Skip to content

Add X25519MLKEM768 TLS verification test for OpenShift 4.21 #71151

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add X25519MLKEM768 TLS verification test for OpenShift 4.21 #71151

wants to merge 2 commits into from

Conversation

@kaleemsiddiqu
Copy link

@kaleemsiddiqu kaleemsiddiqu commented Nov 7, 2025

Summary

Add automated testing for post-quantum cryptography (PQC) TLS support in OpenShift 4.21 control plane components.

Changes

1. New Step Registry Test

Created openshift-e2e-test-qe-pq-tls-verify step that verifies all control plane components negotiate X25519MLKEM768 as the TLS1.3 group:

  • kube-apiserver (port 6443)
  • etcd (port 2379)
  • kube-scheduler (port 10259)
  • kube-controller-manager (port 10257)

Location: ci-operator/step-registry/openshift/e2e/test/qe/pq-tls-verify/

2. Periodic CI Test for 4.21

Added weekly periodic test:

  • Job: periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-pq-tls-verify
  • Schedule: Weekly (168h interval)
  • Platform: AWS
  • Purpose: Ensure PQC TLS negotiation works correctly in all control plane components

Test Methodology

The test uses:

  1. oc port-forward to connect to each control plane component pod
  2. openssl s_client to perform TLS handshake
  3. Verification that X25519MLKEM768 is negotiated
  4. Fails if ANY component does not negotiate the expected PQC group

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 7, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kaleemsiddiqu
Once this PR has been reviewed and has the lgtm label, please assign neisw for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. label Nov 7, 2025
@kaleemsiddiqu
Copy link
Author

kaleemsiddiqu commented Nov 7, 2025

/pj-rehearse periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-pq-tls-verify

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 7, 2025

@kaleemsiddiqu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci openshift-ci bot removed the do-not-merge/invalid-owners-file Indicates that a PR should not merge because it has an invalid OWNERS file in it. label Nov 7, 2025
@kaleemsiddiqu
Copy link
Author

kaleemsiddiqu commented Nov 7, 2025

/pj-rehearse periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-pq-tls-verify

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 7, 2025

@kaleemsiddiqu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@kaleemsiddiqu
Copy link
Author

kaleemsiddiqu commented Nov 7, 2025

/pj-rehearse abort

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 7, 2025

@kaleemsiddiqu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 7, 2025

@kaleemsiddiqu: job(s): periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-pq-tls-verify either don't exist or were not found to be affected, and cannot be rehearsed

@kaleemsiddiqu
Copy link
Author

kaleemsiddiqu commented Nov 7, 2025

/pj-rehearse periodic-ci-openshift-release-master-ci-4.21-e2e-aws-pq-tls-verify

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 7, 2025

@kaleemsiddiqu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@kaleemsiddiqu
Copy link
Author

kaleemsiddiqu commented Nov 7, 2025

/pj-rehearse periodic-ci-openshift-release-master-ci-4.21-e2e-aws-pq-tls-verify

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 7, 2025

@kaleemsiddiqu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@kaleemsiddiqu
Copy link
Author

kaleemsiddiqu commented Nov 7, 2025

/pj-rehearse periodic-ci-openshift-release-master-ci-4.21-e2e-aws-pq-tls-verify

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 7, 2025

@kaleemsiddiqu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@kaleemsiddiqu
Add PQ TLS verification step for OpenShift control plane components
3f52ebe 
This step verifies that OpenShift control plane components (kube-apiserver,
etcd, kube-scheduler, kube-controller-manager) negotiate X25519MLKEM768 as
the TLS1.3 group for post-quantum cryptography support.

The test uses Fedora 41 base image with OpenSSL 3.5 which supports PQ crypto
groups. It installs oc CLI, uses port-forward to connect to each component,
and openssl s_client with -tls1_3 -groups X25519MLKEM768 to verify the TLS
handshake negotiates the expected post-quantum crypto group.
@kaleemsiddiqu
Add e2e-aws-pq-tls-verify periodic test for 4.21
1504ff9 
Adds weekly periodic test to verify post-quantum cryptography support
in OpenShift 4.21 control plane components.
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 7, 2025

[REHEARSALNOTIFIER]
@kaleemsiddiqu: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
periodic-ci-openshift-release-master-ci-4.21-e2e-aws-pq-tls-verify N/A periodic Periodic changed
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@kaleemsiddiqu
Copy link
Author

kaleemsiddiqu commented Nov 7, 2025

/pj-rehearse periodic-ci-openshift-release-master-ci-4.21-e2e-aws-pq-tls-verify

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 7, 2025

@kaleemsiddiqu: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 7, 2025

@kaleemsiddiqu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/ordered-prow-config 1504ff9 link true /test ordered-prow-config
ci/rehearse/periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-pq-tls-verify a33069f link unknown /pj-rehearse periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-pq-tls-verify
ci/rehearse/periodic-ci-openshift-release-master-ci-4.21-e2e-aws-pq-tls-verify 1504ff9 link unknown /pj-rehearse periodic-ci-openshift-release-master-ci-4.21-e2e-aws-pq-tls-verify

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bradmwilliams bradmwilliams Awaiting requested review from bradmwilliams

@petr-muller petr-muller Awaiting requested review from petr-muller

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kaleemsiddiqu @openshift-ci-robot