In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

In response to this:

@wangke19: This pull request references Jira Issue OCPBUGS-70249, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

• OWNERS [neisw]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

In response to this:

/override ci/prow/okd-scos-images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

In response to this:

/override ci/prow/okd-scos-images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

In response to this:

### What Was Fixed:

This PR unrereverts the TLS 1.3 / Modern profile tests that were previously reverted in PR #30533 due to test failures. The original implementation was in PR #29611 for OCPBUGS-64799.

After investigation, the test failures were caused by two distinct bugs in the TLS tests:

Bug 1: TestTLSDefaults used direct connection instead of port-forwarding

Problem: The test attempted to connect directly to the external API server hostname from the kubeconfig (e.g., api.cluster5.ocpci.eng.rdu2.redhat.com). When running as a pod in the cluster (CI environment), the pod's internal DNS cannot resolve this external hostname, resulting in:

dial tcp: lookup api.cluster5.ocpci.eng.rdu2.redhat.com on 172.30.0.10:53: no such host

Fix: Updated TestTLSDefaults to use the same forwardPortAndExecute() approach as TestTLSMinimumVersions, which creates an oc port-forward tunnel to the apiserver service. This approach:

• Works both in-cluster (CI) and externally (with kubeconfig)
• Eliminates DNS resolution issues entirely
• Is consistent with the TestTLSMinimumVersions pattern
• Includes built-in retry logic (3 attempts)

Bug 2: TLS 1.3 doesn't support cipher suite configuration

Problem: The intermediate TLS profile allows both TLS 1.2 and TLS 1.3. When the client doesn't specify MaxVersion, it negotiates TLS 1.3 if the server supports it. TLS 1.3 does not support configuring cipher suites (they're predetermined by the spec), so specifying any cipher suite (RC4 or modern ciphers) has no effect. This caused the cipher suite validation test to incorrectly succeed when connecting with deprecated ciphers that should have been rejected.

Example observed behavior:

• Client requests: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xC007)
• With TLS 1.3 negotiated: Connection succeeds using TLS_AES_128_GCM_SHA256 (0x1301)

Fix: Constrain the cipher test to TLS 1.2 only to ensure cipher suite restrictions are actually tested:

cfg := &tls.Config{
   CipherSuites:       []uint16{cipher},
   MinVersion:         tls.VersionTLS12,
   MaxVersion:         tls.VersionTLS12,  // Forces TLS 1.2 so cipher suites are evaluated
   InsecureSkipVerify: true,
}

Additional fixes:

• Fixed variable shadowing where err := conn.Close() shadowed the outer err from tls.Dial(), making the test check the wrong error
• Renamed to dialErr and closeErr for clarity

IPv6 Support

Removed the IPv4-only restriction to enable tests on IPv6 clusters:

• ✅ Tests now run on IPv4-only clusters
• ✅ Tests now run on IPv6-only clusters
• ✅ Tests now run on dual-stack (IPv4+IPv6) clusters

The tests use port-forwarding to localhost, which resolves appropriately in both IPv4 (127.0.0.1) and IPv6 (::1) environments.

Testing

Tested against live OpenShift cluster with both single-stack IPv4 and dual-stack IPv6 configurations:

SUCCESS! -- 2 Passed | 0 Failed | 0 Pending | 0 Skipped

Related Issues

• Fixes: OCPBUGS-64799
• Reverts: PR TRT-2439: Revert "TLS 1.3 / Modern profile tests" #30533 (the revert)
• Original implementation: PR OCPBUGS-64799: TLS 1.3 / Modern profile tests #29611
• Related: TRT-2439

References

• TLS 1.3 RFC 8446 - Cipher suites are predefined and not configurable
• k8s.io/client-go/rest.Config documentation
• openshift/library-go DefaultCiphers() - deliberately excludes RC4 and weak ciphers

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.