OCPBUGS-69758:CNTRLPLANE-2222:Migrate go test cert-rotation-tests.go to OTE by gangwgr · Pull Request #1983 · openshift/cluster-kube-apiserver-operator

gangwgr · 2025-12-12T06:27:35Z

CNTRLPLANE-2222:Migrate go test cert-rotation-tests.go to OTE

coderabbitai · 2025-12-12T06:27:45Z

Walkthrough

Adds a new Ginkgo-based E2E test file for kube-apiserver certificate rotation, refactors two existing tests to call shared helpers, promotes Ginkgo to a direct go.mod dependency, adds a dependency-magnet program to register tests, and inserts a migration comment in an existing test.

Changes

Cohort / File(s)	Summary
New Ginkgo E2E tests `test/e2e/certrotation.go`	New Ginkgo-based end-to-end tests implementing TestCertRotationTimeUpgradeable and TestCertRotationStompOnBadType with client initialization, polling, assertions, and cleanup.
Test delegations / refactor `test/e2e/certrotation_test.go`	Existing public `TestCertRotationTimeUpgradeable` and `TestCertRotationStompOnBadType` now delegate to shared helpers (`testCertRotationTimeUpgradeable(t)`, `testCertRotationStompOnBadType(t)`); imports reduced to `testing`.
Dependency / build registration `go.mod`, `cmd/cluster-kube-apiserver-operator-tests-ext/dependencymagnet.go`	`github.com/onsi/ginkgo/v2` added as a direct require in `go.mod`. New `dependencymagnet.go` blank-imports test package(s) to ensure test registration with the Ginkgo-based test framework.
Minor test comment `test/e2e/bound_sa_token_test.go`	Single comment added indicating intended migration to the OTE Ginkgo framework.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Review test/e2e/certrotation.go for correct polling intervals, timeouts, error handling, and cleanup of created ConfigMap/Secret.
Confirm the delegated helper functions referenced by test/e2e/certrotation_test.go are present and preserve previous test semantics.
Validate dependencymagnet.go blank-import path correctness and that the go.mod Ginkgo dependency aligns with project dependency management.

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between d7f1c7c and 01fae25.

📒 Files selected for processing (1)

go.mod (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

go.mod

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (3)

test/e2e/certrotation.go (3)
67-69: Redundant ConfigMap deletion.

The ConfigMap is explicitly deleted at line 96, making this deferred delete redundant. The defer will execute after the explicit delete and silently fail (or succeed if the test fails early). Consider removing either the explicit delete or adjusting the defer to only clean up on test failure.
 	defer func() {
-		kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Delete(context.TODO(), "unsupported-cert-rotation-config", metav1.DeleteOptions{})
+		// Cleanup in case test fails before explicit deletion
+		_ = kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Delete(context.TODO(), "unsupported-cert-rotation-config", metav1.DeleteOptions{})
 	}()
71-92: Short polling timeout may cause flakiness.

The 5-second timeout for operator condition propagation may be insufficient in slower cluster environments. Consider increasing the timeout (e.g., 30-60 seconds) to reduce flakiness, as operator reconciliation loops and condition updates can take longer under load.
-	err = wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
+	err = wait.PollImmediate(1*time.Second, 30*time.Second, func() (bool, error) {
The same applies to the second poll at line 99.

128-140: Clarify the intentional use of invalid secret type.

The string "SecretTypeTLS" (line 135) differs from corev1.SecretTypeTLS ("kubernetes.io/tls"). This appears intentional to test that the operator corrects an invalid secret type, but a brief comment would improve readability.
 		if _, err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Create(context.TODO(), &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.OperatorNamespace, Name: "aggregator-client-signer"},
-			Type:       "SecretTypeTLS",
+			Type:       "SecretTypeTLS", // Intentionally invalid type; operator should correct to corev1.SecretTypeTLS
 		}, metav1.CreateOptions{}); err != nil {

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 2c58d2f and ceefaff.

📒 Files selected for processing (4)

cmd/cluster-kube-apiserver-operator-tests-ext/main.go (1 hunks)
pkg/operator/starter.go (1 hunks)
test/e2e/certrotation.go (1 hunks)
test/e2e/certrotation_test.go (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

pkg/operator/starter.go
cmd/cluster-kube-apiserver-operator-tests-ext/main.go
test/e2e/certrotation.go
test/e2e/certrotation_test.go

🧬 Code graph analysis (1)

test/e2e/certrotation.go (3)

test/library/client.go (1)

NewClientConfigForTest (12-20)

pkg/operator/starter.go (2)

ExtractStaticPodOperatorSpec (694-707)

ExtractStaticPodOperatorStatus (709-723)

pkg/operator/operatorclient/interfaces.go (2)

GlobalUserSpecifiedConfigNamespace (4-4)

OperatorNamespace (6-6)

🔇 Additional comments (4)

cmd/cluster-kube-apiserver-operator-tests-ext/main.go (1)

22-23: LGTM!

