From d8486f682da395347be347513bde34078f2ea431 Mon Sep 17 00:00:00 2001
From: Francisco Herrera <fjglira@gmail.com>
Date: Wed, 11 Feb 2026 11:19:54 +0100
Subject: [PATCH 1/3] Improve scorecard test to avoid running on kind cluster
 inside OCP clusters

Signed-off-by: Francisco Herrera <fjglira@gmail.com>
---
 tests/scorecard-test.sh | 59 ++++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 13 deletions(-)

diff --git a/tests/scorecard-test.sh b/tests/scorecard-test.sh
index 8c11b3159..7d241f1b2 100755
--- a/tests/scorecard-test.sh
+++ b/tests/scorecard-test.sh
@@ -19,22 +19,55 @@ set -eux -o pipefail
 SCRIPTPATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 ROOT="$(dirname "${SCRIPTPATH}")"
 
-# shellcheck source=common/scripts/kind_provisioner.sh
-source "${ROOT}/common/scripts/kind_provisioner.sh"
+# OCP environment variable can be set to "true" to run tests against an existing OCP cluster instead of a Kind cluster
+OCP="${OCP:-false}"
 
-# Create a temporary kubeconfig
-KUBECONFIG="$(mktemp)"
-export KUBECONFIG
+if [[ "${OCP}" == "true" ]]; then
+    echo "Running scorecard tests against existing OCP cluster"
 
-# Create the kind cluster
-export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}"
-export DEFAULT_CLUSTER_YAML="${ROOT}/tests/e2e/setup/config/default.yaml"
-export ARTIFACTS="${ARTIFACTS:-$(mktemp -d)}"
-export IP_FAMILY="${IP_FAMILY:-ipv4}"
-setup_kind_cluster "${KIND_CLUSTER_NAME}" "" "" "true" "true"
+    # Check if KUBECONFIG is set
+    if [ -z "${KUBECONFIG:-}" ]; then
+        echo "KUBECONFIG is not set. oc will not be able to connect to the cluster. Exiting."
+        exit 1
+    fi
 
-kind export kubeconfig --name="${KIND_CLUSTER_NAME}"
+    # Verify we can connect to the cluster
+    if ! oc cluster-info > /dev/null 2>&1; then
+        echo "Cannot connect to OpenShift cluster. Check your KUBECONFIG and cluster access."
+        exit 1
+    fi
+
+    echo "Connected to cluster: $(oc config current-context)"
+
+else
+    echo "Running scorecard tests against Kind cluster"
+
+    # shellcheck source=common/scripts/kind_provisioner.sh
+    source "${ROOT}/common/scripts/kind_provisioner.sh"
+
+    # Create a temporary kubeconfig
+    KUBECONFIG="$(mktemp)"
+    export KUBECONFIG
+
+    # Create the kind cluster
+    export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-kind}"
+    export DEFAULT_CLUSTER_YAML="${ROOT}/tests/e2e/setup/config/default.yaml"
+    export ARTIFACTS="${ARTIFACTS:-$(mktemp -d)}"
+    export IP_FAMILY="${IP_FAMILY:-ipv4}"
+    setup_kind_cluster "${KIND_CLUSTER_NAME}" "" "" "true" "true"
+
+    kind export kubeconfig --name="${KIND_CLUSTER_NAME}"
+fi
+
+# Determine namespace - use scorecard-test for OCP to avoid conflicts with any existing namespaces, and default for Kind since it's a fresh cluster
+NAMESPACE="${SCORECARD_NAMESPACE:-default}"
+if [[ "${OCP}" == "true" ]]; then
+    NAMESPACE="${SCORECARD_NAMESPACE:-scorecard-test}"
+    # Create namespace if it doesn't exist
+    oc create namespace "${NAMESPACE}" --dry-run=client -o yaml | oc apply -f -
+fi
 
 # Run the test
 OPERATOR_SDK="${OPERATOR_SDK:-operator-sdk}"
-${OPERATOR_SDK} scorecard --kubeconfig="${KUBECONFIG}" --namespace=default bundle
+echo "Running scorecard tests in namespace: ${NAMESPACE}"
+${OPERATOR_SDK} scorecard --kubeconfig="${KUBECONFIG}" --namespace="${NAMESPACE}" bundle

From d7140f3f80bedbdd7435b2793bc5c5021193df56 Mon Sep 17 00:00:00 2001
From: Francisco Herrera <fjglira@gmail.com>
Date: Wed, 11 Feb 2026 11:26:33 +0100
Subject: [PATCH 2/3] Adding default values to scorecard test

Signed-off-by: Francisco Herrera <fjglira@gmail.com>
---
 Makefile.core.mk | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile.core.mk b/Makefile.core.mk
index 523e9c8b0..bb6a2677a 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -203,8 +203,8 @@ test.integration: envtest ## Run integration tests located in the tests/integrat
 	go run github.com/onsi/ginkgo/v2/ginkgo --tags=integration $(GINKGO_FLAGS) ./tests/integration/...
 
 .PHONY: test.scorecard
-test.scorecard: operator-sdk ## Run the operator scorecard test.
-	OPERATOR_SDK=$(OPERATOR_SDK) ${SOURCE_DIR}/tests/scorecard-test.sh
+test.scorecard: operator-sdk ## Run the operator scorecard test. Use OCP=true to run against an existing OCP cluster instead of Kind.
+	OCP=$${OCP:-false} OPERATOR_SDK=$(OPERATOR_SDK) SCORECARD_NAMESPACE="$${SCORECARD_NAMESPACE:-scorecard-test}" ${SOURCE_DIR}/tests/scorecard-test.sh
 
 .PHONY: test.e2e.ocp
 test.e2e.ocp: istioctl ## Run the end-to-end tests against an existing OCP cluster. While running on OCP in downstream you need to set ISTIOCTL_DOWNLOAD_URL to the URL where the istioctl productized binary.

From 36ff739231e6ed17f2f0f0db253f9fb932051e94 Mon Sep 17 00:00:00 2001
From: Francisco Herrera <fjglira@gmail.com>
Date: Wed, 11 Feb 2026 11:35:25 +0100
Subject: [PATCH 3/3] CHange from review

Signed-off-by: Francisco Herrera <fjglira@gmail.com>
---
 tests/scorecard-test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/scorecard-test.sh b/tests/scorecard-test.sh
index 7d241f1b2..f4bdc9da4 100755
--- a/tests/scorecard-test.sh
+++ b/tests/scorecard-test.sh
@@ -64,7 +64,7 @@ NAMESPACE="${SCORECARD_NAMESPACE:-default}"
 if [[ "${OCP}" == "true" ]]; then
     NAMESPACE="${SCORECARD_NAMESPACE:-scorecard-test}"
     # Create namespace if it doesn't exist
-    oc create namespace "${NAMESPACE}" --dry-run=client -o yaml | oc apply -f -
+    oc create namespace "${NAMESPACE}" || true
 fi
 
 # Run the test