SREP-3016: Add functional e2e tests for aws-vpce-operator

[rpodishe]

• Adds 12 end-to-end functional tests covering VPC Endpoint lifecycle, security group reconciliation,
  credential override, spec updates, drift detection, finalizer/tagging validation, and error scenarios
  • Introduces aws_integration_test.go with 9 AWS integration tests that create real VPC Endpoints and verify
    operator behavior against live AWS resources
  • Adds helpers_test.go with shared test utilities: AWS client setup, VPCE/SG verification helpers, cleanup
    functions, and unique service name mapping to avoid private-DNS conflicts
  • Refactors aws_vpce_operator_tests.go BeforeSuite to build and run the operator binary locally, apply CRDs,
    and manage the full test lifecycle automatically

Summary by CodeRabbit

• Tests
  • Expanded end-to-end test coverage for VPC Endpoint lifecycle, security group reconciliation, credential override, drift recovery, and error scenarios; added test helpers and lifecycle management to automate validation.
• Chores
  • Ignored a specific build output path, updated pipeline metadata naming, adjusted repository ownership aliases, and bumped base image tags for runtime builds.

[openshift-ci-robot]

@rpodishe: This pull request references SREP-3016 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

• Adds 12 end-to-end functional tests covering VPC Endpoint lifecycle, security group reconciliation,
  credential override, spec updates, drift detection, finalizer/tagging validation, and error scenarios
• Introduces aws_integration_test.go with 9 AWS integration tests that create real VPC Endpoints and verify
  operator behavior against live AWS resources
• Adds helpers_test.go with shared test utilities: AWS client setup, VPCE/SG verification helpers, cleanup
  functions, and unique service name mapping to avoid private-DNS conflicts
• Refactors aws_vpce_operator_tests.go BeforeSuite to build and run the operator binary locally, apply CRDs,
  and manage the full test lifecycle automatically

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rpodishe
Once this PR has been reviewed and has the lgtm label, please assign eth1030 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Adds comprehensive e2e testing: new Ginkgo/Gomega test suite and helpers, operator subprocess lifecycle for tests, AWS/Kubernetes validation utilities, a single .gitignore entry, and minor CI/build metadata/base-image updates.

Changes

Cohort / File(s)	Summary
Gitignore ./.gitignore	Added build/aws-vpce-operator-test to ignore build output.
End-to-end tests test/e2e/aws_integration_test.go, test/e2e/aws_vpce_operator_tests.go, test/e2e/helpers_test.go	Introduced a new e2e test suite (multiple scenarios: VPCE lifecycle, SG reconciliation, credential override, updates, drift recovery, tagging, error cases), test helpers for AWS/Kubernetes interactions, and operator subprocess management during tests; adjusted test setup/cleanup and removed one negative dry-run assertion.
CI / Tekton .tekton/aws-vpce-operator-pko-pull-request.yaml	Renamed PipelineRun metadata.name from aws-vpce-operator-pko-on-pull_request → aws-vpce-operator-pko-on-pull-request.
Owners OWNERS_ALIASES	Updated alias mappings: removed hectorakemp, added gvnnn to srep-functional-team-orange; removed a7vicky from srep-functional-team-thor.
Build images build/Dockerfile, build/Dockerfile.olm-registry	Bumped final-stage base image tag for registry.access.redhat.com/ubi9/ubi-minimal to a new digest/tag.

Sequence Diagram(s)

sequenceDiagram
  participant Test as E2E Test Suite
  participant K8s as Kubernetes API
  participant Op as Operator (subprocess)
  participant AWS as AWS API
  Note over Test,K8s: Setup: register schemes, apply CRDs
  Test->>Op: start (if not healthy)
  Op->>Test: /healthz OK
  Test->>K8s: create `VpcEndpoint` CR
  K8s->>Op: watch CR -> reconcile
  Op->>AWS: create VPC Endpoint & Security Group
  AWS-->>Op: return VPCE ID, SG ID
  Op->>K8s: update CR status (IDs, available)
  Test->>AWS: verify VPCE & SG exist
  Test->>K8s: delete `VpcEndpoint` CR
  K8s->>Op: reconcile deletion
  Op->>AWS: delete VPCE & SG
  AWS-->>Op: confirm deletion
  Op->>K8s: remove finalizer -> CR removed
  Test->>AWS: assert resources deleted

