test: add e2e tests for TLS security profile watcher

[IshwarKanse]

Summary

• Adds e2e tests for the TLS security profile watcher feature introduced in Add support for TLS profiles #1041
• Tests verify the operator correctly restarts when the APIServer CR's tlsSecurityProfile changes and remains stable when non-TLS fields change
• Test file is prefixed with zz_ to run last in the suite, since modifying the APIServer TLS profile triggers a MachineConfigPool rollout

Test scenarios

Test	What it verifies
Default TLS profile	APIServer CR is readable; operator is running with default (nil/Intermediate) profile
Restart on Old profile	Changing TLS profile to Old triggers operator container restart; operator recovers to ready
Restart on Custom profile	Setting a Custom profile with specific ciphers triggers restart; operator recovers
No restart on non-TLS change	Adding an annotation to the APIServer CR does NOT cause the operator to restart

Design decisions

• Tracks container restart count AND pod UID: the TLS watcher cancels the operator's context causing the process to exit; Kubernetes either restarts the container (restart count increases) or replaces the pod entirely (new UID) depending on backoff state
• Uses waitForStableRestartCount: waits for restart count to remain unchanged for 30s AND the container to have been running for 15s+ before considering the operator stable — prevents race conditions between test cleanup restarts and subsequent tests
• Uses annotation changes instead of audit profile changes: modifying spec.audit.profile triggers disruptive MachineConfigPool rollouts; annotations trigger the watcher reconcile without cluster impact
• Resets TLS profile at suite start: ensures a clean nil/Intermediate baseline regardless of what previous test runs may have left behind

Test plan

• All 4 TLS profile tests pass in isolation
• All 4 TLS profile tests pass as part of the full e2e suite
• No regressions in existing e2e tests

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9374acb8-c2d8-47aa-8d7c-d87bd4985095

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds an OpenShift-only end-to-end test that manipulates configv1.APIServer.spec.TLSSecurityProfile and verifies the observability-operator by observing Deployment readiness and operator pod/container restart signals. The test clears the TLS profile baseline, runs subtests for default/Modern/Custom TLS profiles and a non-TLS annotation stability check, and uses helpers to patch/restore the APIServer, locate the running operator pod, compute restart counts, wait for restarts, and ensure a stable restart-count baseline.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding end-to-end tests for the TLS security profile watcher feature.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, providing detailed test scenarios, design decisions, and test plan.
Docstring Coverage	✅ Passed	Docstring coverage is 91.67% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: IshwarKanse
Once this PR has been reviewed and has the lgtm label, please assign simonpasquier for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @IshwarKanse. Thanks for your PR.

I'm waiting for a rhobs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jan--f]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/e2e/zz_tls_profile_test.go (1)

397-405: Consider filtering by container name for consistency.

Similar to the previous restart detection loop, this checks uptime across all containers. For consistency with getOperatorContainerRestartCount, consider filtering to operatorContainerName.

♻️ Suggested improvement

 		for _, cs := range pod.Status.ContainerStatuses {
+			if cs.Name != operatorContainerName {
+				continue
+			}
 			if cs.State.Running != nil {
 				uptime := time.Since(cs.State.Running.StartedAt.Time)
 				if uptime < 15*time.Second {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/zz_tls_profile_test.go` around lines 397 - 405, The uptime check
iterates all pod.Status.ContainerStatuses and may include non-operator
containers; update the loop to filter by the operatorContainerName (same
selector used in getOperatorContainerRestartCount) so you only inspect
ContainerStatus entries where cs.Name == operatorContainerName before checking
cs.State.Running and StartedAt; this ensures consistency with the
restart-detection logic and avoids false waits due to other containers' short
uptimes.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/zz_tls_profile_test.go`:
- Around line 361-366: The restart-detection loop iterates all
p.Status.ContainerStatuses and can pick up non-operator containers; update the
loop in the test (the block iterating p.Status.ContainerStatuses) to only
consider the operator by checking cs.Name (or the container name field used)
equals operatorContainerName before comparing RestartCount to baselineRestarts
so only the operator container restarts trigger the true return; you may also
explicitly skip InitContainerStatuses if relevant.

---

Nitpick comments:
In `@test/e2e/zz_tls_profile_test.go`:
- Around line 397-405: The uptime check iterates all
pod.Status.ContainerStatuses and may include non-operator containers; update the
loop to filter by the operatorContainerName (same selector used in
getOperatorContainerRestartCount) so you only inspect ContainerStatus entries
where cs.Name == operatorContainerName before checking cs.State.Running and
StartedAt; this ensures consistency with the restart-detection logic and avoids
false waits due to other containers' short uptimes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 159c305b-31a0-48e3-8161-9b1252ed052c

📥 Commits

Reviewing files that changed from the base of the PR and between e38cec1 and 8bcce30.

📒 Files selected for processing (1)

• test/e2e/zz_tls_profile_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/zz_tls_profile_test.go`:
- Around line 190-207: The poll silently passes when pods are replaced or when
lookup errors are swallowed; change the stability check to (1) capture the
operator pod UID alongside the restart count before the wait (introduce or
modify operatorContainerRestartCount to return (int, string, error) or add a
getOperatorPodUID helper and store initialPodUID), and (2) in the
wait.PollUntilContextTimeout lambda return an error when
operatorContainerRestartCount/getOperatorPodUID fails (do not swallow persistent
errors) and treat podUID != initialPodUID OR currentRestarts > initialRestarts
as a restart (return true, fmt.Errorf(...)); keep using
wait.Interrupted/assert.NilError as final assertions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 51e16b9d-ffa7-41d0-a59f-0bd2014906b8

📥 Commits

Reviewing files that changed from the base of the PR and between d87050d and cbd97cd.

📒 Files selected for processing (1)

• test/e2e/zz_tls_profile_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/zz_tls_profile_test.go`:
- Around line 31-35: This test mutates cluster-wide APIServer TLS profile by
calling setTLSProfile(t, nil) and does not restore the pre-test value; capture
the current TLS profile before calling setTLSProfile(nil) (e.g., call a helper
like getTLSProfile or read the APIServer spec), then ensure you restore it in
teardown using t.Cleanup or defer by calling setTLSProfile(t, originalProfile);
apply this around the setTLSProfile invocation in TestTLSProfileWatcher so the
operatorDeploymentName/f.AssertDeploymentReady checks remain but cluster state
is reverted after the test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: a210f140-b03d-46df-b856-04dbeeb5b929

📥 Commits

Reviewing files that changed from the base of the PR and between cbd97cd and b5572fd.

📒 Files selected for processing (1)

• test/e2e/zz_tls_profile_test.go

[simonpasquier]

Test file is prefixed with zz_ to run last in the suite, since modifying the APIServer TLS profile triggers a MachineConfigPool rollout

I'm not sure about this: the runner executes tests using the alphabetical order of the test names, not filenames.

[coderabbitai]

♻️ Duplicate comments (1)

test/e2e/zz_tls_profile_test.go (1)

31-35: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restore the original APIServer TLS profile at test scope.

The test calls setTLSProfile(t, nil) to establish a baseline but does not capture or restore the pre-test TLS profile value. This leaves cluster-wide state mutated after the test completes. While individual subtests restore their own changes, the suite-level reset at line 33 is never reverted.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/zz_tls_profile_test.go` around lines 31 - 35, Capture the current
APIServer TLS profile before calling setTLSProfile(t, nil) and ensure it is
restored at test teardown (use t.Cleanup or defer) so suite-level state is not
left mutated; specifically, call something like getTLSProfile/tlsProfile :=
get...() or read the current profile just before setTLSProfile(t, nil) and
register a cleanup that calls setTLSProfile(t, tlsProfile) (so the baseline
reset is reverted), ensuring this restoration runs even if
f.AssertDeploymentReady(operatorDeploymentName, f.OperatorNamespace,
framework.WithTimeout(5*time.Minute))(t) fails.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@test/e2e/zz_tls_profile_test.go`:
- Around line 31-35: Capture the current APIServer TLS profile before calling
setTLSProfile(t, nil) and ensure it is restored at test teardown (use t.Cleanup
or defer) so suite-level state is not left mutated; specifically, call something
like getTLSProfile/tlsProfile := get...() or read the current profile just
before setTLSProfile(t, nil) and register a cleanup that calls setTLSProfile(t,
tlsProfile) (so the baseline reset is reverted), ensuring this restoration runs
even if f.AssertDeploymentReady(operatorDeploymentName, f.OperatorNamespace,
framework.WithTimeout(5*time.Minute))(t) fails.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 628a83d3-da73-4251-a9b8-46d10b9b3a2c

📥 Commits

Reviewing files that changed from the base of the PR and between b5572fd and 1c20b98.

📒 Files selected for processing (1)

• test/e2e/zz_tls_profile_test.go

[IshwarKanse]

Test file is prefixed with zz_ to run last in the suite, since modifying the APIServer TLS profile triggers a MachineConfigPool rollout

I'm not sure about this: the runner executes tests using the alphabetical order of the test names, not filenames.

The zz_ prefix works at the filename level, not the test name level. Go's go test tool compiles and processes source files in lexicographic order, so Test* functions defined in zz_tls_profile_test.go are placed after all functions in files that sort earlier (e.g. uiplugin_test.go). This ensures TestTLSProfileWatcher runs last regardless of its name. The PR description has been updated to clarify this.

Also addressed the Modern profile suggestion — switched from Old to Modern in the latest commit (verified on a live cluster that it is accepted and triggers an operator restart correctly).

[simonpasquier]

/ok-to-test

[openshift-ci]

@IshwarKanse: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/observability-operator-e2e	1c20b98	link	true	/test observability-operator-e2e

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.