context consistency: ensure all context are TODO()

[sebrandon1]

There were 14 instances of context.Background and 20 instances of context.TODO(). Since there were more TODO() references, I'm ensuring all of the references to context are the same.

Similar to:

• context consistency: switch Background() to TODO() rh-ecosystem-edge/eco-goinfra#680
• context consistency: switch Background() to TODO() rh-ecosystem-edge/eco-goinfra#329
• Switch context.Background() to TODO() for consistency redhat-best-practices-for-k8s/certsuite#1216
• Switch context.Background() to context.TODO() for consistency redhat-best-practices-for-k8s/certsuite#681

[openshift-ci]

Hi @sebrandon1. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[swghosh]

/ok-to-test

[swghosh]

/ok-to-test
/test all

[sebrandon1]

/retest

[sebrandon1]

/retest

[swghosh]

/test all

[lunarwhite]

Hi @sebrandon1, you may need to rebase onto the latesr commit. There have been some changes in test/e2e folder since you opened this PR

[lunarwhite]

This file can be safely removed. Then the broken CI jobs should pass.

(for your context: This file has been removed in a recent refactor PR)

[coderabbitai]

Walkthrough

The PR refactors context usage across the codebase, replacing context.Background() with context.TODO() in tests, utilities, and controller initialization. Additionally, a new comprehensive end-to-end test suite for cert-manager deployment validation is introduced.

Changes

Cohort / File(s)	Summary
ISTIO CSR Controller Context Migration pkg/controller/istiocsr/certificates_test.go, pkg/controller/istiocsr/controller.go, pkg/controller/istiocsr/controller_test.go, pkg/controller/istiocsr/test_utils.go	Context initialization changed from context.Background() to context.TODO() across test and controller files; no logic or control flow changes.
Operator Factory Documentation pkg/operator/informers/externalversions/factory.go	Documentation comment example updated to use context.TODO() instead of context.Background(); no code or API changes.
E2E Test Suite Enhancements test/e2e/cert_manager_deployment_test.go	New comprehensive E2E test file (+453 lines) with four test functions: TestSelfSignedCerts, TestACMECertsIngress, TestCertRenew, and TestContainerOverrides. Includes polling utilities, TLS verification, certificate expiry checks, and operator status validation. Defines PollInterval (5s) and TestTimeout (10m) constants.
E2E Test Context Updates test/e2e/overrides_test.go, test/library/utils.go	Context usage refactored from context.Background() to context.TODO() in test utilities and reset functions; error handling and polling logic unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 7.14% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title "context consistency: ensure all context are TODO()" directly and specifically describes the main change across the changeset. The raw summary shows that the primary objective is standardizing context usage from context.Background() to context.TODO() across multiple files in the codebase. The title is concise, clear, and specific enough that a teammate scanning the history would immediately understand the primary change being made. Although the changeset includes a new e2e test file, the dominant change throughout the PR is the context standardization.
Description Check	✅ Passed	The pull request description is clearly related to the changeset. It explains the concrete rationale for the changes—14 instances of context.Background() versus 20 instances of context.TODO(), with the author choosing to standardize on the more frequently used TODO()—and provides references to similar prior work in related repositories. The description conveys meaningful information about why the changes were made and demonstrates precedent for this type of consistency effort. It is not vague, generic, or off-topic.

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

test/e2e/cert_manager_deployment_test.go (1)

1-454: Please remove this file (was deleted upstream and breaks CI).

Prior review already flagged this file as removable due to a recent refactor; re‑adding it will fail CI. Either drop it from this PR or rebase on latest master where it’s gone.

Run to confirm the file was removed in master:

#!/bin/bash
git fetch origin master
git diff --name-status origin/master -- test/e2e/cert_manager_deployment_test.go

🧹 Nitpick comments (9)

test/e2e/certificates_test.go (1)

214-221: Use the test-scoped ctx instead of context.TODO() for polling.

Propagate the same ctx you initialized in BeforeAll so cancellations/timeouts are honored consistently.

Apply this diff in the four sites:

- err := wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
+ err := wait.PollUntilContextTimeout(ctx, slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {

- err := wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
+ err := wait.PollUntilContextTimeout(ctx, slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {

- err := wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
+ err := wait.PollUntilContextTimeout(ctx, slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {

- err := wait.PollUntilContextTimeout(context.TODO(), slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {
+ err := wait.PollUntilContextTimeout(ctx, slowPollInterval, highTimeout, true, func(context.Context) (bool, error) {

Also applies to: 311-318, 517-524, 796-813

pkg/operator/informers/externalversions/factory.go (1)

191-191: Fix incorrect example: TODO() doesn’t return a CancelFunc.

The sample should use WithCancel; current snippet won’t compile if copied.

Apply this diff in the comment:

-//	ctx, cancel := context.TODO()
+//	ctx, cancel := context.WithCancel(context.TODO())

pkg/controller/istiocsr/controller.go (1)

114-151: DRY the repeated context.TODO() calls in GetInformer.

Minor readability nit: define ctx once and reuse.

Apply this diff:

 func BuildCustomClient(mgr ctrl.Manager) (client.Client, error) {
@@
 	customCache, err := cache.New(mgr.GetConfig(), customCacheOpts)
 	if err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &v1alpha1.IstioCSR{}); err != nil {
+	ctx := context.TODO()
+	if _, err = customCache.GetInformer(ctx, &v1alpha1.IstioCSR{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &certmanagerv1.Certificate{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &certmanagerv1.Certificate{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &appsv1.Deployment{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &appsv1.Deployment{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &rbacv1.ClusterRole{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &rbacv1.ClusterRole{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &rbacv1.ClusterRoleBinding{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &rbacv1.ClusterRoleBinding{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &rbacv1.Role{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &rbacv1.Role{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &rbacv1.RoleBinding{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &rbacv1.RoleBinding{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &corev1.Service{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &corev1.Service{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &corev1.ServiceAccount{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &corev1.ServiceAccount{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &corev1.Secret{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &corev1.Secret{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &corev1.ConfigMap{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &corev1.ConfigMap{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &certmanagerv1.Issuer{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &certmanagerv1.Issuer{}); err != nil {
 		return nil, err
 	}
-	if _, err = customCache.GetInformer(context.TODO(), &certmanagerv1.ClusterIssuer{}); err != nil {
+	if _, err = customCache.GetInformer(ctx, &certmanagerv1.ClusterIssuer{}); err != nil {
 		return nil, err
 	}

test/library/utils.go (1)

59-69: Use the same ctx consistently inside DeleteTestingNS.

You define ctx on Line 59, but call PollUntilContextTimeout with context.TODO() on Line 69. Use the local ctx for consistency and easier future cancellation/threading from callers.

- if err := wait.PollUntilContextTimeout(context.TODO(), 1*time.Second, 30*time.Second, true, func(context.Context) (bool, error) {
+ if err := wait.PollUntilContextTimeout(ctx, 1*time.Second, 30*time.Second, true, func(context.Context) (bool, error) {

test/e2e/cert_manager_deployment_test.go (5)

134-151: Handle secret GET errors explicitly in poll.

You log TLS-config failure but ignore err from the Secret GET, which can hide real failures. Mirror the NotFound handling you used elsewhere.

- secret, err := loader.KubeClient.CoreV1().Secrets(ingress.ObjectMeta.Namespace).Get(ctx, "ingress-prod-secret", metav1.GetOptions{})
- tlsConfig, isvalid := library.GetTLSConfig(secret)
- if !isvalid {
-   t.Logf("Unable to retrieve the TLS config: %v", err)
-   return false, nil
- }
+ secret, err := loader.KubeClient.CoreV1().Secrets(ingress.ObjectMeta.Namespace).Get(ctx, "ingress-prod-secret", metav1.GetOptions{})
+ if errors.IsNotFound(err) {
+   t.Logf("TLS secret not found yet")
+   return false, nil
+ }
+ if err != nil {
+   return false, err
+ }
+ tlsConfig, isvalid := library.GetTLSConfig(secret)
+ if !isvalid {
+   t.Logf("Unable to build TLS config from secret")
+   return false, nil
+ }

---

92-117: Go style: prefer camelCase variable names.

ingress_host and path_type are non‑idiomatic; rename to ingressHost and pathType.

- ingress_host := "eaic." + appsDomain
- path_type := networkingv1.PathTypePrefix
+ ingressHost := "eaic." + appsDomain
+ pathType := networkingv1.PathTypePrefix
...
- Host: ingress_host,
+ Host: ingressHost,
...
- PathType: &path_type,
+ PathType: &pathType,
...
- Hosts:      []string{ingress_host},
+ Hosts:      []string{ingressHost},
...
- secret, err := loader.KubeClient.CoreV1().Secrets(ingress.ObjectMeta.Namespace).Get(ctx, "ingress-prod-secret", metav1.GetOptions{})
+ secret, err := loader.KubeClient.CoreV1().Secrets(ingress.ObjectMeta.Namespace).Get(ctx, "ingress-prod-secret", metav1.GetOptions{})
...
- is_host_correct, err := library.VerifyHostname(ingress_host, tlsConfig.Clone())
+ isHostCorrect, err := library.VerifyHostname(ingressHost, tlsConfig.Clone())
...
- is_not_expired, err := library.VerifyExpiry(ingress_host+":443", tlsConfig.Clone())
+ isNotExpired, err := library.VerifyExpiry(ingressHost+":443", tlsConfig.Clone())
- return is_host_correct && is_not_expired, nil
+ return isHostCorrect && isNotExpired, nil

Also applies to: 124-151

---

327-329: Fix typos in helper names (“Controlle” -> “Controller”).

Aligns with type names and improves readability. Update call sites accordingly.

- addValidControlleDeploymentConfig(updatedOperator)
+ addValidControllerDeploymentConfig(updatedOperator)
...
-func addValidControlleDeploymentConfig(operator *v1alpha1.CertManager) {
+func addValidControllerDeploymentConfig(operator *v1alpha1.CertManager) {
@@
 }
-
-func addInvalidControlleOverrideEnv(operator *v1alpha1.CertManager) {
+func addInvalidControllerOverrideEnv(operator *v1alpha1.CertManager) {

And later:

- addInvalidControlleOverrideEnv(updatedOperator)
+ addInvalidControllerOverrideEnv(updatedOperator)

Also applies to: 396-416, 417-426

---

244-249: Minor: use require.NoErrorf when passing a formatted message.

Current call uses NoError with a format string.

- require.NoError(t, err, "failed to create certificate: %v", err)
+ require.NoErrorf(t, err, "failed to create certificate: %v", err)

---

264-305: Avoid long sleeps inside wait.PollUntilContextTimeout.

Sleeping within the poll function stalls the poller and can confuse timeouts. Compute the target renewal time and wait until then outside the poll loop, or increase PollInterval and remove the internal sleep.

Example approach (conceptual):

• Compute renewAt := expiryTime.Add(-renewBefore).Add(30*time.Second)
• time.Sleep(time.Until(renewAt))
• Then run a short PollImmediate to assert renewal.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between baafb49 and 8d0dc18.

📒 Files selected for processing (10)

• pkg/controller/deployment/deployment_helper_test.go (2 hunks)
• pkg/controller/istiocsr/certificates_test.go (1 hunks)
• pkg/controller/istiocsr/controller.go (2 hunks)
• pkg/controller/istiocsr/controller_test.go (1 hunks)
• pkg/controller/istiocsr/test_utils.go (1 hunks)
• pkg/operator/informers/externalversions/factory.go (1 hunks)
• test/e2e/cert_manager_deployment_test.go (1 hunks)
• test/e2e/certificates_test.go (2 hunks)
• test/e2e/overrides_test.go (2 hunks)
• test/library/utils.go (2 hunks)

🔇 Additional comments (11)

test/e2e/certificates_test.go (2)

55-55: LGTM on context choice in BeforeAll.

Using context.TODO() here is consistent with the PR objective.

---

865-865: LGTM on context choice in Self-signed BeforeAll.

Matches the repo‑wide TODO() standardization.

test/e2e/overrides_test.go (2)

23-24: LGTM: switched to context.TODO().

Consistent with the PR goal.

---

599-600: LGTM: switched to context.TODO().

Consistent with the PR goal.

pkg/controller/istiocsr/test_utils.go (1)

39-43: LGTM: test reconciler uses context.TODO().

Aligned with the project‑wide convention.

pkg/controller/istiocsr/controller_test.go (1)

395-399: LGTM: Reconcile invoked with context.TODO().

Matches the standardized usage.

pkg/controller/istiocsr/certificates_test.go (1)

221-226: LGTM: Get with context.TODO().

Consistent with the PR objective.

pkg/controller/deployment/deployment_helper_test.go (2)

337-339: LGTM: WithCancel(context.TODO()).

Consistent with repo‑wide standardization.

---

859-861: LGTM: WithCancel(context.TODO()).

Consistent with repo‑wide standardization.

pkg/controller/istiocsr/controller.go (1)

66-71: LGTM: controller root ctx set to context.TODO().

Aligns with the chosen convention. Ensure request‑scoped work uses the method ctx parameter, not r.ctx.

test/library/utils.go (1)

46-46: Context normalization to context.TODO() looks good.

Change aligns with PR goal and is safe here because the poll has its own timeout.

[coderabbitai]

⚠️ Potential issue

Logic bug: only the last matched condition wins; require all three to be correct.

Currently flag gets overwritten per condition. Compute booleans and AND them.

- flag := false
- for _, cond := range operator.Status.Conditions {
-   if cond.Type == "cert-manager-controller-deploymentAvailable" {
-     flag = cond.Status == opv1.ConditionTrue
-   }
-
-   if cond.Type == "cert-manager-controller-deploymentDegraded" {
-     flag = cond.Status == opv1.ConditionFalse
-   }
-
-   if cond.Type == "cert-manager-controller-deploymentProgressing" {
-     flag = cond.Status == opv1.ConditionFalse
-   }
- }
+ availableTrue, degradedFalse, progressingFalse := false, false, false
+ for _, cond := range operator.Status.Conditions {
+   switch cond.Type {
+   case "cert-manager-controller-deploymentAvailable":
+     availableTrue = cond.Status == opv1.ConditionTrue
+   case "cert-manager-controller-deploymentDegraded":
+     degradedFalse = cond.Status == opv1.ConditionFalse
+   case "cert-manager-controller-deploymentProgressing":
+     progressingFalse = cond.Status == opv1.ConditionFalse
+   }
+ }
+ flag := availableTrue && degradedFalse && progressingFalse

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	flag := false
	for _, cond := range operator.Status.Conditions {
	if cond.Type == "cert-manager-controller-deploymentAvailable" {
	flag = cond.Status == opv1.ConditionTrue
	}
	if cond.Type == "cert-manager-controller-deploymentDegraded" {
	flag = cond.Status == opv1.ConditionFalse
	}
	if cond.Type == "cert-manager-controller-deploymentProgressing" {
	flag = cond.Status == opv1.ConditionFalse
	}
	}
	availableTrue, degradedFalse, progressingFalse := false, false, false
	for _, cond := range operator.Status.Conditions {
	switch cond.Type {
	case "cert-manager-controller-deploymentAvailable":
	availableTrue = cond.Status == opv1.ConditionTrue
	case "cert-manager-controller-deploymentDegraded":
	degradedFalse = cond.Status == opv1.ConditionFalse
	case "cert-manager-controller-deploymentProgressing":
	progressingFalse = cond.Status == opv1.ConditionFalse
	}
	}
	flag := availableTrue && degradedFalse && progressingFalse

🤖 Prompt for AI Agents

In test/e2e/cert_manager_deployment_test.go around lines 375 to 388, the loop
overwrites a single flag for each matched condition so the last matched
condition determines the result; instead, introduce three separate booleans
(e.g., availableOK, degradedOK, progressingOK), set each when its corresponding
condition is seen (available should be ConditionTrue, degraded and progressing
should be ConditionFalse), then after the loop assert that all three are true by
combining them with a logical AND; ensure uninitialized/missing conditions are
treated as failures.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign mytreya-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

test/e2e/cert_manager_deployment_test.go (2)

169-171: Bug: defer calls CreateFromFile instead of DeleteFromFile (leaks resources).

This will leave the certificate behind and can break later tests/teardown.

- defer loader.CreateFromFile(testassets.ReadFile, filepath.Join("testdata", "self_signed", "certificate.yaml"), ns.Name)
+ defer loader.DeleteFromFile(testassets.ReadFile, filepath.Join("testdata", "self_signed", "certificate.yaml"), ns.Name)

---

375-388: Logic bug: last matched condition wins; require all three to be correct.

Use three booleans and AND them.

- flag := false
- for _, cond := range operator.Status.Conditions {
-   if cond.Type == "cert-manager-controller-deploymentAvailable" {
-     flag = cond.Status == opv1.ConditionTrue
-   }
-   if cond.Type == "cert-manager-controller-deploymentDegraded" {
-     flag = cond.Status == opv1.ConditionFalse
-   }
-   if cond.Type == "cert-manager-controller-deploymentProgressing" {
-     flag = cond.Status == opv1.ConditionFalse
-   }
- }
+ availableTrue, degradedFalse, progressingFalse := false, false, false
+ for _, cond := range operator.Status.Conditions {
+   switch cond.Type {
+   case "cert-manager-controller-deploymentAvailable":
+     availableTrue = cond.Status == opv1.ConditionTrue
+   case "cert-manager-controller-deploymentDegraded":
+     degradedFalse = cond.Status == opv1.ConditionFalse
+   case "cert-manager-controller-deploymentProgressing":
+     progressingFalse = cond.Status == opv1.ConditionFalse
+   }
+ }
+ flag := availableTrue && degradedFalse && progressingFalse

🧹 Nitpick comments (4)

pkg/controller/istiocsr/controller.go (1)

117-117: Top-level ctx: prefer Background() or manager root ctx; consider removing stored ctx.

context.TODO() is a placeholder. For a long-lived struct field, use context.Background() or a manager/root ctx, and pass request-scoped ctx down from Reconcile. If r.ctx is unused here, consider deleting the field to avoid ambiguity. Please verify usage before changing.

test/e2e/cert_manager_deployment_test.go (3)

92-117: Go naming: use camelCase for local vars.

Rename ingress_host -> ingressHost and path_type -> pathType.

- ingress_host := "eaic." + appsDomain
- path_type := networkingv1.PathTypePrefix
+ ingressHost := "eaic." + appsDomain
+ pathType := networkingv1.PathTypePrefix
@@
- Host: ingress_host,
+ Host: ingressHost,
@@
- PathType: &path_type,
+ PathType: &pathType,
@@
- Hosts:      []string{ingress_host},
+ Hosts:      []string{ingressHost},

---

136-140: Avoid logging a stale err when TLS config not ready.

err here is from the prior Secret Get; log a clear message instead.

- tlsConfig, isvalid := library.GetTLSConfig(secret)
- if !isvalid {
-     t.Logf("Unable to retrieve the TLS config: %v", err)
+ tlsConfig, isvalid := library.GetTLSConfig(secret)
+ if !isvalid {
+     t.Logf("TLS config not yet available in secret %s/%s", ingress.ObjectMeta.Namespace, "ingress-prod-secret")
      return false, nil
 }

---

396-417: Typo in helper names; fix and update call sites.

s/Controlle/Controller/ for clarity.

- func addValidControlleDeploymentConfig(operator *v1alpha1.CertManager) {
+ func addValidControllerDeploymentConfig(operator *v1alpha1.CertManager) {
@@
- func addInvalidControlleOverrideEnv(operator *v1alpha1.CertManager) {
+ func addInvalidControllerOverrideEnv(operator *v1alpha1.CertManager) {

And update call sites:

- addValidControlleDeploymentConfig(updatedOperator)
+ addValidControllerDeploymentConfig(updatedOperator)
@@
- addInvalidControlleOverrideEnv(updatedOperator)
+ addInvalidControllerOverrideEnv(updatedOperator)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 8d0dc18 and e8c5eff.

📒 Files selected for processing (10)

• pkg/controller/deployment/deployment_helper_test.go (2 hunks)
• pkg/controller/istiocsr/certificates_test.go (1 hunks)
• pkg/controller/istiocsr/controller.go (1 hunks)
• pkg/controller/istiocsr/controller_test.go (1 hunks)
• pkg/controller/istiocsr/test_utils.go (1 hunks)
• pkg/operator/informers/externalversions/factory.go (1 hunks)
• test/e2e/cert_manager_deployment_test.go (1 hunks)
• test/e2e/certificates_test.go (2 hunks)
• test/e2e/overrides_test.go (2 hunks)
• test/library/utils.go (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• pkg/operator/informers/externalversions/factory.go

🚧 Files skipped from review as they are similar to previous changes (6)

• pkg/controller/istiocsr/certificates_test.go
• pkg/controller/istiocsr/controller_test.go
• pkg/controller/istiocsr/test_utils.go
• test/e2e/certificates_test.go
• test/library/utils.go
• pkg/controller/deployment/deployment_helper_test.go

🔇 Additional comments (3)

test/e2e/overrides_test.go (2)

735-737: LGTM on switching to context.TODO().

---

30-31: Review statement on context usage for consistency.

The remaining context.Background() calls at lines 624, 642, 667, 685, 710, and 728 should be reviewed for consistency. Since lines 30-31 were changed to context.TODO(), clarify whether the pollTillDeploymentAvailable() calls should similarly use context.TODO() for consistency, or document why context.Background() is appropriate for polling operations.

test/e2e/cert_manager_deployment_test.go (1)

1-10: Confirm intent to (re)introduce this e2e file; prior refactor removed it.

Past review notes say this file was removed and its presence breaks CI (go:embed patterns may fail if testdata is absent). If unintended, delete the file to unblock CI; otherwise ensure embedded testdata exists under test/e2e/testdata/.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Don’t sleep inside PollUntilContextTimeout; it blocks and ignores ctx.

time.Sleep within the condition function can exceed TestTimeout and defeats cancellation. Compute a deadline and let polling cadence drive.

-        // include grace time for certificate rotation and for secret change propagation to
-        // the pod, to the sleep time.
-        timeUntil := (time.Until(expiryTime) - renewBeforeDuration) + time.Second*30
-        time.Sleep(timeUntil)
+        // Wait until we're past the renewal window (+30s grace) using the poll cadence.
+        deadline := expiryTime.Add(-renewBeforeDuration).Add(30 * time.Second)
+        if time.Now().Before(deadline) {
+            return false, nil
+        }

If preferred, compute deadline once before the poll and capture it via closure:

- err = wait.PollUntilContextTimeout(ctx, PollInterval, TestTimeout, true, func(ctx context.Context) (bool, error) {
+ deadline := expiryTime.Add(-renewBeforeDuration).Add(30 * time.Second)
+ err = wait.PollUntilContextTimeout(ctx, PollInterval, TestTimeout, true, func(ctx context.Context) (bool, error) {
+     if time.Now().Before(deadline) {
+         return false, nil
+     }
      // ... rest unchanged ...

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// include grace time for certificate rotation and for secret change propagation to
	// the pod, to the sleep time.
	timeUntil := (time.Until(expiryTime) - renewBeforeDuration) + time.Second*30
	time.Sleep(timeUntil)
	// Wait until we're past the renewal window (+30s grace) using the poll cadence.
	deadline := expiryTime.Add(-renewBeforeDuration).Add(30 * time.Second)
	if time.Now().Before(deadline) {
	return false, nil
	}

🤖 Prompt for AI Agents

In test/e2e/cert_manager_deployment_test.go around lines 283 to 287, remove the
direct time.Sleep call inside the PollUntilContextTimeout condition because it
blocks and ignores ctx; instead compute a deadline before entering the poll
(deadline := time.Now().Add((time.Until(expiryTime) - renewBeforeDuration) +
30*time.Second)) and capture that deadline in the closure, then inside the poll
check time.Until(deadline) or return done/error so the poller’s cadence and
context cancellation control waiting; ensure you use the poll interval passed to
PollUntilContextTimeout rather than sleeping.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[sebrandon1]

/remove-lifecycle stale

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@test/e2e/cert_manager_deployment_test.go`:
- Around line 134-151: The callback passed to wait.PollImmediate calls
loader.KubeClient.CoreV1().Secrets(...).Get but never checks the returned err or
nil secret before calling library.GetTLSConfig(secret), which can panic; update
the PollImmediate lambda to check if err != nil or secret == nil immediately
after the Get() call, log the retrieval error via t.Logf including the error,
and return false, nil to retry (or return the err if you want to fail fast),
before calling library.GetTLSConfig; reference the secret variable, the Get()
call on loader.KubeClient.CoreV1().Secrets(...).Get, and library.GetTLSConfig to
locate where to add the guard.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate the file and read the relevant lines
find . -name "cert_manager_deployment_test.go" -type f

Repository: openshift/cert-manager-operator

Length of output: 117

---

🏁 Script executed:

# Once found, read the actual code around lines 134-151
cat -n test/e2e/cert_manager_deployment_test.go | sed -n '130,160p'

Repository: openshift/cert-manager-operator

Length of output: 1571

---

🏁 Script executed:

# Search for the library.GetTLSConfig implementation
rg -n "func.*GetTLSConfig" --type go

Repository: openshift/cert-manager-operator

Length of output: 868

---

🏁 Script executed:

# Read the GetTLSConfig implementation
cat -n test/library/cert_utils.go | head -60

Repository: openshift/cert-manager-operator

Length of output: 1875

---

Guard against missing Secret before TLS validation.
The error from Get() is never checked; if the Secret doesn't exist or retrieval fails, secret is nil and GetTLSConfig will panic when accessing secret.Data.

🔧 Suggested fix

-		secret, err := loader.KubeClient.CoreV1().Secrets(ingress.ObjectMeta.Namespace).Get(ctx, "ingress-prod-secret", metav1.GetOptions{})
-		tlsConfig, isvalid := library.GetTLSConfig(secret)
-		if !isvalid {
-			t.Logf("Unable to retrieve the TLS config: %v", err)
-			return false, nil
-		}
+		secret, err := loader.KubeClient.CoreV1().Secrets(ingress.ObjectMeta.Namespace).Get(ctx, "ingress-prod-secret", metav1.GetOptions{})
+		if errors.IsNotFound(err) {
+			t.Logf("Secret not ready yet: %v", err)
+			return false, nil
+		}
+		if err != nil {
+			return false, err
+		}
+		tlsConfig, isValid := library.GetTLSConfig(secret)
+		if !isValid {
+			t.Logf("Unable to retrieve the TLS config")
+			return false, nil
+		}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	err = wait.PollImmediate(PollInterval, TestTimeout, func() (bool, error) {
	secret, err := loader.KubeClient.CoreV1().Secrets(ingress.ObjectMeta.Namespace).Get(ctx, "ingress-prod-secret", metav1.GetOptions{})
	tlsConfig, isvalid := library.GetTLSConfig(secret)
	if !isvalid {
	t.Logf("Unable to retrieve the TLS config: %v", err)
	return false, nil
	}
	is_host_correct, err := library.VerifyHostname(ingress_host, tlsConfig.Clone())
	if err != nil {
	t.Logf("Host: %v", err)
	return false, nil
	}
	is_not_expired, err := library.VerifyExpiry(ingress_host+":443", tlsConfig.Clone())
	if err != nil {
	t.Logf("Expired: %v", err)
	return false, nil
	}
	return is_host_correct && is_not_expired, nil
	err = wait.PollImmediate(PollInterval, TestTimeout, func() (bool, error) {
	secret, err := loader.KubeClient.CoreV1().Secrets(ingress.ObjectMeta.Namespace).Get(ctx, "ingress-prod-secret", metav1.GetOptions{})
	if errors.IsNotFound(err) {
	t.Logf("Secret not ready yet: %v", err)
	return false, nil
	}
	if err != nil {
	return false, err
	}
	tlsConfig, isValid := library.GetTLSConfig(secret)
	if !isValid {
	t.Logf("Unable to retrieve the TLS config")
	return false, nil
	}
	is_host_correct, err := library.VerifyHostname(ingress_host, tlsConfig.Clone())
	if err != nil {
	t.Logf("Host: %v", err)
	return false, nil
	}
	is_not_expired, err := library.VerifyExpiry(ingress_host+":443", tlsConfig.Clone())
	if err != nil {
	t.Logf("Expired: %v", err)
	return false, nil
	}
	return is_host_correct && is_not_expired, nil

🤖 Prompt for AI Agents

In `@test/e2e/cert_manager_deployment_test.go` around lines 134 - 151, The
callback passed to wait.PollImmediate calls
loader.KubeClient.CoreV1().Secrets(...).Get but never checks the returned err or
nil secret before calling library.GetTLSConfig(secret), which can panic; update
the PollImmediate lambda to check if err != nil or secret == nil immediately
after the Get() call, log the retrieval error via t.Logf including the error,
and return false, nil to retry (or return the err if you want to fail fast),
before calling library.GetTLSConfig; reference the secret variable, the Get()
call on loader.KubeClient.CoreV1().Secrets(...).Get, and library.GetTLSConfig to
locate where to add the guard.

[openshift-ci]

@sebrandon1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	719d24e	link	true	/test verify
ci/prow/e2e-operator	719d24e	link	true	/test e2e-operator
ci/prow/verify-deps	719d24e	link	true	/test verify-deps
ci/prow/e2e-operator-tech-preview	719d24e	link	false	/test e2e-operator-tech-preview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.