Skip to content

Expand FIPS TLS e2e coverage with host-run cipher probes and broader listener rejection checks#2031

Open
Elmo33 wants to merge 3 commits into
Altinity:0.27.2from
Elmo33:0.27.2-negative-tests
Open

Expand FIPS TLS e2e coverage with host-run cipher probes and broader listener rejection checks#2031
Elmo33 wants to merge 3 commits into
Altinity:0.27.2from
Elmo33:0.27.2-negative-tests

Conversation

@Elmo33

@Elmo33 Elmo33 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
  • Add host-run FIPS TLS cipher probes (test_030017) using local openssl s_server and an in-process fake Kubernetes API in steps_fips.py
  • Broaden test_030003 rejected-TLS coverage to all FIPS listeners (ClickHouse HTTPS/native/interserver, Keeper, backup API)
  • Tighten FIPS TLS config in test-030003 CHI/CHK manifests by disabling TLS 1.2
  • Move ACVP from separate test_acvp.py to the main regression suite
  • Small test harness fixes: safer namespace naming, non-blocking kubectl delete during cleanup

Changes

  • steps_fips.py: openssl s_client helpers, approved/rejected TLS case matrices, fake K8s API server, host-run operator/metrics-exporter TLS probe session
  • test_operator.py: new test_030017; updated test_030003 rejection step; clearer step wording across FIPS scenarios
  • Manifests: add test-030017-chi.yaml and test-030017-phase0-chi-tls12.yaml; update test-030003 CHI/CHK openssl settings
  • steps.py: derive test namespace from scenario id via regex
  • kubectl.py: add wait flag to delete_kind
  • regression.py: drop e2e.test_acvp

Important items to consider before making a Pull Request

Please check items PR complies to:

  • All commits in the PR are squashed. More info
  • The PR is made into dedicated next-release branch, not into master branch1. More info
  • The PR is signed. More info

Elmo33 added 3 commits July 6, 2026 15:27
…017)

- Add host-run openssl/fake-k8s TLS probe helpers in steps_fips.py
- Add test_030017 + CHI manifests for local operator TLS testing
- Broaden test_030003 rejected-TLS checks; disable TLS 1.2 in manifests
- Fix namespace derivation in steps.py; kubectl delete wait flag
- Drop ACVP test suite from regression
- Tidy FIPS test wording in test_operator.py
@sunsingerus sunsingerus added the planned for review This feature is planned for review label Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

planned for review This feature is planned for review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants