[WIP]OCPBUGS-76334: Remove library-go bump from TLS 1.3 test fixes

[wangke19]

Summary

This PR re-adds the TLS 1.3 test improvements from PR #30746 (which was reverted in #30895) but uses a local tlsutil package instead of depending on library-go/pkg/crypto. This provides the test enhancements without the dependency issues that caused the original revert.

Background

PR #30746 introduced valuable TLS 1.3 (Modern profile) test support but bundled it with a library-go dependency bump that caused test instability in 4.22 payloads. PR #30895 reverted #30746 to restore stability. This PR reintroduces only the test improvements without the problematic dependency changes.

What This PR Does

1. Re-adds TLS 1.3 test improvements from #30746

• ✅ Support for testing Modern TLS profile (TLS 1.3 only)
• ✅ FIPS mode detection for ChaCha20-Poly1305 cipher handling
• ✅ ECDSA cipher suite handling (expect failure with RSA keys)
• ✅ Improved test logging and error messages

2. Creates local crypto helper package (test/extended/apiserver/tlsutil/)

Extracted six simple utility functions into a local package:

• DefaultTLSVersion() - Returns tls.VersionTLS12
• ValidTLSVersions() - Returns list of TLS version names
• TLSVersionOrDie(name) - Converts version name to uint16
• DefaultCiphers() - Returns list of default cipher suites
• ValidCipherSuites() - Returns list of cipher suite names
• CipherSuite(name) - Converts cipher suite name to uint16

These are all simple lookup/conversion functions with no transitive dependencies beyond crypto/tls.

3. No library-go dependency bump

• Uses local tlsutil package instead of library-go/pkg/crypto
• No changes to go.mod, go.sum, or vendor/ for library-go
• Removes coupling between test logic and library-go versions

Benefits

✅ Restores TLS 1.3 test coverage - Modern profile validation is back
✅ Removes dependency coupling - Test logic no longer tied to library-go versions
✅ Avoids supply chain risk - No dependency updates in test improvements
✅ Maintains stability - Based on #30895 revert, adds only test logic
✅ Better separation of concerns - Test improvements isolated from dependency management

Testing

• go build ./test/extended/apiserver/... passes
• Code compiles successfully
• gofmt formatting verified
• Rebased on latest upstream/main (includes CNTRLPLANE-2999:Revert PR #30746: TLS 1.3 test causing instability in 4.22 #30895 revert)

Related

• Original PR: OCPBUGS-76334: Add TLS 1.3 (Modern profile) support to TestTLSDefaults #30746 (merged, then reverted)
• Revert PR: CNTRLPLANE-2999:Revert PR #30746: TLS 1.3 test causing instability in 4.22 #30895 (merged - restored stability)
• JIRA: OCPBUGS-76334
• Follow-up issue: #30890 (organization fork migration for filepath-securejoin)
• Slack discussion: Test failures in 4.22 payloads (#forum-testplatform, 2026-03-17)

Commit Structure

Single commit that:

1. Creates tlsutil package with crypto helpers
2. Updates test to use tlsutil instead of library-go
3. Re-adds Modern TLS profile support, FIPS handling, ECDSA handling

Note: This PR is now based on upstream/main which includes the revert (#30895), so the library-go dependency revert is no longer needed as a separate commit.

[openshift-ci-robot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci-robot]

@wangke19: This pull request references Jira Issue OCPBUGS-76334, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

This PR removes the unnecessary library-go dependency bump from PR #30746 by extracting the crypto utility functions into a local tlsutil package. This allows us to keep the valuable TLS 1.3 test improvements without the supply chain implications of bumping library-go.

Problem

PR #30746 bundled two distinct changes:

1. Test logic improvements: TLS 1.3 support, ECDSA handling, FIPS mode handling
2. Dependency update: library-go bump (v0.0.0-20251015151611 → v0.0.0-20260223145824)

The library-go bump was not required for the test functionality and has shown instability in CI (see Slack discussion in #forum-testplatform).

