test: Addition of ginkgo framework dependencies and TLS propagation test #409

kaleemsiddiqu · 2026-02-10T13:04:29Z

For Ginkgo test framework support, ginkgo dependencies added
Test added to confirm that TLS propagation is applied correctly through controller-manager operator

Test for changes done in #407

openshift-ci · 2026-02-10T13:27:54Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kaleemsiddiqu
Once this PR has been reviewed and has the lgtm label, please assign prabhapa for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kaleemsiddiqu · 2026-02-11T07:06:53Z

Local run is successful ...

$ ./cluster-openshift-controller-manager-operator-tests-ext run-test "[sig-openshift-controller-manager] TLS Security Profile [Operator][TLS][Serial] should propagate Modern TLS profile from APIServer to OpenShift Controller Manager"
  Running Suite:  - /home/ksiddiqu/openshift-repos/cluster-openshift-controller-manager-operator  
  Random Seed: 1770724152 - will randomize all specs
  Will run 1 of 1 specs  
  [sig-openshift-controller-manager] TLS Security Profile [Operator][TLS][Serial] should propagate Modern TLS profile from APIServer to OpenShift Controller Manager
  github.com/openshift/cluster-openshift-controller-manager-operator/test/e2e/tls_security_profile.go:22
    STEP: Waiting for operator to detect TLS profile change and start progressing @ 02/10/26 17:19:14.959
  "level"=0 "msg"="Operator is now progressing" "reason"="RouteControllerManager_DesiredStateNotYetAchieved::_DesiredStateNotYetAchieved"
    STEP: Waiting for operator to complete reconciliation (may take up to 15 minutes) @ 02/10/26 17:19:35.295
  "level"=0 "msg"="Operator still reconciling" "available"=true "progressing"=true
  ....
  "level"=0 "msg"="Operator reconciliation complete" "available"=true "progressing"=false
    STEP: Verifying TLS config in observed config @ 02/10/26 17:26:05.688
  "level"=0 "msg"="TLS config successfully observed" "config"="{\"build\":{\"buildDefaults\":{\"resources\":{}},\"imageTemplateFormat\":{\"format\":\"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b886af6a57059906e7758471f7a0929ec32af0bed641688ff2d33d7cc68e3ff\"}},\"controllers\":[\"openshift.io/build\",\"openshift.io/build-config-change\",\"openshift.io/builder-rolebindings\",\"openshift.io/builder-serviceaccount\",\"-openshift.io/default-rolebindings\",\"openshift.io/deployer\",\"openshift.io/deployer-rolebindings\",\"openshift.io/deployer-serviceaccount\",\"openshift.io/deploymentconfig\",\"openshift.io/image-import\",\"openshift.io/image-puller-rolebindings\",\"openshift.io/image-signature-import\",\"openshift.io/image-trigger\",\"openshift.io/ingress-ip\",\"openshift.io/ingress-to-route\",\"openshift.io/origin-namespace\",\"openshift.io/serviceaccount\",\"openshift.io/serviceaccount-pull-secrets\",\"openshift.io/templateinstance\",\"openshift.io/templateinstancefinalizer\",\"openshift.io/unidling\"],\"deployer\":{\"imageTemplateFormat\":{\"format\":\"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:295c2081fdef963a20bbf322efea62b16581013474ce8371110ea7bec0e66077\"}},\"dockerPullSecret\":{\"internalRegistryHostname\":\"image-registry.openshift-image-registry.svc:5000\"},\"featureGates\":[\"BuildCSIVolumes=true\"],\"ingress\":{\"ingressIPNetworkCIDR\":\"\"},\"servingInfo\":{\"cipherSuites\":[\"TLS_AES_128_GCM_SHA256\",\"TLS_AES_256_GCM_SHA384\",\"TLS_CHACHA20_POLY1305_SHA256\"],\"minTLSVersion\":\"VersionTLS13\"}}"
  "level"=0 "msg"="Validated Modern TLS config" "minTLSVersion"="VersionTLS13" "cipherSuites"=["TLS_AES_128_GCM_SHA256" "TLS_AES_256_GCM_SHA384" "TLS_CHACHA20_POLY1305_SHA256"]
