Skip to content

AUTOSCALE-839: Add E2E tests for centralized TLS profiles#487

Open
joelsmith wants to merge 1 commit into
openshift:masterfrom
joelsmith:master
Open

AUTOSCALE-839: Add E2E tests for centralized TLS profiles#487
joelsmith wants to merge 1 commit into
openshift:masterfrom
joelsmith:master

Conversation

@joelsmith

@joelsmith joelsmith commented Jul 9, 2026

Copy link
Copy Markdown

Add E2E tests to verify that the cluster-autoscaler-operator correctly applies centralized TLS profiles as directed by APIServer cluster config's TLSAdherence field.

Also bump openshift/api and openshift/client-go to versions that include the TLSAdherence field on APIServerSpec.

Summary by CodeRabbit

  • Bug Fixes

    • Updated several platform and API dependencies to newer versions for improved stability and compatibility.
    • Removed outdated indirect dependencies to keep the build footprint cleaner.
  • Tests

    • Added broader TLS validation coverage for webhook behavior under different security settings, helping catch handshake issues earlier.

@openshift-ci-robot

openshift-ci-robot commented Jul 9, 2026

Copy link
Copy Markdown

@joelsmith: This pull request references AUTOSCALE-839 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Add E2E tests to verify that the cluster-autoscaler-operator correctly
applies centralized TLS profiles as directed by APIServer config's
TLSAdherence field.

Also bump openshift/api and openshift/client-go to versions that
include the TLSAdherence field on APIServerSpec.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 9, 2026
@openshift-ci openshift-ci Bot requested review from miyadav and racheljpg July 9, 2026 20:27
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign miyadav for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Walkthrough

Adds a new Serial Ginkgo TLS adherence test suite for the cluster-autoscaler operator, including helpers to patch APIServer TLS security profiles/policies and a probe pod that validates webhook TLS handshakes via cipher-suite-constrained curl calls. Also updates several dependency versions in go.mod and testutils/go.mod, removing two indirect modules.

Changes

TLS Adherence Test Suite

Layer / File(s) Summary
TLS test helpers and probe infrastructure
pkg/operators/cluster-autoscaler-operator.go
Adds imports, helpers to get/patch/restore APIServer TLS security profile and adherence policy, and a tlsProbe type that creates a pod, resolves the webhook HTTPS address, and executes cipher-constrained curl handshakes with rejection assertions.
TLS adherence spec cases
pkg/operators/cluster-autoscaler-operator.go
Implements a Serial spec with BeforeEach/AfterEach setup/teardown and multiple It cases verifying webhook TLS cipher acceptance/rejection across StrictAllComponents and NoOpinion policy states, including transitions.

Dependency Version Updates

Layer / File(s) Summary
Root go.mod dependency bumps
go.mod
Bumps openshift/api, k8s.io/utils, go-restful, go-openapi/swag (and submodules), openshift/client-go, klog, kube-openapi, and structured-merge-diff; removes josharian/intern and mailru/easyjson.
testutils/go.mod dependency bumps
testutils/go.mod
Applies matching dependency version bumps and removes the same two indirect modules in testutils/go.mod.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Test as Ginkgo Test
  participant APIServer as config.openshift.io APIServer
  participant ProbePod as tlsProbe Pod
  participant Webhook as Webhook Service

  Test->>APIServer: patch TLSSecurityProfile / TLSAdherencePolicy
  Test->>ProbePod: create probe pod
  ProbePod->>Webhook: resolve HTTPS address
  Test->>ProbePod: oc exec curl with cipher suite
  ProbePod->>Webhook: TLS handshake attempt
  Webhook-->>ProbePod: handshake accepted/rejected
  ProbePod-->>Test: result
  Test->>APIServer: restore original TLS config
Loading

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 3 warnings)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error The TLS probe returns raw curl stderr in its error, which can surface the internal webhook hostname in test logs. Avoid returning raw stderr; redact hostnames/URLs or keep only a high-level handshake failure message.
Test Structure And Quality ⚠️ Warning BeforeEach/AfterEach are brittle: cleanup can dereference nil state after partial setup, and expectHandshakeRejected treats any error as success. Add nil guards in AfterEach, give the probe pod an explicit RunAsUser, and make handshake rejection distinguish TLS failures from connectivity errors.
Microshift Test Compatibility ⚠️ Warning New TLS adherence tests patch config.openshift.io APIServer and lack any MicroShift skip/apigroup guard. Add a MicroShift guard or [apigroup:config.openshift.io] tag, or avoid APIServer/TLSAdherence changes in MicroShift runs.
Ipv6 And Disconnected Network Test Compatibility ⚠️ Warning The new Ginkgo test pulls registry.access.redhat.com/ubi9-minimal:latest, an external public registry image, so it can break in disconnected CI. Use a mirrored/internal image or image stream for the probe pod; then verify in the serial IPv6 job if needed.
✅ Passed checks (11 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All new Ginkgo titles are static string literals; none interpolate runtime values or generated identifiers.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The new TLS adherence tests only patch APIServer config and run a single probe pod; they contain no multi-node, anti-affinity, drain, or topology assumptions.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only adds E2E TLS tests and dependency bumps; the new pod spec has no nodeSelector, affinity, spread constraints, or topology assumptions.
Ote Binary Stdout Contract ✅ Passed No added main/TestMain/init/BeforeSuite/AfterSuite/RunSpecs or stdout logging; the new file only contains spec-scoped Ginkgo hooks.
No-Weak-Crypto ✅ Passed The new TLS test only uses AES-GCM suites; no custom crypto or secret/token comparisons were added.
Container-Privileges ✅ Passed PASS: the new probe pod runs as non-root with allowPrivilegeEscalation=false, drops all caps, and no hostPID/hostNetwork/hostIPC or privileged flags were added.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding E2E tests for centralized TLS profiles.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (1)
pkg/operators/cluster-autoscaler-operator.go (1)

227-227: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Avoid :latest for the probe image.

Pulling ubi9-minimal:latest makes the test non-reproducible and prone to flakes/breakage on upstream image changes. Pin to a specific tag (or digest).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operators/cluster-autoscaler-operator.go` at line 227, The probe image is
using an unpinned `:latest` tag, which makes the test non-reproducible. Update
the image reference in the `cluster-autoscaler-operator` probe configuration to
use a specific immutable tag or digest instead of
`registry.access.redhat.com/ubi9-minimal:latest`, keeping the change local to
the image field used by that probe setup.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operators/cluster-autoscaler-operator.go`:
- Line 147: Fix the remaining golangci-lint issues in
cluster-autoscaler-operator.go by cleaning up formatting around the affected
symbols: remove the extra blank lines before the return statements in the
relevant functions (including the one returning apiServer) to satisfy nlreturn,
end the affected comments with periods to satisfy godot, and adjust
whitespace/cuddling around the flagged blocks to satisfy wsl_v5. Run the project
formatter/linter after updating the nearby functions and comment blocks so all
reported findings are cleared before merge.
- Around line 357-374: Guard the `AfterEach` cleanup in
`cluster-autoscaler-operator.go` against partial `BeforeEach` setup by checking
whether `g` and `probe` were successfully initialized before using them. In the
`AfterEach` block, skip `g.WithSpecReport(specReport).GatherAll()` when `g` is
nil, and only call `probe.teardown(ctx)` when `probe` is non-nil (and its
clientset is available via `tlsProbe.teardown`). Keep the existing
restore/reconcile cleanup, but make the teardown path resilient so failures in
`NewGatherer`, `LoadClient`, or `LoadClientset` do not panic in `AfterEach`.
- Around line 312-319: `expectHandshakeRejected` currently treats every
`probe.handshake(ctx, cipherSuite)` error as a successful rejection, which both
trips the `nilerr` lint and can hide unrelated failures. Update this helper to
distinguish a real TLS/cipher negotiation failure from connectivity or setup
errors by checking the handshake error details/exit code before returning
success, and only return nil for the expected reject case. If the non-nil error
is intentionally ignored in the reject path, add the appropriate `nilerr`
suppression/comment at the `probe.handshake` check so golangci-lint is
satisfied.
- Around line 216-238: The TLS probe pod is configured to run non-root but does
not set an explicit UID, so kubelet may reject it when using
ubi9-minimal:latest. Update the PodSpec in cluster-autoscaler-operator.go to set
a numeric RunAsUser alongside RunAsNonRoot in the pod-level SecurityContext,
keeping the existing probe container security settings unchanged. This change
should be made in the PodSpec for the "probe" container so the pod can start
reliably without depending on SCC-injected IDs.

---

Nitpick comments:
In `@pkg/operators/cluster-autoscaler-operator.go`:
- Line 227: The probe image is using an unpinned `:latest` tag, which makes the
test non-reproducible. Update the image reference in the
`cluster-autoscaler-operator` probe configuration to use a specific immutable
tag or digest instead of `registry.access.redhat.com/ubi9-minimal:latest`,
keeping the change local to the image field used by that probe setup.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

Comment thread pkg/operators/cluster-autoscaler-operator.go
Comment thread pkg/operators/cluster-autoscaler-operator.go
Comment thread pkg/operators/cluster-autoscaler-operator.go
Comment thread pkg/operators/cluster-autoscaler-operator.go
@joelsmith joelsmith force-pushed the master branch 4 times, most recently from 530e589 to b1c8a6f Compare July 9, 2026 20:53
Add E2E tests to verify that the cluster-autoscaler-operator correctly
applies centralized TLS profiles as directed by APIServer config's
TLSAdherence field.

Also bump openshift/api and openshift/client-go to versions that
include the TLSAdherence field on APIServerSpec.
@joelsmith

Copy link
Copy Markdown
Author

/test e2e-aws-periodic-pre

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

@joelsmith: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants