Skip to content

[WIP]Add automated e2e test for cert rotation sidecar behavior (OCPBUGS-60628)#1914

Open
wangke19 wants to merge 1 commit intoopenshift:mainfrom
wangke19:ocpbugs-60628-test
Open

[WIP]Add automated e2e test for cert rotation sidecar behavior (OCPBUGS-60628)#1914
wangke19 wants to merge 1 commit intoopenshift:mainfrom
wangke19:ocpbugs-60628-test

Conversation

@wangke19
Copy link
Copy Markdown
Contributor

@wangke19 wangke19 commented Aug 29, 2025
edited
Loading

Summary

This PR migrates the cert rotation sidecar e2e test to the OpenShift Tests Extension (OTE) framework for better integration with OpenShift CI/CD pipelines.

Changes

Test Migration to OTE/Ginkgo Format

  • Converted to Ginkgo/Gomega syntax:

    • Changed from standard Go testing.T to Ginkgo Describe()/It() blocks
    • Replaced require.NoError() with gomega.Expect().NotTo(gomega.HaveOccurred())
    • Moved setup to ginkgo.BeforeEach() and cleanup to ginkgo.AfterEach()
    • Added ginkgo.By() for test step descriptions

  • Added OTE labels: [Operator][Serial]

    • Matches suite qualifiers in cmd/cluster-kube-apiserver-operator-tests-ext/main.go
    • Ensures tests run serially (required for CVO manipulation)

New Files

  • cmd/cluster-kube-apiserver-operator-tests-ext/dependencymagnet.go
    • Imports test package to register Ginkgo tests with OTE framework
    • Required for OTE test discovery mechanism

Test Coverage

The migrated tests verify cert rotation sidecar behavior:

  1. Test 1: Verify metadata annotations are NOT restored by sidecar when operator is down
  2. Test 2: Verify metadata annotations ARE restored by operator when it's running (without cert rotation)
  3. Test 3: Verify cert rotation IS triggered by sidecar when certificate expires and operator is down

Testing

Build the test binary:

go build -o cluster-kube-apiserver-operator-tests-ext ./cmd/cluster-kube-apiserver-operator-tests-ext

List tests:

./cluster-kube-apiserver-operator-tests-ext list tests --suite=openshift/cluster-kube-apiserver-operator/operator/serial

Run tests (serial execution):

export KUBECONFIG=/path/to/kubeconfig
./cluster-kube-apiserver-operator-tests-ext run-suite openshift/cluster-kube-apiserver-operator/operator/serial -c 1

Expected Results:

  • Test 1: ✅ PASS (23 seconds)
  • Test 2: ✅ PASS (21 seconds)
  • Test 3: ✅ PASS (17 seconds)

Related

Notes

  • Tests must run serially (-c 1) to avoid conflicts when pausing/resuming CVO
  • KUBECONFIG must be set with absolute path (OTE spawns subprocesses that don't inherit env vars with relative paths)
  • Suite parallelism is already set to 1 in main.go, but -c 1 flag is still recommended for reliability

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Aug 29, 2025
edited
Loading

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9399f57b-07e5-489d-a53d-5917f8a6e45c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

A new end-to-end test file introduces a comprehensive test for certificate rotation behavior via a sidecar in Kubernetes environments. The test validates three scenarios: operator downtime without metadata restoration, operator uptime with metadata restoration, and operator downtime with expired certificate triggering rotation. Helper functions manage CVO lifecycle, deployment scaling, and secret annotation patching.

Changes

Cohort / File(s) Change Summary
Certificate Rotation Sidecar E2E Test
test/e2e/cert_rotation_sidecar_test.go		 New file introducing TestCertRotationSidecarRefreshOnlyWhenExpired test function with three scenario subtests (operator down without restore, operator up with restore, operator down with expired cert rotation). Includes helper functions for CVO pause/resume, deployment scaling, secret annotation patching, and deployment scale verification. Uses wait.PollImmediate for state polling and require for assertions.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Scenario coordination: Verify correct CVO pause/resume lifecycle and proper cleanup sequencing
  • Polling logic: Review wait.PollImmediate polling intervals and termination conditions across all helper functions
  • Test scenarios: Validate each of the three scenarios (ScenarioA, B, C) properly isolates state and makes correct assertions about metadata and certificate rotation behavior
  • Secret patching logic: Ensure annotation removal/restoration in patchAnnotationsOnSecret correctly simulates the sidecar behavior under different operator states
  • Deployment scaling verification: Confirm isDeploymentScaled and scaleDeployment correctly reflect and achieve desired replica states

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Description Check ❓ Inconclusive No description was provided, so there is insufficient information to understand the intent and scope of the changes from the author’s prose. Please add a brief description explaining the purpose and scope of the changes, including what ocpbugs-60628 is and how the new tests address it.
✅ Passed checks (2 passed)
Check name Status Explanation
Title Check ✅ Passed The title “[WIP]Add test for ocpbugs-60628” clearly reflects the primary intent of the changeset by specifying that tests are being added for bug ocpbugs-60628, so it accurately summarizes the main change.
Docstring Coverage ✅ Passed Docstring coverage is 80.56% which is sufficient. The required threshold is 80.00%.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 29, 2025
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Aug 29, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@wangke19 wangke19 force-pushed the ocpbugs-60628-test branch from 33b1d97 to 6b2a50f Compare October 5, 2025 19:35
@wangke19 wangke19 marked this pull request as ready for review October 5, 2025 19:36
@openshift-ci openshift-ci Bot requested review from benluddy and deads2k October 5, 2025 19:37
coderabbitai[bot]
coderabbitai Bot reviewed Oct 5, 2025
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 51e09bc and 6b2a50f.

⛔ Files ignored due to path filters (281)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/JeffAshton/win_pdh/AUTHORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/JeffAshton/win_pdh/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/JeffAshton/win_pdh/README.mdown is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/JeffAshton/win_pdh/pdh.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/.gitattributes is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/CODEOWNERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/SECURITY.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/backup.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/ea.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/file.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/fileinfo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/hvsock.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/fs/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/fs/fs.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/fs/security.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/socket/rawaddr.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/socket/socket.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/socket/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pipe.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pkg/guid/guid_nonwindows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pkg/guid/guid_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pkg/guid/variant_string.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/privilege.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/reparse.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/sd.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/syscall.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/.gitattributes is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/CODEOWNERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/SECURITY.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/hns_v1.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/hnsaccelnet.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/hnsglobals.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/hnssupport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hns.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsaccelnet.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsendpoint.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnserrors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsfuncs.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsglobals.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsnetwork.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnspolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnspolicylist.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnssupport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/namespace.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/interop/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/interop/interop.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/interop/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/armon/circbuf/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/armon/circbuf/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/armon/circbuf/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/armon/circbuf/circbuf.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/container-storage-interface/spec/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/container-storage-interface/spec/lib/go/csi/csi.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/containers.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/containers.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/containers_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/containers_ttrpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/tasks.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/tasks.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/tasks_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/tasks_ttrpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/version.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/version.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/version_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/version_ttrpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/descriptor.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/descriptor.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/event.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/event.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/fieldpath.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/fieldpath.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/introspection.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/introspection.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/metrics.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/metrics.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/mount.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/mount.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/platform.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/platform.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/platform_helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/sandbox.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/sandbox.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/task/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/task/task.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/task/task.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/pkg/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/pkg/errgrpc/grpc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/pkg/internal/cause/cause.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/pkg/internal/types/collapsible.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/resolve.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/log/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/log/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/log/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/log/context.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/.gitattributes is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/PROTOCOL.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/Protobuild.toml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/channel.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/codec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/handshake.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/interceptor.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/metadata.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/request.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/request.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/server.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/services.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/stream.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/stream_server.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/test.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/unixcreds_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/types_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/dbus.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/methods.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/properties.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/set.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/subscription.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/subscription_set.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/VERSION is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/join.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/open_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/openat_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/vfs.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/.gitattributes is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/CODE-OF-CONDUCT.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/GOVERNANCE.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/MAINTAINERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/SECURITY.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/distribution-logo.svg is excluded by !**/*.svg, !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/normalize.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/reference.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/regexp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/sort.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/MAINTAINERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/circle.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/duration.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/size.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/ulimit.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/euank/go-kmsg-parser/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/euank/go-kmsg-parser/kmsgparser/kmsgparser.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/euank/go-kmsg-parser/kmsgparser/log.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/MAINTAINERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/auth.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/auth_anonymous.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/auth_external.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/auth_sha1.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/call.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn_darwin.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn_other.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/dbus.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/decoder.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/default_handler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/encoder.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/escape.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/export.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/homedir.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/match.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/message.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/object.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/sequence.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/sequential_handler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/server_interfaces.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/sig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_darwin.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_generic.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_nonce_tcp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_tcp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_dragonfly.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_freebsd.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_netbsd.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_openbsd.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_zos.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/variant.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/variant_lexer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/variant_parser.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/protoc-gen-go/descriptor/descriptor.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/ptypes/wrappers/wrappers.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/AUTHORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/cache/memory/memory.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/collector_manager.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/fakes.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/generic_collector.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/prometheus_collector.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/common/container_hints.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/common/fsHandler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/common/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/common/inotify_watcher.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/container.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/containers/containers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/factory.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/grpc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/handler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/identifiers/validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/install/install.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/namespaces/context.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/namespaces/grpc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/namespaces/store.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/namespaces/ttrpc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/plugin.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/crio/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/crio/factory.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/crio/handler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/crio/install/install.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/crio/plugin.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (19)
  • go.mod (7 hunks)
  • test/extended/ckao.go (1 hunks)
  • test/extended/main.go (0 hunks)
  • test/extended/util/assert.go (1 hunks)
  • test/extended/util/client.go (1 hunks)
  • test/extended/util/clusters.go (1 hunks)
  • test/extended/util/framework.go (1 hunks)
  • test/extended/util/gomega_helpers.go (1 hunks)
  • test/extended/util/gwrapper.go (1 hunks)
  • test/extended/util/logext/log.go (1 hunks)
  • test/extended/util/nodes.go (1 hunks)
  • test/extended/util/oc_copy.go (1 hunks)
  • test/extended/util/pods.go (1 hunks)
  • test/extended/util/provider/config.go (1 hunks)
  • test/extended/util/provider/provider.go (1 hunks)
  • test/extended/util/resource_op.go (1 hunks)
  • test/extended/util/sar.go (1 hunks)
  • test/extended/util/template.go (1 hunks)
  • test/extended/util/test.go (1 hunks)
💤 Files with no reviewable changes (1)
  • test/extended/main.go
🧰 Additional context used
🪛 OSV Scanner (2.2.3)
go.mod

