
test: Addition of ginkgo framework dependencies and TLS propagation test#409

Open
kaleemsiddiqu wants to merge 2 commits into openshift:master from kaleemsiddiqu:tls-propagation-test

Conversation


@kaleemsiddiqu kaleemsiddiqu commented Feb 10, 2026

  1. For Ginkgo test framework support, ginkgo dependencies added
  2. Test added to confirm that TLS propagation is applied correctly through controller-manager operator

Test for changes done in #407

@kaleemsiddiqu (Author)

Local run is successful ...

$ ./cluster-openshift-controller-manager-operator-tests-ext run-test "[sig-openshift-controller-manager] TLS Security Profile [Operator][TLS][Serial] should propagate Modern TLS profile from APIServer to OpenShift Controller Manager"
  Running Suite:  - /home/ksiddiqu/openshift-repos/cluster-openshift-controller-manager-operator  
  Random Seed: 1770724152 - will randomize all specs
  Will run 1 of 1 specs  
  [sig-openshift-controller-manager] TLS Security Profile [Operator][TLS][Serial] should propagate Modern TLS profile from APIServer to OpenShift Controller Manager
  github.com/openshift/cluster-openshift-controller-manager-operator/test/e2e/tls_security_profile.go:22
    STEP: Waiting for operator to detect TLS profile change and start progressing @ 02/10/26 17:19:14.959
  "level"=0 "msg"="Operator is now progressing" "reason"="RouteControllerManager_DesiredStateNotYetAchieved::_DesiredStateNotYetAchieved"
    STEP: Waiting for operator to complete reconciliation (may take up to 15 minutes) @ 02/10/26 17:19:35.295
  "level"=0 "msg"="Operator still reconciling" "available"=true "progressing"=true
  ....
  "level"=0 "msg"="Operator reconciliation complete" "available"=true "progressing"=false
    STEP: Verifying TLS config in observed config @ 02/10/26 17:26:05.688
  "level"=0 "msg"="TLS config successfully observed" "config"="{\"build\":{\"buildDefaults\":{\"resources\":{}},\"imageTemplateFormat\":{\"format\":\"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6b886af6a57059906e7758471f7a0929ec32af0bed641688ff2d33d7cc68e3ff\"}},\"controllers\":[\"openshift.io/build\",\"openshift.io/build-config-change\",\"openshift.io/builder-rolebindings\",\"openshift.io/builder-serviceaccount\",\"-openshift.io/default-rolebindings\",\"openshift.io/deployer\",\"openshift.io/deployer-rolebindings\",\"openshift.io/deployer-serviceaccount\",\"openshift.io/deploymentconfig\",\"openshift.io/image-import\",\"openshift.io/image-puller-rolebindings\",\"openshift.io/image-signature-import\",\"openshift.io/image-trigger\",\"openshift.io/ingress-ip\",\"openshift.io/ingress-to-route\",\"openshift.io/origin-namespace\",\"openshift.io/serviceaccount\",\"openshift.io/serviceaccount-pull-secrets\",\"openshift.io/templateinstance\",\"openshift.io/templateinstancefinalizer\",\"openshift.io/unidling\"],\"deployer\":{\"imageTemplateFormat\":{\"format\":\"quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:295c2081fdef963a20bbf322efea62b16581013474ce8371110ea7bec0e66077\"}},\"dockerPullSecret\":{\"internalRegistryHostname\":\"image-registry.openshift-image-registry.svc:5000\"},\"featureGates\":[\"BuildCSIVolumes=true\"],\"ingress\":{\"ingressIPNetworkCIDR\":\"\"},\"servingInfo\":{\"cipherSuites\":[\"TLS_AES_128_GCM_SHA256\",\"TLS_AES_256_GCM_SHA384\",\"TLS_CHACHA20_POLY1305_SHA256\"],\"minTLSVersion\":\"VersionTLS13\"}}"
  "level"=0 "msg"="Validated Modern TLS config" "minTLSVersion"="VersionTLS13" "cipherSuites"=["TLS_AES_128_GCM_SHA256" "TLS_AES_256_GCM_SHA384" "TLS_CHACHA20_POLY1305_SHA256"]
    STEP: Restoring original TLS profile @ 02/10/26 17:26:05.997
    STEP: Waiting for operator to reconcile TLS profile restoration @ 02/10/26 17:26:07.125
  "level"=0 "msg"="Operator reconciliation after restoration complete"
    STEP: Verifying TLS profile was restored correctly @ 02/10/26 17:26:07.421
  "level"=0 "msg"="Waiting for TLS profile restoration to propagate" "current"="VersionTLS13"
  "level"=0 "msg"="TLS profile restored to default" "minTLSVersion"="VersionTLS12"
  • [445.371 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 445.371 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
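The run above ends with the operator's observed config being checked for the Modern profile ("Verifying TLS config in observed config"). As an added example that is not code from this PR or from the operator, here is a stand-alone Go validator for that step: it decodes only servingInfo from the observed-config JSON and requires the exact minTLSVersion and the exact cipher-suite set, so a superset of suites, a missing suite or a not-yet-populated servingInfo fails instead of passing. The sample JSON is constructed from the log line above with the unrelated keys trimmed, and ModernProfile is an assumption that mirrors the values shown in that log line.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// TLSProfile is the servingInfo shape the test expects after propagation.
type TLSProfile struct {
	MinTLSVersion string
	CipherSuites  []string
}

// ModernProfile mirrors the Modern profile as it appears in the observed
// config in the run log above: TLS 1.3 only, with the three TLS 1.3 AEAD suites.
var ModernProfile = TLSProfile{
	MinTLSVersion: "VersionTLS13",
	CipherSuites: []string{
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
		"TLS_CHACHA20_POLY1305_SHA256",
	},
}

// observedConfig decodes only the servingInfo portion of the operator's
// observed config; every other key (build, controllers, deployer, ...) is ignored.
type observedConfig struct {
	ServingInfo *struct {
		CipherSuites  []string `json:"cipherSuites"`
		MinTLSVersion string   `json:"minTLSVersion"`
	} `json:"servingInfo"`
}

// ValidateServingInfo parses raw observed-config JSON and checks that
// servingInfo carries want's minTLSVersion and exactly want's cipher suites
// (order-insensitive, no extras, none missing). It returns nil on a match and
// otherwise an error naming the first discrepancy, which is what a polling
// test should log while it waits for the operator to converge.
func ValidateServingInfo(raw []byte, want TLSProfile) error {
	var cfg observedConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return fmt.Errorf("observed config is not valid JSON: %w", err)
	}
	if cfg.ServingInfo == nil {
		return fmt.Errorf("observed config has no servingInfo yet")
	}
	if got := cfg.ServingInfo.MinTLSVersion; got != want.MinTLSVersion {
		return fmt.Errorf("minTLSVersion: got %q, want %q", got, want.MinTLSVersion)
	}
	got := append([]string(nil), cfg.ServingInfo.CipherSuites...)
	exp := append([]string(nil), want.CipherSuites...)
	sort.Strings(got)
	sort.Strings(exp)
	if strings.Join(got, ",") != strings.Join(exp, ",") {
		return fmt.Errorf("cipherSuites: got %v, want %v", got, exp)
	}
	return nil
}

// sampleObservedConfig is a constructed fragment modelled on the "TLS config
// successfully observed" log line above, with the unrelated keys trimmed.
const sampleObservedConfig = `{
  "featureGates": ["BuildCSIVolumes=true"],
  "servingInfo": {
    "cipherSuites": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"],
    "minTLSVersion": "VersionTLS13"
  }
}`

func main() {
	fmt.Println("modern sample:", ValidateServingInfo([]byte(sampleObservedConfig), ModernProfile)) // <nil>
	weak := `{"servingInfo":{"minTLSVersion":"VersionTLS12","cipherSuites":["TLS_AES_128_GCM_SHA256"]}}`
	fmt.Println("weak sample:  ", ValidateServingInfo([]byte(weak), ModernProfile))
}
```

Comparing the suite list as an exact set rather than with "contains" checks is deliberate: a profile change that leaves a legacy suite in place alongside the TLS 1.3 suites would still pass a containment check, yet it is precisely the regression the test is meant to catch.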

@kaleemsiddiqu (Author)

@ricardomaraschini @ingvagabund @gangwgr please review this.

gangwgr (Contributor) commented Feb 11, 2026

Make 2 commits; vendor changes should be in a different commit.

@kaleemsiddiqu force-pushed the tls-propagation-test branch 2 times, most recently from 8ffbd4c to dd531db on February 11, 2026 13:10
gangwgr (Contributor) commented Feb 13, 2026

@kaleemsiddiqu there is a gap in this.
To verify "operands stop answering TLS v1.2", you would need to:

// Attempt TLS 1.2 connection to the controller-manager service - should FAIL
tlsConfigv12 := &tls.Config{
    MinVersion:         tls.VersionTLS12,
    MaxVersion:         tls.VersionTLS12,
    InsecureSkipVerify: true,
}
conn, err := tls.Dial("tcp", "controller-manager.openshift-controller-manager.svc:443", tlsConfigv12)
// This should fail with a handshake error

// Attempt TLS 1.3 connection - should SUCCEED
tlsConfigv13 := &tls.Config{
    MinVersion:         tls.VersionTLS13,
    MaxVersion:         tls.VersionTLS13,
    InsecureSkipVerify: true,
}
conn, err = tls.Dial("tcp", "controller-manager.openshift-controller-manager.svc:443", tlsConfigv13) // reuse the variables declared above; a second := would not compile
// This should succeed
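What the snippet above sketches, written out as an added, self-contained Go example that is not part of this PR or of the reviewer's code: it starts a loopback TLS listener as a stand-in for the controller-manager service (so the question of reaching the service address from outside the cluster does not arise), makes it enforce a minimum version the way the operand enforces the profile's minTLSVersion, and then probes it with clients pinned to TLS 1.2 and to TLS 1.3. Unlike the snippet, it verifies the stand-in's certificate against a pinned trust store instead of setting InsecureSkipVerify, so a failed probe is attributable to version negotiation rather than to a trust error. The StandIn type and the function names are assumptions; against a real operand the probe would be pointed at the service address and given the cluster's serving CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// StandIn is a loopback TLS listener standing in for the operand (the
// controller-manager service) so the probe can run without a cluster.
type StandIn struct {
	Listener net.Listener
	Roots    *x509.CertPool // trust store holding the stand-in's own certificate
}

func (s *StandIn) Addr() string { return s.Listener.Addr().String() }
func (s *StandIn) Close() error  { return s.Listener.Close() }

// StartStandIn generates a throwaway self-signed certificate for 127.0.0.1 and
// listens on a random loopback port enforcing minVersion, the way an operand
// enforces the profile's minTLSVersion; handshakes complete in the background.
func StartStandIn(minVersion uint16) (*StandIn, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   minVersion,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake() // the outcome is observed by the client probe
			}(c)
		}
	}()
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	return &StandIn{Listener: ln, Roots: roots}, nil
}

// ProbeVersion dials addr with a client pinned to exactly one TLS version; a nil
// error means the server accepted it. The certificate is verified against roots
// rather than skipped, so a failure reflects version negotiation, not trust.
func ProbeVersion(addr string, version uint16, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		MinVersion: version,
		MaxVersion: version,
		RootCAs:    roots,
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	// Modern (TLS 1.3 only) first, then the TLS 1.2 minimum the log shows after restoration.
	for _, minVer := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		srv, err := StartStandIn(minVer)
		if err != nil {
			panic(err)
		}
		for _, probe := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
			fmt.Printf("server min 0x%04x, probe 0x%04x -> %v\n", minVer, probe, ProbeVersion(srv.Addr(), probe, srv.Roots))
		}
		srv.Close()
	}
}
```

Running the same two probes twice, once against a TLS 1.3-only stand-in and once against a TLS 1.2 minimum, covers both halves of the test: the Modern profile must reject the TLS 1.2 handshake and accept TLS 1.3, and after the profile is restored TLS 1.2 must be accepted again.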

Add vendor dependencies for the Ginkgo testing framework,
openshift-tests-extension framework, and testify assertion
library

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
@kaleemsiddiqu (Author)

@kaleemsiddiqu there is a gap in this. To verify "operands stop answering TLS v1.2", you would need to:

// Attempt TLS 1.2 connection to the controller-manager service - should FAIL
tlsConfigv12 := &tls.Config{
    MinVersion:         tls.VersionTLS12,
    MaxVersion:         tls.VersionTLS12,
    InsecureSkipVerify: true,
}
conn, err := tls.Dial("tcp", "controller-manager.openshift-controller-manager.svc:443", tlsConfigv12)
// This should fail with a handshake error

// Attempt TLS 1.3 connection - should SUCCEED
tlsConfigv13 := &tls.Config{
    MinVersion:         tls.VersionTLS13,
    MaxVersion:         tls.VersionTLS13,
    InsecureSkipVerify: true,
}
conn, err = tls.Dial("tcp", "controller-manager.openshift-controller-manager.svc:443", tlsConfigv13) // reuse the variables declared above; a second := would not compile
// This should succeed

For this we would have to create a test pod and try it from there; otherwise this would fail, as we are running the test from outside the cluster and DNS resolution of the service in the test will fail.

I think the check on config propagation and operator status is sufficient to verify the issue.

gangwgr (Contributor) commented Feb 16, 2026

@kaleemsiddiqu there is a gap in this. To verify "operands stop answering TLS v1.2", you would need to:

// Attempt TLS 1.2 connection to the controller-manager service - should FAIL
tlsConfigv12 := &tls.Config{
    MinVersion:         tls.VersionTLS12,
    MaxVersion:         tls.VersionTLS12,
    InsecureSkipVerify: true,
}
conn, err := tls.Dial("tcp", "controller-manager.openshift-controller-manager.svc:443", tlsConfigv12)
// This should fail with a handshake error

// Attempt TLS 1.3 connection - should SUCCEED
tlsConfigv13 := &tls.Config{
    MinVersion:         tls.VersionTLS13,
    MaxVersion:         tls.VersionTLS13,
    InsecureSkipVerify: true,
}
conn, err = tls.Dial("tcp", "controller-manager.openshift-controller-manager.svc:443", tlsConfigv13) // reuse the variables declared above; a second := would not compile
// This should succeed

For this we would have to create a test pod and try it from there; otherwise this would fail, as we are running the test from outside the cluster and DNS resolution of the service in the test will fail.

I think the check on config propagation and operator status is sufficient to verify the issue.

You don't need to create a new pod; try with the ocm pods. We have a similar case in the test-private repo in which we use the kas pods.
Try a similar way and see if it works: https://github.com/openshift/openshift-tests-private/blob/main/test/extended/apiserverauth/apiserver.go#L486

Implement end-to-end test to verify that TLS security profile changes
propagate from the APIServer to the OpenShift Controller Manager.

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
@kaleemsiddiqu (Author)

@kaleemsiddiqu there is a gap in this. To verify "operands stop answering TLS v1.2", you would need to:
You don't need to create a new pod; try with the ocm pods. We have a similar case in the test-private repo in which we use the kas pods. Try a similar way and see if it works: https://github.com/openshift/openshift-tests-private/blob/main/test/extended/apiserverauth/apiserver.go#L486

@gangwgr
Updated the code to test the TLS connection with a temp pod approach; please check that.

gangwgr (Contributor) commented Feb 17, 2026

/lgtm

openshift-ci bot added the lgtm label (Indicates that a PR is ready to be merged) on Feb 17, 2026
openshift-ci bot (Contributor) commented Feb 17, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr, kaleemsiddiqu
Once this PR has been reviewed and has the lgtm label, please assign prabhapa for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot (Contributor) commented Feb 17, 2026

@kaleemsiddiqu: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

gangwgr (Contributor) commented Feb 18, 2026

/hold

Labels

lgtm Indicates that a PR is ready to be merged.
