Skip to content

CORENET-7054: Use TLS profile to render CLI args for deployed components#3043

Open
tpantelis wants to merge 7 commits into
openshift:masterfrom
tpantelis:render_tls_args
Open

CORENET-7054: Use TLS profile to render CLI args for deployed components#3043
tpantelis wants to merge 7 commits into
openshift:masterfrom
tpantelis:render_tls_args

Conversation

@tpantelis

Copy link
Copy Markdown
Contributor

See commits for details

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 6, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@tpantelis: This pull request references CORENET-7054 which is a valid jira issue.

Details

In response to this:

See commits for details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tpantelis

Copy link
Copy Markdown
Contributor Author

/cc @danwinship

@openshift-ci openshift-ci Bot requested a review from danwinship July 6, 2026 13:32
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5aaa8e41-daef-4db1-bff6-6598ccae3843

📥 Commits

Reviewing files that changed from the base of the PR and between 274ce30 and ac5e5ce.

📒 Files selected for processing (23)
  • bindata/kube-proxy/kube-proxy.yaml
  • bindata/network/frr-k8s/frr-k8s.yaml
  • bindata/network/frr-k8s/node-status-cleaner.yaml
  • bindata/network/multus-admission-controller/admission-controller.yaml
  • bindata/network/network-metrics/001-daemonset.yaml
  • bindata/network/node-identity/managed/node-identity.yaml
  • bindata/network/node-identity/self-hosted/node-identity.yaml
  • bindata/network/ovn-kubernetes/common/008-script-lib.yaml
  • bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
  • pkg/network/bootstrap_test.go
  • pkg/network/kube_proxy.go
  • pkg/network/kube_proxy_test.go
  • pkg/network/multus.go
  • pkg/network/multus_admission_controller.go
  • pkg/network/multus_admission_controller_test.go
  • pkg/network/network_metrics_test.go
  • pkg/network/node_identity.go
  • pkg/network/node_identity_test.go
  • pkg/network/ovn_kubernetes.go
  • pkg/network/ovn_kubernetes_test.go
  • pkg/network/render.go
  • pkg/network/render_test.go
  • pkg/network/tls.go
🚧 Files skipped from review as they are similar to previous changes (18)
  • pkg/network/kube_proxy.go
  • bindata/network/node-identity/managed/node-identity.yaml
  • pkg/network/multus_admission_controller.go
  • pkg/network/ovn_kubernetes.go
  • pkg/network/tls.go
  • bindata/kube-proxy/kube-proxy.yaml
  • pkg/network/ovn_kubernetes_test.go
  • pkg/network/node_identity.go
  • pkg/network/render.go
  • pkg/network/bootstrap_test.go
  • pkg/network/network_metrics_test.go
  • pkg/network/kube_proxy_test.go
  • pkg/network/multus_admission_controller_test.go
  • bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
  • pkg/network/node_identity_test.go
  • pkg/network/render_test.go
  • pkg/network/multus.go
  • bindata/network/node-identity/self-hosted/node-identity.yaml

Summary by CodeRabbit

  • New Features
    • Components that use TLS can now follow the configured TLS profile for minimum version and cipher suites.
    • Support was added across network-related workloads so more services start with consistent TLS settings.
  • Bug Fixes
    • Improved TLS handling for TLS 1.3 by avoiding explicit cipher suite settings when they are not needed.
    • Normalized cipher suite values so configured TLS settings are applied more reliably.

Walkthrough

This PR propagates TLS profile data into multiple network render paths, updates manifests and scripts to conditionally emit TLS min-version/cipher-suite arguments, normalizes TLS profile cipher handling, and expands rendering tests to verify the new output.

Changes

TLS profile rendering updates

Layer / File(s) Summary
TLS profile normalization
pkg/network/tls.go, pkg/network/bootstrap_test.go
toTLSProfile clears cipher suites for TLS 1.3 and normalizes cipher names; bootstrap tests were updated for the new profile values.
Render data gets TLS fields
pkg/network/kube_proxy.go, pkg/network/ovn_kubernetes.go, pkg/network/multus.go, pkg/network/multus_admission_controller.go, pkg/network/node_identity.go, pkg/network/render.go
Render entry points now inject TLS profile data before manifest generation for kube-proxy, OVN-Kubernetes, Multus, node identity, and FRR routing capabilities.
Manifest and script TLS arguments
bindata/kube-proxy/kube-proxy.yaml, bindata/network/multus-admission-controller/admission-controller.yaml, bindata/network/network-metrics/001-daemonset.yaml, bindata/network/node-identity/managed/node-identity.yaml, bindata/network/node-identity/self-hosted/node-identity.yaml, bindata/network/ovn-kubernetes/common/008-script-lib.yaml, bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml, bindata/network/frr-k8s/frr-k8s.yaml, bindata/network/frr-k8s/node-status-cleaner.yaml
Templates and the shared ovnkube script library now conditionally emit TLS min-version and cipher-suite flags, and ovnkube-control-plane now sources the shared script library.
Renderer tests
pkg/network/kube_proxy_test.go, pkg/network/multus_admission_controller_test.go, pkg/network/network_metrics_test.go, pkg/network/node_identity_test.go, pkg/network/ovn_kubernetes_test.go, pkg/network/render_test.go
Rendering tests were expanded to extract rendered commands/scripts and assert the TLS-aware arguments across kube-proxy, Multus admission controller, network-metrics, node identity, OVN-Kubernetes, and FRR outputs.

Estimated code review effort: 4 (Complex) | ~60 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5 | ❌ 10

❌ Failed checks (10 inconclusive)

Check name Status Explanation Resolution
Stable And Deterministic Test Names ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Test Structure And Quality ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Microshift Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Single Node Openshift (Sno) Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Topology-Aware Scheduling Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ote Binary Stdout Contract ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Ipv6 And Disconnected Network Test Compatibility ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Weak-Crypto ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
Container-Privileges ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
No-Sensitive-Data-In-Logs ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: rendering deployed components' CLI args from the TLS profile.
Description check ✅ Passed The description is brief, but it is still related to the commit-based TLS profile rendering changes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="Running error: context loading failed: failed to load packages: failed to load packages: failed to load with go/packages: err: exit status 1: stderr: go: inconsistent vendoring in :\n\tgithub.com/Masterminds/semver@v1.5.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/Masterminds/sprig/v3@v3.2.3: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/containernetworking/cni@v0.8.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ghodss/yaml@v1.0.1-0.20190212211648-25d852aebe32: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/go-bindata/go-bindata@v3.1.2+incompatible: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/onsi/gomega@v1.39.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tgithub.com/ope

... [truncated 17405 characters] ...

red in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/gengo/v2@v2.0.0-20251215205346-5ee0d033ba5b: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kms@v0.35.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tk8s.io/kube-aggregator@v0.35.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/randfill@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\tsigs.k8s.io/structured-merge-diff/v6@v6.3.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt\n\n\tTo ignore the vendor directory, use -mod=readonly or -mod=mod.\n\tTo sync the vendor directory, run:\n\t\tgo mod vendor\n"


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from marty-power and taanyas July 6, 2026 13:34
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tpantelis
Once this PR has been reviewed and has the lgtm label, please assign jcaamano for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
bindata/network/node-identity/managed/node-identity.yaml (1)

138-154: 🩺 Stability & Availability | 🔴 Critical | ⚡ Quick win

Missing line continuation breaks the webhook exec command when TLS profile is enabled.

Line 148 (--loglevel="${LOGLEVEL}") has no trailing \, but the TLS args block is appended right after it. When .UseTLSProfile is true, the rendered script becomes two separate shell statements — bash will try to execute --tls-min-version=... as a command name and fail (script runs with set -xe), crashing the webhook container. The self-hosted template avoids this by placing the TLS block before the unconditional last argument. Apply the same ordering here.

🐛 Proposed fix
                 --extra-allowed-user="system:serviceaccount:openshift-ovn-kubernetes:ovn-kubernetes-control-plane" \
                 --pod-admission-conditions="/var/run/ovnkube-identity-config/additional-pod-admission-cond.json" \
-                --loglevel="${LOGLEVEL}"
              {{- if .UseTLSProfile }}
                 --tls-min-version={{.TLSMinVersion}} \
              {{- if .TLSCipherSuites }}
                 --tls-cipher-suites={{.TLSCipherSuites}} \
              {{- end }}
              {{- end }}
+                --loglevel="${LOGLEVEL}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/network/node-identity/managed/node-identity.yaml` around lines 138 -
154, The exec command in the ovnkube-identity container template is broken when
UseTLSProfile is enabled because the unconditional --loglevel argument ends the
shell line before the TLS flags, so the inserted TLS block is treated as a
separate command. Update the command in node-identity.yaml to keep the TLS
arguments part of the same exec invocation by reordering them so the TLS block
appears before the final unconditional argument, matching the self-hosted
template and preserving the line continuations around the webhook exec command.
🧹 Nitpick comments (3)
pkg/network/ovn_kubernetes_test.go (1)

197-215: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Minor: callback reassigns outer-scope objs/err instead of using local variables.

