fake bump test

[gangwgr]

Summary by CodeRabbit

• Tests

  • Expanded end-to-end encryption coverage with new KMS-to-KMS migration scenarios, including transitions across two distinct Vault KMS providers and token encryption state validation.
  • Adjusted the encryption KMS test suite to focus on migration and provider on/off behavior.

• Chores

  • Updated module resolution by adding/updating a dependency replace directive to align with the referenced library version.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[gangwgr]

/test e2e-aws-operator-encryption-kms

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign xueqzhan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gangwgr]

/test e2e-aws-operator-encryption-kms

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 34297338-7603-4f9f-98d7-cb4b19220337

📥 Commits

Reviewing files that changed from the base of the PR and between f85fc99 and 3ce654e.

⛔ Files ignored due to path filters (6)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/kms_preflight_controller.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/helpers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• test/e2e-encryption-kms/encryption_kms.go

🚧 Files skipped from review as they are similar to previous changes (2)

• go.mod
• test/e2e-encryption-kms/encryption_kms.go

---

Walkthrough

The PR disables the existing TestKMSEncryptionOnOff and TestKMSEncryptionProvidersMigration e2e specs and introduces two new KMS-to-KMS test scenarios (TestKMSToKMSMigration, TestKMSToKMSOnOff) backed by new helper functions. It also updates go.mod to point github.com/openshift/library-go to github.com/ardaguclu/library-go via a replace directive.

Changes

KMS-to-KMS E2E Tests and Dependency Wiring

Layer / File(s)	Summary
library-go fork replace directive go.mod	Updates the github.com/openshift/library-go replace directive to github.com/ardaguclu/library-go v0.0.0-20260618055608-feb27829a74c.
KMS-to-KMS Ginkgo specs and helpers test/e2e-encryption-kms/encryption_kms.go	Comments out TestKMSEncryptionOnOff and TestKMSEncryptionProvidersMigration specs; enables TestKMSToKMSMigration and TestKMSToKMSOnOff specs. Adds testKMSToKMSMigration and testKMSToKMSOnOff helpers that configure BasicScenario with PrimaryProvider/SecondaryProvider from Vault KMS and assert token encryption states across provider migration and on/off transitions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• openshift/cluster-authentication-operator#916: Also updates github.com/openshift/library-go dependency with KMS-related behavior changes that may overlap with this PR's fork wiring.

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	Two new tests (TestKMSToKMSMigration and TestKMSToKMSOnOff) reference [OCPFeatureGate:KMSEncryption], which indicates they require a feature gate unavailable on MicroShift. Tests lack any [Skipped:...	Add [Skipped:MicroShift] label to both tests or wrap them in a guard checking if KMSEncryption feature gate is available. Alternatively, add [apigroup:config.openshift.io] tag since feature gates are config.openshift.io resources not ser...
Title check	❓ Inconclusive	The title 'fake bump test' is vague and does not clearly convey the actual changes, which involve updating a dependency replace directive and modifying KMS encryption test scenarios.	Consider a more descriptive title that reflects the main changes, such as 'Update library-go dependency and modify KMS encryption test scenarios' or similar.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in the PR are static and deterministic with no dynamic information like generated IDs, timestamps, pod/node names, or random values.
Test Structure And Quality	✅ Passed	Tests follow codebase patterns: delegation to library functions handles setup, assertions with appropriate timeouts, and each test targets one behavior. No explicit BeforeEach/AfterEach needed due...
Single Node Openshift (Sno) Test Compatibility	✅ Passed	New Ginkgo tests (TestKMSToKMSMigration, TestKMSToKMSOnOff) test API-level encryption state transitions and KMS provider migration. They don't assume multi-node clusters, multi-node pod scheduling,...
Topology-Aware Scheduling Compatibility	✅ Passed	PR only modifies go.mod (dependency update) and test/e2e-encryption-kms/encryption_kms.go (test helpers). No deployment manifests, operator code, or scheduling constraints were introduced.
Ote Binary Stdout Contract	✅ Passed	No stdout-writing patterns (fmt.Print*, log.Print*, klog) found in process-level code. TestMain() contains only test shuffling. All test code is properly encapsulated within Ginkgo It() blocks wher...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	New Ginkgo tests contain no IPv4 assumptions or external connectivity requirements. Tests use only cluster-internal resources and Vault KMS which supports IPv6.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the modified code.
Container-Privileges	✅ Passed	PR adds manifests with privileged containers and runAsUser: 0, but all instances include inline comments justifying the settings (audit file permissions, CA bundle writing). No hostPID, hostNetwork...
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, API keys, PII) is exposed in logs; only configuration metadata (VaultAddress, TransitMount, TransitKey, VaultNamespace) is logged at debug level for KMS migrat...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

test/e2e-encryption-kms/encryption_kms.go (1)

17-23: ⚡ Quick win

Prefer explicit pending specs over commented-out g.It blocks.