    STEP: Restoring original TLS profile @ 02/10/26 17:26:05.997
    STEP: Waiting for operator to reconcile TLS profile restoration @ 02/10/26 17:26:07.125
  "level"=0 "msg"="Operator reconciliation after restoration complete"
    STEP: Verifying TLS profile was restored correctly @ 02/10/26 17:26:07.421
  "level"=0 "msg"="Waiting for TLS profile restoration to propagate" "current"="VersionTLS13"
  "level"=0 "msg"="TLS profile restored to default" "minTLSVersion"="VersionTLS12"
  • [445.371 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 445.371 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
...
\"available\"=true \"progressing\"=false\n  STEP: Verifying TLS config in observed config @ 02/10/26 17:26:05.688\n\"level\"=0 \"msg\"=\"TLS config successfully observed\" \"config\"=\"{\\\"build\\\":{\\\"buildDefaults\\\":{\\\"resources\\\":{}},\\\"imageTemplateFormat\\\":{\\\"format\\\":\\\"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b886af6a57059906e7758471f7a0929ec32af0bed641688ff2d33d7cc68e3ff\\\"}},\\\"controllers\\\":[\\\"openshift.io/build\\\",\\\"openshift.io/build-config-change\\\",\\\"openshift.io/builder-rolebindings\\\",\\\"openshift.io/builder-serviceaccount\\\",\\\"-openshift.io/default-rolebindings\\\",\\\"openshift.io/deployer\\\",\\\"openshift.io/deployer-rolebindings\\\",\\\"openshift.io/deployer-serviceaccount\\\",\\\"openshift.io/deploymentconfig\\\",\\\"openshift.io/image-import\\\",\\\"openshift.io/image-puller-rolebindings\\\",\\\"openshift.io/image-signature-import\\\",\\\"openshift.io/image-trigger\\\",\\\"openshift.io/ingress-ip\\\",\\\"openshift.io/ingress-to-route\\\",\\\"openshift.io/origin-namespace\\\",\\\"openshift.io/serviceaccount\\\",\\\"openshift.io/serviceaccount-pull-secrets\\\",\\\"openshift.io/templateinstance\\\",\\\"openshift.io/templateinstancefinalizer\\\",\\\"openshift.io/unidling\\\"],\\\"deployer\\\":{\\\"imageTemplateFormat\\\":{\\\"format\\\":\\\"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:295c2081fdef963a20bbf322efea62b16581013474ce8371110ea7bec0e66077\\\"}},\\\"dockerPullSecret\\\":{\\\"internalRegistryHostname\\\":\\\"image-registry.openshift-image-registry.svc:5000\\\"},\\\"featureGates\\\":[\\\"BuildCSIVolumes=true\\\"],\\\"ingress\\\":{\\\"ingressIPNetworkCIDR\\\":\\\"\\\"},\\\"servingInfo\\\":{\\\"cipherSuites\\\":[\\\"TLS_AES_128_GCM_SHA256\\\",\\\"TLS_AES_256_GCM_SHA384\\\",\\\"TLS_CHACHA20_POLY1305_SHA256\\\"],\\\"minTLSVersion\\\":\\\"VersionTLS13\\\"}}\"\n\"level\"=0 \"msg\"=\"Validated Modern TLS config\" \"minTLSVersion\"=\"VersionTLS13\" \"cipherSuites\"=[\"TLS_AES_128_GCM_SHA256\" \"TLS_AES_256_GCM_SHA384\" \"TLS_CHACHA20_POLY1305_SHA256\"]\n  STEP: Restoring original TLS profile @ 02/10/26 17:26:05.997\n  STEP: Waiting for operator to reconcile TLS profile restoration @ 02/10/26 17:26:07.125\n\"level\"=0 \"msg\"=\"Operator reconciliation after restoration complete\"\n  STEP: Verifying TLS profile was restored correctly @ 02/10/26 17:26:07.421\n\"level\"=0 \"msg\"=\"Waiting for TLS profile restoration to propagate\" \"current\"=\"VersionTLS13\"\n\"level\"=0 \"msg\"=\"Waiting for TLS profile restoration to propagate\" \"current\"=\"VersionTLS13\"\n\"level\"=0 \"msg\"=\"Waiting for TLS profile restoration to propagate\" \"current\"=\"VersionTLS13\"\n\"level\"=0 \"msg\"=\"Waiting for TLS profile restoration to propagate\" \"current\"=\"VersionTLS13\"\n\"level\"=0 \"msg\"=\"TLS profile restored to default\" \"minTLSVersion\"=\"VersionTLS12\"\n"
  }
]ksiddiqu@ksiddiqu-thinkpadx1carbongen11:~/openshift-repos/cluster-openshift-controller-manager-operator$

