Skip to content

Adding KAS-O helpers and assertions#2349

Open
gangwgr wants to merge 3 commits into
openshift:masterfrom
gangwgr:update-helpers
Open

Adding KAS-O helpers and assertions#2349
gangwgr wants to merge 3 commits into
openshift:masterfrom
gangwgr:update-helpers

Conversation

@gangwgr

@gangwgr gangwgr commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Adding KAS-O helpers and assertions

Summary by CodeRabbit

  • New Features
    • Expanded encryption provider migration testing to support multiple scenarios per run, applying providers in the correct order and verifying results after each step.
    • Added KAS-focused test utilities for creating a consistent “secret-of-life” and reading its raw etcd content.
    • Added helper assertions to confirm expected encryption/decryption for Secrets and ConfigMaps, including last-migrated key verification.
  • Bug Fixes
    • Strengthened migration scenario validation and verification logic, improving correctness of encrypted vs. unencrypted checks across provider and identity transitions.

@openshift-ci openshift-ci Bot requested review from ardaguclu and p0lyn0mial July 3, 2026 10:22
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gangwgr
Once this PR has been reviewed and has the lgtm label, please assign dgrisonnet for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

This PR adds KAS encryption test helpers for fixed Secrets, expands Secret and ConfigMap encryption assertions, and updates encryption provider migration tests to handle multiple scenarios with shared provider-application and migration-wait logic.

Changes

KAS Encryption Test Support

Layer / File(s) Summary
Secret fixture helpers
test/library/encryption/helpers_kas.go
Creates a fixed secret-of-life Secret, replaces any existing copy in the namespace, and reads its raw etcd value.
Encryption assertions
test/library/encryption/assertion_kas.go
Adds plaintext Secret checks, combined Secret/ConfigMap verification, and last-migrated key assertions.
Provider update helper
test/library/encryption/helpers.go
Adds a shared helper to detect APIServer encryption changes and apply provider updates when needed.
Multi-scenario migration test
test/library/encryption/scenarios.go
Expands provider migration testing to handle multiple scenarios, wait for migrations per scenario, and assert encrypted or unencrypted state across the sequence.

Estimated code review effort: 4 (Complex) | ~45 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error FAIL: ApplyEncryptionProviderIfNeeded logs previousEncryption and provider.APIServerEncryption with %#v, which can include KMS vaultAddress/serverName and secret refs. Avoid dumping full APIServerEncryption; log only the type or redact KMS fields/secret references before emitting logs.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding KAS-O encryption helpers and assertion utilities.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo It/Describe/Context/When titles were added; the only dynamic strings are internal step log names, not test titles.
Test Structure And Quality ✅ Passed Helper-only changes; no new Ginkgo It/Describe blocks were added, and the new waits use bounded timeouts with repo-consistent patterns.
Microshift Test Compatibility ✅ Passed No new Ginkgo test declarations were added; the PR only changes helper/library code, so MicroShift test compatibility is not implicated.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo specs were added; the PR only changes encryption test helpers/scenario runners, with no node/topology assumptions or SNO-sensitive logic found.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only adds/changes encryption test helpers; the touched files contain no deployment manifests, controllers, node selectors, affinity, PDBs, or topology-dependent scheduling logic.
Ote Binary Stdout Contract ✅ Passed Changed files only add test helpers; no main/init/TestMain/suite stdout writes were added. The package init only registers a scheme, and stdout prints live in test-only logger methods.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Touched code only adds helper functions; no Ginkgo test bodies, hardcoded IPv4s, or public-network connectivity assumptions were found.
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or custom crypto added; new test helpers only use string checks on fixture data, matching existing patterns.
Container-Privileges ✅ Passed Diff touches one pod manifest, but it has no privileged/hostNetwork/hostPID/hostIPC/allowPrivilegeEscalation settings; other changes are Go test/helpers.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (3)
test/library/encryption/helpers_kas.go (2)

51-62: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

10-minute timeout seems excessive for a single etcd Get.