The blank import correctly registers the Ginkgo tests from the test/e2e package with the OTE framework. The comment appropriately documents the intent.

test/e2e/certrotation.go (1)

32-39: LGTM!

The Ginkgo test suite is correctly structured with [Operator][Serial] tags that match the suite qualifiers defined in main.go. Using g.GinkgoTB() allows the helper functions to work with both Ginkgo and standard Go testing.

test/e2e/certrotation_test.go (1)

3-11: LGTM!

Clean refactor that delegates to shared helper functions, enabling tests to run both via standard go test and through the Ginkgo framework. This maintains backward compatibility while supporting the new OTE integration.

pkg/operator/starter.go (1)

132-134: LGTM - Cluster-scoped informer fix.

The change correctly removes the empty namespace parameter to avoid unnecessary cluster-wide namespace watching. The clusterInformers.InformersFor("") calls (lines 309, 327, 471-472) properly retrieve cluster-scoped informers for resources like Nodes, while kubeInformersForNamespaces (initialized with specific namespaces on line 122) handles namespace-scoped resources.

coderabbitai

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/e2e/certrotation.go (1)
135-135: Clarify the intentionally invalid secret type.

Line 135 uses the string literal "SecretTypeTLS" instead of the constant corev1.SecretTypeTLS (which equals "kubernetes.io/tls"). Given the test name "StompOnBadType" and the subsequent check at line 151 for corev1.SecretTypeTLS, this appears intentional—testing that the operator corrects an invalid secret type.

However, "SecretTypeTLS" is misleadingly similar to the constant name. Consider using a more obviously invalid type (e.g., "bad-type" or "invalid-secret-type") and adding a comment explaining the test verifies the operator corrects incorrectly-typed secrets.
-		if _, err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Create(context.TODO(), &corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.OperatorNamespace, Name: "aggregator-client-signer"},
-			Type:       "SecretTypeTLS",
+		// Create secret with invalid type to test operator correction behavior
+		if _, err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Create(context.TODO(), &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.OperatorNamespace, Name: "aggregator-client-signer"},
+			Type:       "bad-type", // Intentionally invalid; operator should correct to corev1.SecretTypeTLS

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between ceefaff and 814d6df.

📒 Files selected for processing (2)

test/e2e/certrotation.go (1 hunks)
test/e2e/certrotation_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

test/e2e/certrotation_test.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

test/e2e/certrotation.go

🔇 Additional comments (2)

test/e2e/certrotation.go (2)

1-39: LGTM! Clean test structure.

The Ginkgo test registration properly delegates to helper functions, and the [Serial] tag is appropriate for end-to-end tests that modify cluster state.

10-27: No issues found. All imported libraries are properly versioned and compatible. The k8s.io packages (v0.32.1) are aligned, and the OpenShift libraries use appropriate commit-based versioning for active development. The imports themselves are standard and well-established.

coderabbitai · 2025-12-12T07:04:29Z

+	err = wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
+		_, operatorStatus, _, err := operatorClient.GetStaticPodOperatorStateWithQuorum(ctx)
+		if err != nil {
+			return false, err
+		}
+		clusteroperator, err := configClient.ClusterOperators().Get(context.TODO(), "kube-apiserver", metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+
+		certRotationCondition := v1helpers.FindOperatorCondition(operatorStatus.Conditions, "CertRotationTimeUpgradeable")
+		upgradeableCondition := configv1helpers.FindStatusCondition(clusteroperator.Status.Conditions, "Upgradeable")
+		if certRotationCondition == nil || upgradeableCondition == nil {
+			return false, fmt.Errorf("Couldn't find CertRotationTimeUpgradeable or Upgradeable condition")
+		}
+		if certRotationCondition.Status == operatorv1.ConditionFalse &&
+			upgradeableCondition.Status == configv1.ConditionFalse && strings.Contains(upgradeableCondition.Reason, "CertRotationTime") {
+			return true, nil
+		}
+		t.Logf("\nCertRotationTimeUpgradeable: %#v\nUpgradeable: %#v", certRotationCondition, upgradeableCondition)
+		return false, nil
+	})
+	require.NoError(t, err)


⚠️ Potential issue | 🟠 Major

Short timeout may cause test flakes in slower environments.

The 5-second timeout in both polling loops may be insufficient for end-to-end tests, especially in resource-constrained CI/CD environments where operator reconciliation can be slower. Consider increasing to at least 30-60 seconds to reduce flakiness.

Apply this diff to increase the timeouts:

- err = wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) { + err = wait.PollImmediate(1*time.Second, 30*time.Second, func() (bool, error) {

And similarly for the second polling loop:

- err = wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) { + err = wait.PollImmediate(1*time.Second, 30*time.Second, func() (bool, error) {

Additionally, the polling logic is duplicated between lines 71-92 and 99-119 with only minor differences in the conditions checked. Consider extracting a helper function to reduce duplication and improve maintainability.

Also applies to: 99-120

🤖 Prompt for AI Agents

In test/e2e/certrotation.go around lines 71 to 93, the polling timeout is only 5 seconds which is too short and causes flakes; increase the PollImmediate timeout/duration to a more robust value (e.g., use PollImmediate(1*time.Second, 30*time.Second) or 60s) for both polling loops and update any matching second loop (lines ~99-120). Also refactor the duplicated polling logic into a small helper function that accepts the context, operatorClient, configClient, logger, and a predicate that checks the two conditions so both places call the same helper to reduce duplication and improve maintainability.

coderabbitai

Actionable comments posted: 0

🧹 Nitpick comments (1)

go.mod (1)
40-41: Keep go.mod in canonical form (avoid standalone require unless intentional).
require github.com/onsi/ginkgo/v2 v2.21.0 is fine, but most repos standardize on a single require (...) block and rely on go mod tidy to avoid formatting churn across branches/Go versions. Consider folding this into the existing require ( block and ensuring go mod tidy is run.
 require (
   github.com/apparentlymart/go-cidr v1.0.1
   github.com/blang/semver/v4 v4.0.0
   ...
+  github.com/onsi/ginkgo/v2 v2.21.0
   sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96
 )
-
-require github.com/onsi/ginkgo/v2 v2.21.0

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 814d6df and 9b116cb.

⛔ Files ignored due to path filters (126)

go.sum is excluded by !**/*.sum
vendor/github.com/go-task/slim-sprig/v3/.editorconfig is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/.gitattributes is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/.gitignore is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/LICENSE.txt is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/Taskfile.yml is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/crypto.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/date.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/defaults.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/dict.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/doc.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/functions.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/list.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/network.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/numeric.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/reflect.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/regex.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/strings.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/go-task/slim-sprig/v3/url.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/.gitignore is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/LICENSE is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/Makefile is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/README.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/RELEASING.md is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/config/deprecated.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/core_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/decorator_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/deprecated_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/formatter/colorable_others.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/formatter/colorable_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/formatter/formatter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/build/build_command.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/command/abort.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/command/command.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/command/program.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/boostrap_templates.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/bootstrap_command.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_command.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generate_templates.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/generators/generators_common.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/compile.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/gocovmerge.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/profiles_and_reports.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/run.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/test_suite.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/utils.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/internal/verify_version.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/labels/labels_command.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/main.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/ginkgo.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/import.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/outline/outline_command.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/run/run_command.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/unfocus/unfocus_command.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/delta.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/delta_tracker.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/dependencies.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hash.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/package_hashes.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/suite.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo/watch/watch_command.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo_cli_dependencies.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/ginkgo_t_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/counter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/failer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/focus.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/global/init.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/group.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/interrupt_handler.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/sigquit_swallower_unix.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/interrupt_handler/sigquit_swallower_windows.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/node.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/ordering.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_unix.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_wasm.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/output_interceptor_win.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/client_server.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/http_server.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_client.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/rpc_server.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/parallel_support/server_handler.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/progress_report.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/progress_report_bsd.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/progress_report_unix.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/progress_report_wasm.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/progress_report_win.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/progress_reporter_manager.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/report_entry.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/spec.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/spec_context.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/suite.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/testingtproxy/testing_t_proxy.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/tree.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/internal/writer.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/default_reporter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/deprecated_reporter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/json_report.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/junit_report.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/reporter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporters/teamcity_report.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/reporting_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/table_dsl.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/code_location.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/config.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/deprecated_types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/deprecation_support.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/enum_support.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/errors.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/file_filter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/flags.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/label_filter.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/report_entry.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/types.go is excluded by !vendor/**, !**/vendor/**
vendor/github.com/onsi/ginkgo/v2/types/version.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/cover/profile.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !vendor/**, !**/vendor/**
vendor/golang.org/x/tools/go/ast/inspector/typeof.go is excluded by !vendor/**, !**/vendor/**
vendor/modules.txt is excluded by !vendor/**, !**/vendor/**

📒 Files selected for processing (1)

go.mod (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

go.mod

🔇 Additional comments (1)

go.mod (1)

62-63: Looks fine—just ensure go.sum and tidiness are consistent.
Adding github.com/go-task/slim-sprig/v3 v3.0.0 // indirect is expected as a transitive dep (likely from the new test stack). Please confirm the PR also includes the corresponding go.sum updates and passes whatever “tidy check” CI enforces.

openshift-ci-robot · 2025-12-12T07:09:59Z

@gangwgr: This pull request references CNTRLPLANE-2222 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-12-12T07:10:08Z

@gangwgr: This pull request references CNTRLPLANE-2222 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.21.0" version, but no target version was set.

