test: add e2e tests for TLS security profile watcher

[IshwarKanse]

Summary

• Adds e2e tests for the TLS security profile watcher feature introduced in Add support for TLS profiles #1041
• Tests verify the operator correctly restarts when the APIServer CR's tlsSecurityProfile changes and remains stable when non-TLS fields change
• Test file is prefixed with zz_ to run last in the suite, since modifying the APIServer TLS profile triggers a MachineConfigPool rollout

Test scenarios

Test	What it verifies
Default TLS profile	APIServer CR is readable; operator is running with default (nil/Intermediate) profile
Restart on Old profile	Changing TLS profile to Old triggers operator container restart; operator recovers to ready
Restart on Custom profile	Setting a Custom profile with specific ciphers triggers restart; operator recovers
No restart on non-TLS change	Adding an annotation to the APIServer CR does NOT cause the operator to restart

Design decisions

• Tracks container restart count AND pod UID: the TLS watcher cancels the operator's context causing the process to exit; Kubernetes either restarts the container (restart count increases) or replaces the pod entirely (new UID) depending on backoff state
• Uses waitForStableRestartCount: waits for restart count to remain unchanged for 30s AND the container to have been running for 15s+ before considering the operator stable — prevents race conditions between test cleanup restarts and subsequent tests
• Uses annotation changes instead of audit profile changes: modifying spec.audit.profile triggers disruptive MachineConfigPool rollouts; annotations trigger the watcher reconcile without cluster impact
• Resets TLS profile at suite start: ensures a clean nil/Intermediate baseline regardless of what previous test runs may have left behind

Test plan

• All 4 TLS profile tests pass in isolation
• All 4 TLS profile tests pass as part of the full e2e suite
• No regressions in existing e2e tests

[coderabbitai]

Warning

Rate limit exceeded

@IshwarKanse has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 35 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 5 minutes and 35 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: ea95752a-8ee0-4b5d-b811-8085d86955e8

📥 Commits

Reviewing files that changed from the base of the PR and between cbd97cd and f1a72c6.

📒 Files selected for processing (1)

• test/e2e/zz_tls_profile_test.go

📝 Walkthrough

Walkthrough

A new end-to-end test file was added to validate the observability operator's TLS profile watcher on OpenShift. The test skips non-OpenShift clusters, captures and clears the APIServer spec.tlsSecurityProfile baseline, ensures the operator deployment is ready, and runs four subtests: operator health with the effective default TLS profile, restart when switching to Old, restart when switching to Custom (with explicit ciphers/MinTLSVersion), and stability when a non-TLS APIServer field (annotation) is patched. Helpers were added to patch/restore the APIServer TLS profile, detect operator restarts via pod UID or container restart counts, and query the running operator pod and container restart counts; cleanup restores the original profile.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: adding e2e tests for the TLS security profile watcher feature.
Description check	✅ Passed	The description is well-related to the changeset, providing context, test scenarios, design decisions, and test plan for the new e2e tests.
Docstring Coverage	✅ Passed	Docstring coverage is 92.31% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: IshwarKanse
Once this PR has been reviewed and has the lgtm label, please assign simonpasquier for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @IshwarKanse. Thanks for your PR.

I'm waiting for a rhobs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jan--f]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/e2e/zz_tls_profile_test.go (1)

397-405: Consider filtering by container name for consistency.

Similar to the previous restart detection loop, this checks uptime across all containers. For consistency with getOperatorContainerRestartCount, consider filtering to operatorContainerName.

♻️ Suggested improvement

 		for _, cs := range pod.Status.ContainerStatuses {
+			if cs.Name != operatorContainerName {
+				continue
+			}
 			if cs.State.Running != nil {
 				uptime := time.Since(cs.State.Running.StartedAt.Time)
 				if uptime < 15*time.Second {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/zz_tls_profile_test.go` around lines 397 - 405, The uptime check
iterates all pod.Status.ContainerStatuses and may include non-operator
containers; update the loop to filter by the operatorContainerName (same
selector used in getOperatorContainerRestartCount) so you only inspect
ContainerStatus entries where cs.Name == operatorContainerName before checking
cs.State.Running and StartedAt; this ensures consistency with the
restart-detection logic and avoids false waits due to other containers' short
uptimes.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/zz_tls_profile_test.go`:
- Around line 361-366: The restart-detection loop iterates all
p.Status.ContainerStatuses and can pick up non-operator containers; update the
loop in the test (the block iterating p.Status.ContainerStatuses) to only
consider the operator by checking cs.Name (or the container name field used)
equals operatorContainerName before comparing RestartCount to baselineRestarts
so only the operator container restarts trigger the true return; you may also
explicitly skip InitContainerStatuses if relevant.

---

Nitpick comments:
In `@test/e2e/zz_tls_profile_test.go`:
- Around line 397-405: The uptime check iterates all
pod.Status.ContainerStatuses and may include non-operator containers; update the
loop to filter by the operatorContainerName (same selector used in
getOperatorContainerRestartCount) so you only inspect ContainerStatus entries
where cs.Name == operatorContainerName before checking cs.State.Running and
StartedAt; this ensures consistency with the restart-detection logic and avoids
false waits due to other containers' short uptimes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 159c305b-31a0-48e3-8161-9b1252ed052c

📥 Commits

Reviewing files that changed from the base of the PR and between e38cec1 and 8bcce30.

📒 Files selected for processing (1)

• test/e2e/zz_tls_profile_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/zz_tls_profile_test.go`:
- Around line 190-207: The poll silently passes when pods are replaced or when
lookup errors are swallowed; change the stability check to (1) capture the
operator pod UID alongside the restart count before the wait (introduce or
modify operatorContainerRestartCount to return (int, string, error) or add a
getOperatorPodUID helper and store initialPodUID), and (2) in the
wait.PollUntilContextTimeout lambda return an error when
operatorContainerRestartCount/getOperatorPodUID fails (do not swallow persistent
errors) and treat podUID != initialPodUID OR currentRestarts > initialRestarts
as a restart (return true, fmt.Errorf(...)); keep using
wait.Interrupted/assert.NilError as final assertions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro Plus

Run ID: 51e16b9d-ffa7-41d0-a59f-0bd2014906b8

📥 Commits

Reviewing files that changed from the base of the PR and between d87050d and cbd97cd.

📒 Files selected for processing (1)

• test/e2e/zz_tls_profile_test.go