kaleemsiddiqu · 2026-02-11T07:12:47Z

@ricardomaraschini @ingvagabund @gangwgr please review this.

cmd/cluster-openshift-controller-manager-operator-tests-ext/main.go

test/e2e/main_test.go

Makefile

cmd/cluster-openshift-controller-manager-operator-tests-ext/main.go

gangwgr · 2026-02-11T10:19:32Z

make 2 commits, vendor changes should be in different commit

test/e2e/tls_security_profile.go

Add vendor dependencies for the Ginkgo testing framework, openshift-tests-extension framework, and testify assertion library Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>

Implement end-to-end test to verify that TLS security profile changes propagate from the APIServer to the OpenShift Controller Manager. Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>

gangwgr · 2026-02-11T13:36:12Z

cmd/cluster-openshift-controller-manager-operator-tests-ext/dependencies.go

@@ -0,0 +1,8 @@
+// This file imports test packages to ensure they are included in the build.


file name not correct

what should be filename here? dependencymagnet.go ?

gangwgr · 2026-02-11T13:38:40Z

test/e2e/tls_security_profile.go

+
+	// Now verify the TLS config was propagated to the observed config
+	t.Log("Verifying TLS config in observed config")
+	err = wait.PollUntilContextTimeout(ctx, 5*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {


better to create func for verification of tls and move to library-go repo, so it can be use other components

so it can reuse in both restoration and observation for verification

It is specific to controller-manager operator with couple of checks for TLS 1.3 version only.
I do not know what could be format of a generic TLS config check as this may involve a lot input and combination of checks depending upon the use case for TLS config check.

are you planning similar case in other namespaces? if not then we can keep your change

If you are planning for other namespaces better to keep common func in which we only pass tls values and compare. it will reduce duplicate work for other namespaces

gangwgr · 2026-02-11T13:39:23Z

test/e2e/tls_security_profile.go

+
+	// Wait for the operator to finish progressing (reconciliation complete)
+	// This typically takes 12-15 minutes for TLS changes to propagate
+	t.Log("Waiting for operator to complete reconciliation (may take up to 15 minutes)")


same for this better to create func and move to library-go repo, so it can be use other components

i have created this openshift/library-go#2050

What is expected here? should i used changes done by you in library-go ? I see that change still in review.

we can use that function here because it will reduce code size

gangwgr · 2026-02-11T13:47:38Z

test/e2e/tls_security_profile.go

+		}
+
+		// Modern profile should have exactly these TLS 1.3 cipher suites
+		expectedCiphers := []string{


move this in constant out side of case

I will do the needful after our above discussion resolution.

openshift-ci · 2026-02-11T16:01:48Z

@kaleemsiddiqu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci bot requested review from prabhapa and sayan-biswas February 10, 2026 13:04

kaleemsiddiqu force-pushed the tls-propagation-test branch from 48a0740 to 5501ab7 Compare February 10, 2026 13:25