A hung etcd call would block the test for up to 10 minutes before failing, slowing down CI feedback significantly. Consider a much shorter bound (e.g., 30s–1min) consistent with a simple point read.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/library/encryption/helpers_kas.go` around lines 51 - 62, The timeout in
GetRawSecretOfLife is too long for a single etcd point read and can slow tests
unnecessarily; reduce the context.WithTimeout duration in GetRawSecretOfLife to
a much shorter bound (around 30s–1min) while keeping the existing
clientSet.Etcd.Get and require checks unchanged.

19-37: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Use a timeout-bound context instead of context.TODO().

Get/Delete/Create calls here use context.TODO() with no timeout, unlike GetRawSecretOfLife in the same file which properly bounds its etcd call with context.WithTimeout. If the API server hangs, this helper can block indefinitely instead of failing the test with a clear timeout.

🔧 Suggested fix
 func CreateAndStoreSecretOfLife(t testing.TB, clientSet ClientSet, namespace string) runtime.Object {
 	t.Helper()
-	ctx := context.TODO()
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+	defer cancel()

As per path instructions, Go files should use "context.Context for cancellation and timeouts."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/library/encryption/helpers_kas.go` around lines 19 - 37,
CreateAndStoreSecretOfLife currently uses context.TODO() for Secrets
Get/Delete/Create, which leaves the helper without cancellation or a timeout.
Update this helper to use a timeout-bound context like the nearby
GetRawSecretOfLife logic, and make sure the same bounded context is passed
through the clientSet.Kube.CoreV1().Secrets(namespace) operations so the test
fails cleanly instead of hanging if the API server stalls.

Source: Path instructions

test/library/encryption/scenarios.go (1)

194-197: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

Providers are read only from scenarios[0]; other scenarios' lists are ignored.

The doc comment states all scenarios must share the same EncryptionProviders, but the code derives providers solely from scenarios[0] and never validates the rest. A caller passing a divergent list on scenarios[1..] gets silently wrong behavior rather than a clear failure. Consider asserting equality across scenarios up front.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/library/encryption/scenarios.go` around lines 194 - 197, The provider
list in ProvidersMigrationScenario is taken only from scenarios[0], so divergent
EncryptionProviders on later scenarios are ignored. Update
ProvidersMigrationScenario to validate that every scenario in the scenarios
slice has the same EncryptionProviders before using the shared providers value,
and fail fast with a clear test error if any mismatch is found. Use the existing
ProvidersMigrationScenario logic and EncryptionProviders field to locate the
check and add the equality assertion up front.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/library/encryption/helpers_kas.go`:
- Around line 51-62: The timeout in GetRawSecretOfLife is too long for a single
etcd point read and can slow tests unnecessarily; reduce the context.WithTimeout
duration in GetRawSecretOfLife to a much shorter bound (around 30s–1min) while
keeping the existing clientSet.Etcd.Get and require checks unchanged.
- Around line 19-37: CreateAndStoreSecretOfLife currently uses context.TODO()
for Secrets Get/Delete/Create, which leaves the helper without cancellation or a
timeout. Update this helper to use a timeout-bound context like the nearby
GetRawSecretOfLife logic, and make sure the same bounded context is passed
through the clientSet.Kube.CoreV1().Secrets(namespace) operations so the test
fails cleanly instead of hanging if the API server stalls.

In `@test/library/encryption/scenarios.go`:
- Around line 194-197: The provider list in ProvidersMigrationScenario is taken
only from scenarios[0], so divergent EncryptionProviders on later scenarios are
ignored. Update ProvidersMigrationScenario to validate that every scenario in
the scenarios slice has the same EncryptionProviders before using the shared
providers value, and fail fast with a clear test error if any mismatch is found.
Use the existing ProvidersMigrationScenario logic and EncryptionProviders field
to locate the check and add the equality assertion up front.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 68426789-1623-4f79-b81e-05c7a1fd510f

📥 Commits

Reviewing files that changed from the base of the PR and between c6cd1a2 and 4ac8cc7.

