From 355cb3b0e41785c4cc496b0eef90a86fe975d615 Mon Sep 17 00:00:00 2001
From: Marcin Owsiany <porridge@redhat.com>
Date: Tue, 23 Jul 2024 11:21:57 +0200
Subject: [PATCH 1/5] tests: rewrite TLSChallengeTest in go, drop dead code

---
 .../nginx-lb-certs/ca-key.pem                 |  52 ----
 .../tls-challenge-test/nginx-lb-certs/ca.pem  |  29 --
 .../nginx-lb-certs/generate-certs.sh          |  21 --
 .../nginx-lb-certs/leaf-cert.pem              |  29 --
 .../nginx-lb-certs/leaf-key.pem               |  51 ----
 .../tls-challenge-test/nginx-proxy.conf       |  12 -
 .../orchestratormanager/Kubernetes.groovy     |  90 ------
 .../OrchestratorMain.groovy                   |   5 -
 .../main/groovy/util/ApplicationHealth.groovy |   5 -
 .../src/test/groovy/TLSChallengeTest.groovy   | 206 -------------
 .../nginx-loadbalancer.qa-tls-challenge.crt   |  25 ++
 .../nginx-loadbalancer.qa-tls-challenge.key   |  28 ++
 tests/bad-ca/root.crt                         |  46 +--
 tests/bad-ca/self-signed.invalid.crt          |  40 +--
 tests/bad-ca/ssl-certs.sh                     |  67 ++--
 tests/bad-ca/untrusted-root.invalid.crt       |  42 +--
 tests/common.go                               | 285 ++++++++++++++++++
 tests/common_test.go                          |  62 ++++
 tests/e2e/yaml/central-cr.envsubst.yaml       |   2 +-
 tests/tls_challenge_test.go                   | 232 ++++++++++++++
 20 files changed, 735 insertions(+), 594 deletions(-)
 delete mode 100644 qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/ca-key.pem
 delete mode 100644 qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/ca.pem
 delete mode 100755 qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/generate-certs.sh
 delete mode 100644 qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/leaf-cert.pem
 delete mode 100644 qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/leaf-key.pem
 delete mode 100644 qa-tests-backend/artifacts/tls-challenge-test/nginx-proxy.conf
 delete mode 100644 qa-tests-backend/src/test/groovy/TLSChallengeTest.groovy
 create mode 100644 tests/bad-ca/nginx-loadbalancer.qa-tls-challenge.crt
 create mode 100644 tests/bad-ca/nginx-loadbalancer.qa-tls-challenge.key
 create mode 100644 tests/common_test.go
 create mode 100644 tests/tls_challenge_test.go

diff --git a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/ca-key.pem b/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/ca-key.pem
deleted file mode 100644
index d99f028d7b701..0000000000000
--- a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/ca-key.pem
+++ /dev/null
@@ -1,52 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDBLLJWeekuxnG6
-RoHE0QR2PJVRfv1ywWLFB+mrxKORI/fK8PFg5iQUI0AgJP2IL4yEdEbcNkBQHmZr
-7GT8qyzWVdsCCYQD9IU21fuan5ScF2P8jqaPkuG+I/lz4INss7EUWyTo0QsNbmTr
-EVaVe1oqAmcuBVHJw6eX/hjUKJ5zazFXWq0FjuAzp7W1o402vAUHqlnyiBcrNIi3
-WT+7fThLGpgdX1xlwMLDbGi4zU5r7yWJzd0PswtIZrtdvsjjuev/n7CNA9bj7Hcl
-oCjmaRj0s2853ZSSrjgUkxh3E2tlcoMUH8KxBlgwu07gzmmimMUOMoCFsPePyuDm
-QU8YIxWzAQoRoK9mFiPIAmr2smRhHBwIPM4TC+KEjvSDRKKweHb0w/FpkK+jvPdf
-vDQbWxRM6O6Pkn6aoLa5l9CScdJOa0slXFK+KN/dDbuoN6DSwG6NMU66cughBjFQ
-qZr2wvt9p5wBM+/tl6AE/04At+lwqlzphEq0TxbaU4E7lOT/DU7Lvecw9Bd55AXZ
-DxUjlKQwu27EDHM3BBnKUdJcsZFVfEqYIloD401GDTTd0/J9XrcXhWvNSIGJ7xJd
-kLe23ATL7xb/LLP6HHd+SP1fOkCDY3DU7WLSG0sYdw2ByK0t2X6epRjK4ei7JTDB
-ODPzd4UXMdAzpgDrMD/QJ0F5PFywDQIDAQABAoICAHoXUtvfD2cV21ldKLWJWaWV
-ItawSWXXHiLjnmeGz85zCjEE2bphmpnzsZrfZjJFwy0QBJ032KwKmrdJYIZldeA9
-wT7nXr3VNMD0u6H9jEKfcf1094a00eKIACih1M7GP3xbItfXD4I8rKH5glzV6qW0
-gRwQFqJL+8fPvEeTKJpQPI42bDagF8nuDKWxqhXW/eLbYyArrWEMQgCH8wT/3q1x
-MIUX+WECVNaI1SM/93m2W2Zea4J5qf7nlzJn27Y6kxMsDb0CmTXTBXcNY+xErpYy
-NnE/P6D5Zc5zLbpM1sr2diwo6rdSCDk8mVzyeMdggOM5PgvBTqZeFojQ7DmYKySv
-tjlBZ8SGcaE2pw/SYPpNgZnvZn2O8l97l/8W1ZIOINblbr/K4ImWmOGRDSGmIr7d
-vVtchTJ1SdGkg57x2ErICKEsr+NccOu/nok0RjC6bqjUZjRQvO1jtrAG9hWx4Bl0
-/U7SeNk6wdLRQR6mcxt4pMAvETdHCKult+6Oy0TWxoCkmUZs24B8qxzy9Lwot5r6
-NaiX78/hGypZpRe/kLLRoiTZyxg8UdIZuKMHaxkztKQP69uvphqGABHhgDbDwXkZ
-Dw7pq9ElylwMKio6wtynOz4iCMk6YbbgobMCGtBY8QFRrQZUMqTGd5lCbUYVcseW
-UkoFrn0qQckaUkTnucjhAoIBAQDiF3nBVofGylVvJ8ZtE+kX+P5Lf8soOwa9MhvB
-1xyl5fZpB/7KE2cIr5DXw7alXL4btNSZYosjMZ4XrB5NKN8J750bRmaNAhyh2d2y
-MQXXRZI2O1hvUtKMH1qt91VXjM3ByddHJ4AeP/I2RmHhrVSGyjEAFYhcA2V2Wdy7
-b46qlUoh9tmCWPdCsuogsV8mTFuwDox9YWWY3sjZ6TtpN5hU+gISeZAGXd1O5FEA
-9XMRdoraKpuk5rQW6Sbwg7Gd4dK6sbbVFJF/I6pINtrT5h7a6ziOXsrEnwL9v62i
-1VCgcCWF8kvF9772eZ+5eurQJerDsknOKaFs5cGuOxtSf/Y1AoIBAQDaun5cpJ9a
-zQFfYD79ZmSOoPZrKB3qSt/7xvlAvzkxxUFWSOp1t/puN1SB98vcFsR5zPEPEkoT
-8BKeATECJhjL5+Hvvn/RFyXxtI67mxgqiMzhaHus8CoWsC6GF7tzsNJqOdkWDT+p
-NJP8pJxDJE89iSkjNZu9YXMOicFWIbPWtGR5UpxE1NT3Bj+wyo2xutnV3itfoEQV
-x4o5YvgBbV8r+Ak4+ImfLg0u2xxlPEMmkdrHspIAWYzfDGtg5Xi8nitID5KKReeW
-g3MNrDeL56Z4yYNYR5Efzw0cDMtOCSTpS7g9AYZs58Bt5uBdiWXjL9mGbN9kZkky
-MS1IFfosci15AoIBAQC4pTl/p36d4FLjw9Uu8irUtDpiSI0PXx2C2HCI33h7GJMk
-di4ktLHaCyA8xo7dACAWmpliZ3OAm54kcSISHAYDpFhnlRhdotLlb/u58oV1qVDe
-z5rK2BYx781r9GoTZWAJGyGg7+aXTdwvbU21NIyqxGg+TFef5fowLPWzcklOkTwI
-/wPmi2fsZhgF+TXfHk9nOoqMP0XtEk1wgiVOKeRTyhZ1Jih0uqXqL1bkdJC0O17t
-DA0vIGcFqwZtOPCPI4WpiUfrP7AP6H3CGmKe2fprCd2XkF0DNWYI/Ej/ij0dulk6
-yoYNuOaRfwTuQy+QLNdNWccjAybdu8pw077dorndAoIBAQC3Ev2NAWU4FPsfH2nZ
-owhrsSJP0oYngoAzNvmNTgDLPbVQSTulSFZeRgV/uy5wisXsxLLH0KEcSwbqJUkl
-6Uk78lxT1HkbQ2rJAj2tnUT+5P3HdTJ/L42q69AlAFwvm0KjEsQ3BuPP9mgfQJBi
-SlPgx5sdE1PFkXlCI98k/pSOEvM98P1HR3TxRdOtX/x1VFXcAlb/dR9Hs3poSgQW
-/bp5DOR7QNu/1kXGgDMmMOhrsg0StM4raMjWMIj301nZVfIYIKChB52th1yXhxv/
-B+d4lgJPs6cunpj0b2kDaffxJSWSOmKPaPLRijslT0lufLBvKVVZrZt6XVrvSSXa
-ab7RAoIBAGTWF5/cmZOMvKxak5BuNGt6sy3zbcot0bXQj3YrYpvlbjGBjUPq/10o
-/A7lOdjAQZq62KnY/fZCIkSCOGNSdL18ewOgpfZLhViFnbJVR+n1IiakBNgaMA+A
-oaI9xoKaMY5GIrzGZSa4OliD/cGHRz2I5QwUhULNxlUtUbPvE5HtCQ4JHaeJT+J6
-QNBcfg3oUL6qLA8kBCTBvNuVMSsm+N9wGSpN5jHW+VOjrjDFu9lcAJefDsKnObBe
-fohMO1pJq5raSkVXjikwAU0+8xfElwfJSCkuTr1czhHr7VcHKw4rGVw37BgIQZ78
-MZxFCn137FPDj9x1uNHiKypit1s8cnU=
------END PRIVATE KEY-----
diff --git a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/ca.pem b/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/ca.pem
deleted file mode 100644
index 2b712e92d65cc..0000000000000
--- a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/ca.pem
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE8DCCAtigAwIBAgIJAO3bObwJI2n+MA0GCSqGSIb3DQEBCwUAMC0xKzApBgNV
-BAMMIkxvYWRCYWxhbmNlciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIwOTIy
-MTczNTU3WhcNMjcwOTIxMTczNTU3WjAtMSswKQYDVQQDDCJMb2FkQmFsYW5jZXIg
-Q2VydGlmaWNhdGUgQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAwSyyVnnpLsZxukaBxNEEdjyVUX79csFixQfpq8SjkSP3yvDxYOYkFCNA
-ICT9iC+MhHRG3DZAUB5ma+xk/Kss1lXbAgmEA/SFNtX7mp+UnBdj/I6mj5LhviP5
-c+CDbLOxFFsk6NELDW5k6xFWlXtaKgJnLgVRycOnl/4Y1Ciec2sxV1qtBY7gM6e1
-taONNrwFB6pZ8ogXKzSIt1k/u304SxqYHV9cZcDCw2xouM1Oa+8lic3dD7MLSGa7
-Xb7I47nr/5+wjQPW4+x3JaAo5mkY9LNvOd2Ukq44FJMYdxNrZXKDFB/CsQZYMLtO
-4M5popjFDjKAhbD3j8rg5kFPGCMVswEKEaCvZhYjyAJq9rJkYRwcCDzOEwvihI70
-g0SisHh29MPxaZCvo7z3X7w0G1sUTOjuj5J+mqC2uZfQknHSTmtLJVxSvijf3Q27
-qDeg0sBujTFOunLoIQYxUKma9sL7faecATPv7ZegBP9OALfpcKpc6YRKtE8W2lOB
-O5Tk/w1Oy73nMPQXeeQF2Q8VI5SkMLtuxAxzNwQZylHSXLGRVXxKmCJaA+NNRg00
-3dPyfV63F4VrzUiBie8SXZC3ttwEy+8W/yyz+hx3fkj9XzpAg2Nw1O1i0htLGHcN
-gcitLdl+nqUYyuHouyUwwTgz83eFFzHQM6YA6zA/0CdBeTxcsA0CAwEAAaMTMBEw
-DwYDVR0TBAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAgEAQD+6HNyvC2mI9r64
-N/x3dULe1YnqN8tkcT60HNXLsp85DyKE92C60hdnh5qLdugayyFm3cjpoHHSdEEp
-My6RoQyZquZvuVIVhR1e7STpGUxB2K2XQTPjtNNb5SexWTOcA00at/z8BlWAHqv2
-/SxPji8Yo32Fnq5oUUfjJIQ7vPTSie9f5MOnDbAfPjWWKLrvX47RJ1EtXDj3gi5u
-uJke3L5fKFZJAhEtvsTEkq3dNub054/8S7IG3Sd4N5VxVt6OuSgDr56rBI84hzLe
-v86QtjqyLjfR1YK876H7SJd5X5UJsgUJZK3985mAbEWgP+KnZmPNFnFC0AKYJ7TR
-WxlLSQW5FKOJ8yMaElRaj+y6md6RtMowosx3L4JpUSGY83WuXaI5cPdQtuMnyqlb
-F9lRLNP7Hehq4BaLqgONmyjGYsgE6JmaKRciJyRk92VyluTHNEdsAY4Jcfal36Z/
-bYwLSWtRKKJo8eWczSp2enbLbA6jUI65QtcvTTKM9Ruiubeay6MT3Jj4DX5akAwN
-uEXF3cmvYtSFYuVJFHk7un9mCUued4g5mmYf7nDAqH8ncVhLP44Un4/2ytOla7d7
-x174TkfUESlTvkILsZqwlseF2A69w4sQCmRx0H8XJVHDMEY6EwFUidvG/RRe4a1B
-n/h6TPs4x+aHHWsHXZVXkhQ7BRE=
------END CERTIFICATE-----
diff --git a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/generate-certs.sh b/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/generate-certs.sh
deleted file mode 100755
index 2b97fdf1c2384..0000000000000
--- a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/generate-certs.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-set -exo pipefail
-
-root_ca_exts="
-  [req]
-  distinguished_name=dn
-  x509_extensions=ext
-  [ dn ]
-  [ ext ]
-  basicConstraints=CA:TRUE,pathlen:0
-"
-
-openssl req -config <(echo "${root_ca_exts}") -nodes -new -x509 -newkey 4096 -keyout ca-key.pem -out ca.pem -days 1825 -subj "/CN=LoadBalancer Certificate Authority"
-
-leaf_ca_exts="subjectAltName=DNS:nginx-loadbalancer.qa-tls-challenge"
-openssl genrsa -out leaf-key.pem 4096
-openssl req -new -key leaf-key.pem -subj "/CN=nginx LoadBalancer" | \
-     openssl x509 -sha256 -extfile <(echo "${leaf_ca_exts}") -req -CAcreateserial -CA ca.pem -CAkey ca-key.pem -out leaf-cert.pem -days 1825
-
-rm ca.srl
-
diff --git a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/leaf-cert.pem b/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/leaf-cert.pem
deleted file mode 100644
index 5714d7dc0f68c..0000000000000
--- a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/leaf-cert.pem
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE/zCCAuegAwIBAgIJAPMA43zkAPjjMA0GCSqGSIb3DQEBCwUAMC0xKzApBgNV
-BAMMIkxvYWRCYWxhbmNlciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIwOTIy
-MTczNTU4WhcNMjcwOTIxMTczNTU4WjAdMRswGQYDVQQDDBJuZ2lueCBMb2FkQmFs
-YW5jZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCZJrnH3McHOybt
-zzhkqrScSoUSkIXG7vEV2P/k4QLD57ZYyFZQiGpa129/9U242XRKrPtnwLuzbuYI
-h86nDoo0CD/u368FA2lO7jbp8a5ND2S0iJvlrK2/GxSs7fWknzHvGs1/i1G6PwZx
-rV676szPWHmVJqwvP5+06WtyAjg5+NFfN1Sl88XGsPlFQgV+VRS2e7st/jZAoMc/
-OMGwOFDW6lCTS0X5ED/OphTs/OSlU1SjX3h+tWKGxggMLcWYxvMUAFNI1XqqeVo+
-MQ6OxXlRquAchohE0fFjKSvFYLRz0fi/lUeWJ2Dp9bi1gZrg2nCmPJaTVfUVbX00
-vjXNwzQDW6ATZaNWw90GbqSZDnMcb+6LTjeyBgBCDB8dPehSrVWEEhy0A+v4H+uT
-DLFmJ3evBkousoCEmCWfzTvvZQSR1QgzkZmYV1K03K+rQ8kFa1BWNcmp7kAhuZ7V
-SbucbYMQVza/HEt+3oPB+SJNd9GVR4u6rpcQoSIINaZ+olZw4BDEwQhysAVi3gFF
-npCiHb9uioO0fsG9j/pbVfcxi/o25FByTyJpMFElsP7Fu/jVgDW0i2rHkCPKUbG0
-GjWinrg4ZN0Y2WCcYPNU+oi2DRM+5Q1LoRg/y/x9puIPvS06NC8bCYBTKntHUyHm
-KgcT91aeCkNJNm5m/VwUySWeH/KiswIDAQABozIwMDAuBgNVHREEJzAlgiNuZ2lu
-eC1sb2FkYmFsYW5jZXIucWEtdGxzLWNoYWxsZW5nZTANBgkqhkiG9w0BAQsFAAOC
-AgEAKV9TMVOVGRMtUd/9uJ0+MFT85Q1CnGsU7xs1A9K/SpEiaFyZQngsREzfTtkA
-8h51SzH+qabSESkPjBk1sXPsVKlkqcQmNq/k3mY2+/u5SUKQEoJll1jjwqgdK/7c
-rCWffF6sqqlSzw/iR9+8AJtppb4lDrDV5lY0cz/8siKUMUUY3X0epnAtm/kKk5Xo
-gMqFwl1fMxzAlG+586e0szNBYOUoGc3+Hvdwgq0eWcEsLHBTaGJzSDocBwKWD97F
-Vbd6OR5J1vi13SaqrML8EJHHV0djzdSnJQN/fSlM635GxdgkBxR8ZFpTDLwlltK4
-HzYWCD7UfgY9ywUiBs7DFj4bdl/EmxyaJKgMsVOJc02xw9y3bkg1isKy+deMASTi
-csKazE+TA1UZj4i2TkpcsRd0Qi9mqIb+8lr2fsFZiiQPGGUoXsY3a4ONyszAGvUd
-t3Y1iWRIC3q67ehl7nhzEoxkAbKjsWnKe+dmm/9Wa8dX40ZXfZ1tiBB7vgwb2PQd
-n5I8vP7mLilAkiD4PGnpJfHSavk1t4TsPgChEBqNR7KOBs0FaL5GQK4pto96Kknn
-dYCludXmV2SuJ35OjDTgDssY8PqAyc6wPbOR69Mo91LLiVMZepkKl1pOTDImqFM+
-Vc9QK9pwtMB10mEwXYUg4JM6Em62kuHRTK63XYAGkDZtu2k=
------END CERTIFICATE-----
diff --git a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/leaf-key.pem b/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/leaf-key.pem
deleted file mode 100644
index 234ed344bb687..0000000000000
--- a/qa-tests-backend/artifacts/tls-challenge-test/nginx-lb-certs/leaf-key.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAmSa5x9zHBzsm7c84ZKq0nEqFEpCFxu7xFdj/5OECw+e2WMhW
-UIhqWtdvf/VNuNl0Sqz7Z8C7s27mCIfOpw6KNAg/7t+vBQNpTu426fGuTQ9ktIib
-5aytvxsUrO31pJ8x7xrNf4tRuj8Gca1eu+rMz1h5lSasLz+ftOlrcgI4OfjRXzdU
-pfPFxrD5RUIFflUUtnu7Lf42QKDHPzjBsDhQ1upQk0tF+RA/zqYU7PzkpVNUo194
-frVihsYIDC3FmMbzFABTSNV6qnlaPjEOjsV5UargHIaIRNHxYykrxWC0c9H4v5VH
-lidg6fW4tYGa4NpwpjyWk1X1FW19NL41zcM0A1ugE2WjVsPdBm6kmQ5zHG/ui043
-sgYAQgwfHT3oUq1VhBIctAPr+B/rkwyxZid3rwZKLrKAhJgln80772UEkdUIM5GZ
-mFdStNyvq0PJBWtQVjXJqe5AIbme1Um7nG2DEFc2vxxLft6DwfkiTXfRlUeLuq6X
-EKEiCDWmfqJWcOAQxMEIcrAFYt4BRZ6Qoh2/boqDtH7BvY/6W1X3MYv6NuRQck8i
-aTBRJbD+xbv41YA1tItqx5AjylGxtBo1op64OGTdGNlgnGDzVPqItg0TPuUNS6EY
-P8v8fabiD70tOjQvGwmAUyp7R1Mh5ioHE/dWngpDSTZuZv1cFMklnh/yorMCAwEA
-AQKCAgEAgxKSo4u/RuAINDVKRVWX178rXrUT2Sr8aD9c2mz86d9wv1FOFgR6SZ7h
-zXiK+S4aiiK705Mu0aWS+DAK3AzkmR2KYg1MhBTkVuonU1dFXqxS+vODwTBlTw6F
-Rm8t8aNRoBqnT4ZT/vsbr8S6NEgC214USGNdr95a+AFhtKRTrMHXpw76wkD8vk0O
-OYkEnJeCb587lmRf2DYB8IjJs+CuxxCovzcH/t46Tcj0VdMmeJv17xCxVng0h7YK
-gynVWCjFNxQEM2yJXEcZxepEVEqLxypgPemhzIyFc+FzlaxrJEjLBGRlbQvstK9Z
-UvZGMDSjfpKSKCzD4X/gTXiRIbXz16zJ8kXRHtByOItG67/Mek9VjavZUYvDnJiu
-0RSKTUDdoR4ygr6LJ4MwhNxRQwkR8jAk4K9wI8WWt4ooL0g0oVSjDo5g4K0kqNBD
-GzbGgrjH1fkwZR6xp3KD+D+don+q7YZ/I8vZPaY7eTk5QT0M1SsoEG9XoYwUUQNg
-IVAmUKtCnk0OX/Culp49PQuKb3T7RsB1Yzb459pFnwcr8AVI62g8FuBpL5aa7mH4
-Tes+ZZEL5jGesk63+FBk/Pl6IeHhf7LBhXi8m3SE+zRHuaFG75bJspWmVvU8+dCL
-2gOi4HTwceI51M3+vKvfJMCAHF+eEvxrOnvqHbF5Omj4lsTqKbECggEBAMwADcrg
-WdFrLgZyze9QnCWwQTq0ctWDQQZcVrkpMzevZCyQe7EC2ngGEsdKGgP4ra/q1McL
-33c2Dzw++F4P0mARwZmOogV8hwU7IyfoXQkdkT8QPQkYsNFZgspL5bhn/+OIkiuW
-69z9CZfTnKR1chlt/RqzJDPcV6QA5u4bEi5DMeiuO8YEeRtdNqceSKL0HBEdXcfy
-mv+cqlJFd5Llq7GAyoEffwzl6iGWag4J0IzC77gND5tCqtNKu6YGcIF1HDFvcaAw
-TYQJWPyJPcDqw3P/FCXV+93fxiC4yfPUawLRmyWe6JvvhyZmT2vyWONG8ckoe80n
-6cxopIO0TexH/ssCggEBAMAwi9Qw3iG4Y6c0k9Ud07EpWVGYOf64RdEkpWm3PdMC
-eLwMIZuTydCghb+1ihmyaQx5Pp2LxU/YGrFLbPkJJInXjdFJU6qEW3hUO8Az63LA
-Akdd9mP3VFW1a2IxuiSURQUljzBQ7B6Lclb0IqjI828yGBQwYOfph4wrT4Zfbql2
-hL900IVoIEHhrsJlJAyuHy29Ie/Y2S9UV7jL2dWfFzaFAgXCB8GY3FtEmABqfqzs
-1QDW5v44kozljA6gXOKXroJIVw1vqG4C/iLanVcfjibEiRndQLkzMyRxmmPwyWyv
-rtM30OCVn+A4Q/tg46CzHPuM3bo9tsLSg1y/T8jARrkCggEADb4nL7ajdl8xD5Am
-XWvhyQwxqMHFRqr783C/CuRCpgqzxejJ3Gfjzdgi5bgRPpk/Ii3AvdQH7uD+b8GS
-O8v3ES/BChY4xgPYmLqeKK8XrWiHg2cVpYo7Ry8vh29Lf3vKGkr2Bee55f5J6ieA
-UvfygtINDgJpevDqGotRA1NhiypNr24laracbgJ+jw2UOR4W0fRXgAPQ+01TkA1L
-++JrCZ8yhTZY+cZ3WmHmrSFuIj1zpsOCfKQmG+vZ7lpas+3uw0nNrsvyPOXgT8rz
-FQ77sdHKSq46tHzBvSyVtk5mEx+JwyQMaYzeXvDfgtcls9Hwset/Q5ffwTx/cLvx
-z+wdtwKCAQEAms1/k6bZBWg0PJYJDXw861JW83YeIKHk+pT996z1S2WOQkmzOFFO
-GZFyqfxcBF7EZpuyZ8wRXkK/HVeXqvBGUhEh1hWuIocB9mZCyooHeCJYs4tnzxWF
-BJRgrnNHb/dNsNuT/mLwDZpcutVipXlXO5Wp93kQVTyxRaINKDruM+mW+2/oFczN
-TsOttD8rTltiGcFh+IM+TPUuw1bPW1YNqIhyHJkxDitGMu2JUax15GvPFiIDZXnD
-8WFj8tQQfSOYGLCUDeqGTDZ05TYZzfdI1MkxdXfVjldDNnOa3C0y0SyhMNigkoVy
-hXRMrcpZDzO2gJfycPUMpNhTnv0qEpVtYQKCAQBoyUPk5y/OmGS7D2Y+O6QKuyOu
-Hji2u98vjGLFUNru+ElDwZZgAwxEfOJAsBWjrD/hGlol9aC+ZklImu9YxVY8vQUp
-tU/iPDaxkf/zEBCwabL3KS2pe58N+8DOdCRc+cOW9UEWym9WTb92K8d1aMKmEqFZ
-kffmNi1mclfOh6VpAoz2e8S4R2JzWa4t5LZcHwlndPnB9xdx3o8adS2I4odd825T
-wo1wxwQLk3E5c7NMGGlnVPsRNL6sHUPylmchx1uNjFDMQ8QkVqpZ2M/xle6hp3d2
-zyT8MySNOZFjeioHgg1JE1IU3bJr8wLaAI2DFTUMOozbfzuQiNY8QayU+z2+
------END RSA PRIVATE KEY-----
diff --git a/qa-tests-backend/artifacts/tls-challenge-test/nginx-proxy.conf b/qa-tests-backend/artifacts/tls-challenge-test/nginx-proxy.conf
deleted file mode 100644
index 185e11e0f2e16..0000000000000
--- a/qa-tests-backend/artifacts/tls-challenge-test/nginx-proxy.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-server {
-	listen 8443 ssl http2;
-
-	ssl_certificate     /run/secrets/tls/tls.crt;
-	ssl_certificate_key /run/secrets/tls/tls.key;
-
-	location / {
-        client_max_body_size 50M;
-		grpc_pass grpcs://central.stackrox:443;
-		grpc_ssl_verify off;
-	}
-}
diff --git a/qa-tests-backend/src/main/groovy/orchestratormanager/Kubernetes.groovy b/qa-tests-backend/src/main/groovy/orchestratormanager/Kubernetes.groovy
index c44c783751666..d8e26ae1979cd 100644
--- a/qa-tests-backend/src/main/groovy/orchestratormanager/Kubernetes.groovy
+++ b/qa-tests-backend/src/main/groovy/orchestratormanager/Kubernetes.groovy
@@ -59,7 +59,6 @@ import io.fabric8.kubernetes.api.model.apps.DaemonSetBuilder
 import io.fabric8.kubernetes.api.model.apps.DaemonSetList
 import io.fabric8.kubernetes.api.model.apps.DaemonSetSpec
 import io.fabric8.kubernetes.api.model.apps.Deployment as K8sDeployment
-import io.fabric8.kubernetes.api.model.apps.DeploymentBuilder
 import io.fabric8.kubernetes.api.model.apps.DeploymentList
 import io.fabric8.kubernetes.api.model.apps.DeploymentSpec
 import io.fabric8.kubernetes.api.model.apps.StatefulSet as K8sStatefulSet
@@ -308,40 +307,6 @@ class Kubernetes implements OrchestratorMain {
         client.pods().inNamespace(ns).withLabels(labels).delete()
     }
 
