Refactor TLS cases

[gangwgr]

Summary by CodeRabbit

• Tests

  • Reorganized TLS test suite into distinct target categories, centralized config-map resolution and annotation handling, narrowed test helpers to specific target types, and made guest-side checks and config-change flows more deterministic.

• Refactor

  • Replaced a unified target model with explicit per-category target lists, simplified TLS probing and verification wiring, and streamlined stabilization/rollout verification for clearer, more maintainable tests.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Replaces a single polymorphic tlsTarget model with distinct typed target structs and per-category target lists; adds configMapContext and injectTLSAnnotation; narrows helper signatures; refactors HyperShift initialization/filtering and guest-side verification; reimplements ConfigMap restoration tests and updates wire-level TLS probing to serviceTarget.

Changes

Cohort / File(s)

Summary

TLS test refactor & annotation test/extended/tls/tls_observed_config.go

Replaces unified tlsTarget with multiple typed target structs and separate per-category lists (ObservedConfig, ConfigMap injection, deployment env-var, service/wire TLS, rollout). Introduces configMapContext and file-local injectTLSAnnotation; centralizes ConfigMap namespace/key defaults and injection handling; reimplements restoration tests (annotation deletion/false/servingInfo changes) using the new context; narrows helper signatures to typed targets; refactors HyperShift setup to lazy setupHyperShiftManagement() for config-change flows and updates guest-side verification to use typed filters; removes old dedupe logic and uses clusterOperatorNames and deploymentRolloutTargets; switches wire-level TLS probes to serviceTarget. Areas to review: typed-target iteration and skip logic, configMapContext resolution, annotation handling, updated helper signatures, HyperShift initialization changes, and service-target probe swap.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

---

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

• Ignore

❌ Failed checks (1 error, 4 inconclusive)

Check name	Status	Explanation	Resolution
Stable And Deterministic Test Names	❌ Error	Test file uses fmt.Sprintf() with variable interpolation in 8 test titles (lines 249, 260, 271, 282, 337, 344, 351, 358), which violates the requirement for static, deterministic test names.	Replace all fmt.Sprintf()-constructed test names with static descriptive strings and move namespace/port identifiers into test bodies instead of titles.
Title check	❓ Inconclusive	The title "Refactor TLS cases" is vague and generic, using non-descriptive language that doesn't convey meaningful information about the specific changes made to the codebase.	Consider a more specific title that highlights the main refactoring objective, such as "Replace polymorphic TLS targets with separate typed structs" or "Refactor TLS test structure with type-specific target lists".
Test Structure And Quality	❓ Inconclusive	Unable to access and review the modified test file to assess Ginkgo test quality requirements including single responsibility, setup/cleanup patterns, timeouts, assertion messages, and codebase consistency.	Provide direct access to test/extended/tls/tls_observed_config.go or verify the file path exists in the repository to enable comprehensive quality assessment.
Microshift Test Compatibility	❓ Inconclusive	The file test/extended/tls/tls_observed_config.go could not be located for verification of MicroShift API compatibility.	Verify the exact file path exists and provide access to examine test declarations for MicroShift-incompatible API usage like ClusterOperator without proper protection tags.
Ipv6 And Disconnected Network Test Compatibility	❓ Inconclusive	Test file test/extended/tls/tls_observed_config.go could not be located or accessed in the repository to assess IPv4 assumptions and external connectivity requirements.	Verify file path is correct and accessible, then examine for hardcoded IPv4 addresses, IPv6 bracket handling in URLs, external connectivity requirements, and IPv4-specific assertions.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 81.82% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Tests refactor existing TLS verification without multi-node assumptions; port-forward, single replicas, and cluster-wide configurations work on SNO.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies test code in test/extended/tls/ through internal refactoring. No changes to exported entities, operator code, or deployment manifests. Test code does not impose scheduling constraints on production clusters.
Ote Binary Stdout Contract	✅ Passed	The modified test file contains only Ginkgo test blocks with no process-level stdout writes in init, TestMain, suite functions, or top-level initializers.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 897-899: The test currently only checks for the presence of the
injectTLSAnnotation key
(o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation))) which allows a
"false" value to pass; update both places where that key is asserted (the call
sites using cm.Annotations and injectTLSAnnotation) to assert the annotation
value instead of just the key—for example replace the HaveKey check with an
assertion that cm.Annotations[injectTLSAnnotation] equals "true" (or use
HaveKeyWithValue(injectTLSAnnotation, "true")) and update the failure message
accordingly so the test fails when the annotation is present but set to "false".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: edee0025-9055-4d34-b53f-b5422803ec72

📥 Commits

Reviewing files that changed from the base of the PR and between 653bd69 and f64a461.

