
Testing of e2e code coverage for cert-manager operator #79300

Open
siddhibhor-56 wants to merge 1 commit into openshift:main from siddhibhor-56:cert-codecov

Conversation

@siddhibhor-56 siddhibhor-56 commented May 14, 2026

Overview

This PR extends e2e test coverage collection for the cert-manager operator and refactors the telco operators' DAST (Dynamic Application Security Testing) workflow infrastructure in OpenShift CI.

Cert-Manager Operator: E2E Coverage Instrumentation

The cert-manager operator CI configuration gains end-to-end code coverage collection and automated upload to Codecov:

  • Coverage Image Build: Introduces a new multi-stage cert-manager-operator-coverage image that compiles the operator binary with coverage instrumentation in a UBI9 minimal runtime, with coverage data collected to /tmp/e2e-cover.

  • Setup Phase: A new setup-coverage step patches the deployed operator pod to use the coverage-instrumented image, sets the GOCOVERDIR environment variable, and mounts an emptyDir volume for coverage data collection.

  • Collection and Upload: A post step named collect-coverage performs the following:

    • Sends SIGTERM to the running operator container to flush coverage data
    • Extracts coverage metadata from the pod and converts it to a text profile via go tool covdata
    • If a Codecov token is available (from a mounted secret), downloads the Codecov uploader, verifies its integrity, and uploads coverage with metadata tailored to job type (presubmit vs postsubmit) and PR/branch context
    • Treats upload failures as non-fatal to prevent blocking CI

Telco Operators: DAST Workflow Modernization

Multiple OCP release version configurations (4.16–4.21) for telco operators DAST testing are refactored:

  • Test Job Consolidation: The telco-dast-ci test job is replaced across all configurations with a new telco-dast-operators-ci job that:

    • Changes the execution schedule (e.g., from 00 13 * * 1 to Friday mornings)
    • Switches the workflow from telcov10n-functional-dast-setup to telcov10n-functional-dast-scan
    • Removes supplementary environment variables (ADDITIONAL_WORKER_ARCHITECTURE, ADDITIONAL_WORKERS*, DISCONNECTED) to simplify test configuration
  • Removed Resources: The distributed-tracing-tests-runner-telco test runner is removed from all affected configurations.

  • Workflow Update: The new telcov10n-functional-dast-scan workflow is introduced with updated metadata and includes the telcov10n-functional-dast-tests step in its pre-execution phase.

Test Step Registry Updates

  • DAST Test Scripts: The telcov10n-functional-dast-tests-commands.sh script is rewritten to orchestrate RapidAST DAST security scans instead of chainsaw compliance tests, automating vulnerability scanning across operators with result collection and artifact archiving.

  • Approver Changes: The OWNERS lists for dast-related test registry steps are updated to reflect team membership changes (removing natifridman and obochan-rh, adding oblau).

  • Configuration Cleanup: The old telcov10n-functional-dast-setup workflow metadata is removed as it is superseded by the new scan workflow.

Impact

These changes enable automated code coverage tracking for cert-manager operator releases and modernize the telco operators' security testing infrastructure to use RapidAST DAST scanning on a more consistent schedule across OCP versions.
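The collect-coverage step described above downloads the Codecov uploader and verifies it before running it. As an added illustration (not the PR's script), here is that check in Python against a constructed uploader and a constructed SHA256SUM file in the two-column `sha256sum`-style layout; the file contents, the `codecov` entry name and the skip/upload policy strings are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed stand-ins (not real Codecov artifacts): a fake uploader and a
# SHA256SUM file in the two-column sha256sum(1) layout that lists it by name.
FAKE_UPLOADER = b"#!/bin/sh\necho 'fake codecov uploader'\n"
TAMPERED_UPLOADER = FAKE_UPLOADER + b"# one extra line changes the digest\n"
GOOD_SUMS = (
    hashlib.sha256(FAKE_UPLOADER).hexdigest() + "  codecov\n"
    + "f" * 64 + "  codecov.exe\n"
)


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: digest}.

    Accepts the single-space and ' *' (binary mode) separators as well;
    rejects anything that is not a 64-character hex digest so a truncated
    or HTML error-page download is treated as malformed, not as 'no entry'.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA256SUM line: {raw!r}")
        sums[name] = digest
    return sums


def verify_uploader(binary, sums_text, name="codecov"):
    """True only if the SHA256SUM file lists `name` and its digest matches."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(binary).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


def upload_decision(binary, sums_text, token_present):
    """Policy of the collect-coverage step as described: no token -> skip;
    a checksum mismatch -> skip without ever executing the binary. Both
    outcomes are non-fatal for the CI job, so this returns a status string
    instead of raising."""
    if not token_present:
        return "skipped: no Codecov token mounted"
    try:
        ok = verify_uploader(binary, sums_text)
    except ValueError as exc:
        return f"skipped: {exc}"
    if not ok:
        return "skipped: uploader checksum mismatch, binary not executed"
    return "upload"
```

A checksum fetched from the same host as the binary only proves the download was not truncated or corrupted in transit; Codecov also publishes a PGP signature over the SHA256SUM file, and verifying that signature against a key pinned in the CI image is what turns this into a supply-chain check.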

coderabbitai Bot commented May 14, 2026

Walkthrough

This PR introduces E2E coverage collection for the cert-manager operator and restructures telco DAST testing infrastructure. The cert-manager changes add a coverage image build and post-test coverage upload. The telco changes consolidate DAST jobs across OpenShift versions, replacing a setup-based chainsaw workflow with a scan-based RapidAST workflow and updating approvers accordingly.

Changes

Cert-Manager Operator E2E Coverage

Layer / File(s) Summary
Coverage image and setup
ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml
cert-manager-operator-coverage image combines Go build tags and UBI9 runtime with /tmp/e2e-cover volume, GOCOVERDIR env, and restricted permissions (UID/GID 65534) to enable coverage collection. The setup-coverage step patches the deployment (or owning CSV) to swap the operator container image, set GOCOVERDIR, and mount the emptyDir volume.
Post-test coverage collection and upload
ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml
collect-coverage post-step SIGTERMs the running operator pod to flush coverage, copies coverage files from /tmp/e2e-cover, converts them to text profile using go tool covdata, and optionally uploads to Codecov (best-effort) using a mounted secret token.

Telco DAST Workflow and Job Restructuring

Layer / File(s) Summary
New dast-scan workflow and metadata
ci-operator/step-registry/telcov10n/functional/dast/scan/telcov10n-functional-dast-scan-workflow.yaml, ci-operator/step-registry/telcov10n/functional/dast/scan/telcov10n-functional-dast-scan-workflow.metadata.json
Introduces telcov10n-functional-dast-scan workflow that includes telcov10n-functional-dast-tests step in the pre-phase after operator installation, replacing the prior setup workflow.
Test runner rewrite from chainsaw to RapidAST
ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh, ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-ref.yaml
Complete rewrite from chainsaw test to RapidAST DAST scanning: creates project/serviceaccount/RBAC, applies per-operator RapidAST ConfigMaps (with bearer-token auth and zap scanner config), runs scan pods, polls for completion, collects tar archives of results, and streams them to artifact directory. Updates ref source to cli and adds OPERATORS_DAST env variable documenting the format.
CI job config updates across versions
ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.16.yaml, ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.18.yaml, ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.19.yaml, ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.20.yaml, ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.21.yaml
Replaces telco-dast-ci job with telco-dast-operators-ci across all release versions: updates cron schedules, changes workflow to telcov10n-functional-dast-scan, removes prior distributed-tracing-tests-runner-telco and build_root.image_stream_tag, and drops environment variables unrelated to the scan workflow (e.g., ADDITIONAL_WORKERS*, DISCONNECTED). Version 4.17 is deleted entirely.
Setup workflow cleanup
ci-operator/step-registry/telcov10n/functional/dast/setup/telcov10n-functional-dast-setup-workflow.metadata.json
Metadata file for the prior setup workflow is cleared, phasing out the old workflow definition.
Ownership and approver updates
ci-operator/step-registry/telcov10n/functional/dast/OWNERS, ci-operator/step-registry/telcov10n/functional/dast/scan/OWNERS, ci-operator/step-registry/telcov10n/functional/dast/tests/OWNERS, ci-operator/step-registry/telcov10n/functional/dast/talm-prereq-crds/OWNERS, ci-operator/step-registry/telcov10n/functional/dast/scan/telcov10n-functional-dast-scan-workflow.metadata.json, ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-ref.metadata.json, ci-operator/step-registry/telcov10n/functional/dast/talm-prereq-crds/telcov10n-functional-dast-talm-prereq-crds-ref.metadata.json
Approvers list updated across dast paths: removed natifridman and obochan-rh; added oblau (with eifrach retained/ensured in relevant paths). Metadata files for the new scan workflow and talm-prereq-crds add ownership tracking.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly addresses the main change: adding e2e code coverage testing for cert-manager operator, which is the primary focus of the largest and most substantive file modification.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR modifies CI/CD configuration files (YAML, bash scripts, and metadata files). The repository contains no Ginkgo test definitions. The custom check for stable test names is not applicable.
Test Structure And Quality ✅ Passed PR does not modify any Ginkgo test code. The check is inapplicable as the PR consists of CI/CD configuration changes, workflow definitions, and shell scripts, not Go test code with Ginkgo patterns.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests are added. PR contains only CI config (YAML), bash scripts, and metadata changes. Check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR. Changes are limited to CI/CD configuration (YAML), infrastructure scripts, and metadata. SNO compatibility check not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies CI/CD configs only. The sole Kubernetes manifests (ConfigMap and Pod in test scripts) lack scheduling constraints. No deployment manifests with HA topology assumptions found.
Ote Binary Stdout Contract ✅ Passed PR modifies only CI/CD configuration (YAML, shell scripts, metadata). No Go source files modified. OTE Binary Stdout Contract check applies only to Go code, not applicable here.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests are added in this PR. Changes are CI configuration updates and coverage collection infrastructure for existing tests, which are not subject to this check.



Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Comment @coderabbitai help to get the list of available commands and usage tips.

@siddhibhor-56 siddhibhor-56 marked this pull request as draft May 14, 2026 13:01
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 14, 2026
@openshift-ci openshift-ci Bot requested review from bharath-b-rh and mytreya-rh May 14, 2026 13:01

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml (2)

136-141: 💤 Low value

Consider adding a comment documenting the SIGTERM/restart assumption.

The logic relies on the container restarting in place after SIGTERM (preserving the emptyDir volume with coverage data). This works because deployments have restartPolicy: Always, but a brief inline comment would help future maintainers understand why this approach is correct.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml`
around lines 136 - 141, Add a brief inline comment above the SIGTERM/restart
block explaining the assumption that sending SIGTERM to PID 1 inside the
cert-manager-operator container will cause the pod to restart in place
(preserving the emptyDir volume with coverage data) because the deployment uses
restartPolicy: Always; reference the kill -TERM 1 / oc exec command and the
expectation that the container will be recreated rather than the pod being
replaced, so future maintainers understand why we sleep and wait for the same
pod to become Ready.

226-241: 💤 Low value

Hardcoded array indices in JSON patches are fragile.

The patches assume the operator container is at /containers/0 and the deployment is at /deployments/0. If the CSV or deployment structure changes (e.g., init containers added, multiple deployments), these patches could target the wrong resource.

Consider using jq to find the correct index by container/deployment name, or add a comment acknowledging this assumption for the current operator structure.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml`
around lines 226 - 241, The JSON patches hardcode indices
(/spec/install/spec/deployments/0 and /containers/0) which is brittle; update
the script to compute the correct deployment and container indices dynamically
(e.g., use jq to locate the deployment index by matching the deployment name and
the container index by matching container.name == "cert-manager-operator" from
the CSV or deployment JSON) and then build the patch paths using those computed
indices (replace uses of deployments/0 and containers/0 in the oc patch/oc set
commands with the variables holding the found indices like DEP_IDX and CT_IDX);
alternatively, if you intentionally rely on a single known deployment/container,
add a clear comment near the oc patch/oc set invocations (referencing the
CSV/DEPLOYMENT, COVERAGE_IMAGE, GOCOVERDIR_PATH variables) documenting the
assumption so future reviewers understand the constraint.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0c5e551e-9c3b-4009-8ce0-61ef3dee6f38

📥 Commits

Reviewing files that changed from the base of the PR and between 55c6069 and dc2fba5.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift/external-secrets-operator/openshift-external-secrets-operator-main-postsubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (2)
  • ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml
  • ci-operator/config/openshift/external-secrets-operator/openshift-external-secrets-operator-main.yaml
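The second nitpick above suggests resolving the deployment and container indices by name instead of hardcoding `/deployments/0` and `/containers/0`. As an added illustration (not the PR's script), here is that idea in Python rather than the jq the reviewer mentions, run against a constructed CSV fragment in which the operator sits at index 1 on both levels; the deployment names and images are made-up placeholders, and the container name `cert-manager-operator` is the one the review refers to.

```python
import copy

# Constructed CSV fragment (not the real cert-manager-operator CSV): the
# operator deployment is NOT the first one, and inside it the operator
# container is NOT the first container, so /deployments/0 and /containers/0
# would both hit the wrong object.
SAMPLE_CSV = {
    "spec": {"install": {"spec": {"deployments": [
        {"name": "cert-manager-operator-webhook",   # constructed name
         "spec": {"template": {"spec": {
             "containers": [{"name": "webhook", "image": "quay.io/example/webhook:v1"}],
             "volumes": []}}}},
        {"name": "cert-manager-operator-controller-manager",   # constructed name
         "spec": {"template": {"spec": {
             "containers": [
                 {"name": "kube-rbac-proxy", "image": "quay.io/example/kube-rbac-proxy:v1"},
                 {"name": "cert-manager-operator", "image": "quay.io/example/operator:v1",
                  "env": [{"name": "OPERATOR_NAME", "value": "cert-manager-operator"}]},
             ],
             "volumes": [{"name": "tmp", "emptyDir": {}}]}}}},
    ]}}}
}


def find_index(items, name):
    """Index of the list element whose .name matches, else KeyError."""
    for i, item in enumerate(items):
        if item.get("name") == name:
            return i
    raise KeyError(f"no element named {name!r}")


def _append_op(parent, key, prefix, value):
    """RFC 6902 'add' with '/-' needs an existing array; create it otherwise."""
    if parent.get(key):
        return {"op": "add", "path": f"{prefix}/{key}/-", "value": value}
    return {"op": "add", "path": f"{prefix}/{key}", "value": [value]}


def build_coverage_patch(csv, deployment_name, container_name, image, covdir):
    """Build the image / GOCOVERDIR / emptyDir patch, resolving indices by name."""
    deployments = csv["spec"]["install"]["spec"]["deployments"]
    d = find_index(deployments, deployment_name)
    pod_spec = deployments[d]["spec"]["template"]["spec"]
    c = find_index(pod_spec["containers"], container_name)
    container = pod_spec["containers"][c]
    spec_path = f"/spec/install/spec/deployments/{d}/spec/template/spec"
    ct_path = f"{spec_path}/containers/{c}"
    return [
        {"op": "replace", "path": f"{ct_path}/image", "value": image},
        _append_op(container, "env", ct_path, {"name": "GOCOVERDIR", "value": covdir}),
        _append_op(container, "volumeMounts", ct_path,
                   {"name": "e2e-cover", "mountPath": covdir}),
        _append_op(pod_spec, "volumes", spec_path, {"name": "e2e-cover", "emptyDir": {}}),
    ]


def apply_patch(doc, patch):
    """Minimal RFC 6902 applier for the 'add' / 'replace' ops used above."""
    doc = copy.deepcopy(doc)
    for op in patch:
        *parents, last = op["path"].lstrip("/").split("/")
        target = doc
        for part in parents:
            target = target[int(part)] if isinstance(target, list) else target[part]
        if isinstance(target, list) and last == "-":
            target.append(op["value"])
        elif isinstance(target, list):
            target[int(last)] = op["value"]
        else:
            target[last] = op["value"]
    return doc


def container_at(csv, dep_idx, ct_idx):
    """Name of the container a hardcoded index pair would actually hit."""
    deps = csv["spec"]["install"]["spec"]["deployments"]
    return deps[dep_idx]["spec"]["template"]["spec"]["containers"][ct_idx]["name"]
```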

@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 14, 2026
@openshift-merge-bot

@siddhibhor-56, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

couldn't prepare candidate: couldn't rebase candidate onto 54c0523ef9057f134a67e16ef59372e04d7a41a1 due to conflicts
Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh (1)

72-72: 💤 Low value

Consider pinning the RapidAST image to a specific version.

Using latest tag can lead to non-reproducible CI runs and unexpected breakages when the upstream image changes. Pin to a specific version for stability.

♻️ Suggested change
-    image: quay.io/redhatproductsecurity/rapidast:latest
+    image: quay.io/redhatproductsecurity/rapidast:2.13.0
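Review bot: `rapidast:2.13.0` is still a mutable tag, so this pin reduces drift but does not make the reference immutable; the agent prompt below already names the stronger option, an `@sha256:` digest, and pinning the digest with the tag recorded in a comment gives both reproducibility and readability. Also confirm that 2.13.0 is a published tag of quay.io/redhatproductsecurity/rapidast before applying the suggestion; nothing in this PR shows it.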
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh`
at line 72, The CI job currently uses an unpinned container image
"quay.io/redhatproductsecurity/rapidast:latest"; update the image reference in
the telcov10n-functional-dast-tests-commands.sh job to a specific version tag or
an immutable digest (e.g., replace the ":latest" suffix with a concrete tag or
`@sha256`:... digest) so builds are reproducible and stable; modify the "image:
quay.io/redhatproductsecurity/rapidast:latest" line accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5a1902e3-b62f-45ac-8fa5-dfa79300076b

📥 Commits

Reviewing files that changed from the base of the PR and between dc2fba5 and 53ff260.

⛔ Files ignored due to path filters (1)
  • ci-operator/jobs/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main-periodics.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (18)
  • ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.16.yaml
  • ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.17.yaml
  • ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.18.yaml
  • ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.19.yaml
  • ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.20.yaml
  • ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.21.yaml
  • ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml
  • ci-operator/step-registry/telcov10n/functional/dast/OWNERS
  • ci-operator/step-registry/telcov10n/functional/dast/scan/OWNERS
  • ci-operator/step-registry/telcov10n/functional/dast/scan/telcov10n-functional-dast-scan-workflow.metadata.json
  • ci-operator/step-registry/telcov10n/functional/dast/scan/telcov10n-functional-dast-scan-workflow.yaml
  • ci-operator/step-registry/telcov10n/functional/dast/setup/telcov10n-functional-dast-setup-workflow.metadata.json
  • ci-operator/step-registry/telcov10n/functional/dast/talm-prereq-crds/OWNERS
  • ci-operator/step-registry/telcov10n/functional/dast/talm-prereq-crds/telcov10n-functional-dast-talm-prereq-crds-ref.metadata.json
  • ci-operator/step-registry/telcov10n/functional/dast/tests/OWNERS
  • ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh
  • ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-ref.metadata.json
  • ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-ref.yaml
💤 Files with no reviewable changes (2)
  • ci-operator/step-registry/telcov10n/functional/dast/setup/telcov10n-functional-dast-setup-workflow.metadata.json
  • ci-operator/config/openshift-kni/eco-ci-cd/openshift-kni-eco-ci-cd-main__telco-operators-dast-4.17.yaml
✅ Files skipped from review due to trivial changes (5)
  • ci-operator/step-registry/telcov10n/functional/dast/tests/OWNERS
  • ci-operator/step-registry/telcov10n/functional/dast/scan/OWNERS
  • ci-operator/step-registry/telcov10n/functional/dast/scan/telcov10n-functional-dast-scan-workflow.metadata.json
  • ci-operator/step-registry/telcov10n/functional/dast/OWNERS
  • ci-operator/step-registry/telcov10n/functional/dast/talm-prereq-crds/telcov10n-functional-dast-talm-prereq-crds-ref.metadata.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml

Comment on lines +97 to +101
# Wait for sentinel file
echo "Waiting for scan to complete..."
until oc exec -n dast "${POD_NAME}" -c rapidast -- test -f /tmp/.done 2>/dev/null; do
sleep 15
done
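Review bot: the `2>/dev/null` on the `oc exec` also swallows the case where the pod no longer exists (evicted, OOM-killed or deleted), so the loop keeps polling a pod that will never create `/tmp/.done`. Alongside the timeout raised in the comment below, check `oc get pod -n dast "${POD_NAME}" -o jsonpath='{.status.phase}'` on each iteration and leave the loop with a failure when the phase is Failed or Succeeded without the sentinel present.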

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a timeout to the polling loop to prevent indefinite hangs.

The until loop polling for /tmp/.done has no timeout. If the scan crashes or hangs without creating the sentinel file, this CI job will run indefinitely. The pod startup already enforces a 600s timeout, but the scan completion polling does not.

🛡️ Proposed fix to add timeout
   # Wait for sentinel file
   echo "Waiting for scan to complete..."
+  TIMEOUT=3600  # 1 hour max for scan
+  ELAPSED=0
-  until oc exec -n dast "${POD_NAME}" -c rapidast -- test -f /tmp/.done 2>/dev/null; do
+  until oc exec -n dast "${POD_NAME}" -c rapidast -- test -f /tmp/.done 2>/dev/null; do
+    if [[ ${ELAPSED} -ge ${TIMEOUT} ]]; then
+      echo "ERROR: Scan timed out after ${TIMEOUT}s for ${OPERATOR_NAME}"
+      OVERALL_RC=1
+      kill "${LOGS_PID}" 2>/dev/null || true
+      oc delete pod "${POD_NAME}" -n dast --ignore-not-found
+      continue 2
+    fi
     sleep 15
+    ELAPSED=$((ELAPSED + 15))
   done
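Review bot: the `-`/`+` pair for the `until ... do` line is identical, so it is a no-op and should be dropped from the suggestion. `continue 2` only works if this loop sits directly inside the per-operator loop, which the hunk does not show; with any other nesting bash reports an error instead of moving to the next operator. `ELAPSED` counts only the `sleep 15` intervals, so each `oc exec` round-trip is unaccounted for and the real wall-clock bound exceeds `TIMEOUT`; comparing `$SECONDS` or `date +%s` against a start timestamp gives an honest bound. `OVERALL_RC`, `LOGS_PID` and `OPERATOR_NAME` are also assumed to exist in scope.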
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/telcov10n/functional/dast/tests/telcov10n-functional-dast-tests-commands.sh`
around lines 97 - 101, The polling loop that waits for the sentinel file
/tmp/.done (the until oc exec -n dast "${POD_NAME}" -c rapidast -- test -f
/tmp/.done loop) must be given a timeout to avoid hanging; add a timeout
variable (e.g., SCAN_TIMEOUT_SECONDS=600) and record a start timestamp, then
inside the loop check elapsed time on each iteration and if it exceeds the
timeout print an error mentioning POD_NAME and container rapidast and exit
non‑zero; keep the existing sleep 15 between polls and ensure the failure path
breaks the loop and fails the script so CI does not hang indefinitely.

@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 14, 2026
@openshift-ci

openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: siddhibhor-56
Once this PR has been reviewed and has the lgtm label, please assign swghosh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot

[REHEARSALNOTIFIER]
@siddhibhor-56: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
pull-ci-openshift-cert-manager-operator-master-ci-bundle-cert-manager-operator-bundle openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-aws-proxy openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-aws-sts openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-aws-upi-proxy openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-azure-ovn openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-azure-workload-identity openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-gcp-ovn openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-gcp-workload-identity openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-tech-preview openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-fips-image-scan-cert-manager openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-fips-image-scan-operator openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-images openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-unit openshift/cert-manager-operator presubmit Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-verify openshift/cert-manager-operator presubmit Ci-operator config changed

@siddhibhor-56 siddhibhor-56 marked this pull request as ready for review May 14, 2026 16:08
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress label May 14, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 14, 2026

@siddhibhor-56: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@siddhibhor-56
Contributor Author

/pj-rehearse max

@openshift-merge-bot
Contributor

@siddhibhor-56: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.
