CNTRLPLANE-3741: PKI config tests for service-ca and kube-apiserver-operator

[kaleemsiddiqu]

Tests for kube-apiserver and service-ca added

Summary by CodeRabbit

• Tests
  • Added a new external test suite (openshift/pkiconfig) to validate configurable PKI certificate regeneration.
  • Expanded coverage for kube-apiserver PKI regeneration by deleting targeted certificate Secrets and confirming regenerated certificate key properties for uniform and mixed configurations.
  • Expanded coverage for service-ca under the ConfigurablePKI feature gate, including regeneration and validation of signing and serving certificates (RSA and ECDSA key/curve parameters, with mixed overrides).
  • Strengthened secret rotation assertions by verifying Secrets are replaced and certificates match expected algorithms and parameters.
  • Improved reliability with deferred cleanup that restores prior PKI configuration after failures.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds extended e2e coverage for configurable PKI profiles, including PKI test registration, shared helpers, and kube-apiserver and service-ca certificate regeneration checks for uniform and mixed key settings.

Changes

Configurable PKI e2e coverage

Layer / File(s)	Summary
Registration and suite wiring test/extended/include.go, pkg/testsuites/standard_suites.go	Registers the PKI extended package and adds the openshift/pkiconfig suite with its execution settings.
Shared PKI helpers test/extended/pki/helpers.go	Defines PKI test config types and helper functions for applying PKI profiles, parsing certificates, waiting for secret regeneration, deleting secrets, and resetting PKI configuration.
kube-apiserver uniform cases test/extended/pki/pki_kube_apiserver.go	Sets up the kube-apiserver suite, runs the uniform RSA and ECDSA matrix, and verifies regenerated signer, serving, and client certificates.
kube-apiserver mixed cases test/extended/pki/pki_kube_apiserver.go	Runs the mixed kube-apiserver matrix and validates regenerated certificates with per-category expectations.
service-ca suite and config matrix test/extended/pki/pki_service_ca.go	Sets up the service-ca suite, checks readiness, applies the configuration matrix, and waits for reconciliation and deployment readiness.
service-ca certificate regeneration test/extended/pki/pki_service_ca.go	Deletes signing and service secrets, waits for regeneration, and validates the regenerated CA and service certificates.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	FAIL: The new PKI specs bundle multiple behaviors per It, use BeforeAll/context.TODO plus DeferCleanup instead of per-test setup/cleanup, and several waits/assertions hide failures.	Split the suite into smaller Its, move resource setup/cleanup to BeforeEach/AfterEach or spec-ctx cleanup, propagate ctx, and add explicit failure messages plus real error handling in poll loops.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All new ginkgo titles are fixed strings; none include generated names, timestamps, UUIDs, namespaces, or other run-varying data.
Microshift Test Compatibility	✅ Passed	Both new Ginkgo suites are tagged [apigroup:config.openshift.io] and [Skipped:MicroShift], so MicroShift CI will skip them despite kube-apiserver/service-ca API use.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No multi-node/HA assumptions found; the new PKI tests only modify cert secrets and deployments, with no node-count, scheduling, or topology checks.
Topology-Aware Scheduling Compatibility	✅ Passed	Only test code and suite metadata changed; no manifests, controllers, nodeSelectors, or scheduling constraints were added.
Ote Binary Stdout Contract	✅ Passed	No process-level stdout writes were added; pki setup uses framework.Logf/GinkgoWriter, and constructors/init paths have no fmt.Print or stdout sinks.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The new PKI e2e tests use only cluster-internal Secrets/Services; no hardcoded IPv4s, URL construction, or external internet endpoints were found.
No-Weak-Crypto	✅ Passed	Checked the added PKI files: they use RSA/ECDSA and x509 parsing only, with no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token compares.
Container-Privileges	✅ Passed	The PR only adds Go e2e tests and suite registration; no touched file sets privileged/hostNetwork/hostPID/hostIPC, allowPrivilegeEscalation, or securityContext.
No-Sensitive-Data-In-Logs	✅ Passed	No logs print credentials or raw secret/certificate contents; messages only include test names, namespaces, secret names, and key sizes.
Title check	✅ Passed	The title accurately summarizes the main change: new PKI configuration tests for service-ca and kube-apiserver-operator.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/test e2e-gcp-ovn-techpreview-serial-1of2
/test e2e-gcp-ovn-techpreview-serial-2of2

[coderabbitai]

Actionable comments posted: 8

🧹 Nitpick comments (1)

test/extended/pki/helpers.go (1)

108-125: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

buildKeyConfig silently returns an incomplete config for unrecognized algorithms.

If algorithm is neither RSA nor ECDSA, only Algorithm is set and both key bodies stay zero-valued, which could produce a confusing apply result downstream. Consider asserting/erroring on the default case so misconfigured test cases fail fast.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/pki/helpers.go` around lines 108 - 125, buildKeyConfig
currently falls through for any algorithm other than KeyAlgorithmRSA or
KeyAlgorithmECDSA, leaving KeyConfig partially populated and hiding
misconfigured test inputs. Update buildKeyConfig to explicitly handle the
supported algorithms and add a default branch that fails fast (for example by
asserting or returning an error) when an unrecognized KeyAlgorithm is passed, so
callers of buildKeyConfig get an immediate signal instead of an incomplete
config.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/pki/helpers.go`:
- Around line 284-293: waitForSecretRegeneration currently treats any existing
secret as success, so it can return the old secret or a newly created secret
before cert data is ready. Update the helper in helpers.go to wait for a
genuinely regenerated secret by comparing against the deleted secret’s
UID/resourceVersion (or by confirming the secret is gone first), and then
require that the new secret contains certKey in Data before returning. Adjust
the call site in pki_kube_apiserver.go to pass the identifier needed to
distinguish the old secret from the recreated one.
- Around line 168-174: The PKI create-or-update flow in the helper currently
treats every Get failure as “missing” and falls back to Create, which can hide
RBAC, timeout, or server errors. Update the logic in the PKI helper path to only
call Create when configClient.ConfigV1alpha1().PKIs().Get returns
apierrors.IsNotFound(err), and otherwise return the original error; apply the
same NotFound-gated pattern in applyMixedPKIConfig as well.

In `@test/extended/pki/pki_kube_apiserver.go`:
- Around line 378-383: The deleteCertificateSecret failure path in
pki_kube_apiserver.go can mask a false pass because the loop only logs a warning
and continues without verifying anything. Update the certificate regeneration
checks around deleteCertificateSecret in the relevant test loop(s) so that a
missing/un-deletable expected secret causes the test to fail, or track whether
at least one certificate was successfully deleted and verified before allowing
the spec to pass. Apply the same fix to the duplicate verification block that
uses the same pattern elsewhere in the file.
- Around line 184-188: The deferred cleanup in `g.DeferCleanup` is using
`context.Background()`, which drops the test/spec context and leaves
`cleanupPKIConfiguration` unbounded; update the cleanup path to derive from the
existing spec context in `pki_kube_apiserver.go` using a detached context (for
example via `context.WithoutCancel`) and wrap it with a timeout before calling
`cleanupPKIConfiguration` so cleanup still has context values but cannot run
indefinitely.
- Around line 25-171: The package-level integrationTestCertificates slice in
pki_kube_apiserver.go is unused by the kube-apiserver test helpers. Remove the
dead variable, or update the relevant test setup functions to reference
integrationTestCertificates directly so the shared certificate list is actually
consumed. Use the integrationTestCertificates symbol and the kube-apiserver PKI
test helpers in this file to locate the change.
- Around line 173-174: The top-level ginkgo recovery hook in the `Describe` body
is unnecessary here. Remove the `defer g.GinkgoRecover()` from the `PKI
Configuration` `Describe` block in `pki_kube_apiserver.go`, and only add
`GinkgoRecover()` inside any spawned goroutine that may call `Fail` or Gomega in
the future.

In `@test/extended/pki/pki_service_ca.go`:
- Around line 331-333: The cleanup in the deferred namespace deletion is
ignoring a returned error, which can hide failed teardown; update the defer in
the pki service CA test to capture the result of
kubeClient.CoreV1().Namespaces().Delete and explicitly assert or log any error
instead of discarding it. Use the existing cleanup block around the testNS
deletion in the deferred func and keep the failure handling consistent with the
test’s other error checks so namespace leaks are surfaced.
- Around line 33-35: The deferred cleanup in the Ginkgo test uses
context.Background(), which disconnects it from the spec context. Update the
DeferCleanup block in pki_service_ca.go to derive a detached context from the
existing test context using context.WithoutCancel(ctx) and wrap it with a
bounded timeout, then pass that context into cleanupPKIConfiguration so cleanup
still runs independently without losing test-scoped values. Use the existing
test context variable from the surrounding spec and keep the cleanup logic
inside g.DeferCleanup.

---

Nitpick comments:
In `@test/extended/pki/helpers.go`:
- Around line 108-125: buildKeyConfig currently falls through for any algorithm
other than KeyAlgorithmRSA or KeyAlgorithmECDSA, leaving KeyConfig partially
populated and hiding misconfigured test inputs. Update buildKeyConfig to
explicitly handle the supported algorithms and add a default branch that fails
fast (for example by asserting or returning an error) when an unrecognized
KeyAlgorithm is passed, so callers of buildKeyConfig get an immediate signal
instead of an incomplete config.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0bcf1c75-08b8-4f9c-b678-e0aeb6c80603

📥 Commits

Reviewing files that changed from the base of the PR and between 5c8a9b0 and 1820a38.

📒 Files selected for processing (4)

• test/extended/include.go
• test/extended/pki/helpers.go
• test/extended/pki/pki_kube_apiserver.go
• test/extended/pki/pki_service_ca.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/test e2e-gcp-ovn-techpreview-serial-1of2
/test e2e-gcp-ovn-techpreview-serial-2of2

[coderabbitai]

🧹 Nitpick comments (3)

test/extended/pki/pki_kube_apiserver.go (3)

196-384: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Consider extracting the shared regeneration/verify loop.

testKubeAPIServerCertificates and testMixedKubeAPIServerCertificates differ only in how the expected algorithm/size/curve is sourced; the get-UID → delete → wait → verify body is duplicated. A small helper taking (cert operatorCertificate, expectedAlgorithm, expectedRSASize, expectedECDSACurve) would remove the duplication and keep timeout/verification logic in one place.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/pki/pki_kube_apiserver.go` around lines 196 - 384, The
regeneration/verify flow is duplicated in testKubeAPIServerCertificates and
testMixedKubeAPIServerCertificates; extract the shared get-UID →
deleteCertificateSecret → waitForSecretRegeneration → getCertificateFromSecret
loop into a helper. Make the helper take operatorCertificate plus the expected
algorithm/size/curve inputs so both callers can reuse the same timeout and
verification logic while only differing in how expectations are populated.

---

232-236: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Redundant if err != nil around the assertion.

o.Expect(err).NotTo(o.HaveOccurred()) already fails (and halts via panic) when err != nil, so the surrounding conditional adds nothing and only obscures intent. The same pattern repeats at Lines 336-339. Assert unconditionally.

♻️ Suggested change

-		oldSecret, err := kubeClient.CoreV1().Secrets(cert.Namespace).Get(ctx, cert.SecretName, metav1.GetOptions{})
-		if err != nil {
-			o.Expect(err).NotTo(o.HaveOccurred(), "certificate %s/%s must exist before deletion", cert.Namespace, cert.SecretName)
-		}
+		oldSecret, err := kubeClient.CoreV1().Secrets(cert.Namespace).Get(ctx, cert.SecretName, metav1.GetOptions{})
+		o.Expect(err).NotTo(o.HaveOccurred(), "certificate %s/%s must exist before deletion", cert.Namespace, cert.SecretName)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/pki/pki_kube_apiserver.go` around lines 232 - 236, Remove the
redundant `if err != nil` guard around the
`o.Expect(err).NotTo(o.HaveOccurred(), ...)` assertion in the certificate secret
lookup, and let the expectation run unconditionally before using
`oldSecret.UID`. Apply the same cleanup to the repeated pattern later in this
test (the `kubeClient.CoreV1().Secrets(...).Get` plus `o.Expect` block), so the
intent is clearer and the assertion alone handles failures.

---

42-48: 🩺 Stability & Availability | 🔵 Trivial

Accept the Ginkgo context in these It bodies.

These [Slow] specs can wait up to 20 minutes, so context.TODO() bypasses Ginkgo timeout and cancellation handling. Thread the spec context through instead.

♻️ Suggested change

-	g.It("should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Slow][Skipped:MicroShift]", func() {
-		testUniformPKIConfigurations(context.TODO(), kubeClient, configClient)
-	})
+	g.It("should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Slow][Skipped:MicroShift]", func(ctx context.Context) {
+		testUniformPKIConfigurations(ctx, kubeClient, configClient)
+	})
 
-	g.It("should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Slow][Skipped:MicroShift]", func() {
-		testMixedPKIConfigurations(context.TODO(), kubeClient, configClient)
-	})
+	g.It("should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Slow][Skipped:MicroShift]", func(ctx context.Context) {
+		testMixedPKIConfigurations(ctx, kubeClient, configClient)
+	})

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/pki/pki_kube_apiserver.go` around lines 42 - 48, The two Ginkgo
It bodies are using context.TODO(), which bypasses Ginkgo’s timeout and
cancellation handling for these long-running [Slow] specs. Update the uniform
and mixed PKI specs to accept the Ginkgo context from the It body and pass that
spec context through to testUniformPKIConfigurations and
testMixedPKIConfigurations instead of creating a TODO context, so cancellation
and timeout behavior is preserved.

Source: Path instructions

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/extended/pki/pki_kube_apiserver.go`:
- Around line 196-384: The regeneration/verify flow is duplicated in
testKubeAPIServerCertificates and testMixedKubeAPIServerCertificates; extract
the shared get-UID → deleteCertificateSecret → waitForSecretRegeneration →
getCertificateFromSecret loop into a helper. Make the helper take
operatorCertificate plus the expected algorithm/size/curve inputs so both
callers can reuse the same timeout and verification logic while only differing
in how expectations are populated.
- Around line 232-236: Remove the redundant `if err != nil` guard around the
`o.Expect(err).NotTo(o.HaveOccurred(), ...)` assertion in the certificate secret
lookup, and let the expectation run unconditionally before using
`oldSecret.UID`. Apply the same cleanup to the repeated pattern later in this
test (the `kubeClient.CoreV1().Secrets(...).Get` plus `o.Expect` block), so the
intent is clearer and the assertion alone handles failures.
- Around line 42-48: The two Ginkgo It bodies are using context.TODO(), which
bypasses Ginkgo’s timeout and cancellation handling for these long-running
[Slow] specs. Update the uniform and mixed PKI specs to accept the Ginkgo
context from the It body and pass that spec context through to
testUniformPKIConfigurations and testMixedPKIConfigurations instead of creating
a TODO context, so cancellation and timeout behavior is preserved.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 57aa33bc-1f72-4c5b-94ea-09a80b5afb76

📥 Commits

Reviewing files that changed from the base of the PR and between 1820a38 and aa956c0.

