Skip to content

[release-4.19] OCPBUGS-65945: TLS 1.3 / Modern profile tests #30529

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wangke19 wants to merge 3 commits into
base: release-4.19
Choose a base branch
from
Open

[release-4.19] OCPBUGS-65945: TLS 1.3 / Modern profile tests #30529

wangke19 wants to merge 3 commits into from
+203 −26

Conversation

@wangke19
Copy link
Contributor

@wangke19 wangke19 commented Nov 25, 2025

Summary

Cherry-pick of #29611 to release-4.19 branch.

This PR adds comprehensive TLS version tests for core OpenShift services to ensure proper TLS 1.3 and Modern profile support.

Changes include:

  • Added TLS version tests for core services (kube-apiserver, openshift-apiserver, oauth-server, etcd, etc.)
  • Fixed close connection error checks based on review feedback
  • Added verification fixes for intentionally broken test data and regenerated annotations

Cherry-picked commits:

  • a13952b TLS version tests for core services
  • b24ff30 Accept suggestions from @wangke19, add some close connection error checks back in.
  • ffaa3b4 Fix verification issues for TLS minimum versions test

Original PR: #29611
Supersedes: #30524

🤖 Generated with Claude Code

jacobsee and others added 3 commits November 25, 2025 13:56
@jacobsee @wangke19
TLS version tests for core services
a13952b 
Adds tests to core services for ensuring that they are serving TLS versions in line with the currently selected TLS profile in the cluster config.
@jacobsee @wangke19
Accept suggestions from @wangke19, add some close connection error ch…
b24ff30 
…ecks back in.
@wangke19 @claude
Fix verification issues for TLS minimum versions test
ffaa3b4 
- Exclude intentionally broken catalog-error JSON from validation
  The file test/extended/util/compat_otp/testdata/opm/render/validate/catalog-error/operator-2/index.json
  contains invalid JSON by design for testing error cases
- Regenerate annotations for TestTLSMinimumVersions test
  This test was added in the cherry-pick but annotations weren't regenerated

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 25, 2025

Pipeline controller notification
This repository is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 25, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 25, 2025

@wangke19: This pull request references Jira Issue OCPBUGS-65944, which is invalid:

  • expected the bug to target either version "4.19." or "openshift-4.19.", but it targets "4.20.z" instead
  • expected dependent Jira Issue OCPBUGS-64799 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead
  • expected dependent Jira Issue OCPBUGS-64799 to target a version in 4.20.0, 4.20.z, but it targets "4.21.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Summary

Cherry-pick of #29611 to release-4.19 branch.

This PR adds comprehensive TLS version tests for core OpenShift services to ensure proper TLS 1.3 and Modern profile support.

Changes include:

  • Added TLS version tests for core services (kube-apiserver, openshift-apiserver, oauth-server, etcd, etc.)
  • Fixed close connection error checks based on review feedback
  • Added verification fixes for intentionally broken test data and regenerated annotations

Cherry-picked commits:

  • a13952b TLS version tests for core services
  • b24ff30 Accept suggestions from @wangke19, add some close connection error checks back in.
  • ffaa3b4 Fix verification issues for TLS minimum versions test

Original PR: #29611
Supersedes: #30524

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from celebdor and knobunc November 25, 2025 06:24
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 25, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wangke19
Once this PR has been reviewed and has the lgtm label, please assign stbenjam for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@wangke19 wangke19 mentioned this pull request Nov 25, 2025
Closed
@wangke19
Copy link
Contributor Author

wangke19 commented Nov 25, 2025

/retitle [release-4.19] OCPBUGS-65945: TLS 1.3 / Modern profile tests

@openshift-ci openshift-ci bot changed the title [release-4.19] OCPBUGS-65944: TLS 1.3 / Modern profile tests [release-4.19] OCPBUGS-65945: TLS 1.3 / Modern profile tests Nov 25, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 25, 2025

@wangke19: This pull request references Jira Issue OCPBUGS-65945, which is invalid:

  • expected dependent Jira Issue OCPBUGS-64799 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead
  • expected dependent Jira Issue OCPBUGS-64799 to target a version in 4.20.0, 4.20.z, but it targets "4.21.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Summary

Cherry-pick of #29611 to release-4.19 branch.

This PR adds comprehensive TLS version tests for core OpenShift services to ensure proper TLS 1.3 and Modern profile support.

Changes include:

  • Added TLS version tests for core services (kube-apiserver, openshift-apiserver, oauth-server, etcd, etc.)
  • Fixed close connection error checks based on review feedback
  • Added verification fixes for intentionally broken test data and regenerated annotations

Cherry-picked commits:

  • a13952b TLS version tests for core services
  • b24ff30 Accept suggestions from @wangke19, add some close connection error checks back in.
  • ffaa3b4 Fix verification issues for TLS minimum versions test

Original PR: #29611
Supersedes: #30524

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 25, 2025

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@neisw
Copy link
Contributor

neisw commented Nov 25, 2025

/hold

Investigating 4.21-e2e-metal-ipi-ovn-bm failures

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 25, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Nov 25, 2025

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 25, 2025

@wangke19: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@ingvagabund
Copy link
Member

ingvagabund commented Dec 5, 2025

/jira refresh

@openshift-ci-robot
Copy link

openshift-ci-robot commented Dec 5, 2025

@ingvagabund: This pull request references Jira Issue OCPBUGS-65945, which is invalid:

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@celebdor celebdor Awaiting requested review from celebdor

@knobunc knobunc Awaiting requested review from knobunc

Assignees

No one assigned

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@wangke19 @openshift-ci-robot @neisw @ingvagabund @jacobsee