Solution

1. Create local crypto helper package (test/extended/apiserver/tlsutil/)

Extracted the six simple utility functions the test uses from library-go:

• DefaultTLSVersion() - Returns tls.VersionTLS12
• ValidTLSVersions() - Returns list of TLS version names
• TLSVersionOrDie(name) - Converts version name to uint16
• DefaultCiphers() - Returns list of default cipher suites
• ValidCipherSuites() - Returns list of cipher suite names
• CipherSuite(name) - Converts cipher suite name to uint16

These are all simple lookup/conversion functions with no transitive dependencies beyond crypto/tls.

2. Revert library-go version

• Reverted from v0.0.0-20260223145824-7b234b47a906 back to v0.0.0-20251015151611-6fc7a74b67c5
• Updated go.mod, go.sum, and vendor/ accordingly

3. Personal fork handling

The personal fork replace directive for filepath-securejoin is retained because:

• It's required for runc v1.2.5 compatibility with filepath-securejoin v0.6.0
• The v0.6.0 requirement comes from opencontainers/selinux@v1.13.0 (transitive dependency)
• Migration to organization fork is tracked in issue #30890

Benefits

✅ Removes unnecessary dependency coupling - Test logic no longer tied to library-go versions
✅ Avoids supply chain risk - No personal fork in library-go dependency chain
✅ Maintains test improvements - All TLS 1.3, ECDSA, and FIPS handling logic preserved
✅ Better separation of concerns - Dependency updates separated from test logic

Testing

• go build ./test/extended/apiserver/... passes
• Code compiles successfully with reverted library-go version
• No functional changes to test logic (only dependency source changed)

Related

• Original PR: OCPBUGS-76334: Add TLS 1.3 (Modern profile) support to TestTLSDefaults #30746 (merged)
• JIRA: OCPBUGS-76334
• Follow-up issue: #30890 (organization fork migration)
• Slack discussion: Test instability observed in 4.22 payloads

Commits

Following the two-commit structure:

1. Code changes: Extract crypto utilities to local package, update imports
2. Dependencies: Revert library-go, update go.mod/go.sum/vendor/

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3200a239-1aae-4600-8317-151951484ab1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

Updates the OpenShift library-go dependency version and redirects Kubernetes modules to OpenShift staging equivalents in go.mod. Refactors TLS utilities by extracting version and cipher suite management into a new tlsutil package, with test code updated to use the new utilities instead of direct crypto package references.

Changes

Cohort / File(s)	Summary
Dependency Management go.mod	Bumps library-go dependency to an earlier pseudo-version and updates module replace directives to redirect Kubernetes API packages to OpenShift staging equivalents.
TLS Utilities Refactoring test/extended/apiserver/tlsutil/crypto.go	New utility module providing TLS version and cipher suite mappings, with functions for version/cipher resolution, validation, and defaults (DefaultTLSVersion, DefaultCiphers, TLSVersion, TLSVersionOrDie, CipherSuite, ValidTLSVersions, ValidCipherSuites).
TLS Test Updates test/extended/apiserver/tls.go	Migrates TLS utilities from crypto package to tlsutil, updating all references to TLS version and cipher suite functions and adjusting imports accordingly.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wangke19
Once this PR has been reviewed and has the lgtm label, please assign xueqzhan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wangke19]

/unhold

Fixed gofmt issue - imports are now properly sorted.

[openshift-ci-robot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci-robot]

@wangke19: This pull request references Jira Issue OCPBUGS-76334, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

This PR removes the unnecessary library-go dependency bump from PR #30746 by extracting the crypto utility functions into a local tlsutil package. This allows us to keep the valuable TLS 1.3 test improvements without the supply chain implications of bumping library-go.

Problem

PR #30746 bundled two distinct changes:

1. Test logic improvements: TLS 1.3 support, ECDSA handling, FIPS mode handling
2. Dependency update: library-go bump (v0.0.0-20251015151611 → v0.0.0-20260223145824)

The library-go bump was not required for the test functionality and has shown instability in CI, with multiple test failures observed in periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-upgrade jobs (see Slack discussion in #forum-testplatform on 2026-03-17).

Solution

1. Create local crypto helper package (test/extended/apiserver/tlsutil/)

Extracted the six simple utility functions the test uses from library-go:

• DefaultTLSVersion() - Returns tls.VersionTLS12
• ValidTLSVersions() - Returns list of TLS version names
• TLSVersionOrDie(name) - Converts version name to uint16
• DefaultCiphers() - Returns list of default cipher suites
• ValidCipherSuites() - Returns list of cipher suite names
• CipherSuite(name) - Converts cipher suite name to uint16

These are all simple lookup/conversion functions with no transitive dependencies beyond crypto/tls.

2. Revert library-go version

• Reverted from v0.0.0-20260223145824-7b234b47a906 back to v0.0.0-20251015151611-6fc7a74b67c5
• Updated go.mod, go.sum, and vendor/ accordingly

3. Personal fork handling

The personal fork replace directive for filepath-securejoin is retained because:

• It's required for runc v1.2.5 compatibility with filepath-securejoin v0.6.0
• The v0.6.0 requirement comes from opencontainers/selinux@v1.13.0 (transitive dependency)
• Migration to organization fork is tracked in issue #30890

Benefits

✅ Removes unnecessary dependency coupling - Test logic no longer tied to library-go versions
✅ Avoids supply chain risk - No personal fork in library-go dependency chain
✅ Maintains test improvements - All TLS 1.3, ECDSA, and FIPS handling logic preserved
✅ Better separation of concerns - Dependency updates separated from test logic
✅ Restores test stability - Addresses CI failures in 4.22 payloads

Parallel Processing Options

Two approaches are available for quick resolution:

Option A - This PR (surgical fix):

• Merge this PR directly to replace OCPBUGS-76334: Add TLS 1.3 (Modern profile) support to TestTLSDefaults #30746's functionality without the dependency issues
• Best if all CI checks pass cleanly

Option B - Revert + Replace:

• First merge PR CNTRLPLANE-2999:Revert PR #30746: TLS 1.3 test causing instability in 4.22 #30895 (revert of OCPBUGS-76334: Add TLS 1.3 (Modern profile) support to TestTLSDefaults #30746) to restore stability immediately
• Then merge this PR to add back the test improvements
• Safer if this PR needs additional work

Both PRs can be evaluated in parallel to speed up the process.

Testing

• go build ./test/extended/apiserver/... passes
• Code compiles successfully with reverted library-go version
• No functional changes to test logic (only dependency source changed)
• gofmt formatting verified

Related

• Original PR: OCPBUGS-76334: Add TLS 1.3 (Modern profile) support to TestTLSDefaults #30746 (merged, causing instability)
• Revert PR: CNTRLPLANE-2999:Revert PR #30746: TLS 1.3 test causing instability in 4.22 #30895 (provides immediate stability restoration option)
• JIRA: OCPBUGS-76334
• Follow-up issue: #30890 (organization fork migration)
• Slack discussion: Test failures in 4.22 payloads (#forum-testplatform, 2026-03-17)

Commits

Following the two-commit structure:

1. Code changes: Extract crypto utilities to local package, update imports
2. Dependencies: Revert library-go, update go.mod/go.sum/vendor/

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@wangke19: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-ipv6	478de61	link	true	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-aws-ovn-microshift	478de61	link	true	/test e2e-aws-ovn-microshift

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[wangke19]

Rebased on latest upstream/main which now includes PR #30895 (the revert of #30746).

Changes in this rebase:

• ✅ Single commit now (library-go revert no longer needed since upstream includes it)
• ✅ Re-adds all TLS 1.3 test improvements from original OCPBUGS-76334: Add TLS 1.3 (Modern profile) support to TestTLSDefaults #30746
• ✅ Uses local tlsutil package instead of library-go/pkg/crypto
• ✅ Build verified: go build ./test/extended/apiserver/... passes
• ✅ gofmt clean

The PR is now a clean addition of test improvements on top of the reverted state, with no dependency changes.