[HIGH] 137-137: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful 0.42.0: Memory exhaustion in go.opentelemetry.io/contrib/instrumentation

(GO-2023-2113)

[HIGH] 137-137: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful 0.42.0: OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

(GHSA-rcjv-mgp8-qvmr)

Comment thread go.mod Outdated
Comment thread test/extended/ckao.go Outdated
Comment on lines +101 to +141
o.Consistently(func() bool {
s, _ := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
ann := s.Annotations
_, comp := ann["auth.openshift.io/component"]
_, desc := ann["auth.openshift.io/description"]
dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])
return !comp && !desc && dataNow == dataBefore
}, 2*time.Minute, 10*time.Second).Should(o.BeTrue())

// --- Scenario B
g.By("Scenario B: operator up, metadata restored without cert rotation")
scaleDeployment(oc, "openshift-kube-apiserver-operator", "openshift-kube-apiserver-operator", 1)

o.Eventually(func() bool {
s, _ := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
ann := s.Annotations
comp := ann["auth.openshift.io/component"] != ""
desc := ann["auth.openshift.io/description"] != ""
dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])
return comp && desc && dataNow == dataBefore
}, 3*time.Minute, 10*time.Second).Should(o.BeTrue())

// --- Scenario C
g.By("Scenario C: operator down, expired not-after triggers sidecar rotation")
scaleDeployment(oc, "openshift-kube-apiserver-operator", "openshift-kube-apiserver-operator", 0)
past := "2000-01-01T00:00:00Z"
patchAnnotationsOnSecret(oc, ns, secretName, map[string]*string{
"auth.openshift.io/not-after": &past,
})

o.Eventually(func() bool {
s, _ := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])
ann := s.Annotations
na := ann["auth.openshift.io/not-after"]
if na == "" {
return false
}
// content rotated
return dataNow != dataBefore
}, 3*time.Minute, 10*time.Second).Should(o.BeTrue())
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Handle secret Get errors before dereferencing the result

All three polling blocks ignore the error returned by kc.CoreV1().Secrets(...).Get. If that call transiently fails (network hiccup, API temporarily returning NotFound), s is nil and s.Annotations will panic, aborting the test instead of retrying. Ensure we check the error before touching the secret (and apply the same fix to the Scenario B and Scenario C loops).

-		o.Consistently(func() bool {
-			s, _ := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+		o.Consistently(func() bool {
+			s, err := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+			if err != nil {
+				return false
+			}
 			ann := s.Annotations
-		o.Eventually(func() bool {
-			s, _ := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+		o.Eventually(func() bool {
+			s, err := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+			if err != nil {
+				return false
+			}
-		o.Eventually(func() bool {
-			s, _ := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+		o.Eventually(func() bool {
+			s, err := kc.CoreV1().Secrets(ns).Get(ctx, secretName, metav1.GetOptions{})
+			if err != nil {
+				return false
+			}
🤖 Prompt for AI Agents 
In test/extended/ckao.go around lines 101 to 141, each o.Consistently/Eventually
polling lambda ignores the error returned by kc.CoreV1().Secrets(...).Get and
dereferences s (s.Annotations/s.Data) which can panic if Get fails or returns
nil; update each lambda (Scenario A, B, and C) to check the returned error and
that s != nil before accessing s.Annotations or s.Data, and if err != nil or s
== nil return false (so the poll retries) rather than dereferencing; preserve
the existing return conditions when no error is present.

Comment thread test/extended/util/client.go Outdated
Comment on lines +153 to +161
f, err := os.CreateTemp("", "configfile")
if err != nil {
e2e.Failf("failure creating temporal kubeconfig file for user %s. %v", name, err)
}
c.configPath = f.Name()
err = clientcmd.WriteToFile(*kubeConfig, c.configPath)
if err != nil {
e2e.Failf("failure writing temporal kubeconfig file for user %s. %v", name, err)
}
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Close the temp kubeconfig before reuse

We create a temp kubeconfig but never close its file descriptor. Because SetupProject calls ChangeUser for every test, this leaks one FD per spec until Go’s finalizer eventually runs, and large suites will easily hit “too many open files”. Close the handle before writing.

 	f, err := os.CreateTemp("", "configfile")
 	if err != nil {
 		e2e.Failf("failure creating temporal kubeconfig file for user %s. %v", name, err)
 	}
 	c.configPath = f.Name()
-	err = clientcmd.WriteToFile(*kubeConfig, c.configPath)
-	if err != nil {
-		e2e.Failf("failure writing temporal kubeconfig file for user %s. %v", name, err)
-	}
+	if err := f.Close(); err != nil {
+		e2e.Failf("failure closing temporal kubeconfig file for user %s. %v", name, err)
+	}
+	if err := clientcmd.WriteToFile(*kubeConfig, c.configPath); err != nil {
+		e2e.Failf("failure writing temporal kubeconfig file for user %s. %v", name, err)
+	}
🤖 Prompt for AI Agents 
In test/extended/util/client.go around lines 153 to 161, the code creates a temp
kubeconfig file but never closes its file descriptor before calling
clientcmd.WriteToFile, leaking FDs across tests; update the code to close the
temp file handle (call f.Close()) before calling WriteToFile and handle any
close error (fail the test or log the error) so the descriptor is released prior
to reuse.

Comment thread test/extended/util/client.go Outdated
Comment on lines +639 to +673
// This function also override the default 'stdout' to redirect all output
// to a buffer and prepare the global flags such as namespace and config path.
func (c *CLI) Run(commands ...string) *CLI {
in, out, errout := &bytes.Buffer{}, &bytes.Buffer{}, &bytes.Buffer{}
nc := &CLI{
execPath: c.execPath,
verb: commands[0],
kubeFramework: c.KubeFramework(),
adminConfigPath: c.adminConfigPath,
configPath: c.configPath,
showInfo: c.showInfo,
guestConfigPath: c.guestConfigPath,
user: c.user,
globalArgs: commands,
}
if !c.withoutKubeconf {
if c.asGuestKubeconf {
if c.guestConfigPath != "" {
nc.globalArgs = append([]string{fmt.Sprintf("--kubeconfig=%s", c.guestConfigPath)}, nc.globalArgs...)
} else {
e2e.Failf("want to use guest cluster kubeconfig, but it is not set, so please use oc.SetGuestKubeconf to set it firstly")
}
} else {
nc.globalArgs = append([]string{fmt.Sprintf("--kubeconfig=%s", c.configPath)}, nc.globalArgs...)
}
}
if c.asGuestKubeconf && !c.withoutNamespace {
e2e.Failf("you are doing something in ns of guest cluster, please use WithoutNamespace and set ns in Args, for example, oc.AsGuestKubeconf().WithoutNamespace().Run(\"get\").Args(\"pods\", \"-n\", \"guestclusterns\").Output()")
}
if !c.withoutNamespace {
nc.globalArgs = append([]string{fmt.Sprintf("--namespace=%s", c.Namespace())}, nc.globalArgs...)
}
nc.stdin, nc.stdout, nc.stderr = in, out, errout
return nc.setOutput(c.stdout)
}
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Run drops the verb when Args isn’t called

Run() never seeds finalArgs, so oc.Run("whoami").Output() (and any call that relies only on the verb or arguments passed via Run) executes plain oc with no subcommand. That’s a hard functional bug.

 	if !c.withoutNamespace {
 		nc.globalArgs = append([]string{fmt.Sprintf("--namespace=%s", c.Namespace())}, nc.globalArgs...)
 	}
-	nc.stdin, nc.stdout, nc.stderr = in, out, errout
-	return nc.setOutput(c.stdout)
+	nc.stdin, nc.stdout, nc.stderr = in, out, errout
+	nc.finalArgs = slices.Clone(nc.globalArgs)
+	return nc.setOutput(c.stdout)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// This function also override the default 'stdout' to redirect all output
// to a buffer and prepare the global flags such as namespace and config path.
func (c *CLI) Run(commands ...string) *CLI {
in, out, errout := &bytes.Buffer{}, &bytes.Buffer{}, &bytes.Buffer{}
nc := &CLI{
execPath: c.execPath,
verb: commands[0],
kubeFramework: c.KubeFramework(),
adminConfigPath: c.adminConfigPath,
configPath: c.configPath,
showInfo: c.showInfo,
guestConfigPath: c.guestConfigPath,
user: c.user,
globalArgs: commands,
}
if !c.withoutKubeconf {
if c.asGuestKubeconf {
if c.guestConfigPath != "" {
nc.globalArgs = append([]string{fmt.Sprintf("--kubeconfig=%s", c.guestConfigPath)}, nc.globalArgs...)
} else {
e2e.Failf("want to use guest cluster kubeconfig, but it is not set, so please use oc.SetGuestKubeconf to set it firstly")
}
} else {
nc.globalArgs = append([]string{fmt.Sprintf("--kubeconfig=%s", c.configPath)}, nc.globalArgs...)
}
}
if c.asGuestKubeconf && !c.withoutNamespace {
e2e.Failf("you are doing something in ns of guest cluster, please use WithoutNamespace and set ns in Args, for example, oc.AsGuestKubeconf().WithoutNamespace().Run(\"get\").Args(\"pods\", \"-n\", \"guestclusterns\").Output()")
}
if !c.withoutNamespace {
nc.globalArgs = append([]string{fmt.Sprintf("--namespace=%s", c.Namespace())}, nc.globalArgs...)
}
nc.stdin, nc.stdout, nc.stderr = in, out, errout
return nc.setOutput(c.stdout)
}
// This function also override the default 'stdout' to redirect all output
// to a buffer and prepare the global flags such as namespace and config path.
func (c *CLI) Run(commands ...string) *CLI {
in, out, errout := &bytes.Buffer{}, &bytes.Buffer{}, &bytes.Buffer{}
nc := &CLI{
execPath: c.execPath,
verb: commands[0],
kubeFramework: c.KubeFramework(),
adminConfigPath: c.adminConfigPath,
configPath: c.configPath,
showInfo: c.showInfo,
guestConfigPath: c.guestConfigPath,
user: c.user,
globalArgs: commands,
}
if !c.withoutKubeconf {
if c.asGuestKubeconf {
if c.guestConfigPath != "" {
nc.globalArgs = append([]string{fmt.Sprintf("--kubeconfig=%s", c.guestConfigPath)}, nc.globalArgs...)
} else {
e2e.Failf("want to use guest cluster kubeconfig, but it is not set, so please use oc.SetGuestKubeconf to set it firstly")
}
} else {
nc.globalArgs = append([]string{fmt.Sprintf("--kubeconfig=%s", c.configPath)}, nc.globalArgs...)
}
}
if c.asGuestKubeconf && !c.withoutNamespace {
e2e.Failf("you are doing something in ns of guest cluster, please use WithoutNamespace and set ns in Args, for example, oc.AsGuestKubeconf().WithoutNamespace().Run(\"get\").Args(\"pods\", \"-n\", \"guestclusterns\").Output()")
}
if !c.withoutNamespace {
nc.globalArgs = append([]string{fmt.Sprintf("--namespace=%s", c.Namespace())}, nc.globalArgs...)
}
nc.stdin, nc.stdout, nc.stderr = in, out, errout
nc.finalArgs = slices.Clone(nc.globalArgs)
return nc.setOutput(c.stdout)
}
🤖 Prompt for AI Agents 
In test/extended/util/client.go around lines 639 to 673, Run currently sets
nc.verb = commands[0] but does not ensure the verb is present in nc.globalArgs
so calls like oc.Run("whoami").Output() end up invoking just "oc" with no
subcommand; fix by ensuring the verb is seeded into nc.globalArgs when building
nc (i.e., initialize nc.globalArgs to include commands[0] as the first element,
followed by any additional command tokens, instead of only using commands as-is)
so that invocations that rely solely on the verb execute the subcommand
correctly.

Comment thread test/extended/util/nodes.go Outdated
Comment on lines +88 to +95
defaultNodeSelector, getNodeSelectorErr := oc.AsAdmin().WithoutNamespace().Run("get").Args("scheduler", "cluster", "-o=jsonpath={.spec.defaultNodeSelector}").Output()
if getNodeSelectorErr != nil && strings.Contains(defaultNodeSelector, `the server doesn't have a resource type`) {
e2e.Logf("WARNING: The scheduler API is not supported on the test cluster")
return false
}
o.Expect(getNodeSelectorErr).NotTo(o.HaveOccurred(), "Fail to get cluster scheduler defaultNodeSelector got error: %v\n", getNodeSelectorErr)
return !strings.EqualFold(defaultNodeSelector, "")
}
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Fix scheduler API fallback check

When oc get scheduler cluster hits a cluster that doesn’t expose the scheduler API, the error text lives in getNodeSelectorErr, not in the (empty) defaultNodeSelector output. The current guard never fires, so we fall through to the Expect and fail every time on clusters without that API. Please test the error string instead so we actually return false in this scenario.

-	defaultNodeSelector, getNodeSelectorErr := oc.AsAdmin().WithoutNamespace().Run("get").Args("scheduler", "cluster", "-o=jsonpath={.spec.defaultNodeSelector}").Output()
-	if getNodeSelectorErr != nil && strings.Contains(defaultNodeSelector, `the server doesn't have a resource type`) {
+	defaultNodeSelector, getNodeSelectorErr := oc.AsAdmin().WithoutNamespace().Run("get").Args("scheduler", "cluster", "-o=jsonpath={.spec.defaultNodeSelector}").Output()
+	if getNodeSelectorErr != nil && strings.Contains(getNodeSelectorErr.Error(), `the server doesn't have a resource type`) {
 		e2e.Logf("WARNING: The scheduler API is not supported on the test cluster")
 		return false
 	}
 	o.Expect(getNodeSelectorErr).NotTo(o.HaveOccurred(), "Fail to get cluster scheduler defaultNodeSelector got error: %v\n", getNodeSelectorErr)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
defaultNodeSelector, getNodeSelectorErr := oc.AsAdmin().WithoutNamespace().Run("get").Args("scheduler", "cluster", "-o=jsonpath={.spec.defaultNodeSelector}").Output()
if getNodeSelectorErr != nil && strings.Contains(defaultNodeSelector, `the server doesn't have a resource type`) {
e2e.Logf("WARNING: The scheduler API is not supported on the test cluster")
return false
}
o.Expect(getNodeSelectorErr).NotTo(o.HaveOccurred(), "Fail to get cluster scheduler defaultNodeSelector got error: %v\n", getNodeSelectorErr)
return !strings.EqualFold(defaultNodeSelector, "")
}
defaultNodeSelector, getNodeSelectorErr := oc.AsAdmin().WithoutNamespace().Run("get").Args("scheduler", "cluster", "-o=jsonpath={.spec.defaultNodeSelector}").Output()
if getNodeSelectorErr != nil && strings.Contains(getNodeSelectorErr.Error(), `the server doesn't have a resource type`) {
e2e.Logf("WARNING: The scheduler API is not supported on the test cluster")
return false
}
o.Expect(getNodeSelectorErr).NotTo(o.HaveOccurred(), "Fail to get cluster scheduler defaultNodeSelector got error: %v\n", getNodeSelectorErr)
return !strings.EqualFold(defaultNodeSelector, "")
}
🤖 Prompt for AI Agents 
In test/extended/util/nodes.go around lines 88-95, the guard checking for a
scheduler-API-missing condition inspects the (empty) defaultNodeSelector string
instead of the error; update the logic to test the error object (e.g., if
getNodeSelectorErr != nil && strings.Contains(getNodeSelectorErr.Error(), "the
server doesn't have a resource type") { log and return false }) and ensure the
Expect(...) call is only executed when getNodeSelectorErr is nil (so we don't
call Expect on clusters that lack the scheduler API).

Comment thread test/extended/util/pods.go Outdated
Comment on lines +75 to +86
var filterCmd = ""
if filter != "" {
filterCmd = " | grep -i " + filter
}
var filteredLogs []byte
var errCmd error
if combined {
filteredLogs, errCmd = exec.Command("bash", "-c", "cat "+podLogs+filterCmd).CombinedOutput()
} else {
filteredLogs, errCmd = exec.Command("bash", "-c", "cat "+podLogs+filterCmd).Output()
}
return string(filteredLogs), errCmd
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Stop shelling out with unescaped filter

bash -c "cat … | grep -i <filter>" lets the caller inject arbitrary shell syntax (spaces, quotes, ;, etc.) and even breaks for perfectly valid multi-word filters. Build the command without invoking a shell so every argument is kept literal.

