CM-1042: To add multi-operand qualification suite in e2e tests #429

Open
arun717 wants to merge 16 commits into openshift:master from arun717:e2e-with-multiple-operands

@arun717 arun717 commented Jun 4, 2026

Summary

Adds an ordered Ginkgo e2e suite for CM-786 qualification when TrustManager and IstioCSR are enabled and installed at the same time. The suite patches the operator subscription to turn on both addon feature gates, creates both CRs concurrently, then runs baseline cert-manager sanity checks and automatable CM-786 doc steps (5–14).

Labels: Platform:Generic, Feature:MultipleOperands, TechPreview
https://docs.google.com/document/d/1bKI2OP7cZPVkGMWGhqEgJ6cCM35r2pUs7lqfDClUD9A/edit?tab=t.ovzsdk8nx64c#heading=h.edvlw82015i9

Run:
make test-e2e E2E_GINKGO_LABEL_FILTER='Platform:Generic && Feature:MultipleOperands'

Prerequisites: TechPreview cluster with cert-manager operator installed; OpenShift Service Mesh optional (steps 6–7 skip if absent).

Tests (Context: with operands installed concurrently)

| # | Spec | Verifies |
|---|---|---|
| 1 | TrustManager and IstioCSR CRs ready after concurrent creation | TrustManager/cluster Ready + image; IstioCSR/default available with gRPC endpoint and image |
| 2 | CM-01: all operand deployments have desired replicas ready | Controller, webhook, cainjector, trust-manager, and namespace-scoped cert-manager-istio-csr deployments Available |
| 3 | CM-02: operand pods have no CrashLoopBackOff | No CrashLoopBackOff in operand + IstioCSR namespaces |
| 4 | CM-03: cert-manager webhook service has endpoints | Webhook Endpoints non-empty; webhook pods present |
| 5 | CM-10: issues a self-signed namespaced certificate | ClusterIssuer + Certificate → Ready; TLS secret with tls.crt / tls.key |
| 6 | CM-12: certificate with bogus issuer ref stays not Ready and does not break operands | Certificate Ready=False; target secret not created; operands and operator conditions still healthy |
| 7 | CM-786 step 5: IstioCSR operand resources exist with operator-managed labels | SA, Service, Deployment, ClusterRole with app.kubernetes.io/managed-by=part-of operator labels |
| 8 | CM-786 step 10: TrustManager qualification configuration is applied | Default CA ConfigMap; deployment args (--secret-targets-enabled, --filter-expired-certificates, --default-package-location); CR spec matches qualification policy |
| 9 | CM-786 step 10: Bundle propagates ConfigMap source to Secret in selected namespaces | Bundle syncs CM → Secret in namespace with istio-injection=enabled |
| 10 | CM-786 step 11: managed ClusterRoles are recreated after deletion | Trust-manager ClusterRole, IstioCSR ClusterRole, and cert-manager-controller-challenges (if present) recreated; operands stay Ready |
| 11 | CM-786 step 12: updating all three operator CRs keeps operands healthy | Label updates on CertManager, TrustManager, IstioCSR; operator conditions + deployments + operand readiness |
| 12 | CM-786 step 13: IstioCSR API updates reconcile successfully | logLevel 3 → 2 → 1 on IstioCSR CR; deployment --log-level args match each update |
| 13 | CM-786 step 14: IstioCSR gRPC CreateCertificate returns a cert chain | grpcurl Job succeeds; cert chain validates against test CA |
| 14 | CM-786 steps 6–7: Service Mesh uses istio-csr when Service Mesh is installed | If sailoperator.io/v1 Istio/default exists: spec.values.global.caAddress references istio-csr; istio-csr Service has endpoints — otherwise Skip |

Summary by CodeRabbit

  • Tests
    • Added a comprehensive end-to-end suite for multi-operand scenarios: operand readiness, pod/webhook health, certificate issuance and invalid-issuer behavior, bundle propagation, role recreation resilience, config updates without downtime, gRPC cert issuance, and optional Service Mesh checks.
    • Improved Vault e2e setup and diagnostics: dedicated setup/startup timeouts, richer pod failure reporting, and safer Vault command execution helpers.
  • Chores
    • Pinned Vault test image tag, removed privileged flag from installer container spec, and updated test module dependencies.

@arun717 arun717 changed the title CM_1042: add CM-786 multi-operand qualification suite CM-1042: add CM-786 multi-operand qualification suite Jun 4, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 4, 2026

openshift-ci-robot commented Jun 4, 2026

@arun717: This pull request references CM-1042 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set.

coderabbitai Bot commented Jun 4, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds a gated e2e suite validating concurrent TrustManager and IstioCSR operand behavior and improvements to the Vault e2e harness (timeouts, diagnostics, pinned image), plus a test module dependency adjustment.

Changes

Multi-Operand E2E + Vault Changes

| Layer / File(s) | Summary |
|---|---|
| Test file scaffold & constants<br>`test/e2e/multiple_operands_test.go` | `//go:build e2e` scaffold, CM-786 constants, operand descriptors, and ordered Ginkgo suite setup/teardown. |
| Suite setup/teardown and env patching<br>`test/e2e/multiple_operands_test.go` | Client init, MicroShift skip, stale SA cleanup, operator subscription env var patch/restore (feature gates), CA bundle generation, and test cleanup. |
| Concurrent install & readiness<br>`test/e2e/multiple_operands_test.go` | Builders and helpers to create TrustManager and IstioCSR concurrently and wait for both operands and deployments/webhooks to become ready. |
| Deployment & webhook checks<br>`test/e2e/multiple_operands_test.go` | Deployment replica readiness assertions and webhook endpoint/pod matching checks. |
| CM-10 self-signed issuance test<br>`test/e2e/multiple_operands_test.go` | Creates ClusterIssuer/Certificate, waits for readiness, and asserts Secret contains tls.crt/tls.key. |
| CM-12 bogus issuer test<br>`test/e2e/multiple_operands_test.go` | Creates Certificate with nonexistent issuer, asserts NotReady condition and absence of Secret, verifies operands/operator remain healthy. |
| IstioCSR operand resources validation<br>`test/e2e/multiple_operands_test.go` | Asserts existence and operator-managed labels for IstioCSR ServiceAccount, Service, Deployment, and ClusterRole(s). |
| TrustManager qualification checks<br>`test/e2e/multiple_operands_test.go` | Validates TrustManager deployment container args and TrustManager CR spec policies/targets. |
| Bundle propagation test<br>`test/e2e/multiple_operands_test.go` | Creates qualification bundle (ConfigMap source -> Bundle -> Secret target), waits for sync, and asserts propagated data. |
| Managed ClusterRole recreation test<br>`test/e2e/multiple_operands_test.go` | Deletes operator-managed ClusterRoles and verifies operator recreates them while operands stay ready. |
| Operator CR updates & reconciliation<br>`test/e2e/multiple_operands_test.go` | Updates CertManager/TrustManager/IstioCSR CRs via retry-on-conflict and asserts continued health/readiness. |
| IstioCSR spec reconcile & log-level checks<br>`test/e2e/multiple_operands_test.go` | Updates IstioCSR spec across log levels and asserts deployment container args reflect --log-level. |
| IstioCSR gRPC CreateCertificate test<br>`test/e2e/multiple_operands_test.go` | Generates CSR, runs grpcurl job, parses JSON logs, validates returned certificate chain entries. |
| Conditional Service Mesh integration checks<br>`test/e2e/multiple_operands_test.go` | If installed, verifies Service Mesh Istio CR CA address references IstioCSR service identifier and checks endpoints. |
| Helpers & utilities<br>`test/e2e/multiple_operands_test.go` | CSR generation, template loader, unstructured field extractors, deletion/cleanup tolerant helpers, pod crash detection, label merging, ensure-CR-absent checks. |
| Vault setup timeouts & pod status formatting<br>`test/e2e/utils_test.go` | Adds vaultSetupTimeout, vaultPodStartTimeout, formatVaultPodsStatus, and improves Vault pod startup polling with earlier failure detection and richer timeout errors. |
| Vault issuer setup context usage<br>`test/e2e/issuer_vault_test.go` | Calls setupVaultServer and configureVaultPKI using a dedicated setupCtx with vaultSetupTimeout. |
| Pinned Vault test image<br>`test/e2e/testdata/vault/helm-values.yaml` | Pins Vault Docker image tag to 1.17.2 (was latest). |
| Test module dependency<br>`test/go.mod` | Moves golang.org/x/sync v0.19.0 to the primary require block (removed from // indirect). |

🎯 3 (Moderate) | ⏱️ ~25 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 3 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| No-Sensitive-Data-In-Logs | ❌ Error | VAULT_TOKEN embedded in command array passed to PodExecOptions, exposing it in Kubernetes audit logs despite stderr removal improvement. | Pass VAULT_TOKEN via environment outside Command array or use stdin to prevent exposure in Kubernetes API audit logs. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 26.47% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Test Structure And Quality | ⚠️ Warning | 104 Expect assertions lack explicit failure messages (only 3 have messages), violating requirement 4. Only 5 DeferCleanup usages for numerous resource creations, risking resource leaks. | Add failure messages to Expect assertions and ensure all helper functions that create resources have corresponding cleanup logic via DeferCleanup. |
| Ipv6 And Disconnected Network Test Compatibility | ⚠️ Warning | Test requires pulling fullstorydev/grpcurl:v1.9.2-alpine image from external Docker Hub registry, which will fail in disconnected IPv6-only environments with no external internet access. | Add [Skipped:Disconnected] to the test name: "CM-786 step 14: IstioCSR gRPC CreateCertificate returns a cert chain [Skipped:Disconnected]" or mirror the grpcurl image to internal registry and use image pull policy never. |

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding a multi-operand qualification test suite for CM-786 in e2e tests, which is the primary focus of the changeset. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All test titles in multiple_operands_test.go use static, descriptive strings with no dynamic content (no pod names, timestamps, UUIDs, IPs, or variable interpolation). Test names are stable. |
| Microshift Test Compatibility | ✅ Passed | Test protected via [Skipped:MicroShift] label in main Describe, runtime isMicroShiftCluster() check in BeforeAll, nested It blocks, and graceful skips for optional APIs. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No multi-node assumptions: no pod affinity, node scheduling, failover, or cross-node communication detected. Tests deployment replicas, health, endpoints, certs, and CRs which all work on SNO. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR adds only test code and optional scheduling APIs. Deployment manifests lack affinity rules, topology constraints, maxUnavailable:0, and control-plane selectors—no topology incompatibilities. |
| Ote Binary Stdout Contract | ✅ Passed | No stdout writes in process-level code. Ginkgo By() uses reporter; log.Printf uses stderr. Top-level vars contain simple data with no function calls. |
| No-Weak-Crypto | ✅ Passed | No weak cryptographic algorithms, custom crypto implementations, or unsafe secret comparisons found. All crypto uses Go standard library with secure algorithms. |
| Container-Privileges | ✅ Passed | No privileged containers, hostPID/hostNetwork, SYS_ADMIN, or allowPrivilegeEscalation found. Only securityContext in acme/deployment.yaml uses restrictive settings. |

@arun717 arun717 changed the title CM-1042: add CM-786 multi-operand qualification suite CM-1042: To add multi-operand qualification suite in e2e tests Jun 4, 2026
@openshift-ci openshift-ci Bot requested review from mytreya-rh and swghosh June 4, 2026 08:19

openshift-ci Bot commented Jun 4, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arun717
Once this PR has been reviewed and has the lgtm label, please assign swghosh for approval. For more information see the Code Review Process.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/multiple_operands_test.go`:
- Around line 119-122: The teardown code is discarding errors from Delete calls;
update the cleanup to check and handle returned errors from
trustManagerClient().Delete(ctx, "cluster", metav1.DeleteOptions{}) and from
certmanageroperatorclient.OperatorV1alpha1().IstioCSRs(istioNS.Name).Delete(ctx,
istioCSRResourceName, metav1.DeleteOptions{}) (and the other similar delete
sites noted) — e.g., capture the error, and if non-nil either log it via the
test logger/t.Fatalf or accumulate/report it so failures aren’t silently
ignored; ensure you reference istioNS and istioCSRResourceName when building the
diagnostic message.
- Around line 76-104: This e2e suite uses operator Subscription/OLM behavior and
must be skipped on MicroShift; add a MicroShift guard by annotating the Describe
block or adding a runtime check in BeforeAll: either add the label/tag
`[Skipped:MicroShift]` to the Describe(...) call or call
exutil.IsMicroShiftCluster() at the start of BeforeAll (or test setup) and call
Skip("MicroShift: OLM not available") when true; update the Describe signature
or the BeforeAll in multiple_operands_test.go (referencing the Describe(...) and
BeforeAll(...) symbols) to ensure the suite is not executed on MicroShift
clusters.
- Around line 488-494: The test creates a fixed namespace "cm786-bundle-target"
which can conflict on reruns; change the Namespace creation to use
ObjectMeta.GenerateName (e.g. "cm786-bundle-target-") instead of a fixed Name so
Kubernetes generates a unique name, leaving other fields (Labels) intact and
still assigning the result to targetNS from
k8sClientSet.CoreV1().Namespaces().Create; update any subsequent references that
rely on the exact name to use targetNS.Name.

📥 Commits

Reviewing files that changed from the base of the PR and between e8a646d and 0fc92c4.

📒 Files selected for processing (1)
  • test/e2e/multiple_operands_test.go

Comment thread test/e2e/multiple_operands_test.go Outdated
Comment thread test/e2e/multiple_operands_test.go Outdated
Comment thread test/e2e/multiple_operands_test.go

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/utils_test.go`:
- Around line 1737-1760: formatVaultPodsStatus currently writes raw container
and condition messages (pod.Status.ContainerStatuses and pod.Status.Conditions)
to CI logs; change it to avoid emitting full freeform messages by only logging
structured reason codes and statuses (e.g., cs.State.Waiting.Reason,
cs.State.Terminated.Reason, cond.Type and cond.Status) and either omit
cond.Message/cs.*.Message entirely or replace them with a sanitized placeholder
or a fixed-length truncated/redacted string; update the loop over
pod.Status.ContainerStatuses and pod.Status.Conditions in formatVaultPodsStatus
to remove raw message output and include a clear placeholder like "<redacted>"
or a short truncation function instead.

📥 Commits

Reviewing files that changed from the base of the PR and between 4f003de and cec7646.

📒 Files selected for processing (4)
  • test/e2e/issuer_vault_test.go
  • test/e2e/testdata/vault/helm-values.yaml
  • test/e2e/utils_test.go
  • test/go.mod
✅ Files skipped from review due to trivial changes (1)
  • test/e2e/testdata/vault/helm-values.yaml

Comment thread test/e2e/utils_test.go

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
test/e2e/issuer_vault_test.go (1)

103-142: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Start the test-body timeout after the Vault bootstrap.

Line 104 starts a 10-minute ctx before the 30-minute setup path on Lines 120-141. On a slow cluster, setup can finish with ctx already expired, and every later client call in the It body will then fail immediately with context deadline exceeded. Create the post-setup context after Vault is ready, or give the test body its own fresh timeout. Based on learnings, "Applies to **/*_test.go : Review Ginkgo test code for quality requirements: (3) Timeouts - include appropriate timeouts on Eventually/Consistently and cluster operations."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/issuer_vault_test.go` around lines 103 - 142, The test creates the
test-body context (ctx, cancel) with highTimeout before the long Vault setup so
that ctx can expire during setup; fix by creating the test-body context only
after Vault bootstrap completes (i.e., move the context.WithTimeout(ctx,
highTimeout) / DeferCleanup(cancel) lines to after configureVaultPKI returns) or
alternatively create a fresh context for the It test body after setup (e.g.,
keep setupCtx/setupCancel for setup and then call context.WithTimeout for
ctx/cancel afterwards); update references to ctx/cancel accordingly so all
subsequent client calls use the post-setup ctx.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/issuer_vault_test.go`:
- Around line 154-155: The test uses execVaultShellInPod with shell-interpolated
strings (e.g., vaultCmd at the top and similar blocks at other spots) which
risks shell injection and unpredictable parsing; replace those with multiple
calls to execVaultInPod (or a new helper that accepts argv slices) passing the
vault binary and each argument as discrete strings (e.g.,
"vault","auth","enable","approle" and
"vault","write","auth/approle/role/<role>","token_policies=cert-manager",...).
Change each chained or sh -c invocation (references: execVaultShellInPod,
vaultCmd, and the JWT/oidc setup blocks called around the other ranges) to split
into separate execVaultInPod calls with explicit args so no shell interpolation
is used.

In `@test/e2e/utils_test.go`:
- Around line 1461-1475: The current execVaultInPod and execVaultShellInPod
embed the rootToken in the command argv which ends up in the PodExecOptions
payload; change the approach so the token is not passed as an exec argument:
update execInPod to support streaming stdin (set PodExecOptions.Stdin = true)
and have execVaultInPod / execVaultShellInPod send the VAULT_TOKEN value over
stdin (or another out-of-band channel) instead of building
"VAULT_TOKEN=<rootToken>" into the command slice; keep the visible command
arguments free of secrets and reference execInPod, execVaultInPod and
execVaultShellInPod when making the change.

📥 Commits

Reviewing files that changed from the base of the PR and between 10e2465 and b26b533.

📒 Files selected for processing (2)
  • test/e2e/issuer_vault_test.go
  • test/e2e/utils_test.go

Comment thread test/e2e/issuer_vault_test.go Outdated
Comment thread test/e2e/utils_test.go
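
The token exposure raised in the review above for execVaultInPod and execVaultShellInPod, modelled with the standard library only; this is an added example, not code from the PR or the project. The helper names, the sample token, and the namespace and pod names are hypothetical; the model relies on each element of PodExecOptions.Command being sent as a `command` query parameter of the exec request, whose URI the API server audit log records.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// sampleToken is a constructed placeholder, not a real Vault token.
const sampleToken = "hvs.CONSTRUCTED-example-token"

// stdinScript is a fixed script with no interpolated values: it reads one line
// from stdin into VAULT_TOKEN, then execs vault with the positional parameters.
const stdinScript = `IFS= read -r VAULT_TOKEN && export VAULT_TOKEN && exec vault "$@"`

// execRequestURI builds the URI of a pod exec request. Each element of the
// command slice becomes a "command" query parameter, so whatever is placed in
// argv is part of the URI that the audit log stores.
func execRequestURI(ns, pod, container string, argv []string, stdin bool) string {
	q := url.Values{}
	for _, a := range argv {
		q.Add("command", a)
	}
	q.Set("container", container)
	q.Set("stdin", fmt.Sprint(stdin))
	q.Set("stdout", "true")
	q.Set("stderr", "true")
	return fmt.Sprintf("/api/v1/namespaces/%s/pods/%s/exec?%s",
		url.PathEscape(ns), url.PathEscape(pod), q.Encode())
}

// tokenInArgv is the flagged pattern: VAULT_TOKEN=<token> is an argv element.
func tokenInArgv(token string, vaultArgs ...string) []string {
	return append([]string{"env", "VAULT_TOKEN=" + token, "vault"}, vaultArgs...)
}

// tokenOnStdin keeps argv free of secrets and returns the bytes to write to the
// exec stream's stdin (the caller must enable stdin on the exec request).
func tokenOnStdin(token string, vaultArgs ...string) ([]string, string, error) {
	if token == "" || strings.ContainsAny(token, "\r\n") {
		return nil, "", fmt.Errorf("token must be a non-empty single line")
	}
	// "vault-stdin" fills $0; vaultArgs arrive as "$@" and are passed to vault
	// as discrete arguments without being re-parsed by the shell.
	argv := append([]string{"sh", "-c", stdinScript, "vault-stdin"}, vaultArgs...)
	return argv, token + "\n", nil
}

// leaks reports whether secret appears in uri, raw or percent-decoded.
func leaks(uri, secret string) bool {
	if strings.Contains(uri, secret) {
		return true
	}
	decoded, err := url.QueryUnescape(uri)
	return err == nil && strings.Contains(decoded, secret)
}

func main() {
	args := []string{"auth", "enable", "approle"}
	weak := execRequestURI("vault-e2e", "vault-0", "vault", tokenInArgv(sampleToken, args...), false)
	argv, stdin, err := tokenOnStdin(sampleToken, args...)
	if err != nil {
		panic(err)
	}
	safe := execRequestURI("vault-e2e", "vault-0", "vault", argv, true)
	fmt.Println("argv variant leaks token: ", leaks(weak, sampleToken))
	fmt.Println("stdin variant leaks token:", leaks(safe, sampleToken))
	fmt.Printf("stdin payload is %d bytes, sent on the exec stream\n", len(stdin))
}
```

The same `leaks` check can be run as a unit test over every command slice a helper builds, so a secret reintroduced into argv fails before it reaches a cluster.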

arun717 commented Jun 5, 2026

/retest-required

arun717 commented Jun 8, 2026

/test e2e-operator-tech-preview

Super User and others added 9 commits June 9, 2026 12:18

Scope solver pod lookup to the test namespace and drop the redundant
certificate readiness wait already covered by the sibling ingress spec.

Co-authored-by: Cursor <cursoragent@cursor.com>

Wait for TrustManager and IstioCSR deployments before CR Ready polling,
extend multi-operand timeouts for slow CI, and surface operand status on
failure.

Co-authored-by: Cursor <cursoragent@cursor.com>

Only fail fast on Degraded in the multi-operand install path. The trust
namespace recovery test waits through a transient Degraded state before
Ready becomes True again.

Co-authored-by: Cursor <cursoragent@cursor.com>

The istio_csr_template defaults spec.istio.namespace to istio-system, but
CM-786 multi-operand tests install into multi-operand-istio. Without
overriding the field, IstioCSR reconciliation fails creating RBAC in the
missing istio-system namespace.

Co-authored-by: Cursor <cursoragent@cursor.com>

IstioCSR ClusterRoles use GenerateName, so the controller recreates them
with a new suffix after deletion rather than restoring the same name.

Co-authored-by: Cursor <cursoragent@cursor.com>

Align the grpcurl job name with grpcurl_job.yaml and create the proto-cm
ConfigMap required by the job, matching istio_csr_test.go.

Co-authored-by: Cursor <cursoragent@cursor.com>

The multi-operand suite runs IstioCSR in multi-operand-istio, not
istio-system. Build the SPIFFE ID from the actual namespace so grpcurl
can obtain a certificate instead of retrying until timeout.

Co-authored-by: Cursor <cursoragent@cursor.com>

The vault-installer pod was rejected on OCP namespaces enforcing
restricted Pod Security. Set the required pod and container security
context instead of relying on privileged mode.

Co-authored-by: Cursor <cursoragent@cursor.com>

openshift-ci Bot commented Jun 11, 2026

@arun717: all tests passed!
