From bd7b323fbf74aed7534014963325f41570918b73 Mon Sep 17 00:00:00 2001
From: Scot Wells <wells.scot@gmail.com>
Date: Tue, 23 Jun 2026 16:22:07 -0500
Subject: [PATCH] test(e2e): wait for CA issuance before copying its secret

The gateway-accepted test created a cert-manager CA Certificate and immediately
copied its secret into envoy-gateway-system, racing issuance. On slow runners the
secret didn't exist yet, failing with "secrets <name> not found / no objects
passed to apply" and flaking the suite. Assert the Certificate is Ready first.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 test/e2e/gateway/chainsaw-test.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/test/e2e/gateway/chainsaw-test.yaml b/test/e2e/gateway/chainsaw-test.yaml
index 56382ec7..77cf0066 100644
--- a/test/e2e/gateway/chainsaw-test.yaml
+++ b/test/e2e/gateway/chainsaw-test.yaml
@@ -56,6 +56,22 @@ spec:
                 ca:
                   secretName: ($clusterIssuerName)
 
+        # Wait for cert-manager to issue the CA before the script copies its
+        # secret. Without this, the copy races issuance and intermittently fails
+        # with "secrets <name> not found / no objects passed to apply".
+        - assert:
+            cluster: nso-infra
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'ca']))
+                namespace: cert-manager
+              status:
+                conditions:
+                  - type: Ready
+                    status: "True"
+
         - script:
             # skipCommandOutput: true
             # skipLogOutput: true