
EP #1914: Add trust-manager E2E tests#434

Closed
openshift-app-platform-shift[bot] wants to merge 3 commits into cert-manager-1.18 from feature/e2e-tests-1914

Conversation

@openshift-app-platform-shift


Summary

  • Adds end-to-end tests for the trust-manager controller (EP #1914: Extend cert-manager-operator to manage trust-manager)
  • Tests cover the full trust-manager lifecycle: CR creation → resource verification → status conditions → cleanup
  • Validates feature-specific behaviors: SecretTargets policy, DefaultCAPackage, FilterExpiredCertificates, and log configuration
  • Follows established E2E patterns from istio_csr_test.go using Ginkgo/Gomega, dynamic resource loader, and Go template-based CR manifests

Test Coverage

Context                      Tests  Description
Basic lifecycle              3      Resource creation, Ready condition, cleanup on deletion
Deployment reconciliation    2      Drift detection (replica reset), log level/format args
Secret targets policy        2      RBAC creation (Custom), RBAC absence (Disabled)
Default CA package           2      ConfigMap with injection annotation (Enabled), absence (Disabled)
Filter expired certificates  2      --filter-expired-certs=true/false deployment arg verification

New Files

  • test/e2e/trust_manager_test.go — 11 E2E test cases with helper functions
  • test/e2e/testdata/trust_manager/trust_manager_template.yaml — Go template for TrustManager CR

Test plan

  • Verify go vet -tags e2e ./test/e2e/... passes
  • Run E2E tests with Feature:TrustManager label on a cluster with TrustManager feature gate enabled
  • Verify tests create and clean up resources properly

Dependencies

🤖 Generated with Claude Code

openshift-app-platform-shift Bot and others added 3 commits June 9, 2026 08:33
…tion

Add the TrustManager CRD (trustmanagers.operator.openshift.io/v1alpha1)
as specified in EP #1914 to enable cert-manager-operator to deploy and
manage the trust-manager operand.

New types include:
- TrustManager: cluster-scoped singleton CR (name must be "cluster")
- TrustManagerSpec/TrustManagerConfig: operand configuration including
  logLevel, logFormat, trustNamespace, secretTargets, defaultCAPackage,
  filterExpiredCertificates, and scheduling options
- SecretTargetsConfig: CEL-validated union of policy + authorizedSecrets
- DefaultCAPackageConfig: enable/disable OpenShift trusted CA bundle
- FilterExpiredCertificatesPolicy, SecretTargetsPolicy, DefaultCAPackagePolicy:
  enum types for policy configuration
- TrustManagerStatus: observed state with conditions and policy status

Also adds:
- TrustManager feature gate (Default: false, PreRelease: Alpha)
- Generated deepcopy, CRD manifest, client, informer, lister code
- Integration tests validating CRD schema, singleton, immutability,
  and cross-field validation rules
- YAML test suite covering create/update validation scenarios

Ref: openshift/enhancements#1914

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Implement the trust-manager controller following the established istiocsr
controller patterns. The controller manages the lifecycle of trust-manager
operand deployment in the cert-manager namespace.

Key implementation details:
- Controller package at pkg/controller/trustmanager/ with full reconciliation
  logic for Deployment, ServiceAccount, RBAC, and Service resources
- Static manifest templates in bindata/trust-manager/ for all managed resources
- Feature gate integration: controller only registers when TrustManager feature
  gate is enabled (Alpha, disabled by default)
- Combined cache builder in setup_manager.go ensures label-filtered resources
  from both istiocsr and trustmanager controllers are properly cached
- SecretTargets RBAC: dynamically creates/removes ClusterRole and
  ClusterRoleBinding based on SecretTargets policy (Custom vs Disabled)
- DefaultCAPackage support: creates ConfigMap with OpenShift trusted CA bundle
  injection annotation when enabled
- Cleanup logic: removes cluster-scoped resources (ClusterRoles,
  ClusterRoleBindings) on TrustManager CR deletion
- Updates features test to include TrustManager in the disabled-by-default
  feature list and fixes ordering comparison

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add end-to-end tests for the trust-manager controller covering:
- Basic lifecycle: resource creation, Ready condition, cleanup on deletion
- Deployment reconciliation: drift detection, log level/format configuration
- Secret targets policy: RBAC creation when Custom, absence when Disabled
- Default CA package: ConfigMap with injection annotation, deployment args
- Filter expired certificates: deployment arg verification for both policies

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
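An added illustration, not code from this PR or from cert-manager-operator, of the two secret-targets behaviours the commits and the E2E table describe: the CEL-validated union of policy and authorizedSecrets, and the expectation that the ClusterRole/ClusterRoleBinding exist only under the Custom policy. The API group/version, the singleton name "cluster" and the Custom/Disabled values come from the PR; the spec layout, the exact union rule and the helper names are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// TrustManagerParams feeds the Go-template CR manifest. The enum values are the
// ones the PR names; the field names and nesting under spec are assumptions.
type TrustManagerParams struct {
	SecretTargetsPolicy string   // "Custom" or "Disabled"
	AuthorizedSecrets   []string // assumed to be valid only with a Custom policy
}

// ValidateSecretTargets is a local stand-in for the CRD's CEL union rule in its
// assumed form: policy is Custom or Disabled, and authorizedSecrets is present exactly when Custom.
func ValidateSecretTargets(p TrustManagerParams) error {
	custom := p.SecretTargetsPolicy == "Custom"
	if (!custom && p.SecretTargetsPolicy != "Disabled") || custom != (len(p.AuthorizedSecrets) > 0) {
		return fmt.Errorf("secretTargets: policy %q with %d authorizedSecrets violates the union rule",
			p.SecretTargetsPolicy, len(p.AuthorizedSecrets))
	}
	return nil
}

// ExpectsSecretRBAC is the E2E expectation from the PR: the secret-reading
// ClusterRole and ClusterRoleBinding exist only while the policy is Custom.
func ExpectsSecretRBAC(p TrustManagerParams) bool { return p.SecretTargetsPolicy == "Custom" }

// apiVersion and the singleton name "cluster" are from the PR; the spec layout is assumed.
const crTemplate = `apiVersion: operator.openshift.io/v1alpha1
kind: TrustManager
metadata: {name: cluster}
spec:
  secretTargets:
    policy: {{ .SecretTargetsPolicy }}{{ if .AuthorizedSecrets }}
    authorizedSecrets: [{{ range $i, $s := .AuthorizedSecrets }}{{ if $i }}, {{ end }}{{ $s }}{{ end }}]{{ end }}
`

// RenderTrustManagerCR rejects an invalid union before rendering the CR manifest.
func RenderTrustManagerCR(p TrustManagerParams) (string, error) {
	if err := ValidateSecretTargets(p); err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err := template.Must(template.New("tm").Parse(crTemplate)).Execute(&buf, p)
	return buf.String(), err
}
```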
@openshift-ci openshift-ci Bot requested review from PillaiManish and swghosh June 9, 2026 08:55
@openshift-ci

openshift-ci Bot commented Jun 9, 2026

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: openshift-app-platform-shift[bot]
Once this PR has been reviewed and has the lgtm label, please assign bharath-b-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jun 9, 2026
@openshift-ci

openshift-ci Bot commented Jun 9, 2026

Contributor

Hi @openshift-app-platform-shift[bot]. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@swghosh

swghosh commented Jun 9, 2026

Member

/close
redundant as of #423

@openshift-ci openshift-ci Bot closed this Jun 9, 2026
@openshift-ci

openshift-ci Bot commented Jun 9, 2026

Contributor

@swghosh: Closed this PR.

In response to this:

/close
redundant as of #423

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