Purely cosmetic since objs/err aren't read again after this block, but shadowing with local variables inside the closure would be clearer.

♻️ Optional cleanup
 		func(t *testing.T, tlsProfile bootstrap.TLSProfile) string {
 			testBootstrap := *bootstrapResult
 			testBootstrap.TLSProfile = tlsProfile
-			objs, _, err = renderOVNKubernetes(config, &testBootstrap, manifestDirOvn, fakeClient, featureGatesCNO)
-			g.Expect(err).NotTo(HaveOccurred())
+			objs, _, err := renderOVNKubernetes(config, &testBootstrap, manifestDirOvn, fakeClient, featureGatesCNO)
+			g.Expect(err).NotTo(HaveOccurred())
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/network/ovn_kubernetes_test.go` around lines 197 - 215, The callback in
testTLSArgRendering is reusing the outer-scope objs and err variables from
renderOVNKubernetes, which makes the closure less clear. Update the closure to
use local variables for the renderOVNKubernetes result and error handling, then
continue using those locals when finding the ConfigMap and extracting
ovnkube-lib.sh. Keep the change scoped to the test helper call site in
ovn_kubernetes_test.go.
pkg/network/node_identity_test.go (1)

103-109: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Test only validates substring presence, not shell-script validity.

findOvnkubeIdentityExec and the TLS assertions check ContainSubstring against the raw rendered text, so a missing line-continuation \ (see the managed node-identity.yaml bug) wouldn't be caught by this suite. Consider a lightweight syntax check (e.g., bash -n on the extracted script, if feasible in unit tests) for the rendered command blocks to catch broken continuations.

Also applies to: 160-165, 265-274

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/network/node_identity_test.go` around lines 103 - 109, The current TLS
rendering checks for the webhook command only verify substrings via
findOvnkubeIdentityExec and related TLS assertions, so they can miss broken
shell syntax such as a missing line-continuation. Update the tests around
testTLSArgRendering and the other affected cases to validate the extracted
script as shell, preferably by adding a lightweight syntax check on the rendered
command block (for example via bash -n or an equivalent parsing step) in
addition to the existing content assertions.
bindata/kube-proxy/kube-proxy.yaml (1)

147-154: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

TLS conditional rendering verified correct.

Traced all three branches (UseTLSProfile true+ciphers, true+no-ciphers for TLS1.3, and false/fallback) — shell line continuations render correctly in each case, and fallback cipher list matches the prior hardcoded default. kube-rbac-proxy supports both --tls-min-version and --tls-cipher-suites flags as used here.

One maintainability note: this exact 7-line conditional block is duplicated verbatim in bindata/network/network-metrics/001-daemonset.yaml (and will likely recur in the other sibling renderers in this stack). Consider whether the render pipeline supports a shared template partial (Go template define/template action) to avoid drift if the TLS flag logic changes later.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@bindata/kube-proxy/kube-proxy.yaml` around lines 147 - 154, The TLS flag
rendering block is duplicated in multiple kube-proxy-related templates, which
risks drift if the logic changes. Refactor the repeated `UseTLSProfile` /
`TLSMinVersion` / `TLSCipherSuites` conditional into a shared Go template
partial using `define`/`template`, then reuse that partial from this renderer
and the sibling manifests. Keep the rendered shell line continuations and
fallback cipher list identical by centralizing the logic in one place.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/network/bootstrap_test.go`:
- Around line 89-91: The failure message in the bootstrap test has a stale
expected TLS version, so update the t.Errorf call in the TLS assertion to report
the same expected value used in the if condition within bootstrap_test.go. Use
the existing result.TLSProfile.Spec.MinTLSVersion check as the source of truth
and make the logged expected version consistent with configv1.VersionTLS11 so
failures point to the correct value.

