58 changes: 38 additions & 20 deletions test/extended/tls/tls_observed_config.go
@@ -53,6 +53,7 @@ type observedConfigTarget struct {
namespace string
operatorConfigGVR schema.GroupVersionResource
operatorConfigName string
servingInfoPath []string // default: ["servingInfo"]
managementClusterComponent bool
}

@@ -110,6 +111,7 @@ var observedConfigTargets = []observedConfigTarget{
{namespace: "openshift-etcd", operatorConfigGVR: schema.GroupVersionResource{Group: "operator.openshift.io", Version: "v1", Resource: "etcds"}, operatorConfigName: "cluster", managementClusterComponent: true},
{namespace: "openshift-kube-controller-manager", operatorConfigGVR: schema.GroupVersionResource{Group: "operator.openshift.io", Version: "v1", Resource: "kubecontrollermanagers"}, operatorConfigName: "cluster", managementClusterComponent: true},
{namespace: "openshift-kube-scheduler", operatorConfigGVR: schema.GroupVersionResource{Group: "operator.openshift.io", Version: "v1", Resource: "kubeschedulers"}, operatorConfigName: "cluster", managementClusterComponent: true},
{namespace: "openshift-authentication-operator", operatorConfigGVR: schema.GroupVersionResource{Group: "operator.openshift.io", Version: "v1", Resource: "authentications"}, operatorConfigName: "cluster", servingInfoPath: []string{"oauthServer", "servingInfo"}, managementClusterComponent: true},
}

var configMapTargets = []configMapTarget{
@@ -121,6 +123,7 @@ var configMapTargets = []configMapTarget{
{namespace: "openshift-kube-controller-manager", configMapName: "kube-controller-manager-operator-config", configMapNamespace: "openshift-kube-controller-manager-operator", configMapKey: "config.yaml", managementClusterComponent: true},
{namespace: "openshift-kube-scheduler", configMapName: "openshift-kube-scheduler-operator-config", configMapNamespace: "openshift-kube-scheduler-operator", configMapKey: "config.yaml", managementClusterComponent: true},
{namespace: "openshift-cluster-samples-operator", configMapName: "samples-operator-config", configMapNamespace: "openshift-cluster-samples-operator", configMapKey: "config.yaml"},
{namespace: "openshift-authentication-operator", configMapName: "authentication-operator-config", configMapNamespace: "openshift-authentication-operator", configMapKey: "operator-config.yaml", managementClusterComponent: true},
}

var deploymentEnvVarTargets = []deploymentEnvVarTarget{
@@ -139,6 +142,9 @@ var serviceTargets = []serviceTarget{
{namespace: "openshift-kube-controller-manager", serviceName: "kube-controller-manager", servicePort: "443", managementClusterComponent: true},
{namespace: "openshift-kube-scheduler", serviceName: "scheduler", servicePort: "443", managementClusterComponent: true},
{namespace: "openshift-cluster-samples-operator", serviceName: "metrics", servicePort: "60000", deploymentName: "cluster-samples-operator"},
{namespace: "openshift-authentication-operator", serviceName: "metrics", servicePort: "443", deploymentName: "authentication-operator", managementClusterComponent: true},
{namespace: "openshift-authentication", serviceName: "oauth-openshift", servicePort: "443", deploymentName: "oauth-openshift", managementClusterComponent: true},
{namespace: "openshift-oauth-apiserver", serviceName: "api", servicePort: "443", deploymentName: "apiserver", managementClusterComponent: true},
}

// clusterOperatorTarget identifies a ClusterOperator whose stability is
@@ -157,6 +163,7 @@ var clusterOperatorTargets = []clusterOperatorTarget{
{name: "kube-controller-manager", managementClusterComponent: true},
{name: "kube-scheduler", managementClusterComponent: true},
{name: "openshift-samples"},
{name: "authentication", managementClusterComponent: true},
}

var deploymentRolloutTargets = []deploymentRolloutTarget{
@@ -165,6 +172,9 @@ var deploymentRolloutTargets = []deploymentRolloutTarget{
{namespace: "openshift-apiserver", deploymentName: "apiserver", managementClusterComponent: true},
{namespace: "openshift-cluster-version", deploymentName: "cluster-version-operator", managementClusterComponent: true},
{namespace: "openshift-cluster-samples-operator", deploymentName: "cluster-samples-operator"},
{namespace: "openshift-authentication-operator", deploymentName: "authentication-operator", managementClusterComponent: true},
{namespace: "openshift-authentication", deploymentName: "oauth-openshift", managementClusterComponent: true},
{namespace: "openshift-oauth-apiserver", deploymentName: "apiserver", managementClusterComponent: true},
}

// ─── Guest-side filters for HyperShift ─────────────────────────────────────
@@ -800,25 +810,28 @@ func testObservedConfig(oc *exutil.CLI, ctx context.Context, t observedConfigTar
observedJSON, _ := json.MarshalIndent(observedConfigRaw, "", " ")
e2e.Logf("ObservedConfig:\n%s", string(observedJSON))

// Verify servingInfo exists.
g.By("verifying servingInfo in ObservedConfig")
_, found, err = unstructured.NestedMap(observedConfigRaw, "servingInfo")
o.Expect(err).NotTo(o.HaveOccurred(), "failed to get servingInfo from observedConfig")
o.Expect(found).To(o.BeTrue(), "expected servingInfo in ObservedConfig")

// Verify minTLSVersion is populated.
g.By("verifying servingInfo.minTLSVersion in ObservedConfig")
minTLSVersion, found, err := unstructured.NestedString(observedConfigRaw, "servingInfo", "minTLSVersion")
o.Expect(err).NotTo(o.HaveOccurred(), "failed to get servingInfo.minTLSVersion")
o.Expect(found).To(o.BeTrue(), "expected minTLSVersion in servingInfo")
siPath := t.servingInfoPath
if len(siPath) == 0 {
siPath = []string{"servingInfo"}
}
siLabel := strings.Join(siPath, ".")

g.By(fmt.Sprintf("verifying %s in ObservedConfig", siLabel))
_, found, err = unstructured.NestedMap(observedConfigRaw, siPath...)
o.Expect(err).NotTo(o.HaveOccurred(), fmt.Sprintf("failed to get %s from observedConfig", siLabel))
o.Expect(found).To(o.BeTrue(), fmt.Sprintf("expected %s in ObservedConfig", siLabel))

g.By(fmt.Sprintf("verifying %s.minTLSVersion in ObservedConfig", siLabel))
minTLSVersion, found, err := unstructured.NestedString(observedConfigRaw, append(siPath, "minTLSVersion")...)
o.Expect(err).NotTo(o.HaveOccurred(), fmt.Sprintf("failed to get %s.minTLSVersion", siLabel))
o.Expect(found).To(o.BeTrue(), fmt.Sprintf("expected minTLSVersion in %s", siLabel))
o.Expect(minTLSVersion).NotTo(o.BeEmpty(), "expected minTLSVersion to be non-empty")
e2e.Logf("ObservedConfig servingInfo.minTLSVersion: %s", minTLSVersion)
e2e.Logf("ObservedConfig %s.minTLSVersion: %s", siLabel, minTLSVersion)

// Verify cipherSuites is populated.
g.By("verifying servingInfo.cipherSuites in ObservedConfig")
cipherSuites, found, err := unstructured.NestedStringSlice(observedConfigRaw, "servingInfo", "cipherSuites")
o.Expect(err).NotTo(o.HaveOccurred(), "failed to get servingInfo.cipherSuites")
o.Expect(found).To(o.BeTrue(), "expected cipherSuites in servingInfo")
g.By(fmt.Sprintf("verifying %s.cipherSuites in ObservedConfig", siLabel))
cipherSuites, found, err := unstructured.NestedStringSlice(observedConfigRaw, append(siPath, "cipherSuites")...)
o.Expect(err).NotTo(o.HaveOccurred(), fmt.Sprintf("failed to get %s.cipherSuites", siLabel))
o.Expect(found).To(o.BeTrue(), fmt.Sprintf("expected cipherSuites in %s", siLabel))
o.Expect(cipherSuites).NotTo(o.BeEmpty(), "expected cipherSuites to be non-empty")
e2e.Logf("ObservedConfig servingInfo.cipherSuites: %d suites", len(cipherSuites))

@@ -1308,11 +1321,16 @@ func verifyObservedConfigForTargets(oc *exutil.CLI, ctx context.Context, expecte
fmt.Sprintf("expected spec.observedConfig in %s/%s after %s switch",
t.operatorConfigGVR.Resource, t.operatorConfigName, profileLabel))

minTLSVersion, found, err := unstructured.NestedString(observedConfigRaw, "servingInfo", "minTLSVersion")
siPath := t.servingInfoPath
if len(siPath) == 0 {
siPath = []string{"servingInfo"}
}

minTLSVersion, found, err := unstructured.NestedString(observedConfigRaw, append(siPath, "minTLSVersion")...)
o.Expect(err).NotTo(o.HaveOccurred())
o.Expect(found).To(o.BeTrue(),
fmt.Sprintf("expected servingInfo.minTLSVersion in ObservedConfig of %s/%s after %s switch",
t.operatorConfigGVR.Resource, t.operatorConfigName, profileLabel))
fmt.Sprintf("expected %s.minTLSVersion in ObservedConfig of %s/%s after %s switch",
strings.Join(siPath, "."), t.operatorConfigGVR.Resource, t.operatorConfigName, profileLabel))
o.Expect(minTLSVersion).To(o.Equal(expectedVersion),
fmt.Sprintf("ObservedConfig %s/%s: expected minTLSVersion=%s after %s switch, got %s",
t.operatorConfigGVR.Resource, t.operatorConfigName, expectedVersion, profileLabel, minTLSVersion))
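Review bot: In testObservedConfig the cipherSuites log line is left unchanged as `e2e.Logf("ObservedConfig servingInfo.cipherSuites: %d suites", len(cipherSuites))`, so for the new authentication target (path `oauthServer.servingInfo`) it names a path the test did not read, while every neighbouring message now uses siLabel. It should read `e2e.Logf("ObservedConfig %s.cipherSuites: %d suites", siLabel, len(cipherSuites))`, so that a TLS-profile failure in the logs points at the right field. The `len(siPath) == 0` fallback to `[]string{"servingInfo"}` is also written out twice, here and in verifyObservedConfigForTargets; a small method on observedConfigTarget that returns the effective path would keep the two call sites from drifting apart. Both function bodies start and end outside the hunks shown.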