CMP-4142: Add e2e test for TailoredProfile extending a CEL Profile #1207

Open
Vincent056 wants to merge 1 commit into ComplianceAsCode:master from Vincent056:e2e-tailoredprofile-extends-cel-profile

Vincent056 commented May 15, 2026

Summary

  • Adds TestTailoredProfileExtendsCELProfile to parallel e2e tests
  • Validates that a TailoredProfile can extend a CEL-based Profile, disable a rule, and produce correct scan results
  • Fills a gap in CEL profile coverage where only direct Profile references were tested via ScanSettingBinding

Test plan

  • e2e parallel tests pass (TestTailoredProfileExtendsCELProfile)
  • Existing CEL tests (TestCELProfileBundle, TestCELProfileScan, TestCELWithXCCDFProfileScan) still pass

Adds TestTailoredProfileExtendsCELProfile to parallel e2e tests.
The test creates a ProfileBundle with CEL content, then creates a
TailoredProfile that extends the resulting CEL profile while disabling
one rule. It verifies that a scan via ScanSettingBinding completes
successfully, enabled rules produce ComplianceCheckResults, and the
disabled rule does not.

@openshift-ci-robot (Collaborator)

@Vincent056: This pull request references CMP-4142 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "5.0." or "openshift-5.0.", but it targets "compliance-operator-1.9.0" instead.

openshift-ci Bot commented May 15, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Vincent056

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1207-70384e919d4ffe490c050e528873db82be0b139d

openshift-ci Bot commented May 15, 2026

@Vincent056: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-rosa | 70384e9 | link | true | /test e2e-rosa |
| ci/prow/e2e-aws-serial | 70384e9 | link | true | /test e2e-aws-serial |
| ci/prow/e2e-aws-parallel-arm | 70384e9 | link | true | /test e2e-aws-parallel-arm |

t.Log("ScanSettingBinding is ready")

suiteName := ssbName
err = f.WaitForSuiteScansStatus(testNamespace, suiteName, compv1alpha1.PhaseDone, compv1alpha1.ResultNonCompliant)
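
Review bot: `suiteName := ssbName` at the top of this hunk gives the same value a second name without saying why the two are equal. Either pass `ssbName` directly to `f.WaitForSuiteScansStatus`, or keep the alias and add a one-line comment stating that the ComplianceSuite takes the ScanSettingBinding's name, so a reader does not have to infer the relationship.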

Collaborator

Can we use WaitForSuiteScansStatusAnyResult instead of chaining two WaitForSuiteScansStatus?

suiteName := ssbName
err = f.WaitForSuiteScansStatus(testNamespace, suiteName, compv1alpha1.PhaseDone, compv1alpha1.ResultNonCompliant)
if err != nil {
err = f.WaitForSuiteScansStatus(testNamespace, suiteName, compv1alpha1.PhaseDone, compv1alpha1.ResultCompliant)
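
Review bot: the fallback inside `if err != nil` reassigns `err`, so the error returned by the first `WaitForSuiteScansStatus` call is discarded; a failure unrelated to the result value (the suite never reaching `PhaseDone`, for instance) surfaces only after the second call has also waited, and the original cause is lost. If both `ResultNonCompliant` and `ResultCompliant` are acceptable outcomes here, wait once for `PhaseDone` and compare the result against the two accepted values; failing that, log the first error before retrying so it appears in the test output.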

@taimurhafeez (Collaborator) May 20, 2026

Can we use f.OperatorNamespace instead?

@taimurhafeez (Collaborator) left a comment

Looks great. Tested on OCP 4.22 and passed. However, a couple of minor comments.

=== RUN   TestTailoredProfileExtendsCELProfile
=== PAUSE TestTailoredProfileExtendsCELProfile
=== CONT  TestTailoredProfileExtendsCELProfile
2026/05/20 18:02:46 Creating ProfileBundle test-tailored-profile-extends-c-e-l-profile-pb with CEL content cel-content.yaml
2026/05/20 18:02:53 waiting ProfileBundle test-tailored-profile-extends-c-e-l-profile-pb to become VALID (PENDING)
2026/05/20 18:02:58 waiting ProfileBundle test-tailored-profile-extends-c-e-l-profile-pb to become VALID (PENDING)
2026/05/20 18:03:03 waiting ProfileBundle test-tailored-profile-extends-c-e-l-profile-pb to become VALID (PENDING)
2026/05/20 18:03:08 ProfileBundle ready (VALID)
    main_test.go:6078: ProfileBundle is VALID
2026/05/20 18:03:13 TailoredProfile ready (READY)
    main_test.go:6111: TailoredProfile test-tailored-profile-extends-c-e-l-profile-tp is ready
2026/05/20 18:03:19 ScanSettingBinding status READY
    main_test.go:6141: ScanSettingBinding is ready
2026/05/20 18:03:30 ComplianceScan ready (DONE)
2026/05/20 18:03:30 All scans in ComplianceSuite have finished (test-tailored-profile-extends-c-e-l-profile-ssb)
    main_test.go:6152: CEL scan via TailoredProfile completed as NON-COMPLIANT
    main_test.go:6173: check test-tailored-profile-extends-c-e-l-profile-tp-check-default-namespace-has-no-pods: status=PASS
    main_test.go:6173: check test-tailored-profile-extends-c-e-l-profile-tp-check-default-sa-exists-in-kube-system: status=PASS
    main_test.go:6173: check test-tailored-profile-extends-c-e-l-profile-tp-check-namespaces-have-network-policies: status=FAIL
    main_test.go:6186: disabled rule test-tailored-profile-extends-c-e-l-profile-tp-check-no-privileged-containers correctly has no ComplianceCheckResult
    main_test.go:6188: TailoredProfile extending CEL profile test completed successfully
--- PASS: TestTailoredProfileExtendsCELProfile (44.97s)
PASS