📒 Files selected for processing (4)

• test/extended/include.go
• test/extended/pki/helpers.go
• test/extended/pki/pki_kube_apiserver.go
• test/extended/pki/pki_service_ca.go

🚧 Files skipped from review as they are similar to previous changes (3)

• test/extended/include.go
• test/extended/pki/helpers.go
• test/extended/pki/pki_service_ca.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/test e2e-gcp-ovn-techpreview-serial-1of2
/test e2e-gcp-ovn-techpreview-serial-2of2

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/retest

[kaleemsiddiqu]

/test pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig
/test e2e-aws-ovn-fips

[gangwgr]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr, kaleemsiddiqu
Once this PR has been reviewed and has the lgtm label, please assign stbenjam for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kaleemsiddiqu]

/verified by CI
TechPreview job e2e-gcp-ovn-techpreview-pkiconfig

[openshift-ci-robot]

@kaleemsiddiqu: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI
TechPreview job e2e-gcp-ovn-techpreview-pkiconfig

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[kaleemsiddiqu]

/test pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/pki/helpers.go`:
- Around line 71-79: Both polling helpers are swallowing every client error and
only timing out, which hides real failures. Update waitForPKICRD and
waitForSecretRegeneration to use the callback error return from
wait.PollUntilContextTimeout so only the expected “not ready”/not found case
keeps waiting, while RBAC, transport, or apiserver errors are returned
immediately. Keep the logic localized in these helper functions and preserve
their existing retry behavior for the transient unavailable case.

In `@test/extended/pki/pki_kube_apiserver.go`:
- Around line 42-48: The PKI test cases are using context.TODO(), which drops
the Ginkgo spec context and its cancellation/deadline behavior. Update the two
g.It blocks in the PKI kube apiserver spec to pass the existing spec ctx through
to testUniformPKIConfigurations and testMixedPKIConfigurations instead of
creating a new TODO context.
- Around line 98-103: The fixed sleep before the kube-apiserver certificate
regeneration checks is too brittle and can race with operator reconciliation. In
both test loops in pki_kube_apiserver.go, replace the 10-second time.Sleep with
a wait that observes operator progress after the PKI config change before
calling testKubeAPIServerCertificates. Use the existing test flow around tc,
kubeClient, and the reconciliation helpers to block until the operator has
consumed the updated configuration, then continue with the certificate
assertions.

In `@test/extended/pki/pki_service_ca.go`:
- Around line 211-214: Only treat a NotFound error as the optional absence of
the serving cert in pki_service_ca.go; the current Get call in the serving-cert
lookup silently ignores all errors and leaves oldServingCertUID empty. Update
the logic around kubeClient.CoreV1().Secrets(...).Get so it explicitly checks
for apierrors.IsNotFound(err) before continuing, and for any other error return
it immediately instead of proceeding. Keep the existing oldServingCertUID
assignment path in the successful Get case.
- Around line 319-324: The deferred namespace cleanup in the PKI service CA
helper still depends on the cancellable spec context, so deletion can be skipped
when the test context is canceled. Update the cleanup in the helper that defers
kubeClient.CoreV1().Namespaces().Delete to use a detached context via
context.WithoutCancel(ctx) and wrap it with an explicit timeout before issuing
the delete, while keeping the existing NotFound handling and warning log.
- Around line 174-178: The service-ca reconciliation check is currently only
logged and then execution continues, which violates the “never ignore error
returns” rule. In the PKI test flow around WaitForOperatorProgressingFalse and
the subsequent “Operator has reconciled PKI configuration” log, change the
handling so a non-nil error fails the test immediately instead of warning and
proceeding. Ensure the surrounding logic only continues once the operator has
successfully reconciled.
- Around line 39-55: Pass the Ginkgo context through the PKI test flow instead
of using context.TODO(), so the spec lifecycle controls the CRD waits, config
updates, and certificate polling. Update the g.It callback in the PKI service CA
test to accept a context and forward it into testServiceCAPKIConfiguration, then
change testServiceCAPKIConfiguration to take that ctx parameter and use it for
the client polling and wait logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 440f93eb-4914-4bf0-97be-d1c56f25bb1e

📥 Commits

Reviewing files that changed from the base of the PR and between ba29d50 and 66180a4.

📒 Files selected for processing (5)

• pkg/testsuites/standard_suites.go
• test/extended/include.go
• test/extended/pki/helpers.go
• test/extended/pki/pki_kube_apiserver.go
• test/extended/pki/pki_service_ca.go

✅ Files skipped from review due to trivial changes (1)

• test/extended/include.go

[openshift-ci-robot]

@kaleemsiddiqu: This pull request references CNTRLPLANE-3741 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Tests for kube-apiserver and service-ca added

Summary by CodeRabbit

• Tests
• Added a new external test suite (openshift/pkiconfig) to validate configurable PKI certificate regeneration.
• Expanded coverage for kube-apiserver PKI regeneration by deleting targeted certificate Secrets and confirming regenerated certificate key properties for uniform and mixed configurations.
• Expanded coverage for service-ca under the ConfigurablePKI feature gate, including regeneration and validation of signing and serving certificates (RSA and ECDSA key/curve parameters, with mixed overrides).
• Strengthened secret rotation assertions by verifying Secrets are replaced and certificates match expected algorithms and parameters.
• Improved reliability with deferred cleanup that restores prior PKI configuration after failures.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[kaleemsiddiqu]

/test e2e-gcp-ovn-techpreview-pkiconfig

[kaleemsiddiqu]

/retest

[kaleemsiddiqu]

/retest

[kaleemsiddiqu]

/retest

[openshift-ci]

@kaleemsiddiqu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-ovn-techpreview-serial-2of2	ba29d50	link	false	/test e2e-gcp-ovn-techpreview-serial-2of2
ci/prow/e2e-gcp-ovn-techpreview-serial-1of2	ba29d50	link	false	/test e2e-gcp-ovn-techpreview-serial-1of2
ci/prow/e2e-aws-ovn-single-node-techpreview-serial	ba29d50	link	false	/test e2e-aws-ovn-single-node-techpreview-serial
ci/prow/e2e-gcp-ovn	f0278a2	link	true	/test e2e-gcp-ovn
ci/prow/e2e-aws-ovn-microshift	f0278a2	link	true	/test e2e-aws-ovn-microshift

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: f0278a2

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig	High - "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig	High - "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test that was not present in all runs against the current commit.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig	High - "[sig-service-ca][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate PKI config and regenerate signing cert [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test that was not present in all runs against the current commit.

New tests seen in this PR at sha: f0278a2

• "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
• "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
• "[sig-service-ca][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate PKI config and regenerate signing cert [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]

[openshift-trt]

Risk analysis has seen new tests most likely introduced by this PR.
Please ensure that new tests meet guidelines for naming and stability.

New Test Risks for sha: f0278a2

Job Name	New Test Risk
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig	Medium - "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig	Medium - "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test, and was only seen in one job.
pull-ci-openshift-origin-main-e2e-gcp-ovn-techpreview-pkiconfig	Medium - "[sig-service-ca][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate PKI config and regenerate signing cert [apigroup:config.openshift.io][Skipped:MicroShift]" is a new test, and was only seen in one job.

New tests seen in this PR at sha: f0278a2

• "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate mixed PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
• "[sig-kube-apiserver][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate uniform PKI configurations and certificate regeneration [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]
• "[sig-service-ca][OCPFeatureGate:ConfigurablePKI][Serial][Disruptive][Suite:openshift/pkiconfig] PKI Configuration should validate PKI config and regenerate signing cert [apigroup:config.openshift.io][Skipped:MicroShift]" [Total: 2, Pass: 2, Fail: 0, Flake: 0]