Skip to content

NO-JIRA: Add test for KMS to KMS migration#938

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
ardaguclu:kms-to-kms-e2e
Jul 2, 2026
Merged

NO-JIRA: Add test for KMS to KMS migration#938
openshift-merge-bot[bot] merged 1 commit into
openshift:masterfrom
ardaguclu:kms-to-kms-e2e

Conversation

@ardaguclu

@ardaguclu ardaguclu commented Jun 30, 2026

Copy link
Copy Markdown
Member

This PR adds new test for kms to kms migration.

Summary by CodeRabbit

  • New Features

    • Added a new end-to-end encryption migration test covering movement between two KMS providers and a final switch to unencrypted mode.
    • Expanded test coverage for KMS encryption scenarios with a separate suite for the new migration flow.
  • Tests

    • Updated test selection so the existing KMS suite and the new KMS migration suite run independently.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 30, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@ardaguclu: This pull request explicitly references no jira issue.

Details

In response to this:

This PR adds new test for kms to kms migration.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Walkthrough

Adds a new e2e test suite for migrating token encryption between two distinct Vault KMS providers, registers it as a separate serial test suite (encryption-kms-2), and adjusts the existing encryption-kms suite to exclude the new suite's tests. Minor comment updates accompany the existing migration test.

Changes

KMS-to-KMS migration test

Layer / File(s) Summary
KMS-to-KMS migration test implementation
test/e2e-encryption-kms/encryption_kms_2.go
New Ginkgo test shuffles primary/secondary Vault KMS providers, migrates the token-encryption config between them, asserts token encryption after each migration, and asserts unencrypted state after switching to identity mode.
Suite wiring and documentation updates
test/e2e-encryption-kms/encryption_kms.go, cmd/cluster-authentication-operator-tests-ext/main.go
Adds a new Ginkgo It entry and updates the migration step comments; narrows the encryption-kms suite qualifier to exclude [Suite:encryption-kms-2] tests and registers a new serial encryption-kms-2 suite under openshift/kms.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Test as testKMSEncryptionKMSToKMSMigration
  participant Library as library.TestEncryptionProvidersMigration
  participant PrimaryKMS as Primary Vault KMS
  participant SecondaryKMS as Secondary Vault KMS

  Test->>Test: create TokenOfLife resource
  Test->>Test: shuffle provider order
  Test->>Library: migrate to PrimaryKMS
  Library->>PrimaryKMS: apply encryption config
  Library->>Test: assert token encrypted
  Test->>Library: migrate to SecondaryKMS
  Library->>SecondaryKMS: apply encryption config
  Library->>Test: assert token encrypted
  Test->>Library: switch to identity/off mode
  Library->>Test: assert token unencrypted
Loading
🚥 Pre-merge checks | ✅ 12 | ❌ 3

❌ Failed checks (3 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality ⚠️ Warning The new KMS migration test creates a cluster-scoped token via CreateAndStoreTokenOfLife but adds no cleanup/AfterEach, and one closure still drops the available ctx. Add cleanup (e.g. DeferCleanup/AfterEach or helper teardown) for the token, and pass ctx through to CreateAndStoreTokenOfLife instead of context.TODO().
Microshift Test Compatibility ⚠️ Warning The new KMS-to-KMS e2e test updates config.openshift.io/v1 APIServer encryption config and has no MicroShift skip/apigroup guard. Add a [Skipped:MicroShift] or suitable [apigroup:...] tag, or guard the test with exutil.IsMicroShiftCluster() before using KMS encryption APIs.
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding a test for KMS-to-KMS migration.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed All added Ginkgo titles are static strings; no timestamps, random IDs, hostnames, namespaces, or other run-to-run dynamic values appear in test names.
Single Node Openshift (Sno) Test Compatibility ✅ Passed The new KMS-to-KMS test only migrates encryption providers and API objects; it has no node-count, scheduling, drain, or HA assumptions and needs no SNO skip.
Topology-Aware Scheduling Compatibility ✅ Passed Only e2e tests and test-suite registration changed; no manifests/controllers or scheduling constraints (affinity, nodeSelector, PDB, replicas) were introduced.
Ote Binary Stdout Contract ✅ Passed Changed files add new suites/tests only; main.go already routes klog to stderr and no changed process-level code writes to stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The new KMS-to-KMS test uses in-cluster Vault services and resolves ClusterIP with net.JoinHostPort; no hardcoded IPv4 or public internet deps found.
No-Weak-Crypto ✅ Passed The added/modified test code only wires KMS/Vault encryption helpers and contains no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons.
Container-Privileges ✅ Passed No changed file adds pod/container security settings; the PR only touches Go e2e test code and suite registration.
No-Sensitive-Data-In-Logs ✅ Passed The PR adds tests and suite registration only; I found no new log/printf/error statements exposing secrets, PII, or customer data.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from benluddy and tjungblu June 30, 2026 07:16
@ardaguclu

