AUTOSCALE-839: Add E2E tests for centralized TLS profiles#487
Conversation
|
@joelsmith: This pull request references AUTOSCALE-839 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
WalkthroughAdds a new Serial Ginkgo TLS adherence test suite for the cluster-autoscaler operator, including helpers to patch APIServer TLS security profiles/policies and a probe pod that validates webhook TLS handshakes via cipher-suite-constrained curl calls. Also updates several dependency versions in go.mod and testutils/go.mod, removing two indirect modules. ChangesTLS Adherence Test Suite
Dependency Version Updates
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant Test as Ginkgo Test
participant APIServer as config.openshift.io APIServer
participant ProbePod as tlsProbe Pod
participant Webhook as Webhook Service
Test->>APIServer: patch TLSSecurityProfile / TLSAdherencePolicy
Test->>ProbePod: create probe pod
ProbePod->>Webhook: resolve HTTPS address
Test->>ProbePod: oc exec curl with cipher suite
ProbePod->>Webhook: TLS handshake attempt
Webhook-->>ProbePod: handshake accepted/rejected
ProbePod-->>Test: result
Test->>APIServer: restore original TLS config
Important Pre-merge checks failedPlease resolve all errors before merging. Addressing warnings is optional. ❌ Failed checks (1 error, 3 warnings)
✅ Passed checks (11 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (1)
pkg/operators/cluster-autoscaler-operator.go (1)
227-227: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAvoid
:latestfor the probe image.Pulling
ubi9-minimal:latestmakes the test non-reproducible and prone to flakes/breakage on upstream image changes. Pin to a specific tag (or digest).🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/operators/cluster-autoscaler-operator.go` at line 227, The probe image is using an unpinned `:latest` tag, which makes the test non-reproducible. Update the image reference in the `cluster-autoscaler-operator` probe configuration to use a specific immutable tag or digest instead of `registry.access.redhat.com/ubi9-minimal:latest`, keeping the change local to the image field used by that probe setup.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pkg/operators/cluster-autoscaler-operator.go`:
- Line 147: Fix the remaining golangci-lint issues in
cluster-autoscaler-operator.go by cleaning up formatting around the affected
symbols: remove the extra blank lines before the return statements in the
relevant functions (including the one returning apiServer) to satisfy nlreturn,
end the affected comments with periods to satisfy godot, and adjust
whitespace/cuddling around the flagged blocks to satisfy wsl_v5. Run the project
formatter/linter after updating the nearby functions and comment blocks so all
reported findings are cleared before merge.
- Around line 357-374: Guard the `AfterEach` cleanup in
`cluster-autoscaler-operator.go` against partial `BeforeEach` setup by checking
whether `g` and `probe` were successfully initialized before using them. In the
`AfterEach` block, skip `g.WithSpecReport(specReport).GatherAll()` when `g` is
nil, and only call `probe.teardown(ctx)` when `probe` is non-nil (and its
clientset is available via `tlsProbe.teardown`). Keep the existing
restore/reconcile cleanup, but make the teardown path resilient so failures in
`NewGatherer`, `LoadClient`, or `LoadClientset` do not panic in `AfterEach`.
- Around line 312-319: `expectHandshakeRejected` currently treats every
`probe.handshake(ctx, cipherSuite)` error as a successful rejection, which both
trips the `nilerr` lint and can hide unrelated failures. Update this helper to
distinguish a real TLS/cipher negotiation failure from connectivity or setup
errors by checking the handshake error details/exit code before returning
success, and only return nil for the expected reject case. If the non-nil error
is intentionally ignored in the reject path, add the appropriate `nilerr`
suppression/comment at the `probe.handshake` check so golangci-lint is
satisfied.
- Around line 216-238: The TLS probe pod is configured to run non-root but does
not set an explicit UID, so kubelet may reject it when using
ubi9-minimal:latest. Update the PodSpec in cluster-autoscaler-operator.go to set
a numeric RunAsUser alongside RunAsNonRoot in the pod-level SecurityContext,
keeping the existing probe container security settings unchanged. This change
should be made in the PodSpec for the "probe" container so the pod can start
reliably without depending on SCC-injected IDs.
---
Nitpick comments:
In `@pkg/operators/cluster-autoscaler-operator.go`:
- Line 227: The probe image is using an unpinned `:latest` tag, which makes the
test non-reproducible. Update the image reference in the
`cluster-autoscaler-operator` probe configuration to use a specific immutable
tag or digest instead of `registry.access.redhat.com/ubi9-minimal:latest`,
keeping the change local to the image field used by that probe setup.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
530e589 to
b1c8a6f
Compare
Add E2E tests to verify that the cluster-autoscaler-operator correctly applies centralized TLS profiles as directed by APIServer config's TLSAdherence field. Also bump openshift/api and openshift/client-go to versions that include the TLSAdherence field on APIServerSpec.
|
/test e2e-aws-periodic-pre |
|
@joelsmith: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Add E2E tests to verify that the cluster-autoscaler-operator correctly applies centralized TLS profiles as directed by APIServer cluster config's TLSAdherence field.
Also bump openshift/api and openshift/client-go to versions that include the TLSAdherence field on APIServerSpec.
Summary by CodeRabbit
Bug Fixes
Tests