test/e2e: add focused SVID attestation coverage with shared helpers

[sayak-redhat]

1. Move attestation test setup into reusable helper functions in utils.
2. Add clear checks for:
3. valid svid.pem X.509 certificate
4. correct SPIFFE ID in certificate
5. valid certificate expiry window
6. SVID rotation using short TTL
7. Remove repeated setup and cert parsing code.
8. Make attestation E2E tests easier to read and maintain.

Summary by CodeRabbit

• Tests
  • Expanded attestation e2e coverage with validations for SVID X.509 PEM/certificate contents, SPIFFE ID matching, TTL bounds/non-expiration, CA chaining, and rotation before expiry.
  • Added fixture-based attestation setup and utilities to provision isolated test pods and retrieve/parse SVID and bundle PEMs.
  • Introduced a default X.509 SVID TTL used by the e2e suite.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds PEM/X.509 utilities and a test attestation fixture; updates SpireServer TTL sourcing; replaces manual workload attestation with fixture-driven SVID validation (PEM parsing, SPIFFE ID, TTL bounds, bundle chain) and adds a rotation-before-expiry test.

Changes

SVID Attestation Testing Infrastructure

Layer / File(s)	Summary
Imports and SpireServer config test/e2e/utils/utils.go, test/e2e/e2e_test.go	Adds crypto/x509/encoding/pem imports, replaces k8s.io/utils/ptr usage with k8s.io/apimachinery/pkg/types, and sets SpireServer DefaultX509Validity to utils.DefaultX509SVIDTTL.
Certificate Read / Parse Utilities test/e2e/utils/utils.go (imports, cert helpers)	Adds ReadSVIDPEM, ReadBundlePEM, ParsePEMCertificate, ParseAllPEMCertificates, and ReadAndParseSVIDCertificate to read and parse PEM and X.509 certificates from the attestation pod.
Default X.509 TTL constant & SpiffeHelperConfig test/e2e/utils/constants.go, test/e2e/utils/utils.go	Adds exported DefaultX509SVIDTTL = 1 * time.Hour and reintroduces SpiffeHelperConfig helpers used by tests.
Attestation fixture and setup test/e2e/utils/utils.go (…952–1094)	Adds AttestationFixture and SetupAttestationTest to provision namespace, ClusterSPIFFEID, ServiceAccount, spiffe-helper ConfigMap, and an attestation Pod mounting SPIFFE CSI and /certs, waiting for SVID files.
SVID Validation & Rotation Tests test/e2e/e2e_test.go (…401–526)	Replaces prior workload attestation with fixture-driven tests asserting svid.pem is a valid X.509 cert (NotBefore/NotAfter), SPIFFE ID SAN matches, TTL within bounds, bundle contains CA certs and verifies chain, and adds a rotation-before-expiry test that forces short TTL and verifies certificate rotation and validity.

Sequence Diagram

sequenceDiagram
    participant Tester as Test Runner
    participant K8s as Kubernetes API
    participant Pod as Attestation Pod
    participant CSI as SPIFFE CSI Driver
    participant Spire as SPIRE Agent/Server
    participant Parser as Test Utilities (x509)

    Tester->>K8s: Create Namespace, ClusterSPIFFEID, ServiceAccount, ConfigMap
    Tester->>K8s: Create Pod spec (mount CSI, emptyDir /certs)
    K8s->>CSI: CSI volume mount request for Pod
    CSI->>Spire: Request SVID for Pod/SA
    Spire->>CSI: Provide SVID files (svid.pem, svid_key.pem, bundle.pem)
    CSI->>Pod: Populate /certs with SVID files
    K8s->>Tester: Pod becomes Ready
    Tester->>Pod: Exec "cat /certs/svid.pem"
    Pod-->>Tester: stdout (PEM)
    Tester->>Parser: Parse PEM -> x509.Certificate, inspect SPIFFE ID, expiry
    Parser-->>Tester: Validation results (valid cert, SPIFFE ID, TTL bounds, rotation checks)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding SVID attestation test coverage with reusable helper functions, which aligns with the core objectives of moving test setup into shared utilities and improving test readability.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in the PR are stable and deterministic: no UUIDs, timestamps, dynamic suffixes, variables, or string construction found in test titles; all resource names use static prefixes.
Test Structure And Quality	✅ Passed	All quality checks pass: single responsibility per test, proper cleanup via DeferCleanup, appropriate timeouts, meaningful assertion messages, consistent with codebase patterns.
Microshift Test Compatibility	✅ Passed	New tests use only standard K8s APIs (Pod, Namespace, ServiceAccount, ConfigMap) and SPIRE CRDs (ClusterSPIFFEID). No forbidden OpenShift APIs or MicroShift-incompatible patterns detected.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Tests create single pods without multi-node constraints. Certificate validation, SPIFFE ID checks, TTL bounds, and rotation testing are SNO-compatible operations using standard Kubernetes APIs.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains only E2E test code with no deployment manifests, operator code, or scheduling constraints. SetupAttestationTest creates pods with no nodeSelector, affinity, or topology-aware constraints.
Ote Binary Stdout Contract	✅ Passed	All 82 fmt.Fprintf calls use GinkgoWriter. No process-level stdout writes, klog, log.Print, BeforeSuite, main(), init() functions, or top-level code that could corrupt JSON output detected.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	New SVID tests have no IPv4 hardcoding, IP parsing assumptions, or external connectivity. All operations are cluster-internal certificate validation using X.509 and SPIFFE URIs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sayak-redhat
Once this PR has been reviewed and has the lgtm label, please assign rausingh-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/utils/utils.go`:
- Around line 927-953: The test uses deterministic names (ns, podName, saName
and ClusterSPIFFEID ObjectMeta.Name -> cspiffeID) computed from prefix which
causes AlreadyExists flakes; update SetupAttestationTest to append a unique
suffix (e.g., short random/UUID or timestamp) to ns, podName, saName and the
ClusterSPIFFEID name (and update dependent selectors/labels like PodSelector
MatchLabels and NamespaceSelector MatchLabels if they reference the base name)
so every test run/parallel spec creates distinct Namespace, Pod, ServiceAccount
and ClusterSPIFFEID objects (ensure the code paths that reference attestationNS,
podName, saName, and cspiffeID use the new suffixed values).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6a9aafc6-4d3c-4322-a75c-e9b03d69a865

📥 Commits

Reviewing files that changed from the base of the PR and between 5e5841e and d1c869b.

📒 Files selected for processing (1)

• test/e2e/utils/utils.go

[rausingh-rh]

can be use Label("attestation") instead in all the newly added 4 test cases?

[sayak-redhat]

Done

[rausingh-rh]

suggestion: Consider adding a test (in this PR or a follow-up) that verifies:

1. bundle.pem parses as a valid CA certificate (IsCA: true)
2. svid.pem chains to bundle.pem (using x509.Certificate.Verify with a pool containing the bundle)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/e2e_test.go`:
- Around line 404-406: BeforeAll is calling SetupAttestationTest with testCtx
which is only initialized in BeforeEach, so create a dedicated context inside
BeforeAll (e.g., allCtx or beforeAllCtx) and pass that to SetupAttestationTest
instead of testCtx; also ensure you cancel/cleanup that context in AfterAll to
avoid leaks. Update references in the test to use the new before-all context for
the SetupAttestationTest call and add a matching cancellation in AfterAll.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 38558a73-0608-41d4-b9a8-7f1a2e8a9942

📥 Commits

Reviewing files that changed from the base of the PR and between d1c869b and c36086a.

📒 Files selected for processing (3)

• test/e2e/e2e_test.go
• test/e2e/utils/constants.go
• test/e2e/utils/utils.go

✅ Files skipped from review due to trivial changes (1)

• test/e2e/utils/constants.go

[sayak-redhat]

/retest

[sayak-redhat]

/retest

[sayak-redhat]

/test

[sayak-redhat]

/retest

[openshift-ci]

@sayak-redhat: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.