📒 Files selected for processing (3)
  • test/library/encryption/assertion_kas.go
  • test/library/encryption/helpers_kas.go
  • test/library/encryption/scenarios.go

@p0lyn0mial

Copy link
Copy Markdown
Contributor

ok, could you leave a note on the functions that were copied? Also, could you paste a link to the code we copied them from? It would make the review easier for me.

also, before we merge this PR, could we open a test PR to kas-o?

@gangwgr

gangwgr commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

ok, could you leave a note on the functions that were copied? Also, could you paste a link to the code we copied them from? It would make the review easier for me.

also, before we merge this PR, could we open a test PR to kas-o?

PR- openshift/cluster-kube-apiserver-operator#2197

@p0lyn0mial

Copy link
Copy Markdown
Contributor

could you leave a note on the functions that were copied? Also, could you paste a link to the code we copied them from? It would make the review easier for me.

@gangwgr

gangwgr commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

could you leave a note on the functions that were copied? Also, could you paste a link to the code we copied them from? It would make the review easier for me.

added

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/library/encryption/helpers_kas.go (1)

22-24: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider a bounded context instead of context.TODO().

GetRawSecretOfLife in this same file uses a 10-minute context.WithTimeout, but CreateAndStoreSecretOfLife uses context.TODO() for its Get/Delete/Create calls, leaving no cancellation/timeout if the API server hangs.

As per path instructions, "context.Context for cancellation and timeouts" should be used.

♻️ Proposed fix
 	t.Helper()
-	ctx := context.TODO()
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	defer cancel()
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/library/encryption/helpers_kas.go` around lines 22 - 24,
CreateAndStoreSecretOfLife currently uses context.TODO() for the
Get/Delete/Create calls, so it has no cancellation or timeout. Update this
helper to use a bounded context like GetRawSecretOfLife does, preferably with
context.WithTimeout and a sensible duration, and make sure the resulting context
is passed through the same client calls in CreateAndStoreSecretOfLife.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/library/encryption/helpers_kas.go`:
- Around line 22-24: CreateAndStoreSecretOfLife currently uses context.TODO()
for the Get/Delete/Create calls, so it has no cancellation or timeout. Update
this helper to use a bounded context like GetRawSecretOfLife does, preferably
with context.WithTimeout and a sensible duration, and make sure the resulting
context is passed through the same client calls in CreateAndStoreSecretOfLife.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e9371315-c7e1-4367-8947-9a7a5b87e6eb

📥 Commits

Reviewing files that changed from the base of the PR and between 4ac8cc7 and b511fb2.

📒 Files selected for processing (3)
  • test/library/encryption/assertion_kas.go
  • test/library/encryption/helpers_kas.go
  • test/library/encryption/scenarios.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/library/encryption/assertion_kas.go
  • test/library/encryption/scenarios.go

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
test/library/encryption/helpers_kas.go (2)

22-40: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Consider a bounded context instead of context.TODO().

GetRawSecretOfLife uses context.WithTimeout (Line 56), but this function uses unbounded context.TODO() for the Get/Delete/Create calls. If the API server hangs, this test helper will block indefinitely instead of failing with a clear timeout. As per path instructions, "context.Context for cancellation and timeouts" should be used consistently.

♻️ Suggested fix
 func CreateAndStoreSecretOfLife(t testing.TB, clientSet ClientSet, namespace string) runtime.Object {
 	t.Helper()
-	ctx := context.TODO()
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
+	defer cancel()
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/library/encryption/helpers_kas.go` around lines 22 - 40,
CreateAndStoreSecretOfLife currently uses context.TODO() for Secrets
Get/Delete/Create, which leaves these test helper calls unbounded. Update the
helper to use a bounded context, ideally following the same pattern as
GetRawSecretOfLife with context.WithTimeout, and pass that context into
clientSet.Kube.CoreV1().Secrets(namespace) operations. Ensure the context is
canceled/deferred properly so the helper fails fast instead of hanging if the
API server stalls.

Source: Path instructions


26-33: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Redundant nil check on oldSecret.

clientSet.Kube.CoreV1().Secrets(namespace).Get typically returns a non-nil zero-value object alongside a NotFound error, so oldSecret != nil is effectively always true; the actual existence check is len(oldSecret.Name) > 0. Not a functional bug since the length check still guards correctly, but the nil check is misleading.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/library/encryption/helpers_kas.go` around lines 26 - 33, The existence
check in the secret cleanup path is redundant because `Secrets(namespace).Get`
already returns a non-nil object, so `oldSecret != nil` adds noise and can
mislead readers. In `helpers_kas.go`, simplify the conditional around
`oldSecret` in the secret cleanup logic to rely on the actual presence check
already used (`len(oldSecret.Name) > 0`) and keep the delete flow in
`clientSet.Kube.CoreV1().Secrets(namespace)` unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/library/encryption/helpers_kas.go`:
- Around line 22-40: CreateAndStoreSecretOfLife currently uses context.TODO()
for Secrets Get/Delete/Create, which leaves these test helper calls unbounded.
Update the helper to use a bounded context, ideally following the same pattern
as GetRawSecretOfLife with context.WithTimeout, and pass that context into
clientSet.Kube.CoreV1().Secrets(namespace) operations. Ensure the context is
canceled/deferred properly so the helper fails fast instead of hanging if the
API server stalls.
- Around line 26-33: The existence check in the secret cleanup path is redundant
because `Secrets(namespace).Get` already returns a non-nil object, so `oldSecret
!= nil` adds noise and can mislead readers. In `helpers_kas.go`, simplify the
conditional around `oldSecret` in the secret cleanup logic to rely on the actual
presence check already used (`len(oldSecret.Name) > 0`) and keep the delete flow
in `clientSet.Kube.CoreV1().Secrets(namespace)` unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 66644bd0-4252-493f-a769-95d8cab3cc67

📥 Commits

Reviewing files that changed from the base of the PR and between b511fb2 and f28d097.

📒 Files selected for processing (3)
  • test/library/encryption/assertion_kas.go
  • test/library/encryption/helpers_kas.go
  • test/library/encryption/scenarios.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/library/encryption/assertion_kas.go
  • test/library/encryption/scenarios.go

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/library/encryption/helpers_kas.go (1)

41-51: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider returning *corev1.Secret directly.

SecretOfLife returns runtime.Object and its only caller immediately type-asserts back to *corev1.Secret (line 36). Returning the concrete type avoids an unchecked assertion and is simpler for a helper with a single concrete construction.

♻️ Proposed simplification
-func SecretOfLife(_ testing.TB, namespace string) runtime.Object {
+func SecretOfLife(_ testing.TB, namespace string) *corev1.Secret {
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      secretOfLifeName,
 			Namespace: namespace,
 		},
 		Data: map[string][]byte{
 			"quote": []byte("I have no special talents. I am only passionately curious"),
 		},
 	}
 }
-	secret, err := clientSet.Kube.CoreV1().Secrets(namespace).Create(ctx, rawSecret.(*corev1.Secret), metav1.CreateOptions{})
+	secret, err := clientSet.Kube.CoreV1().Secrets(namespace).Create(ctx, rawSecret, metav1.CreateOptions{})