-    void deleteAllPodsAndWait(String ns, Map<String, String> labels) {
-        log.debug "Will delete all pods in ${ns} with labels ${labels} and wait for deletion"
-
-        List<Pod> beforePods = evaluateWithRetry(2, 3) {
-            client.pods().inNamespace(ns).withLabels(labels).list().getItems()
-        }
-        beforePods.each { pod ->
-            evaluateWithRetry(2, 3) {
-                client.pods().inNamespace(ns).withName(pod.metadata.name).delete()
-            }
-        }
-
-        Timer t = new Timer(30, 5)
-        Boolean allDeleted = false
-        while (!allDeleted && t.IsValid()) {
-            allDeleted = true
-            beforePods.each { deleted ->
-                Pod pod = evaluateWithRetry(2, 3) {
-                    client.pods().inNamespace(ns).withName(deleted.metadata.name).get()
-                }
-                if (pod == null) {
-                    log.debug "${deleted.metadata.name} is deleted"
-                }
-                else {
-                    log.debug "${deleted.metadata.name} is not deleted"
-                    allDeleted = false
-                }
-            }
-        }
-        if (!allDeleted) {
-            throw new OrchestratorManagerException("Gave up trying to delete all pods")
-        }
-    }
-
     Boolean deletePodAndWait(String ns, String name, int retries, int intervalSeconds) {
         deletePod(ns, name, null)
         log.debug "Deleting pod ${name}"
@@ -358,15 +323,6 @@ class Kubernetes implements OrchestratorMain {
         throw new OrchestratorManagerException("Could not delete pod ${ns}/${name}")
     }
 
-    Boolean restartPodByLabelWithExecKill(String ns, Map<String, String> labels) {
-        Pod pod = getPodsByLabel(ns, labels).get(0)
-        int prevRestartCount = pod.status.containerStatuses.get(0).restartCount
-        def cmds = ["sh", "-c", "kill -15 1"] as String[]
-        execInContainerByPodName(pod.metadata.name, pod.metadata.namespace, cmds)
-        log.debug "Killed pod ${pod.metadata.name}"
-        return waitForPodRestart(pod.metadata.namespace, pod.metadata.name, prevRestartCount, 25, 5)
-    }
-
     def restartPodByLabels(String ns, Map<String, String> labels, int retries, int intervalSecond) {
         Pod pod = getPodsByLabel(ns, labels).get(0)
 
@@ -554,52 +510,6 @@ class Kubernetes implements OrchestratorMain {
                         .portForward(port)
     }
 
-    EnvVar getDeploymentEnv(String ns, String name, String key) {
-        def deployment = client.apps().deployments().inNamespace(ns).withName(name).get()
-        if (deployment == null) {
-            throw new OrchestratorManagerException("Did not find deployment ${ns}/${name}")
-        }
-
-        List<EnvVar> envVars = client.apps().deployments().inNamespace(ns).withName(name).get().spec.template
-                .spec.containers.get(0).env
-        int index = envVars.findIndexOf { EnvVar it -> it.name == key }
-        if (index < 0) {
-            throw new OrchestratorManagerException("Did not find env variable ${key} in ${ns}/${name}")
-        }
-        return envVars.get(index)
-    }
-
-    def updateDeploymentEnv(String ns, String name, String key, String value) {
-        log.debug "Update env var in ${ns}/${name}: ${key} = ${value}"
-        List<EnvVar> envVars = client.apps().deployments().inNamespace(ns).withName(name).get().spec.template
-                .spec.containers.get(0).env
-
-        int index = envVars.findIndexOf { EnvVar it -> it.name == key }
-        if (index > -1) {
-            log.debug "Env var ${key} found on index: ${index}"
-            envVars.get(index).value = value
-        }
-        else {
-            log.debug "Env var ${key} not found. Adding it now"
-            envVars.add(new EnvVarBuilder().withName(key).withValue(value).build())
-        }
-
-        withRetry(2, 3) {
-            client.apps().deployments().inNamespace(ns).withName(name)
-                .edit { d -> new DeploymentBuilder(d)
-                    .editSpec()
-                    .editTemplate()
-                    .editSpec()
-                    .editContainer(0)
-                    .withEnv(envVars)
-                    .endContainer()
-                    .endSpec()
-                    .endTemplate()
-                    .endSpec()
-                .build() }
-        }
-    }
-
     def scaleDeployment(String ns, String name, Integer replicas) {
         Exception mostRecentException
         Timer t = new Timer(30, 5)
diff --git a/qa-tests-backend/src/main/groovy/orchestratormanager/OrchestratorMain.groovy b/qa-tests-backend/src/main/groovy/orchestratormanager/OrchestratorMain.groovy
index 1bee6b458dc61..017b22a6fd60e 100644
--- a/qa-tests-backend/src/main/groovy/orchestratormanager/OrchestratorMain.groovy
+++ b/qa-tests-backend/src/main/groovy/orchestratormanager/OrchestratorMain.groovy
@@ -1,6 +1,5 @@
 package orchestratormanager
 
-import io.fabric8.kubernetes.api.model.EnvVar
 import io.fabric8.kubernetes.api.model.ObjectMeta
 import io.fabric8.kubernetes.api.model.Pod
 import io.fabric8.kubernetes.api.model.admissionregistration.v1.ValidatingWebhookConfiguration
@@ -26,8 +25,6 @@ interface OrchestratorMain {
     Boolean deletePod(String ns, String podName, Long gracePeriodSecs)
     Boolean deletePodAndWait(String ns, String podName, int retries, int intervalSeconds)
     def deleteAllPods(String ns, Map<String, String> labels)
-    void deleteAllPodsAndWait(String ns, Map<String, String> labels)
-    Boolean restartPodByLabelWithExecKill(String ns, Map<String, String> labels)
     def restartPodByLabels(String ns, Map<String, String> labels, int retries, int intervalSecond)
     def waitForAllPodsToBeRemoved(String ns, Map<String, String>labels, int iterations, int intervalSeconds)
     def waitForPodsReady(String ns, Map<String, String> labels, int minReady, int iterations, int intervalSeconds)
@@ -56,8 +53,6 @@ interface OrchestratorMain {
     def getDeploymentCount(String ns)
     Set<String> getDeploymentSecrets(Deployment deployment)
     def createPortForward(int port, Deployment deployment)
-    def updateDeploymentEnv(String ns, String name, String key, String value)
-    EnvVar getDeploymentEnv(String ns, String name, String key)
     def scaleDeployment(String ns, String name, Integer replicas)
     List<String> getDeployments(String ns)
     boolean deploymentReady(String ns, String name)
diff --git a/qa-tests-backend/src/main/groovy/util/ApplicationHealth.groovy b/qa-tests-backend/src/main/groovy/util/ApplicationHealth.groovy
index 74243dd46189b..6a720cd218c74 100644
--- a/qa-tests-backend/src/main/groovy/util/ApplicationHealth.groovy
+++ b/qa-tests-backend/src/main/groovy/util/ApplicationHealth.groovy
@@ -23,11 +23,6 @@ class ApplicationHealth {
         this.waitTimeForHealthiness = waitTimeForHealthiness
     }
 