-	var filterCmd = ""
-	if filter != "" {
-		filterCmd = " | grep -i " + filter
-	}
-	var filteredLogs []byte
-	var errCmd error
-	if combined {
-		filteredLogs, errCmd = exec.Command("bash", "-c", "cat "+podLogs+filterCmd).CombinedOutput()
-	} else {
-		filteredLogs, errCmd = exec.Command("bash", "-c", "cat "+podLogs+filterCmd).Output()
-	}
-	return string(filteredLogs), errCmd
+	var cmd *exec.Cmd
+	if filter == "" {
+		cmd = exec.Command("cat", podLogs)
+	} else {
+		cmd = exec.Command("grep", "-i", "--", filter, podLogs)
+	}
+	if combined {
+		filteredLogs, errCmd := cmd.CombinedOutput()
+		return string(filteredLogs), errCmd
+	}
+	filteredLogs, errCmd := cmd.Output()
+	return string(filteredLogs), errCmd
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
var filterCmd = ""
if filter != "" {
filterCmd = " | grep -i " + filter
}
var filteredLogs []byte
var errCmd error
if combined {
filteredLogs, errCmd = exec.Command("bash", "-c", "cat "+podLogs+filterCmd).CombinedOutput()
} else {
filteredLogs, errCmd = exec.Command("bash", "-c", "cat "+podLogs+filterCmd).Output()
}
return string(filteredLogs), errCmd
var cmd *exec.Cmd
if filter == "" {
cmd = exec.Command("cat", podLogs)
} else {
cmd = exec.Command("grep", "-i", "--", filter, podLogs)
}
if combined {
filteredLogs, errCmd := cmd.CombinedOutput()
return string(filteredLogs), errCmd
}
filteredLogs, errCmd := cmd.Output()
return string(filteredLogs), errCmd
🤖 Prompt for AI Agents 
In test/extended/util/pods.go around lines 75-86, stop invoking bash -c with an
unescaped filter (which allows shell injection); instead read the podLogs file
with os.ReadFile (return the read error if any) and if filter is non-empty
perform a case-insensitive line-by-line filter in Go (e.g., strings.ToLower on
line and filter, include matching lines, join with "\n"), then return the
resulting string and nil error; this removes the need to shell out and preserves
literal filter content safely.

Comment thread test/extended/util/provider/provider.go Outdated
Comment on lines +35 to +52
providerInfo := &ClusterConfiguration{}
if err := json.Unmarshal([]byte(envVar), &providerInfo); err != nil {
return fmt.Errorf("provider must be a JSON object with the 'type' key at a minimum: %v", err)
}

// update context with loaded config
context.Provider = providerInfo.ProviderName
context.CloudConfig = e2e.CloudConfig{
ProjectID: providerInfo.ProjectID,
Region: providerInfo.Region,
Zone: providerInfo.Zone,
Zones: providerInfo.Zones,
NumNodes: providerInfo.NumNodes,
MultiMaster: providerInfo.MultiMaster,
MultiZone: providerInfo.MultiZone,
ConfigFile: providerInfo.ConfigFile,
}
return nil
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Reject null or missing-type provider configs to avoid panics

If TEST_PROVIDER is the valid JSON literal null, json.Unmarshal leaves providerInfo as nil, and the subsequent providerInfo.ProviderName dereference panics before we can report a useful error. Likewise, a JSON object without "type" silently yields an empty provider name. Guard both cases so we fail fast with a clear message instead of crashing.

-	providerInfo := &ClusterConfiguration{}
-	if err := json.Unmarshal([]byte(envVar), &providerInfo); err != nil {
+	providerInfo := &ClusterConfiguration{}
+	if err := json.Unmarshal([]byte(envVar), providerInfo); err != nil {
 		return fmt.Errorf("provider must be a JSON object with the 'type' key at a minimum: %v", err)
 	}
+	if providerInfo == nil {
+		return fmt.Errorf("provider must be a non-null JSON object with the 'type' key at a minimum")
+	}
+	if providerInfo.ProviderName == "" {
+		return fmt.Errorf("provider configuration must include a non-empty \"type\" field")
+	}
 
 	// update context with loaded config
 	context.Provider = providerInfo.ProviderName
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
providerInfo := &ClusterConfiguration{}
if err := json.Unmarshal([]byte(envVar), &providerInfo); err != nil {
return fmt.Errorf("provider must be a JSON object with the 'type' key at a minimum: %v", err)
}
// update context with loaded config
context.Provider = providerInfo.ProviderName
context.CloudConfig = e2e.CloudConfig{
ProjectID: providerInfo.ProjectID,
Region: providerInfo.Region,
Zone: providerInfo.Zone,
Zones: providerInfo.Zones,
NumNodes: providerInfo.NumNodes,
MultiMaster: providerInfo.MultiMaster,
MultiZone: providerInfo.MultiZone,
ConfigFile: providerInfo.ConfigFile,
}
return nil
providerInfo := &ClusterConfiguration{}
if err := json.Unmarshal([]byte(envVar), providerInfo); err != nil {
return fmt.Errorf("provider must be a JSON object with the 'type' key at a minimum: %v", err)
}
if providerInfo == nil {
return fmt.Errorf("provider must be a non-null JSON object with the 'type' key at a minimum")
}
if providerInfo.ProviderName == "" {
return fmt.Errorf("provider configuration must include a non-empty \"type\" field")
}
// update context with loaded config
context.Provider = providerInfo.ProviderName
context.CloudConfig = e2e.CloudConfig{
ProjectID: providerInfo.ProjectID,
Region: providerInfo.Region,
Zone: providerInfo.Zone,
Zones: providerInfo.Zones,
NumNodes: providerInfo.NumNodes,
MultiMaster: providerInfo.MultiMaster,
MultiZone: providerInfo.MultiZone,
ConfigFile: providerInfo.ConfigFile,
}
return nil
🤖 Prompt for AI Agents 
In test/extended/util/provider/provider.go around lines 35 to 52, guard against
JSON null and missing provider type: ensure json.Unmarshal writes into the
ClusterConfiguration value (not a pointer-to-pointer), then after unmarshalling
check if providerInfo is nil or providerInfo.ProviderName is empty and return a
clear error (e.g. "TEST_PROVIDER must be a non-null JSON object containing a
non-empty 'type' field") instead of proceeding to dereference and panic; update
the error paths accordingly so the function fails fast with that message.

Comment thread test/extended/util/resource_op.go Outdated
Comment on lines +39 to +40
cargs = append(cargs, resourceKindAndName, "-o=jsonpath={.metadata.labels."+labelName+"}")
return oc.AsAdmin().WithoutNamespace().Run("get").Args(cargs...).Output()
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Quote label keys in JSONPath

Label keys like app.kubernetes.io/name include dots, so .metadata.labels.app.kubernetes.io/name is parsed as nested fields and fails. Use bracket notation so the entire key is treated literally.

-	cargs = append(cargs, resourceKindAndName, "-o=jsonpath={.metadata.labels."+labelName+"}")
+	cargs = append(cargs, resourceKindAndName, "-o=jsonpath={.metadata.labels['"+labelName+"']}")
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
cargs = append(cargs, resourceKindAndName, "-o=jsonpath={.metadata.labels."+labelName+"}")
return oc.AsAdmin().WithoutNamespace().Run("get").Args(cargs...).Output()
cargs = append(cargs, resourceKindAndName, "-o=jsonpath={.metadata.labels['"+labelName+"']}")
return oc.AsAdmin().WithoutNamespace().Run("get").Args(cargs...).Output()
🤖 Prompt for AI Agents 
In test/extended/util/resource_op.go around lines 39-40, the JSONPath output
uses dot notation for label keys which fails for keys with dots; change the
JSONPath to use bracket notation so the entire label key is treated literally:
construct the -o=jsonpath argument as {.metadata.labels['<labelName>']} (i.e.
"-o=jsonpath={.metadata.labels['"+labelName+"']}") making sure the quotes are
placed/escaped correctly when building the string.

coderabbitai[bot]
coderabbitai Bot reviewed Oct 11, 2025
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

♻️ Duplicate comments (4)
go.mod (1)

135-135: Upgrade otelrestful to a patched release.

go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful@v0.42.0 carries GO-2023-2113 / GHSA-rcjv-mgp8-qvmr (high-severity DoS). Please bump to a fixed build (e.g. v0.58.0, which ships alongside the other 0.58.x contrib packages already in this module) and refresh go.sum. The existing bot comment on this line is still unresolved.

-	go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.42.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful v0.58.0 // indirect
test/extended/util/provider/provider.go (1)

35-52: Critical issue already flagged: nil pointer dereference on JSON null.