Details

In response to this:

CNTRLPLANE-2222:Migrate go test cert-rotation-tests.go to OTE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (1)

test/e2e/certrotation.go (1)
71-93: Short timeout may cause test flakes in slower environments.

The 5-second timeout in both polling loops may be insufficient for end-to-end tests, especially in resource-constrained CI/CD environments where operator reconciliation can be slower. Consider increasing to at least 30-60 seconds to reduce flakiness.

Additionally, the polling logic is duplicated between lines 71-92 and 99-119 with only minor differences in the conditions checked. Consider extracting a helper function to reduce duplication and improve maintainability.

Apply this diff to increase the timeouts:
-	err = wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
+	err = wait.PollImmediate(1*time.Second, 30*time.Second, func() (bool, error) {
And similarly for the second polling loop:
-	err = wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
+	err = wait.PollImmediate(1*time.Second, 30*time.Second, func() (bool, error) {
Also applies to: 99-120

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 85c2e1d and af1f71c.

📒 Files selected for processing (3)

cmd/cluster-kube-apiserver-operator-tests-ext/main.go (1 hunks)
test/e2e/certrotation.go (1 hunks)
test/e2e/certrotation_test.go (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

test/e2e/certrotation.go
test/e2e/certrotation_test.go
cmd/cluster-kube-apiserver-operator-tests-ext/main.go

🔇 Additional comments (3)

cmd/cluster-kube-apiserver-operator-tests-ext/main.go (1)

22-23: LGTM!

The blank import correctly registers the E2E tests with the Ginkgo framework, following standard Go conventions for side-effect imports.

test/e2e/certrotation_test.go (1)

5-11: LGTM!

The refactoring to delegate test bodies to helper functions improves code reusability while maintaining the public test interface. This aligns well with the new Ginkgo-based test framework.

test/e2e/certrotation.go (1)

32-39: LGTM!

The Ginkgo test suite is properly structured with appropriate tags [Operator][Serial] that match the suite configuration defined in the main test entrypoint.

coderabbitai · 2025-12-12T09:04:27Z

+		}
+		if _, err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Create(context.TODO(), &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.OperatorNamespace, Name: "aggregator-client-signer"},
+			Type:       "SecretTypeTLS",


⚠️ Potential issue | 🔴 Critical

Use the proper Secret type constant.

The string literal "SecretTypeTLS" should be replaced with the proper Kubernetes constant corev1.SecretTypeTLS for type safety and correctness. The current string literal is invalid and will not match the expected type.

Apply this diff:

- Type: "SecretTypeTLS", + Type: corev1.SecretTypeTLS,

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

Type: "SecretTypeTLS",

Type: corev1.SecretTypeTLS,

🤖 Prompt for AI Agents

In test/e2e/certrotation.go around line 135, the Secret Type field is set to the string literal "SecretTypeTLS"; replace this with the proper Kubernetes constant corev1.SecretTypeTLS (ensure the corev1 package is imported/aliased appropriately) so the Secret uses the correct typed constant instead of an invalid string literal.

gangwgr · 2025-12-12T11:41:33Z

/test e2e-aws-ovn-serial-1of2

p0lyn0mial

please also add a todo and a link to a jira issue (migration) for https://github.com/openshift/cluster-kube-apiserver-operator/blob/main/test/e2e/bound_sa_token_test.go#L35

p0lyn0mial · 2025-12-12T11:37:15Z


 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/version"
+	// Import test packages to register Ginkgo tests
+	_ "github.com/openshift/cluster-kube-apiserver-operator/test/e2e"


could you create a new file dependencymagnet.go which would contain these imports ?

the file should be in the same dir/pkg as the main.go file.

@p0lyn0mial Why we need dependencymagnet.go, it is one time line to import cases, in next pr we don't need it

just a personal preference, similar to https://github.com/openshift/cluster-kube-apiserver-operator/blob/main/pkg/dependencymagnet/doc.go

in the future we will also reference the other tests: https://github.com/openshift/cluster-kube-apiserver-operator/tree/main/test

p0lyn0mial · 2025-12-12T11:39:10Z

-)
+import "testing"

 func TestCertRotationTimeUpgradeable(t *testing.T) {


let's add a comment:

// This test calls the shared function which // can be called from both standard Go tests and Ginkgo // // This situation is temporary until we test the new e2e-gcp-operator-serial-ote job. // Eventually all tests will be run only as part of the OTE framework.

p0lyn0mial · 2025-12-12T11:39:17Z

+	testCertRotationTimeUpgradeable(t)
 }

 func TestCertRotationStompOnBadType(t *testing.T) {


p0lyn0mial · 2025-12-12T11:39:35Z

 	sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96
 )

+require github.com/onsi/ginkgo/v2 v2.21.0


could this be part of the require block above ?

