tls: add cluster-authentication-operator and operands to tested compo…

[gangwgr]

for https://github.com/openshift/cluster-authentication-operator/pull/892]

Add the authentication operator (openshift-authentication-operator) and its OAuth server operand (openshift-authentication) to all target lists: observedConfigTargets, configMapTargets, serviceTargets, clusterOperatorTargets, and deploymentRolloutTargets.

The authentication operator uses a non-standard ObservedConfig path (oauthServer.servingInfo instead of servingInfo). Add a servingInfoPath field to observedConfigTarget so testObservedConfig and verifyObservedConfigForTargets resolve the path dynamically, defaulting to ["servingInfo"] for all existing targets.

Summary by CodeRabbit

• Tests
  • Extended TLS observed-config test coverage for OpenShift authentication-related operators and components.
  • Enhanced ObservedConfig verification logic configurability for servingInfo JSON paths.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Walkthrough

This PR extends TLS ObservedConfig test coverage to authentication operators by parameterizing the assertion logic with a configurable servingInfoPath field, allowing components to declare nested locations for TLS settings. It adds new test targets for openshift-authentication-operator, openshift-authentication, and openshift-oauth-apiserver across observed-config, ConfigMap injection, service, operator stability, and deployment rollout verification layers.

Changes

TLS ObservedConfig authentication extension

Layer / File(s)	Summary
servingInfoPath field in observedConfigTarget test/extended/tls/tls_observed_config.go	observedConfigTarget struct gains a servingInfoPath field that defaults to ["servingInfo"], enabling different components to specify where TLS configuration is nested in ObservedConfig.
Update verification functions to use servingInfoPath test/extended/tls/tls_observed_config.go	testObservedConfig and verifyObservedConfigForTargets now compute and use the per-target servingInfoPath to extract minTLSVersion and cipherSuites, replacing hardcoded servingInfo references.
Add authentication component targets across test lists test/extended/tls/tls_observed_config.go	Observed-config, ConfigMap injection, wire-level service, ClusterOperator stability, and deployment rollout target lists are expanded with authentication-operator and authentication components, each marked as management-cluster scope and configured with appropriate nested paths.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• openshift/origin#31160: Both PRs modify test/extended/tls/tls_observed_config.go by refactoring observedConfigTarget-driven TLS ObservedConfig verification logic (the referenced PR introduces typed lists; this PR adds configurable servingInfoPath support).
• openshift/origin#31194: Both PRs modify test/extended/tls/tls_observed_config.go to change how TLS profile expectations are derived and validated, with overlapping changes to minTLSVersion handling.

Suggested reviewers

• kaleemsiddiqu

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	New Ginkgo tests have IPv4-only assumption in forwardPortAndExecute() which uses hardcoded 127.0.0.1 for port-forward readiness checks, failing on IPv6-only clusters.	Test both IPv4 and IPv6 localhost addresses for port-forward readiness: test ::1 and 127.0.0.1 with proper error handling for each address family.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main change: adding authentication-related operators to TLS test coverage, which aligns with the PR objectives and code changes.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test titles use static component names and port numbers. New targets follow existing stable naming patterns with no dynamic content changes between runs.
Test Structure And Quality	✅ Passed	Adds auth operator test targets via data. Code quality is high: BeforeEach/DeferCleanup for setup, timeouts on cluster ops, meaningful assertion messages, new entries follow existing patterns.
Microshift Test Compatibility	✅ Passed	No new Ginkgo tests added. All tests skip on MicroShift via exutil.IsMicroShiftCluster() in BeforeEach, preventing unavailable API access.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e test definitions (It/Describe/Context/When) added. PR only extends existing tests with new target entries and refactors utility functions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only test file (test/extended/tls/tls_observed_config.go), adding test targets for authentication operators. No deployment manifests, operator code, or scheduling constraints introduced.
Ote Binary Stdout Contract	✅ Passed	This PR modifies a Ginkgo test package file with no process-level code (no main, init, TestMain functions) and no stdout writes. Changes are data entries and test logic within test blocks.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/extended/tls/OWNERS [gangwgr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (1)

test/extended/tls/tls_observed_config.go (1)

836-836: ⚡ Quick win

Use siLabel instead of hardcoded "servingInfo" for log consistency.

Line 829 correctly uses siLabel when logging minTLSVersion, but this line hardcodes "servingInfo". For the authentication operator (which uses path ["oauthServer", "servingInfo"]), the logs would inconsistently show "oauthServer.servingInfo" for minTLSVersion but just "servingInfo" for cipherSuites.

Suggested fix

-	e2e.Logf("ObservedConfig servingInfo.cipherSuites: %d suites", len(cipherSuites))
+	e2e.Logf("ObservedConfig %s.cipherSuites: %d suites", siLabel, len(cipherSuites))

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/tls/tls_observed_config.go` at line 836, Replace the hardcoded
"servingInfo" string in the e2e.Logf call with the siLabel variable to keep log
labels consistent (the line containing e2e.Logf("ObservedConfig
servingInfo.cipherSuites: %d suites", len(cipherSuites))). Update the call to
use siLabel so it matches the earlier log of minTLSVersion and reflects the full
path (e.g., "oauthServer.servingInfo") dynamically.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/extended/tls/tls_observed_config.go`:
- Line 836: Replace the hardcoded "servingInfo" string in the e2e.Logf call with
the siLabel variable to keep log labels consistent (the line containing
e2e.Logf("ObservedConfig servingInfo.cipherSuites: %d suites",
len(cipherSuites))). Update the call to use siLabel so it matches the earlier
log of minTLSVersion and reflects the full path (e.g.,
"oauthServer.servingInfo") dynamically.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f0d298ae-4ee8-49e1-9cb9-7db47797c99f

📥 Commits

Reviewing files that changed from the base of the PR and between 50759b5 and 743a603.

📒 Files selected for processing (1)

• test/extended/tls/tls_observed_config.go

[gangwgr]

/test tls-observed-config-hypershift
/test tls-observed-config

[gangwgr]

/test tls-observed-config-hypershift
/test tls-observed-config

[gangwgr]

/test tls-observed-config

[openshift-ci]

@gangwgr: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.