OCPBUGS-70249:Unrevert tls tests with fixes

[wangke19]

### What Was Fixed:

This PR unrereverts the TLS 1.3 / Modern profile tests that were previously reverted in PR #30533 due to test failures. The original implementation was in PR #29611 for OCPBUGS-64799.

After investigation, the test failures were caused by two distinct bugs in the TLS tests:

Bug 1: TestTLSDefaults used direct connection instead of port-forwarding

Problem: The test attempted to connect directly to the external API server hostname from the kubeconfig (e.g., api.cluster5.ocpci.eng.rdu2.redhat.com). When running as a pod in the cluster (CI environment), the pod's internal DNS cannot resolve this external hostname, resulting in:

dial tcp: lookup api.cluster5.ocpci.eng.rdu2.redhat.com on 172.30.0.10:53: no such host

Fix: Updated TestTLSDefaults to use the same forwardPortAndExecute() approach as TestTLSMinimumVersions, which creates an oc port-forward tunnel to the apiserver service. This approach:

• Works both in-cluster (CI) and externally (with kubeconfig)
• Eliminates DNS resolution issues entirely
• Is consistent with the TestTLSMinimumVersions pattern
• Includes built-in retry logic (3 attempts)

Bug 2: TLS 1.3 doesn't support cipher suite configuration

Problem: The intermediate TLS profile allows both TLS 1.2 and TLS 1.3. When the client doesn't specify MaxVersion, it negotiates TLS 1.3 if the server supports it. TLS 1.3 does not support configuring cipher suites (they're predetermined by the spec), so specifying any cipher suite (RC4 or modern ciphers) has no effect. This caused the cipher suite validation test to incorrectly succeed when connecting with deprecated ciphers that should have been rejected.

Example observed behavior:

• Client requests: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)
• With TLS 1.3 negotiated: Connection succeeds using TLS_AES_128_GCM_SHA256 (0x1301)

Fix: Constrain the cipher test to TLS 1.2 only to ensure cipher suite restrictions are actually tested:

cfg := &tls.Config{
    CipherSuites:       []uint16{cipher},
    MinVersion:         tls.VersionTLS12,
    MaxVersion:         tls.VersionTLS12,  // Forces TLS 1.2 so cipher suites are evaluated
    InsecureSkipVerify: true,
}

Additional fixes:

• Fixed variable shadowing where err := conn.Close() shadowed the outer err from tls.Dial(), making the test check the wrong error
• Renamed to dialErr and closeErr for clarity

IPv6 Support

Removed the IPv4-only restriction to enable tests on IPv6 clusters:

• ✅ Tests now run on IPv4-only clusters
• ✅ Tests now run on IPv6-only clusters
• ✅ Tests now run on dual-stack (IPv4+IPv6) clusters

The tests use port-forwarding to localhost, which resolves appropriately in both IPv4 (127.0.0.1) and IPv6 (::1) environments.

Testing

Tested against live OpenShift cluster with both single-stack IPv4 and dual-stack IPv6 configurations:

SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 0 Skipped

Related Issues

• Fixes: OCPBUGS-64799
• Reverts: PR TRT-2439: Revert "TLS 1.3 / Modern profile tests" #30533 (the revert)
• Original implementation: PR OCPBUGS-64799: TLS 1.3 / Modern profile tests #29611
• Related: TRT-2439

References

• TLS 1.3 RFC 8446 - Cipher suites are predefined and not configurable
• k8s.io/client-go/rest.Config documentation
• openshift/library-go DefaultCiphers() - deliberately excludes RC4 and weak ciphers

[openshift-ci-robot]

Pipeline controller notification
This repository is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[wangke19]

/payload-job periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-bm

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-bm

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/be3adcd0-ca92-11f0-97ec-df7a13906fc6-0

[wangke19]

/payload-job periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-bm

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-bm

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/7f1cfd90-caf5-11f0-9972-e7706940b560-0

[wangke19]

/payload-job periodic-ci-openshift-release-master-nightly-4.21-e2e-agent-ha-dualstack-conformance

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.21-e2e-agent-ha-dualstack-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/92ceccb0-caf5-11f0-9c4d-d12e7d9d0fa5-0

[wangke19]

/payload-job periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-upgrade

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/ab7846b0-caf5-11f0-9605-34cb18c668c9-0

[wangke19]

/payload-job periodic-ci-openshift-release-master-nightly-4.21-e2e-agent-ha-dualstack-conformance

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.21-e2e-agent-ha-dualstack-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/6ba60730-cb3a-11f0-8d31-f7a85637c458-0

[openshift-ci-robot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[wangke19]

/payload-job periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-bm

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-bm

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/1ab2d0e0-cb64-11f0-8005-06e842255afc-0

[wangke19]

/payload-job periodic-ci-openshift-release-master-nightly-4.21-e2e-agent-ha-dualstack-conformance

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.21-e2e-agent-ha-dualstack-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/25e247c0-cb64-11f0-9b6a-fc6039487e5f-0

[wangke19]

/payload-job periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-upgrade

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-upgrade

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/2ffb6ca0-cb64-11f0-87e6-5149162538b8-0

[openshift-ci-robot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[wangke19]

/payload-job periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-bm

[openshift-ci]

@wangke19: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-master-nightly-4.21-e2e-metal-ipi-ovn-bm

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/d89f6d30-cc67-11f0-9540-2d1926f59e52-0

