@wangke19
Contributor

Summary

Cherry-pick of #29611 to release-4.18 branch.

This PR adds comprehensive TLS version tests for core OpenShift services to ensure proper TLS 1.3 and Modern profile support.

Changes include:

  • Added TLS version tests for core services (kube-apiserver, openshift-apiserver, oauth-server, etcd, etc.)
  • Fixed close connection error checks based on review feedback
  • Added verification fixes for intentionally broken test data and regenerated annotations

Cherry-picked commits:

  • b875057 TLS version tests for core services
  • c4be66e Accept suggestions from @wangke19, add some close connection error checks back in.
  • 0b49c92 Fix verification issues for TLS minimum versions test

Original PR: #29611
Supersedes: #30522

🤖 Generated with Claude Code

jacobsee and others added 3 commits November 25, 2025 14:28
Adds tests to core services for ensuring that they are serving TLS versions in line with the currently selected TLS profile in the cluster config.
- Exclude intentionally broken catalog-error JSON from validation
  The file test/extended/util/compat_otp/testdata/opm/render/validate/catalog-error/operator-2/index.json
  contains invalid JSON by design for testing error cases
- Regenerate annotations for TestTLSMinimumVersions test
  This test was added in the cherry-pick but annotations weren't regenerated

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
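
An added example, not code from this PR: one way to check that an endpoint's accepted TLS versions match a profile's minimum, here the TLS 1.3 floor of the Modern profile named in the summary. The function names `mismatches` and `localServer` are hypothetical, and an in-process `httptest` server stands in for a cluster service.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// mismatches pins the client to one protocol version per attempt and lists every
// version whose acceptance disagrees with the expected floor (too lax or too strict).
// A TCP failure is returned as an error: unreachable is not the same as "rejected".
func mismatches(addr string, roots *x509.CertPool, floor uint16) ([]string, error) {
	host, _, _ := net.SplitHostPort(addr)
	var bad []string
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		raw, err := net.DialTimeout("tcp", addr, 5*time.Second)
		if err != nil {
			return nil, fmt.Errorf("tcp dial %s: %w", addr, err)
		}
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		c := tls.Client(raw, &tls.Config{MinVersion: v, MaxVersion: v, RootCAs: roots, ServerName: host})
		ok := c.Handshake() == nil && c.ConnectionState().Version == v // any handshake error counts as rejected
		raw.Close()
		if ok != (v >= floor) {
			bad = append(bad, fmt.Sprintf("0x%04x accepted=%t", v, ok))
		}
	}
	return bad, nil
}

// localServer starts a constructed local TLS server with the given minimum version.
func localServer(minVersion uint16) (*httptest.Server, *x509.CertPool) {
	s := httptest.NewUnstartedServer(http.NotFoundHandler())
	s.TLS = &tls.Config{MinVersion: minVersion}
	s.StartTLS()
	roots := x509.NewCertPool()
	roots.AddCert(s.Certificate())
	return s, roots
}

func main() {
	s, roots := localServer(tls.VersionTLS13)
	defer s.Close()
	fmt.Println(mismatches(s.Listener.Addr().String(), roots, tls.VersionTLS13))
}
```
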
@openshift-ci-robot

Pipeline controller notification
This repository is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 25, 2025
@openshift-ci-robot

@wangke19: This pull request references Jira Issue OCPBUGS-65943, which is invalid:

  • expected dependent Jira Issue OCPBUGS-64799 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is MODIFIED instead
  • expected dependent Jira Issue OCPBUGS-64799 to target a version in 4.19.0, 4.19.z, but it targets "4.21.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@openshift-ci
Contributor

openshift-ci bot commented Nov 25, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wangke19
Once this PR has been reviewed and has the lgtm label, please assign sosiouxme for approval. For more information see the Code Review Process.


@openshift-ci-robot

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@neisw
Contributor

neisw commented Nov 25, 2025

/hold

Investigating 4.21-e2e-metal-ipi-ovn-bm failures

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 25, 2025
@openshift-ci-robot

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

@openshift-ci
Contributor

openshift-ci bot commented Nov 25, 2025

@wangke19: all tests passed!


@wangke19
Contributor Author

/close
4.18 will be backported from PR #30536

@wangke19 wangke19 closed this Jan 16, 2026
@openshift-ci-robot

@wangke19: This pull request references Jira Issue OCPBUGS-65943. The bug has been updated to no longer refer to the pull request using the external bug tracker. All external bug links have been closed. The bug has been moved to the NEW state.

