
wip: CNTRLPLANE-3540: refactor(test/extended/tls): simplify the testing and remove duplication#31277

Open
ingvagabund wants to merge 22 commits into
openshift:mainfrom
ingvagabund:tls-refactoring

Conversation

@ingvagabund ingvagabund commented Jun 9, 2026

Member

SSIA

Summary by CodeRabbit

  • Tests

    • TLS tests now derive the expected effective TLS profile from the live APIServer and validate propagation across observed config, injected ConfigMaps, deployment env vars, and wire-level enforcement.
    • Added a reconciliation-style disruptive test to apply a different profile and wait for end-to-end reconciliation; moved restoration checks to run after the disruptive flow.
    • Removed hardcoded cipher lists and improved rollout/wait handling for reliability.
  • Refactor

    • Consolidated and precomputed wire-level TLS checks and validation helpers for reuse and clearer verification.

@openshift-merge-bot

Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

openshift-ci Bot added the do-not-merge/work-in-progress label (indicates that a PR should not merge because it is a work in progress) on Jun 9, 2026
coderabbitai Bot commented Jun 9, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

Refactors TLS observed-config tests to capture an expected tlsConfig from the live APIServer profile, thread that expected config through observedConfig, ConfigMap injection, deployment env-vars, and wire-level checks, centralize APIServer profile set/restore helpers, and add reconciliation polling and a disruptive reconciliation test.

Changes

TLS Profile Test Refactoring

Layer / File(s) Summary
tlsConfig struct and helpers
test/extended/tls/tls_observed_config.go
Add tlsConfig and tlsVersionStringToUint16 to represent expected effective TLS settings.
Non-disruptive observedConfig & ordering
test/extended/tls/tls_observed_config.go
Non-disruptive suite captures expected tlsConfig from APIServer and passes it to verifyAllTLSConfiguration; move ConfigMap inject-tls/servingInfo restoration tests to after Custom disruptive test.
Modern profile tests (HyperShift & standalone)
test/extended/tls/tls_observed_config.go
Modern flows compute wire-level expectations via getWireLevelTLSConfigs, use setAPIServerTLSProfile/restoreOriginalTLSProfile, call testDeploymentTLSEnvVars, and run testWireLevelTLS with precomputed configs.
Custom profile tests and validations
test/extended/tls/tls_observed_config.go
Custom flows replace inline cipher lists with expected-config-driven checks, use set/restore helpers, validate ConfigMap injection via testConfigMapTLSInjection, and validate deployment TLS env-vars via testDeploymentTLSEnvVars; update validateTLSConfig/validateServingInfoTLSConfig.
Wire-level refactor & reconciliation
test/extended/tls/tls_observed_config.go
Refactor testWireLevelTLS to accept precomputed allow/deny *tls.Config, add captureTLSConfiguration, generateDifferentTLSProfile, setAPIServerTLSProfile, restoreOriginalTLSProfile, implement getWireLevelTLSConfigs, waitForTLSReconciliation, validateAllTargetsOnce, and add a disruptive reconciliation test that waits for full propagation.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • openshift/origin#31246: Similar refactor of tls_observed_config.go to centralize profile-derived expectations and consolidate wire-level TLS verification logic.

Suggested reviewers

  • kaleemsiddiqu
  • ricardomaraschini
🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Test Structure And Quality: ⚠️ Warning
  Explanation: Reconciliation test at line 513 modifies cluster APIServer TLS profile without DeferCleanup (only TODO comment); 23 error assertions lack meaningful messages.
  Resolution: Implement DeferCleanup in reconciliation test to restore original TLS profile; add descriptive messages to assertions like o.Expect(err).NotTo(o.HaveOccurred(), "failed to get APIServer config").

Ipv6 And Disconnected Network Test Compatibility: ⚠️ Warning
  Explanation: Test function forwardPortAndExecute uses hardcoded IPv4 localhost (127.0.0.1) without IPv6 fallback in port-forward readiness check, causing failures in IPv6-only environments.
  Resolution: Replace hardcoded 127.0.0.1 with ::1 or implement dual-test logic similar to checkTLSConnection; use net.JoinHostPort for URL construction to ensure IPv6 compatibility across all wire-level TLS validation tests.
✅ Passed checks (13 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title clearly describes the main refactoring work: simplifying TLS testing and removing duplication through centralized validation and consolidated helpers.
Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names: ✅ Passed. All Ginkgo test names are stable and deterministic. Four tests use fmt.Sprintf to include target.namespace in titles, but namespace values are hardcoded static strings (well-known OpenShift system...
Microshift Test Compatibility: ✅ Passed. All tests use unavailable OpenShift APIs (config.openshift.io/v1) but are protected: first test has individual isMicroShift check with g.Skip(); other 7 tests have Describe-level BeforeEach protect...
Single Node Openshift (Sno) Test Compatibility: ✅ Passed. Tests in tls_observed_config.go do not make assumptions that would fail on SNO. No multi-node requirements detected: deployments default to 1 replica, no node-specific operations, no pod anti-affin...
Topology-Aware Scheduling Compatibility: ✅ Passed. PR modifies only test code (test/extended/tls/) with no deployment manifests, operator code, or scheduling constraints introduced. Check not applicable.
Ote Binary Stdout Contract: ✅ Passed. Comprehensive analysis of test/extended/tls/tls_observed_config.go confirms no OTE Binary Stdout Contract violations: no fmt.Print, klog, log.Print, or os.Stdout writes in process-level code; no in...
No-Weak-Crypto: ✅ Passed. No weak cryptography algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found. Code uses only standard crypto/tls and libr...
Container-Privileges: ✅ Passed. This PR refactors Go test code only (tls_observed_config.go). No Kubernetes manifests or container security context specifications were found, so no privilege escalation configurations exist to flag.
No-Sensitive-Data-In-Logs: ✅ Passed. No sensitive data exposure in logs. Logging includes only public TLS configuration (IANA cipher names, protocol versions, cluster names) and test infrastructure details, not passwords, tokens, cert...


openshift-ci Bot commented Jun 9, 2026

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ingvagabund

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci Bot added the approved label (indicates a PR has been approved by an approver from all required OWNERS files) on Jun 9, 2026
…estWireLevelTLS to reduce duplicated invocation
@openshift-merge-bot

Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

…neric testWireLevelTLS to have a single place with all settings where forwardPortAndExecute is invoked
openshift-ci Bot added the ready-for-human-review label (indicates a PR has been reviewed by automated tools and is ready for human review) on Jun 10, 2026
@openshift-merge-bot

Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

…onfig: first few steps of getting the current tls config, generating a new one and validating all the components are aligned with the current tls configuration
openshift-trt Bot commented Jun 10, 2026


Job Failure Risk Analysis for sha: 3caf382

Job Name Failure Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn Low
[Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel]
This test has passed 0.00% of 4 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:gcp Procedure:none SecurityMode:default Topology:ha Upgrade:micro] in the last week.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6 Low
[Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel]
This test has passed 0.00% of 1 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv6 OS:rhcos9 Owner:eng Platform:metal Procedure:none SecurityMode:default Topology:ha Upgrade:micro] in the last week.
pull-ci-openshift-origin-main-e2e-vsphere-ovn Low
[Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel]
This test has passed 0.00% of 4 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:vsphere Procedure:none SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi Low
[Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel]
This test has passed 0.00% of 3 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:upi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:vsphere Procedure:none SecurityMode:default Topology:ha Upgrade:none] in the last week.

…onfig: change the TLS profile and wait until the new TLS config is reconciled

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 503-537: This test uses the guest oc and hard-codes false into
verifyAllTLSConfiguration and waitForTLSReconciliation while reconciliation
helpers probe all ConfigMaps regardless of managementClusterComponent, which
breaks HyperShift; update the test to follow the existing
HostedCluster/HyperShift flow used by the Modern/Custom cases: when running on
HyperShift (detect via the same helper used elsewhere in this file), wire the
guest vs management client through the hosted-cluster path (pass the hosted
client or set the managementClusterComponent appropriately) into
generateDifferentTLSProfile/setAPIServerTLSProfile/verifyAllTLSConfiguration/waitForTLSReconciliation
instead of using the hard-coded oc and false, or alternatively call Skip for
HyperShift runs; ensure allTLSTestTargets are filtered per
managementClusterComponent when invoking the reconciliation helpers.
- Around line 503-545: This test mutates the cluster TLS profile but doesn't
restore it; after reading originalAPIServer (originalAPIServer and
originalProfile) register a g.DeferCleanup that calls setAPIServerTLSProfile to
apply originalProfile and then calls waitForTLSReconciliation to wait for
targets to return to the original config (use context.Background() in the
cleanup to avoid relying on configChangeCtx), and handle/expect no error so the
cluster is restored even if the test fails.
- Around line 1422-1424: In the tls.VersionTLS11 case update the "should work"
probe so it is clamped to exactly TLS 1.1 by setting MaxVersion:
tls.VersionTLS11 on the tls.Config assigned to tlsShouldWork (the current
assignment uses only MinVersion and allows higher TLS versions); modify the
tlsShouldWork assignment in the tls.VersionTLS11 branch to include MaxVersion:
tls.VersionTLS11 while leaving tlsShouldNotWork unchanged.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f937e07f-5927-4cfa-bb56-4a129631f25a

📥 Commits

Reviewing files that changed from the base of the PR and between 3caf382 and b050cbe.

📒 Files selected for processing (1)
  • test/extended/tls/tls_observed_config.go

Comment thread test/extended/tls/tls_observed_config.go
Comment thread test/extended/tls/tls_observed_config.go
Comment on lines +1422 to +1424
case tls.VersionTLS11:
tlsShouldWork = &tls.Config{MinVersion: tls.VersionTLS11, InsecureSkipVerify: true}
tlsShouldNotWork = &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10, InsecureSkipVerify: true}
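Review bot: besides the missing MaxVersion on the tlsShouldWork line, both probes leave CipherSuites unset, so what they can negotiate is decided by Go's client defaults rather than by the profile under test. A TLS 1.1 handshake can only use the CBC suites (there are no AEAD suites below TLS 1.2), so if the effective profile's cipher list contains only TLS 1.2 AEAD suites the "should work" probe fails even though the profile's minimum version permits TLS 1.1. Set CipherSuites on both probes from the same expected config that drives the observedConfig and ConfigMap checks, and keep the "should not work" probe pinned to MinVersion == MaxVersion == tls.VersionTLS10 as it is.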


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In Go's crypto/tls, if a client config sets MinVersion=tls.VersionTLS11 and leaves MaxVersion unset, can the handshake negotiate TLS 1.2 or TLS 1.3? To force exactly TLS 1.1, do both MinVersion and MaxVersion need to be tls.VersionTLS11?

💡 Result:

In Go's crypto/tls package, if a client config sets MinVersion to tls.VersionTLS11 and leaves MaxVersion unset (its zero value), the handshake can negotiate TLS 1.2 or TLS 1.3 [1][2][3]. When MaxVersion is unset (zero), it defaults to the maximum version supported by the package, which is currently TLS 1.3 [1][4][5]. The handshake process iterates through the package's supported versions—sorted from highest to lowest—and includes any version that is greater than or equal to MinVersion and less than or equal to MaxVersion (if set) [2][5][6]. Therefore, leaving MaxVersion unset does not restrict the client to the specified minimum version; it allows the negotiation of any supported protocol version equal to or higher than the minimum [2][5]. To force the client to use exactly TLS 1.1, you must set both MinVersion and MaxVersion to tls.VersionTLS11 [2][5][6]. This restricts the range of acceptable versions to that single value [2][5].

Clamp the TLS 1.1 “should work” probe to exactly TLS 1.1.

In test/extended/tls/tls_observed_config.go (around lines 1422-1424), tls.Config{MinVersion: tls.VersionTLS11, ...} still permits negotiating TLS 1.2/1.3 when MaxVersion is left unset. Set MaxVersion: tls.VersionTLS11 too so the probe allows only TLS 1.1.

🧰 Tools
🪛 OpenGrep (1.22.0)

[ERROR] 1423-1423: TLS certificate verification is disabled via InsecureSkipVerify. This allows man-in-the-middle attacks. Remove InsecureSkipVerify or set it to false.

(coderabbit.tls.go-insecure-skip-verify)


[ERROR] 1423-1423: TLS certificate verification is disabled via InsecureSkipVerify. This allows man-in-the-middle attacks. Remove InsecureSkipVerify or set it to false.

(coderabbit.tls.go-insecure-skip-verify)


[ERROR] 1424-1424: TLS certificate verification is disabled via InsecureSkipVerify. This allows man-in-the-middle attacks. Remove InsecureSkipVerify or set it to false.

(coderabbit.tls.go-insecure-skip-verify)


[ERROR] 1424-1424: TLS certificate verification is disabled via InsecureSkipVerify. This allows man-in-the-middle attacks. Remove InsecureSkipVerify or set it to false.

(coderabbit.tls.go-insecure-skip-verify)

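The point raised in the comment above, that a Go client configured with MinVersion: tls.VersionTLS11 and no MaxVersion still settles on the highest version both sides support, can be checked end to end without a cluster. The following is an added example and is not code from the openshift/origin test file or from CodeRabbit: it starts a loopback TLS server backed by a throwaway self-signed ECDSA certificate whose MinVersion is set to TLS 1.1 (an assumption standing in for a target whose effective profile permits TLS 1.1), then dials it with the three probe shapes the review discusses. The helper names serverConfigAllowingDownTo, startProbeTarget and negotiatedVersion are hypothetical and are not helpers from the test suite. It needs Go 1.21 or later for tls.VersionName; the explicit MinVersion is what keeps TLS 1.1 enabled on a Go 1.22+ server, whose default minimum is TLS 1.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverConfigAllowingDownTo returns a server config backed by a throwaway
// self-signed ECDSA P-256 certificate that accepts every protocol version from
// minVersion up to TLS 1.3. Hypothetical helper: it stands in for a target whose
// effective profile permits TLS 1.1 (an assumption of this example).
func serverConfigAllowingDownTo(minVersion uint16) (*tls.Config, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-probe-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		// Explicit on purpose: Go 1.22+ servers default to a TLS 1.2 minimum.
		MinVersion: minVersion,
	}, nil
}

// startProbeTarget listens on a random loopback port and completes the TLS
// handshake on every accepted connection. It returns the address to dial and a
// function that stops the listener.
func startProbeTarget(cfg *tls.Config) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(c net.Conn) {
				defer c.Close()
				// Drive the handshake so the client observes the real outcome.
				_ = c.(*tls.Conn).Handshake()
			}(c)
		}
	}()
	return ln.Addr().String(), func() { _ = ln.Close() }, nil
}

// negotiatedVersion dials addr with a probe config and returns the protocol
// version the handshake actually settled on, or the handshake error.
func negotiatedVersion(addr string, probe *tls.Config) (uint16, error) {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, probe)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// The three probe shapes discussed in the review. InsecureSkipVerify is
// tolerable only because these probes test version negotiation against a
// throwaway certificate, not peer identity; it must not leak into real clients.
var (
	unclampedTLS11Probe = &tls.Config{MinVersion: tls.VersionTLS11, InsecureSkipVerify: true}
	exactTLS11Probe     = &tls.Config{MinVersion: tls.VersionTLS11, MaxVersion: tls.VersionTLS11, InsecureSkipVerify: true}
	exactTLS10Probe     = &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10, InsecureSkipVerify: true}
)

func main() {
	cfg, err := serverConfigAllowingDownTo(tls.VersionTLS11)
	if err != nil {
		panic(err)
	}
	addr, stop, err := startProbeTarget(cfg)
	if err != nil {
		panic(err)
	}
	defer stop()

	for _, p := range []struct {
		name  string
		probe *tls.Config
	}{
		{"MinVersion only", unclampedTLS11Probe},
		{"Min=Max=TLS 1.1", exactTLS11Probe},
		{"Min=Max=TLS 1.0", exactTLS10Probe},
	} {
		v, err := negotiatedVersion(addr, p.probe)
		if err != nil {
			fmt.Printf("%-16s handshake rejected: %v\n", p.name, err)
			continue
		}
		fmt.Printf("%-16s negotiated %s\n", p.name, tls.VersionName(v))
	}
}
```

Running it shows the unclamped probe settling on TLS 1.3, the Min=Max=TLS 1.1 probe settling on TLS 1.1, and the TLS 1.0 probe being rejected, so only the clamped config says anything about the lowest version the server accepts. The TLS 1.1 handshake succeeds here only because Go's default client suites still include the ECDHE CBC suites; a probe whose CipherSuites were restricted to TLS 1.2 AEAD suites would fail regardless of MinVersion, which is why the probe's cipher list should come from the same expected profile as its version bounds.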

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (3)
test/extended/tls/tls_observed_config.go (3)

1424-1426: ⚠️ Potential issue | 🟠 Major

Clamp the TLS 1.1 success probe to exactly TLS 1.1.

Line 1425 sets only MinVersion: tls.VersionTLS11. With MaxVersion unset, the client can negotiate TLS 1.2/1.3, which can mask a TLS 1.1 regression.

Suggested fix
- tlsShouldWork = &tls.Config{MinVersion: tls.VersionTLS11, InsecureSkipVerify: true}
+ tlsShouldWork = &tls.Config{MinVersion: tls.VersionTLS11, MaxVersion: tls.VersionTLS11, InsecureSkipVerify: true}
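Review bot: the `+` line still carries InsecureSkipVerify: true, which OpenGrep reports on every probe config in this file. Put a one-line comment beside it stating why verification is off for these probes (they check protocol negotiation, not peer identity), or keep verification on by setting RootCAs to the serving CA and ServerName to the target's DNS name; either way the finding becomes triageable instead of being re-raised on every push.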
In Go's crypto/tls, if tls.Config sets MinVersion=tls.VersionTLS11 and leaves MaxVersion unset, can negotiation still use TLS 1.2 or TLS 1.3?
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/tls/tls_observed_config.go` around lines 1424 - 1426, The TLS
1.1 success probe currently only sets MinVersion in the case tls.VersionTLS11,
allowing negotiation to upgrade to TLS 1.2/1.3; update the tlsShouldWork config
used in that case to explicitly set MaxVersion: tls.VersionTLS11 (in addition to
MinVersion: tls.VersionTLS11) so the probe is clamped to exactly TLS 1.1; locate
the switch handling tls.VersionTLS11 (the case block that sets tlsShouldWork and
tlsShouldNotWork) and add the MaxVersion field to tlsShouldWork.

515-547: ⚠️ Potential issue | 🟠 Major

This disruptive test still does not restore the original APIServer TLS profile.

You capture originalProfile at Line 515, mutate the cluster profile at Line 533, but only leave a TODO at Line 545. This leaves cluster TLS state mutated after the test (especially on failure).

Suggested fix
 originalProfile := originalAPIServer.Spec.TLSSecurityProfile
 currentTLSConfig := captureTLSConfiguration(originalProfile)
+
+g.DeferCleanup(func(_ context.Context) {
+  cleanupCtx, cancel := context.WithTimeout(context.Background(), 60*time.Minute)
+  defer cancel()
+  restoreOriginalTLSProfile(oc, cleanupCtx, originalProfile, string(currentTLSConfig.profileType))
+})
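Review bot: the cleanup as written does not check that the restore succeeded, and the agent prompt below describes a different restore sequence (setAPIServerTLSProfile followed by waitForTLSReconciliation). Settle on one sequence and have the DeferCleanup body assert that the targets reached the original config before it returns, so a failed restore fails the spec visibly rather than leaving the next spec to run against the mutated profile. Also add a comment on why the closure ignores the ctx it receives and builds its own 60-minute context.Background() timeout: that is what keeps restoration alive past the spec's own deadline, and without the comment it reads like an oversight.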
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/tls/tls_observed_config.go` around lines 515 - 547, The test
mutates the APIServer TLS profile (via setAPIServerTLSProfile) but never
restores originalAPIServer.Spec.TLSSecurityProfile on exit; add a cleanup that
captures originalProfile before calling setAPIServerTLSProfile and registers a
deferred restore (using the test harness DeferCleanup or a Go defer) that calls
setAPIServerTLSProfile(oc, configChangeCtx, originalProfile, "<original-type>")
and waits for reconciliation (e.g., waitForTLSReconciliation) so the cluster is
returned to its prior state on success or failure; register the cleanup
immediately after computing originalProfile (before generateDifferentTLSProfile
/ setAPIServerTLSProfile) and ensure errors from the restore are logged/fail the
cleanup so failures are visible.

528-540: ⚠️ Potential issue | 🟠 Major

HyperShift routing is still broken in the disruptive reconciliation flow.

Line 528 and Line 539 hard-code false with allTLSTestTargets, and the ConfigMap loop (Line 1510 onward) still does not skip managementClusterComponent targets. On HyperShift this can probe management-side targets via the guest client and fail against the wrong scope.

Suggested fix
- verifyAllTLSConfiguration(oc, configChangeCtx, false, allTLSTestTargets)
+ selectedTargets := allTLSTestTargets
+ if isHyperShiftCluster {
+   selectedTargets = tlsTestTargets{
+     observedConfig:    guestObservedCfg,
+     configMaps:        guestCMs,
+     deploymentEnvVars: guestEnvVars,
+     services:          guestSvcs,
+   }
+ }
+ verifyAllTLSConfiguration(oc, configChangeCtx, isHyperShiftCluster, selectedTargets)

...

- err = waitForTLSReconciliation(oc, configChangeCtx, false, allTLSTestTargets)
+ err = waitForTLSReconciliation(oc, configChangeCtx, isHyperShiftCluster, selectedTargets)
for _, target := range targets.configMaps {
+ if isHyperShiftCluster && target.managementClusterComponent {
+   continue
+ }
  totalCount++
  ...
}
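Review bot: the `+` lines reference guestObservedCfg, guestCMs, guestEnvVars and guestSvcs, none of which appears anywhere in this diff, so the replacement does not compile as shown. The filtering is also done twice: once by building selectedTargets for HyperShift and again by skipping managementClusterComponent entries inside the configMaps loop (lines 1510-1524). Filter in one place, preferably when selectedTargets is built, so waitForTLSReconciliation counts exactly the targets it then probes.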

Also applies to: 1510-1524

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/tls/tls_observed_config.go` around lines 528 - 540, The test is
hard-coding the disruptive-mode boolean (false) when calling
verifyAllTLSConfiguration and waitForTLSReconciliation with allTLSTestTargets
and the ConfigMap loop still probes managementClusterComponent targets; update
the calls to pass a variable that reflects the HyperShift context (e.g.,
disruptiveModeOrUseGuestClient boolean) instead of the literal false, and modify
the ConfigMap processing loop that iterates targets (the code referencing
managementClusterComponent) to skip managementClusterComponent targets when
running under HyperShift/guest-client mode (use configChangeCtx or a new
isHyperShift flag to decide), ensuring
verifyAllTLSConfiguration(allTLSTestTargets, configChangeCtx, <flag>) and
waitForTLSReconciliation(...) use that flag and the loop excludes
managementClusterComponent targets accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c9190c70-6845-4e3a-87bd-77fa4b33f8da

📥 Commits

Reviewing files that changed from the base of the PR and between b050cbe and 2ef7e93.

📒 Files selected for processing (1)
  • test/extended/tls/tls_observed_config.go

@openshift-merge-bot

Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

openshift-trt Bot commented Jun 11, 2026


Job Failure Risk Analysis for sha: 2ef7e93

Job Name Failure Risk
pull-ci-openshift-origin-main-e2e-aws-ovn-microshift High
install should succeed: other
This test has passed 99.40% of 4021 runs on release 5.0 [Overall] in the last week.
pull-ci-openshift-origin-main-e2e-gcp-ovn Low
[Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel]
This test has passed 0.00% of 4 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:gcp Procedure:none SecurityMode:default Topology:ha Upgrade:micro] in the last week.
pull-ci-openshift-origin-main-e2e-metal-ipi-ovn-ipv6 Low
[Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel]
This test has passed 0.00% of 1 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv6 OS:rhcos9 Owner:eng Platform:metal Procedure:none SecurityMode:default Topology:ha Upgrade:micro] in the last week.
pull-ci-openshift-origin-main-e2e-vsphere-ovn Low
[Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel]
This test has passed 0.00% of 4 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:vsphere Procedure:none SecurityMode:default Topology:ha Upgrade:none] in the last week.
pull-ci-openshift-origin-main-e2e-vsphere-ovn-upi Low
[Feature:NetworkSegmentation][ovn-kubernetes-ote][sig-network] Network Segmentation: services on a user defined primary network should be reachable through their cluster IP, node port and load balancer L2 primary UDN with custom network, cluster-networked pods, NodePort service [Suite:openshift/conformance/parallel]
This test has passed 0.00% of 3 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:upi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:vsphere Procedure:none SecurityMode:default Topology:ha Upgrade:none] in the last week.

@ingvagabund ingvagabund changed the title wip: refactor(test/extended/tls): simplify the testing and remove duplication wip: CNTRLPLANE-3540: refactor(test/extended/tls): simplify the testing and remove duplication Jun 11, 2026
openshift-ci-robot added the jira/valid-reference label (indicates that this PR references a valid Jira ticket of any type) on Jun 11, 2026
openshift-ci-robot commented Jun 11, 2026


@ingvagabund: This pull request references CNTRLPLANE-3540 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


In response to this:

SSIA

Summary by CodeRabbit

  • Tests

  • TLS validation tests now derive expected wire-level behavior from the cluster’s active TLS profile instead of hardcoded assumptions.

  • Added a reconciliation-style disruptive test to validate end-to-end profile changes and eventual consistency across observed config, ConfigMaps, deployments, and wire-level enforcement.

  • Centralized profile update/restore flows, simplified deployment/ConfigMap verifications, reordered restoration checks, and improved rollout handling for more reliable results.

  • Refactor

  • Wire-level TLS checks and test helpers were consolidated for reuse and clarity.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot

Contributor

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

openshift-ci Bot commented Jun 11, 2026

Contributor

@ingvagabund: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-vsphere-ovn 486fe1b link true /test e2e-vsphere-ovn
ci/prow/e2e-aws-ovn-microshift-serial 486fe1b link true /test e2e-aws-ovn-microshift-serial
ci/prow/e2e-aws-ovn-serial-1of2 486fe1b link true /test e2e-aws-ovn-serial-1of2
ci/prow/e2e-aws-ovn-fips 486fe1b link true /test e2e-aws-ovn-fips
ci/prow/e2e-gcp-ovn-upgrade 486fe1b link true /test e2e-gcp-ovn-upgrade
ci/prow/e2e-aws-ovn-serial-2of2 486fe1b link true /test e2e-aws-ovn-serial-2of2
ci/prow/e2e-gcp-ovn 486fe1b link true /test e2e-gcp-ovn
ci/prow/e2e-metal-ipi-ovn-ipv6 486fe1b link true /test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-vsphere-ovn-upi 486fe1b link true /test e2e-vsphere-ovn-upi
ci/prow/e2e-aws-ovn-microshift 486fe1b link true /test e2e-aws-ovn-microshift

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review
