Merge pull request #4479 from agullon/USHIFT-2596

openshift-merge-bot[bot] · web-flow · commit d10ca8d5c113 · 2025-02-04T18:53:44.000Z
USHIFT-2596: improve TLS config cipher RF test cases
diff --git a/test/resources/microshift-config.resource b/test/resources/microshift-config.resource
@@ -122,3 +122,13 @@ Clear Lvmd Config
     ...    sudo=True    return_rc=True    return_stderr=True    return_stdout=False
     Log    ${stderr}
     Should Be Equal As Integers    0    ${rc}
+
+Show Config
+    [Documentation]    Run microshift show-config with ${mode}
+    [Arguments]    ${mode}
+    ${output}    ${rc}=    Execute Command
+    ...    microshift show-config --mode ${mode}
+    ...    sudo=True    return_rc=True
+    Should Be Equal As Integers    0    ${rc}
+    ${yaml_data}=    Yaml Parse    ${output}
+    RETURN    ${yaml_data}
diff --git a/test/suites/standard1/show-config.robot b/test/suites/standard1/show-config.robot
@@ -64,13 +64,3 @@ Teardown
     [Documentation]    Test suite teardown
     Remove Drop In MicroShift Config    10-etcd
     Logout MicroShift Host
-
-Show Config
-    [Documentation]    Run microshift show-config with ${mode}
-    [Arguments]    ${mode}
-    ${output}    ${rc}=    Execute Command
-    ...    microshift show-config --mode ${mode}
-    ...    sudo=True    return_rc=True
-    Should Be Equal As Integers    0    ${rc}
-    ${yaml_data}=    Yaml Parse    ${output}
-    RETURN    ${yaml_data}
diff --git a/test/suites/standard2/configuration.robot b/test/suites/standard2/configuration.robot
@@ -48,16 +48,17 @@ ${LVMS_CSI_SNAPSHOT_DISABLED}       SEPARATOR=\n
 ...                                 storage:
 ...                                 \ \ driver: "none"
 ...                                 \ \ optionalCsiComponents: [ none ]
-${TLS_13_MIN_VERSION}               SEPARATOR=\n
-...                                 apiServer:
-...                                 \ \ tls:
-...                                 \ \ \ \ minVersion: VersionTLS13
 ${TLS_12_CUSTOM_CIPHER}             SEPARATOR=\n
 ...                                 apiServer:
 ...                                 \ \ tls:
 ...                                 \ \ \ \ cipherSuites:
-...                                 \ \ \ \ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+...                                 \ \ \ \ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 ...                                 \ \ \ \ minVersion: VersionTLS12
+${TLS_13_MIN_VERSION}               SEPARATOR=\n
+...                                 apiServer:
+...                                 \ \ tls:
+...                                 \ \ \ \ minVersion: VersionTLS13
+${APISERVER_ETCD_CLIENT_CERT}       /var/lib/microshift/certs/etcd-signer/apiserver-etcd-client
 
 
 *** Test Cases ***
@@ -142,37 +143,52 @@ Deploy MicroShift Without CSI Snapshotter
     ...    Remove Storage Drop In Config
     ...    Restart MicroShift
 
-Custom TLS 1_3 configuration
-    [Documentation]    Configure API server to use TLS 1.3 and verify only that
-    ...    version works
-    [Setup]    Setup TLS Configuration    ${TLS_13_MIN_VERSION}
+Custom TLS 1_2 configuration
+    [Documentation]    Configure a custom cipher suite using TLSv1.2 as min version and verify it is used
+    [Setup]    Setup TLS Configuration    ${TLS_12_CUSTOM_CIPHER}
+
+    ${config}=    Show Config    effective
+    Should Be Equal    ${config.apiServer.tls.minVersion}    VersionTLS12
+    Length Should Be    ${config.apiServer.tls.cipherSuites}    2
+    Should Contain    ${config.apiServer.tls.cipherSuites}    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    Should Contain    ${config.apiServer.tls.cipherSuites}    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 
-    ${rc}=    Execute Command
-    ...    openssl s_client -connect ${USHIFT_HOST}:6443 -tls1_3 <<< "Q"
-    ...    sudo=True    return_stdout=False    return_stderr=False    return_rc=True
-    Should Be Equal As Integers    ${rc}    0
+    # on TLSv1.2, openssl ciphers string codes (defined by IANA) does not excatly match openshift ones
+    # custom cipher defined for this test
+    Check TLS Endpoints    0    TLSv1.2    ECDHE-RSA-CHACHA20-POLY1305    # TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    Check TLS Endpoints    1    TLSv1.3    ECDHE-RSA-CHACHA20-POLY1305    # TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 
-    ${rc}=    Execute Command
-    ...    openssl s_client -connect ${USHIFT_HOST}:6443 -tls1_2
-    ...    sudo=True    return_stdout=False    return_stderr=False    return_rc=True
-    Should Not Be Equal As Integers    ${rc}    0
+    # mandatory cipher needed for internal enpoints (i.e. etcd), set if not defined by the user
+    Check TLS Endpoints    0    TLSv1.2    ECDHE-RSA-AES128-GCM-SHA256    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    Check TLS Endpoints    1    TLSv1.3    ECDHE-RSA-AES128-GCM-SHA256    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+
+    # when TLSv1.2 is set as min version, TLSv1.3 must also work
+    Check TLS Endpoints    1    TLSv1.2    TLS_AES_128_GCM_SHA256
+    Check TLS Endpoints    0    TLSv1.3    TLS_AES_128_GCM_SHA256
 