Lines [17]-[23] hide skipped coverage in comments. Using explicit pending/disabled Ginkgo nodes keeps intent visible in test reports and avoids stale commented code paths.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms.go` around lines 17 - 23, The
commented-out g.It blocks for TestKMSEncryptionOnOff and
TestKMSEncryptionProvidersMigration should be replaced with explicit Ginkgo
pending specs rather than remaining as commented code. Remove the comment syntax
and use Ginkgo's pending mechanism (such as g.PIt or adding a Skip() call) to
explicitly mark these test specifications as disabled, which will make the
intent visible in test reports and prevent stale commented code paths.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Line 137: Remove the replace directive for github.com/openshift/library-go
that points to the personal fork github.com/gangwgr/library-go from go.mod. This
replace directive widened the supply-chain trust boundary by redirecting all
imports (including production code) to a personal fork instead of the official
OpenShift-owned repository. If the changes from this fork are still necessary
for functionality, work to upstream them to the official
github.com/openshift/library-go repository, or if they are only needed for local
development or testing, configure them through local-only mechanisms (such as
local go.mod overrides or test-specific environment setup) that do not affect
production builds.

In `@test/e2e-encryption-kms/encryption_kms.go`:
- Around line 112-113: Replace all instances of context.TODO() with the
available ctx parameter from the enclosing function scope to enable proper
cancellation and timeout propagation in the encryption test closures. In file
test/e2e-encryption-kms/encryption_kms.go, make the following changes: at lines
112-113 in the CreateResourceFunc closure within testKMSToKMSMigration, replace
context.TODO() with ctx; at lines 86-88 in the closure within
testKMSEncryptionProvidersMigration, replace context.TODO() with ctx; and at
lines 136-137 in the closure within testKMSToKMSOnOff, replace context.TODO()
with ctx. Each enclosing function has a ctx parameter available in its scope
that should be used instead of creating a new TODO context.

---

Nitpick comments:
In `@test/e2e-encryption-kms/encryption_kms.go`:
- Around line 17-23: The commented-out g.It blocks for TestKMSEncryptionOnOff
and TestKMSEncryptionProvidersMigration should be replaced with explicit Ginkgo
pending specs rather than remaining as commented code. Remove the comment syntax
and use Ginkgo's pending mechanism (such as g.PIt or adding a Skip() call) to
explicitly mark these test specifications as disabled, which will make the
intent visible in test reports and prevent stale commented code paths.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 381667e5-fdca-472c-bca8-228571841975

📥 Commits

Reviewing files that changed from the base of the PR and between ab7203a and f85fc99.

⛔ Files ignored due to path filters (5)

• go.sum is excluded by !**/*.sum
• vendor/github.com/openshift/library-go/pkg/operator/encryption/controllers/key_controller.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/helpers.go is excluded by !**/vendor/**, !vendor/**
• vendor/github.com/openshift/library-go/test/library/encryption/scenarios.go is excluded by !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (2)

• go.mod
• test/e2e-encryption-kms/encryption_kms.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "replace directives:"
rg -n '^replace ' go.mod

echo
echo "Non-test imports affected by the library-go replace:"
rg -n --type=go '"github.com/openshift/library-go' -g '!test/**' -g '!**/*_test.go'

echo
echo "Test imports (expected target scope for this PR):"
rg -n --type=go '"github.com/openshift/library-go' test

Repository: openshift/cluster-authentication-operator

Length of output: 50397

---

Remove the personal fork replace directive before merging.

Line 137 redirects all github.com/openshift/library-go imports (including production code in pkg/) to the personal fork github.com/gangwgr/library-go. This widens the supply-chain trust boundary and conflicts with dependency security requirements.