Copy link
Copy Markdown
Member Author

/hold
until CI is green

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 30, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-encryption-kms/encryption_kms.go`:
- Around line 63-68: The helper comment for testKMSEncryptionKMSToKMSMigration
only describes the default-to-secondary path, but the provider order is
randomized in the test flow, so it must reflect both possible migration
directions. Update the comment near testKMSEncryptionKMSToKMSMigration to
describe that the test may run default -> secondary or secondary -> default
after the shuffle, while keeping the step summary accurate and contextual.
- Around line 80-82: The CreateResourceFunc closure is ignoring the
already-available ctx by calling CreateAndStoreTokenOfLife with context.TODO(),
which drops cancellation and timeout propagation. Update the CreateResourceFunc
in the encryption_kms test to pass the captured ctx through to
operatorencryption.CreateAndStoreTokenOfLife, keeping the existing
operatorencryption.GetClients(t) call intact. This change should be made
wherever the token creation closure is defined so the context flows consistently
through the test helper.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 47dacfab-7878-4d07-8087-aa0def91fc83

📥 Commits

Reviewing files that changed from the base of the PR and between 8239d52 and 9d77502.

📒 Files selected for processing (1)
  • test/e2e-encryption-kms/encryption_kms.go

Comment thread test/e2e-encryption-kms/encryption_kms.go Outdated
Comment on lines +80 to +82
CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t))
},

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Propagate ctx instead of hardcoding context.TODO().

This closure already has ctx in scope, so using context.TODO() here drops cancellation/timeout propagation for the token creation call.

Suggested fix
 		CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
-			return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t))
+			return operatorencryption.CreateAndStoreTokenOfLife(ctx, t, operatorencryption.GetClients(t))
 		},

As per coding guidelines, "Propagate context.Context... Never discard a context or substitute context.Background()/context.TODO() when a context is already available." As per path instructions, **/*.go: "context.Context for cancellation and timeouts".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t))
},
CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
return operatorencryption.CreateAndStoreTokenOfLife(ctx, t, operatorencryption.GetClients(t))
},
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms.go` around lines 80 - 82, The
CreateResourceFunc closure is ignoring the already-available ctx by calling
CreateAndStoreTokenOfLife with context.TODO(), which drops cancellation and
timeout propagation. Update the CreateResourceFunc in the encryption_kms test to
pass the captured ctx through to operatorencryption.CreateAndStoreTokenOfLife,
keeping the existing operatorencryption.GetClients(t) call intact. This change
should be made wherever the token creation closure is defined so the context
flows consistently through the test helper.

Sources: Coding guidelines, Path instructions

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 30, 2026
@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 30, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@ardaguclu: This PR has been marked as verified by CI.

Details

In response to this:

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-authentication-operator/938/pull-ci-openshift-cluster-authentication-operator-master-e2e-aws-operator-encryption-kms/2071859033412734976 passed
/hold cancel
/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ardaguclu

Copy link
Copy Markdown
Member Author

/hold
monitoring thresholds are exceeded

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 30, 2026
@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Jun 30, 2026
@ardaguclu

Copy link
Copy Markdown
Member Author

/hold cancel

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 30, 2026
@ardaguclu

Copy link
Copy Markdown
Member Author

/verified bypass
This is new suite and needs to be registered in openshift/release

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 30, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@ardaguclu: The verified label has been added.

Details

In response to this:

/verified bypass
This is new suite and needs to be registered in openshift/release

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Jun 30, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@ardaguclu: This pull request explicitly references no jira issue.

Details

In response to this:

This PR adds new test for kms to kms migration.

Summary by CodeRabbit

  • Tests
  • Added a new end-to-end test covering migration between two Vault-backed KMS encryption providers under the KMS feature gate.
  • Verifies token encryption during step-by-step provider migration (including shuffled provider order) and confirms correct behavior after switching to identity mode (unencrypted rewrite).
  • Documentation
  • Refreshed KMS provider migration test guidance/comments to align with the current migration verification flow.
  • Chores
  • Registered an additional parallelizable OpenShift encryption-KMS test suite (encryption-kms-2) in the operator test suite catalog.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-encryption-kms/encryption_kms_to_kms.go`:
- Around line 21-27: The helper comment for testKMSEncryptionKMSToKMSMigration
is outdated and incorrectly mentions “KMS and AES providers” even though the
test only shuffles the default and secondary Vault KMS providers. Update the
comment near testKMSEncryptionKMSToKMSMigration to accurately describe the two
KMS providers and keep the step list consistent with the actual migration flow,
without changing the test logic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8390ff7c-e305-4235-a6a9-c622183a39ea

📥 Commits

Reviewing files that changed from the base of the PR and between eb9e044 and 7b6bae7.

📒 Files selected for processing (3)
  • cmd/cluster-authentication-operator-tests-ext/main.go
  • test/e2e-encryption-kms/encryption_kms.go
  • test/e2e-encryption-kms/encryption_kms_to_kms.go
✅ Files skipped from review due to trivial changes (1)
  • cmd/cluster-authentication-operator-tests-ext/main.go

Comment on lines +21 to +27
// testKMSEncryptionKMSToKMSMigration tests migration between two distinct KMS providers
// (default Vault instance and secondary Vault instance).
// This test:
// 1. Shuffles the KMS and AES providers to create a randomized migration order
// 2. Migrates between the providers in the shuffled order
// 3. Verifies token is correctly encrypted after each migration
// 4. Switches to identity (off) to verify the resource is re-written unencrypted

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the helper comment to describe two KMS providers.

Lines 24-25 still say “KMS and AES providers”, but this scenario only shuffles the default and secondary Vault KMS providers, so the comment now misstates the test flow.

Suggested fix
-// 1. Shuffles the KMS and AES providers to create a randomized migration order
+// 1. Shuffles the two KMS providers to create a randomized migration order

As per coding guidelines, "Comments should be meaningful and add context and/or explain choices that cannot be expressed through clear code."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// testKMSEncryptionKMSToKMSMigration tests migration between two distinct KMS providers
// (default Vault instance and secondary Vault instance).
// This test:
// 1. Shuffles the KMS and AES providers to create a randomized migration order
// 2. Migrates between the providers in the shuffled order
// 3. Verifies token is correctly encrypted after each migration
// 4. Switches to identity (off) to verify the resource is re-written unencrypted
// testKMSEncryptionKMSToKMSMigration tests migration between two distinct KMS providers
// (default Vault instance and secondary Vault instance).
// This test:
// 1. Shuffles the two KMS providers to create a randomized migration order
// 2. Migrates between the providers in the shuffled order
// 3. Verifies token is correctly encrypted after each migration
// 4. Switches to identity (off) to verify the resource is re-written unencrypted
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms_to_kms.go` around lines 21 - 27, The
helper comment for testKMSEncryptionKMSToKMSMigration is outdated and
incorrectly mentions “KMS and AES providers” even though the test only shuffles
the default and secondary Vault KMS providers. Update the comment near
testKMSEncryptionKMSToKMSMigration to accurately describe the two KMS providers
and keep the step list consistent with the actual migration flow, without
changing the test logic.

Source: Coding guidelines

@ardaguclu

Copy link
Copy Markdown
Member Author

/verified bypass

@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@ardaguclu: The verified label has been added.

Details

In response to this:

/verified bypass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 30, 2026
@openshift-ci-robot openshift-ci-robot removed the verified Signifies that the PR passed pre-merge verification criteria label Jul 1, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@ardaguclu: This pull request explicitly references no jira issue.

Details

In response to this:

This PR adds new test for kms to kms migration.

Summary by CodeRabbit

  • New Features

  • Added a new end-to-end encryption migration test covering movement between two KMS providers and a final switch to unencrypted mode.

  • Expanded test coverage for KMS encryption scenarios with a separate suite for the new migration flow.

  • Tests

  • Updated test selection so the existing KMS suite and the new KMS migration suite run independently.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-encryption-kms/encryption_kms_2.go`:
- Around line 28-41: `testKMSEncryptionKMSToKMSMigration` is discarding its
available context inside `CreateResourceFunc` by calling `context.TODO()`
instead of reusing `ctx`. Update the closure to pass the captured `ctx` through
to `operatorencryption.CreateAndStoreTokenOfLife`, keeping context propagation
consistent with the rest of the function and avoiding a new background context.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 77e1e2e0-a006-4b81-b8b1-af1d7ce435a2

📥 Commits

Reviewing files that changed from the base of the PR and between 7b6bae7 and 12b3293.

📒 Files selected for processing (3)
  • cmd/cluster-authentication-operator-tests-ext/main.go
  • test/e2e-encryption-kms/encryption_kms.go
  • test/e2e-encryption-kms/encryption_kms_2.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/e2e-encryption-kms/encryption_kms.go

Comment on lines +28 to +41
func testKMSEncryptionKMSToKMSMigration(ctx context.Context, t testing.TB) {
library.TestEncryptionProvidersMigration(ctx, t, library.ProvidersMigrationScenario{
BasicScenario: library.BasicScenario{
Namespace: "openshift-config-managed",
LabelSelector: "encryption.apiserver.operator.openshift.io/component" + "=" + "openshift-oauth-apiserver",
EncryptionConfigSecretName: "encryption-config-openshift-oauth-apiserver",
EncryptionConfigSecretNamespace: "openshift-config-managed",
OperatorNamespace: "openshift-authentication-operator",
TargetGRs: operatorencryption.DefaultTargetGRs,
AssertFunc: operatorencryption.AssertTokens,
},
CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t))
},

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Discarding the passed-in ctx in favor of context.TODO().

testKMSEncryptionKMSToKMSMigration receives ctx (Line 28) and correctly forwards it to the KMS provider constructors (Line 47-48), but CreateResourceFunc discards it and calls context.TODO() instead, even though ctx is captured in the closure's scope.

🔧 Proposed fix
 		CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
-			return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t))
+			return operatorencryption.CreateAndStoreTokenOfLife(ctx, t, operatorencryption.GetClients(t))
 		},

As per coding guidelines, "When a function accepts or has access to a context.Context, pass it through to downstream calls that accept one. Never discard a context or substitute context.Background()/context.TODO() when a context is already available."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
func testKMSEncryptionKMSToKMSMigration(ctx context.Context, t testing.TB) {
library.TestEncryptionProvidersMigration(ctx, t, library.ProvidersMigrationScenario{
BasicScenario: library.BasicScenario{
Namespace: "openshift-config-managed",
LabelSelector: "encryption.apiserver.operator.openshift.io/component" + "=" + "openshift-oauth-apiserver",
EncryptionConfigSecretName: "encryption-config-openshift-oauth-apiserver",
EncryptionConfigSecretNamespace: "openshift-config-managed",
OperatorNamespace: "openshift-authentication-operator",
TargetGRs: operatorencryption.DefaultTargetGRs,
AssertFunc: operatorencryption.AssertTokens,
},
CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
return operatorencryption.CreateAndStoreTokenOfLife(context.TODO(), t, operatorencryption.GetClients(t))
},
CreateResourceFunc: func(t testing.TB, _ library.ClientSet, namespace string) runtime.Object {
return operatorencryption.CreateAndStoreTokenOfLife(ctx, t, operatorencryption.GetClients(t))
},
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms_2.go` around lines 28 - 41,
`testKMSEncryptionKMSToKMSMigration` is discarding its available context inside
`CreateResourceFunc` by calling `context.TODO()` instead of reusing `ctx`.
Update the closure to pass the captured `ctx` through to
`operatorencryption.CreateAndStoreTokenOfLife`, keeping context propagation
consistent with the rest of the function and avoiding a new background context.

Source: Coding guidelines

@ardaguclu

Copy link
Copy Markdown
Member Author

/retest

@gangwgr

gangwgr commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

/test e2e-aws-operator-encryption-kms-2

@ardaguclu

Copy link
Copy Markdown
Member Author

/retest

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 1, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@ardaguclu: This PR has been marked as verified by CI.

Details

In response to this:

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_cluster-authentication-operator/938/pull-ci-openshift-cluster-authentication-operator-master-e2e-aws-operator-encryption-kms-2/2072253671353094144 passed
/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@p0lyn0mial

Copy link
Copy Markdown
Contributor

/approve
/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2026
@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: p0lyn0mial

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026
@ardaguclu

Copy link
Copy Markdown
Member Author

/retest

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

/retest-required

Remaining retests: 0 against base HEAD 8239d52 and 2 for PR HEAD 12b3293 in total

@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@ardaguclu: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 4610550 into openshift:master Jul 2, 2026
18 checks passed
@ardaguclu ardaguclu deleted the kms-to-kms-e2e branch July 2, 2026 03:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants