[release-4.21] OCPBUGS-71229:Unrevert tls tests with fixes #30660
Conversation
…)" This reverts commit 10dab7a.
This commit refactors TestTLSDefaults to use the same port-forwarding approach as TestTLSMinimumVersions, which fixes DNS resolution failures when running in CI as a pod. Problem: When the test runs as a pod in the cluster, it attempted to connect directly to the external API server hostname from the kubeconfig (e.g., api.cluster5.ocpci.eng.rdu2.redhat.com). However, the pod's internal DNS cannot resolve this external hostname, resulting in: dial tcp: lookup api.cluster5.ocpci.eng.rdu2.redhat.com on 172.30.0.10:53: no such host Solution: Use forwardPortAndExecute() to create a port-forward tunnel to the apiserver service in openshift-kube-apiserver namespace, then test against localhost:<forwarded-port>. This approach: - Works both in-cluster (CI) and externally (with kubeconfig) - Eliminates DNS resolution issues entirely - Is consistent with TestTLSMinimumVersions pattern - Includes built-in retry logic (3 attempts) - Simplifies the code by removing URL parsing and env var detection Changes: - Removed net/url and os imports (no longer needed) - Wrapped TLS version and cipher tests in forwardPortAndExecute callback - Changed error reporting from t.Errorf() to returning errors for retry support - Tests now connect to localhost via port-forward tunnel 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Remove the IPv4-only restriction from TLS tests to support IPv6 clusters. The tests use port-forwarding to localhost, which works for both IPv4 and IPv6 environments since localhost resolves appropriately in both cases. Changes: - Removed IPv4-only check in BeforeEach that skipped tests on IPv6 clusters - Removed unused networking import This allows the TLS configuration tests to run on: - IPv4-only clusters - IPv6-only clusters - Dual-stack (IPv4+IPv6) clusters 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Update the comment explaining why cipher suite tests are constrained to TLS 1.2 to be more technically accurate. The previous comment suggested this was about "Go 1.23+ behavior", but the real issue is fundamental to how TLS 1.3 works: - The intermediate profile allows both TLS 1.2 and TLS 1.3 - Clients negotiate TLS 1.3 when MaxVersion is unspecified and server supports it - TLS 1.3 spec predefines cipher suites and doesn't support configuration - Therefore, specifying any cipher suite has no effect with TLS 1.3 - Forcing TLS 1.2 allows actual testing of cipher suite restrictions This makes the reasoning clearer for future maintainers.
|
@openshift-cherrypick-robot: Jira Issue OCPBUGS-70249 has been cloned as Jira Issue OCPBUGS-71229. Will retitle bug to link to clone. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
changed the title
openshift-ci-robot
added
jira/severity-important
|
@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-71229, which is valid. The bug has been moved to the POST state. 7 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/payload 4.21 nightly blocking |
|
@wangke19: trigger 13 job(s) of type blocking for the nightly release of OCP 4.21
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/04da7ac0-ec3e-11f0-996c-b3afba9304f6-0 |
|
/test okd-scos-images |
|
All block CI jobs are green. It's ready for merge. |
|
/verified by CI tests |
|
/lgtm |
openshift-ci-robot
added
the
verified
|
@wangke19: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/lgtm |
|
/cherry-pick release-4.20 |
|
@wangke19: once the present PR merges, I will cherry-pick it on top of DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: openshift-cherrypick-robot, smg247, wangke19 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/test okd-scos-images |
|
/label backport-risk-assessed |
|
@wangke19: Can not set label backport-risk-assessed: Must be member in one of these teams: [openshift-patch-managers openshift-release-oversight openshift-staff-engineers openshift-sustaining-engineers] DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/label backport-risk-assessed |
openshift-ci
bot
added
the
backport-risk-assessed
openshift-ci
bot
assigned
adambkaplan,
dgoodwin,
gangwgr,
jadhaj,
kasturinarra,
lyman9966,
Moebasim,
pamoedom and
prabhapa
|
@stbenjam: Overrode contexts on behalf of stbenjam: ci/prow/okd-scos-images DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@openshift-cherrypick-robot: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
openshift-merge-bot
bot
merged commit 93729f9
into
openshift:release-4.21
|
@openshift-cherrypick-robot: Jira Issue Verification Checks: Jira Issue OCPBUGS-71229 Jira Issue OCPBUGS-71229 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@wangke19: new pull request created: #30665 DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Fix included in accepted release 4.21.0-0.nightly-2026-01-13-111112 |
15 participants
This is an automated cherry-pick of #30536
/assign wangke19