CNTRLPLANE-3428: tls fix HyperShift guest-side CO wait and Custom profile handling

[gangwgr]

Fixed three HyperShift-specific failures in the TLS observed-config e2e tests:

1. Unknown TLS profile type: Custom — After a config-change test sets a Custom profile and DeferCleanup doesn't fully restore, subsequent tests crash because getExpectedMinTLSVersionWithType tries to look up "Custom" in configv1.TLSProfiles, which only contains predefined profiles.

2. ClusterOperator etcd did not reach stable state after 25m0s — waitForGuestOperatorsAfterTLSChange was iterating over all clusterOperatorNames including control-plane COs (etcd, kube-apiserver, etc.) that are managed by the HCP and shouldn't be polled from the guest cluster.

3. deployments.apps "controller-manager" not found — guestSideDeploymentRolloutTargets() was returning all deployment rollout targets including control-plane ones (controller-manager, apiserver, cluster-version-operator) that don't exist on the guest cluster.

Summary by CodeRabbit

• Tests
  • Enhanced TLS tests for HyperShift with refined target selection to skip management-cluster–only components
  • More reliable ConfigMap verification during TLS profile switches by polling until changes appear
  • Stricter validation for custom TLS profiles to require and use explicit custom settings
  • Narrowed operator stabilization checks to only relevant guest-side operators after TLS changes

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Narrow TLS test waits to HyperShift guest-side targets, skip management-cluster-only targets, poll ConfigMaps until inject-TLS and expected TLS appear, and derive Custom TLSProfile min version from Config.Spec.TLSSecurityProfile.Custom.MinTLSVersion.

Changes

TLS Profile Testing Enhancements

Layer / File(s)	Summary
Target types and annotated target lists test/extended/tls/tls_observed_config.go	Replace controlPlane with managementClusterComponent in typed target structs; mark observedConfig, ConfigMap, service, and deployment rollout targets that exist only on the management cluster.
Guest-side filters and operator list test/extended/tls/tls_observed_config.go	Add guestSideClusterOperatorNames and implement guest-side filter helpers to return only targets where managementClusterComponent is false; adjust deployment rollout target filtering and guest operator wait list.
Test loops skipping management-cluster-only targets test/extended/tls/tls_observed_config.go	Update read-only and disruptive test loops (observed-config, ConfigMap injection, deployment env vars, wire-level TLS, and restoration tests) to skip targets marked managementClusterComponent: true on HyperShift.
ConfigMap polling and TLSProfile custom handling test/extended/tls/tls_observed_config.go	verifyConfigMapsForTargets now polls up to 5 minutes for the inject-TLS annotation and expected TLS version substring; getExpectedMinTLSVersionWithType requires .Custom for TLSProfileCustomType and reads minTLSVersion from Custom.MinTLSVersion.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openshift/origin#31160: Both PRs modify test/extended/tls/tls_observed_config.go to implement HyperShift guest-side filtering by introducing/using guest-side target/operator subsets and updating wait logic.

Suggested reviewers

• kaleemsiddiqu

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	71% of assertions lack meaningful failure messages (35 of 49). Tests follow Ginkgo best practices for structure, cleanup, and timeouts, but violate assertion message requirement.	Add failure messages to all o.Expect().NotTo(o.HaveOccurred()) assertions per quality guideline requirement.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main changes: HyperShift-specific TLS fixes including guest-side ClusterOperator wait logic and Custom profile handling, which align with the core objectives.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names use static, hardcoded values (namespace names and service ports) that never change between runs, making them stable and deterministic per requirements.
Microshift Test Compatibility	✅ Passed	All Ginkgo tests in the modified file are protected from running on MicroShift via exutil.IsMicroShiftCluster() check with g.Skip() in BeforeEach blocks in both Describe declarations.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new test declarations added. Existing tests have no multi-node assumptions and skip MicroShift. All changes are topology-agnostic.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only E2E test code (test/extended/tls/tls_observed_config.go) with no deployment manifests, operator code, controllers, or scheduling constraints introduced.
Ote Binary Stdout Contract	✅ Passed	The modified file is a Ginkgo test package with no process-level stdout writes, init/main functions, klog usage, or fmt.Print calls outside test blocks.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo tests added, only modifications to existing test utilities. Existing code properly tests both IPv4 and IPv6, with no external connectivity dependencies.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gangwgr]

/test pull-ci-openshift-origin-main-tls-observed-config-hypershift

[gangwgr]

/test pull-ci-openshift-origin-main-tls-observed-config

[gangwgr]

/test tls-observed-config-hypershift
/test tls-observed-config

[gangwgr]

/test tls-observed-config-hypershift
/test tls-observed-config

[openshift-ci-robot]

@gangwgr: This pull request references CNTRLPLANE-3428 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Fix two issues found in HyperShift CI:

1. waitForGuestOperatorsAfterTLSChange was iterating over all clusterOperatorNames (including etcd, kube-apiserver, etc.) which run on the management cluster. On HyperShift these COs may not stabilize on the guest side after a TLS change, causing a 25m timeout. Use a new guestSideClusterOperatorNames list that only includes guest-side COs (image-registry, openshift-samples).