-    void waitForSensorHealthiness() {
-        Deployment sensor = new Deployment().setNamespace(Constants.STACKROX_NAMESPACE).setName("sensor")
-        waitForHealthiness(sensor)
-    }
-
     void waitForCollectorHealthiness() {
         Deployment collector = new DaemonSet().setNamespace(Constants.STACKROX_NAMESPACE).setName("collector")
         waitForHealthiness(collector)
diff --git a/qa-tests-backend/src/test/groovy/TLSChallengeTest.groovy b/qa-tests-backend/src/test/groovy/TLSChallengeTest.groovy
deleted file mode 100644
index a77f238e2a72e..0000000000000
--- a/qa-tests-backend/src/test/groovy/TLSChallengeTest.groovy
+++ /dev/null
@@ -1,206 +0,0 @@
-import static io.stackrox.proto.storage.ClusterOuterClass.ClusterHealthStatus.HealthStatusLabel
-import static util.Helpers.withRetry
-
-import java.nio.file.Files
-import java.nio.file.Paths
-
-import io.fabric8.kubernetes.api.model.EnvVar
-import orchestratormanager.OrchestratorManagerException
-
-import io.stackrox.proto.storage.ClusterOuterClass
-
-import objects.ConfigMap
-import objects.Deployment
-import objects.Secret
-import util.ApplicationHealth
-import util.Timer
-
-import spock.lang.Shared
-import spock.lang.Tag
-import spock.lang.IgnoreIf
-import util.Env
-
-// skip if executed in a test environment with just secured-cluster deployed in the test cluster
-// i.e. central is deployed elsewhere
-@IgnoreIf({ Env.ONLY_SECURED_CLUSTER == "true" })
-@Tag("PZ")
-class TLSChallengeTest extends BaseSpecification {
-    @Shared
-    private EnvVar originalCentralEndpoint = new EnvVar()
-    private final static String PROXY_NAMESPACE = "qa-tls-challenge"
-    private final static String CENTRAL_PROXY_ENDPOINT = "nginx-loadbalancer.${PROXY_NAMESPACE}:443"
-    private final static String ASSETS_DIR = Paths.get(
-            System.getProperty("user.dir"), "artifacts", "tls-challenge-test")
-
-    private final static LEAF_KEY_CONTENT = Files.readAllBytes(
-            Paths.get(ASSETS_DIR, "nginx-lb-certs", "leaf-key.pem"))
-    private final static LEAF_CERT_CONTENT = Files.readAllBytes(
-            Paths.get(ASSETS_DIR, "nginx-lb-certs", "leaf-cert.pem"))
-    private final static CA_CERT_CONTENT = Files.readAllBytes(
-            Paths.get(ASSETS_DIR, "nginx-lb-certs", "ca.pem"))
-
-    def setupSpec() {
-        originalCentralEndpoint = orchestrator.getDeploymentEnv("stackrox", "sensor", "ROX_CENTRAL_ENDPOINT")
-        orchestrator.ensureNamespaceExists(PROXY_NAMESPACE)
-        addStackroxImagePullSecret(PROXY_NAMESPACE)
-
-        ByteArrayOutputStream out = new ByteArrayOutputStream()
-        out.write(LEAF_CERT_CONTENT)
-        out.write(CA_CERT_CONTENT)
-        def certChain = out.toByteArray()
-
-        deployNGINXProxy(certChain, LEAF_KEY_CONTENT)
-    }
-
-    def cleanupSpec() {
-        orchestrator.deleteNamespace(PROXY_NAMESPACE)
-        orchestrator.waitForNamespaceDeletion(PROXY_NAMESPACE)
-
-        orchestrator.deleteSecret("additional-ca", "stackrox")
-        orchestrator.restartPodByLabelWithExecKill("stackrox", [app: "central"])
-        orchestrator.waitForPodsReady("stackrox", [app: "central"], 1, 50, 3)
-
-        // Ensure Central API is reachable.
-        withRetry(30, 2) { Services.getMetadataClient().getMetadata() }
-
-        // Restart sensor to reset the gRPC connection to central.
-        // Scale to 0 and back to 1 so that the check for sensor healthiness is based on the restarted sensor pod.
-        orchestrator.scaleDeployment("stackrox", "sensor", 0)
-        orchestrator.waitForAllPodsToBeRemoved("stackrox", ["app": "sensor"], 30, 5)
-        orchestrator.updateDeploymentEnv("stackrox", "sensor",
-                originalCentralEndpoint.name, originalCentralEndpoint.value)
-        orchestrator.scaleDeployment("stackrox", "sensor", 1)
-        ApplicationHealth ah = new ApplicationHealth(orchestrator, 600)
-        ah.waitForSensorHealthiness()
-
-        orchestrator.deleteAllPodsAndWait("stackrox", [app: "collector"])
-        ah.waitForCollectorHealthiness()
-
-        withRetry(30, 1) { Services.getMetadataClient().getMetadata() }
-        waitUntilCentralSensorConnectionIs(HealthStatusLabel.HEALTHY)
-    }
-
-    @Tag("SensorBounceNext")
-    def "Verify sensor can communicate with central behind an untrusted load balancer"() {
-        when:
-        "Deploying Sensor without root CA certs can't connect to load balancer"
-
-        log.info("Setting sensor ROX_CENTRAL_ENDPOINT to ${CENTRAL_PROXY_ENDPOINT}")
-        orchestrator.updateDeploymentEnv("stackrox", "sensor", "ROX_CENTRAL_ENDPOINT", CENTRAL_PROXY_ENDPOINT)
-        log.info("Waiting for sensor to be restarted")
-        orchestrator.waitForPodsReady("stackrox", [app: "sensor"], 1, 10, 5)
-
-        then:
-        "Sensor connection to Central becomes unhealthy because root CAs are missing"
-        log.info("Waiting until Sensor connection is marked as UNHEALTHY or DEGRADED in Centrals clusters health")
-        assert waitUntilCentralSensorConnectionIs(HealthStatusLabel.UNHEALTHY, HealthStatusLabel.DEGRADED)
-
-        when:
-        "Central receives additional CA configurations after restart"
-
-        log.info("Creating additional-ca secret")
-        Secret additionalCASecret = new Secret(
-                name: "additional-ca",
-                namespace: "stackrox",
-                type: "Opaque",
-                data: [ "ca.crt": Base64.getEncoder().encodeToString(CA_CERT_CONTENT) ]
-        )
-        orchestrator.createSecret(additionalCASecret)
-
-        log.info("Restarting central to pick up the optional additional-ca secret")
-        // restart with "kill 1" to prevent deletion of PVs on local machines
-        assert orchestrator.restartPodByLabelWithExecKill("stackrox", [app: "central"])
-        log.info("Waiting for central pod being ready again")
-        orchestrator.waitForPodsReady("stackrox", [app: "central"], 1, 50, 3)
-
-        log.info("Restarting central proxy")
-        orchestrator.restartPodByLabels(PROXY_NAMESPACE, [app: "nginx"], 30, 5)
-
-        then:
-        "Sensor receives root CAs from central after restart and is connected to central"
-
-        // delete sensor to force reconnect
-        log.info("Restarting Sensor, should connect to ${CENTRAL_PROXY_ENDPOINT}")
-        orchestrator.restartPodByLabels("stackrox", [app: "sensor"], 30, 5)
-
-        log.info("Waiting until Sensor is ready again")
-        assert Services.waitForDeployment(new Deployment(name: "sensor", namespace: "stackrox"))
-
-        // Check connection details Sensor <> Central
-        assert checkSensorLogs()
-        assert waitUntilCentralSensorConnectionIs(HealthStatusLabel.HEALTHY)
-    }
-
-    boolean checkSensorLogs() {
-        def logs = ""
-        Timer t = new Timer(40, 5)
-        while (t.IsValid()) {
-            def pod = orchestrator.getPods("stackrox", "sensor").get(0)
-            logs = orchestrator.getPodLog("stackrox", pod.metadata.name)
-
-            // Check if sensor logs contain expected connection information
-            if (logs.contains("Connecting to Central server ${CENTRAL_PROXY_ENDPOINT}")
-                && logs.contains("Communication with central started")) {
-                log.info("Found successful connection logs in sensor pod")
-                return true
-            }
-        }
-
-        log.error("Sensor did not establish connection to central via ${CENTRAL_PROXY_ENDPOINT}")
-        log.info logs
-        return false
-    }
-
-    boolean waitUntilCentralSensorConnectionIs(HealthStatusLabel... healthStatusLabels) {
-        Timer t = new Timer(60, 5)
-        while (t.IsValid()) {
-            List<ClusterOuterClass.Cluster> list = Services.getClusterClient().getClusters().getClustersList()
-            if (list.empty) {
-                throw new OrchestratorManagerException("Central does not know about any secured clusters.")
-            }
-            if (list.size() > 1) {
-                throw new OrchestratorManagerException("Central knows about more than one secured cluster.")
-            }
-
-            log.info("Receiving cluster status from central, checking sensor connection")
-            HealthStatusLabel healthStatusLabel = list.get(0).getHealthStatus().getSensorHealthStatus()
-            log.info("Status is: ${healthStatusLabel}")
-            if (healthStatusLabels.find { it == healthStatusLabel }) {
-                return true
-            }
-        }
-        return false
-    }
-
-    def deployNGINXProxy(byte[] certChain, byte[] leafKeyContent) {
-        def nginxConfig = new String(Files.readAllBytes(Paths.get(ASSETS_DIR, "nginx-proxy.conf")))
-        ConfigMap nginxConfigMap = new ConfigMap(
-                name: "nginx-proxy-conf",
-                data: ["nginx-proxy-grpc-tls.conf": nginxConfig],
-                namespace: PROXY_NAMESPACE
-        )
-        orchestrator.createConfigMap(nginxConfigMap)
-
-        Secret tlsConfSecret = new Secret()
-        tlsConfSecret.name = "nginx-tls-conf"
-        tlsConfSecret.type = "tls"
-        tlsConfSecret.namespace = PROXY_NAMESPACE
-        tlsConfSecret.data = [
-                "tls.crt": Base64.getEncoder().encodeToString(certChain),
-                "tls.key": Base64.getEncoder().encodeToString(leafKeyContent),
-        ]
-        orchestrator.createSecret(tlsConfSecret)
-
-        Deployment loadBalancerDeployment = new Deployment()
-        loadBalancerDeployment.setNamespace(PROXY_NAMESPACE)
-                .setName("nginx-loadbalancer")
-                .setExposeAsService(true)
-                .setImage("quay.io/rhacs-eng/qa-multi-arch:nginx-1-17-1")
-                .addVolumeFromConfigMap(nginxConfigMap, "/etc/nginx/conf.d/")
-                .addVolumeFromSecret(tlsConfSecret, "/run/secrets/tls/")
-                .setTargetPort(8443)
-                .setPorts([443: "TCP"])
-        loadBalancerDeployment.setLabels([app: "nginx"])
-        orchestrator.createDeployment(loadBalancerDeployment)
-    }
-}
diff --git a/tests/bad-ca/nginx-loadbalancer.qa-tls-challenge.crt b/tests/bad-ca/nginx-loadbalancer.qa-tls-challenge.crt
new file mode 100644
index 0000000000000..b300dad8ca094
--- /dev/null
+++ b/tests/bad-ca/nginx-loadbalancer.qa-tls-challenge.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENzCCAp+gAwIBAgIUXGVn9On48RWFyZUofTNpWAdR83EwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLQ3VzdG9tIFJvb3QwIBcNMjQwNzIyMDYwNjU2WhgPMjA3
+NTAzMTcwNjA2NTZaMF8xLjAsBgNVBAMMJSoubmdpbngtbG9hZGJhbGFuY2VyLnFh
+LXRscy1jaGFsbGVuZ2UxFzAVBgNVBAoMDlN0YWNrcm94IFRlc3RzMRQwEgYDVQQL
+DAtTdGFja3JveCBRQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFH
+ViGa3rCHjberepa+4f5ILQP63ZtHqiud6OgQ/PMuylK5AVRH2OoZZRRFbYGDyhFL
+myG8m9pYngr51URpHRDc2Ne5xtOvx484ckALnRh39NVUEgJ0kEkkw2twg4fVq2yW
++dP75iDd1kSdaBgMHx5vnvKGt6U+Ovr/QZlmS2FlBC8VUlfUPeTVizlJk1CvHhE6
+myQ2IO6PJjkyFGOkrmDUmTIwYcJiJRgmgDwzfCUoQcuudKp4YlnMS6E94bIFqUdT
+qLp0ie0q7VjKXl8goucr8UJi2GlqZy+ca9X+MKsd/a+GgrYDya3IKmcwuua3KGV/
+1yGuGCehVlxB3MlOSIcCAwEAAaOBsTCBrjBbBgNVHREEVDBSgiNuZ2lueC1sb2Fk
+YmFsYW5jZXIucWEtdGxzLWNoYWxsZW5nZYIlKi5uZ2lueC1sb2FkYmFsYW5jZXIu
+cWEtdGxzLWNoYWxsZW5nZYcEfwAAATAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ2wsm8n+xYss+9Gcqf
+garhMSyn4jANBgkqhkiG9w0BAQsFAAOCAYEAqGTwBZ9I3y0GlivK4aQnjHmSrLzf
+TAZxzRaHkB5JDGJc6Ca58ZufB7mlKcUAgzWSRdd7CRKxt9U7/P/hsw/H7Isb8Dmp
+vSLuhd8wymwkDjLtwsHM898rxht9q0CmYjqmW0qWOPNGUPkGfqs7+NjPXfoTJsqw
+NhJQXHC3QqQ/CA57T4HokxvJkA7oAuqCIQwP8j8eA/O0MkQoOaAXSm+HfCoPTRiV
+eHY6RzhC2jA9IPo9ykpRSg8RVLZJIYqhGq7o908x8fLvGqmzCN1w0CyTWtDAOkd0
+uslHXwnAd0HwPVsBRBO/o+61tfMZ5YDJx9EApde3H7tYpfsvayURMz7sbt/uVcdr
+3Fk6gS4b3UI3FC8kF9apkuo5mg/w9CWbqS+vOsLyBcg5vwE/4C3IJHrMQJKelFCi
+n+4Bo6ZZqXTq/NzheXwxOFKkYHv3NawSB5OzViDEf7K9bLqnKhptNxQxez26NGGe
+MwdxmVjQOisC34GBXADpy6AeyEkZ7i9Vn3Bj
+-----END CERTIFICATE-----
diff --git a/tests/bad-ca/nginx-loadbalancer.qa-tls-challenge.key b/tests/bad-ca/nginx-loadbalancer.qa-tls-challenge.key
new file mode 100644
index 0000000000000..60acfe38ae68c
--- /dev/null
+++ b/tests/bad-ca/nginx-loadbalancer.qa-tls-challenge.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBR1Yhmt6wh423
+q3qWvuH+SC0D+t2bR6ornejoEPzzLspSuQFUR9jqGWUURW2Bg8oRS5shvJvaWJ4K
++dVEaR0Q3NjXucbTr8ePOHJAC50Yd/TVVBICdJBJJMNrcIOH1atslvnT++Yg3dZE
+nWgYDB8eb57yhrelPjr6/0GZZkthZQQvFVJX1D3k1Ys5SZNQrx4ROpskNiDujyY5
+MhRjpK5g1JkyMGHCYiUYJoA8M3wlKEHLrnSqeGJZzEuhPeGyBalHU6i6dIntKu1Y
+yl5fIKLnK/FCYthpamcvnGvV/jCrHf2vhoK2A8mtyCpnMLrmtyhlf9chrhgnoVZc
+QdzJTkiHAgMBAAECggEAVyH60XGJHRovKHM088qgBUuyh43L49n9/GXW/u/RqSwZ
+6Ashb0ZoorjKGcZm5LFuIjfsetwVguzaauZQX+PnR5fYZgCJgxtGoul2kCrsKoDB
+rn6VE+hKt77MHp59nXoVKwIxJID2MTDxDMPNjrHAQa9ef8V9+w+/9TGn+CjmqMPg
+MpsD3nfn9YawGaU6Xxnis3ggrwX5ZrGgk5DZa738hWZLTzX+EhAI9u0uO4105/06
+3pvQeXbaqrbt1g/NyL3L6tu6SzXXFAC3AnLsa+Xjle5qdWQtOA0iR4O0l6g6mqa2
+83ZAl04/C1hxJZ4BuS+5dVKFaHuvUPWLd+3X5/wL8QKBgQD+Mcu5dbAKjvAV/4/S
+hlJec4LtIbb6daFMUzb0lCssFL81+Jde6ts27zmGUhYF0Garj1QYqE+azvNXn8Rd
+IdsgDMSd9W/DoyV54mlx+MPCO4hekloColLnZplB2JDcgeQEildeqx1S/xhx5iBF
+Bn+90IAXsQNXZj7mlq9WGIY9DwKBgQDCpsbb/w7AZw46kie51qfFBRJ1fzhUYY9e
+T7aT2jB9JaGIpMcsqFITOl3XhIyyQKuNunZjn1FSGG7XAULcpyYRaCxOUg25Ble9
+cwRrcaZ4yBx+rrHTuODoi4k9zZctXrhIX8puEcFmxM2k/Zn1WZagry8ezeYd6/+7
+lY7sS32tCQKBgEq51MwGfuP7tTSiVmNrPVeq2XhgiuwCHJLVe7hWvoJM7xEsrUMo
+A52Yoe6MvxCifSw+DFjbUduOrxa5Tv6Z71LyrfJJrrtygJfeKWVp3hKBcctrdq6D
+jZ+dF7y1r5BDVwbGrHyWDR7TAxqorh/ckzz3yFAup27QDfm3nn/O4dedAoGAJc/2
+E2hxuiiK2A/qTayIPLqmglKrY6DsE9sSUZhyEO2Nepjf5Cnyf6+36RTjrADqEocl
+VmbtijAa4ANrtKd3uqvs524DIm08AB5mvmR+fToKZwWSn9lrP2FT0MCuXG7pB44s
+KcOjOU6D0Eg/byzvGNnPIoHG8QsWS59a+0YS7NkCgYEAkXmpZrnMsA37otdPYeBi
+utCB1zresb7Ac16mStWBz1yxFM4gNYndFz0/ouyGDkkTURqFuRbtwalaS/tm981v
+TqiRlxrlJ87SsM/HYMq+6LJedd1Z5GtgvnluWln4O/8vZ0Oy2ZV/tIylL1XU4JRp
+p5loTDUld/qNEmbTFUAQ4QI=
+-----END PRIVATE KEY-----
diff --git a/tests/bad-ca/root.crt b/tests/bad-ca/root.crt
index 374d4478c1e5d..0b1d1c76fd33d 100644
--- a/tests/bad-ca/root.crt
+++ b/tests/bad-ca/root.crt
@@ -1,25 +1,25 @@
 -----BEGIN CERTIFICATE-----
-MIIEIjCCAoqgAwIBAgIUJWP+1FiRwEMQxeih4vKaGzkp3hAwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAwwLQ3VzdG9tIFJvb3QwIBcNMjQwNzA5MDg0NjA3WhgPMjA3
-NTAzMDQwODQ2MDdaMBYxFDASBgNVBAMMC0N1c3RvbSBSb290MIIBojANBgkqhkiG
-9w0BAQEFAAOCAY8AMIIBigKCAYEA4d4SzHTGdHnGg2XOMMT/ykhm8Cf83M52MloV
-PM/J9eZRsVezq6Ieb65swvOM4qOnGs5+gt1TbSiHk86MHhvIMFPvGQmJCnH46eIf
-Qi7t+/qD5xJafiZoRRpAsMGoacwEsqtyUDq46+C0+a+grFrPazvEFxDezYLfGq0t
-rb3IEBIG8atFe6t9Q4GsO2JjUeNodLxb7DGbcznz1z+4n6vNA2vAh9vxLQyvmfhh
-ybHipYvLAbb/4sq7eMMVi6iCBA9QWg9TX/XtqTRCzt/V6AlaILwtTRSKiZdZx3/M
-G4q3OwhlvRlmWOUCV3XN+rLp5Ht5jyuk/4siUKd9aawv21eVb41z9REAtNO7HTF+
-PnApCtb05AIUzBAm7WnwYPuka7WQpDAd/BH/4K2SDxyarJFeOvP9GtwTvQpv7J4s
-24PQhEkXfneJcWAtqyfdJbwMYfD2djdKMVWz4fHjbAu6W+1qNG/XcS1eHpdeby7H
-aMSd0efde85MifZDUkW4SngONSCjAgMBAAGjZjBkMB8GA1UdIwQYMBaAFKcj2vdI
-RZx2xpekXDdkJzRih9dfMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/
-AgEAMB0GA1UdDgQWBBSnI9r3SEWcdsaXpFw3ZCc0YofXXzANBgkqhkiG9w0BAQsF
-AAOCAYEAIYa4lPKtWF2LxN5gpFcBqfr7HznkPP1+3UKWWL+s7M2m2wqNls3rR51b
-NFtlP4MjGGBkC6kyBONDfp1p2QuEpG71lJM52gxW3W2w038S1JrFGhSeAynEK3Ym
-S0Tj8t4/PB7ob0MmMbAbZj/fkVprS2n6Td+GZ6KsoXvqZfl30kcPwLAhI8w1RvSW
-SawZEvcDQaWdOLROr9JjKBA1jQ1dveFLsC9dHaYGvJDtUDpn5Tu5LtCUlI+8pUhQ
-iZnkIK0LmMtjyhLIMJGfGm6QACP8U8860bRcSO7ib6ooBv0hlQnjiqqsHCKdKxZZ
-sqyajs+kw6VqtV7s5cytvJM73JLzbEIvagzY648y9oY8yh7hmoQj+JWbsSKXCOzo
-s/pniV2ZaaVCydVlTsPI904dRiN3xCDQORR+Sn9c9QQtCte5kShGpczAUznoAvO2
-9X5QoO+121MV7PE+Usj+g71JHF7LiJREwW1gL1YaYMwE/mdkNvrYrM5ZFj4401gX
-JowEWG8u
+MIIEIjCCAoqgAwIBAgIUexFAF9aU9qh6nDbDNdNZfTOmPuowDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLQ3VzdG9tIFJvb3QwIBcNMjQwNzIyMDYwNjU2WhgPMjA3
+NTAzMTcwNjA2NTZaMBYxFDASBgNVBAMMC0N1c3RvbSBSb290MIIBojANBgkqhkiG
+9w0BAQEFAAOCAY8AMIIBigKCAYEAvzciE8qHy4ahuCXFe0smEJqwU6j2W6TWskdR
+fUGVR8uEcyUScyowxlI/V47R0WBpOeJOeBWekpKZkK+Yp60AbsVXHQRcVdWEsfC9
+in0sxPbDVFaIJ7r2dI0F/gbxnNxwE2Hdx05WCWbk90VXZuzBuvXfQB6nd8FCR9Py
+tc0PZI3URTJwdxco/QevH15S9ByGuEblM61CinMgiDK4hL88zK0jd0yYscyc9apc
+TTtyxKSeKfSzDebdvxf/7vO241yW2jcKMM7GABFs1NvroTwYz9mmVBaJqgkFJWoh
+MMUinA5X1+EM5H3iXyMg/XHejBxiKeq/XETw68aykUScThSnKOZFJBtC0o4+vYrE
+9zpX3CnefNmnUh7x7TsMYiHZoApIKvFK68GLyEuonu3n6Sfiyw+lUl2HD6eJ3wu3
+BJbEnPcPzoCS5/FO6AnccRNJmBbmufujAcb3EBvuU5Ms8wPneuCblmiQkvQm2obK
+NAcuMvJ20RD3W1hpaHzQ/o1GkawPAgMBAAGjZjBkMB8GA1UdIwQYMBaAFDbCybyf
+7Fiyz70Zyp+BquExLKfiMA4GA1UdDwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/
+AgEAMB0GA1UdDgQWBBQ2wsm8n+xYss+9GcqfgarhMSyn4jANBgkqhkiG9w0BAQsF
+AAOCAYEAo1hnl0hQ+76bfoA2nUcrVKy49Ill9/0kCv5TVmk00i9ap+r/SmA/aqW2
+OYqoKzzGpwEN84cwaXiMqxU7XIGeNTMwBFQXFwCCiK16rHi6zNUhZip/DJ2M95K+
+ieDrMA1P/i18r+0FyNG605zSk5fC08vPj6iSyuX53bMD4rDFvcu2G+9E/FQ65HQC
+2b3vIMwQAyuBF5CNIykxOplffTG2ERaSiXW4jDLcesDo2yamiFx2LrqYTmYCKFJ7
+htT71UdlgB/kJ8r7jwyAHKgm4r4hhHw5K+wyZJ8SBAdWv7tgEzK/q5Le5gjyMh90
+k1QW6Y1fRVRBRK99PHIJWbZbzBBS2xUCb9fiYTuYW1iftom2/wsp++4WsM8dbF67
+khGHhZxJnLy3SQivLW9OcClGXJoJxX1Dezhpt3s03ImpB45cc1qcGSM0cCNnxQNH
+28iyrZgsE/mpnyCw0OATSuQBMJ67k7g1k7BqDA3iFaAhywniZOjU3vrisuHJ+J4k
+yttbu5D3
 -----END CERTIFICATE-----
diff --git a/tests/bad-ca/self-signed.invalid.crt b/tests/bad-ca/self-signed.invalid.crt
index e6fb49165154e..09ef786c93400 100644
--- a/tests/bad-ca/self-signed.invalid.crt
+++ b/tests/bad-ca/self-signed.invalid.crt
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEBzCCAm+gAwIBAgIUEhj8ayXGpCpWoI8uS0Hf8ePH7ncwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAwwLQ3VzdG9tIFJvb3QwIBcNMjQwNzA5MDg0NjA2WhgPMjA3
-NTAzMDQwODQ2MDZaME8xHjAcBgNVBAMMFSouc2VsZi1zaWduZWQuaW52YWxpZDEX
-MBUGA1UECgwOU3RhY2tyb3gsIEluYy4xFDASBgNVBAsMC1N0YWNrcm94IFFBMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsOkmw6DEe0zjNoVSpXlCpdi+
-zZN4S1yUsEOwkQaycNqx4z+DpsBEHNBYAl3RL2ms6B3jJNDp4gI0HACfH3KQQi7q
-eBFGHiF9ZkRALCsqtyO/dqzQkyjvMR9marutrCMz7GakOSL65b9r2LT5ioKTkalq
-Ok3aWDXhUMkO3zUDn7lPYKl+FVMK0z6t34t3sYu2CsK+1qqaNlavOwG1w2Ln/vOg
-ufGZlrMOFoKvxFyM9V3xMQnOM9RrwewBb873B2ddQeo5n+Jb9jAyGMQ0+x4F91Bb
-fFJgLc2ibBONu/+IHgwB5vqFXyvHUcoxoaeABx27EkhvSZvaBt2rkC8oQRGImwID
+MIIEBzCCAm+gAwIBAgIUcN2APjWipFiHODJfdDUcD+IDLY8wDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLQ3VzdG9tIFJvb3QwIBcNMjQwNzIyMDYwNjU2WhgPMjA3
+NTAzMTcwNjA2NTZaME8xHjAcBgNVBAMMFSouc2VsZi1zaWduZWQuaW52YWxpZDEX
+MBUGA1UECgwOU3RhY2tyb3ggVGVzdHMxFDASBgNVBAsMC1N0YWNrcm94IFFBMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3VEl+brif4L4Fp2D8tkRYDp5
+TY70tmfiV9L6nEDXDaoxxo1XELQC1K/vwdGdurImR7IJ4TE09Kr4LY/GdQM3v3WA
+4guV0ihgcbvguEkZXhss9x2xC9lFgtGXFdg4g62V/SKCBQBLgZDk4qwCs3dZsvU8
+iDRsR/3vYo4Q3voaUm9G9IggvFnuziPr+JxlOUtA/b+icYa54XsPhFPrrztky22m
+YgfLrh/AWKnm2z469I4zL4Rw+h3DTpJCY5PMSyKP27blCzjRAqAO+caMGpiLk58W
+nfubdfYVG+MQP0shZ2GWc2+LUsnBOIDEu3b00G9EVdnm2vJxemjaJjijNJTbjQID
 AQABo4GRMIGOMDsGA1UdEQQ0MDKCE3NlbGYtc2lnbmVkLmludmFsaWSCFSouc2Vs
 Zi1zaWduZWQuaW52YWxpZIcEfwAAATAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAww
-CgYIKwYBBQUHAwEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSr/reW0zsiocTRJh99
-AulrF7gvSjANBgkqhkiG9w0BAQsFAAOCAYEAPF8svXBGXcQfay6UoDT959+h8wg6
-gt7uIAuosfpv7s6KPakMiUj+FS4lUIAaWwpfuI/AC6gIy7n1leI0BxA456nTfNNC
-e5LwHoSqF/lnyIEqO2tpcVHsrzgNbSR314tV8nTsDXn1vi5KC7cFQ7gYhXczD9od
-j+FIDNMnpNkdZiZFXloGpxRUEq+rbL5lYkiUwJwgZ1iRJ9s0DpyyGPnkSWYMK5P1
-iFoAnt8GeKfleqMMIqHIXZGLuY7IMV8pUP9EFGE8Qk52dJr+s4FfWvMe+jp7sf/q
-ki2d+lIgDpxdYKnQzX6vNn2Eh2ZUXiU2tKLg41nFagmh9h3jvSS2EP+ziRV7sAd8
-qlS5026bffnQ4Zna/31Xabrg+kpySbPluOU2er2MMKyXojmMXn+XEFkefiHYtbyT
-DUptozSvhJ+CYAPdWq9bGD5atSsmzaaDfMwVQu9nGEDhUzAXYoYWrb0X9yC/TX6v
-ns8AgzMtECeutc6h3CfzGdpJkws/rHaCvF68
+CgYIKwYBBQUHAwEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBRN22pXvhW9JiyqRk4T
+jtbFswOA2TANBgkqhkiG9w0BAQsFAAOCAYEAzpBWDqOXJdgWmNAb4avFIlR4jIck
+NEwB730PA2tME8DbDtGWe+bQoBkAawkkxZKEvTwz3b45/WHLiS7ar8pft0MdCicL
+68K5kHIVvD7QGGQ4GMoac04TNSkF9L4Q3nd4NWs164bRQXGewyeshgCzJ7hQvUfr
+MpCDosmqSGTnneIgcC8NKw/ZUgf70DOIPbwWL0ZVXbuvQBXfEMeyGP9ZPgqMn29I
+uoPXmGOuNiznFNh0MrDkS+3WDk9VFHB84a6g9cpaop8NzbSJLIIgcdPIBYdO3nrz
+eyeVJbOWCt6TqumIJHrVPd/uq6OJR1SIS0YQqhkj00m6JfCz+fqEAGceaNYpTQkq
+4BBw0CNiRNR20DsuqfDG2QdtfPATj4nd/PhYBFttkLP+VQeWbE1aUOLf9um4MnF9
+hRO1e+LHmbxvqV63Q04iImW//wVBTy2eW2UMnCnLEp6lH/Uf5FCYZFrBY7mwHhn+
+woFTESHbRJ+dYie3OmcpQJs3T4VZauqA4phC
 -----END CERTIFICATE-----
diff --git a/tests/bad-ca/ssl-certs.sh b/tests/bad-ca/ssl-certs.sh
index 5f4bb82136ff1..4e8e9086fd0aa 100755
--- a/tests/bad-ca/ssl-certs.sh
+++ b/tests/bad-ca/ssl-certs.sh
@@ -4,11 +4,11 @@
 # See https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
 