The past review correctly identifies that passing &providerInfo (pointer-to-pointer) to json.Unmarshal allows JSON null to set providerInfo to nil, causing a panic at line 41 when dereferencing providerInfo.ProviderName. Additionally, an empty ProviderName from a JSON object missing the "type" field should be validated. The suggested fix in the past review addresses both concerns.

test/extended/util/resource_op.go (1)

39-41: Quote label keys in the JSONPath selector

Keys like app.kubernetes.io/name currently break because .metadata.labels.<key> is parsed as nested fields. Wrap the key in brackets so it’s treated literally.

-	cargs = append(cargs, resourceKindAndName, "-o=jsonpath={.metadata.labels."+labelName+"}")
+	cargs = append(cargs, resourceKindAndName, "-o=jsonpath={.metadata.labels['"+labelName+"']}")
test/extended/util/pods.go (1)

75-86: Stop shelling out with unescaped filter – CRITICAL shell injection vulnerability.

Lines 77, 82, and 84 construct and execute a shell command with an unescaped filter parameter, allowing arbitrary command injection. This is the same critical security issue previously flagged. Any caller passing a filter like foo; rm -rf / would execute the malicious command.

Apply this diff to eliminate the shell invocation and perform filtering safely in Go:

-	var filterCmd = ""
-	if filter != "" {
-		filterCmd = " | grep -i " + filter
-	}
-	var filteredLogs []byte
-	var errCmd error
-	if combined {
-		filteredLogs, errCmd = exec.Command("bash", "-c", "cat "+podLogs+filterCmd).CombinedOutput()
-	} else {
-		filteredLogs, errCmd = exec.Command("bash", "-c", "cat "+podLogs+filterCmd).Output()
-	}
-	return string(filteredLogs), errCmd
+	// Read the log file
+	logContent, err := os.ReadFile(podLogs)
+	if err != nil {
+		return "", fmt.Errorf("failed to read log file: %w", err)
+	}
+	
+	// Apply filter if provided
+	if filter == "" {
+		return string(logContent), nil
+	}
+	
+	// Case-insensitive line-by-line filtering
+	filterLower := strings.ToLower(filter)
+	var filteredLines []string
+	for _, line := range strings.Split(string(logContent), "\n") {
+		if strings.Contains(strings.ToLower(line), filterLower) {
+			filteredLines = append(filteredLines, line)
+		}
+	}
+	return strings.Join(filteredLines, "\n"), nil

Note: This implementation also renders the combined parameter obsolete since we're reading from a file rather than capturing command output. If combined stderr/stdout is required, it should be handled when writing to podLogs.txt (line 70), not during filtering.

🧹 Nitpick comments (6)
test/extended/util/sar.go (1)

16-21: Propagate the poll context to the SelfSAR call

Right now we drop the poll loop’s context and always call the API with context.Background(), so cancellations/timeouts aren’t honored by the request. Please pass the provided context through to Create instead.

-	err := wait.PollUntilContextTimeout(context.Background(), interval, timeout, true, func(_ context.Context) (bool, error) {
-		res, err := c.AuthorizationV1().SelfSubjectAccessReviews().Create(context.Background(),
+	err := wait.PollUntilContextTimeout(context.Background(), interval, timeout, true, func(ctx context.Context) (bool, error) {
+		res, err := c.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx,
test/extended/util/resource_op.go (1)

124-132: Use the input length when preallocating the new slice

The helper always allocates capacity 10, forcing extra allocations for larger inputs. Size it to the source slice instead.

-	var newStringsSlice = make([]string, 0, 10)
+	newStringsSlice := make([]string, 0, len(stringsSlice))
test/extended/util/assert.go (1)

36-36: Fix typo in comment.

"ane error" should be "an error".

test/extended/util/template.go (2)

69-81: Eliminate code duplication in resource operations.

The namespace handling logic is duplicated across create and apply branches. Extract the common pattern to reduce duplication.

Apply this diff:

 	var resourceErr error
+	operation := "create"
 	if create {
-		if namespace != "" {
-			resourceErr = oc.AsAdmin().WithoutNamespace().Run("create").Args("-f", configFile, "-n", namespace).Execute()
-		} else {
-			resourceErr = oc.AsAdmin().WithoutNamespace().Run("create").Args("-f", configFile).Execute()
-		}
+		operation = "create"
 	} else {
-		if namespace != "" {
-			resourceErr = oc.AsAdmin().WithoutNamespace().Run("apply").Args("-f", configFile, "-n", namespace).Execute()
-		} else {
-			resourceErr = oc.AsAdmin().WithoutNamespace().Run("apply").Args("-f", configFile).Execute()
-		}
+		operation = "apply"
+	}
+	args := []string{"-f", configFile}
+	if namespace != "" {
+		args = append(args, "-n", namespace)
 	}
+	resourceErr = oc.AsAdmin().WithoutNamespace().Run(operation).Args(args...).Execute()

47-88: Consider cleanup of generated config files.

The function generates temporary config files (line 50) but never cleans them up. While this might be acceptable for test environments, consider adding cleanup logic or documenting that callers are responsible for cleanup.

test/extended/util/pods.go (1)

105-105: Consider extracting the complex jsonpath template to a constant.

The jsonpath template on line 105 is long and complex, making the code harder to read. Extracting it to a package-level constant with a descriptive name would improve maintainability.

For example:

const podReadyStatusTemplate = "'{{- range .items -}}{{- range .status.conditions -}}{{- if ne .reason \"PodCompleted\" -}}{{- if eq .type \"Ready\" -}}{{- .status}} {{\" \"}}{{- end -}}{{- end -}}{{- end -}}{{- end -}}'"

Then use template := podReadyStatusTemplate on line 105.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 6b2a50f and 8568377.

⛔ Files ignored due to path filters (278)
  • go.sum is excluded by !**/*.sum
  • vendor/github.com/JeffAshton/win_pdh/AUTHORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/JeffAshton/win_pdh/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/JeffAshton/win_pdh/README.mdown is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/JeffAshton/win_pdh/pdh.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/.gitattributes is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/CODEOWNERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/SECURITY.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/backup.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/ea.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/file.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/fileinfo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/hvsock.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/fs/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/fs/fs.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/fs/security.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/fs/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/socket/rawaddr.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/socket/socket.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/socket/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/internal/stringbuffer/wstring.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pipe.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pkg/guid/guid_nonwindows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pkg/guid/guid_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/pkg/guid/variant_string.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/privilege.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/reparse.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/sd.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/syscall.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/go-winio/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/.gitattributes is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/CODEOWNERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/SECURITY.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/hns_v1.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/hnsaccelnet.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/hnsglobals.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/hnssupport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hns.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsaccelnet.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsendpoint.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnserrors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsfuncs.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsglobals.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnsnetwork.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnspolicy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnspolicylist.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/hnssupport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/namespace.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/hns/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/interop/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/interop/interop.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Microsoft/hnslib/internal/interop/zsyscall_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/armon/circbuf/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/armon/circbuf/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/armon/circbuf/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/armon/circbuf/circbuf.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/container-storage-interface/spec/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/container-storage-interface/spec/lib/go/csi/csi.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/containers.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/containers.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/containers_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/containers_ttrpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/containers/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/tasks.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/tasks.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/tasks_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/tasks/v1/tasks_ttrpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/version.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/version.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/version_grpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/services/version/v1/version_ttrpc.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/descriptor.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/descriptor.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/event.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/event.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/fieldpath.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/fieldpath.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/introspection.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/introspection.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/metrics.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/metrics.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/mount.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/mount.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/platform.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/platform.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/platform_helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/sandbox.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/sandbox.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/task/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/task/task.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/containerd/api/types/task/task.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/pkg/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/pkg/errgrpc/grpc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/pkg/internal/cause/cause.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/pkg/internal/types/collapsible.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/errdefs/resolve.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/log/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/log/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/log/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/log/context.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/.gitattributes is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/PROTOCOL.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/Protobuild.toml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/channel.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/codec.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/handshake.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/interceptor.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/metadata.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/request.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/request.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/server.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/services.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/stream.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/stream_server.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/test.proto is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/ttrpc/unixcreds_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/containerd/typeurl/v2/types_gogo.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/dbus.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/methods.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/properties.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/set.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/subscription.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/coreos/go-systemd/v22/dbus/subscription_set.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/VERSION is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/join.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/open_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/openat_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/cyphar/filepath-securejoin/vfs.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/.gitattributes is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/.golangci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/CODE-OF-CONDUCT.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/GOVERNANCE.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/MAINTAINERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/Makefile is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/SECURITY.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/distribution-logo.svg is excluded by !**/*.svg, !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/normalize.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/reference.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/regexp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/distribution/reference/sort.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/MAINTAINERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/circle.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/duration.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/size.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/docker/go-units/ulimit.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/euank/go-kmsg-parser/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/euank/go-kmsg-parser/kmsgparser/kmsgparser.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/euank/go-kmsg-parser/kmsgparser/log.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/MAINTAINERS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/auth.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/auth_anonymous.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/auth_external.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/auth_sha1.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/call.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn_darwin.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn_other.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/conn_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/dbus.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/decoder.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/default_handler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/encoder.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/escape.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/export.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/homedir.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/match.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/message.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/object.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/sequence.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/sequential_handler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/server_interfaces.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/sig.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_darwin.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_generic.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_nonce_tcp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_tcp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_dragonfly.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_freebsd.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_netbsd.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_unixcred_openbsd.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/transport_zos.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/variant.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/variant_lexer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/godbus/dbus/v5/variant_parser.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/protoc-gen-go/descriptor/descriptor.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/golang/protobuf/ptypes/wrappers/wrappers.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/AUTHORS is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/cache/memory/memory.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/collector_manager.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/config.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/fakes.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/generic_collector.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/prometheus_collector.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/types.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/collector/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/common/container_hints.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/common/fsHandler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/common/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/common/inotify_watcher.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/container.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/containers/containers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/factory.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/grpc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/handler.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/identifiers/validate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/install/install.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/namespaces/context.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/namespaces/grpc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/namespaces/store.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/namespaces/ttrpc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer_unix.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/pkg/dialer/dialer_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/containerd/plugin.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/crio/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/google/cadvisor/container/crio/factory.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (19)
  • go.mod (7 hunks)
  • test/extended/ckao.go (1 hunks)
  • test/extended/main.go (0 hunks)
  • test/extended/util/assert.go (1 hunks)
  • test/extended/util/client.go (1 hunks)
  • test/extended/util/clusters.go (1 hunks)
  • test/extended/util/framework.go (1 hunks)
  • test/extended/util/gomega_helpers.go (1 hunks)
  • test/extended/util/gwrapper.go (1 hunks)
  • test/extended/util/logext/log.go (1 hunks)
  • test/extended/util/nodes.go (1 hunks)
  • test/extended/util/oc_copy.go (1 hunks)
  • test/extended/util/pods.go (1 hunks)
  • test/extended/util/provider/config.go (1 hunks)
  • test/extended/util/provider/provider.go (1 hunks)
  • test/extended/util/resource_op.go (1 hunks)
  • test/extended/util/sar.go (1 hunks)
  • test/extended/util/template.go (1 hunks)
  • test/extended/util/test.go (1 hunks)
💤 Files with no reviewable changes (1)
  • test/extended/main.go
🚧 Files skipped from review as they are similar to previous changes (7)
  • test/extended/util/clusters.go
  • test/extended/ckao.go
  • test/extended/util/nodes.go
  • test/extended/util/oc_copy.go
  • test/extended/util/test.go
  • test/extended/util/provider/config.go
  • test/extended/util/client.go
🧰 Additional context used
🪛 OSV Scanner (2.2.3)
go.mod

