Add extensive e2e automation for TLS profile test

[chiragkyal]

Summary by CodeRabbit

• New Features

  • Expanded end-to-end coverage for cluster TLS profile handling across multiple scenarios.
  • Added checks for profile changes, including switching between older TLS settings and modern settings.

• Bug Fixes

  • Improved validation that TLS settings are applied consistently across key components.
  • Added safeguards to confirm rollback and temporary override behavior work as expected.

• Tests

  • Reworked the TLS profile e2e suite to cover more real-world certificate and cipher suite combinations.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: chiragkyal
Once this PR has been reviewed and has the lgtm label, please assign mytreya-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1c390f84-a65f-4872-8099-ebffa7a49224

📥 Commits

Reviewing files that changed from the base of the PR and between 4cae755 and 0d71464.

📒 Files selected for processing (1)

• test/e2e/tls_profile_test.go

---

Walkthrough

The TLS profile e2e test now saves and restores cluster apiserver TLS state, covers legacy and strict adherence paths across cert-manager operands, checks webhook override precedence, and verifies live transitions from Intermediate to Modern.

Changes

TLS profile e2e coverage

Layer / File(s)	Summary
Fixtures and hooks test/e2e/tls_profile_test.go	Adds reusable TLS profile objects, the touched deployments list, and shared setup and teardown that save, verify, restore, and clean cluster apiserver TLS state while checking operator health.
Adherence and overrides test/e2e/tls_profile_test.go	Adds S1–S8 checks for legacy and strict TLS adherence, operand and webhook arg expectations across Modern, Intermediate, and Old profiles, rollback from Strict to Legacy, and a retrying helper for updating or clearing webhook unsupported args.
Live profile switch test/e2e/tls_profile_test.go	Adds S9 coverage for switching the cluster profile from Intermediate to Modern and asserts removal of cipher-suite args plus Modern effective-spec alignment across the webhook and operands.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	Several Expect(err).NotTo(HaveOccurred()) assertions lack diagnostic messages (e.g. lines 87, 135, 164, 190, 210, 330).	Add contextual failure messages to the bare error assertions, or wrap them in helper assertions that report which scenario/step failed.
Microshift Test Compatibility	⚠️ Warning	The new S1–S9 e2e tests read/update apiserver.config.openshift.io/cluster via config.openshift.io APIs, but the suite has no MicroShift skip tag or runtime MicroShift guard.	Add [apigroup:config.openshift.io] or [Skipped:MicroShift], or gate the suite with exutil.IsMicroShiftCluster() and g.Skip().

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title matches the main change: expanding TLS profile e2e test automation into a more extensive suite.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo titles in tls_profile_test.go are static, descriptive strings; no fmt.Sprintf, generated IDs, dates, or runtime values appear in test names.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The new suite only patches cluster TLS config and checks deployment args; it has no node-count, rescheduling, topology-spread, or SNO-specific assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	Only an e2e TLS profile test changed; no manifests, controllers, affinity, nodeSelector, spread, or replica logic were added.
Ote Binary Stdout Contract	✅ Passed	Changed e2e file has no main/init/TestMain/BeforeSuite stdout writes; it only uses Ginkgo By/Skip and fmt for errors.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	tls_profile_test.go only patches cluster TLS config and checks deployment args; no IPv4 literals, host/IP URL building, or external network calls found.
No-Weak-Crypto	✅ Passed	The changed test file only uses OpenShift TLS profile objects and modern AES-GCM/TLS version args; no MD5/SHA1/DES/RC4/3DES/ECB, custom crypto, or secret comparisons found.
Container-Privileges	✅ Passed	The PR only rewrites an e2e test helper; no container/K8s manifests or privilege-related fields (privileged, hostPID/Network/IPC, SYS_ADMIN, allowPrivilegeEscalation) are added.
No-Sensitive-Data-In-Logs	✅ Passed	New test logs only TLS/profile steps and operand names; no passwords, tokens, PII, hostnames, or secrets appear in the code or diff.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

@chiragkyal: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[chiragkyal]

/cc @arun717 @bharath-b-rh @mytreya-rh