📒 Files selected for processing (1)

• test/extended/tls/tls_observed_config.go

[ingvagabund]

/lgtm

[openshift-ci]

New changes are detected. LGTM label has been removed.

[coderabbitai]

♻️ Duplicate comments (1)

test/extended/tls/tls_observed_config.go (1)

897-898: ⚠️ Potential issue | 🟡 Minor

Still unresolved: assert annotation value, not only key presence.

At Line 897 and Line 1594, HaveKey(injectTLSAnnotation) still passes when the value is "false", which can mask injection regressions in profile-switch verification.

Suggested fix

- o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation),
- 	fmt.Sprintf("ConfigMap %s/%s is missing %s annotation", cmNamespace, t.configMapName, injectTLSAnnotation))
+ o.Expect(cm.Annotations).To(o.HaveKeyWithValue(injectTLSAnnotation, "true"),
+ 	fmt.Sprintf("ConfigMap %s/%s must have %s=true", cmNamespace, t.configMapName, injectTLSAnnotation))

- o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation),
- 	fmt.Sprintf("ConfigMap %s/%s is missing %s annotation", cmNamespace, t.configMapName, injectTLSAnnotation))
+ o.Expect(cm.Annotations).To(o.HaveKeyWithValue(injectTLSAnnotation, "true"),
+ 	fmt.Sprintf("ConfigMap %s/%s must have %s=true", cmNamespace, t.configMapName, injectTLSAnnotation))

#!/bin/bash
# Verify any remaining key-only checks for injectTLSAnnotation.
# Expected after fix: no matches.
rg -n -C2 'HaveKey\(injectTLSAnnotation\)' --type=go

Also applies to: 1594-1595

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 897 - 898, Replace the
key-only assertion that uses o.HaveKey(injectTLSAnnotation) on cm.Annotations
with an assertion that checks the annotation value as well: use
o.Expect(cm.Annotations).To(o.HaveKeyWithValue(injectTLSAnnotation, "true")) (or
o.Expect(cm.Annotations).To(o.And(o.HaveKey(injectTLSAnnotation),
o.HaveKeyWithValue(injectTLSAnnotation, "true")))) so the test fails when the
annotation exists but is "false"; update both occurrences that currently call
o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation), ...) to this
value-aware check referencing cm.Annotations and injectTLSAnnotation.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 897-898: Replace the key-only assertion that uses
o.HaveKey(injectTLSAnnotation) on cm.Annotations with an assertion that checks
the annotation value as well: use
o.Expect(cm.Annotations).To(o.HaveKeyWithValue(injectTLSAnnotation, "true")) (or
o.Expect(cm.Annotations).To(o.And(o.HaveKey(injectTLSAnnotation),
o.HaveKeyWithValue(injectTLSAnnotation, "true")))) so the test fails when the
annotation exists but is "false"; update both occurrences that currently call
o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation), ...) to this
value-aware check referencing cm.Annotations and injectTLSAnnotation.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6cbc469d-4206-4546-8f21-4faae9d8e8e6

📥 Commits

Reviewing files that changed from the base of the PR and between f64a461 and d9f2092.

📒 Files selected for processing (1)

• test/extended/tls/tls_observed_config.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[coderabbitai]

Actionable comments posted: 3

♻️ Duplicate comments (1)

test/extended/tls/tls_observed_config.go (1)

695-697: ⚠️ Potential issue | 🟡 Minor

Require inject-tls=true in the switch verifiers.

These assertions still pass when the annotation exists with value "false", so the Modern/Custom profile checks can report success while injection is actually disabled. Please assert the value here as well.

Also applies to: 1249-1251

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 695 - 697, The current
assertion only checks the presence of the injectTLSAnnotation key but not its
value, allowing "false" to pass; update the switch verifiers (e.g., in the block
using cm, configData := cm.Data[t.resolvedKey()], and the Expect call that
references injectTLSAnnotation, and the duplicate at lines 1249-1251) to assert
that cm.Annotations[injectTLSAnnotation] == "true" (or use the matcher that
checks the annotation value equals "true") so the test fails when injection is
explicitly disabled.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 103-108: Restore a controlPlane flag on the
deploymentRolloutTarget struct and use it to filter out management-cluster-only
(control plane) deployments in guestSideDeploymentRolloutTargets: add a bool
field named controlPlane to deploymentRolloutTarget and update
guestSideDeploymentRolloutTargets to only return targets where controlPlane is
false (or explicitly exclude controlPlane==true); adjust any construction sites
of deploymentRolloutTarget to set the flag accordingly so existing callers
(including the HyperShift flow) regain the previous filtering behavior.
- Around line 688-694: The current loop over configMapTargets treats any error
from AdminKubeClient().CoreV1().ConfigMaps(...).Get as a "not found" skip;
change the error handling so you only continue when apierrors.IsNotFound(err) is
true and otherwise fail the test (or return the error) so
auth/transport/apiserver errors are surfaced; update the Get call handling in
the loop that uses configMapTargets and resolvedNamespace() (and its second
occurrence later in the file) to check apierrors.IsNotFound(err) before calling
e2e.Logf and continue, and for any other err call t.Fatalf/return the error (or
fail the test) so failures are not masked.
- Around line 153-163: The current wait logic iterates over clusterOperatorNames
even after computing the deduplicated seen set and the guest-specific guestCOs,
making the HyperShift guest/control-plane split a no-op; modify the waiting loop
to only wait on entries in guestCOs (or the filtered subset derived from seen)
instead of clusterOperatorNames and ensure the functions/variables
clusterOperatorNames, seen, and guestCOs are used to drive that filtered
iteration so operators not relevant to the guest side are not waited on (apply
same fix in the analogous block around lines 1703-1725).

---

Duplicate comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 695-697: The current assertion only checks the presence of the
injectTLSAnnotation key but not its value, allowing "false" to pass; update the
switch verifiers (e.g., in the block using cm, configData :=
cm.Data[t.resolvedKey()], and the Expect call that references
injectTLSAnnotation, and the duplicate at lines 1249-1251) to assert that
cm.Annotations[injectTLSAnnotation] == "true" (or use the matcher that checks
the annotation value equals "true") so the test fails when injection is
explicitly disabled.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0f9c9dd8-3a02-44ee-9d2a-cb63dce96b83

📥 Commits

Reviewing files that changed from the base of the PR and between d9f2092 and 6001380.

📒 Files selected for processing (1)

• test/extended/tls/tls_observed_config.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Keep guest rollout targets filterable.

guestSideDeploymentRolloutTargets() now returns the full list because deploymentRolloutTarget no longer carries any controlPlane metadata. In the HyperShift flow that reintroduces waits on management-cluster-only deployments, which can turn the profile-switch tests into false timeouts on guest clusters.

Also applies to: 165-170, 215-220

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 103 - 108, Restore a
controlPlane flag on the deploymentRolloutTarget struct and use it to filter out
management-cluster-only (control plane) deployments in
guestSideDeploymentRolloutTargets: add a bool field named controlPlane to
deploymentRolloutTarget and update guestSideDeploymentRolloutTargets to only
return targets where controlPlane is false (or explicitly exclude
controlPlane==true); adjust any construction sites of deploymentRolloutTarget to
set the flag accordingly so existing callers (including the HyperShift flow)
regain the previous filtering behavior.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

The HyperShift ClusterOperator split is currently a no-op.

seen and guestCOs are populated, but the code still waits on every entry in clusterOperatorNames. That defeats the guest/control-plane split and can block on operators that should not be part of guest-side stabilization.

Also applies to: 1703-1725

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 153 - 163, The current
wait logic iterates over clusterOperatorNames even after computing the
deduplicated seen set and the guest-specific guestCOs, making the HyperShift
guest/control-plane split a no-op; modify the waiting loop to only wait on
entries in guestCOs (or the filtered subset derived from seen) instead of
clusterOperatorNames and ensure the functions/variables clusterOperatorNames,
seen, and guestCOs are used to drive that filtered iteration so operators not
relevant to the guest side are not waited on (apply same fix in the analogous
block around lines 1703-1725).

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr, ingvagabund

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/extended/tls/OWNERS [gangwgr,ingvagabund]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ingvagabund]

There should not be any defaulting for keys or for namespaces. It's safer to make it always explicit. Also, instead of de-duplicating this part of the code I suggest to first define the specific target types. It will remove the need for many checks and defaults. Also, specifying configMapContext is an artificial step that can be dropped by defining the specific target type.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (4)

test/extended/tls/tls_observed_config.go (4)

704-705: ⚠️ Potential issue | 🟡 Minor

Assert inject-tls=true, not just key presence.

Checking only for the annotation key lets "false" pass here, which can mask an injection regression during the profile-switch assertions.

Suggested fix

- o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation),
- 	fmt.Sprintf("ConfigMap %s/%s is missing %s annotation", cmNamespace, t.configMapName, injectTLSAnnotation))
+ o.Expect(cm.Annotations).To(o.HaveKeyWithValue(injectTLSAnnotation, "true"),
+ 	fmt.Sprintf("ConfigMap %s/%s must have %s=true", cmNamespace, t.configMapName, injectTLSAnnotation))

Also applies to: 1258-1259

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 704 - 705, The test
currently only asserts the presence of the injectTLSAnnotation key in
cm.Annotations (using
o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation)...)), which allows a
value of "false" to pass; change the assertion to verify the annotation value is
exactly "true" instead (e.g. assert cm.Annotations[injectTLSAnnotation] ==
"true" or use a Gomega matcher like HaveKeyWithValue) so injections are
correctly validated; apply the same fix to the other occurrence referenced
around the profile-switch assertion (injectTLSAnnotation check at the later
lines).

---

106-109: ⚠️ Potential issue | 🟠 Major

Restore control-plane metadata on rollout targets.

deploymentRolloutTarget no longer carries enough information to exclude management-cluster-only deployments, so guestSideDeploymentRolloutTargets() now returns the full list. In the HyperShift flow that reintroduces waits on non-guest rollouts and can turn the profile-switch tests into false timeouts.

Suggested direction

 type deploymentRolloutTarget struct {
 	namespace      string
 	deploymentName string
+	controlPlane   bool
 }
 
 func guestSideDeploymentRolloutTargets() []deploymentRolloutTarget {
 	var result []deploymentRolloutTarget
 	for _, t := range deploymentRolloutTargets {
-		result = append(result, t)
+		if !t.controlPlane {
+			result = append(result, t)
+		}
 	}
 	return result
 }

Also mark the management-cluster deployments accordingly in deploymentRolloutTargets.

Also applies to: 216-221

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 106 - 109, The struct
deploymentRolloutTarget currently only holds namespace and deploymentName which
loses control-plane/management-cluster metadata; update deploymentRolloutTarget
to include a boolean or enum (e.g., isManagement bool or controlPlaneRole
string) and populate that field in deploymentRolloutTargets() so
management-cluster deployments are marked, and change
guestSideDeploymentRolloutTargets() to filter based on that new field (returning
only guest targets) rather than assuming full list; ensure all call sites that
construct or consume deploymentRolloutTarget in tls_observed_config.go and
related functions handle the new field.

---

1711-1733: ⚠️ Potential issue | 🟠 Major

Use the filtered guest ClusterOperator list here.

This split is still effectively a no-op: seen and guestCOs are populated, but the wait loop still iterates every entry in clusterOperatorNames. That makes the HyperShift guest-side stabilization path block on management-only operators again.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 1711 - 1733, The loop
currently iterates all clusterOperatorNames but should only wait on
guest-visible operators; change the for loop that calls
waitForClusterOperatorStable to skip entries not present in the seen or guestCOs
maps (use the existing seen and guestCOs lookups) so only guest-side
ClusterOperators are waited on (keep references to clusterOperatorNames, seen,
guestCOs, profileLabel, and waitForClusterOperatorStable).

---

696-701: ⚠️ Potential issue | 🟠 Major

Only skip on NotFound when reading ConfigMaps.

Both paths currently continue on any ConfigMaps(...).Get error and log it as “not found”. That masks auth, transport, and apiserver failures as passing skips and can hide real regressions.

Safer error handling

 cm, err := oc.AdminKubeClient().CoreV1().ConfigMaps(cmNamespace).Get(ctx, t.configMapName, metav1.GetOptions{})
- if err != nil {
+ if apierrors.IsNotFound(err) {
 	e2e.Logf("SKIP: ConfigMap %s/%s not found: %v", cmNamespace, t.configMapName, err)
 	continue
 }
+ o.Expect(err).NotTo(o.HaveOccurred(),
+ 	fmt.Sprintf("failed to get ConfigMap %s/%s", cmNamespace, t.configMapName))

Also applies to: 1252-1255

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 696 - 701, The loop
that calls oc.AdminKubeClient().CoreV1().ConfigMaps(...).Get currently treats
all errors as "not found" and continues; change the error handling in the block
that calls ConfigMaps(...).Get (and the duplicate at the other occurrence around
lines 1252-1255) to check metav1.IsNotFound(err) and only log/continue for
NotFound errors, while for any other error return/fail the test or propagate the
error (e.g., t.Fatalf/t.Fatalf-like behavior or return the error) so
auth/transport/apiserver failures aren’t masked; keep the existing e2e.Logf
message for the NotFound case and use a clear error log/failed assertion for
other errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 945-947: Before mutating shared ConfigMap state capture the
original annotation/data and register a cleanup to restore it using
g.DeferCleanup: read and store the original cm.Annotations (and any other fields
you will change), call g.DeferCleanup with a closure that sets the saved
annotations back and calls cmCtx.update to restore, and only then perform the
delete and cmCtx.update; apply the same pattern for the other mutation sites
referenced (around the uses of injectTLSAnnotation, cm.Annotations, and
cmCtx.update at the other ranges). Ensure the closure uses the saved snapshot
(not a pointer to the mutated object) so restoration reliably re-applies the
original state.

---

Duplicate comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 704-705: The test currently only asserts the presence of the
injectTLSAnnotation key in cm.Annotations (using
o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation)...)), which allows a
value of "false" to pass; change the assertion to verify the annotation value is
exactly "true" instead (e.g. assert cm.Annotations[injectTLSAnnotation] ==
"true" or use a Gomega matcher like HaveKeyWithValue) so injections are
correctly validated; apply the same fix to the other occurrence referenced
around the profile-switch assertion (injectTLSAnnotation check at the later
lines).
- Around line 106-109: The struct deploymentRolloutTarget currently only holds
namespace and deploymentName which loses control-plane/management-cluster
metadata; update deploymentRolloutTarget to include a boolean or enum (e.g.,
isManagement bool or controlPlaneRole string) and populate that field in
deploymentRolloutTargets() so management-cluster deployments are marked, and
change guestSideDeploymentRolloutTargets() to filter based on that new field
(returning only guest targets) rather than assuming full list; ensure all call
sites that construct or consume deploymentRolloutTarget in
tls_observed_config.go and related functions handle the new field.
- Around line 1711-1733: The loop currently iterates all clusterOperatorNames
but should only wait on guest-visible operators; change the for loop that calls
waitForClusterOperatorStable to skip entries not present in the seen or guestCOs
maps (use the existing seen and guestCOs lookups) so only guest-side
ClusterOperators are waited on (keep references to clusterOperatorNames, seen,
guestCOs, profileLabel, and waitForClusterOperatorStable).
- Around line 696-701: The loop that calls
oc.AdminKubeClient().CoreV1().ConfigMaps(...).Get currently treats all errors as
"not found" and continues; change the error handling in the block that calls
ConfigMaps(...).Get (and the duplicate at the other occurrence around lines
1252-1255) to check metav1.IsNotFound(err) and only log/continue for NotFound
errors, while for any other error return/fail the test or propagate the error
(e.g., t.Fatalf/t.Fatalf-like behavior or return the error) so
auth/transport/apiserver failures aren’t masked; keep the existing e2e.Logf
message for the NotFound case and use a clear error log/failed assertion for
other errors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c89a4d07-9277-4cbd-818e-5fdc9be9f061

📥 Commits

Reviewing files that changed from the base of the PR and between 6001380 and ae5667f.

📒 Files selected for processing (1)

• test/extended/tls/tls_observed_config.go

[coderabbitai]

♻️ Duplicate comments (1)

test/extended/tls/tls_observed_config.go (1)

696-705: ⚠️ Potential issue | 🟡 Minor

Error handling masks non-"not found" failures; annotation check is inconsistent.

1. Error handling (lines 699-701): Any error is logged as "not found" and skipped. Auth, transport, or API server errors will be masked. Only apierrors.IsNotFound(err) should trigger a skip.

2. Annotation check (line 704): Uses HaveKey but testConfigMapTLSInjection at line 816 correctly uses value comparison. For consistency and to catch "false" values:

Suggested fix

 	cm, err := oc.AdminKubeClient().CoreV1().ConfigMaps(cmNamespace).Get(configChangeCtx, t.configMapName, metav1.GetOptions{})
-	if err != nil {
-		e2e.Logf("SKIP: ConfigMap %s/%s not found: %v", cmNamespace, t.configMapName, err)
-		continue
+	if apierrors.IsNotFound(err) {
+		e2e.Logf("SKIP: ConfigMap %s/%s not found", cmNamespace, t.configMapName)
+		continue
+	}
+	if err != nil {
+		o.Expect(err).NotTo(o.HaveOccurred(),
+			fmt.Sprintf("failed to get ConfigMap %s/%s", cmNamespace, t.configMapName))
 	}
 	configData := cm.Data[t.resolvedKey()]
-	o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation),
-		fmt.Sprintf("ConfigMap %s/%s is missing %s annotation", cmNamespace, t.configMapName, injectTLSAnnotation))
+	o.Expect(cm.Annotations).To(o.HaveKeyWithValue(injectTLSAnnotation, "true"),
+		fmt.Sprintf("ConfigMap %s/%s must have %s=true", cmNamespace, t.configMapName, injectTLSAnnotation))

,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 696 - 705, The loop
fetching ConfigMaps should only treat missing resources as skippable: replace
the blanket error skip around oc.AdminKubeClient().CoreV1().ConfigMaps(...).Get
by checking apierrors.IsNotFound(err) and skipping only then, otherwise
surface/return the error (don't log every error as "not found"). Also make the
annotation assertion consistent with testConfigMapTLSInjection by replacing
o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation)) with an explicit
value check that the injectTLSAnnotation key equals the expected truthy value
(e.g., "true") so `"false"` is caught.

🧹 Nitpick comments (1)

test/extended/tls/tls_observed_config.go (1)

125-134: Verify controlPlane flags on configMapTargets.

Only the etcd entry (line 130) has controlPlane: true. Other operators like kube-apiserver, kube-controller-manager, and kube-scheduler ConfigMaps are not marked despite being control-plane components.

If this is intentional (e.g., these ConfigMaps exist in separate *-operator namespaces on guest clusters), consider adding a brief comment explaining the rationale to prevent future confusion.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extended/tls/tls_observed_config.go` around lines 125 - 134, The
configMapTargets slice currently only marks the etcd entry with controlPlane:
true (the literal entry for namespace "openshift-etcd" / configMapName
"etcd-operator-config"); update the other control-plane operator entries (for
example the entries with namespace "openshift-kube-apiserver",
"openshift-kube-controller-manager", and "openshift-kube-scheduler") to include
controlPlane: true if they are indeed control-plane ConfigMaps, or if this
omission is intentional leave the entries unchanged but add a concise inline
comment next to configMapTargets (or above the slice) explaining why only etcd
is marked (e.g., those operator ConfigMaps live in separate operator namespaces
on guest clusters) so future reviewers understand the rationale.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 696-705: The loop fetching ConfigMaps should only treat missing
resources as skippable: replace the blanket error skip around
oc.AdminKubeClient().CoreV1().ConfigMaps(...).Get by checking
apierrors.IsNotFound(err) and skipping only then, otherwise surface/return the
error (don't log every error as "not found"). Also make the annotation assertion
consistent with testConfigMapTLSInjection by replacing
o.Expect(cm.Annotations).To(o.HaveKey(injectTLSAnnotation)) with an explicit
value check that the injectTLSAnnotation key equals the expected truthy value
(e.g., "true") so `"false"` is caught.

---

Nitpick comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 125-134: The configMapTargets slice currently only marks the etcd
entry with controlPlane: true (the literal entry for namespace "openshift-etcd"
/ configMapName "etcd-operator-config"); update the other control-plane operator
entries (for example the entries with namespace "openshift-kube-apiserver",
"openshift-kube-controller-manager", and "openshift-kube-scheduler") to include
controlPlane: true if they are indeed control-plane ConfigMaps, or if this
omission is intentional leave the entries unchanged but add a concise inline
comment next to configMapTargets (or above the slice) explaining why only etcd
is marked (e.g., those operator ConfigMaps live in separate operator namespaces
on guest clusters) so future reviewers understand the rationale.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9d6193d8-3a17-4efc-8df2-3506db49de05

📥 Commits

Reviewing files that changed from the base of the PR and between ae5667f and 75e6f83.

📒 Files selected for processing (1)

• test/extended/tls/tls_observed_config.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-trt]

Job Failure Risk Analysis for sha: c4d1caa

Job Name

Failure Risk

pull-ci-openshift-origin-main-e2e-gcp-ovn-upgrade

High [Monitor:legacy-test-framework-invariants-pathological][sig-arch] events should not repeat pathologically for ns/openshift-network-diagnostics This test has passed 99.68% of 5356 runs on release 5.0 [Overall] in the last week. --- [Monitor:node-lifecycle][sig-node] node-lifecycle detects unexpected not ready node This test has passed 99.10% of 5358 runs on release 5.0 [Overall] in the last week. --- [Monitor:legacy-test-framework-invariants-pathological][sig-arch] events should not repeat pathologically for ns/openshift-multus This test has passed 99.91% of 5356 runs on release 5.0 [Overall] in the last week.

[ingvagabund]

Worth extending requireAnnotation with annotationKey string argument so the function can be reused. Also, to make it more explicit which annotation is checked.

[ingvagabund]

ditto about annotationKey string argument

[ingvagabund]

the annotation value as an argument to waitForAnnotation

[ingvagabund]

The comment got deleted by accident?

[ingvagabund]

The comment got deleted by accident?

[ingvagabund]

The code got deleted by accident?

[ingvagabund]

updateConfigMap can read the namespace from cm object? So namespace argument can be dropped.

[ingvagabund]

Is this producing the same list?

[ingvagabund]

Why moving the code around? Why not move it to the right place in the commit all these functions are introduced?

[ingvagabund]

How is this test related to "migrate all test functions and loops to narrow target types" commit? Perhaps move it into a separate commit?

[ingvagabund]

s/controlPlane/hostedControlPlane to make it more explicit.

[ingvagabund]

Worth inlining all the guestXXX functions in the top g.Describe("[sig-api-machinery][Feature:TLSObservedConfig][Serial][Suite:openshift/tls-observed-config]" as local variables instead of invoking the functions multiple times with the same input producing the same output.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[gangwgr]

/test e2e-aws-ovn-serial-1of2

[gangwgr]

/test e2e-gcp-ovn

[gangwgr]

/test e2e-gcp-ovn

[ingvagabund]

nit: keeping this on the same line will make the diff look easier to read

[ingvagabund]

nit: the comment removed on purpose?

[ingvagabund]

nit: the comment removed on purpose?

[ingvagabund]

nit: keeping it on a single line will make the diff easier to read

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[ingvagabund]

Nit: Another line breaking. Is this the cursor making these extra changes randomly?

[gangwgr]

yes

[ingvagabund]

guestSideObservedConfigTargets() and others can be inlined here since they are invoked only once.

[openshift-ci]

@gangwgr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-csi	49e0038	link	true	/test e2e-aws-csi

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.