Add E2E test for the TLSAdherence openshift/api field

[richardsonnick]

Adds E2E tests for the TLSAdherence openshift/api field. This is a requirement for GA.

Summary by CodeRabbit

• Tests
  • Added integration tests for TLSAdherence feature gate behavior and cluster API server validation
  • Tests verify API server accepts and reflects different TLSAdherence policy configurations
  • Tests confirm TLSAdherence feature gate status is properly reported in cluster configuration
  • Tests validate cluster operators are not degraded during configuration updates

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Walkthrough

A new Ginkgo test file is added under test/extended/apiserver/ that validates TLSAdherence feature gate behavior. It skips for MicroShift/HyperShift or when the gate is disabled, then asserts feature gate presence in status, dry-run spec field updates, policy enum validity, and no degraded cluster operators.

Changes

TLSAdherence Integration Tests

Layer / File(s)	Summary
Package, helper, and suite skip guards test/extended/apiserver/tls_adherence.go	Declares imports and the TLSAdherence feature gate name constant. Adds a helper that queries featuregate/cluster status to check if TLSAdherence is in the enabled list. Defines the Ginkgo Describe suite with a BeforeEach that skips the entire suite on MicroShift/HyperShift or when the feature gate is not enabled.
Feature gate presence, dry-run spec updates, and enum validation test/extended/apiserver/tls_adherence.go	Asserts TLSAdherence appears in featuregate/cluster .status.featureGates[].enabled[].name. Dry-run updates apiservers/cluster.spec.tlsAdherence to StrictAllComponents and LegacyAdheringComponentsOnly, asserting each reflected value matches. Validates the live spec.tlsAdherence is one of the defined TLSAdherencePolicy enum values.
Cluster operator degradation check test/extended/apiserver/tls_adherence.go	Lists all cluster operators and fails the test if any operator has Type=OperatorDegraded with Status=True, reporting reason and message in the failure output.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	BeforeEach block (lines 48, 50, 56) contains 3 assertions without meaningful failure messages (e.g., o.Expect(err).NotTo(o.HaveOccurred())), violating custom check requirement #4. Test code itsel...	Add failure messages to BeforeEach assertions: e.g., change line 48 to o.Expect(err).NotTo(o.HaveOccurred(), "failed to check if cluster is MicroShift")

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and concisely describes the main change: adding E2E tests for the TLSAdherence openshift/api field, which matches the file added and PR objectives.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in tls_adherence.go are stable and deterministic. All It() and Describe() declarations use static strings without dynamic information (no timestamps, UUIDs, pod/namespace names, or g...
Microshift Test Compatibility	✅ Passed	All 5 test cases have [apigroup:config.openshift.io] tags and BeforeEach runtime skip check protecting them from MicroShift execution, per the check's allowed protection mechanisms.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The tests are API-level configuration checks using OpenShift APIs (featuregate/cluster, apiservers/cluster, ClusterOperators) with dry-run operations. They make no assumptions about cluster topolog...
Topology-Aware Scheduling Compatibility	✅ Passed	This PR adds only integration test code with no deployment manifests, operator code, or controllers. No scheduling constraints are introduced; the check is not applicable.
Ote Binary Stdout Contract	✅ Passed	File contains no stdout writes at process level. fmt.Errorf and fmt.Sprintf are used only for error/message formatting, not stdout. No klog, Print, Println, or Printf calls found. All code is withi...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Test file contains no IPv4 assumptions, hardcoded IPv4 addresses, or external connectivity requirements. All operations use cluster-internal API calls only.
No-Weak-Crypto	✅ Passed	No weak cryptography patterns found. File contains only test code for TLSAdherence feature gate validation with no crypto algorithms, custom implementations, or secret comparisons.
Container-Privileges	✅ Passed	PR adds only Go test code (test/extended/apiserver/tls_adherence.go) with no container manifests, Kubernetes definitions, or privileged container settings.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, API keys, PII, session IDs) found in logging. The single g.Fail statement logs cluster operator names, condition reasons, and messages—standard Kubernetes diag...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: richardsonnick
Once this PR has been reviewed and has the lgtm label, please assign smg247 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/apiserver/tls_adherence.go`:
- Around line 120-131: The test assertion in the It block does not account for
the optional spec.tlsAdherence field being unset. Since the field is marked as
optional with omitempty and the test comment acknowledges "when set", the
apiServer.Spec.TLSAdherence value may be nil, causing the BeElementOf assertion
to fail even when the state is valid. Either guard the assertion with a nil
check that conditionally validates only when the field is set, or add the
nil/zero value to the validValues slice so that an unset field is considered a
valid state.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 328d6dfb-fe5e-4dfc-a5f3-811d6c04d0e2