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	New e2e tests use OpenShift-specific APIs (infrastructure custom resource and configv1 from config.openshift.io) that are not available on MicroShift, without proper skip mechanisms.	Add [apigroup:config.openshift.io] tag to test names or [Skipped:MicroShift] labels to ensure tests are skipped on MicroShift CI.
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	E2E integration tests hardcode IPv4 CIDR blocks and require direct AWS API connectivity, failing in IPv6-only and disconnected environments without skip tags.	Add [Skipped:Disconnected] tags to all test cases or refactor to mock AWS SDK responses and support IPv6-compatible CIDR blocks.
Stable And Deterministic Test Names	❓ Inconclusive	Test files mentioned in PR (aws_integration_test.go, aws_vpce_operator_tests.go, helpers_test.go) are not available in current repository state for examination.	Access the PR branch (SREP-3016-add-functional-tests) or examine test files directly to verify Ginkgo test names contain only static, deterministic values without dynamic identifiers, timestamps, or random suffixes.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding functional end-to-end tests for the aws-vpce-operator, which aligns with the substantial test additions across multiple test files in the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Test Structure And Quality	✅ Passed	Test suite demonstrates strong adherence to quality requirements with single responsibility, proper setup/cleanup patterns, appropriate timeouts, and meaningful assertions.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The new e2e tests added in this PR are compatible with Single Node OpenShift. All nine test cases focus on Kubernetes CR operations and AWS API interactions without making any multi-node assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds e2e tests and updates Dockerfiles/configs without modifying operator deployment specs or introducing topology-incompatible scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	The pull request properly adheres to the OTE Binary Stdout Contract by avoiding non-JSON output in suite-level code.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@rpodishe: This pull request references SREP-3016 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

• Adds 12 end-to-end functional tests covering VPC Endpoint lifecycle, security group reconciliation,
  credential override, spec updates, drift detection, finalizer/tagging validation, and error scenarios
• Introduces aws_integration_test.go with 9 AWS integration tests that create real VPC Endpoints and verify
  operator behavior against live AWS resources
• Adds helpers_test.go with shared test utilities: AWS client setup, VPCE/SG verification helpers, cleanup
  functions, and unique service name mapping to avoid private-DNS conflicts
• Refactors aws_vpce_operator_tests.go BeforeSuite to build and run the operator binary locally, apply CRDs,
  and manage the full test lifecycle automatically

Summary by CodeRabbit

Release Notes

• Tests

• Expanded end-to-end test coverage with comprehensive scenarios for VPC Endpoint lifecycle, security group reconciliation, credential override, and error handling.

• Added test infrastructure and helpers to automate operator validation across multiple use cases.

• Chores

• Updated build output configuration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.69%. Comparing base (55396f7) to head (b31f351).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #375   +/-   ##
=======================================
  Coverage   40.69%   40.69%           
=======================================
  Files          32       32           
  Lines        2106     2106           
=======================================
  Hits          857      857           
  Misses       1145     1145           
  Partials      104      104           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/aws_integration_test.go`:
- Around line 281-293: The test's drift check can pass while the original
endpoint is still deleting; update the Eventually block that calls
helper.awsClient.DescribeSingleVPCEndpointById and inspects
obj.Status.VPCEndpointId so it verifies the endpoint is fully usable: require
that the returned VpcEndpointId is different from the previously deleted ID (or
store the deleted ID and compare) and assert the endpoint State equals
"available" (not just != "deleted"); adjust the expectations around
obj.Status.VPCEndpointId and resp.VpcEndpoints[0].State in the Eventually
closure (and keep using vpceReadyTimeout/pollingInterval) so the test waits
until AWS reports the new endpoint as available before succeeding.

In `@test/e2e/aws_vpce_operator_tests.go`:
- Around line 104-117: The AWS profile resolution code using
awsconfig.LoadSharedConfigProfile must also export temporary session tokens:
when you append resolved credentials to operatorCmd.Env in the block that checks
cfg.Credentials.AccessKeyID and cfg.Credentials.SecretAccessKey, also check
cfg.Credentials.SessionToken and append
"AWS_SESSION_TOKEN="+cfg.Credentials.SessionToken if non-empty; likewise update
the getOverrideCredentials() function to return/include the SessionToken it
reads from the profile (and ensure callers propagate it into any env
construction), so temporary STS creds are complete for subprocesses and tests.

In `@test/e2e/helpers_test.go`:
- Around line 155-166: The Eventually body treats SDK errors as success because
it ignores non-nil err; update the polling closure (the Eventually that calls
DescribeSingleVPCEndpointById) to explicitly fail on any error from
DescribeSingleVPCEndpointById by asserting the error (e.g., using Gomega on err
via g.Expect(err).NotTo(HaveOccurred()) or g.Expect(err).To(BeNil())) before
proceeding to check resp, keep the existing nil resp handling and the
resp.VpcEndpoints[0].State == "deleted" assertion, and apply the same
explicit-error assertion to the similar block referencing
DescribeSingleVPCEndpointById at lines 179-188.
- Around line 219-223: When deletion times out in the isVpceDeletedWithin check,
after calling stripFinalizers(ctx, c, name, namespace) you must wait again for
the CR to actually disappear instead of returning immediately; re-run
isVpceDeletedWithin(ctx, c, name, namespace, vpceDeletedTimeout) (or a shorter
retry loop) and only proceed once it returns true (or explicitly fail/log if it
still times out), preserving the existing GinkgoLogr.Info call so the strip
action is logged; update the logic around isVpceDeletedWithin, stripFinalizers,
name, namespace, vpceDeletedTimeout, ctx and c accordingly.
- Around line 192-201: createTestNamespace currently fails on AlreadyExists;
make namespace creation idempotent by calling c.Create(ctx, ns) and checking the
returned error: if err == nil proceed to DeferCleanup to delete the namespace,
if apierrors.IsAlreadyExists(err) simply return (do not call Expect to fail).
Use k8s.io/apimachinery/pkg/api/errors.IsAlreadyExists to detect the condition
and keep DeferCleanup tied only to the successful create path so we don't
attempt to delete namespaces we didn't create; reference createTestNamespace,
c.Create, apierrors.IsAlreadyExists, and DeferCleanup in the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8f43074b-1898-4bdb-a098-3925390a1cd3

📥 Commits

Reviewing files that changed from the base of the PR and between 55396f7 and fef196e.

📒 Files selected for processing (4)

• .gitignore
• test/e2e/aws_integration_test.go
• test/e2e/aws_vpce_operator_tests.go
• test/e2e/helpers_test.go

[openshift-ci-robot]

@rpodishe: This pull request references SREP-3016 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

• Adds 12 end-to-end functional tests covering VPC Endpoint lifecycle, security group reconciliation,
  credential override, spec updates, drift detection, finalizer/tagging validation, and error scenarios
• Introduces aws_integration_test.go with 9 AWS integration tests that create real VPC Endpoints and verify
  operator behavior against live AWS resources
• Adds helpers_test.go with shared test utilities: AWS client setup, VPCE/SG verification helpers, cleanup
  functions, and unique service name mapping to avoid private-DNS conflicts
• Refactors aws_vpce_operator_tests.go BeforeSuite to build and run the operator binary locally, apply CRDs,
  and manage the full test lifecycle automatically

Summary by CodeRabbit

• Tests
• Expanded end-to-end test coverage for VPC Endpoint lifecycle, security group reconciliation, credential override, drift recovery, and error scenarios; added test helpers and lifecycle management to automate validation.
• Chores
• Ignored a specific build output path, updated pipeline metadata naming, adjusted repository ownership aliases, and bumped base image tags for runtime builds.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@rpodishe: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e/helpers_test.go (1)

66-73: Silent fallback may mask test misconfiguration.

When testKey doesn't exist in the map, the function silently falls back to "ssmmessages". This could hide typos or missing entries without any indication. Consider logging a warning or returning an error for unknown keys.

Optional: Add logging for unknown test keys

 func testServiceName(region, testKey string) string {
 	svc, ok := testServiceNames[testKey]
 	if !ok {
+		GinkgoLogr.Info("unknown test key, using default service", "testKey", testKey, "default", "ssmmessages")
 		svc = "ssmmessages"
 	}
 	return fmt.Sprintf("com.amazonaws.%s.%s", region, svc)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/helpers_test.go` around lines 66 - 73, The function testServiceName
silently falls back to "ssmmessages" when testKey is missing from
testServiceNames which can hide typos; change testServiceName to return (string,
error) instead of only string, check the map and if the key is missing return a
descriptive error (e.g., fmt.Errorf("unknown test service key: %s", testKey)),
otherwise return the formatted service string and nil error; update all callers
of testServiceName to handle the error (fail the test or log as appropriate) so
missing keys are surfaced rather than silently ignored.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@test/e2e/helpers_test.go`:
- Around line 66-73: The function testServiceName silently falls back to
"ssmmessages" when testKey is missing from testServiceNames which can hide
typos; change testServiceName to return (string, error) instead of only string,
check the map and if the key is missing return a descriptive error (e.g.,
fmt.Errorf("unknown test service key: %s", testKey)), otherwise return the
formatted service string and nil error; update all callers of testServiceName to
handle the error (fail the test or log as appropriate) so missing keys are
surfaced rather than silently ignored.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b170878c-fdbb-4113-b1de-3fdc84a32587

📥 Commits

Reviewing files that changed from the base of the PR and between fef196e and b31f351.

⛔ Files ignored due to path filters (6)

• boilerplate/_data/last-boilerplate-commit is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/OWNERS_ALIASES is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/README.md is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/ensure.sh is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/olm_pko_migration.py is excluded by !boilerplate/**
• boilerplate/openshift/golang-osd-operator/standard.mk is excluded by !boilerplate/**

📒 Files selected for processing (6)

• .tekton/aws-vpce-operator-pko-pull-request.yaml
• OWNERS_ALIASES
• build/Dockerfile
• build/Dockerfile.olm-registry
• test/e2e/aws_integration_test.go
• test/e2e/helpers_test.go

✅ Files skipped from review due to trivial changes (3)

• build/Dockerfile
• build/Dockerfile.olm-registry
• OWNERS_ALIASES