2. getExpectedMinTLSVersionWithType crashed with "Unknown TLS profile type: Custom" because configv1.TLSProfiles only contains predefined profiles. If a Custom profile is active (e.g. from a failed cleanup), read minTLSVersion directly from the Custom spec instead.

Summary by CodeRabbit

• Bug Fixes
• Ensure custom TLS profiles correctly determine the minimum TLS version.
• Restrict post-TLS-change stability checks and rollout waiting to guest-side components in HyperShift scenarios.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[gangwgr]

/test tls-observed-config-hypershift
/test tls-observed-config

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[gangwgr]

/retest-required

[gangwgr]

/test tls-observed-config-hypershift
/test tls-observed-config

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/extended/tls/tls_observed_config.go (1)

245-246: 💤 Low value

Update skip messages for consistency with field rename.

The skip messages reference "control-plane target" but the field was renamed from controlPlane to managementClusterComponent. For consistency, consider updating the skip messages.

♻️ Suggested message updates

-g.Skip(fmt.Sprintf("Skipping control-plane target %s on HyperShift (runs on management cluster)", target.namespace))
+g.Skip(fmt.Sprintf("Skipping management cluster component %s on HyperShift", target.namespace))

Apply similar changes to lines 257, 268, 279, and the disruptive test skip messages at lines 343, 350, 357, 364.

Also applies to: 256-257, 267-268, 278-279

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/tls/tls_observed_config.go` around lines 245 - 246, The skip
text still says "control-plane target" but the field was renamed to
managementClusterComponent, so update the g.Skip messages invoked where the
condition uses isHyperShiftCluster && target.managementClusterComponent (and any
similar g.Skip calls in the same file that check
target.managementClusterComponent) to say something like "Skipping
management-cluster target %s on HyperShift (runs on management cluster)" and
apply the same wording change to the other occurrences and the disruptive test
skip messages that reference the old "control-plane target" phrasing; ensure you
update all g.Skip calls that mention the target.namespace and refer to
control-plane to use management-cluster instead.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 112-117: The ConfigMap target entries in tls_observed_config.go
for the operator namespaces (the literal slice entries with namespace values
"openshift-controller-manager", "openshift-kube-apiserver",
"openshift-apiserver", "openshift-kube-controller-manager", and
"openshift-kube-scheduler") are missing managementClusterComponent: true; update
each of those ConfigMap target structs to include managementClusterComponent:
true so they match the corresponding observedConfigTargets and serviceTargets
pattern (i.e., add managementClusterComponent: true to the entries with
configMapName "openshift-controller-manager-operator-config",
"kube-apiserver-operator-config", "openshift-apiserver-operator-config",
"kube-controller-manager-operator-config", and
"openshift-kube-scheduler-operator-config").

---

Nitpick comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 245-246: The skip text still says "control-plane target" but the
field was renamed to managementClusterComponent, so update the g.Skip messages
invoked where the condition uses isHyperShiftCluster &&
target.managementClusterComponent (and any similar g.Skip calls in the same file
that check target.managementClusterComponent) to say something like "Skipping
management-cluster target %s on HyperShift (runs on management cluster)" and
apply the same wording change to the other occurrences and the disruptive test
skip messages that reference the old "control-plane target" phrasing; ensure you
update all g.Skip calls that mention the target.namespace and refer to
control-plane to use management-cluster instead.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ed931bc3-96a3-470c-8e1a-13ea809bc0d8

📥 Commits

Reviewing files that changed from the base of the PR and between 0a0131e and daa8f97.

📒 Files selected for processing (1)

• test/extended/tls/tls_observed_config.go

[gangwgr]

/test tls-observed-config-hypershift
/test tls-observed-config

[ricardomaraschini]

Aren't we checking the observed config for the openshift-cluster-samples-operator ?

[ricardomaraschini]

Can't we have these four groups (observedConfigTargets, configMapTargets, serviceTargets and deploymentRolloutTargets) in a single slice of Targets ? What do you think ?

[gangwgr]

These were intentionally split from a single monolithic tlsTarget struct in the previous PR as per per review feedback. Each test category uses different fields — a single struct would carry many unused fields per entry, making it unclear which fields are relevant to each test. Happy to discuss further if you'd prefer a different approach.

[ricardomaraschini]

Why isn't this a function like, for example, guestSideObservedConfigTargets and guestSideConfigMapTargets ?

[ricardomaraschini]

Just for sanity check: isHyperShiftCluster is true if the scan is happening on a "guest cluster" ? Is that it ?

[gangwgr]

Yes, exactly. isHyperShiftCluster is set in BeforeEach via exutil.IsHypershift() — it's true when the test is running against a guest cluster of a HyperShift-hosted control plane.

[gangwgr]

/test tls-observed-config-hypershift
/test tls-observed-config

[gangwgr]

/test tls-observed-config-hypershift
/test tls-observed-config

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[gangwgr]

/retest

[ricardomaraschini]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr, ricardomaraschini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/extended/tls/OWNERS [gangwgr,ricardomaraschini]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gangwgr]

/verified by ci runs

[openshift-ci-robot]

@gangwgr: This PR has been marked as verified by ci runs.

Details

In response to this:

/verified by ci runs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[gangwgr]

/retest-required

[openshift-ci]

@gangwgr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/tls-observed-config	9485c95	link	false	/test tls-observed-config

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.