[HIGH] 135-135: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful 0.42.0: Memory exhaustion in go.opentelemetry.io/contrib/instrumentation

(GO-2023-2113)

[HIGH] 135-135: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful 0.42.0: OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics

(GHSA-rcjv-mgp8-qvmr)

🔇 Additional comments (6)
test/extended/util/provider/provider.go (3)

1-17: LGTM!

Package declaration, imports, and constant definition are appropriate. The blank import ensures cloud provider initialization at vendor time.

19-24: LGTM!

The empty environment variable handling is correct, allowing the e2e framework to default to the skeleton provider.

25-33: LGTM!

The validation logic correctly handles both JSON and plain provider names, with appropriate fallback to known providers from the e2e framework.

test/extended/util/framework.go (1)

58-61: LGTM!

Clean helper function that returns the KUBECONFIG environment variable. The comment explaining why Gomega isn't used is helpful.

test/extended/util/pods.go (1)

26-31: LGTM!

The Create method correctly orchestrates pod creation by building template parameters, delegating to the template helper, and waiting for readiness. The hardcoded NAME parameter requirement is clearly documented in the comment.

test/extended/util/template.go (1)

60-64: Fix inconsistent error handling logic.

When returnError is true, the function should return the error immediately without calling AssertWaitPollNoErr (which would fail the test). Currently, line 64 calls AssertWaitPollNoErr even after line 62 returns the error, making the return statement unreachable when an error occurs.

Apply this diff to fix the inconsistency at both error handling sites (lines 60-64 and 82-86):

-	if returnError && err != nil {
-		e2e.Logf("fail to process %v", parameters)
-		return err
-	}
-	AssertWaitPollNoErr(err, fmt.Sprintf("fail to process %v", parameters))
+	if err != nil {
+		if returnError {
+			e2e.Logf("fail to process %v", parameters)
+			return err
+		}
+		AssertWaitPollNoErr(err, fmt.Sprintf("fail to process %v", parameters))
+	}

Apply the same pattern at lines 82-86 for the resource creation error handling.

Likely an incorrect or invalid review comment.

Comment thread test/extended/util/assert.go Outdated
Comment on lines +26 to +28
if errors.Is(e, context.DeadlineExceeded) ||
strings.Compare(e.Error(), "timed out waiting for the condition") == 0 ||
strings.Compare(e.Error(), "context deadline exceeded") == 0 {
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Replace fragile string comparisons with error type checks.

Line 27 uses string comparison to detect timeout errors, which is brittle if error message formatting changes. The errors.Is check on line 26 is correct, but the string comparisons on lines 27-28 should be replaced with proper error type checking or removed since line 26 already handles context.DeadlineExceeded.

Apply this diff:

 	var err error
-	if errors.Is(e, context.DeadlineExceeded) ||
-		strings.Compare(e.Error(), "timed out waiting for the condition") == 0 ||
-		strings.Compare(e.Error(), "context deadline exceeded") == 0 {
+	if errors.Is(e, context.DeadlineExceeded) ||
+		errors.Is(e, wait.ErrWaitTimeout) {
 		err = fmt.Errorf("case: %v\nerror: %s", g.CurrentSpecReport().FullText(), msg)
 	} else {

If wait.ErrWaitTimeout is not exported, check the k8s.io/apimachinery/pkg/util/wait package for the appropriate sentinel error.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if errors.Is(e, context.DeadlineExceeded) ||
strings.Compare(e.Error(), "timed out waiting for the condition") == 0 ||
strings.Compare(e.Error(), "context deadline exceeded") == 0 {
var err error
- if errors.Is(e, context.DeadlineExceeded) ||
- strings.Compare(e.Error(), "timed out waiting for the condition") == 0 ||
if errors.Is(e, context.DeadlineExceeded) ||
errors.Is(e, wait.ErrWaitTimeout) {
err = fmt.Errorf("case: %v\nerror: %s", g.CurrentSpecReport().FullText(), msg)
} else {
🤖 Prompt for AI Agents 
In test/extended/util/assert.go around lines 26 to 28, the code uses fragile
string comparisons to detect timeout errors; replace those comparisons with a
proper sentinel error check by adding errors.Is(e, wait.ErrWaitTimeout) (and
keep the existing errors.Is(e, context.DeadlineExceeded) check), and add the
import for "k8s.io/apimachinery/pkg/util/wait" if not present; if
wait.ErrWaitTimeout is unavailable, simply remove the string comparisons so only
errors.Is(e, context.DeadlineExceeded) is used.

Comment thread test/extended/util/assert.go Outdated
Comment on lines +40 to +50
func OrFail[T any](vals ...any) T {

for _, val := range vals {
err, ok := val.(error)
if ok {
o.ExpectWithOffset(1, err).NotTo(o.HaveOccurred())
}
}

return vals[0].(T)
}
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Add safety checks to prevent panics.

The OrFail function has two critical issues:

  1. Line 49 performs an unsafe type assertion that will panic if vals[0] cannot be cast to type T
  2. No check for empty vals slice, which will panic on line 49

Apply this diff:

 func OrFail[T any](vals ...any) T {
+	o.ExpectWithOffset(1, vals).NotTo(o.BeEmpty(), "OrFail called with no values")
 
 	for _, val := range vals {
 		err, ok := val.(error)
 		if ok {
 			o.ExpectWithOffset(1, err).NotTo(o.HaveOccurred())
 		}
 	}
 
-	return vals[0].(T)
+	result, ok := vals[0].(T)
+	o.ExpectWithOffset(1, ok).To(o.BeTrue(), "OrFail: first value cannot be cast to expected type")
+	return result
 }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
func OrFail[T any](vals ...any) T {
for _, val := range vals {
err, ok := val.(error)
if ok {
o.ExpectWithOffset(1, err).NotTo(o.HaveOccurred())
}
}
return vals[0].(T)
}
func OrFail[T any](vals ...any) T {
o.ExpectWithOffset(1, vals).NotTo(o.BeEmpty(), "OrFail called with no values")
for _, val := range vals {
err, ok := val.(error)
if ok {
o.ExpectWithOffset(1, err).NotTo(o.HaveOccurred())
}
}
result, ok := vals[0].(T)
o.ExpectWithOffset(1, ok).To(o.BeTrue(), "OrFail: first value cannot be cast to expected type")
return result
}

Comment thread test/extended/util/framework.go Outdated
Comment on lines +24 to +26
waitFn := func(_ context.Context) (bool, error) {
countOutput++
sc, err := c.Get(context.Background(), name, metav1.GetOptions{})
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Oct 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Use the context passed to the wait function.