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (2)

test/e2e/certrotation.go (2)

71-93: Increase 5s polling timeouts (will flake)
Both polling loops (Line 71 and Line 99) use a 5s timeout, which is very short for operator reconciliation in CI.

@@
-	err = wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
+	err = wait.PollImmediate(1*time.Second, 60*time.Second, func() (bool, error) {
@@
-	err = wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
+	err = wait.PollImmediate(1*time.Second, 60*time.Second, func() (bool, error) {

Also applies to: 99-120

128-141: Don’t ignore all delete/create errors + fix SecretTypeTLS literal
The loop on Line 129 currently treats any delete/create error as retryable (return false, nil), which can mask real failures (RBAC, connectivity). Also Line 135 uses "SecretTypeTLS" which won’t match the actual secret type constant.

@@
 	// this is inherently racy against a controller
 	err = wait.PollImmediate(10*time.Millisecond, 5*time.Second, func() (done bool, err error) {
-		if err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Delete(context.TODO(), "aggregator-client-signer", metav1.DeleteOptions{}); err != nil {
-			return false, nil
-		}
-		if _, err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Create(context.TODO(), &corev1.Secret{
+		if err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Delete(context.TODO(), "aggregator-client-signer", metav1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) {
+			return false, err
+		}
+		if _, err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Create(context.TODO(), &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.OperatorNamespace, Name: "aggregator-client-signer"},
-			Type:       "SecretTypeTLS",
+			Type:       corev1.SecretTypeTLS,
 		}, metav1.CreateOptions{}); err != nil {
-			return false, nil
+			return false, err
 		}
 		return true, nil
 	})

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between e15618c and 1015f8b.

📒 Files selected for processing (5)

cmd/cluster-kube-apiserver-operator-tests-ext/dependencymagnet.go (1 hunks)
go.mod (1 hunks)
test/e2e/bound_sa_token_test.go (1 hunks)
test/e2e/certrotation.go (1 hunks)
test/e2e/certrotation_test.go (1 hunks)

✅ Files skipped from review due to trivial changes (1)

test/e2e/bound_sa_token_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

go.mod

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

cmd/cluster-kube-apiserver-operator-tests-ext/dependencymagnet.go
test/e2e/certrotation_test.go
test/e2e/certrotation.go

🧬 Code graph analysis (1)

test/e2e/certrotation.go (2)

test/library/client.go (1)

NewClientConfigForTest (12-20)

pkg/operator/operatorclient/interfaces.go (2)

GlobalUserSpecifiedConfigNamespace (4-4)

OperatorNamespace (6-6)

🔇 Additional comments (3)

cmd/cluster-kube-apiserver-operator-tests-ext/dependencymagnet.go (1)

1-8: Ensure this “magnet” only builds into the intended tests-ext binary
Blank-importing test/e2e is fine for OTE registration, but please verify this cmd/cluster-kube-apiserver-operator-tests-ext program is not pulled into any non-test/production build targets (otherwise it drags all e2e deps in). If there’s any ambiguity, consider a build tag or explicit wiring in the build tooling.

test/e2e/certrotation_test.go (1)

5-21: Wrapper tests + migration comment look good
The public go test entrypoints now cleanly delegate to shared helpers, and the temporary-migration comment clarifies intent.

test/e2e/certrotation.go (1)

32-39: Ginkgo registration + shared-helper invocation is straightforward
The Describe/It blocks calling the shared helpers via g.GinkgoTB() look consistent with the migration goal.

coderabbitai · 2025-12-12T12:20:08Z

+	ctx := context.Background()
+	_, operatorStatus, _, err := operatorClient.GetStaticPodOperatorStateWithQuorum(ctx)
+	require.NoError(t, err)
+	require.True(t, v1helpers.IsOperatorConditionTrue(operatorStatus.Conditions, "CertRotationTimeUpgradeable"))
+
+	kubeClient := kubernetes.NewForConfigOrDie(kubeConfig)
+	t.Logf("Creating unsupported-cert-rotation-config...")
+	_, err = kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Create(context.TODO(), &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "unsupported-cert-rotation-config"},
+		Data:       map[string]string{"base": "2y"},
+	}, metav1.CreateOptions{})
+	require.NoError(t, err)
+	defer func() {
+		kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Delete(context.TODO(), "unsupported-cert-rotation-config", metav1.DeleteOptions{})
+	}()
+


⚠️ Potential issue | 🟠 Major

Make ConfigMap create/delete idempotent to reduce flakes
On Line 62, Create(...) will fail if the ConfigMap already exists (e.g., leftover from a prior failed run). Also the deferred Delete ignores errors. Consider “delete if exists, then create”, and ignore NotFound on cleanup.

