test: Add TLS security profile propagation test with Ginkgo framework

kaleemsiddiqu · kaleemsiddiqu · commit 8ffbd4caa6fe · 2026-02-11T18:13:58.000+05:30
Implement end-to-end test to verify that TLS security profile changes
propagate from the APIServer to the OpenShift Controller Manager.

Signed-off-by: Kaleemullah Siddiqui &lt;ksiddiqu@redhat.com&gt;
diff --git a/cmd/cluster-openshift-controller-manager-operator-tests-ext/dependencies.go b/cmd/cluster-openshift-controller-manager-operator-tests-ext/dependencies.go
@@ -0,0 +1,8 @@
+// This file imports test packages to ensure they are included in the build.
+// These imports are necessary to register Ginkgo tests with the OpenShift Tests Extension framework.
+package main
+
+import (
+    // Import test packages to register Ginkgo tests
+    _ "github.com/openshift/cluster-openshift-controller-manager-operator/test/e2e"
+)
diff --git a/cmd/cluster-openshift-controller-manager-operator-tests-ext/main.go b/cmd/cluster-openshift-controller-manager-operator-tests-ext/main.go
@@ -1,30 +1,45 @@
+/*
+This command is used to run the Cluster Controller Manager Operator tests extension for OpenShift.
+It registers the Cluster Controller Manager Operator tests with the OpenShift Tests Extension framework
+and provides a command-line interface to execute them.
+For further information, please refer to the documentation at:
+https://github.com/openshift-eng/openshift-tests-extension/blob/main/cmd/example-tests/main.go
+*/
+
 package main
 
 import (
-	"context"
+	"fmt"
 	"os"
 
 	"github.com/spf13/cobra"
 	"k8s.io/component-base/cli"
+	"k8s.io/klog/v2"
 
 	otecmd "github.com/openshift-eng/openshift-tests-extension/pkg/cmd"
 	oteextension "github.com/openshift-eng/openshift-tests-extension/pkg/extension"
+	oteginkgo "github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo"
 	"github.com/openshift/cluster-openshift-controller-manager-operator/pkg/version"
-
-	"k8s.io/klog/v2"
 )
 
 func main() {
-	command := newOperatorTestCommand(context.Background())
-	code := cli.Run(command)
+	cmd, err := newOperatorTestCommand()
+	if err != nil {
+		klog.Fatal(err)
+	}
+
+	code := cli.Run(cmd)
 	os.Exit(code)
 }
 
-func newOperatorTestCommand(ctx context.Context) *cobra.Command {
-	registry := prepareOperatorTestsRegistry()
+func newOperatorTestCommand() (*cobra.Command, error) {
+	registry, err := prepareOperatorTestsRegistry()
+	if err != nil {
+		return nil, fmt.Errorf("failed to prepare test registry: %w", err)
+	}
 
 	cmd := &cobra.Command{
-		Use:   "cluster-openshift-controller-manager-operator-tests-ext",
+		Use:   "cluster-openshift-controller-manager-operator-tests",
 		Short: "A binary used to run cluster-openshift-controller-manager-operator tests as part of OTE.",
 		Run: func(cmd *cobra.Command, args []string) {
 			if err := cmd.Help(); err != nil {
@@ -41,13 +56,29 @@ func newOperatorTestCommand(ctx context.Context) *cobra.Command {
 
 	cmd.AddCommand(otecmd.DefaultExtensionCommands(registry)...)
 
-	return cmd
+	return cmd, nil
 }
 
-func prepareOperatorTestsRegistry() *oteextension.Registry {
+// prepareOperatorTestsRegistry creates the OTE registry for this operator.
+// This method must be called before adding the registry to the OTE framework.
+func prepareOperatorTestsRegistry() (*oteextension.Registry, error) {
 	registry := oteextension.NewRegistry()
 	extension := oteextension.NewExtension("openshift", "payload", "cluster-openshift-controller-manager-operator")
 
+	extension.AddSuite(oteextension.Suite{
+		Name:        "openshift/cluster-openshift-controller-manager-operator/operator/serial",
+		Parallelism: 1,
+		Qualifiers: []string{
+			`name.contains("[Operator]") && name.contains("[Serial]")`,
+		},
+	})
+
+	specs, err := oteginkgo.BuildExtensionTestSpecsFromOpenShiftGinkgoSuite()
+	if err != nil {
+		return nil, fmt.Errorf("couldn't build extension test specs from ginkgo: %w", err)
+	}
+
+	extension.AddSpecs(specs)
 	registry.Register(extension)
-	return registry
+	return registry, nil
 }
diff --git a/test/e2e/tls_security_profile.go b/test/e2e/tls_security_profile.go
@@ -0,0 +1,293 @@
+package e2e
+
+import (
+	"context"
+	"encoding/json"
+	"strings"
+	"testing"
+	"time"
+
+	g "github.com/onsi/ginkgo/v2"
+	"github.com/stretchr/testify/require"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/util/wait"
+
+	configv1 "github.com/openshift/api/config/v1"
+	"github.com/openshift/cluster-openshift-controller-manager-operator/test/framework"
+)
+
+var _ = g.Describe("[sig-openshift-controller-manager] TLS Security Profile", func() {
+	g.It("[Operator][TLS][Serial] should propagate Modern TLS profile from APIServer to OpenShift Controller Manager", func() {
+		testTLSSecurityProfilePropagation(g.GinkgoTB())
+	})
+})
+
+func testTLSSecurityProfilePropagation(t testing.TB) {
+	ctx := context.Background()
+	client := framework.MustNewClientset(t, nil)
+
+	// Make sure the operator is fully up
+	framework.MustEnsureClusterOperatorStatusIsSet(t, client)
+
+	// Get the current APIServer config
+	apiServer, err := client.APIServers().Get(ctx, "cluster", metav1.GetOptions{})
+	require.NoError(t, err, "failed to get APIServer config")
+
+	// Save the original TLS profile for cleanup
+	originalTLSProfile := apiServer.Spec.TLSSecurityProfile
+
+	// Modify the TLS security profile to use Modern profile
+	// Modern profile uses TLS 1.3 with modern cipher suites
+	apiServer.Spec.TLSSecurityProfile = &configv1.TLSSecurityProfile{
+		Type:   configv1.TLSProfileModernType,
+		Modern: &configv1.ModernTLSProfile{},
+	}
+
+	_, err = client.APIServers().Update(ctx, apiServer, metav1.UpdateOptions{})
+	require.NoError(t, err, "failed to update APIServer TLS profile to Modern")
+
+	// Cleanup: restore original TLS profile and verify restoration
+	t.Cleanup(func() {
+		t.Log("Restoring original TLS profile")
+		apiServer, err := client.APIServers().Get(ctx, "cluster", metav1.GetOptions{})
+		if err != nil {
+			t.Logf("failed to get APIServer for cleanup: %v", err)
+			return
+		}
+		apiServer.Spec.TLSSecurityProfile = originalTLSProfile
+		if _, err := client.APIServers().Update(ctx, apiServer, metav1.UpdateOptions{}); err != nil {
+			t.Logf("failed to restore original TLS profile: %v", err)
+			return
+		}
+
+		// Wait for operator to reconcile the restoration
+		t.Log("Waiting for operator to reconcile TLS profile restoration")
+		err = wait.PollUntilContextTimeout(ctx, 10*time.Second, 10*time.Minute, true, func(ctx context.Context) (bool, error) {
+			co, err := client.ClusterOperators().Get(ctx, "openshift-controller-manager", metav1.GetOptions{})
+			if err != nil {
+				t.Logf("error getting clusteroperator during cleanup: %v", err)
+				return false, nil
+			}
+
+			isAvailable := false
+			isProgressing := true
+
+			for _, c := range co.Status.Conditions {
+				if c.Type == configv1.OperatorAvailable && c.Status == configv1.ConditionTrue {
+					isAvailable = true
+				}
+				if c.Type == configv1.OperatorProgressing && c.Status == configv1.ConditionFalse {
+					isProgressing = false
+				}
+			}
+
+			if isAvailable && !isProgressing {
+				t.Log("Operator reconciliation after restoration complete")
+				return true, nil
+			}
+
+			return false, nil
+		})
+		if err != nil {
+			t.Logf("operator did not complete reconciliation after restoration: %v", err)
+			return
+		}
+
+		// Verify TLS profile was restored (should be back to default TLS 1.2 or original setting)
+		t.Log("Verifying TLS profile was restored correctly")
+		err = wait.PollUntilContextTimeout(ctx, 5*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {
+			cfg, err := client.OpenShiftControllerManagers().Get(ctx, "cluster", metav1.GetOptions{})
+			if err != nil {
+				t.Logf("error getting openshift controller manager config during cleanup verification: %v", err)
+				return false, nil
+			}
+
+			observedConfig := map[string]interface{}{}
+			if err := json.Unmarshal(cfg.Spec.ObservedConfig.Raw, &observedConfig); err != nil {
+				t.Logf("failed to unmarshal observed config during cleanup: %v", err)
+				return false, nil
+			}
+
+			// Check the restored TLS version
+			minTLSVersion, found, err := unstructured.NestedString(observedConfig, "servingInfo", "minTLSVersion")
+			if err != nil {
+				t.Logf("error reading minTLSVersion during cleanup: %v", err)
+				return false, nil
+			}
+
+			// If original profile was nil, expect default (typically VersionTLS12)
+			// If original profile was set, it should match
+			if originalTLSProfile == nil {
+				// Default OpenShift TLS profile is typically TLS 1.2
+				if found && minTLSVersion == "VersionTLS12" {
+					t.Logf("TLS profile restored to default: %s", minTLSVersion)
+					return true, nil
+				}
+				// Also accept if TLS config is removed entirely (using cluster defaults)
+				if !found || minTLSVersion == "" {
+					t.Log("TLS profile restored to cluster defaults (no explicit TLS version)")
+					return true, nil
+				}
+			} else {
+				// If there was an original profile, verify it's not TLS 1.3 anymore
+				if found && minTLSVersion != "VersionTLS13" {
+					t.Logf("TLS profile restored from Modern: %s", minTLSVersion)
+					return true, nil
+				}
+			}
+
+			t.Logf("Waiting for TLS profile restoration to propagate, current: %s", minTLSVersion)
+			return false, nil
+		})
+		if err != nil {
+			t.Logf("TLS profile was not properly restored in observed config: %v", err)
+		}
+	})
+
+	// Wait for the operator to start progressing (detecting the change)
+	t.Log("Waiting for operator to detect TLS profile change and start progressing")
+	err = wait.PollUntilContextTimeout(ctx, 5*time.Second, 5*time.Minute, true, func(ctx context.Context) (bool, error) {
+		co, err := client.ClusterOperators().Get(ctx, "openshift-controller-manager", metav1.GetOptions{})
+		if err != nil {
+			t.Logf("error getting clusteroperator: %v", err)
+			return false, nil
+		}
+		for _, c := range co.Status.Conditions {
+			if c.Type == configv1.OperatorProgressing && c.Status == configv1.ConditionTrue {
+				t.Logf("Operator is now progressing, reason: %s", c.Reason)
+				return true, nil
+			}
+		}
+		return false, nil
+	})
+	if err != nil {
+		t.Logf("Warning: operator did not start progressing within 5 minutes, continuing anyway: %v", err)
+	}
+
+	// Wait for the operator to finish progressing (reconciliation complete)
+	// This typically takes 12-15 minutes for TLS changes to propagate
+	t.Log("Waiting for operator to complete reconciliation (may take up to 15 minutes)")
+	err = wait.PollUntilContextTimeout(ctx, 10*time.Second, 15*time.Minute, true, func(ctx context.Context) (bool, error) {
+		co, err := client.ClusterOperators().Get(ctx, "openshift-controller-manager", metav1.GetOptions{})
+		if err != nil {
+			t.Logf("error getting clusteroperator: %v", err)
+			return false, nil
+		}
+
+		isAvailable := false
+		isProgressing := true
+		isDegraded := false
+
+		for _, c := range co.Status.Conditions {
+			if c.Type == configv1.OperatorAvailable && c.Status == configv1.ConditionTrue {
+				isAvailable = true
+			}
+			if c.Type == configv1.OperatorProgressing && c.Status == configv1.ConditionFalse {
+				isProgressing = false
+			}
+			if c.Type == configv1.OperatorDegraded && c.Status == configv1.ConditionTrue {
+				isDegraded = true
+			}
+		}
+
+		if isDegraded {
+			t.Log("Warning: operator is degraded")
+			return false, nil
+		}
+
+		if isAvailable && !isProgressing {
+			t.Log("Operator reconciliation complete")
+			return true, nil
+		}
+
+		t.Logf("Operator still reconciling, available=%v, progressing=%v", isAvailable, isProgressing)
+		return false, nil
+	})
+	require.NoError(t, err, "operator did not complete reconciliation")
+
+	// Now verify the TLS config was propagated to the observed config
+	t.Log("Verifying TLS config in observed config")
+	err = wait.PollUntilContextTimeout(ctx, 5*time.Second, 2*time.Minute, true, func(ctx context.Context) (bool, error) {
+		cfg, err := client.OpenShiftControllerManagers().Get(ctx, "cluster", metav1.GetOptions{})
+		if err != nil {
+			t.Logf("error getting openshift controller manager config: %v", err)
+			return false, nil
+		}
+
+		observed := string(cfg.Spec.ObservedConfig.Raw)
+
+		// The Modern TLS profile should set minTLSVersion to TLS 1.3
+		// We're looking for the propagated TLS settings
+		hasTLSVersion := strings.Contains(observed, "\"minTLSVersion\"")
+		hasCipherSuites := strings.Contains(observed, "\"cipherSuites\"")
+
+		if !hasTLSVersion || !hasCipherSuites {
+			t.Logf("TLS config not yet observed in config: %s", observed)
+			return false, nil
+		}
+
+		t.Logf("TLS config successfully observed: %s", observed)
+
+		// Additional validation: parse the observed config
+		observedConfig := map[string]interface{}{}
+		if err := json.Unmarshal(cfg.Spec.ObservedConfig.Raw, &observedConfig); err != nil {
+			t.Logf("failed to unmarshal observed config: %v", err)
+			return false, nil
+		}
+
+		// Verify servingInfo exists
+		_, found, err := unstructured.NestedMap(observedConfig, "servingInfo")
+		if err != nil || !found {
+			t.Log("servingInfo not found in observed config")
+			return false, nil
+		}
+
+		// Verify minTLSVersion is set to TLS 1.3 (Modern profile)
+		minTLSVersion, found, err := unstructured.NestedString(observedConfig, "servingInfo", "minTLSVersion")
+		if err != nil || !found || minTLSVersion == "" {
+			t.Logf("minTLSVersion not properly set, found=%v, value=%s", found, minTLSVersion)
+			return false, nil
+		}
+
+		// Modern profile should use VersionTLS13 (exact string match)
+		if minTLSVersion != "VersionTLS13" {
+			t.Logf("minTLSVersion not VersionTLS13 yet, got=%s, expected=VersionTLS13", minTLSVersion)
+			return false, nil
+		}
+
+		// Verify cipherSuites is set and contains the expected Modern profile ciphers
+		cipherSuites, found, err := unstructured.NestedStringSlice(observedConfig, "servingInfo", "cipherSuites")
+		if err != nil || !found || len(cipherSuites) == 0 {
+			t.Logf("cipherSuites not properly set, found=%v, count=%d", found, len(cipherSuites))
+			return false, nil
+		}
+
+		// Modern profile should have exactly these TLS 1.3 cipher suites
+		expectedCiphers := []string{
+			"TLS_AES_128_GCM_SHA256",
+			"TLS_AES_256_GCM_SHA384",
+			"TLS_CHACHA20_POLY1305_SHA256",
+		}
+
+		// Verify all expected ciphers are present
+		cipherSet := make(map[string]bool)
+		for _, cipher := range cipherSuites {
+			cipherSet[cipher] = true
+		}
+
+		for _, expected := range expectedCiphers {
+			if !cipherSet[expected] {
+				// Don't fail immediately, keep polling
+				t.Logf("expected cipher suite not found yet: %s, got: %v", expected, cipherSuites)
+				return false, nil
+			}
+		}
+
+		t.Logf("Validated Modern TLS config: minTLSVersion=%s, cipherSuites=%v", minTLSVersion, cipherSuites)
+		return true, nil
+	})
+
+	require.NoError(t, err, "Modern TLS security profile from APIServer was not propagated to OpenShift Controller Manager observed config")
+}
diff --git a/test/framework/clientset.go b/test/framework/clientset.go
@@ -56,7 +56,8 @@ func NewClientset(kubeconfig *restclient.Config) (clientset *Clientset, err erro
 
 // MustNewClientset is like NewClienset but aborts the test if clienset cannot
 // be constructed.
-func MustNewClientset(t *testing.T, kubeconfig *restclient.Config) *Clientset {
+func MustNewClientset(t testing.TB, kubeconfig *restclient.Config) *Clientset {
+	t.Helper()
 	clientset, err := NewClientset(kubeconfig)
 	if err != nil {
 		t.Fatal(err)
diff --git a/test/framework/conditionhelper.go b/test/framework/conditionhelper.go
