LCORE-2035: konflux tls e2e fix

.tekton/integration-tests/pipeline/lightspeed-stack-integration-test.yaml

@@ -167,6 +167,8 @@ spec:
               echo "========== End parameters =========="
     - name: lightspeed-stack-integration-tests
       description: Task to run integration tests from lightspeed-stack repository
+      # Full Behave suite (proxy + tls) can exceed 2h; needs PipelineRun timeouts >= this value.
+      timeout: 3h
       params:
         - name: SNAPSHOT
           value: $(params.SNAPSHOT)

tests/e2e-prow/rhoai/manifests/lightspeed/e2e-mock-tls-inference.yaml

@@ -0,0 +1,104 @@
+# Mock HTTPS OpenAI API for tls.feature (Konflux / Prow; no Docker Compose).
+# Llama Stack run.yaml uses https://e2e-mock-tls-inference.<ns>.svc.cluster.local:8443|8444|8445/v1
+apiVersion: v1
+kind: Pod
+metadata:
+  name: e2e-mock-tls-inference
+  labels:
+    app: e2e-mock-tls-inference
+spec:
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  containers:
+    - name: e2e-mock-tls-inference
+      image: python:3.12-slim
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: ["ALL"]
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: PYTHONPATH
+          value: /app:/tmp/pydeps
+      command:
+        - /bin/sh
+        - -c
+        - |
+          set -e
+          pip install --quiet --no-cache-dir --target /tmp/pydeps 'trustme>=1.2.1' 'cryptography>=42.0.0'
+          NS="${POD_NAMESPACE:-default}"
+          export TLS_CERT_DNS_NAMES="mock-tls-inference,localhost,127.0.0.1,e2e-mock-tls-inference,e2e-mock-tls-inference.${NS}.svc.cluster.local"
+          exec python /app/server.py
+      ports:
+        - containerPort: 8443
+          name: tls
+        - containerPort: 8444
+          name: mtls
+        - containerPort: 8445
+          name: mismatch
+      volumeMounts:
+        - name: server-script
+          mountPath: /app/server.py
+          subPath: server.py
+          readOnly: true
+        - name: certs-work
+          mountPath: /certs
+      readinessProbe:
+        exec:
+          command:
+            - python3
+            - -c
+            - |
+              import ssl, urllib.request
+              ctx = ssl.create_default_context()
+              ctx.check_hostname = False
+              ctx.verify_mode = ssl.CERT_NONE
+              urllib.request.urlopen("https://localhost:8443/health", context=ctx)
+        initialDelaySeconds: 8
+        periodSeconds: 5
+      livenessProbe:
+        exec:
+          command:
+            - python3
+            - -c
+            - |
+              import ssl, urllib.request
+              ctx = ssl.create_default_context()
+              ctx.check_hostname = False
+              ctx.verify_mode = ssl.CERT_NONE
+              urllib.request.urlopen("https://localhost:8443/health", context=ctx)
+        initialDelaySeconds: 15
+        periodSeconds: 20
+  volumes:
+    - name: server-script
+      configMap:
+        name: e2e-mock-tls-inference-script
+    - name: certs-work
+      emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: e2e-mock-tls-inference
+spec:
+  selector:
+    app: e2e-mock-tls-inference
+  ports:
+    - name: tls
+      port: 8443
+      targetPort: tls
+    - name: mtls
+      port: 8444
+      targetPort: mtls
+    - name: mismatch
+      port: 8445
+      targetPort: mismatch

tests/e2e-prow/rhoai/manifests/lightspeed/llama-stack-openai.yaml

@@ -206,6 +206,10 @@ spec:
           mountPath: /tmp/interception-proxy-ca.pem
           subPath: ca.pem
           readOnly: true
+        # tls.feature: client/CA PEMs from Secret e2e-mock-tls-certs (optional).
+        - name: mock-tls-certs
+          mountPath: /certs
+          readOnly: true
   volumes:
     - name: app-root
       emptyDir: {}
@@ -222,3 +226,7 @@ spec:
       secret:
         secretName: e2e-interception-proxy-ca
         optional: true
+    - name: mock-tls-certs
+      secret:
+        secretName: e2e-mock-tls-certs
+        optional: true