@@ t.Logf("Creating unsupported-cert-rotation-config...") - _, err = kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Create(context.TODO(), &corev1.ConfigMap{ + _ = kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace). + Delete(ctx, "unsupported-cert-rotation-config", metav1.DeleteOptions{}) + _, err = kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Create(ctx, &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "unsupported-cert-rotation-config"}, Data: map[string]string{"base": "2y"}, }, metav1.CreateOptions{}) require.NoError(t, err) defer func() { - kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Delete(context.TODO(), "unsupported-cert-rotation-config", metav1.DeleteOptions{}) + if err := kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace). + Delete(ctx, "unsupported-cert-rotation-config", metav1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) { + t.Logf("cleanup: failed to delete configmap unsupported-cert-rotation-config: %v", err) + } }()

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

ctx := context.Background()

_, operatorStatus, _, err := operatorClient.GetStaticPodOperatorStateWithQuorum(ctx)

require.NoError(t, err)

require.True(t, v1helpers.IsOperatorConditionTrue(operatorStatus.Conditions, "CertRotationTimeUpgradeable"))

kubeClient := kubernetes.NewForConfigOrDie(kubeConfig)

t.Logf("Creating unsupported-cert-rotation-config...")

_, err = kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Create(context.TODO(), &corev1.ConfigMap{

ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "unsupported-cert-rotation-config"},

Data: map[string]string{"base": "2y"},

}, metav1.CreateOptions{})

require.NoError(t, err)

defer func() {

kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Delete(context.TODO(), "unsupported-cert-rotation-config", metav1.DeleteOptions{})

}()

ctx := context.Background()

_, operatorStatus, _, err := operatorClient.GetStaticPodOperatorStateWithQuorum(ctx)

require.NoError(t, err)

require.True(t, v1helpers.IsOperatorConditionTrue(operatorStatus.Conditions, "CertRotationTimeUpgradeable"))

kubeClient := kubernetes.NewForConfigOrDie(kubeConfig)

t.Logf("Creating unsupported-cert-rotation-config...")

_ = kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).

Delete(ctx, "unsupported-cert-rotation-config", metav1.DeleteOptions{})

_, err = kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Create(ctx, &corev1.ConfigMap{

ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "unsupported-cert-rotation-config"},

Data: map[string]string{"base": "2y"},

}, metav1.CreateOptions{})

require.NoError(t, err)

defer func() {

if err := kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).

Delete(ctx, "unsupported-cert-rotation-config", metav1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) {

t.Logf("cleanup: failed to delete configmap unsupported-cert-rotation-config: %v", err)

}

}()

🤖 Prompt for AI Agents

In test/e2e/certrotation.go around lines 55 to 70, the ConfigMap Create will fail if the object already exists and the deferred Delete currently ignores all errors; make the operation idempotent by first attempting to delete the ConfigMap (ignore NotFound) before calling Create so Create succeeds even if a prior run left the resource, and update the deferred cleanup to call Delete but explicitly ignore NotFound errors while surface/logging any other delete error; use the same context variable (ctx) for both calls and ensure errors from the pre-create delete are handled/ignored only for NotFound, and require.NoError on the Create call as before.

gangwgr · 2025-12-12T12:20:19Z

please also add a todo and a link to a jira issue (migration) for https://github.com/openshift/cluster-kube-apiserver-operator/blob/main/test/e2e/bound_sa_token_test.go#L35

Updated

wangke19 · 2025-12-15T09:30:19Z

One question:
Tests don't support graceful shutdown. If test suite is cancelled, resources might not be cleaned up.
Recommendation: Use context.WithCancel and cleanup on signal.

wangke19 · 2025-12-15T09:13:04Z

+
+	kubeClient := kubernetes.NewForConfigOrDie(kubeConfig)
+	t.Logf("Creating unsupported-cert-rotation-config...")
+	_, err = kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Create(context.TODO(), &corev1.ConfigMap{


The code creates a ctx variable but doesn't use it consistently. But operation uses context.TODO() while others could use the existing ctx.

wangke19 · 2025-12-15T09:13:16Z

+	}, metav1.CreateOptions{})
+	require.NoError(t, err)
+	defer func() {
+		kubeClient.CoreV1().ConfigMaps(operatorclient.GlobalUserSpecifiedConfigNamespace).Delete(context.TODO(), "unsupported-cert-rotation-config", metav1.DeleteOptions{})


The code creates a ctx variable but doesn't use it consistently. But operation uses context.TODO() while others could use the existing ctx.

wangke19 · 2025-12-15T09:13:27Z

+		if err != nil {
+			return false, err
+		}
+		clusteroperator, err := configClient.ClusterOperators().Get(context.TODO(), "kube-apiserver", metav1.GetOptions{})


The code creates a ctx variable but doesn't use it consistently. But operation uses context.TODO() while others could use the existing ctx.

wangke19 · 2025-12-15T09:14:53Z

+	// this is inherently racy against a controller
+	err = wait.PollImmediate(10*time.Millisecond, 5*time.Second, func() (done bool, err error) {
+		if err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Delete(context.TODO(), "aggregator-client-signer", metav1.DeleteOptions{}); err != nil {
+			return false, nil


Error swallowed

Suggested change

return false, nil

return false, fmt.Errorf("failed to delete secret: %w", err)

wangke19 · 2025-12-15T09:20:11Z

+			ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.OperatorNamespace, Name: "aggregator-client-signer"},
+			Type:       "SecretTypeTLS",
+		}, metav1.CreateOptions{}); err != nil {
+			return false, nil


Error swallowed

wangke19 · 2025-12-15T09:22:30Z

+		certRotationCondition := v1helpers.FindOperatorCondition(operatorStatus.Conditions, "CertRotationTimeUpgradeable")
+		upgradeableCondition := configv1helpers.FindStatusCondition(clusteroperator.Status.Conditions, "Upgradeable")
+		if certRotationCondition == nil || upgradeableCondition == nil {
+			return false, fmt.Errorf("Couldn't find CertRotationTimeUpgradeable or Upgradeable condition")


Error Message Capitalization

Suggested change

return false, fmt.Errorf("Couldn't find CertRotationTimeUpgradeable or Upgradeable condition")

return false, fmt.Errorf("couldn't find CertRotationTimeUpgradeable or Upgradeable condition")

wangke19 · 2025-12-15T09:23:47Z

+		Data:       map[string]string{"base": "2y"},
+	}, metav1.CreateOptions{})
+	require.NoError(t, err)
+	defer func() {


Resource Cleanup: Missing Error Handling

wangke19 · 2025-12-15T09:27:21Z

+		}
+		if _, err := kubeClient.CoreV1().Secrets(operatorclient.OperatorNamespace).Create(context.TODO(), &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{Namespace: operatorclient.OperatorNamespace, Name: "aggregator-client-signer"},
+			Type:       "SecretTypeTLS",


I think it's should be Type: "kubernetes.io/tls", I remember that we have one bug to migrate type of this.
see: openshift/library-go#1681

gangwgr · 2025-12-15T09:55:03Z

@wangke19 It is dev code test we are not changing anything nothing should be changed. And we also should not change. If we are doing changing it will impact cases. Better should not change in original case code when it is running fine. It is just copied from existing gotest, nothing should be change

p0lyn0mial · 2025-12-15T10:22:53Z

@wangke19 It is dev code test we are not changing anything nothing should be changed. And we also should not change. If we are doing changing it will impact cases. Better should not change in original case code when it is running fine. It is just copied from existing gotest, nothing should be change

yeah, for now, let's migrate the tests as is, in the future we can refactor. does it make sense ?

p0lyn0mial · 2025-12-15T10:27:57Z

+})
+
+func testCertRotationTimeUpgradeable(t testing.TB) {
+	kubeConfig, err := testlibrary.NewClientConfigForTest()


could you adda a new tmp commit with t.Fail() just to see if the expected CI jobs will fail?

other than that LGTM

gangwgr · 2025-12-15T11:32:16Z

@wangke19 It is dev code test we are not changing anything nothing should be changed. And we also should not change. If we are doing changing it will impact cases. Better should not change in original case code when it is running fine. It is just copied from existing gotest, nothing should be change

yeah, for now, let's migrate the tests as is, in the future we can refactor. does it make sense ?
@p0lyn0mial I think we can change those are minor fixes not logic changes we can change

wangke19 · 2025-12-15T11:55:26Z

/lgtm

p0lyn0mial · 2025-12-15T15:19:09Z

 })

 func testCertRotationTimeUpgradeable(t testing.TB) {
+	t.Fail() // Temporary: Testing if CI jobs detect failures


thanks, it worked, we can remove it.

gangwgr · 2025-12-17T07:02:22Z

/test okd-scos-images

gangwgr · 2025-12-17T07:45:36Z

/test okd-scos-images

gangwgr · 2025-12-17T08:20:30Z

/retest-required

gangwgr · 2025-12-17T09:03:25Z

/test okd-scos-images

p0lyn0mial · 2025-12-17T09:28:04Z

/lgtm

openshift-ci · 2025-12-17T09:28:31Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr, p0lyn0mial, wangke19

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [p0lyn0mial]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

p0lyn0mial · 2025-12-17T09:30:24Z

@gangwgr let's open a new PR (after this merges) to address @wangke19's comments.

gangwgr · 2025-12-18T04:32:26Z

/test okd-scos-images

gangwgr · 2025-12-18T07:38:56Z

/verified by ci runs

openshift-ci-robot · 2025-12-18T07:39:08Z

@gangwgr: This PR has been marked as verified by ci runs.