 function generate() {
-	name="Stackrox, Inc."
-	base=$1
-	root=$2
+	name="Stackrox Tests"
+	root=$1
+	shift
 
-	echo "create root key and certificate"
+	echo "creating $root root key and certificate"
 	openssl genrsa -out "${root}.key" 3072
 	openssl req -x509 -nodes -sha256 -new -key "${root}.key" -out "${root}.crt" -days 18500 \
 		-subj "/CN=Custom Root" \
@@ -16,37 +16,46 @@ function generate() {
 		-addext "basicConstraints = critical, CA:TRUE, pathlen:0" \
 		-addext "subjectKeyIdentifier = hash"
 
-	echo "create our key and certificate signing request"
-	openssl genrsa -out "${base}.key" 2048
-	openssl req -sha256 -new -key "${base}.key" -out "${base}.csr" \
-		-subj "/CN=*.${base}/O=${name}/OU=Stackrox QA" \
-		-reqexts SAN -config <(echo -e "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[SAN]\nsubjectAltName=DNS:${base},DNS:*.${base},IP:127.0.0.1\n")
-
-	echo "create our final certificate and sign it"
-	openssl x509 -req -sha256 -in "${base}.csr" -out "${base}.crt" -days 18500 \
-		-CAkey "${root}.key" -CA "${root}.crt" -CAcreateserial -extfile <(
-			cat <<END
-    subjectAltName = DNS:${base},DNS:*.${base},IP:127.0.0.1
-    keyUsage = critical, digitalSignature, keyEncipherment
-    extendedKeyUsage = serverAuth
-    basicConstraints = CA:FALSE
-    authorityKeyIdentifier = keyid:always
-    subjectKeyIdentifier = none
+    for base in "$@"
+    do
+        echo "creating $base key and certificate signing request"
+        openssl genrsa -out "${base}.key" 2048
+        openssl req -sha256 -new -key "${base}.key" -out "${base}.csr" \
+            -subj "/CN=*.${base}/O=${name}/OU=Stackrox QA" \
+            -reqexts SAN -config <(echo -e "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[SAN]\nsubjectAltName=DNS:${base},DNS:*.${base},IP:127.0.0.1\n")
+
+        echo "creating $base certificate"
+        openssl x509 -req -sha256 -in "${base}.csr" -out "${base}.crt" -days 18500 \
+            -CAkey "${root}.key" -CA "${root}.crt" -CAcreateserial -extfile <(
+                cat <<END
+        subjectAltName = DNS:${base},DNS:*.${base},IP:127.0.0.1
+        keyUsage = critical, digitalSignature, keyEncipherment
+        extendedKeyUsage = serverAuth
+        basicConstraints = CA:FALSE
+        authorityKeyIdentifier = keyid:always
+        subjectKeyIdentifier = none
 END
-		)
+            )
 
-	echo "remove unused files"
-	rm "${root}.key" "${root}.srl" "${base}.csr" "${base}.key" "${base}.csr"
+        echo "removing unused leaf files"
+        rm "${base}.csr"
+    done
+
+	echo "removing unused CA files"
+	rm "${root}.key" "${root}.srl"
 
 	echo "review files"
 	echo "--"
 	openssl x509 -in "${root}.crt" -noout -text
-	echo "--"
-	openssl x509 -in "${base}.crt" -noout -text
+	for base in "$@"
+	do
+        echo "--"
+        openssl x509 -in "${base}.crt" -noout -text
+    done
 	echo "--"
 }
 
-generate "self-signed.invalid" "unknown-root"
-generate "untrusted-root.invalid" "root"
-
-rm unknown-root.crt
+generate "unknown-root" "self-signed.invalid"
+generate "root" "untrusted-root.invalid" "nginx-loadbalancer.qa-tls-challenge"
+echo "removing remaining unused files"
+rm unknown-root.crt self-signed.invalid.key untrusted-root.invalid.key
diff --git a/tests/bad-ca/untrusted-root.invalid.crt b/tests/bad-ca/untrusted-root.invalid.crt
index af273d10d208f..3600a1aa42a19 100644
--- a/tests/bad-ca/untrusted-root.invalid.crt
+++ b/tests/bad-ca/untrusted-root.invalid.crt
@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEEDCCAnigAwIBAgIUCwvQ25OJYFflG9ci62qqR5i4JxYwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAwwLQ3VzdG9tIFJvb3QwIBcNMjQwNzA5MDg0NjA3WhgPMjA3
-NTAzMDQwODQ2MDdaMFIxITAfBgNVBAMMGCoudW50cnVzdGVkLXJvb3QuaW52YWxp
-ZDEXMBUGA1UECgwOU3RhY2tyb3gsIEluYy4xFDASBgNVBAsMC1N0YWNrcm94IFFB
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1bMQdpWEkpjy877g6N6M
-jOdAmP189edELvC6dlIFu6akcZOmWCEb2D6bnKru9p0xn6mL7Xm0o8A1n06VTDTg
-NpgD/GBwbcNBJwBAgo4co/tUxXNsj0vDKVMpvR2vzfzIGOhu5iBOj8S5N6QYXkcY
-ZpVi6TWJo74yxj+122GiIiF6wIOLGFNOmEk/a4HsT14ZYH8mwRUUvdCJoiSrQfCk
-QxuiyHwByP5/gfcYfdxzxG8jvFhBZz99889ORS7YYWeKB8pdcQ+g/i2m7zGJ8Ykd
-wuHBVylK3ECt9rxip23NWSkL1eTqBMmqqvZNWROLeEFj+LlaJKQd29S2zxw+gC53
-2wIDAQABo4GXMIGUMEEGA1UdEQQ6MDiCFnVudHJ1c3RlZC1yb290LmludmFsaWSC
+MIIEEDCCAnigAwIBAgIUXGVn9On48RWFyZUofTNpWAdR83AwDQYJKoZIhvcNAQEL
+BQAwFjEUMBIGA1UEAwwLQ3VzdG9tIFJvb3QwIBcNMjQwNzIyMDYwNjU2WhgPMjA3
+NTAzMTcwNjA2NTZaMFIxITAfBgNVBAMMGCoudW50cnVzdGVkLXJvb3QuaW52YWxp
+ZDEXMBUGA1UECgwOU3RhY2tyb3ggVGVzdHMxFDASBgNVBAsMC1N0YWNrcm94IFFB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmx+0giRpEWq2v7awlRVQ
+bbiH2TY7r7tfROsSdLXm8X4bpG97T3Bi3qq5kqgXNKDXStMFU2I3cWRUSNAJ/tfn
+68Qmw5x5PazchLiT4d5C3ss9PpIA3qbSJPib8uNI+OvGga2tnQeOZbroZIBMowAw
+0DJrvAxbH+ylNujX5lx9GRX0Y/jd8y0KYczjydjahBU1O+02ngWGbojPCXwJZ1Qd
+LUfu05UR4fWDEDlAHD0CAXdEmouWJnm9DERc1bCGlw/RkV+00BZ3U4yiy90DyGBB
+YIXkkxBYCsNDo18kRmzMYfrCMMSUqP293cIxQPhoHiAZJMEUe4k9NbLSzeTJ6Uhc
+dwIDAQABo4GXMIGUMEEGA1UdEQQ6MDiCFnVudHJ1c3RlZC1yb290LmludmFsaWSC
 GCoudW50cnVzdGVkLXJvb3QuaW52YWxpZIcEfwAAATAOBgNVHQ8BAf8EBAMCBaAw
-EwYDVR0lBAwwCgYIKwYBBQUHAwEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBSnI9r3
-SEWcdsaXpFw3ZCc0YofXXzANBgkqhkiG9w0BAQsFAAOCAYEALCsj+cvaK1Ob3qjd
-/hgDuJiJMZVn8Gj9E0fsOsWSrf0q8uxcFuxhVk4nbpZ2zOmKOQR1yKH8lNY3SIWW
-kCmc6PZ1m8nMZt5QkKLxXEZSeqUot8W+ETvxJ45/Tzd3GiNFD/2kESslxrfD6NDO
-1KLzff0X0g5K16ZiAcyZ2OnmnH3nfzI8F3vjE0Jn3v2fKOc6fdpplDg090lC1Dec
-3hNBm0sw0PIKF7ht6w5G+sfTHEJtvd4chObDOpBUk9Ao5xWd3V6TCX5lyJ40aAga
-5L1Om+LL7QXE2VKsejrtjQUFR61jD2R+hn4BEpniMDN8ujv72AoGNn3HoIBvssae
-+4bY2e3+nsGrBZRXo2gkaM1+kXlONOejmfudHkFH54THkBiyk5XJj1nhWUr2Rre4
-aRDc8w3ziRl7F3jszS3stKMM/aoQl1ghR/D7XbtSuoFvQCZonrfetOP1rsofN6xY
-f1maOuztjUjZ5jiRQmQfTHm7f+wwnqGJ3NjIUdPAQFu7ew/w
+EwYDVR0lBAwwCgYIKwYBBQUHAwEwCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ2wsm8
+n+xYss+9GcqfgarhMSyn4jANBgkqhkiG9w0BAQsFAAOCAYEAgi/JjXPy/gRE57pF
+PBmbwzUufms7TLEKdpwIix0GQdZJx2QgRNBNYMY370Rj2pI2ACgW10+rkSsep+hQ
+73Nd+vkm+B28uebCR6NjymZ64VJcq2k6gy4TRgN5exT7PgBMKsU2BFOVkWWmTn4K
+pvO3jMTO+7RlhIw0Y3T6lL5x8VmzV6daQJG2yv5j58dgsL6MrViKYVnpEGmfInbj
+WvWZtOZeWOPiVvpsuZvwrTJPg7fGxvNaiv7MwBPEGflMaPO9p+6ngDlyiBTpj95O
+pAc+YIeyPAO21WJ/JDfgUzaxH1jCpAmFO3s0SdAnE4GPM4+WB4kIx11r6h/vk/XQ
+QPHu9qnhWzmbVunj+RVdG5rY3vz0RRJyeVdOyG54kLwMKUyZ7E10/+SO4mEECqFu
+/nK9dt1JxAiPiDzVQ1GNhkj1DtMNRjOw8WutUPQ/uqHdeFk7vRKyaClpJGYjxrTx
+H+AaMGpOwnf6I6uDAorUVk35O3xNH0e6ElwKSxrD9MVlvNwO
 -----END CERTIFICATE-----
diff --git a/tests/common.go b/tests/common.go
index 4524d6914198d..3016504ef3c92 100644
--- a/tests/common.go
+++ b/tests/common.go
@@ -3,11 +3,17 @@
 package tests
 
 import (
+	"bufio"
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
+	"io"
+	"math"
 	"os"
 	"os/exec"
+	"regexp"
+	"strings"
 	"testing"
 	"time"
 