---

Outside diff comments:
In `@bindata/network/node-identity/managed/node-identity.yaml`:
- Around line 138-154: The exec command in the ovnkube-identity container
template is broken when UseTLSProfile is enabled because the unconditional
--loglevel argument ends the shell line before the TLS flags, so the inserted
TLS block is treated as a separate command. Update the command in
node-identity.yaml to keep the TLS arguments part of the same exec invocation by
reordering them so the TLS block appears before the final unconditional
argument, matching the self-hosted template and preserving the line
continuations around the webhook exec command.

---

Nitpick comments:
In `@bindata/kube-proxy/kube-proxy.yaml`:
- Around line 147-154: The TLS flag rendering block is duplicated in multiple
kube-proxy-related templates, which risks drift if the logic changes. Refactor
the repeated `UseTLSProfile` / `TLSMinVersion` / `TLSCipherSuites` conditional
into a shared Go template partial using `define`/`template`, then reuse that
partial from this renderer and the sibling manifests. Keep the rendered shell
line continuations and fallback cipher list identical by centralizing the logic
in one place.

In `@pkg/network/node_identity_test.go`:
- Around line 103-109: The current TLS rendering checks for the webhook command
only verify substrings via findOvnkubeIdentityExec and related TLS assertions,
so they can miss broken shell syntax such as a missing line-continuation. Update
the tests around testTLSArgRendering and the other affected cases to validate
the extracted script as shell, preferably by adding a lightweight syntax check
on the rendered command block (for example via bash -n or an equivalent parsing
step) in addition to the existing content assertions.

In `@pkg/network/ovn_kubernetes_test.go`:
- Around line 197-215: The callback in testTLSArgRendering is reusing the
outer-scope objs and err variables from renderOVNKubernetes, which makes the
closure less clear. Update the closure to use local variables for the
renderOVNKubernetes result and error handling, then continue using those locals
when finding the ConfigMap and extracting ovnkube-lib.sh. Keep the change scoped
to the test helper call site in ovn_kubernetes_test.go.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0b82c24d-12c4-476b-91a0-23123dd70a38

📥 Commits

Reviewing files that changed from the base of the PR and between 28900a1 and 274ce30.

📒 Files selected for processing (23)
  • bindata/kube-proxy/kube-proxy.yaml
  • bindata/network/frr-k8s/frr-k8s.yaml
  • bindata/network/frr-k8s/node-status-cleaner.yaml
  • bindata/network/multus-admission-controller/admission-controller.yaml
  • bindata/network/network-metrics/001-daemonset.yaml
  • bindata/network/node-identity/managed/node-identity.yaml
  • bindata/network/node-identity/self-hosted/node-identity.yaml
  • bindata/network/ovn-kubernetes/common/008-script-lib.yaml
  • bindata/network/ovn-kubernetes/self-hosted/ovnkube-control-plane.yaml
  • pkg/network/bootstrap_test.go
  • pkg/network/kube_proxy.go
  • pkg/network/kube_proxy_test.go
  • pkg/network/multus.go
  • pkg/network/multus_admission_controller.go
  • pkg/network/multus_admission_controller_test.go
  • pkg/network/network_metrics_test.go
  • pkg/network/node_identity.go
  • pkg/network/node_identity_test.go
  • pkg/network/ovn_kubernetes.go
  • pkg/network/ovn_kubernetes_test.go
  • pkg/network/render.go
  • pkg/network/render_test.go
  • pkg/network/tls.go

Comment thread pkg/network/bootstrap_test.go Outdated
tpantelis added 7 commits July 6, 2026 10:08
This commit adds rendering of TLS CLI args based on the TLS profile
to the webhook container command of the network-node-identity Deployment
for both managed and self-hosted environments.

Changes:
- Add TLS profile configuration to renderNetworkNodeIdentity
- Update yaml manifests to include TLS CLI arguments when configured

Also added unit tests for the renderNetworkNodeIdentity function to
verify correct rendering of the DaemonSet (self-hosted) and the
Deployment (HyperShift) configurations, TLS argument handling based on
adherence policies, and proper behavior when network node identity is
disabled.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
This commit adds rendering of TLS CLI args based on the TLS profile
to the multus-admission-controller Deployment.

Changes:
- Add --tls-min-version and --tls-cipher-suites flags to the webhook
  container for both HyperShift and non-HyperShift deployments
- Add --tls-min-version and --tls-cipher-suites flags to kube-rbac-proxy
  with fallback to hardcoded ciphers when TLS profile is not honored
- Call addTLSInfoToRenderData in renderMultusAdmissonControllerConfig
  to populate TLS template data
- Add comprehensive unit tests for TLS argument rendering in both
  HyperShift and non-HyperShift modes

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Replace inline kube-rbac-proxy script code with the
shared start-rbac-proxy-node() function from the ovnkube-script-lib
ConfigMap. This reduces code duplication and ensures consistent
behavior across all OVN Kubernetes components.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Add TLS profile support to the start-rbac-proxy-node() function in the
ovnkube-script-lib ConfigMap. This function is used by kube-rbac-proxy
containers in ovnkube-node and ovnkube-control-plane pods.

Changes:
- Add TLS template code to start-rbac-proxy-node() function in 008-script-lib.yaml
- Add addTLSInfoToRenderData() call in renderOVNKubernetes() function
- Add TLS test to TestRenderOVNKubernetes using testTLSArgRendering helper

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
- Update bindata/kube-proxy/kube-proxy.yaml to use TLS profile template
  variables (UseTLSProfile, TLSMinVersion, TLSCipherSuites) in the
  kube-rbac-proxy container's exec command
- Add call to addTLSInfoToRenderData in renderStandaloneKubeProxy to
  populate TLS profile data in the render context
- Add unit test in TestRenderKubeProxy to verify TLS CLI arguments are
  correctly rendered based on TLS profile adherence policy

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
- Update bindata/network/network-metrics/001-daemonset.yaml to use TLS
  profile template variables (UseTLSProfile, TLSMinVersion,
  TLSCipherSuites) in the kube-rbac-proxy container's args
- Update renderNetworkMetricsDaemon to accept bootstrapResult parameter
  and add call to addTLSInfoToRenderData to populate TLS profile data
- Update renderMultus to pass bootstrapResult to renderNetworkMetricsDaemon
- Add unit test in TestRenderNetworkMetricsDaemon to verify TLS CLI
  arguments are correctly rendered based on TLS profile adherence policy

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
This commit adds rendering of TLS CLI args based on the TLS profile
to the three FRR components that serve HTTPS endpoints:

1. controller container (port 9140) - Kubernetes controller for FRR
2. frr-metrics container (port 9141) - Prometheus metrics exporter
3. frr-k8s-statuscleaner container (port 9123) - Webhook for status cleanup

Changes:
- Add conditional template code to render --tls-min-version and
  --tls-cipher-suites CLI arguments when UseTLSProfile is true
- Update renderAdditionalRoutingCapabilities to accept bootstrapResult
  parameter and call addTLSInfoToRenderData
- Add comprehensive unit tests in Test_renderFRRRoutingCapabilities
  using the testTLSArgRendering helper function

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@tpantelis: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-ovn-ipsec-step-registry ac5e5ce link true /test e2e-ovn-ipsec-step-registry
ci/prow/e2e-azure-ovn-upgrade ac5e5ce link true /test e2e-azure-ovn-upgrade
ci/prow/e2e-aws-ovn-upgrade-ipsec ac5e5ce link true /test e2e-aws-ovn-upgrade-ipsec
ci/prow/e2e-aws-ovn-fdp-qe ac5e5ce link true /test e2e-aws-ovn-fdp-qe
ci/prow/e2e-gcp-ovn-upgrade ac5e5ce link true /test e2e-gcp-ovn-upgrade
ci/prow/e2e-metal-ipi-ovn-ipv6 ac5e5ce link true /test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw ac5e5ce link true /test e2e-metal-ipi-ovn-dualstack-bgp-local-gw
ci/prow/5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade ac5e5ce link false /test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade
ci/prow/5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade ac5e5ce link false /test 5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade
ci/prow/e2e-aws-ovn-upgrade ac5e5ce link true /test e2e-aws-ovn-upgrade
ci/prow/frrk8s-e2e ac5e5ce link false /test frrk8s-e2e
ci/prow/e2e-gcp-ovn ac5e5ce link true /test e2e-gcp-ovn
ci/prow/e2e-aws-ovn-hypershift-conformance ac5e5ce link true /test e2e-aws-ovn-hypershift-conformance
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec ac5e5ce link true /test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/e2e-aws-ovn-rhcos10-techpreview ac5e5ce link false /test e2e-aws-ovn-rhcos10-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants