tls: deduplicate ConfigMap helpers into standalone functions"

[gangwgr]

Summary

• Make configMapNamespace and configMapKey fields explicit on all targets, removing fallback/defaulting logic
• Extract validateNamespace and getConfigMap helpers to replace repeated inline namespace-check and ConfigMap-fetch patterns
• Extract requireAnnotation, waitForAnnotation, and updateConfigMap helpers to replace duplicated annotation-check, polling, and update patterns
  Follow-up to : no-jira: tls: extract injectTLSAnnotation constant #31125 (merged). Each commit is independently reviewable.

Summary by CodeRabbit

• Tests
  • Updated TLS tests to target ConfigMaps by explicit namespace for accurate injection verification.
  • Refactored helpers and polling logic to centralize namespace checks and reliably detect annotation/servingInfo restoration.
  • Enhanced logging and assertions to validate minTLSVersion and cipher suite counts and to cross-check against APIServer TLS profiles.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Walkthrough

Adds explicit ConfigMap namespace handling to TLS observed-config tests: tlsTarget gains configMapNamespace; introduces namespace-aware helpers (validateNamespace, getConfigMap); and updates tests to read/update ConfigMaps via the explicit namespace with polling, stricter assertions, and enhanced logging.

Changes

TLS Test Infrastructure Refactoring

Layer / File(s)	Summary
Data Shape test/extended/tls/tls_observed_config.go	tlsTarget struct gains configMapNamespace string; comment updated to state it no longer defaults to t.namespace.
Test Target Definitions test/extended/tls/tls_observed_config.go	Target entries (e.g., image-registry, cluster-samples-operator) updated to populate configMapNamespace alongside configMapName/configMapKey.
Helpers / Namespace Validation test/extended/tls/tls_observed_config.go	New helpers validateNamespace and getConfigMap added to check namespace existence and fetch ConfigMaps from a specific namespace.
Core Test Logic: TLS Injection Check test/extended/tls/tls_observed_config.go	testConfigMapTLSInjection refactored to use validateNamespace/getConfigMap, verify inject-tls annotation on the namespaced ConfigMap, extract TLS from configMapKey, log actual minTLSVersion and cipher suite count, and cross-check injected minTLSVersion with the cluster TLS profile (including profile type).
Core Test Logic: Annotation Restoration test/extended/tls/tls_observed_config.go	testAnnotationRestorationAfterDeletion and testAnnotationRestorationWhenFalse updated to operate on configMapNamespace/configMapName, perform annotation delete/set, and poll by re-fetching the namespaced ConfigMap until annotation is restored to "true".
Core Test Logic: ServingInfo Restoration test/extended/tls/tls_observed_config.go	testServingInfoRestorationAfterRemoval and testServingInfoRestorationAfterModification updated to operate on configMapNamespace/configMapKey, remove/modify servingInfo/minTLSVersion, and poll by re-fetching namespaced ConfigMaps until expected servingInfo/minTLSVersion are restored or corrected.
Verification / Reporting test/extended/tls/tls_observed_config.go	ConfigMap verification after TLS profile switches now always reads from t.configMapNamespace/t.configMapKey, skips missing ConfigMaps, and includes enhanced logs for versions and cipher counts.

Sequence Diagram(s)

sequenceDiagram
  participant Test as TLS Test
  participant K8s as Kubernetes API
  participant CVO as ClusterVersionOperator
  participant APIServer as API Server

  Test->>K8s: validateNamespace(namespace)
  Test->>K8s: getConfigMap(namespace/name)
  K8s-->>Test: ConfigMap (annotations + data)
  alt inject-tls present
    CVO->>K8s: inject TLS into ConfigMap (inject-tls)
    K8s-->>CVO: update ConfigMap
    CVO->>APIServer: apply TLS profile
    APIServer-->>Test: TLS profile info (queried)
    Test->>K8s: re-fetch ConfigMap (poll)
    K8s-->>Test: ConfigMap with servingInfo (minTLSVersion, cipherSuites)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	Test code has critical quality issues: (1) 6+ unsafe map key accesses without existence checks; (2) error handling that continues on all Get() errors; (3) updateConfigMap lacks RetryOnConflict.	Fix unsafe map access with existence checks. Check only IsNotFound errors for skip; fail on others. Wrap updateConfigMap Update() in retry.RetryOnConflict per review comments.
Single Node Openshift (Sno) Test Compatibility	⚠️ Warning	New Ginkgo tests added lack SNO (Single Node OpenShift) protection. While tests don't require multiple nodes, they lack explicit skip guards required by the custom check.	Add [Skipped:SingleReplicaTopology] label to test names or add exutil.IsSingleNode() check in BeforeEach with g.Skip(). Tests are topology-agnostic but need explicit SNO protection.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'tls: deduplicate ConfigMap helpers into standalone functions' clearly summarizes the main objective of the changeset: extracting and deduplicating helper functions for ConfigMap operations.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names are stable. Namespace values in test titles are hardcoded static strings from the targets array, not dynamic identifiers. No random suffixes, timestamps, or generated values found.
Microshift Test Compatibility	✅ Passed	All tests in tls_observed_config.go are protected from MicroShift via exutil.IsMicroShiftCluster() checks with g.Skip() in BeforeEach hooks of both Describe blocks. No new tests are added in this PR.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only test code (test/extended/tls/tls_observed_config.go). No deployment manifests, operator code, or controllers changed. No scheduling constraints introduced.
Ote Binary Stdout Contract	✅ Passed	No stdout violations found. All logging via safe framework methods (e2e.Logf, g.By). No fmt.Print/log.Print/klog usage. All code within proper Ginkgo test blocks.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR refactors existing tests, not adding new Ginkgo test blocks. Custom check applies only to NEW tests. Test count: 12 in parent → 12 in current. Any IPv4 usage is pre-existing.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/extended/tls/OWNERS [gangwgr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gangwgr]

/pipeline required

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[ingvagabund]

If you take a look at ingvagabund@d710237 there are two other places where configMapKey is empty. These needs to be set too.

[ingvagabund]

This commit adds three new helpers. Unfortunately, the code changes overlap each other so it takes some time to focus the eye to see the boundaries and memorize the parts. To be honest I can look at the code change only so many times before my brain stops separating those three functions from each other.

[ingvagabund]

How is removing the comment related to the refactoring?

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/tls/tls_observed_config.go`:
- Around line 1189-1192: The code currently treats a missing configMap key as an
empty value and skips the test; change the guard to first check key presence
using the map lookup (e.g., val, ok := cm.Data[t.configMapKey]) and if ok is
false, fail the test (or return an error) to surface a bad key/injection,
otherwise inspect val with strings.Contains for "servingInfo" (and similarly for
the other check around minTLSVersion), only skipping when the key exists but the
expected substring is absent.
- Around line 883-886: The current ConfigMap Get call
(oc.AdminKubeClient().CoreV1().ConfigMaps(...).Get using t.configMapNamespace,
t.configMapName, configChangeCtx) silently continues on any error; change it to
only continue when apierrors.IsNotFound(err) is true and treat all other errors
as test failures (e.g., call t.Fatalf or e2e.Failf with the error details) so
typos or API failures don't drop targets; apply the same change to the other
occurrence around lines 1506-1509.
- Around line 1107-1109: The ConfigMap update in updateConfigMap is vulnerable
to transient resourceVersion conflicts; wrap the call to
oc.AdminKubeClient().CoreV1().ConfigMaps(t.configMapNamespace).Update(...)
inside retry.RetryOnConflict so the update is retried on conflicts, using a
closure that re-reads the ConfigMap (via
oc.AdminKubeClient().CoreV1().ConfigMaps(...).Get(...)) if necessary and then
applies the same mutation before retrying; ensure the retry returns the final
error from Update and preserves the existing error message context.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d4b4e02d-0e6c-429c-ae48-f2044e58a793

📥 Commits

Reviewing files that changed from the base of the PR and between 583a7b9 and e5271ce.

📒 Files selected for processing (1)

• test/extended/tls/tls_observed_config.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail on unexpected ConfigMap lookup errors here.

Both profile-switch paths continue on any Get error. With the new explicit configMapNamespace/configMapName fields, a typo, missing namespace validation, or transient API failure will silently drop that target from coverage and let the suite pass. Only IsNotFound should skip; other errors should still fail.

Suggested tightening

- cm, err := oc.AdminKubeClient().CoreV1().ConfigMaps(t.configMapNamespace).Get(configChangeCtx, t.configMapName, metav1.GetOptions{})
- if err != nil {
- 	e2e.Logf("SKIP: ConfigMap %s/%s not found: %v", t.configMapNamespace, t.configMapName, err)
- 	continue
- }
+ validateNamespace(oc, configChangeCtx, t.configMapNamespace)
+ cm, err := oc.AdminKubeClient().CoreV1().ConfigMaps(t.configMapNamespace).Get(configChangeCtx, t.configMapName, metav1.GetOptions{})
+ if apierrors.IsNotFound(err) {
+ 	e2e.Logf("SKIP: ConfigMap %s/%s not found", t.configMapNamespace, t.configMapName)
+ 	continue
+ }
+ o.Expect(err).NotTo(o.HaveOccurred(),
+ 	fmt.Sprintf("failed to get ConfigMap %s/%s", t.configMapNamespace, t.configMapName))

Also applies to: 1506-1509

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/tls/tls_observed_config.go` around lines 883 - 886, The current
ConfigMap Get call (oc.AdminKubeClient().CoreV1().ConfigMaps(...).Get using
t.configMapNamespace, t.configMapName, configChangeCtx) silently continues on
any error; change it to only continue when apierrors.IsNotFound(err) is true and
treat all other errors as test failures (e.g., call t.Fatalf or e2e.Failf with
the error details) so typos or API failures don't drop targets; apply the same
change to the other occurrence around lines 1506-1509.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci]

@gangwgr: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-trt]

Job Failure Risk Analysis for sha: e5271ce

Job Name

Failure Risk

pull-ci-openshift-origin-main-e2e-gcp-ovn

Low [Jira:Node Tuning Operator][sig-tuning-node] should [test_id:37415][OTP]Allow setting isolated_cores without touching the default_irq_affinity [Disruptive] This test has passed 0.00% of 1 runs on release 5.0 [Architecture:amd64 FeatureSet:default Installer:ipi JobTier:standard Network:ovn NetworkStack:ipv4 OS:rhcos9 Owner:eng Platform:gcp Procedure:none SecurityMode:default Topology:ha Upgrade:micro] in the last week.