@@ -15,12 +21,19 @@ import (
 	"github.com/stackrox/rox/generated/storage"
 	"github.com/stackrox/rox/pkg/logging"
 	"github.com/stackrox/rox/pkg/pointers"
+	"github.com/stackrox/rox/pkg/retry"
 	"github.com/stackrox/rox/pkg/search"
 	"github.com/stackrox/rox/pkg/testutils"
 	"github.com/stackrox/rox/pkg/testutils/centralgrpc"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	appsV1 "k8s.io/api/apps/v1"
 	coreV1 "k8s.io/api/core/v1"
+	apiErrors "k8s.io/apimachinery/pkg/api/errors"
 	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/yaml"
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -43,6 +56,33 @@ var (
 	log = logging.LoggerForModule()
 )
 
+// logf logs using the testing logger, prefixing a high-resolution timestamp.
+// Using testing.T.Logf means that the output is hidden unless the test fails or verbose logging is enabled with -v.
+func logf(t *testing.T, format string, args ...any) {
+	t.Logf(time.Now().Format(time.StampMilli)+" "+format, args...)
+}
+
+// testContexts returns a couple of contexts for the given test: with a timeout for the testing logic and another
+// with an additional longer timeout for debug artifact gathering and cleanup.
+func testContexts(t *testing.T, name string, timeout time.Duration) (testCtx context.Context, overallCtx context.Context, cancel func()) {
+	var (
+		overallCancel func()
+		testCancel    func()
+	)
+	cleanupTimeout := 15 * time.Minute
+	t.Logf("Running %s with a timeout of %s plus %s for cleanup", name, timeout, cleanupTimeout)
+	overallTimeout := timeout + cleanupTimeout
+	overallErr := fmt.Errorf("overall %s test+cleanup timeout of %s reached", name, overallTimeout)
+	testErr := fmt.Errorf("%s test timeout of %s reached", name, timeout)
+	overallCtx, overallCancel = context.WithTimeoutCause(context.Background(), overallTimeout, overallErr)
+	testCtx, testCancel = context.WithTimeoutCause(overallCtx, timeout, testErr)
+	cancel = func() {
+		testCancel()
+		overallCancel()
+	}
+	return
+}
+
 func retrieveDeployment(service v1.DeploymentServiceClient, deploymentID string) (*storage.Deployment, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
@@ -292,3 +332,248 @@ func waitForCondition(t testutils.T, condition func() bool, desc string, timeout
 		}
 	}
 }
+
+type logMatcher interface {
+	Match(reader io.Reader) (bool, error)
+	fmt.Stringer
+}
+
+// waitUntilLog waits until ctx expires or logs of container in all pods matching podLabels satisfy all logMatchers.
+func waitUntilLog(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, podLabels map[string]string, container string, description string, logMatchers ...logMatcher) {
+	ls := labels.SelectorFromSet(podLabels).String()
+	checkLogs := func() error {
+		podList, err := k8s.CoreV1().Pods(namespace).List(ctx, metaV1.ListOptions{LabelSelector: ls})
+		if err != nil {
+			return fmt.Errorf("could not list pods matching %q in namespace %q: %w", ls, namespace, err)
+		}
+		if len(podList.Items) == 0 {
+			if ok, err := allMatch(strings.NewReader(""), logMatchers...); ok {
+				return nil
+			} else if err != nil {
+				return fmt.Errorf("empty list of pods caused failure: %w", err)
+			}
+			return fmt.Errorf("empty list of pods does not satisfy the condition")
+		}
+		for _, pod := range podList.Items {
+			resp := k8s.CoreV1().Pods(namespace).GetLogs(pod.GetName(), &coreV1.PodLogOptions{Container: container}).Do(ctx)
+			log, err := resp.Raw()
+			if err != nil {
+				return fmt.Errorf("retrieving logs of pod %q in namespace %q failed: %w", pod.GetName(), namespace, err)
+			}
+			if ok, err := allMatch(bytes.NewReader(log), logMatchers...); ok {
+				continue
+			} else if err != nil {
+				return fmt.Errorf("log of pod %q in namespace %q caused failure: %w", pod.GetName(), namespace, err)
+			}
+			return fmt.Errorf("log of pod %q in namespace %q does not satisfy the condition", pod.GetName(), namespace)
+		}
+		return nil
+	}
+	logf(t, "Waiting until %q pods logs "+description+": %s", ls, logMatchers)
+	mustEventually(t, ctx, checkLogs, 10*time.Second, fmt.Sprintf("Not all %q pods logs "+description, ls))
+}
+
+// containsLineMatching returns a simple line-based regex matcher to go with waitUntilLog.
+// Note: currently limited by bufio.Reader default buffer size (4KB) for simplicity.
+func containsLineMatching(re *regexp.Regexp) *lineMatcher {
+	return &lineMatcher{re: re}
+}
+
+func allMatch(reader io.ReadSeeker, matchers ...logMatcher) (ok bool, err error) {
+	for i, matcher := range matchers {
+		_, err := reader.Seek(0, io.SeekStart)
+		if err != nil {
+			return false, fmt.Errorf("could not rewind the reader: %w", err)
+		}
+		ok, err := matcher.Match(reader)
+		if err != nil {
+			return false, fmt.Errorf("matcher %d returned an error: %w", i, err)
+		}
+		if !ok {
+			return false, nil
+		}
+	}
+	return true, nil
+}
+
+// mustEventually retries every pauseInterval until ctx expires or f succeeds.
+func mustEventually(t *testing.T, ctx context.Context, f func() error, pauseInterval time.Duration, failureMsgPrefix string) {
+	require.NoError(t, retry.WithRetry(f,
+		retry.Tries(math.MaxInt),
+		retry.WithContext(ctx),
+		retry.BetweenAttempts(func(_ int) {
+			time.Sleep(pauseInterval)
+		}),
+		retry.OnFailedAttempts(func(err error) { logf(t, failureMsgPrefix+": %s", err) })))
+}
+
+type lineMatcher struct {
+	re *regexp.Regexp
+}
+
+func (lm *lineMatcher) String() string {
+	return fmt.Sprintf("contains line matching %q", lm.re)
+}
+
+func (lm *lineMatcher) Match(reader io.Reader) (ok bool, err error) {
+	br := bufio.NewReader(reader)
+	for {
+		// We do not care about partial reads, as the things we look for should fit in default buf size.
+		line, _, err := br.ReadLine()
+		if errors.Is(err, io.EOF) {
+			return false, nil
+		}
+		if err != nil {
+			return false, err
+		}
+		if lm.re.Match(line) {
+			return true, nil
+		}
+	}
+}
+
+// createService creates a k8s Service object.
+func createService(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, name string, labels map[string]string, ports map[int32]int32) {
+	svc := &coreV1.Service{
+		ObjectMeta: metaV1.ObjectMeta{
+			Name:   name,
+			Labels: labels,
+		},
+		Spec: coreV1.ServiceSpec{
+			Selector: labels,
+			Type:     coreV1.ServiceTypeClusterIP,
+		},
+	}
+	for portNum, targetPortNum := range ports {
+		svc.Spec.Ports = append(svc.Spec.Ports, coreV1.ServicePort{
+			Name:       fmt.Sprintf("%d", portNum),
+			Protocol:   coreV1.ProtocolTCP,
+			Port:       portNum,
+			TargetPort: intstr.IntOrString{IntVal: targetPortNum},
+		})
+	}
+	_, err := k8s.CoreV1().Services(namespace).Create(ctx, svc, metaV1.CreateOptions{})
+	require.NoError(t, err, "cannot create service %q in namespace %q", name, namespace)
+}
+
+// ensureSecretExists creates a k8s Secret object. If one exists, it makes sure the type and data matches.
+func ensureSecretExists(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, name string, secretType coreV1.SecretType, data map[string][]byte) {
+	secret := &coreV1.Secret{
+		ObjectMeta: metaV1.ObjectMeta{
+			Name: name,
+		},
+		Type: secretType,
+		Data: data,
+	}
+	if _, err := k8s.CoreV1().Secrets(namespace).Create(ctx, secret, metaV1.CreateOptions{}); err != nil {
+		if apiErrors.IsAlreadyExists(err) {
+			actualSecret, err := k8s.CoreV1().Secrets(namespace).Get(ctx, name, metaV1.GetOptions{})
+			require.NoError(t, err, "secret %q in namespace %q already exists but cannot retrieve it for verification", name, namespace)
+			assert.Equal(t, secretType, actualSecret.Type, "secret %q in namespace %q already exists but its type is not as expected", name, namespace)
+			assert.Equal(t, data, actualSecret.Data, "secret %q in namespace %q already exists but its data is not as expected", name, namespace)
+			require.False(t, t.Failed(), "secrets do not match")
+		}
+		require.NoError(t, err, "cannot create secret %q in namespace %q", name, namespace)
+	}
+}
+
+// ensureConfigMapExists creates a k8s ConfigMap object. If one exists, it makes sure the data matches.
+func ensureConfigMapExists(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, name string, data map[string]string) {
+	cm := &coreV1.ConfigMap{
+		ObjectMeta: metaV1.ObjectMeta{
+			Name: name,
+		},
+		Data: data,
+	}
+	if _, err := k8s.CoreV1().ConfigMaps(namespace).Create(ctx, cm, metaV1.CreateOptions{}); err != nil {
+		if apiErrors.IsAlreadyExists(err) {
+			actualCM, err := k8s.CoreV1().ConfigMaps(namespace).Get(ctx, name, metaV1.GetOptions{})
+			require.NoError(t, err, "configMap %q in namespace %q already exists but cannot retrieve it for verification", name, namespace)
+			require.Equal(t, data, actualCM.Data, "configMap %q in namespace %q already exists but its data is not as expected", name, namespace)
+		}
+		require.NoError(t, err, "cannot create configMap %q in namespace %q", name, namespace)
+	}
+}
+
+// waitUntilCentralSensorConnectionIs makes sure there is only one cluster defined on central, and its status is eventually
+// one of the specified statuses.
+func waitUntilCentralSensorConnectionIs(t *testing.T, ctx context.Context, statuses ...storage.ClusterHealthStatus_HealthStatusLabel) {
+	logf(t, "Waiting until central-sensor connection is in state(s) %s...", statuses)
+	conn := centralgrpc.GRPCConnectionToCentral(t)
+	checkCentralSensorConnection := func() error {
+		clustersSvc := v1.NewClustersServiceClient(conn)
+		clusters, err := clustersSvc.GetClusters(ctx, &v1.GetClustersRequest{})
+		if err != nil {
+			return fmt.Errorf("failed to retrieve clusters from central: %w", err)
+		}
+		if len(clusters.Clusters) != 1 {
+			var clusterNames []string
+			for _, cluster := range clusters.Clusters {
+				clusterNames = append(clusterNames, cluster.Name)
+			}
+			return fmt.Errorf("expected one cluster, found %d: %+v", len(clusters.Clusters), clusterNames)
+		}
+		clusterStatus := clusters.Clusters[0].GetHealthStatus().GetSensorHealthStatus()
+		for _, status := range statuses {
+			if clusterStatus == status {
+				logf(t, "Central-sensor connection now in state %q.", clusterStatus)
+				return nil
+			}
+		}
+		return fmt.Errorf("encountered cluster status %q", clusterStatus.String())
+	}
+	mustEventually(t, ctx, checkCentralSensorConnection, 10*time.Second, "Central-sensor connection not in desired state (yet)")
+}
+
+// setDeploymentEnvVal sets the specified env variable on a container in a deployment using strategic merge patch, or fails the test.
+func setDeploymentEnvVal(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, deployment string, container string, envVar string, value string) {
+	patch := []byte(fmt.Sprintf(`{"spec":{"template":{"spec":{"containers":[{"name":%q,"env":[{"name":%q,"value":%q}]}]}}}}`,
+		container, envVar, value))
+	logf(t, "Setting variable %q on deployment %q in namespace %q to %q", envVar, deployment, namespace, value)
+	_, err := k8s.AppsV1().Deployments(namespace).Patch(ctx, deployment, types.StrategicMergePatchType, patch, metaV1.PatchOptions{})
+	require.NoError(t, err, "cannot patch deployment %q in namespace %q", deployment, namespace)
+
+}
+
+// getDeploymentEnvVal retrieves the value of environment variable in a deployment, or fails the test.
+func getDeploymentEnvVal(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, deployment string, container string, envVar string) string {
+	d, err := k8s.AppsV1().Deployments(namespace).Get(ctx, deployment, metaV1.GetOptions{})
+	require.NoError(t, err, "cannot retrieve deployment %q in namespace %q", deployment, namespace)
+	c, err := getContainer(d, container)
+	require.NoError(t, err, "cannot find container %q in deployment %q in namespace %q", container, deployment, namespace)
+	val, err := getEnvVal(c, envVar)
+	require.NoError(t, err, "cannot find envVar %q in container %q in deployment %q in namespace %q", envVar, container, deployment, namespace)
+	return val
+}
+
+// getEnvVal returns the value of envVar from a given container or returns a helpful error.
+func getEnvVal(c *coreV1.Container, envVar string) (string, error) {
+	var vars []string
+	for _, v := range c.Env {
+		if v.Name == envVar {
+			return v.Value, nil
+		}
+		vars = append(vars, v.Name)
+	}
+	return "", fmt.Errorf("actual vars are %q", vars)
+}
+
+// getEnvVal returns the given container from a deployment or returns a helpful error.
+func getContainer(deployment *appsV1.Deployment, container string) (*coreV1.Container, error) {
+	var containers []string
+	for _, c := range deployment.Spec.Template.Spec.Containers {
+		if c.Name == container {
+			return &c, nil
+		}
+		containers = append(containers, c.Name)
+	}
+	return nil, fmt.Errorf("actual containers are %q", containers)
+}
+
+// collectLogs collects service logs from a given namespace into a subdirectory that will be gathered by the CI scripts.
+func collectLogs(t *testing.T, ns string, dir string) {
+	err := exec.Command("../scripts/ci/collect-service-logs.sh", ns, "/tmp/e2e-test-logs/"+dir).Run()
+	if err != nil {
+		t.Logf("Collecting %q logs returned error %s", ns, err)
+	}
+}
diff --git a/tests/common_test.go b/tests/common_test.go
new file mode 100644
index 0000000000000..4ccb483a3fd26
--- /dev/null
+++ b/tests/common_test.go
@@ -0,0 +1,62 @@
+//go:build test_e2e
+
+package tests
+
+import (
+	"bytes"
+	"fmt"
+	"regexp"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var text = []byte(`Here is some text.
+Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore
+magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo
+consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
+Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.`)
+
+func TestLogMatcher(t *testing.T) {
+	tests := map[string]struct {
+		funcs          []logMatcher
+		expectedResult assert.BoolAssertionFunc
+		expectedError  assert.ErrorAssertionFunc
+		expectedString string
+	}{
+		"one match": {
+			funcs: []logMatcher{
+				containsLineMatching(regexp.MustCompile("sunt in culpa qui officia deserunt")),
+			},
+			expectedResult: assert.True,
+			expectedError:  assert.NoError,
+			expectedString: `[contains line matching "sunt in culpa qui officia deserunt"]`,
+		},
+		"two matches": {
+			funcs: []logMatcher{
+				containsLineMatching(regexp.MustCompile("Lorem ipsum dolor")),
+				containsLineMatching(regexp.MustCompile("Duis aute irure")),
+			},
+			expectedResult: assert.True,
+			expectedError:  assert.NoError,
+			expectedString: `[contains line matching "Lorem ipsum dolor" contains line matching "Duis aute irure"]`,
+		},
+		"text divided with newline": {
+			funcs: []logMatcher{
+				containsLineMatching(regexp.MustCompile("labore et dolore.*magna aliqua")),
+			},
+			expectedResult: assert.False,
+			expectedError:  assert.NoError,
+			expectedString: `[contains line matching "labore et dolore.*magna aliqua"]`,
+		},
+	}
+	r := bytes.NewReader(text)
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			actual, actualErr := allMatch(r, test.funcs...)
+			test.expectedResult(t, actual)
+			test.expectedError(t, actualErr)
+			assert.Equal(t, test.expectedString, fmt.Sprintf("%s", test.funcs))
+		})
+	}
+}
diff --git a/tests/e2e/yaml/central-cr.envsubst.yaml b/tests/e2e/yaml/central-cr.envsubst.yaml
index 3e118e1f42e6a..b75753f36c831 100644
--- a/tests/e2e/yaml/central-cr.envsubst.yaml
+++ b/tests/e2e/yaml/central-cr.envsubst.yaml
@@ -30,7 +30,7 @@ spec:
 ${disableSpecTLS}  tls:
 ${disableSpecTLS}    additionalCAs:
 ${disableSpecTLS}    - name: additional-ca
-${disableSpecTLS}      content:
+${disableSpecTLS}      content: |
 $centralAdditionalCAIndented
   customize:
     envVars:$customize_envVars
diff --git a/tests/tls_challenge_test.go b/tests/tls_challenge_test.go
new file mode 100644
index 0000000000000..21858d4dbff01
--- /dev/null
+++ b/tests/tls_challenge_test.go
@@ -0,0 +1,232 @@
+//go:build test_e2e
+
+package tests
+
+import (
+	"context"
+	_ "embed"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"regexp"
+	"testing"
+	"time"
+
+	"github.com/stackrox/rox/generated/storage"
+	"github.com/stackrox/rox/pkg/namespaces"
+	"github.com/stretchr/testify/require"
+	appsV1 "k8s.io/api/apps/v1"
+	v1 "k8s.io/api/core/v1"
+	apiErrors "k8s.io/apimachinery/pkg/api/errors"
+	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes"
+)
+
+//go:embed "bad-ca/root.crt"
+var additionalCA []byte
+
+//go:embed "bad-ca/nginx-loadbalancer.qa-tls-challenge.crt"
+var leafCert []byte
+
+//go:embed "bad-ca/nginx-loadbalancer.qa-tls-challenge.key"
+var leafKey []byte
+
+func TestTLSChallenge(t *testing.T) {
+	const (
+		s                  = namespaces.StackRox // for brevity
+		sensorDeployment   = "sensor"
+		sensorContainer    = "sensor"
+		centralEndpointVar = "ROX_CENTRAL_ENDPOINT"
+		proxyServiceName   = "nginx-loadbalancer"
+		proxyNs            = "qa-tls-challenge" // Must match the additionalCA X509v3 Subject Alternative Name
+		proxyEndpoint      = proxyServiceName + "." + proxyNs + ":443"
+	)
+
+	ctx, cleanupCtx, cancel := testContexts(t, "TestTLSChallenge", 20*time.Minute)
+	defer cancel()
+
+	// Check sanity before and after test.
+	waitUntilCentralSensorConnectionIs(t, ctx, storage.ClusterHealthStatus_HEALTHY)
+	defer waitUntilCentralSensorConnectionIs(t, cleanupCtx, storage.ClusterHealthStatus_HEALTHY)
+
+	k8s := createK8sClient(t)
+
+	logf(t, "Gathering original central endpoint value from sensor...")
+	originalCentralEndpoint := getDeploymentEnvVal(t, ctx, k8s, s, sensorDeployment, sensorContainer, centralEndpointVar)
+	logf(t, "Original value is %q. (Will restore this value on cleanup.)", originalCentralEndpoint)
+	defer setDeploymentEnvVal(t, cleanupCtx, k8s, s, sensorDeployment, sensorContainer, centralEndpointVar, originalCentralEndpoint)
+
+	setupProxy(t, ctx, k8s, proxyNs, originalCentralEndpoint)
+	defer cleanupProxy(t, cleanupCtx, k8s, proxyNs)
+
+	logf(t, "Pointing sensor at the proxy...")
+	setDeploymentEnvVal(t, ctx, k8s, s, sensorDeployment, sensorContainer, centralEndpointVar, proxyEndpoint)
+	logf(t, "Sensor will now attempt connecting via the nginx proxy.")
+
+	waitUntilLog(t, ctx, k8s, s, map[string]string{"app": "sensor"}, "sensor", "contain info about successful connection",
+		containsLineMatching(regexp.MustCompile("Info: Add central CA cert with CommonName: 'Custom Root'")),
+		containsLineMatching(regexp.MustCompile("Info: Connecting to Central server "+proxyEndpoint)),
+		containsLineMatching(regexp.MustCompile("Info: Established connection to Central.")),
+		containsLineMatching(regexp.MustCompile("Info: Communication with central started.")),
+	)
+	waitUntilCentralSensorConnectionIs(t, ctx, storage.ClusterHealthStatus_HEALTHY)
+}
+
+func setupProxy(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string, centralEndpoint string) {
+	name := "nginx-loadbalancer"
+	nginxLabels := map[string]string{"app": "nginx"}
+	nginxTLSSecretName := "nginx-tls-conf"
+	nginxConfigName := "nginx-proxy-conf"
+	logf(t, "Setting up nginx proxy in namespace %q...", proxyNs)
+	createProxyNamespace(t, ctx, k8s, proxyNs)
+	installImagePullSecret(t, ctx, k8s, proxyNs)
+	createProxyTLSSecret(t, ctx, k8s, proxyNs, nginxTLSSecretName)
+	createProxyConfigMap(t, ctx, k8s, proxyNs, centralEndpoint, nginxConfigName)
+	createService(t, ctx, k8s, proxyNs, name, nginxLabels, map[int32]int32{443: 8443})
+	createProxyDeployment(t, ctx, k8s, proxyNs, name, nginxLabels, nginxConfigName, nginxTLSSecretName)
+	logf(t, "Nginx proxy is now set up in namespace %q.", proxyNs)
+}
+
+func createProxyNamespace(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string) {
+	_, err := k8s.CoreV1().Namespaces().Create(ctx, &v1.Namespace{ObjectMeta: metaV1.ObjectMeta{Name: proxyNs}}, metaV1.CreateOptions{})
+	if apiErrors.IsAlreadyExists(err) {
+		return
+	}
+	require.NoError(t, err, "cannot create proxy namespace %q", proxyNs)
+}
+
+func installImagePullSecret(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string) {
+	auth := fmt.Sprintf("%s:%s", os.Getenv("REGISTRY_USERNAME"), os.Getenv("REGISTRY_PASSWORD"))
+	b64Auth := []byte(base64.StdEncoding.EncodeToString([]byte(auth)))
+	data := map[string][]byte{
+		v1.DockerConfigJsonKey: []byte(fmt.Sprintf(`{"auths":{%q:{"auth":%q}}}`, "https://quay.io", b64Auth)),
+	}
+	ensureSecretExists(t, ctx, k8s, proxyNs, "quay", v1.SecretTypeDockerConfigJson, data)
+
+	patch := []byte(`{"imagePullSecrets":[{"name":"quay"}]}`)
+	_, err := k8s.CoreV1().ServiceAccounts(proxyNs).Patch(ctx, namespaces.Default, types.StrategicMergePatchType, patch, metaV1.PatchOptions{})
+	require.NoError(t, err, "cannot patch service account %q in namespace %q", "default", proxyNs)
+}
+
+func createProxyTLSSecret(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string, nginxTLSSecretName string) {
+	var certChain []byte
+	certChain = append(certChain, leafCert...)
+	certChain = append(certChain, additionalCA...)
+	ensureSecretExists(t, ctx, k8s, proxyNs, nginxTLSSecretName, v1.SecretTypeTLS, map[string][]byte{
+		v1.TLSCertKey:       certChain,
+		v1.TLSPrivateKeyKey: leafKey,
+	})
+}
+
+func createProxyConfigMap(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string, centralEndpoint string, nginxConfigName string) {
+	const nginxConfigTmpl = `
+server {
+    listen 8443 ssl http2;
+
+    ssl_certificate     /run/secrets/tls/tls.crt;
+    ssl_certificate_key /run/secrets/tls/tls.key;
+
+    proxy_temp_path       /tmp/nginx_proxy_temp;
+    client_body_temp_path /tmp/nginx_client_temp;
+    fastcgi_temp_path     /tmp/nginx_fastcgi;
+    uwsgi_temp_path       /tmp/nginx_uwsgi;
+    scgi_temp_path        /tmp/nginx_scgi;
+
+    location / {
+        client_max_body_size 50M;
+        grpc_pass grpcs://%s;
+        grpc_ssl_verify off;
+	}
+}
+`
+	ensureConfigMapExists(t, ctx, k8s, proxyNs, nginxConfigName, map[string]string{
+		"nginx-proxy-grpc-tls.conf": fmt.Sprintf(nginxConfigTmpl, centralEndpoint),
+	})
+}
+
+func createProxyDeployment(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string, name string, nginxLabels map[string]string, nginxConfigName string, nginxTLSSecretName string) {
+	d := &appsV1.Deployment{
+		ObjectMeta: metaV1.ObjectMeta{
+			Name:   name,
+			Labels: nginxLabels,
+		},
+		Spec: appsV1.DeploymentSpec{
+			Selector: &metaV1.LabelSelector{
+				MatchLabels: nginxLabels,
+			},
+			MinReadySeconds: 15,
+			Template: v1.PodTemplateSpec{
+				ObjectMeta: metaV1.ObjectMeta{
+					Labels: nginxLabels,
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Image: "quay.io/rhacs-eng/qa-multi-arch:nginx-1-17-1",
+							Name:  "nginx-loadbalancer",
+							VolumeMounts: []v1.VolumeMount{
+								{
+									Name:      "config",
+									ReadOnly:  true,
+									MountPath: "/etc/nginx/conf.d/",
+								},
+								{
+									Name:      "tls",
+									ReadOnly:  true,
+									MountPath: "/run/secrets/tls",
+								},
+								{
+									Name:      "varrun",
+									MountPath: "/var/run",
+								},
+							},
+						},
+					},
+					Volumes: []v1.Volume{
+						{
+							Name: "config",
+							VolumeSource: v1.VolumeSource{
+								ConfigMap: &v1.ConfigMapVolumeSource{
+									LocalObjectReference: v1.LocalObjectReference{
+										Name: nginxConfigName,
+									},
+								},
+							},
+						},
+						{
+							Name: "tls",
+							VolumeSource: v1.VolumeSource{
+								Secret: &v1.SecretVolumeSource{
+									SecretName: nginxTLSSecretName,
+								},
+							},
+						},
+						{
+							Name: "varrun",
+							VolumeSource: v1.VolumeSource{
+								EmptyDir: &v1.EmptyDirVolumeSource{},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	_, err := k8s.AppsV1().Deployments(proxyNs).Create(ctx, d, metaV1.CreateOptions{})
+	require.NoError(t, err, "cannot create deployment %q in namespace %q", name, proxyNs)
+}
+
+func cleanupProxy(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string) {
+	if t.Failed() {
+		logf(t, "Test failed. Collecting k8s artifacts before cleanup.")
+		collectLogs(t, namespaces.StackRox, "tls-challenge-failure")
+		collectLogs(t, proxyNs, "tls-challenge-failure")
+	}
+	logf(t, "Cleaning up nginx proxy in namespace %q...", proxyNs)
+	err := k8s.CoreV1().Namespaces().Delete(ctx, proxyNs, metaV1.DeleteOptions{})
+	if apiErrors.IsNotFound(err) {
+		return
+	}
+	require.NoError(t, err, "cannot delete proxy namespace %q", proxyNs)
+}

