10 changes: 10 additions & 0 deletions test/assets/router/error-page-404.http
@@ -0,0 +1,10 @@
HTTP/1.0 404 Not Found
Connection: close
Content-Type: text/html

<html>
<head><title>Custom:Not Found</title></head>
<body>
<p>Custom error page:The requested document was not found.</p>
</body>
</html>
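Review bot: the `Content-Type: text/html` header carries no charset, and the body has no DOCTYPE; both error fixtures in this PR share that shape. Harmless while the markup is plain ASCII, but `Content-Type: text/html; charset=utf-8` costs nothing and removes any sniffing ambiguity if the text is ever localised. The missing `Content-Length` is fine here because `HTTP/1.0` plus `Connection: close` makes the body close-delimited.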
10 changes: 10 additions & 0 deletions test/assets/router/error-page-503.http
@@ -0,0 +1,10 @@
HTTP/1.0 503 Service Unavailable
Connection: close
Content-Type: text/html

<html>
<head><title>Custom:Application Unavailable</title></head>
<body>
<p>Custom error page:The requested application is not available.</p>
</body>
</html>
19 changes: 19 additions & 0 deletions test/assets/router/microshift-ingress-destca.yaml
@@ -0,0 +1,19 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-ms-reen
annotations:
route.openshift.io/destination-ca-certificate-secret: service-secret
route.openshift.io/termination: reencrypt
spec:
rules:
- host: service-secure-test.example.com
http:
paths:
- backend:
service:
name: service-secure
port:
number: 27443
path: "/"
pathType: Prefix
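Review bot: this reencrypt Ingress has no `tls:` section, so the router will present its default certificate for `service-secure-test.example.com`; if the test only exercises the backend leg (router to nginx, verified against the CA in `service-secret`), say so in a comment, otherwise add `tls:` with a front-end secret. Note also that `service-secret` is only created by the `service.beta.openshift.io/serving-cert-secret-name` annotation in `web-server-signed-deploy.yaml`; `web-server-deploy.yaml` in this same PR defines `service-secure` without it, so this Ingress only works against the signed deployment. Worth naming that dependency in the file.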
16 changes: 16 additions & 0 deletions test/assets/router/microshift-ingress-http.yaml
@@ -0,0 +1,16 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-on-microshift
spec:
rules:
- host: service-unsecure-test.example.com
http:
paths:
- backend:
service:
name: service-unsecure
port:
number: 27017
path: "/"
pathType: Prefix
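Review bot: neither Ingress in this PR sets `spec.ingressClassName`, so both depend on a default IngressClass being configured on the cluster; if no default exists the objects are accepted but never routed and the test fails with a confusing timeout. Either set the class explicitly or document the assumption. Minor: the naming differs between the two files (`ingress-on-microshift` here, `ingress-ms-reen` for the reencrypt variant); a common prefix would make cleanup by label or name pattern easier.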
20 changes: 20 additions & 0 deletions test/assets/router/rsyslogd-pod.yaml
@@ -0,0 +1,20 @@
kind: Pod
apiVersion: v1
metadata:
name: rsyslogd-pod
labels:
name: rsyslogd
spec:
containers:
- image: quay.io/openshifttest/rsyslogd-container@sha256:e806eb41f05d7cc6eec96bf09c7bcb692f97562d4a983cb019289bd048d9aee2
name: rsyslogd-container
securityContext:
privileged: true
ports:
- containerPort: 514
protocol: TCP
- containerPort: 514
protocol: UDP
resources:
limits:
memory: 340Mi
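Review bot: `privileged: true` is far broader than an rsyslog receiver needs. Listening on 514/TCP and 514/UDP only requires root in the container or `CAP_NET_BIND_SERVICE`; replace `privileged: true` with `capabilities: add: [NET_BIND_SERVICE]` (and `allowPrivilegeEscalation: false`) unless the image really needs host access, and if it does, document why, since a privileged pod also requires the test namespace's service account to be allowed the privileged SCC. Separately, `resources` gives a memory limit with no request and no CPU values; that is acceptable for a fixture, but a limit without a request is often flagged by admission policies, so consider setting both.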
22 changes: 22 additions & 0 deletions test/assets/router/test-client-pod.yaml
@@ -0,0 +1,22 @@
apiVersion: v1
kind: Pod
metadata:
labels:
app: hello-pod
name: hello-pod
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- image: quay.io/openshifttest/nginx-alpine@sha256:cee6930776b92dc1e93b73f9e5965925d49cff3d2e91e1d071c2f0ff72cbca29
name: hello-pod
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- containerPort: 8080
- containerPort: 8443
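Review bot: `runAsNonRoot: true` is set without `runAsUser`, so the kubelet relies on the image's USER directive; if the nginx-alpine image pinned by digest here declares a named (non-numeric) user, or no user at all, the container is rejected at start with a "non-numeric user" error. Either add an explicit non-root `runAsUser` or confirm the image's USER is numeric. Good to see `RuntimeDefault` seccomp and `drop: [ALL]`; the web-server deployments in this PR should get the same block for consistency.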
57 changes: 57 additions & 0 deletions test/assets/router/web-server-deploy.yaml
@@ -0,0 +1,57 @@
apiVersion: v1
kind: List
items:
- apiVersion: apps/v1
kind: Deployment
metadata:
name: web-server-deploy
labels:
app: web-server-deploy
spec:
replicas: 1
selector:
matchLabels:
name: web-server-deploy
template:
metadata:
labels:
name: web-server-deploy
spec:
containers:
- name: nginx
image: quay.io/openshifttest/nginx-alpine@sha256:cee6930776b92dc1e93b73f9e5965925d49cff3d2e91e1d071c2f0ff72cbca29
ports:
- containerPort: 8080
name: http
protocol: TCP
- containerPort: 8443
name: https
protocol: TCP
- kind: Service
apiVersion: v1
metadata:
labels:
name: service-secure
name: service-secure
spec:
ports:
- name: https
protocol: TCP
port: 27443
targetPort: 8443
selector:
name: web-server-deploy
- apiVersion: v1
kind: Service
metadata:
labels:
name: service-unsecure
name: service-unsecure
spec:
ports:
- name: http
port: 27017
protocol: TCP
targetPort: 8080
selector:
name: web-server-deploy
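Review bot: the nginx container here has no `securityContext` at all, while `test-client-pod.yaml` in this PR runs the same image with `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `drop: [ALL]`; apply the same block to this container so the two fixtures behave identically under restricted SCCs. Also, `kind: List` is a client-side convenience that `oc apply` tolerates but some tooling does not; a multi-document YAML separated by `---` is the conventional form and avoids the `items:` nesting. `service-secure` here carries no serving-cert annotation, so nothing populates `service-secret` for this variant; that is presumably intentional (the unsigned case), but a comment would save the next reader from comparing the two files.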
94 changes: 94 additions & 0 deletions test/assets/router/web-server-signed-deploy.yaml
@@ -0,0 +1,94 @@
apiVersion: v1
kind: List
items:
- apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-config
data:
nginx.conf: |
events {
worker_connections 1024;
}

http {
server {
listen 8080;
listen [::]:8080;
location / {
root /data/http;
}
}

server {
listen 8443 ssl http2 default;
listen [::]:8443 ssl http2 default;
server_name _;
ssl_certificate certs/tls.crt;
ssl_certificate_key certs/tls.key;
location / {
root /data/https-default;
}
}
}
- apiVersion: apps/v1
kind: Deployment
metadata:
name: web-server-deploy
labels:
name: web-server-deploy
spec:
replicas: 1
selector:
matchExpressions:
- {key: name, operator: In, values: [web-server-deploy]}
template:
metadata:
labels:
name: web-server-deploy
spec:
containers:
- name: nginx
image: quay.io/openshifttest/nginx-alpine@sha256:cee6930776b92dc1e93b73f9e5965925d49cff3d2e91e1d071c2f0ff72cbca29
volumeMounts:
- name: service-secret
mountPath: /etc/nginx/certs/
- name: nginx-config
mountPath: /etc/nginx/
volumes:
Comment on lines +50 to +58
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add an explicit container securityContext.

Line 52 currently allows default runtime behavior, which can permit root execution and privilege escalation. Please harden this container explicitly.

Suggested patch
         containers:
         - name: nginx
           image: quay.io/openshifttest/nginx-alpine@sha256:cee6930776b92dc1e93b73f9e5965925d49cff3d2e91e1d071c2f0ff72cbca29
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop:
+              - ALL
           volumeMounts:
           - name: service-secret
             mountPath: /etc/nginx/certs/
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/assets/router/web-server-signed-deploy.yaml` around lines 50 - 58: the
nginx container currently lacks an explicit securityContext; update the
container spec for the container named "nginx" to add a securityContext that
enforces non-root execution and reduces privileges (e.g., set runAsNonRoot:
true, runAsUser to a non-root UID such as 1000, set allowPrivilegeEscalation:
false, set readOnlyRootFilesystem: true, and drop capabilities like ["ALL"]);
place this securityContext block under the nginx container entry so the pod
explicitly hardens runtime privileges.

- name: service-secret
secret:
secretName: service-secret
- name: nginx-config
configMap:
name: nginx-config
- kind: Service
apiVersion: v1
metadata:
annotations:
service.beta.openshift.io/serving-cert-secret-name: service-secret
labels:
name: service-secure
name: service-secure
spec:
ports:
- name: https
protocol: TCP
port: 27443
targetPort: 8443
selector:
name: web-server-deploy
- apiVersion: v1
kind: Service
metadata:
labels:
name: service-unsecure
name: service-unsecure
spec:
ports:
- name: http
port: 27017
protocol: TCP
targetPort: 8080
selector:
name: web-server-deploy
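Review bot: mounting the `nginx-config` ConfigMap at `/etc/nginx/` replaces the whole directory, so anything the image ships there (`mime.types`, `conf.d/`) disappears; the supplied `nginx.conf` never includes `mime.types`, so every response goes out as the default type. Mount the ConfigMap with `subPath: nginx.conf` (or at a separate path and include it) to keep the rest of the image's config. Two smaller points in the server block: `listen 8443 ssl http2 default;` uses the obsolete `default` flag, `default_server` is the current spelling; and the relative `certs/tls.crt` / `certs/tls.key` paths resolve against the nginx prefix, which is `/etc/nginx` in the official nginx images but not in every alpine build, so absolute `/etc/nginx/certs/...` paths remove that dependence. If the securityContext suggested in the inline comment above is adopted, also check that nginx as non-root has a writable `pid` path and temp directories, since this config sets neither and the image's defaults may be root-owned.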