Line 26 creates a new context.Background() inside the wait function, but the waitFn already receives a context parameter (line 24) that should be used instead. This ensures proper cancellation propagation and timeout handling.

Apply this diff:

-	waitFn := func(_ context.Context) (bool, error) {
+	waitFn := func(ctx context.Context) (bool, error) {
 		countOutput++
-		sc, err := c.Get(context.Background(), name, metav1.GetOptions{})
+		sc, err := c.Get(ctx, name, metav1.GetOptions{})
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
waitFn := func(_ context.Context) (bool, error) {
countOutput++
sc, err := c.Get(context.Background(), name, metav1.GetOptions{})
waitFn := func(ctx context.Context) (bool, error) {
countOutput++
sc, err := c.Get(ctx, name, metav1.GetOptions{})
🤖 Prompt for AI Agents 
In test/extended/util/framework.go around lines 24 to 26, the waitFn is creating
a new context with context.Background() instead of using the ctx parameter
passed into the function; replace the call to c.Get(context.Background(), ...)
with c.Get(ctx, ...) so cancellation and timeouts propagate correctly from the
caller to the Get call.

@wangke19
Copy link
Copy Markdown
Contributor Author

wangke19 commented Oct 11, 2025

/test k8s-e2e-gcp

@wangke19
Copy link
Copy Markdown
Contributor Author

wangke19 commented Oct 11, 2025

/test e2e-aws-ovn

@wangke19 wangke19 changed the title [WIP]Add test for ocpbugs-60628 Add automated e2e test for cert rotation sidecar behavior (OCPBUGS-60628) Dec 15, 2025
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 15, 2025
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 15, 2025
coderabbitai[bot]
coderabbitai Bot reviewed Dec 15, 2025
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (2)
test/e2e/cert_rotation_sidecar_test.go (2)

139-140: Annotation existence check should use comma-ok idiom.

Checking ann["key"] != "" differs from checking if the key exists. If the annotation exists with an empty value, this would incorrectly report false.

-		hasComponent := ann["auth.openshift.io/component"] != ""
-		hasDescription := ann["auth.openshift.io/description"] != ""
+		_, hasComponent := ann["auth.openshift.io/component"]
+		_, hasDescription := ann["auth.openshift.io/description"]

253-268: Consider using json.Marshal for safer JSON construction.

Building JSON via string concatenation is fragile and could break with special characters in annotation keys/values. While it works for the current hardcoded annotations, using encoding/json would be more robust.

import "encoding/json"

func patchAnnotationsOnSecret(t *testing.T, ctx context.Context, kubeClient *kubernetes.Clientset, namespace, name string, annotations map[string]*string) {
	patchData := map[string]interface{}{
		"metadata": map[string]interface{}{
			"annotations": annotations,
		},
	}
	patch, err := json.Marshal(patchData)
	require.NoError(t, err)

	_, err = kubeClient.CoreV1().Secrets(namespace).Patch(ctx, name, types.MergePatchType, patch, metav1.PatchOptions{})
	require.NoError(t, err)
}
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 8568377 and a1a578b.

📒 Files selected for processing (1)
  • test/e2e/cert_rotation_sidecar_test.go (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • test/e2e/cert_rotation_sidecar_test.go
🧬 Code graph analysis (1)
test/e2e/cert_rotation_sidecar_test.go (1)
test/library/client.go (1)
  • NewClientConfigForTest (12-20)
🔇 Additional comments (2)
test/e2e/cert_rotation_sidecar_test.go (2)

154-197: LGTM!

The logic correctly waits for the sidecar to rotate the certificate when the not-after annotation indicates expiry.

199-217: LGTM!

The CVO pause/resume pattern is appropriate. Using require.NoError for pause and a warning log for resume cleanup is correct behavior.

Comment thread test/e2e/cert_rotation_sidecar_test.go Outdated
Comment on lines +96 to +115
err = wait.PollImmediate(10*time.Second, 2*time.Minute, func() (bool, error) {
s, err := kubeClient.CoreV1().Secrets(targetNamespace).Get(ctx, secretName, metav1.GetOptions{})
if err != nil {
return false, err
}

ann := s.Annotations
_, hasComponent := ann["auth.openshift.io/component"]
_, hasDescription := ann["auth.openshift.io/description"]
dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])

// If annotations are present or cert changed, fail
if hasComponent || hasDescription || dataNow != dataBefore {
return false, fmt.Errorf("unexpected change: hasComponent=%v, hasDescription=%v, certChanged=%v",
hasComponent, hasDescription, dataNow != dataBefore)
}

return true, nil
})
require.NoError(t, err, "annotations should not be re-added and cert should not rotate when operator is down")
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Logic bug: Poll succeeds immediately without verifying persistence over time.

The poll returns true, nil on the first check when annotations are absent and cert is unchanged. Since annotations were just removed, this condition is immediately true, and the poll succeeds without actually verifying that the sidecar doesn't restore them over time.

To test that annotations remain removed, consider one of these approaches:

  1. Use a time.Sleep to wait a reasonable period, then check once
  2. Invert the poll logic to wait for the undesired state and treat timeout as success

Example fix using approach 2 (timeout-as-success):

-	// Verify that annotations are not re-added and cert is not rotated
-	err = wait.PollImmediate(10*time.Second, 2*time.Minute, func() (bool, error) {
+	// Wait and verify annotations are not re-added and cert is not rotated
+	// We expect this poll to timeout (which indicates success - no changes occurred)
+	err = wait.PollImmediate(10*time.Second, 2*time.Minute, func() (bool, error) {
 		s, err := kubeClient.CoreV1().Secrets(targetNamespace).Get(ctx, secretName, metav1.GetOptions{})
 		if err != nil {
 			return false, err
 		}

 		ann := s.Annotations
 		_, hasComponent := ann["auth.openshift.io/component"]
 		_, hasDescription := ann["auth.openshift.io/description"]
 		dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])

-		// If annotations are present or cert changed, fail
+		// If annotations are present or cert changed, fail immediately
 		if hasComponent || hasDescription || dataNow != dataBefore {
 			return false, fmt.Errorf("unexpected change: hasComponent=%v, hasDescription=%v, certChanged=%v",
 				hasComponent, hasDescription, dataNow != dataBefore)
 		}

-		return true, nil
+		// Keep polling - we want to verify state remains unchanged
+		return false, nil
 	})
-	require.NoError(t, err, "annotations should not be re-added and cert should not rotate when operator is down")
+	// Timeout is expected (means no changes occurred during the wait period)
+	if err != nil && !wait.Interrupted(err) {
+		require.NoError(t, err, "annotations should not be re-added and cert should not rotate when operator is down")
+	}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
err = wait.PollImmediate(10*time.Second, 2*time.Minute, func() (bool, error) {
s, err := kubeClient.CoreV1().Secrets(targetNamespace).Get(ctx, secretName, metav1.GetOptions{})
if err != nil {
return false, err
}
ann := s.Annotations
_, hasComponent := ann["auth.openshift.io/component"]
_, hasDescription := ann["auth.openshift.io/description"]
dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])
// If annotations are present or cert changed, fail
if hasComponent || hasDescription || dataNow != dataBefore {
return false, fmt.Errorf("unexpected change: hasComponent=%v, hasDescription=%v, certChanged=%v",
hasComponent, hasDescription, dataNow != dataBefore)
}
return true, nil
})
require.NoError(t, err, "annotations should not be re-added and cert should not rotate when operator is down")
err = wait.PollImmediate(10*time.Second, 2*time.Minute, func() (bool, error) {
s, err := kubeClient.CoreV1().Secrets(targetNamespace).Get(ctx, secretName, metav1.GetOptions{})
if err != nil {
return false, err
}
ann := s.Annotations
_, hasComponent := ann["auth.openshift.io/component"]
_, hasDescription := ann["auth.openshift.io/description"]
dataNow := base64.StdEncoding.EncodeToString(s.Data["tls.crt"])
// If annotations are present or cert changed, fail immediately
if hasComponent || hasDescription || dataNow != dataBefore {
return false, fmt.Errorf("unexpected change: hasComponent=%v, hasDescription=%v, certChanged=%v",
hasComponent, hasDescription, dataNow != dataBefore)
}
// Keep polling - we want to verify state remains unchanged over time
return false, nil
})
// Timeout is expected (means no changes occurred during the wait period)
if err != nil && err != wait.ErrWaitTimeout {
require.NoError(t, err, "annotations should not be re-added and cert should not rotate when operator is down")
}
🤖 Prompt for AI Agents 
In test/e2e/cert_rotation_sidecar_test.go around lines 96 to 115, the poll
currently returns success immediately when annotations are absent and cert
unchanged, so it doesn't verify persistence; change the polling to wait for the
undesired state instead and treat a timeout as success: implement the poll
callback to return true (stop) if hasComponent || hasDescription || cert changed
(i.e., the sidecar restored annotations or rotated the cert) and return
false,nil otherwise; after wait.PollImmediate completes, assert that the
returned error is a timeout error (meaning the undesired state never appeared)
and treat that as success, failing the test only if the poll found the undesired
state within the timeout.