Details

In response to this:

/verified by ci runs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-12-18T08:13:48Z

@gangwgr: This pull request references Jira Issue OCPBUGS-69758, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.22.0) matches configured target version for branch (4.22.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

CNTRLPLANE-2222:Migrate go test cert-rotation-tests.go to OTE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2025-12-18T10:59:12Z

@gangwgr: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci-robot · 2025-12-18T11:02:01Z

@gangwgr: Jira Issue Verification Checks: Jira Issue OCPBUGS-69758
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-69758 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

CNTRLPLANE-2222:Migrate go test cert-rotation-tests.go to OTE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci Bot requested review from tkashem and xingxingxia December 12, 2025 06:28

coderabbitai Bot reviewed Dec 12, 2025

View reviewed changes

gangwgr force-pushed the cert-test branch from ceefaff to 814d6df Compare December 12, 2025 07:01

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 12, 2025

coderabbitai Bot reviewed Dec 12, 2025

View reviewed changes

openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 12, 2025

coderabbitai Bot reviewed Dec 12, 2025

View reviewed changes

openshift-ci Bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 12, 2025

gangwgr changed the title ~~Cert test~~ CNTRLPLANE-2222:Migrate go test cert-rotation-tests.go to OTE Dec 12, 2025

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Dec 12, 2025

gangwgr force-pushed the cert-test branch from 9b116cb to 85c2e1d Compare December 12, 2025 07:13

openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 12, 2025

gangwgr force-pushed the cert-test branch from 85c2e1d to af1f71c Compare December 12, 2025 09:02

coderabbitai Bot reviewed Dec 12, 2025

View reviewed changes

p0lyn0mial reviewed Dec 12, 2025

View reviewed changes

p0lyn0mial mentioned this pull request Dec 12, 2025

OCPBUGS-69755:CNTRLPLANE-2158:Migrating TestTokenRequestAndReview to ginkgo #1978

Merged

Add cert rotation tests with Ginkgo integration

c61b8b3

gangwgr force-pushed the cert-test branch from e15618c to 1015f8b Compare December 12, 2025 12:17

coderabbitai Bot reviewed Dec 12, 2025

View reviewed changes

wangke19 reviewed Dec 15, 2025

View reviewed changes

p0lyn0mial reviewed Dec 15, 2025

View reviewed changes

openshift-ci Bot assigned wangke19 Dec 15, 2025

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Dec 15, 2025

p0lyn0mial reviewed Dec 15, 2025

View reviewed changes

Update go.mod

01fae25

gangwgr force-pushed the cert-test branch from d7f1c7c to 01fae25 Compare December 17, 2025 05:21

openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Dec 17, 2025

openshift-ci Bot assigned p0lyn0mial Dec 17, 2025

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Dec 17, 2025

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 17, 2025

wangke19 mentioned this pull request Dec 17, 2025

[WIP]Add automated e2e test for cert rotation sidecar behavior (OCPBUGS-60628) #1914

Open

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Dec 18, 2025

gangwgr changed the title ~~CNTRLPLANE-2222:Migrate go test cert-rotation-tests.go to OTE~~ OCPBUGS-69758:CNTRLPLANE-2222:Migrate go test cert-rotation-tests.go to OTE Dec 18, 2025

openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Dec 18, 2025

openshift-ci Bot requested a review from wangke19 December 18, 2025 08:13

openshift-merge-bot Bot merged commit 3fb92ce into openshift:main Dec 18, 2025
14 checks passed

	return false, nil
	return false, fmt.Errorf("failed to delete secret: %w", err)

	return false, fmt.Errorf("Couldn't find CertRotationTimeUpgradeable or Upgradeable condition")
	return false, fmt.Errorf("couldn't find CertRotationTimeUpgradeable or Upgradeable condition")

Conversation

gangwgr commented Dec 12, 2025 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai Bot commented Dec 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot Dec 12, 2025

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci-robot commented Dec 12, 2025 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Dec 12, 2025 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot Dec 12, 2025

Choose a reason for hiding this comment

Uh oh!

gangwgr commented Dec 12, 2025

Uh oh!

p0lyn0mial left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai Bot Dec 12, 2025

Choose a reason for hiding this comment

Uh oh!

gangwgr commented Dec 12, 2025

Uh oh!

wangke19 commented Dec 15, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

gangwgr commented Dec 12, 2025 •

edited by openshift-ci Bot

Loading

coderabbitai Bot commented Dec 12, 2025 •

edited

Loading

openshift-ci-robot commented Dec 12, 2025 •

edited by openshift-ci Bot

Loading

openshift-ci-robot commented Dec 12, 2025 •

edited by openshift-ci Bot

Loading

gangwgr commented Dec 15, 2025 •

edited

Loading