Merge ctlplane-tls-cert-rotation tests into ctlplane-tls-custom-issuers

Consolidate these two TLS-related kuttl tests into a single comprehensive test
suite that covers:

- TLS ingress-only to full pod-level TLS transitions
- Custom and default certificate issuer switching
- Certificate rotation triggered by secret deletion
- Custom certificate duration configuration
- Certificate fingerprint verification before/after rotation

Key changes:
- Remove ctlplane-tls-cert-rotation test suite (merged into custom-issuers)
- Renumber test steps (00-16) for proper sequencing
- Add certificate fingerprint comparison to rotation assertions
- Replace symlink with actual assert file for custom issuer deployment
- Increase timeout for certificate issuer assertions (60s → 900s)
- Improve error messages with namespace context

This reduces test execution time by eliminating redundant OpenStack
deployments while maintaining full TLS functionality coverage.

Co-authored-by: Claude Assistant assistant@cursor.sh

Author: abays

test/kuttl/common/osp_check_noapi_service_certs.sh

@@ -56,7 +56,7 @@ for service in "${!services_secrets[@]}"; do
         pod_cert=$(oc rsh -n "$NAMESPACE" openstackclient openssl s_client -connect "$cluster_ip:$port" -servername "$cluster_ip" </dev/null 2>/dev/null | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p')
 
         if [[ -z "$pod_cert" ]]; then
-            echo "Error retrieving certificate from $service at $cluster_ip:$port."
+            echo "Error retrieving certificate from $service at $cluster_ip:$port in namespace $NAMESPACE."
             continue
         fi
 

test/kuttl/tests/ctlplane-tls-cert-rotation/02-assert-endpoint-proto.yaml

@@ -300,11 +300,11 @@ commands:
       echo "Waiting for OpenStack control plane to be ready..."
       oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane
   - script: |
-      echo "Fail if internal https endpoints are registered"
+      echo "Fail if internal https endpoints are registered (ingress-only mode)"
       oc exec -i openstackclient -n $NAMESPACE -- bash -c "openstack endpoint list --interface internal -f value -c URL" | grep 'https:' && exit 1
       exit 0
   - script: |
-      echo "check ovn sb internalDbAddress use tcp"
+      echo "check ovn sb internalDbAddress use tcp (not ssl)"
       oc get -n $NAMESPACE OVNDBCluster ovndbcluster-sb -o jsonpath={.status.internalDbAddress} | grep -q tcp
   - script: |
       echo "check ovn sb DB connection use tcp"
@@ -315,3 +315,4 @@ commands:
   - script: |
       echo "check neutron ovn_sb_connection url tcp address"
       oc exec -i deployment/neutron -n $NAMESPACE -- bash -c "grep ovn_sb_connection /etc/neutron/neutron.conf.d/01-neutron.conf | grep -q tcp"
+

test/kuttl/tests/ctlplane-tls-cert-rotation/02-get-endpoints-certs.yaml

@@ -1,5 +1,8 @@
+# Deploy with TLS ingress-only (podLevel.enabled: false)
+# This tests the transition from ingress-only TLS to full TLS
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
   - script: |
       oc kustomize ../../../../config/samples/tls/tls_ingress | oc apply -n $NAMESPACE -f -
+

test/kuttl/tests/ctlplane-tls-cert-rotation/03-change-cert-duration.yaml

@@ -174,14 +174,28 @@ spec:
         replicas: 1
   tls:
     ingress:
-      enabled: true
       ca:
-        customIssuer: rootca-ingress-custom
+        duration: 87600h0m0s
+      cert:
+        duration: 43800h0m0s
+      enabled: true
     podLevel:
       enabled: true
       internal:
         ca:
-          customIssuer: rootca-internal-custom
+          duration: 87600h0m0s
+        cert:
+          duration: 43800h0m0s
+      libvirt:
+        ca:
+          duration: 87600h0m0s
+        cert:
+          duration: 43800h0m0s
+      ovn:
+        ca:
+          duration: 87600h0m0s
+        cert:
+          duration: 43800h0m0s
 status:
   conditions:
   - message: Setup complete
@@ -292,3 +306,28 @@ status:
     reason: Ready
     status: "True"
     type: OpenStackControlPlaneTestCMReadyCondition
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 500
+commands:
+  - script: |
+      echo "Waiting for OpenStack control plane to be ready..."
+      oc wait openstackcontrolplane -n $NAMESPACE --for=condition=Ready --timeout=400s -l core.openstack.org/openstackcontrolplane
+  - script: |
+      echo "Fail if internal http endpoints are registered (full TLS mode)"
+      oc exec -i openstackclient -n $NAMESPACE -- bash -c "openstack endpoint list --interface internal -f value -c URL" | grep 'http:' && exit 1
+      exit 0
+  - script: |
+      echo "check ovn sb internalDbAddress use ssl"
+      oc get -n $NAMESPACE OVNDBCluster ovndbcluster-sb -o jsonpath={.status.internalDbAddress} | grep -q ssl
+  - script: |
+      echo "check ovn sb DB connection use ssl"
+      oc exec -i statefulset/ovsdbserver-sb -n $NAMESPACE -- bash -c "ovn-sbctl --no-leader-only get-connection | grep -q pssl"
+  - script: |
+      echo "check nova transport_url use ssl"
+      oc exec -i statefulset/nova-cell1-conductor -n $NAMESPACE -- bash -c "grep transport_url /etc/nova/nova.conf.d/01-nova.conf | grep -q 'ssl=1'"
+  - script: |
+      echo "check neutron ovn_sb_connection url ssl"
+      oc exec -i deployment/neutron -n $NAMESPACE -- bash -c "grep ovn_sb_connection /etc/neutron/neutron.conf.d/01-neutron.conf| grep -q ssl"
+

…rotation/00-assert-deploy-openstack.yaml …t-deploy-openstack-tls-ingress-only.yamltest/kuttl/tests/ctlplane-tls-cert-rotation/00-assert-deploy-openstack.yaml renamed to test/kuttl/tests/ctlplane-tls-custom-issuers/00-assert-deploy-openstack-tls-ingress-only.yaml test/kuttl/tests/ctlplane-tls-cert-rotation/00-assert-deploy-openstack.yaml renamed to test/kuttl/tests/ctlplane-tls-custom-issuers/00-assert-deploy-openstack-tls-ingress-only.yaml

@@ -0,0 +1,8 @@
+# Deploy with full TLS (podLevel.enabled: true)
+# This tests the transition from ingress-only TLS to full pod-level TLS
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      oc kustomize ../../../../config/samples/base/openstackcontrolplane | oc apply -n $NAMESPACE -f -
+