[openshift-ci-robot]

@wangke19: This pull request references Jira Issue OCPBUGS-70249, which is invalid:

• expected the bug to target either version "4.22." or "openshift-4.22.", but it targets "4.21.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[wangke19]

/jira refresh

[openshift-ci-robot]

@wangke19: This pull request references Jira Issue OCPBUGS-70249, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@openshift-ci-robot: GitHub didn't allow me to request PR reviews from the following users: wangke19.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

@wangke19: This pull request references Jira Issue OCPBUGS-70249, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[neisw]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jacobsee, neisw, wangke19

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [neisw]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 66bd106 and 2 for PR HEAD 4402603 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 8d2c06c and 1 for PR HEAD 4402603 in total

[wangke19]

/test okd-scos-images

[smg247]

/override ci/prow/okd-scos-images

[openshift-ci-robot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci]

@smg247: Overrode contexts on behalf of smg247: ci/prow/okd-scos-images

Details

In response to this:

/override ci/prow/okd-scos-images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[wangke19]

/test e2e-aws-ovn-microshift

[wangke19]

/cherry-pick release-4.21

[openshift-cherrypick-robot]

@wangke19: once the present PR merges, I will cherry-pick it on top of release-4.21 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-trt]

Job Failure Risk Analysis for sha: 4402603

Job Name	Failure Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn-upgrade	High

[wangke19]

/test e2e-gcp-ovn-upgrade

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD c2f0318 and 0 for PR HEAD 4402603 in total

[neisw]

/override ci/prow/okd-scos-images

[openshift-ci]

@neisw: Overrode contexts on behalf of neisw: ci/prow/okd-scos-images

Details

In response to this:

/override ci/prow/okd-scos-images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@wangke19: Jira Issue Verification Checks: Jira Issue OCPBUGS-70249
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-70249 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

### What Was Fixed:

This PR unrereverts the TLS 1.3 / Modern profile tests that were previously reverted in PR #30533 due to test failures. The original implementation was in PR #29611 for OCPBUGS-64799.

After investigation, the test failures were caused by two distinct bugs in the TLS tests:

Bug 1: TestTLSDefaults used direct connection instead of port-forwarding

Problem: The test attempted to connect directly to the external API server hostname from the kubeconfig (e.g., api.cluster5.ocpci.eng.rdu2.redhat.com). When running as a pod in the cluster (CI environment), the pod's internal DNS cannot resolve this external hostname, resulting in:

dial tcp: lookup api.cluster5.ocpci.eng.rdu2.redhat.com on 172.30.0.10:53: no such host

Fix: Updated TestTLSDefaults to use the same forwardPortAndExecute() approach as TestTLSMinimumVersions, which creates an oc port-forward tunnel to the apiserver service. This approach:

• Works both in-cluster (CI) and externally (with kubeconfig)
• Eliminates DNS resolution issues entirely
• Is consistent with the TestTLSMinimumVersions pattern
• Includes built-in retry logic (3 attempts)

Bug 2: TLS 1.3 doesn't support cipher suite configuration

Problem: The intermediate TLS profile allows both TLS 1.2 and TLS 1.3. When the client doesn't specify MaxVersion, it negotiates TLS 1.3 if the server supports it. TLS 1.3 does not support configuring cipher suites (they're predetermined by the spec), so specifying any cipher suite (RC4 or modern ciphers) has no effect. This caused the cipher suite validation test to incorrectly succeed when connecting with deprecated ciphers that should have been rejected.

Example observed behavior:

• Client requests: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)
• With TLS 1.3 negotiated: Connection succeeds using TLS_AES_128_GCM_SHA256 (0x1301)

Fix: Constrain the cipher test to TLS 1.2 only to ensure cipher suite restrictions are actually tested:

cfg := &tls.Config{
   CipherSuites:       []uint16{cipher},
   MinVersion:         tls.VersionTLS12,
   MaxVersion:         tls.VersionTLS12,  // Forces TLS 1.2 so cipher suites are evaluated
   InsecureSkipVerify: true,
}

Additional fixes:

• Fixed variable shadowing where err := conn.Close() shadowed the outer err from tls.Dial(), making the test check the wrong error
• Renamed to dialErr and closeErr for clarity

IPv6 Support

Removed the IPv4-only restriction to enable tests on IPv6 clusters:

• ✅ Tests now run on IPv4-only clusters
• ✅ Tests now run on IPv6-only clusters
• ✅ Tests now run on dual-stack (IPv4+IPv6) clusters

The tests use port-forwarding to localhost, which resolves appropriately in both IPv4 (127.0.0.1) and IPv6 (::1) environments.

Testing

Tested against live OpenShift cluster with both single-stack IPv4 and dual-stack IPv6 configurations:

SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 0 Skipped

Related Issues

• Fixes: OCPBUGS-64799
• Reverts: PR TRT-2439: Revert "TLS 1.3 / Modern profile tests" #30533 (the revert)
• Original implementation: PR OCPBUGS-64799: TLS 1.3 / Modern profile tests #29611
• Related: TRT-2439

References

• TLS 1.3 RFC 8446 - Cipher suites are predefined and not configurable
• k8s.io/client-go/rest.Config documentation
• openshift/library-go DefaultCiphers() - deliberately excludes RC4 and weak ciphers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@wangke19: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-cherrypick-robot]

@wangke19: new pull request created: #30660

Details

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.