E2E: verify RTE metrics endpoint TLS compliance

[mrniranjan]

Add e2e tests that probe each RTE pod's metrics port directly over port-forward to confirm:

• the TLS handshake succeeds and the negotiated version meets the cluster TLS profile minimum
• the /metrics endpoint returns a valid response body
• connections using a version or cipher incompatible with the cluster profile are rejected

Add FetchMetrics helper in test/internal/tls to perform an HTTPS GET /metrics over a port-forwarded connection, reusing the existing port-forward and TLS probing infrastructure.

AI Attribution: AIA Human-AI blend, New content, Human-initiated, Reviewed, Cursor 3.0.16 v1.0

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mrniranjan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/OWNERS [mrniranjan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: d40825bc-5dd0-41c3-a539-9a0208358707

📥 Commits

Reviewing files that changed from the base of the PR and between 292c70e and 837c0d5.

📒 Files selected for processing (2)

• test/e2e/tls/tls_test.go
• test/internal/tls/tls.go

---

📝 Walkthrough

Walkthrough

Adds cluster-TLS-derived helpers and a single-connection HTTPS metrics fetcher, then updates E2E tests to validate RTE pod /metrics endpoints negotiate at-or-above the cluster minimum TLS and reject below-minimum versions or disallowed ciphers when applicable.

Changes

RTE Metrics TLS Compliance Testing

Layer / File(s)	Summary
Negative TLS compatibility test updates test/e2e/tls/tls_test.go	Replace inline TLS-profile/min-version derivation with GetClusterTLSProfile and add conditional probing for a disallowed TLS 1.2 cipher in the negative compatibility test.
RTE metrics endpoint E2E context and discovery test/e2e/tls/tls_test.go	Replace prior DaemonSet flag alignment test with an ordered “RTE Metrics end point TLS Compliance” context that loads cluster TLS settings, discovers RTE pods from NRO NodeGroups/DaemonSets, and runs positive/negative metrics TLS checks.
FetchMetrics and transport internals test/internal/tls/tls.go	Add FetchMetrics which port-forwards to a pod metrics port and issues an HTTPS GET /metrics using a custom transport that disables keep-alives, skips verification, and enforces a single dial; reads and returns the full body and errors on non-200 statuses.
Cluster TLS profile helpers and wiring test/internal/tls/tls.go	Add GetClusterTLSProfile, RTESettingsFromClusterProfile, CheckRTEDaemonSetTLSFlagsMatchClusterProfile, refactor CheckRTEDaemonSetTLSFlags to use getNROWithNodeGroups, and add helpers to convert TLSProfileSpec into *tls.Config using controller-runtime TLS utilities.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 35.71% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and specifically describes the main change: adding e2e tests to verify RTE metrics endpoint TLS compliance, which aligns with the changeset's core objective.
Description check	✅ Passed	The description is clearly related to the changeset, detailing the new e2e tests for RTE metrics TLS compliance, the FetchMetrics helper, and the specific validations performed.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

test/internal/tls/tls.go (1)

256-275: ⚡ Quick win

Add a request timeout to the metrics HTTP client.

The client and request (context.Background()) have no deadline, so httpCli.Do/io.ReadAll over the port-forward can block indefinitely if the server stalls. The table node has no SpecTimeout, so a hang would only be interrupted at suite level. A client-level timeout bounds this cheaply.

♻️ Bound the request with a timeout

 	return &http.Client{Transport: tr}
+	return &http.Client{Transport: tr, Timeout: 30 * time.Second}

Add the import:

 	"net/http"
 	"strings"
+	"time"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/internal/tls/tls.go` around lines 256 - 275, The metrics HTTP client
returned by buildMetricsHTTPClient lacks any deadline and can hang; set a
client-level timeout (e.g., assign the Timeout field on the returned
*http.Client) so all requests via that client are bounded, and add the time
import; update buildMetricsHTTPClient to construct &http.Client{Transport: tr,
Timeout: <reasonable duration>} so http.Client and buildMetricsHTTPClient (and
the transport tr) enforce a request timeout.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/internal/tls/tls.go`:
- Around line 256-275: The metrics HTTP client returned by
buildMetricsHTTPClient lacks any deadline and can hang; set a client-level
timeout (e.g., assign the Timeout field on the returned *http.Client) so all
requests via that client are bounded, and add the time import; update
buildMetricsHTTPClient to construct &http.Client{Transport: tr, Timeout:
<reasonable duration>} so http.Client and buildMetricsHTTPClient (and the
transport tr) enforce a request timeout.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: cf30fd60-4c84-4d28-8e74-4645014ce7fe

📥 Commits

Reviewing files that changed from the base of the PR and between 5934cef and 292c70e.

📒 Files selected for processing (2)

• test/e2e/tls/tls_test.go
• test/internal/tls/tls.go

[shajmakh]

The amount of shared code between positive and negative is small, while verifyRTETLSPositive and verifyRTETLSVersionRejected+verifyRTETLSCipherRejected are having most of the verification.
I think the goal of describeTable is lost here and having It() spec per test would serve readability better. WDYT?

[mrniranjan]

agree, addressed in latest commit

[shajmakh]

haven't this been used before by the existing tests? if so, can we make it an test/internal/tls/tls.go function ?

[mrniranjan]

addressed in latest commit

[shajmakh]

if these are used only once let's have them inlined please.

[mrniranjan]

addressed in latest commit