Add E2E test for the TLSAdherence openshift/api field

[richardsonnick]

Adds E2E tests for the TLSAdherence openshift/api field. This is a requirement for GA.

Summary by CodeRabbit

• Tests
  • Added integration coverage for the TLSAdherence feature gate and API server validation
  • Verify the API rejects unrecognized spec.tlsAdherence values and accepts valid policies
  • Ensure TLSAdherence gate state is correctly reported in cluster configuration
  • Confirm updates do not cause cluster operators to degrade

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9119cbe5-3c63-40ed-a3e8-d3e9e48fa987

📥 Commits

Reviewing files that changed from the base of the PR and between 1f5851c and e65c04c.

📒 Files selected for processing (2)

• test/extended/apiserver/tls.go
• test/extended/apiserver/tls_adherence.go

---

Walkthrough

A new Ginkgo test file is added under test/extended/apiserver/ that validates TLSAdherence feature gate behavior. It skips when the gate is disabled, then asserts feature gate presence in status, dry-run spec field updates, policy enum validity, and no degraded cluster operators. Two existing TLS tests are also updated to conditionally skip based on the same feature gate.

Changes

TLSAdherence Integration Tests

Layer / File(s)	Summary
Test infrastructure and feature gate helper test/extended/apiserver/tls_adherence.go	Declares imports including Ginkgo/Gomega and OpenShift config/v1 client types. Defines the TLSAdherence feature gate name constant and implements a helper function that queries featuregate/cluster status to check if TLSAdherence is in the enabled list.
Ginkgo suite and conditional skip logic test/extended/apiserver/tls_adherence.go	Creates the Ginkgo Describe suite with a BeforeEach hook that skips all suite tests when the TLSAdherence feature gate is not enabled on the cluster.
TLSAdherence spec validation and cluster health tests test/extended/apiserver/tls_adherence.go	Implements three test cases: validates rejection of invalid spec.tlsAdherence values (asserting 422 Invalid error on dry-run), validates acceptance of valid enum values StrictAllComponents and LegacyAdheringComponentsOnly (asserting reflected values match requested), and validates cluster health by checking that no cluster operator is degraded.
Conditional gating of existing TLS tests test/extended/apiserver/tls.go	Updates TestTLSMinimumVersions and TestTLSDefaults to evaluate the TLSAdherence feature gate at test start and skip when disabled, ensuring compatibility with clusters where the gate is not enabled.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	tls.go modifications lack assertion messages in 6 Expect calls (lines 53, 60, 95, 122, 129, 133), violating the requirement for meaningful failure messages to diagnose issues.	Add descriptive messages to all Expect assertions in tls.go, e.g., Expect(err).NotTo(HaveOccurred(), "failed to check TLS adherence feature gate") for context.
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	The modified tls.go tests use fmt.Sprintf("localhost:%d", port) for TLS connections (lines 100, 111, 142, 152, 191, 246, 255), which may fail in IPv6-only disconnected environments. The existing tl...	Update tls.go to explicitly test both IPv4 (127.0.0.1) and IPv6 ([::1]) addresses like tls_observed_config.go does, or use net.JoinHostPort() with dynamic IP family detection.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding E2E tests for the TLSAdherence field. It is concise, specific, and clearly conveys the primary purpose of the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test titles (Describe and It) in both tls_adherence.go and tls.go use stable, static strings with no dynamic values, generated IDs, timestamps, or other runtime-dependent information.
Microshift Test Compatibility	✅ Passed	All new and modified tests include [apigroup:config.openshift.io] tag, which auto-skips them on MicroShift CI jobs per the custom check instructions. Tests use config.openshift.io APIs (FeatureGate...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Tests validate API behavior (spec.tlsAdherence field) and TLS protocol versions via port-forward to control plane services; all services exist on SNO, no multi-node assumptions detected.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds E2E test code only (test/extended/apiserver/). Custom check applies to deployment manifests, operator code, or controllers—not test files. No topology-sensitive scheduling constraints intro...
Ote Binary Stdout Contract	✅ Passed	Both files follow proper OTE binary stdout contract patterns: no process-level stdout writes detected, all executable code is in test callbacks (It, BeforeEach) or utility functions called during t...
No-Weak-Crypto	✅ Passed	No weak cryptography detected. Files contain standard TLS testing using crypto/tls and library-go helpers; RC4 mentioned only in comments. No custom crypto, weak algorithms (MD5, SHA1, DES, 3DES, B...
Container-Privileges	✅ Passed	PR contains only Go test code files. No container/K8s manifests present with privileged, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data exposure found. Logging statements report generic errors, test results, TLS configuration parameters, and cluster operator status without exposing passwords, tokens, keys, PII, or...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: richardsonnick
Once this PR has been reviewed and has the lgtm label, please assign smg247 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/apiserver/tls_adherence.go`:
- Around line 120-131: The test assertion in the It block does not account for
the optional spec.tlsAdherence field being unset. Since the field is marked as
optional with omitempty and the test comment acknowledges "when set", the
apiServer.Spec.TLSAdherence value may be nil, causing the BeElementOf assertion
to fail even when the state is valid. Either guard the assertion with a nil
check that conditionally validates only when the field is set, or add the
nil/zero value to the validValues slice so that an unset field is considered a
valid state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 328d6dfb-fe5e-4dfc-a5f3-811d6c04d0e2

📥 Commits

Reviewing files that changed from the base of the PR and between b3b98a0 and 1f5851c.

📒 Files selected for processing (1)

• test/extended/apiserver/tls_adherence.go

[joelanford]

This is not true, right? I think it is applicable in both, though it may make sense to have a separate test for Hypershift since it has a split apiserver and a HyperShift-specific configuration API for configuring the TLS profile of the hosted cluster.

[richardsonnick]

oh sorry yes no this is not true. removing.

[joelanford]

Can't hurt to verify this, but I don't think this should count toward the 5 tests, the intent of which are more functional rather than verifying assumptions.

[joelanford]

I think there is a different kind of test that we can implement that essentially continuously monitors the cluster to verify an invariant is never violated. The way this test is implemented, you'll only get a point in time verification, which would likely result in false negatives.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[joelanford]

I think it's a stretch to make these two separate tests. But I think a single test that verifies that all valid values can be successfully dry-run updated is a reasonable single test to run.

[candita]

Is it possible to test to make sure this can only be set by cluster-admins? Is there an RBAC in place to test?

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci]

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-ovn	e65c04c	link	true	/test e2e-gcp-ovn
ci/prow/e2e-vsphere-ovn	e65c04c	link	true	/test e2e-vsphere-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.