Skip to content

release-25.1: security: update TestTLSCipherRestrict test setup #146316

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 12, 2025
Merged

release-25.1: security: update TestTLSCipherRestrict test setup #146316

merged 1 commit into from
May 12, 2025
+98 −72

Conversation

blathers-crl[bot]
Copy link

@blathers-crl blathers-crl bot commented May 7, 2025
edited by souravcrl
Loading

Backport 1/1 commits from #146177 on behalf of @souravcrl.

Current test setup starts the test server only once and runs various tls cipher
configurations but this seems to fail the test as final cipher configuration set
by previous run of the test may not be overridden by current run, and we have
stale ciphers configured for the subtest. Another issue is the timout being set
is 2s which may fail and increasing it is not possible as the test may timeout
before that leading to leaky goroutines. Hence, handling the http client
response timeouts as a flake. Waitgroups are added for all client calls to
ensure there are no open connections during test breakdown.

fixes #145812
fixes #145527
fixes #145459
fixes #145313

Release Note: None

Release justification: needed to fix failing CI

@souravcrl
security: update TestTLSCipherRestrict test setup
f8ef317 
Current test setup starts the test server only once and runs various tls cipher
configurations but this seems to fail the test as final cipher configuration set
by previous run of the test may not be overridden by current run, and we have
stale ciphers configured for the subtest. Another issue is the timout being set
is 2s which may fail and increasing it is not possible as the test may timeout
before that leading to leaky goroutines. Hence, handling the http client
response timeouts as a flake. Waitgroups are added for all client calls to
ensure there are no open connections during test breakdown.

fixes #145812
fixes #145527
fixes #145459
fixes #145313

Release Note: None
@blathers-crl blathers-crl bot requested review from a team as code owners May 7, 2025 19:40
@blathers-crl blathers-crl bot added blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. labels May 7, 2025
@blathers-crl blathers-crl bot requested review from srosenberg and DarrylWong and removed request for a team May 7, 2025 19:40
@blathers-crl blathers-crl bot requested review from golgeek, pritesh-lahoti and a team May 7, 2025 19:40
@blathers-crl blathers[crl]
Copy link
Author

blathers-crl bot commented May 7, 2025

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious
    issues     or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined
    here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning areas TL. For more information as to how that review should be conducted, please consult the backport
    policy    .
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack
    channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport Label PR's that are backports to older release branches label May 7, 2025
@cockroach-teamcity
Copy link
Member

This change is Reviewable

@souravcrl souravcrl mentioned this pull request May 8, 2025
Closed
@souravcrl souravcrl merged commit c89c994 into release-25.1 May 12, 2025
14 of 15 checks passed
@souravcrl souravcrl deleted the blathers/backport-release-25.1-146177 branch May 12, 2025 05:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pritesh-lahoti pritesh-lahoti pritesh-lahoti approved these changes

@srosenberg srosenberg Awaiting requested review from srosenberg srosenberg is a code owner automatically assigned from cockroachdb/test-eng

@DarrylWong DarrylWong Awaiting requested review from DarrylWong DarrylWong is a code owner automatically assigned from cockroachdb/test-eng

@golgeek golgeek Awaiting requested review from golgeek

Assignees

@souravcrl souravcrl

Labels
backport Label PR's that are backports to older release branches blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. target-release-25.1.7
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cockroach-teamcity @pritesh-lahoti @souravcrl