Add e2e test for x-radius-sensitive annotation updates

[lakshmimsft]

Description

This pull request adds new functional tests that validates sensitive field encryption and redaction for user-defined resource types in the dynamic resource provider. The test ensures that fields marked with the x-radius-sensitive annotation are encrypted on creation and update, and are redacted (set to null) when retrieved via GET or LIST operations. The changes include the test logic, supporting Bicep templates, and the resource type schema definition.

Type of change

• This pull request adds or changes features of Radius and has an approved issue (issue link required).
• This pull request is a minor refactor, code cleanup, test improvement, or other maintenance task and doesn't change the functionality of Radius (issue link optional).

Fixes: #11097

Contributor checklist

Please verify that the PR meets the following requirements, where applicable:

• An overview of proposed schema changes is included in a linked GitHub issue.
  • Yes
  • Not applicable
• A design document PR is created in the design-notes repository, if new APIs are being introduced.
  • Yes
  • Not applicable
• The design document has been reviewed and approved by Radius maintainers/approvers.
  • Yes
  • Not applicable
• A PR for the samples repository is created, if existing samples are affected by the changes in this PR.
  • Yes
  • Not applicable
• A PR for the documentation repository is created, if the changes in this PR affect the documentation or any user facing updates are made.
  • Yes
  • Not applicable
• A PR for the recipes repository is created, if existing recipes are affected by the changes in this PR.
  • Yes
  • Not applicable

[github-actions]

Unit Tests

    2 files  ±0    415 suites  ±0   6m 48s ⏱️ +7s
4 862 tests ±0  4 860 ✅ ±0  2 💤 ±0  0 ❌ ±0 
5 762 runs  ±0  5 760 ✅ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit 585f7fb. ± Comparison against base commit a1059b6.

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.09%. Comparing base (0980cf9) to head (9799cc1).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11348      +/-   ##
==========================================
- Coverage   51.10%   51.09%   -0.01%     
==========================================
  Files         699      699              
  Lines       44067    44067              
==========================================
- Hits        22521    22518       -3     
- Misses      19400    19402       +2     
- Partials     2146     2147       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds a new DynamicRP functional (non-cloud portable) test scenario to validate handling of x-radius-sensitive fields for user-defined resource types, including recipe-time decryption and GET/LIST-time redaction.

Changes:

• Add a new DynamicRP resource type schema (sensitiveResource) with a mix of sensitive/non-sensitive fields (including nested + object-level sensitivity).
• Add Bicep templates for deploying the sensitive resource and a recipe that writes decrypted values into a Kubernetes Secret.
• Add an end-to-end functional test that verifies redaction on GET/LIST and verifies decrypted values were provided to the recipe on create and update.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
test/testrecipes/test-bicep-recipes/dynamicrp_sensitive_recipe.bicep	New recipe writes decrypted sensitive values into a K8s Secret for verification.
test/functional-portable/dynamicrp/noncloud/resources/testdata/testresourcetypes.yaml	Adds sensitiveResource schema with x-radius-sensitive annotations.
test/functional-portable/dynamicrp/noncloud/resources/testdata/sensitive-resource.bicep	Deploys env/app and the sensitiveResource instance wired to the new recipe.
test/functional-portable/dynamicrp/noncloud/resources/sensitive_fields_test.go	New functional test validating GET/LIST redaction and recipe-time decryption on create/update.

[sk593]

Is it possible to move this to a helper function between the put and update steps?

[radius-functional-tests]

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details

Name	Value
Repository	radius-project/radius
Commit ref	585f7fb
Unique ID	funca9ed15a0e5
Image tag	pr-funca9ed15a0e5

• gotestsum 1.13.0
• KinD: v0.29.0
• Dapr: 1.14.4
• Azure KeyVault CSI driver: 1.4.2
• Azure Workload identity webhook: 1.3.0
• Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-funca9ed15a0e5
• Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
• applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-funca9ed15a0e5
• dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-funca9ed15a0e5
• controller test image location: ghcr.io/radius-project/dev/controller:pr-funca9ed15a0e5
• ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-funca9ed15a0e5
• deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting ucp-cloud functional tests...
⌛ Starting corerp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded