fix: new unit test for custom and empty tls configuration

ingvagabund · ingvagabund · commit 6c61567611a3 · 2026-03-16T12:39:06.000+01:00
diff --git a/lib/resourcebuilder/core.go b/lib/resourcebuilder/core.go
@@ -158,9 +158,12 @@ func updateRNodeWithTLSSettings(rnode *yaml.RNode, minTLSVersion string, minTLSF
 		return err
 	}
 
-	if ciphersFound && len(cipherSuites) > 0 {
+	if ciphersFound {
 		currentCiphers, err := getSortedCipherSuites(servingInfo)
-		if err != nil || !slices.Equal(currentCiphers, cipherSuites) {
+		if err != nil {
+			return err
+		}
+		if !slices.Equal(currentCiphers, cipherSuites) {
 			// Create a sequence node with the cipher suites
 			seqNode := yaml.NewListRNode(cipherSuites...)
 			if err := servingInfo.PipeE(yaml.SetField("cipherSuites", seqNode)); err != nil {
@@ -170,7 +173,7 @@ func updateRNodeWithTLSSettings(rnode *yaml.RNode, minTLSVersion string, minTLSF
 	}
 
 	// Update minTLSVersion if found
-	if minTLSFound && minTLSVersion != "" {
+	if minTLSFound {
 		if err := servingInfo.PipeE(yaml.SetField("minTLSVersion", yaml.NewStringRNode(minTLSVersion))); err != nil {
 			return err
 		}
diff --git a/lib/resourcebuilder/core_test.go b/lib/resourcebuilder/core_test.go
@@ -527,6 +527,55 @@ servingInfo:
 				}
 			},
 		},
+		{
+			name: "ConfigMap with APIServer custom profile with empty ciphers and minTLSVersion - update to empty values",
+			configMap: makeConfigMap(true, map[string]string{
+				genericOperatorConfigCMKey: makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion12),
+			}),
+			apiServer:   makeAPIServerConfig(withCustomTLSProfile([]string{}, "")),
+			expectError: false,
+			validateConfigMap: func(t *testing.T, original, modified *corev1.ConfigMap) {
+				// When Custom profile has empty ciphers/minTLSVersion, it should fall back to default Intermediate profile
+				defaultTLSConfigMap := makeConfigMap(true, map[string]string{
+					genericOperatorConfigCMKey: makeGenericOperatorConfigYAML([]string{}, ""),
+				})
+				if err := validateConfigMapsEqual(defaultTLSConfigMap, modified); err != nil {
+					t.Fatalf("validation failed: %v", err)
+				}
+			},
+		},
+		{
+			name: "ConfigMap with APIServer custom profile with non-empty ciphers and empty minTLSVersion - update minTLSVersion to an empty value",
+			configMap: makeConfigMap(true, map[string]string{
+				genericOperatorConfigCMKey: makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion12),
+			}),
+			apiServer:   makeAPIServerConfig(withCustomTLSProfile(testOpenSSLCipherSuites2, "")),
+			expectError: false,
+			validateConfigMap: func(t *testing.T, original, modified *corev1.ConfigMap) {
+				expectedConfigMap := makeConfigMap(true, map[string]string{
+					genericOperatorConfigCMKey: makeGenericOperatorConfigYAML(testCipherSuites2, ""),
+				})
+				if err := validateConfigMapsEqual(expectedConfigMap, modified); err != nil {
+					t.Fatalf("validation failed: %v", err)
+				}
+			},
+		},
+		{
+			name: "ConfigMap with APIServer custom profile with empty ciphers and non-empty minTLSVersion - update ciphers to an empty value",
+			configMap: makeConfigMap(true, map[string]string{
+				genericOperatorConfigCMKey: makeGenericOperatorConfigYAML(testCipherSuites, tlsVersion12),
+			}),
+			apiServer:   makeAPIServerConfig(withCustomTLSProfile([]string{}, tlsVersion12)),
+			expectError: false,
+			validateConfigMap: func(t *testing.T, original, modified *corev1.ConfigMap) {
+				expectedConfigMap := makeConfigMap(true, map[string]string{
+					genericOperatorConfigCMKey: makeGenericOperatorConfigYAML([]string{}, tlsVersion12),
+				})
+				if err := validateConfigMapsEqual(expectedConfigMap, modified); err != nil {
+					t.Fatalf("validation failed: %v", err)
+				}
+			},
+		},
 	}
 
 	for _, tt := range tests {