     [Teardown]    Run Keywords
     ...    Remove TLS Drop In Config
     ...    Restart MicroShift
 
-Custom TLS 1_2 configuration
-    [Documentation]    Configure a custom cipher suite using TLS 1.2 and verify
-    ...    it is used
-    [Setup]    Setup TLS Configuration    ${TLS_12_CUSTOM_CIPHER}
+Custom TLS 1_3 configuration
+    [Documentation]    Configure API server to use TLSv1.3 as min version and verify only that version works
+    ...    TLSv1.2 must fail and cipher suites for TLSv1.3 can not be config by the user, always 3 are enabled.
+    [Setup]    Setup TLS Configuration    ${TLS_13_MIN_VERSION}
 
-    ${rc}=    Execute Command
-    ...    openssl s_client -connect ${USHIFT_HOST}:6443 -tls1_2 <<< "Q" 2>/dev/null | grep "Cipher is ECDHE-RSA-AES128-GCM-SHA256"
-    ...    sudo=True
-    ...    return_stdout=False
-    ...    return_stderr=False
-    ...    return_rc=True
-    Should Be Equal As Integers    ${rc}    0
+    ${config}=    Show Config    effective
+    Should Be Equal    ${config.apiServer.tls.minVersion}    VersionTLS13
+    Length Should Be    ${config.apiServer.tls.cipherSuites}    3
+    Should Contain    ${config.apiServer.tls.cipherSuites}    TLS_AES_128_GCM_SHA256
+    Should Contain    ${config.apiServer.tls.cipherSuites}    TLS_AES_256_GCM_SHA384
+    Should Contain    ${config.apiServer.tls.cipherSuites}    TLS_CHACHA20_POLY1305_SHA256
+
+    # checking the 3 ciphers available for TLSv1.3 on openshift
+    Check TLS Endpoints    1    TLSv1.2    TLS_AES_128_GCM_SHA256
+    Check TLS Endpoints    0    TLSv1.3    TLS_AES_128_GCM_SHA256
+    Check TLS Endpoints    1    TLSv1.2    TLS_AES_256_GCM_SHA384
+    Check TLS Endpoints    0    TLSv1.3    TLS_AES_256_GCM_SHA384
+    Check TLS Endpoints    1    TLSv1.2    TLS_CHACHA20_POLY1305_SHA256
+    Check TLS Endpoints    0    TLSv1.3    TLS_CHACHA20_POLY1305_SHA256
 
     [Teardown]    Run Keywords
     ...    Remove TLS Drop In Config
@@ -255,3 +271,35 @@ LVMS Is Deployed
 CSI Snapshot Controller Is Deployed
     [Documentation]    Wait for CSI snapshot controller to be deployed
     Named Deployment Should Be Available    csi-snapshot-controller    kube-system    120s
+
+Openssl Connect Command
+    [Documentation]    Run Openssl Connect Command in the remote server
+    [Arguments]    ${host_and_port}    ${args}
+    ${stdout}    ${rc}=    Execute Command
+    ...    openssl s_client -connect ${host_and_port} ${args} <<< "Q"
+    ...    sudo=True    return_stdout=True    return_stderr=False    return_rc=True
+    RETURN    ${stdout}    ${rc}
+
+Check TLS Endpoints
+    [Documentation]    Run Openssl Connect Command to check k8s internal endpoints
+    [Arguments]    ${return_code}    ${tls_version}    ${cipher}
+    IF    "${tls_version}" == "TLSv1.2"
+        Set Test Variable    ${TLS_AND_CIPHER_ARGS}    -tls1_2 -cipher ${cipher}
+    ELSE IF    "${tls_version}" == "TLSv1.3"
+        Set Test Variable    ${TLS_AND_CIPHER_ARGS}    -tls1_3 -ciphersuites ${cipher}
+    END
+
+    # api server, kubelet, kube controller manager and kube scheduler endpoint ports
+    FOR    ${port}    IN    6443    10250    10257    10259
+        ${stdout}    ${rc}=    Openssl Connect Command    ${USHIFT_HOST}:${port}    ${TLS_AND_CIPHER_ARGS}
+        Should Be Equal As Integers    ${return_code}    ${rc}
+        IF    "${rc}" == "0"
+            Should Contain    ${stdout}    ${tls_version}, Cipher is ${cipher}
+        END
+    END
+
+    # etcd endpoint, need to use cert and key because etcd requires mTLS
+    Set Test Variable    ${CERT_ARG}    -cert ${APISERVER_ETCD_CLIENT_CERT}/client.crt
+    Set Test Variable    ${KEY_ARG}    -key ${APISERVER_ETCD_CLIENT_CERT}/client.key
+    ${stdout}    ${rc}=    Openssl Connect Command    localhost:2379    ${TLS_AND_CIPHER_ARGS} ${CERT_ARG} ${KEY_ARG}
+    Should Be Equal As Integers    ${return_code}    ${rc}