From fbb8096f8be512bff2db82e94be399a142821366 Mon Sep 17 00:00:00 2001
From: Marcin Owsiany <porridge@redhat.com>
Date: Tue, 6 Aug 2024 11:40:52 +0200
Subject: [PATCH 2/5] use a suite; json-serialize

---
 tests/common.go             |  73 +++++++++++---------
 tests/tls_challenge_test.go | 129 ++++++++++++++++++++----------------
 2 files changed, 113 insertions(+), 89 deletions(-)

diff --git a/tests/common.go b/tests/common.go
index 3016504ef3c92..c973f54fddfc9 100644
--- a/tests/common.go
+++ b/tests/common.go
@@ -25,8 +25,8 @@ import (
 	"github.com/stackrox/rox/pkg/search"
 	"github.com/stackrox/rox/pkg/testutils"
 	"github.com/stackrox/rox/pkg/testutils/centralgrpc"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 	appsV1 "k8s.io/api/apps/v1"
 	coreV1 "k8s.io/api/core/v1"
 	apiErrors "k8s.io/apimachinery/pkg/api/errors"
@@ -333,16 +333,25 @@ func waitForCondition(t testutils.T, condition func() bool, desc string, timeout
 	}
 }
 
+type KubernetesSuite struct {
+	suite.Suite
+	k8s kubernetes.Interface
+}
+
+func (ks *KubernetesSuite) SetupSuite() {
+	ks.k8s = createK8sClient(ks.T())
+}
+
 type logMatcher interface {
 	Match(reader io.Reader) (bool, error)
 	fmt.Stringer
 }
 
 // waitUntilLog waits until ctx expires or logs of container in all pods matching podLabels satisfy all logMatchers.
-func waitUntilLog(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, podLabels map[string]string, container string, description string, logMatchers ...logMatcher) {
+func (ks *KubernetesSuite) waitUntilLog(ctx context.Context, namespace string, podLabels map[string]string, container string, description string, logMatchers ...logMatcher) {
 	ls := labels.SelectorFromSet(podLabels).String()
 	checkLogs := func() error {
-		podList, err := k8s.CoreV1().Pods(namespace).List(ctx, metaV1.ListOptions{LabelSelector: ls})
+		podList, err := ks.k8s.CoreV1().Pods(namespace).List(ctx, metaV1.ListOptions{LabelSelector: ls})
 		if err != nil {
 			return fmt.Errorf("could not list pods matching %q in namespace %q: %w", ls, namespace, err)
 		}
@@ -355,7 +364,7 @@ func waitUntilLog(t *testing.T, ctx context.Context, k8s kubernetes.Interface, n
 			return fmt.Errorf("empty list of pods does not satisfy the condition")
 		}
 		for _, pod := range podList.Items {
-			resp := k8s.CoreV1().Pods(namespace).GetLogs(pod.GetName(), &coreV1.PodLogOptions{Container: container}).Do(ctx)
+			resp := ks.k8s.CoreV1().Pods(namespace).GetLogs(pod.GetName(), &coreV1.PodLogOptions{Container: container}).Do(ctx)
 			log, err := resp.Raw()
 			if err != nil {
 				return fmt.Errorf("retrieving logs of pod %q in namespace %q failed: %w", pod.GetName(), namespace, err)
@@ -369,8 +378,8 @@ func waitUntilLog(t *testing.T, ctx context.Context, k8s kubernetes.Interface, n
 		}
 		return nil
 	}
-	logf(t, "Waiting until %q pods logs "+description+": %s", ls, logMatchers)
-	mustEventually(t, ctx, checkLogs, 10*time.Second, fmt.Sprintf("Not all %q pods logs "+description, ls))
+	logf(ks.T(), "Waiting until %q pods logs "+description+": %s", ls, logMatchers)
+	mustEventually(ks.T(), ctx, checkLogs, 10*time.Second, fmt.Sprintf("Not all %q pods logs "+description, ls))
 }
 
 // containsLineMatching returns a simple line-based regex matcher to go with waitUntilLog.
@@ -433,7 +442,7 @@ func (lm *lineMatcher) Match(reader io.Reader) (ok bool, err error) {
 }
 
 // createService creates a k8s Service object.
-func createService(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, name string, labels map[string]string, ports map[int32]int32) {
+func (ks *KubernetesSuite) createService(ctx context.Context, namespace string, name string, labels map[string]string, ports map[int32]int32) {
 	svc := &coreV1.Service{
 		ObjectMeta: metaV1.ObjectMeta{
 			Name:   name,
@@ -452,12 +461,12 @@ func createService(t *testing.T, ctx context.Context, k8s kubernetes.Interface,
 			TargetPort: intstr.IntOrString{IntVal: targetPortNum},
 		})
 	}
-	_, err := k8s.CoreV1().Services(namespace).Create(ctx, svc, metaV1.CreateOptions{})
-	require.NoError(t, err, "cannot create service %q in namespace %q", name, namespace)
+	_, err := ks.k8s.CoreV1().Services(namespace).Create(ctx, svc, metaV1.CreateOptions{})
+	ks.Require().NoError(err, "cannot create service %q in namespace %q", name, namespace)
 }
 
 // ensureSecretExists creates a k8s Secret object. If one exists, it makes sure the type and data matches.
-func ensureSecretExists(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, name string, secretType coreV1.SecretType, data map[string][]byte) {
+func (ks *KubernetesSuite) ensureSecretExists(ctx context.Context, namespace string, name string, secretType coreV1.SecretType, data map[string][]byte) {
 	secret := &coreV1.Secret{
 		ObjectMeta: metaV1.ObjectMeta{
 			Name: name,
@@ -465,33 +474,33 @@ func ensureSecretExists(t *testing.T, ctx context.Context, k8s kubernetes.Interf
 		Type: secretType,
 		Data: data,
 	}
-	if _, err := k8s.CoreV1().Secrets(namespace).Create(ctx, secret, metaV1.CreateOptions{}); err != nil {
+	if _, err := ks.k8s.CoreV1().Secrets(namespace).Create(ctx, secret, metaV1.CreateOptions{}); err != nil {
 		if apiErrors.IsAlreadyExists(err) {
-			actualSecret, err := k8s.CoreV1().Secrets(namespace).Get(ctx, name, metaV1.GetOptions{})
-			require.NoError(t, err, "secret %q in namespace %q already exists but cannot retrieve it for verification", name, namespace)
-			assert.Equal(t, secretType, actualSecret.Type, "secret %q in namespace %q already exists but its type is not as expected", name, namespace)
-			assert.Equal(t, data, actualSecret.Data, "secret %q in namespace %q already exists but its data is not as expected", name, namespace)
-			require.False(t, t.Failed(), "secrets do not match")
+			actualSecret, err := ks.k8s.CoreV1().Secrets(namespace).Get(ctx, name, metaV1.GetOptions{})
+			ks.Require().NoError(err, "secret %q in namespace %q already exists but cannot retrieve it for verification", name, namespace)
+			ks.Equal(secretType, actualSecret.Type, "secret %q in namespace %q already exists but its type is not as expected", name, namespace)
+			ks.Equal(data, actualSecret.Data, "secret %q in namespace %q already exists but its data is not as expected", name, namespace)
+			ks.Require().False(ks.T().Failed(), "secrets do not match")
 		}
-		require.NoError(t, err, "cannot create secret %q in namespace %q", name, namespace)
+		ks.Require().NoError(err, "cannot create secret %q in namespace %q", name, namespace)
 	}
 }
 
 // ensureConfigMapExists creates a k8s ConfigMap object. If one exists, it makes sure the data matches.
-func ensureConfigMapExists(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, name string, data map[string]string) {
+func (ks *KubernetesSuite) ensureConfigMapExists(ctx context.Context, namespace string, name string, data map[string]string) {
 	cm := &coreV1.ConfigMap{
 		ObjectMeta: metaV1.ObjectMeta{
 			Name: name,
 		},
 		Data: data,
 	}
-	if _, err := k8s.CoreV1().ConfigMaps(namespace).Create(ctx, cm, metaV1.CreateOptions{}); err != nil {
+	if _, err := ks.k8s.CoreV1().ConfigMaps(namespace).Create(ctx, cm, metaV1.CreateOptions{}); err != nil {
 		if apiErrors.IsAlreadyExists(err) {
-			actualCM, err := k8s.CoreV1().ConfigMaps(namespace).Get(ctx, name, metaV1.GetOptions{})
-			require.NoError(t, err, "configMap %q in namespace %q already exists but cannot retrieve it for verification", name, namespace)
-			require.Equal(t, data, actualCM.Data, "configMap %q in namespace %q already exists but its data is not as expected", name, namespace)
+			actualCM, err := ks.k8s.CoreV1().ConfigMaps(namespace).Get(ctx, name, metaV1.GetOptions{})
+			ks.Require().NoError(err, "configMap %q in namespace %q already exists but cannot retrieve it for verification", name, namespace)
+			ks.Require().Equal(data, actualCM.Data, "configMap %q in namespace %q already exists but its data is not as expected", name, namespace)
 		}
-		require.NoError(t, err, "cannot create configMap %q in namespace %q", name, namespace)
+		ks.Require().NoError(err, "cannot create configMap %q in namespace %q", name, namespace)
 	}
 }
 
@@ -526,23 +535,23 @@ func waitUntilCentralSensorConnectionIs(t *testing.T, ctx context.Context, statu
 }
 
 // setDeploymentEnvVal sets the specified env variable on a container in a deployment using strategic merge patch, or fails the test.
-func setDeploymentEnvVal(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, deployment string, container string, envVar string, value string) {
+func (ks *KubernetesSuite) setDeploymentEnvVal(ctx context.Context, namespace string, deployment string, container string, envVar string, value string) {
 	patch := []byte(fmt.Sprintf(`{"spec":{"template":{"spec":{"containers":[{"name":%q,"env":[{"name":%q,"value":%q}]}]}}}}`,
 		container, envVar, value))
-	logf(t, "Setting variable %q on deployment %q in namespace %q to %q", envVar, deployment, namespace, value)
-	_, err := k8s.AppsV1().Deployments(namespace).Patch(ctx, deployment, types.StrategicMergePatchType, patch, metaV1.PatchOptions{})
-	require.NoError(t, err, "cannot patch deployment %q in namespace %q", deployment, namespace)
+	logf(ks.T(), "Setting variable %q on deployment %q in namespace %q to %q", envVar, deployment, namespace, value)
+	_, err := ks.k8s.AppsV1().Deployments(namespace).Patch(ctx, deployment, types.StrategicMergePatchType, patch, metaV1.PatchOptions{})
+	ks.Require().NoError(err, "cannot patch deployment %q in namespace %q", deployment, namespace)
 
 }
 
 // getDeploymentEnvVal retrieves the value of environment variable in a deployment, or fails the test.
-func getDeploymentEnvVal(t *testing.T, ctx context.Context, k8s kubernetes.Interface, namespace string, deployment string, container string, envVar string) string {
-	d, err := k8s.AppsV1().Deployments(namespace).Get(ctx, deployment, metaV1.GetOptions{})
-	require.NoError(t, err, "cannot retrieve deployment %q in namespace %q", deployment, namespace)
+func (ks *KubernetesSuite) getDeploymentEnvVal(ctx context.Context, namespace string, deployment string, container string, envVar string) string {
+	d, err := ks.k8s.AppsV1().Deployments(namespace).Get(ctx, deployment, metaV1.GetOptions{})
+	ks.Require().NoError(err, "cannot retrieve deployment %q in namespace %q", deployment, namespace)
 	c, err := getContainer(d, container)
-	require.NoError(t, err, "cannot find container %q in deployment %q in namespace %q", container, deployment, namespace)
+	ks.Require().NoError(err, "cannot find container %q in deployment %q in namespace %q", container, deployment, namespace)
 	val, err := getEnvVal(c, envVar)
-	require.NoError(t, err, "cannot find envVar %q in container %q in deployment %q in namespace %q", envVar, container, deployment, namespace)
+	ks.Require().NoError(err, "cannot find envVar %q in container %q in deployment %q in namespace %q", envVar, container, deployment, namespace)
 	return val
 }
 
diff --git a/tests/tls_challenge_test.go b/tests/tls_challenge_test.go
index 21858d4dbff01..e46f45003bdde 100644
--- a/tests/tls_challenge_test.go
+++ b/tests/tls_challenge_test.go
@@ -5,7 +5,7 @@ package tests
 import (
 	"context"
 	_ "embed"
-	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"os"
 	"regexp"
@@ -13,14 +13,14 @@ import (
 	"time"
 
 	"github.com/stackrox/rox/generated/storage"
+	"github.com/stackrox/rox/pkg/docker/config"
 	"github.com/stackrox/rox/pkg/namespaces"
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
 	appsV1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	apiErrors "k8s.io/apimachinery/pkg/api/errors"
 	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/kubernetes"
 )
 
 //go:embed "bad-ca/root.crt"
@@ -33,6 +33,19 @@ var leafCert []byte
 var leafKey []byte
 
 func TestTLSChallenge(t *testing.T) {
+	suite.Run(t, new(TLSChallengeSuite))
+}
+
+type TLSChallengeSuite struct {
+	KubernetesSuite
+}
+
+func (ts *TLSChallengeSuite) SetupSuite() {
+	ts.KubernetesSuite.SetupSuite()
+}
+
+func (ts *TLSChallengeSuite) TestTLSChallenge() {
+
 	const (
 		s                  = namespaces.StackRox // for brevity
 		sensorDeployment   = "sensor"
@@ -43,83 +56,85 @@ func TestTLSChallenge(t *testing.T) {
 		proxyEndpoint      = proxyServiceName + "." + proxyNs + ":443"
 	)
 
-	ctx, cleanupCtx, cancel := testContexts(t, "TestTLSChallenge", 20*time.Minute)
+	ctx, cleanupCtx, cancel := testContexts(ts.T(), "TestTLSChallenge", 20*time.Minute)
 	defer cancel()
 
 	// Check sanity before and after test.
-	waitUntilCentralSensorConnectionIs(t, ctx, storage.ClusterHealthStatus_HEALTHY)
-	defer waitUntilCentralSensorConnectionIs(t, cleanupCtx, storage.ClusterHealthStatus_HEALTHY)
+	waitUntilCentralSensorConnectionIs(ts.T(), ctx, storage.ClusterHealthStatus_HEALTHY)
+	defer waitUntilCentralSensorConnectionIs(ts.T(), cleanupCtx, storage.ClusterHealthStatus_HEALTHY)
 
-	k8s := createK8sClient(t)
+	logf(ts.T(), "Gathering original central endpoint value from sensor...")
+	originalCentralEndpoint := ts.getDeploymentEnvVal(ctx, s, sensorDeployment, sensorContainer, centralEndpointVar)
+	logf(ts.T(), "Original value is %q. (Will restore this value on cleanup.)", originalCentralEndpoint)
+	defer ts.setDeploymentEnvVal(cleanupCtx, s, sensorDeployment, sensorContainer, centralEndpointVar, originalCentralEndpoint)
 
-	logf(t, "Gathering original central endpoint value from sensor...")
-	originalCentralEndpoint := getDeploymentEnvVal(t, ctx, k8s, s, sensorDeployment, sensorContainer, centralEndpointVar)
-	logf(t, "Original value is %q. (Will restore this value on cleanup.)", originalCentralEndpoint)
-	defer setDeploymentEnvVal(t, cleanupCtx, k8s, s, sensorDeployment, sensorContainer, centralEndpointVar, originalCentralEndpoint)
+	ts.setupProxy(ctx, proxyNs, originalCentralEndpoint)
+	defer ts.cleanupProxy(cleanupCtx, proxyNs)
 
-	setupProxy(t, ctx, k8s, proxyNs, originalCentralEndpoint)
-	defer cleanupProxy(t, cleanupCtx, k8s, proxyNs)
+	logf(ts.T(), "Pointing sensor at the proxy...")
+	ts.setDeploymentEnvVal(ctx, s, sensorDeployment, sensorContainer, centralEndpointVar, proxyEndpoint)
+	logf(ts.T(), "Sensor will now attempt connecting via the nginx proxy.")
 
-	logf(t, "Pointing sensor at the proxy...")
-	setDeploymentEnvVal(t, ctx, k8s, s, sensorDeployment, sensorContainer, centralEndpointVar, proxyEndpoint)
-	logf(t, "Sensor will now attempt connecting via the nginx proxy.")
-
-	waitUntilLog(t, ctx, k8s, s, map[string]string{"app": "sensor"}, "sensor", "contain info about successful connection",
+	ts.waitUntilLog(ctx, s, map[string]string{"app": "sensor"}, "sensor", "contain info about successful connection",
 		containsLineMatching(regexp.MustCompile("Info: Add central CA cert with CommonName: 'Custom Root'")),
 		containsLineMatching(regexp.MustCompile("Info: Connecting to Central server "+proxyEndpoint)),
 		containsLineMatching(regexp.MustCompile("Info: Established connection to Central.")),
 		containsLineMatching(regexp.MustCompile("Info: Communication with central started.")),
 	)
-	waitUntilCentralSensorConnectionIs(t, ctx, storage.ClusterHealthStatus_HEALTHY)
+	waitUntilCentralSensorConnectionIs(ts.T(), ctx, storage.ClusterHealthStatus_HEALTHY)
 }
 
-func setupProxy(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string, centralEndpoint string) {
+func (ts *TLSChallengeSuite) setupProxy(ctx context.Context, proxyNs string, centralEndpoint string) {
 	name := "nginx-loadbalancer"
 	nginxLabels := map[string]string{"app": "nginx"}
 	nginxTLSSecretName := "nginx-tls-conf"
 	nginxConfigName := "nginx-proxy-conf"
-	logf(t, "Setting up nginx proxy in namespace %q...", proxyNs)
-	createProxyNamespace(t, ctx, k8s, proxyNs)
-	installImagePullSecret(t, ctx, k8s, proxyNs)
-	createProxyTLSSecret(t, ctx, k8s, proxyNs, nginxTLSSecretName)
-	createProxyConfigMap(t, ctx, k8s, proxyNs, centralEndpoint, nginxConfigName)
-	createService(t, ctx, k8s, proxyNs, name, nginxLabels, map[int32]int32{443: 8443})
-	createProxyDeployment(t, ctx, k8s, proxyNs, name, nginxLabels, nginxConfigName, nginxTLSSecretName)
-	logf(t, "Nginx proxy is now set up in namespace %q.", proxyNs)
+	logf(ts.T(), "Setting up nginx proxy in namespace %q...", proxyNs)
+	ts.createProxyNamespace(ctx, proxyNs)
+	ts.installImagePullSecret(ctx, proxyNs)
+	ts.createProxyTLSSecret(ctx, proxyNs, nginxTLSSecretName)
+	ts.createProxyConfigMap(ctx, proxyNs, centralEndpoint, nginxConfigName)
+	ts.createService(ctx, proxyNs, name, nginxLabels, map[int32]int32{443: 8443})
+	ts.createProxyDeployment(ctx, proxyNs, name, nginxLabels, nginxConfigName, nginxTLSSecretName)
+	logf(ts.T(), "Nginx proxy is now set up in namespace %q.", proxyNs)
 }
 
-func createProxyNamespace(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string) {
-	_, err := k8s.CoreV1().Namespaces().Create(ctx, &v1.Namespace{ObjectMeta: metaV1.ObjectMeta{Name: proxyNs}}, metaV1.CreateOptions{})
+func (ts *TLSChallengeSuite) createProxyNamespace(ctx context.Context, proxyNs string) {
+	_, err := ts.k8s.CoreV1().Namespaces().Create(ctx, &v1.Namespace{ObjectMeta: metaV1.ObjectMeta{Name: proxyNs}}, metaV1.CreateOptions{})
 	if apiErrors.IsAlreadyExists(err) {
 		return
 	}
-	require.NoError(t, err, "cannot create proxy namespace %q", proxyNs)
+	ts.Require().NoError(err, "cannot create proxy namespace %q", proxyNs)
 }
 
-func installImagePullSecret(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string) {
-	auth := fmt.Sprintf("%s:%s", os.Getenv("REGISTRY_USERNAME"), os.Getenv("REGISTRY_PASSWORD"))
-	b64Auth := []byte(base64.StdEncoding.EncodeToString([]byte(auth)))
-	data := map[string][]byte{
-		v1.DockerConfigJsonKey: []byte(fmt.Sprintf(`{"auths":{%q:{"auth":%q}}}`, "https://quay.io", b64Auth)),
-	}
-	ensureSecretExists(t, ctx, k8s, proxyNs, "quay", v1.SecretTypeDockerConfigJson, data)
-
-	patch := []byte(`{"imagePullSecrets":[{"name":"quay"}]}`)
-	_, err := k8s.CoreV1().ServiceAccounts(proxyNs).Patch(ctx, namespaces.Default, types.StrategicMergePatchType, patch, metaV1.PatchOptions{})
-	require.NoError(t, err, "cannot patch service account %q in namespace %q", "default", proxyNs)
+func (ts *TLSChallengeSuite) installImagePullSecret(ctx context.Context, proxyNs string) {
+	configBytes, err := json.Marshal(config.DockerConfigJSON{
+		Auths: map[string]config.DockerConfigEntry{
+			"https://quay.io": {
+				Username: os.Getenv("REGISTRY_USERNAME"),
+				Password: os.Getenv("REGISTRY_PASSWORD"),
+			},
+		},
+	})
+	secretName := "quay"
+	ts.Require().NoError(err, "cannot serialize docker config for image pull secret %q in namespace %q", secretName, proxyNs)
+	ts.ensureSecretExists(ctx, proxyNs, secretName, v1.SecretTypeDockerConfigJson, map[string][]byte{v1.DockerConfigJsonKey: configBytes})
+	patch := []byte(fmt.Sprintf(`{"imagePullSecrets":[{"name":%q}]}`, secretName))
+	_, err = ts.k8s.CoreV1().ServiceAccounts(proxyNs).Patch(ctx, "default", types.StrategicMergePatchType, patch, metaV1.PatchOptions{})
+	ts.Require().NoError(err, "cannot patch service account %q in namespace %q", "default", proxyNs)
 }
 
-func createProxyTLSSecret(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string, nginxTLSSecretName string) {
+func (ts *TLSChallengeSuite) createProxyTLSSecret(ctx context.Context, proxyNs string, nginxTLSSecretName string) {
 	var certChain []byte
 	certChain = append(certChain, leafCert...)
 	certChain = append(certChain, additionalCA...)
-	ensureSecretExists(t, ctx, k8s, proxyNs, nginxTLSSecretName, v1.SecretTypeTLS, map[string][]byte{
+	ts.ensureSecretExists(ctx, proxyNs, nginxTLSSecretName, v1.SecretTypeTLS, map[string][]byte{
 		v1.TLSCertKey:       certChain,
 		v1.TLSPrivateKeyKey: leafKey,
 	})
 }
 
-func createProxyConfigMap(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string, centralEndpoint string, nginxConfigName string) {
+func (ts *TLSChallengeSuite) createProxyConfigMap(ctx context.Context, proxyNs string, centralEndpoint string, nginxConfigName string) {
 	const nginxConfigTmpl = `
 server {
     listen 8443 ssl http2;
@@ -140,12 +155,12 @@ server {
 	}
 }
 `
-	ensureConfigMapExists(t, ctx, k8s, proxyNs, nginxConfigName, map[string]string{
+	ts.ensureConfigMapExists(ctx, proxyNs, nginxConfigName, map[string]string{
 		"nginx-proxy-grpc-tls.conf": fmt.Sprintf(nginxConfigTmpl, centralEndpoint),
 	})
 }
 
-func createProxyDeployment(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string, name string, nginxLabels map[string]string, nginxConfigName string, nginxTLSSecretName string) {
+func (ts *TLSChallengeSuite) createProxyDeployment(ctx context.Context, proxyNs string, name string, nginxLabels map[string]string, nginxConfigName string, nginxTLSSecretName string) {
 	d := &appsV1.Deployment{
 		ObjectMeta: metaV1.ObjectMeta{
 			Name:   name,
@@ -213,20 +228,20 @@ func createProxyDeployment(t *testing.T, ctx context.Context, k8s kubernetes.Int
 			},
 		},
 	}
-	_, err := k8s.AppsV1().Deployments(proxyNs).Create(ctx, d, metaV1.CreateOptions{})
-	require.NoError(t, err, "cannot create deployment %q in namespace %q", name, proxyNs)
+	_, err := ts.k8s.AppsV1().Deployments(proxyNs).Create(ctx, d, metaV1.CreateOptions{})
+	ts.Require().NoError(err, "cannot create deployment %q in namespace %q", name, proxyNs)
 }
 
-func cleanupProxy(t *testing.T, ctx context.Context, k8s kubernetes.Interface, proxyNs string) {
-	if t.Failed() {
-		logf(t, "Test failed. Collecting k8s artifacts before cleanup.")
-		collectLogs(t, namespaces.StackRox, "tls-challenge-failure")
-		collectLogs(t, proxyNs, "tls-challenge-failure")
+func (ts *TLSChallengeSuite) cleanupProxy(ctx context.Context, proxyNs string) {
+	if ts.T().Failed() {
+		logf(ts.T(), "Test failed. Collecting k8s artifacts before cleanup.")
+		collectLogs(ts.T(), namespaces.StackRox, "tls-challenge-failure")
+		collectLogs(ts.T(), proxyNs, "tls-challenge-failure")
 	}
-	logf(t, "Cleaning up nginx proxy in namespace %q...", proxyNs)
-	err := k8s.CoreV1().Namespaces().Delete(ctx, proxyNs, metaV1.DeleteOptions{})
+	logf(ts.T(), "Cleaning up nginx proxy in namespace %q...", proxyNs)
+	err := ts.k8s.CoreV1().Namespaces().Delete(ctx, proxyNs, metaV1.DeleteOptions{})
 	if apiErrors.IsNotFound(err) {
 		return
 	}
-	require.NoError(t, err, "cannot delete proxy namespace %q", proxyNs)
+	ts.Require().NoError(err, "cannot delete proxy namespace %q", proxyNs)
 }

From 2787256c2e43bc932d2a7501154542a726ec3a89 Mon Sep 17 00:00:00 2001
From: Marcin Owsiany <porridge@redhat.com>
Date: Tue, 6 Aug 2024 12:03:08 +0200
Subject: [PATCH 3/5] teardown, not defer

---
 tests/tls_challenge_test.go | 63 ++++++++++++++++++++++---------------
 1 file changed, 37 insertions(+), 26 deletions(-)

diff --git a/tests/tls_challenge_test.go b/tests/tls_challenge_test.go
index e46f45003bdde..f8c89cd11ee13 100644
--- a/tests/tls_challenge_test.go
+++ b/tests/tls_challenge_test.go
@@ -23,6 +23,14 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 )
 
+const (
+	s                  = namespaces.StackRox // for brevity
+	proxyNs            = "qa-tls-challenge"  // Must match the additionalCA X509v3 Subject Alternative Name
+	sensorDeployment   = "sensor"
+	sensorContainer    = "sensor"
+	centralEndpointVar = "ROX_CENTRAL_ENDPOINT"
+)
+
 //go:embed "bad-ca/root.crt"
 var additionalCA []byte
 
@@ -38,50 +46,53 @@ func TestTLSChallenge(t *testing.T) {
 
 type TLSChallengeSuite struct {
 	KubernetesSuite
+	ctx                     context.Context
+	cleanupCtx              context.Context
+	cancel                  func()
+	originalCentralEndpoint string
 }
 
 func (ts *TLSChallengeSuite) SetupSuite() {
 	ts.KubernetesSuite.SetupSuite()
-}
-
-func (ts *TLSChallengeSuite) TestTLSChallenge() {
+	ts.ctx, ts.cleanupCtx, ts.cancel = testContexts(ts.T(), "TestTLSChallenge", 20*time.Minute)
 
-	const (
-		s                  = namespaces.StackRox // for brevity
-		sensorDeployment   = "sensor"
-		sensorContainer    = "sensor"
-		centralEndpointVar = "ROX_CENTRAL_ENDPOINT"
-		proxyServiceName   = "nginx-loadbalancer"
-		proxyNs            = "qa-tls-challenge" // Must match the additionalCA X509v3 Subject Alternative Name
-		proxyEndpoint      = proxyServiceName + "." + proxyNs + ":443"
-	)
+	// Check sanity before test.
+	waitUntilCentralSensorConnectionIs(ts.T(), ts.ctx, storage.ClusterHealthStatus_HEALTHY)
 
-	ctx, cleanupCtx, cancel := testContexts(ts.T(), "TestTLSChallenge", 20*time.Minute)
-	defer cancel()
+	logf(ts.T(), "Gathering original central endpoint value from sensor...")
+	ts.originalCentralEndpoint = ts.getDeploymentEnvVal(ts.ctx, s, sensorDeployment, sensorContainer, centralEndpointVar)
+	logf(ts.T(), "Original value is %q. (Will restore this value on cleanup.)", ts.originalCentralEndpoint)
 
-	// Check sanity before and after test.
-	waitUntilCentralSensorConnectionIs(ts.T(), ctx, storage.ClusterHealthStatus_HEALTHY)
-	defer waitUntilCentralSensorConnectionIs(ts.T(), cleanupCtx, storage.ClusterHealthStatus_HEALTHY)
+	ts.setupProxy(ts.ctx, proxyNs, ts.originalCentralEndpoint)
+}
 
-	logf(ts.T(), "Gathering original central endpoint value from sensor...")
-	originalCentralEndpoint := ts.getDeploymentEnvVal(ctx, s, sensorDeployment, sensorContainer, centralEndpointVar)
-	logf(ts.T(), "Original value is %q. (Will restore this value on cleanup.)", originalCentralEndpoint)
-	defer ts.setDeploymentEnvVal(cleanupCtx, s, sensorDeployment, sensorContainer, centralEndpointVar, originalCentralEndpoint)
+func (ts *TLSChallengeSuite) TearDownSuite() {
+	ts.cleanupProxy(ts.cleanupCtx, proxyNs)
+	if ts.originalCentralEndpoint != "" {
+		ts.setDeploymentEnvVal(ts.cleanupCtx, s, sensorDeployment, sensorContainer, centralEndpointVar, ts.originalCentralEndpoint)
+	}
+	// Check sanity after test.
+	waitUntilCentralSensorConnectionIs(ts.T(), ts.cleanupCtx, storage.ClusterHealthStatus_HEALTHY)
+	ts.cancel()
+}
 
-	ts.setupProxy(ctx, proxyNs, originalCentralEndpoint)
-	defer ts.cleanupProxy(cleanupCtx, proxyNs)
+func (ts *TLSChallengeSuite) TestTLSChallenge() {
+	const (
+		proxyServiceName = "nginx-loadbalancer"
+		proxyEndpoint    = proxyServiceName + "." + proxyNs + ":443"
+	)
 
 	logf(ts.T(), "Pointing sensor at the proxy...")
-	ts.setDeploymentEnvVal(ctx, s, sensorDeployment, sensorContainer, centralEndpointVar, proxyEndpoint)
+	ts.setDeploymentEnvVal(ts.ctx, s, sensorDeployment, sensorContainer, centralEndpointVar, proxyEndpoint)
 	logf(ts.T(), "Sensor will now attempt connecting via the nginx proxy.")
 
-	ts.waitUntilLog(ctx, s, map[string]string{"app": "sensor"}, "sensor", "contain info about successful connection",
+	ts.waitUntilLog(ts.ctx, s, map[string]string{"app": "sensor"}, sensorContainer, "contain info about successful connection",
 		containsLineMatching(regexp.MustCompile("Info: Add central CA cert with CommonName: 'Custom Root'")),
 		containsLineMatching(regexp.MustCompile("Info: Connecting to Central server "+proxyEndpoint)),
 		containsLineMatching(regexp.MustCompile("Info: Established connection to Central.")),
 		containsLineMatching(regexp.MustCompile("Info: Communication with central started.")),
 	)
-	waitUntilCentralSensorConnectionIs(ts.T(), ctx, storage.ClusterHealthStatus_HEALTHY)
+	waitUntilCentralSensorConnectionIs(ts.T(), ts.ctx, storage.ClusterHealthStatus_HEALTHY)
 }
 
 func (ts *TLSChallengeSuite) setupProxy(ctx context.Context, proxyNs string, centralEndpoint string) {

From 6ff4cf1fe080fce27c50b0def70f8ad272d4d971 Mon Sep 17 00:00:00 2001
From: Marcin Owsiany <porridge@redhat.com>
Date: Tue, 6 Aug 2024 15:31:21 +0200
Subject: [PATCH 4/5] ts.logf

---
 tests/common.go             |  8 ++++++--
 tests/tls_challenge_test.go | 16 ++++++++--------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/tests/common.go b/tests/common.go
index c973f54fddfc9..7eb1d2fca29fe 100644
--- a/tests/common.go
+++ b/tests/common.go
@@ -342,6 +342,10 @@ func (ks *KubernetesSuite) SetupSuite() {
 	ks.k8s = createK8sClient(ks.T())
 }
 
+func (ks *KubernetesSuite) logf(format string, args ...any) {
+	logf(ks.T(), format, args...)
+}
+
 type logMatcher interface {
 	Match(reader io.Reader) (bool, error)
 	fmt.Stringer
@@ -378,7 +382,7 @@ func (ks *KubernetesSuite) waitUntilLog(ctx context.Context, namespace string, p
 		}
 		return nil
 	}
-	logf(ks.T(), "Waiting until %q pods logs "+description+": %s", ls, logMatchers)
+	ks.logf("Waiting until %q pods logs "+description+": %s", ls, logMatchers)
 	mustEventually(ks.T(), ctx, checkLogs, 10*time.Second, fmt.Sprintf("Not all %q pods logs "+description, ls))
 }
 
@@ -538,7 +542,7 @@ func waitUntilCentralSensorConnectionIs(t *testing.T, ctx context.Context, statu
 func (ks *KubernetesSuite) setDeploymentEnvVal(ctx context.Context, namespace string, deployment string, container string, envVar string, value string) {
 	patch := []byte(fmt.Sprintf(`{"spec":{"template":{"spec":{"containers":[{"name":%q,"env":[{"name":%q,"value":%q}]}]}}}}`,
 		container, envVar, value))
-	logf(ks.T(), "Setting variable %q on deployment %q in namespace %q to %q", envVar, deployment, namespace, value)
+	ks.logf("Setting variable %q on deployment %q in namespace %q to %q", envVar, deployment, namespace, value)
 	_, err := ks.k8s.AppsV1().Deployments(namespace).Patch(ctx, deployment, types.StrategicMergePatchType, patch, metaV1.PatchOptions{})
 	ks.Require().NoError(err, "cannot patch deployment %q in namespace %q", deployment, namespace)
 
diff --git a/tests/tls_challenge_test.go b/tests/tls_challenge_test.go
index f8c89cd11ee13..ab6acc81d570d 100644
--- a/tests/tls_challenge_test.go
+++ b/tests/tls_challenge_test.go
@@ -59,9 +59,9 @@ func (ts *TLSChallengeSuite) SetupSuite() {
 	// Check sanity before test.
 	waitUntilCentralSensorConnectionIs(ts.T(), ts.ctx, storage.ClusterHealthStatus_HEALTHY)
 
-	logf(ts.T(), "Gathering original central endpoint value from sensor...")
+	ts.logf("Gathering original central endpoint value from sensor...")
 	ts.originalCentralEndpoint = ts.getDeploymentEnvVal(ts.ctx, s, sensorDeployment, sensorContainer, centralEndpointVar)
-	logf(ts.T(), "Original value is %q. (Will restore this value on cleanup.)", ts.originalCentralEndpoint)
+	ts.logf("Original value is %q. (Will restore this value on cleanup.)", ts.originalCentralEndpoint)
 
 	ts.setupProxy(ts.ctx, proxyNs, ts.originalCentralEndpoint)
 }
@@ -82,9 +82,9 @@ func (ts *TLSChallengeSuite) TestTLSChallenge() {
 		proxyEndpoint    = proxyServiceName + "." + proxyNs + ":443"
 	)
 
-	logf(ts.T(), "Pointing sensor at the proxy...")
+	ts.logf("Pointing sensor at the proxy...")
 	ts.setDeploymentEnvVal(ts.ctx, s, sensorDeployment, sensorContainer, centralEndpointVar, proxyEndpoint)
-	logf(ts.T(), "Sensor will now attempt connecting via the nginx proxy.")
+	ts.logf("Sensor will now attempt connecting via the nginx proxy.")
 
 	ts.waitUntilLog(ts.ctx, s, map[string]string{"app": "sensor"}, sensorContainer, "contain info about successful connection",
 		containsLineMatching(regexp.MustCompile("Info: Add central CA cert with CommonName: 'Custom Root'")),
@@ -100,14 +100,14 @@ func (ts *TLSChallengeSuite) setupProxy(ctx context.Context, proxyNs string, cen
 	nginxLabels := map[string]string{"app": "nginx"}
 	nginxTLSSecretName := "nginx-tls-conf"
 	nginxConfigName := "nginx-proxy-conf"
-	logf(ts.T(), "Setting up nginx proxy in namespace %q...", proxyNs)
+	ts.logf("Setting up nginx proxy in namespace %q...", proxyNs)
 	ts.createProxyNamespace(ctx, proxyNs)
 	ts.installImagePullSecret(ctx, proxyNs)
 	ts.createProxyTLSSecret(ctx, proxyNs, nginxTLSSecretName)
 	ts.createProxyConfigMap(ctx, proxyNs, centralEndpoint, nginxConfigName)
 	ts.createService(ctx, proxyNs, name, nginxLabels, map[int32]int32{443: 8443})
 	ts.createProxyDeployment(ctx, proxyNs, name, nginxLabels, nginxConfigName, nginxTLSSecretName)
-	logf(ts.T(), "Nginx proxy is now set up in namespace %q.", proxyNs)
+	ts.logf("Nginx proxy is now set up in namespace %q.", proxyNs)
 }
 
 func (ts *TLSChallengeSuite) createProxyNamespace(ctx context.Context, proxyNs string) {
@@ -245,11 +245,11 @@ func (ts *TLSChallengeSuite) createProxyDeployment(ctx context.Context, proxyNs
 
 func (ts *TLSChallengeSuite) cleanupProxy(ctx context.Context, proxyNs string) {
 	if ts.T().Failed() {
-		logf(ts.T(), "Test failed. Collecting k8s artifacts before cleanup.")
+		ts.logf("Test failed. Collecting k8s artifacts before cleanup.")
 		collectLogs(ts.T(), namespaces.StackRox, "tls-challenge-failure")
 		collectLogs(ts.T(), proxyNs, "tls-challenge-failure")
 	}
-	logf(ts.T(), "Cleaning up nginx proxy in namespace %q...", proxyNs)
+	ts.logf("Cleaning up nginx proxy in namespace %q...", proxyNs)
 	err := ts.k8s.CoreV1().Namespaces().Delete(ctx, proxyNs, metaV1.DeleteOptions{})
 	if apiErrors.IsNotFound(err) {
 		return

From fa0fb0b6ef19059ff6f1095666d30f5048449870 Mon Sep 17 00:00:00 2001
From: Marcin Owsiany <porridge@redhat.com>
Date: Tue, 6 Aug 2024 15:38:02 +0200
Subject: [PATCH 5/5] ctx field

---
 tests/tls_challenge_test.go | 38 ++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/tests/tls_challenge_test.go b/tests/tls_challenge_test.go
index ab6acc81d570d..679ae94102e50 100644
--- a/tests/tls_challenge_test.go
+++ b/tests/tls_challenge_test.go
@@ -63,7 +63,7 @@ func (ts *TLSChallengeSuite) SetupSuite() {
 	ts.originalCentralEndpoint = ts.getDeploymentEnvVal(ts.ctx, s, sensorDeployment, sensorContainer, centralEndpointVar)
 	ts.logf("Original value is %q. (Will restore this value on cleanup.)", ts.originalCentralEndpoint)
 
-	ts.setupProxy(ts.ctx, proxyNs, ts.originalCentralEndpoint)
+	ts.setupProxy(proxyNs, ts.originalCentralEndpoint)
 }
 
 func (ts *TLSChallengeSuite) TearDownSuite() {
@@ -95,30 +95,30 @@ func (ts *TLSChallengeSuite) TestTLSChallenge() {
 	waitUntilCentralSensorConnectionIs(ts.T(), ts.ctx, storage.ClusterHealthStatus_HEALTHY)
 }
 
-func (ts *TLSChallengeSuite) setupProxy(ctx context.Context, proxyNs string, centralEndpoint string) {
+func (ts *TLSChallengeSuite) setupProxy(proxyNs string, centralEndpoint string) {
 	name := "nginx-loadbalancer"
 	nginxLabels := map[string]string{"app": "nginx"}
 	nginxTLSSecretName := "nginx-tls-conf"
 	nginxConfigName := "nginx-proxy-conf"
 	ts.logf("Setting up nginx proxy in namespace %q...", proxyNs)
-	ts.createProxyNamespace(ctx, proxyNs)
-	ts.installImagePullSecret(ctx, proxyNs)
-	ts.createProxyTLSSecret(ctx, proxyNs, nginxTLSSecretName)
-	ts.createProxyConfigMap(ctx, proxyNs, centralEndpoint, nginxConfigName)
-	ts.createService(ctx, proxyNs, name, nginxLabels, map[int32]int32{443: 8443})
-	ts.createProxyDeployment(ctx, proxyNs, name, nginxLabels, nginxConfigName, nginxTLSSecretName)
+	ts.createProxyNamespace(proxyNs)
+	ts.installImagePullSecret(proxyNs)
+	ts.createProxyTLSSecret(proxyNs, nginxTLSSecretName)
+	ts.createProxyConfigMap(proxyNs, centralEndpoint, nginxConfigName)
+	ts.createService(ts.ctx, proxyNs, name, nginxLabels, map[int32]int32{443: 8443})
+	ts.createProxyDeployment(proxyNs, name, nginxLabels, nginxConfigName, nginxTLSSecretName)
 	ts.logf("Nginx proxy is now set up in namespace %q.", proxyNs)
 }
 
-func (ts *TLSChallengeSuite) createProxyNamespace(ctx context.Context, proxyNs string) {
-	_, err := ts.k8s.CoreV1().Namespaces().Create(ctx, &v1.Namespace{ObjectMeta: metaV1.ObjectMeta{Name: proxyNs}}, metaV1.CreateOptions{})
+func (ts *TLSChallengeSuite) createProxyNamespace(proxyNs string) {
+	_, err := ts.k8s.CoreV1().Namespaces().Create(ts.ctx, &v1.Namespace{ObjectMeta: metaV1.ObjectMeta{Name: proxyNs}}, metaV1.CreateOptions{})
 	if apiErrors.IsAlreadyExists(err) {
 		return
 	}
 	ts.Require().NoError(err, "cannot create proxy namespace %q", proxyNs)
 }
 
-func (ts *TLSChallengeSuite) installImagePullSecret(ctx context.Context, proxyNs string) {
+func (ts *TLSChallengeSuite) installImagePullSecret(proxyNs string) {
 	configBytes, err := json.Marshal(config.DockerConfigJSON{
 		Auths: map[string]config.DockerConfigEntry{
 			"https://quay.io": {
@@ -129,23 +129,23 @@ func (ts *TLSChallengeSuite) installImagePullSecret(ctx context.Context, proxyNs
 	})
 	secretName := "quay"
 	ts.Require().NoError(err, "cannot serialize docker config for image pull secret %q in namespace %q", secretName, proxyNs)
-	ts.ensureSecretExists(ctx, proxyNs, secretName, v1.SecretTypeDockerConfigJson, map[string][]byte{v1.DockerConfigJsonKey: configBytes})
+	ts.ensureSecretExists(ts.ctx, proxyNs, secretName, v1.SecretTypeDockerConfigJson, map[string][]byte{v1.DockerConfigJsonKey: configBytes})
 	patch := []byte(fmt.Sprintf(`{"imagePullSecrets":[{"name":%q}]}`, secretName))
-	_, err = ts.k8s.CoreV1().ServiceAccounts(proxyNs).Patch(ctx, "default", types.StrategicMergePatchType, patch, metaV1.PatchOptions{})
+	_, err = ts.k8s.CoreV1().ServiceAccounts(proxyNs).Patch(ts.ctx, "default", types.StrategicMergePatchType, patch, metaV1.PatchOptions{})
 	ts.Require().NoError(err, "cannot patch service account %q in namespace %q", "default", proxyNs)
 }
 
-func (ts *TLSChallengeSuite) createProxyTLSSecret(ctx context.Context, proxyNs string, nginxTLSSecretName string) {
+func (ts *TLSChallengeSuite) createProxyTLSSecret(proxyNs string, nginxTLSSecretName string) {
 	var certChain []byte
 	certChain = append(certChain, leafCert...)
 	certChain = append(certChain, additionalCA...)
-	ts.ensureSecretExists(ctx, proxyNs, nginxTLSSecretName, v1.SecretTypeTLS, map[string][]byte{
+	ts.ensureSecretExists(ts.ctx, proxyNs, nginxTLSSecretName, v1.SecretTypeTLS, map[string][]byte{
 		v1.TLSCertKey:       certChain,
 		v1.TLSPrivateKeyKey: leafKey,
 	})
 }
 
-func (ts *TLSChallengeSuite) createProxyConfigMap(ctx context.Context, proxyNs string, centralEndpoint string, nginxConfigName string) {
+func (ts *TLSChallengeSuite) createProxyConfigMap(proxyNs string, centralEndpoint string, nginxConfigName string) {
 	const nginxConfigTmpl = `
 server {
     listen 8443 ssl http2;
@@ -166,12 +166,12 @@ server {
 	}
 }
 `
-	ts.ensureConfigMapExists(ctx, proxyNs, nginxConfigName, map[string]string{
+	ts.ensureConfigMapExists(ts.ctx, proxyNs, nginxConfigName, map[string]string{
 		"nginx-proxy-grpc-tls.conf": fmt.Sprintf(nginxConfigTmpl, centralEndpoint),
 	})
 }
 
-func (ts *TLSChallengeSuite) createProxyDeployment(ctx context.Context, proxyNs string, name string, nginxLabels map[string]string, nginxConfigName string, nginxTLSSecretName string) {
+func (ts *TLSChallengeSuite) createProxyDeployment(proxyNs string, name string, nginxLabels map[string]string, nginxConfigName string, nginxTLSSecretName string) {
 	d := &appsV1.Deployment{
 		ObjectMeta: metaV1.ObjectMeta{
 			Name:   name,
@@ -239,7 +239,7 @@ func (ts *TLSChallengeSuite) createProxyDeployment(ctx context.Context, proxyNs
 			},
 		},
 	}
-	_, err := ts.k8s.AppsV1().Deployments(proxyNs).Create(ctx, d, metaV1.CreateOptions{})
+	_, err := ts.k8s.AppsV1().Deployments(proxyNs).Create(ts.ctx, d, metaV1.CreateOptions{})
 	ts.Require().NoError(err, "cannot create deployment %q in namespace %q", name, proxyNs)
 }