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 15, 2025
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 15, 2025
@wangke19 wangke19 changed the title Add automated e2e test for cert rotation sidecar behavior (OCPBUGS-60628) [WIP]Add automated e2e test for cert rotation sidecar behavior (OCPBUGS-60628) Dec 15, 2025
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 15, 2025
coderabbitai[bot]
coderabbitai Bot reviewed Dec 15, 2025
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

♻️ Duplicate comments (1)
test/e2e/cert_rotation_sidecar_test.go (1)

96-115: Logic bug: Poll succeeds immediately without verifying persistence.

The poll returns true, nil on the first successful check when annotations are absent and cert is unchanged. Since annotations were just removed, this passes immediately without verifying that the sidecar doesn't restore them over time.

The fix from the previous review should be applied: invert the poll to wait for the undesired state and treat timeout as success.

🧹 Nitpick comments (2)
test/e2e/cert_rotation_sidecar_test.go (2)

184-192: Consider simplifying the rotation check.

The notAfter == "" check on line 184 is potentially confusing since you just set not-after to a past date. The actual indicator of successful rotation is the cert data change. Consider whether this check is necessary or if it could be clarified with a comment explaining what state you're expecting (e.g., waiting for the sidecar to update the annotation with the new cert's expiry).

250-272: Consider using json.Marshal for safer JSON construction.

The manual JSON string building works for this use case but is fragile if annotation keys or values contain special characters. Using json.Marshal would be safer.

+import "encoding/json"
+
 // patchAnnotationsOnSecret patches annotations on a Secret.
 // Pass nil values in the map to remove annotations.
 func patchAnnotationsOnSecret(t *testing.T, ctx context.Context, kubeClient *kubernetes.Clientset, namespace, name string, annotations map[string]*string) {
-	patch := `{"metadata":{"annotations":{`
-	first := true
-
-	for k, v := range annotations {
-		if !first {
-			patch += ","
-		}
-		if v == nil {
-			patch += fmt.Sprintf("%q:null", k)
-		} else {
-			patch += fmt.Sprintf("%q:%q", k, *v)
-		}
-		first = false
-	}
-
-	patch += "}}}"
-
-	_, err := kubeClient.CoreV1().Secrets(namespace).Patch(ctx, name, types.MergePatchType, []byte(patch), metav1.PatchOptions{})
+	patchData := map[string]interface{}{
+		"metadata": map[string]interface{}{
+			"annotations": annotations,
+		},
+	}
+	patch, err := json.Marshal(patchData)
+	require.NoError(t, err)
+
+	_, err = kubeClient.CoreV1().Secrets(namespace).Patch(ctx, name, types.MergePatchType, patch, metav1.PatchOptions{})
 	require.NoError(t, err)
 }
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between a1a578b and 6427d20.

📒 Files selected for processing (1)
  • test/e2e/cert_rotation_sidecar_test.go (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • test/e2e/cert_rotation_sidecar_test.go
🧬 Code graph analysis (1)
test/e2e/cert_rotation_sidecar_test.go (1)
test/library/client.go (1)
  • NewClientConfigForTest (12-20)
🔇 Additional comments (5)
test/e2e/cert_rotation_sidecar_test.go (5)

1-30: LGTM!

The imports are appropriate for the e2e test, and the constants are well-organized and clearly named.

32-74: LGTM!

The test structure is well-organized with proper CVO lifecycle management. The defer pattern ensures cleanup happens even if tests fail.

118-152: LGTM!

The polling logic correctly waits for the operator to restore metadata while verifying the certificate remains unchanged.

199-217: LGTM!

The CVO pause/resume helpers correctly manage the operator lifecycle with appropriate override patches. The asymmetric error handling (fail on pause, warn on resume) is reasonable for cleanup scenarios.

219-248: LGTM!

The deployment scaling helper correctly patches replicas and waits for both the spec and ready replica count to match the expected value.

@openshift-ci openshift-ci Bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 17, 2025
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 22, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 22, 2025
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 22, 2025
@wangke19
Copy link
Copy Markdown
Contributor Author

wangke19 commented Dec 23, 2025

/retest

@wangke19
Add automated e2e test for cert rotation sidecar behavior (OCPBUGS-60…
6fdf035 
…628)

This commit adds a new automated e2e test that validates the cert rotation
sidecar behavior when certificates expire and the operator is scaled down.

Test Scenarios:
- Scenario A: When operator is down, sidecar should not restore metadata annotations
- Scenario B: When operator is up, metadata is restored without cert rotation
- Scenario C: When operator is down and cert expires, sidecar rotates the certificate

The test follows the OTE (OpenShift Tests Extension) framework pattern used
in test/e2e/, using standard Go testing with testify/require for assertions.

Changes:
- Add test/e2e/cert_rotation_sidecar_test.go: New automated test for OCPBUGS-60628
- Remove test/extended/ckao.go: Prototype/draft test code

Related: OCPBUGS-60628

Migrate cert rotation sidecar test to OTE framework

Convert test/e2e/cert_rotation_sidecar_test.go to Ginkgo format
for OpenShift Tests Extension (OTE) compatibility.

Changes:
- Rename cert_rotation_sidecar_test.go -> cert_rotation_sidecar.go
  (non-test file required for OTE test discovery)
- Convert from standard Go testing to Ginkgo/Gomega
- Add [Operator][Serial] labels for suite filtering
- Create dependencymagnet.go to register test package
- Fix deployment name (kube-apiserver-operator)
- Update test logic:
  - Test 1: Verify metadata not restored when operator down
  - Test 2: Verify metadata restored when operator up
  - Test 3: Verify cert rotation on expiry by sidecar
- Use auth.openshift.io/certificate-not-after for cert expiry

Tests can be executed with:
./cluster-kube-apiserver-operator-tests-ext run-suite \
  openshift/cluster-kube-apiserver-operator/operator/serial -c 1

Related: OCPBUGS-60628

Fix cert rotation sidecar test annotation keys

Use correct annotation keys that match the cert rotation controller:
- openshift.io/owning-component (not auth.openshift.io/component)
- openshift.io/description (not auth.openshift.io/description)

This fixes test timeout issues where annotations were never restored
because the test was checking for non-existent annotation keys.

Test results:
- Before: Test 2 timed out after 3 minutes
- After: Test 2 passes in 21 seconds

Related: OCPBUGS-60628
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Dec 25, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: wangke19
Once this PR has been reviewed and has the lgtm label, please assign sanchezl for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 25, 2025
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 23, 2026
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Mar 23, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Apr 7, 2026

@wangke19: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-operator-disruptive-single-node 6b2a50f link false /test e2e-aws-operator-disruptive-single-node
ci/prow/e2e-aws-ovn-single-node 6b2a50f link false /test e2e-aws-ovn-single-node
ci/prow/e2e-azure-ovn 6b2a50f link false /test e2e-azure-ovn
ci/prow/e2e-gcp-operator-single-node 6b2a50f link false /test e2e-gcp-operator-single-node
ci/prow/okd-scos-e2e-aws-ovn 8568377 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-gcp-operator-encryption-rotation-aesgcm 6e4dc97 link false /test e2e-gcp-operator-encryption-rotation-aesgcm
ci/prow/e2e-gcp-operator-encryption-aescbc 6e4dc97 link false /test e2e-gcp-operator-encryption-aescbc
ci/prow/e2e-gcp-operator-encryption-rotation-single-node 6e4dc97 link false /test e2e-gcp-operator-encryption-rotation-single-node
ci/prow/e2e-gcp-operator-encryption-single-node 6e4dc97 link false /test e2e-gcp-operator-encryption-single-node
ci/prow/e2e-gcp-operator-encryption-perf-aesgcm 6e4dc97 link false /test e2e-gcp-operator-encryption-perf-aesgcm
ci/prow/e2e-gcp-operator-encryption-perf-aescbc 6e4dc97 link false /test e2e-gcp-operator-encryption-perf-aescbc
ci/prow/e2e-gcp-operator-encryption-perf-single-node 6e4dc97 link false /test e2e-gcp-operator-encryption-perf-single-node
ci/prow/e2e-gcp-operator-encryption-aesgcm 6e4dc97 link false /test e2e-gcp-operator-encryption-aesgcm
ci/prow/e2e-gcp-operator-encryption-rotation-aescbc 6e4dc97 link false /test e2e-gcp-operator-encryption-rotation-aescbc
ci/prow/e2e-gcp-operator-serial-ote 6fdf035 link false /test e2e-gcp-operator-serial-ote
ci/prow/okd-scos-images 6fdf035 link true /test okd-scos-images
ci/prow/periodics-images 6fdf035 link true /test periodics-images
ci/prow/e2e-gcp-operator 6fdf035 link true /test e2e-gcp-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@benluddy benluddy Awaiting requested review from benluddy

@deads2k deads2k Awaiting requested review from deads2k

Assignees

No one assigned

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wangke19 @openshift-merge-robot