TestTLSMinimumVersions pattern
- Includes built-in retry logic (3 attempts)
- Simplifies the code by removing URL parsing and env var detection

Changes:
- Removed net/url and os imports (no longer needed)
- Wrapped TLS version and cipher tests in forwardPortAndExecute callback
- Changed error reporting from t.Errorf() to returning errors for retry support
- Tests now connect to localhost via port-forward tunnel

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@wangke19 @claude
Enable TLS tests on IPv6 clusters
70598ec 
Remove the IPv4-only restriction from TLS tests to support IPv6 clusters.
The tests use port-forwarding to localhost, which works for both IPv4
and IPv6 environments since localhost resolves appropriately in both cases.

Changes:
- Removed IPv4-only check in BeforeEach that skipped tests on IPv6 clusters
- Removed unused networking import

This allows the TLS configuration tests to run on:
- IPv4-only clusters
- IPv6-only clusters
- Dual-stack (IPv4+IPv6) clusters

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@wangke19
Improve TLS 1.2 constraint comment for cipher suite testing
e397e74 
Update the comment explaining why cipher suite tests are constrained to
TLS 1.2 to be more technically accurate. The previous comment suggested
this was about "Go 1.23+ behavior", but the real issue is fundamental to
how TLS 1.3 works:

- The intermediate profile allows both TLS 1.2 and TLS 1.3
- Clients negotiate TLS 1.3 when MaxVersion is unspecified and server supports it
- TLS 1.3 spec predefines cipher suites and doesn't support configuration
- Therefore, specifying any cipher suite has no effect with TLS 1.3
- Forcing TLS 1.2 allows actual testing of cipher suite restrictions

This makes the reasoning clearer for future maintainers.
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Jan 8, 2026
Merged
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 8, 2026

@openshift-cherrypick-robot: Jira Issue OCPBUGS-71229 has been cloned as Jira Issue OCPBUGS-72395. Will retitle bug to link to clone.
/retitle [release-4.20] OCPBUGS-72395:Unrevert tls tests with fixes

Details

In response to this:

This is an automated cherry-pick of #30660

/assign wangke19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title [release-4.20] OCPBUGS-71229:Unrevert tls tests with fixes [release-4.20] OCPBUGS-72395:Unrevert tls tests with fixes Jan 8, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 8, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 8, 2026

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-72395, which is invalid:

  • expected dependent Jira Issue OCPBUGS-71229 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This is an automated cherry-pick of #30660

/assign wangke19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from p0lyn0mial and sjenning January 8, 2026 15:03
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 8, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-cherrypick-robot
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wangke19
Copy link
Contributor

wangke19 commented Jan 8, 2026

/payload 4.20 nightly blocking

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 8, 2026

@wangke19: trigger 13 job(s) of type blocking for the nightly release of OCP 4.20

  • periodic-ci-openshift-release-master-nightly-4.20-e2e-aws-ovn-serial-1of2
  • periodic-ci-openshift-release-master-nightly-4.20-e2e-aws-ovn-serial-2of2
  • periodic-ci-openshift-release-master-ci-4.20-e2e-aws-upgrade-ovn-single-node
  • periodic-ci-openshift-release-master-ci-4.20-e2e-aws-ovn-techpreview
  • periodic-ci-openshift-release-master-ci-4.20-e2e-aws-ovn-techpreview-serial-1of3
  • periodic-ci-openshift-release-master-ci-4.20-e2e-aws-ovn-techpreview-serial-2of3
  • periodic-ci-openshift-release-master-ci-4.20-e2e-aws-ovn-techpreview-serial-3of3
  • periodic-ci-openshift-release-master-nightly-4.20-e2e-aws-ovn-upgrade-fips
  • periodic-ci-openshift-release-master-ci-4.20-e2e-azure-ovn-upgrade
  • periodic-ci-openshift-release-master-ci-4.20-upgrade-from-stable-4.19-e2e-gcp-ovn-rt-upgrade
  • periodic-ci-openshift-hypershift-release-4.20-periodics-e2e-aws-ovn-conformance
  • periodic-ci-openshift-release-master-nightly-4.20-e2e-metal-ipi-ovn-bm
  • periodic-ci-openshift-release-master-nightly-4.20-e2e-metal-ipi-ovn-ipv6

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/37707c00-ecc0-11f0-961d-a7aa3e55bccc-0

@wangke19 wangke19 mentioned this pull request Jan 9, 2026
Open
@wangke19
Copy link
Contributor

wangke19 commented Jan 9, 2026

Closing this PR in favor of #30668 which includes the following fixes:

  • Excluded intentionally invalid test JSON file from validation (catalog-error test case)
  • Regenerated test annotations to include TestTLSMinimumVersions

Both CI failures have been resolved:
✅ JSON validation now passes (invalid test file excluded)
✅ Generated file verification now passes (annotations regenerated)

/close

@openshift-ci openshift-ci bot closed this Jan 9, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 9, 2026

@wangke19: Closed this PR.

Details

In response to this:

Closing this PR in favor of #30668 which includes the following fixes:

  • Excluded intentionally invalid test JSON file from validation (catalog-error test case)
  • Regenerated test annotations to include TestTLSMinimumVersions

Both CI failures have been resolved:
✅ JSON validation now passes (invalid test file excluded)
✅ Generated file verification now passes (annotations regenerated)

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 9, 2026

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-72395. The bug has been updated to no longer refer to the pull request using the external bug tracker.

Details

In response to this:

This is an automated cherry-pick of #30660

/assign wangke19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@p0lyn0mial p0lyn0mial Awaiting requested review from p0lyn0mial

@sjenning sjenning Awaiting requested review from sjenning

Assignees

@wangke19 wangke19

Labels

jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@openshift-cherrypick-robot @openshift-ci-robot @wangke19