📥 Commits

Reviewing files that changed from the base of the PR and between b3b98a0 and 1f5851c.

📒 Files selected for processing (1)

• test/extended/apiserver/tls_adherence.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify TLSAdherence field type/default semantics and whether empty value is a valid persisted state.

set -euo pipefail

echo "== Locate APIServerSpec TLSAdherence definition =="
rg -n --type=go -C4 '\bTLSAdherence\b' 

echo
echo "== Look for defaulting markers or comments tied to TLSAdherence =="
rg -n --type=go -C3 'default|omitempty|TLSAdherencePolicyNoOpinion|tlsAdherence'

echo
echo "== Check if existing tests treat empty/unset tlsAdherence as valid =="
rg -n --type=go -C3 'spec\.tlsAdherence|TLSAdherencePolicy|BeElementOf'

Repository: openshift/origin

Length of output: 50375

---

Add a guard to check if spec.tlsAdherence is set before asserting it matches a valid value.

Line 129 asserts apiServer.Spec.TLSAdherence is one of three explicit enum values, but the field is optional (marked omitempty) and can be unset. The test comment on line 119 says "when set," acknowledging that the field may not always be populated. If the field is unset on the cluster, the BeElementOf assertion will fail even though the state is valid. Guard the assertion with a check for whether the field is set, or include the zero/unset value in the valid values list.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/apiserver/tls_adherence.go` around lines 120 - 131, The test
assertion in the It block does not account for the optional spec.tlsAdherence
field being unset. Since the field is marked as optional with omitempty and the
test comment acknowledges "when set", the apiServer.Spec.TLSAdherence value may
be nil, causing the BeElementOf assertion to fail even when the state is valid.
Either guard the assertion with a nil check that conditionally validates only
when the field is set, or add the nil/zero value to the validValues slice so
that an unset field is considered a valid state.

[joelanford]

This is not true, right? I think it is applicable in both, though it may make sense to have a separate test for Hypershift since it has a split apiserver and a HyperShift-specific configuration API for configuring the TLS profile of the hosted cluster.

[richardsonnick]

oh sorry yes no this is not true. removing.

[joelanford]

Can't hurt to verify this, but I don't think this should count toward the 5 tests, the intent of which are more functional rather than verifying assumptions.

[joelanford]

I think there is a different kind of test that we can implement that essentially continuously monitors the cluster to verify an invariant is never violated. The way this test is implemented, you'll only get a point in time verification, which would likely result in false negatives.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[joelanford]

I think it's a stretch to make these two separate tests. But I think a single test that verifies that all valid values can be successfully dry-run updated is a reasonable single test to run.

[candita]

Is it possible to test to make sure this can only be set by cluster-admins? Is there an RBAC in place to test?

[openshift-ci]

@richardsonnick: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-vsphere-ovn	1f5851c	link	true	/test e2e-vsphere-ovn
ci/prow/e2e-metal-ipi-ovn-ipv6	1f5851c	link	true	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-gcp-ovn	1f5851c	link	true	/test e2e-gcp-ovn
ci/prow/e2e-aws-ovn-fips	1f5851c	link	true	/test e2e-aws-ovn-fips

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.