Migrating user_certs_test to ote

[gangwgr]

Migrating user_certs_test to ote

## Summary
  Migrates the `TestNamedCertificates` test suite to the OTE (OpenShift Test Extended) Ginkgo framework while maintaining dual-compatibility with traditional Go tests.

  **Critical Performance Fix**: Initial OTE migration used `DescribeTable` with `BeforeAll/AfterAll`, which incorrectly triggered 19 separate API server rollouts (one per subtest), taking ~10 hours. Fixed by using a simple `g.It()` wrapper that calls the shared test function once, reducing test time to ~34 minutes.

  ## Changes

  ### Added `test/e2e/user_certs.go` (+420 lines)
  - Add Ginkgo test wrapper for OTE test discovery:
    - Simple `g.It()` wrapper that calls shared function once
    - **Avoids performance issues** with `DescribeTable` approach
  - Extract test logic into shared function with `testing.TB` interface:
    - `testNamedCertificates(t testing.TB)` - Tests all 19 named certificate scenarios
  - Add helper functions for certificate testing:
    - `newTestCertInfo()` - Creates test certificate info
    - `createTLSSecret()` - Creates TLS secrets
    - `deleteSecret()` - Deletes secrets
    - `updateAPIServerClusterConfigSpec()` - Updates API server config
    - `removeNamedCertificatesBySecretName()` - Cleanup helper
    - `serialNumberOfCertificateFromSecretOrFail()` - Gets cert serial numbers
    - `getReturnedCertSerialNumber()` - Verifies returned certificates
    - `getKubernetesServiceClusterIPOrFail()` - Gets service IP
    - `getExternalAPIServiceHostNameOrFail()` - Gets external hostname
    - `getInternalAPIServiceHostNameOrFail()` - Gets internal hostname

  ### Modified `test/e2e/user_certs_test.go` (+6/-397 = -391 net)
  - **Keep test runner** that calls shared function:
    ```go
    func TestNamedCertificates(t *testing.T) {
        testNamedCertificates(t)
    }
  - Remove all test implementation logic (moved to user_certs.go)

  Modified test/library/library.go (+1/-1)

  - Change GenerateNameForTest signature from *testing.T to testing.TB
  - Enables use in both standard Go tests and Ginkgo

  Modified test/library/crypto.go (+2/-2)

  - Change NewServerCertificate signature from *testing.T to testing.TB
  - Change NewCertificateAuthorityCertificate signature from *testing.T to testing.TB
  - Enables use in both standard Go tests and Ginkgo

  Modified test/e2e/serviceaccountissuer.go (+9/-6)

  - Minor refactoring for consistency with OTE pattern

  Modified test/e2e/serviceaccountissuer_test.go (+36/-6)

  - Updated test structure for OTE compatibility

  Net change: +30 lines (479 added - 449 removed across test files)

  Performance Fix

  Problem: Initial migration used g.Context with g.Ordered, BeforeAll/AfterAll, and DescribeTable with 19 entries. This caused:
  - 19 separate API server rollouts (one per Entry)
  - Each rollout: ~32 minutes
  - Total time: ~10 hours

  Solution: Simplified to single g.It() that calls testNamedCertificates() once:
  g.It("[Operator][Serial][Timeout:40m] TestNamedCertificates", func() {
      testNamedCertificates(g.GinkgoTB())
  })

  Result:
  - 1 API server rollout: ~32 minutes
  - All 19 test cases: ~2 minutes
  - Total time: ~34 minutes (94% reduction)

[coderabbitai]

Walkthrough

Refactors test helpers to accept testing.TB, adds a new end-to-end test that verifies API server named TLS certificates, updates TestNamedCertificates to call a shared helper, and removes an import and a wait-for-stabilization call from the service-account-issuer test.

Changes

Cohort / File(s)	Change Summary
Test library signature updates test/library/crypto.go, test/library/library.go	Changed signatures to accept testing.TB instead of *testing.T for NewServerCertificate, NewCertificateAuthorityCertificate, and GenerateNameForTest. No logic changes.
New E2E test test/e2e/user_certs.go	Added a Ginkgo/Gomega e2e test that generates CA and server certs, creates TLS secrets in openshift-config, configures API server named-cert entries, maps hostnames to expected certificate serials, polls the API server to verify presented certs, and cleans up secrets.
Test entry and minor refactor test/e2e/user_certs_test.go, test/e2e/serviceaccountissuer.go	TestNamedCertificates now delegates to testNamedCertificates. Removed testlibraryapi import alias and the call to wait for API server stabilization in the service-account-issuer test; updated test description string.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gangwgr]

/test e2e-aws-ovn-serial-1of2

[gangwgr]

/test e2e-gcp-operator-serial-ote

[gangwgr]

/test e2e-gcp-operator-serial-ote

[gangwgr]

/test e2e-gcp-operator-serial-ote

[gangwgr]

/test e2e-gcp-operator-serial-ote

[gangwgr]

/test e2e-gcp-operator-serial-ote

[gangwgr]

/test e2e-gcp-operator-serial-ote

[gangwgr]

/test e2e-gcp-operator-serial-ote

[gangwgr]

/test e2e-gcp-operator-serial-ote

[gangwgr]

/test e2e-gcp-operator-serial-ote

[wangke19]

Update a Summary for PR, you can see my PR openshift/service-ca-operator#305, better let me know, such as:
Modified in test/e2e/e2e_test.go (+6/-129 = -123 net)

[wangke19]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr, wangke19

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/OWNERS [gangwgr,wangke19]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[p0lyn0mial]

ok, this reverts https://github.com/openshift/cluster-kube-apiserver-operator/pull/1997/changes#r2691135829

[p0lyn0mial]

should TestNamedCertificates be lower case ? xref: https://github.com/gangwgr/cluster-kube-apiserver-operator/blob/5a1225b4a0f5ce82f4efe748ba4414a560e8b3cf/test/e2e/serviceaccountissuer.go#L29

[gangwgr]

I keep the same name as gotest

[p0lyn0mial]

I think that this (It) should also describe the purpose

[p0lyn0mial]

this is interesting.

normally we would:

setup the test
then run cases as subtest

mhm, should we do that ?
what is the benefit of having subtests vs one single test ?

[p0lyn0mial]

@gangwgr @wangke19 what do you think about ^

[gangwgr]

#1993 (comment)

[p0lyn0mial]

/hold

@wangke19 i'm still reviewing the PR :)

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@test/e2e/user_certs.go`:
- Around line 228-245: The poll callback passed to wait.PollImmediate must not
call require.NoError (which calls t.FailNow); in both branches replace the
require.NoError inside the callback with returning (false, err) when
getReturnedCertSerialNumber(kubeConfig.Host, tc.serverName) fails, and
compare/return the boolean only otherwise; then after wait.PollImmediate
completes, call require.NoError(t, err, "test case %s failed", tc.name) (or
require.NoError(t, err) in the non-Ginkgo path) to fail the test with the poll
error—update the callback in both the non-Ginkgo and Ginkgo branches referencing
getReturnedCertSerialNumber and wait.PollImmediate accordingly.

🧹 Nitpick comments (2)

test/e2e/user_certs.go (2)

261-265: Consider adding MinVersion to TLS config for defense-in-depth.

The static analyzer flagged the missing MinVersion. While this is test code connecting to a trusted internal API server with InsecureSkipVerify: true (appropriate for certificate inspection), adding MinVersion: tls.VersionTLS12 would be a defense-in-depth measure.

♻️ Optional improvement

 	tlsConf := &tls.Config{
 		VerifyPeerCertificate: verifyPeerCertificate,
 		ServerName:            serverName,
 		InsecureSkipVerify:    true,
+		MinVersion:            tls.VersionTLS12,
 	}

---

317-317: Use corev1.TLSCertKey constant for consistency.

The hardcoded "tls.crt" string works but is inconsistent with createTLSSecret which uses the corev1.TLSCertKey constant on line 301.

♻️ Optional improvement

-	certificates, err := cert.ParseCertsPEM(secret.Data["tls.crt"])
+	certificates, err := cert.ParseCertsPEM(secret.Data[corev1.TLSCertKey])

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 5a1225b and 35b4311.

📒 Files selected for processing (2)

• test/e2e/serviceaccountissuer.go
• test/e2e/user_certs.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• test/e2e/user_certs.go
• test/e2e/serviceaccountissuer.go

🪛 ast-grep (0.40.5)

test/e2e/user_certs.go

[warning] 260-264: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{
VerifyPeerCertificate: verifyPeerCertificate,
ServerName: serverName,
InsecureSkipVerify: true,
}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures

(missing-ssl-minversion-go)

🔇 Additional comments (5)

test/e2e/serviceaccountissuer.go (1)

29-29: Verify the timeout removal is intentional.

The [Timeout:30m] tag was removed from the test description. Ensure this is intentional and that the test framework or CI configuration provides adequate timeout handling to prevent indefinitely hanging tests.

test/e2e/user_certs.go (4)

34-38: LGTM!

The Ginkgo wrapper is well-structured with a descriptive test name and appropriate 40-minute timeout given the expected ~34-minute runtime.

---

40-113: LGTM!

The test setup properly initializes clients, creates test certificates with appropriate cleanup via defer, and retrieves baseline certificate serial numbers for comparison. Good use of assert.NoError in cleanup defers vs require.NoError for critical setup steps.

---

278-304: LGTM!

Secret management helpers are well-implemented with proper error handling and use of standard Kubernetes constants.

---

353-420: LGTM!

API hostname retrieval and test certificate helpers are clean and follow consistent patterns with appropriate error handling and logging.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid require.NoError inside poll callbacks.

Using require.NoError inside wait.PollImmediate callbacks is problematic because require calls t.FailNow(), which uses runtime.Goexit(). This can cause unexpected behavior when called from goroutines or callbacks. Instead, return the error from the callback and handle it after the poll completes.

🐛 Proposed fix

 			err := wait.PollImmediate(time.Second, time.Minute, func() (bool, error) {
 				// connect to apiserver using a custom ServerName and examine the returned certificate's
 				// serial number to determine if the expected serving certificate was returned.
 				serialNumber, err := getReturnedCertSerialNumber(kubeConfig.Host, tc.serverName)
-				require.NoError(t, err)
+				if err != nil {
+					return false, nil // retry on error
+				}
 				return tc.expectedSerialNumber == serialNumber, nil
 			})
 			require.NoError(t, err)

Apply the same fix to the Ginkgo path (lines 240-244):

 		err = wait.PollImmediate(time.Second, time.Minute, func() (bool, error) {
 			serialNumber, err := getReturnedCertSerialNumber(kubeConfig.Host, tc.serverName)
-			require.NoError(t, err)
+			if err != nil {
+				return false, nil // retry on error
+			}
 			return tc.expectedSerialNumber == serialNumber, nil
 		})
 		require.NoError(t, err, "test case %s failed", tc.name)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	err := wait.PollImmediate(time.Second, time.Minute, func() (bool, error) {
	// connect to apiserver using a custom ServerName and examine the returned certificate's
	// serial number to determine if the expected serving certificate was returned.
	serialNumber, err := getReturnedCertSerialNumber(kubeConfig.Host, tc.serverName)
	require.NoError(t, err)
	return tc.expectedSerialNumber == serialNumber, nil
	})
	require.NoError(t, err)
	})
	} else {
	// Ginkgo path - no subtests available
	t.Logf("Running test case: %s", tc.name)
	err = wait.PollImmediate(time.Second, time.Minute, func() (bool, error) {
	serialNumber, err := getReturnedCertSerialNumber(kubeConfig.Host, tc.serverName)
	require.NoError(t, err)
	return tc.expectedSerialNumber == serialNumber, nil
	})
	require.NoError(t, err, "test case %s failed", tc.name)
	err := wait.PollImmediate(time.Second, time.Minute, func() (bool, error) {
	// connect to apiserver using a custom ServerName and examine the returned certificate's
	// serial number to determine if the expected serving certificate was returned.
	serialNumber, err := getReturnedCertSerialNumber(kubeConfig.Host, tc.serverName)
	if err != nil {
	return false, nil // retry on error
	}
	return tc.expectedSerialNumber == serialNumber, nil
	})
	require.NoError(t, err)
	} else {
	// Ginkgo path - no subtests available
	t.Logf("Running test case: %s", tc.name)
	err = wait.PollImmediate(time.Second, time.Minute, func() (bool, error) {
	serialNumber, err := getReturnedCertSerialNumber(kubeConfig.Host, tc.serverName)
	if err != nil {
	return false, nil // retry on error
	}
	return tc.expectedSerialNumber == serialNumber, nil
	})
	require.NoError(t, err, "test case %s failed", tc.name)

🤖 Prompt for AI Agents

In `@test/e2e/user_certs.go` around lines 228 - 245, The poll callback passed to
wait.PollImmediate must not call require.NoError (which calls t.FailNow); in
both branches replace the require.NoError inside the callback with returning
(false, err) when getReturnedCertSerialNumber(kubeConfig.Host, tc.serverName)
fails, and compare/return the boolean only otherwise; then after
wait.PollImmediate completes, call require.NoError(t, err, "test case %s
failed", tc.name) (or require.NoError(t, err) in the non-Ginkgo path) to fail
the test with the poll error—update the callback in both the non-Ginkgo and
Ginkgo branches referencing getReturnedCertSerialNumber and wait.PollImmediate
accordingly.

[gangwgr]

/close
for https://redhat-internal.slack.com/archives/CC3CZCQHM/p1768565818656259?thread_ts=1768456327.979689&cid=CC3CZCQHM

[openshift-ci]

@gangwgr: Closed this PR.

Details

In response to this:

/close
for https://redhat-internal.slack.com/archives/CC3CZCQHM/p1768565818656259?thread_ts=1768456327.979689&cid=CC3CZCQHM

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.