Before merge, either:

• Upstream the required changes to the official github.com/openshift/library-go repository, or
• Isolate the override to a local/test-only configuration so production builds use the official OpenShift-owned library

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 137, Remove the replace directive for
github.com/openshift/library-go that points to the personal fork
github.com/gangwgr/library-go from go.mod. This replace directive widened the
supply-chain trust boundary by redirecting all imports (including production
code) to a personal fork instead of the official OpenShift-owned repository. If
the changes from this fork are still necessary for functionality, work to
upstream them to the official github.com/openshift/library-go repository, or if
they are only needed for local development or testing, configure them through
local-only mechanisms (such as local go.mod overrides or test-specific
environment setup) that do not affect production builds.

Source: Coding guidelines

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and examine the relevant lines
head -n 150 test/e2e-encryption-kms/encryption_kms.go | tail -n 50

Repository: openshift/cluster-authentication-operator

Length of output: 3184

---

🏁 Script executed:

# Get the full context around lines 112-113 and 136-137
cat -n test/e2e-encryption-kms/encryption_kms.go | sed -n '100,150p'

Repository: openshift/cluster-authentication-operator

Length of output: 3506

---

🏁 Script executed:

# Check the function signature of CreateAndStoreTokenOfLife
rg -A 5 "func CreateAndStoreTokenOfLife" test/

Repository: openshift/cluster-authentication-operator

Length of output: 668

---

🏁 Script executed:

# Look at the enclosing function to understand the scope and whether ctx is available
cat -n test/e2e-encryption-kms/encryption_kms.go | sed -n '1,120p' | tail -n 50

Repository: openshift/cluster-authentication-operator

Length of output: 3842

---

Use ctx instead of context.TODO() in resource creation closures.

At lines 113, 137, and 87, the closures use context.TODO() instead of the available ctx parameter from their enclosing functions (testKMSToKMSMigration, testKMSToKMSOnOff, and testKMSEncryptionProvidersMigration). For long-running serial encryption tests, this bypasses proper cancellation and timeout propagation.

Suggested fix

-        CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
-            return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t))
-        },
+        CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
+            return operatorencryption.CreateAndStoreTokenOfLife(ctx, t, operatorencryption.GetClients(t))
+        },

Also applies to: 86-88, 136-137

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms.go` around lines 112 - 113, Replace
all instances of context.TODO() with the available ctx parameter from the
enclosing function scope to enable proper cancellation and timeout propagation
in the encryption test closures. In file
test/e2e-encryption-kms/encryption_kms.go, make the following changes: at lines
112-113 in the CreateResourceFunc closure within testKMSToKMSMigration, replace
context.TODO() with ctx; at lines 86-88 in the closure within
testKMSEncryptionProvidersMigration, replace context.TODO() with ctx; and at
lines 136-137 in the closure within testKMSToKMSOnOff, replace context.TODO()
with ctx. Each enclosing function has a ctx parameter available in its scope
that should be used instead of creating a new TODO context.

Source: Coding guidelines

[gangwgr]

/test e2e-aws-operator-encryption-kms

[openshift-ci]

@gangwgr: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-operator-encryption-kms	f85fc99	link	false	/test e2e-aws-operator-encryption-kms

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[gangwgr]

/testwith openshift/cluster-authenication-operator/master/e2e-aws-operator-encryption-kms openshift/cluster-kube-apiserver-operator#2203 openshift/cluster-openshift-apiserver-operator#712

[openshift-ci]

@gangwgr, testwith: could not generate prow job. ERROR:

could not determine ci op config from metadata: got unexpected http 404 status code from configresolver: failed to get config: could not find any config for repo openshift/cluster-authenication-operator

[gangwgr]

/testwith openshift/cluster-authentication-operator/master/e2e-aws-operator-encryption-kms openshift/cluster-kube-apiserver-operator#2203 openshift/cluster-openshift-apiserver-operator#712

[openshift-ci]

@gangwgr, testwith: could not generate prow job. ERROR:

could not determine ci op config from metadata: got unexpected http 404 status code from configresolver: failed to get config: could not find any config for repo openshift/cluster-openshift-authenication-operator

[gangwgr]

/testwith openshift/cluster-authentication-operator/master/e2e-aws-operator-encryption-kms openshift/cluster-kube-apiserver-operator#2203 openshift/cluster-openshift-apiserver-operator#712

[gangwgr]

/testwith openshift/cluster-authentication-operator/master/e2e-aws-operator-encryption-kms openshift/cluster-kube-apiserver-operator#2203 openshift/cluster-openshift-apiserver-operator#712