Note: since this is copied from upstream KAS-O, changing the signature diverges from the source; weigh against keeping parity for easier future syncs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/library/encryption/helpers_kas.go` around lines 41 - 51, SecretOfLife
currently returns runtime.Object even though it always constructs a
*corev1.Secret, and its only caller type-asserts it back immediately. Update
SecretOfLife in helpers_kas.go to return *corev1.Secret directly and adjust the
caller to use the concrete type without an assertion. Keep the helper’s
construction logic the same, and consider the upstream parity note before
changing the signature.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/library/encryption/helpers_kas.go`:
- Around line 41-51: SecretOfLife currently returns runtime.Object even though
it always constructs a *corev1.Secret, and its only caller type-asserts it back
immediately. Update SecretOfLife in helpers_kas.go to return *corev1.Secret
directly and adjust the caller to use the concrete type without an assertion.
Keep the helper’s construction logic the same, and consider the upstream parity
note before changing the signature.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cf6ffb0f-31c5-4ba0-9701-eea71ee95eb4

📥 Commits

Reviewing files that changed from the base of the PR and between f28d097 and 9a5d640.

📒 Files selected for processing (3)
  • test/library/encryption/assertion_kas.go
  • test/library/encryption/helpers_kas.go
  • test/library/encryption/scenarios.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/library/encryption/assertion_kas.go
  • test/library/encryption/scenarios.go

@gangwgr gangwgr force-pushed the update-helpers branch 2 times, most recently from ad67a63 to 9dd8513 Compare July 7, 2026 13:55
if multi {
stepName = fmt.Sprintf("%s[%s]", stepName, scenario.ResourceName)
}
stepName := fmt.Sprintf("%s%s", prefix, strings.ToUpper(string(provider.Type)))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that we should run each scenario in parallel.

if multi {
stepName = fmt.Sprintf("%s[%s]", stepName, scenario.ResourceName)
}
stepName := fmt.Sprintf("%s%s", prefix, strings.ToUpper(string(provider.Type)))

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will run into issues with updating the API when running in parallel. We have a few options here.

  1. we retry on a conflict
  2. only one scenario can set a provider, the remaining use the same provider and we also do 1
  3. ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Flow in runMigrationStepMultiOperator:
1.Snapshot GetLastKeyMeta for each operator
2. Single APIServer update (+ setup once)
3.Parallel wait/assert per scenario (KAS, Auth, OAS)

@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@gangwgr: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

{Group: "", Resource: "configmaps"},
}

func AssertSecretOfLifeEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's open a new PR and move this function to the existing assertion.go file.
also I think we could rename the function to AssertWellKnownSecretOfLifeEncrypted(...)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we merge first this pr after your PR merged
then I will  update your renaming suggestions in new pr what you think?

}
}

func AssertSecretOfLifeNotEncrypted(t testing.TB, clientSet ClientSet, resource runtime.Object) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AssertWellKnownSecretOfLifeNotEncrypted

}
}

func AssertSecretsAndConfigMaps(t testing.TB, clientSet ClientSet, expectedMode configv1.EncryptionType, namespace, labelSelector string) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AssertWellKnownSecretsAndConfigMaps

AssertLastMigratedKey(t, clientSet.Kube, DefaultTargetGRs, namespace, labelSelector)
}

func assertSecrets(t testing.TB, etcdClient EtcdClient, expectedMode string) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can be moved as is.

require.NoError(t, err)
}

func assertConfigMaps(t testing.TB, etcdClient EtcdClient, expectedMode string) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can be moved as is.

configv1 "github.com/openshift/api/config/v1"
)

var DefaultTargetGRs = []schema.GroupResource{

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WellKnownKASTargetGRs ?


const secretOfLifeName = "secret-of-life"

func CreateAndStoreSecretOfLife(t testing.TB, clientSet ClientSet, namespace string) runtime.Object {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's open a new PR and move this function to the existing helpers.go file.
let's also rename the function to CreateAndStoreWellKnownSecretOfLife

return secret
}

func SecretOfLife(_ testing.TB, namespace string) runtime.Object {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WellKnownSecretOfLife

}
}

func GetRawSecretOfLife(t testing.TB, clientSet ClientSet, namespace string) string {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GetRawWellKnownSecretOfLife

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants