Added new test case for update image scenario

[gangwgr]

Added new test case for update image scenario

Summary by CodeRabbit

• Tests
  • Added an end-to-end scenario that verifies an in-place KMS configuration update does not create a new encryption key and validates propagation of the change.
  • Added a test helper that waits for at least one matching API server pod and ensures all matching pods satisfy a caller-defined container condition for more reliable rollout verification.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a pod polling helper that waits until all listed pods satisfy a predicate, and a KMS in-place update scenario + test that applies initial/updated KMS providers, asserts no new encryption key is created, and invokes a propagation verification callback.

Changes

KMS In-Place Update and Helpers

Layer / File(s)	Summary
Pod polling helper test/library/encryption/helpers.go	Adds WaitForPodContainerCondition(ctx, t, kubeClient, namespace, labelSelector, keyName, conditionDesc, match) which polls pods by label selector until at least one pod exists and every listed pod satisfies match(pod, keyName); logs progress and fails on timeout.
KMS in-place update scenario and test test/library/encryption/scenarios.go	Adds KMSInPlaceUpdateScenario (embedding BasicScenario, with Provider, UpdatedProvider, and WaitForPropagation) and TestKMSInPlaceUpdate which validates providers are KMS-based, applies initial provider, records current encryption key metadata, applies updated provider, asserts no new encryption key is created, and invokes WaitForPropagation.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

lgtm

Suggested reviewers

• dgrisonnet

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title references an 'update image scenario' but the changes actually implement a KMS in-place update test scenario and encryption helper function.	Revise the title to accurately reflect the main changes, such as: 'Add KMS in-place update test scenario and encryption helper'
Test Structure And Quality	⚠️ Warning	TestKMSInPlaceUpdate has require.NoError calls without meaningful error messages on lines 393 and 402, violating the assertion message requirement.	Add descriptive failure messages to require.NoError calls, e.g., 'require.NoError(t, err, "failed to get encryption key metadata")'.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	New test code uses static step names without dynamic information like pod names, timestamps, UUIDs, or node names. Helper functions are not Ginkgo tests.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests (It/Describe/Context patterns) are added. The PR adds library helper functions and structs for encryption test scenarios, not standalone Ginkgo tests.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	These are library test helpers (not Ginkgo tests), with no multi-node assumptions. Pod polling works on SNO with single or multiple pods on one node.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only adds test helper functions and test scenarios in test/library/encryption/. No deployment manifests, operator code, or scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	New test helpers contain no process-level stdout writes; all logging uses t.Logf() within test context, complying with OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Adds test helper functions without IPv4 assumptions or external connectivity. Check applies only to Ginkgo e2e tests marked with It/Describe/Context, not library helpers.
No-Weak-Crypto	✅ Passed	No weak crypto, custom implementations, or non-constant-time secret comparisons found. PR adds test helpers for KMS encryption with standard library functions only.
Container-Privileges	✅ Passed	PR adds test helper functions for encryption testing; no privileged container settings, hostPID/hostNetwork/hostIPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation configurations found.
No-Sensitive-Data-In-Logs	✅ Passed	All logging in new code logs only non-sensitive metadata: test step names, Kubernetes names, label selectors, timeouts, and errors—no passwords, tokens, API keys, PII, or customer data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/library/encryption/scenarios.go`:
- Around line 419-426: The kmsPluginImage helper dereferences encryption.KMS and
encryption.KMS.Vault without nil checks; add defensive guards at the top of
kmsPluginImage(encryption configv1.APIServerEncryption) to verify encryption.KMS
!= nil and encryption.KMS.Vault != nil before accessing Type or KMSPluginImage,
and return a clear error (e.g., "missing KMS configuration" or "missing Vault
configuration") when those are nil; keep the existing switch on
configv1.VaultKMSProvider and only return the Vault.KMSPluginImage after the nil
checks succeed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a46b0da8-686d-490c-bc94-4ad56a02d520

📥 Commits

Reviewing files that changed from the base of the PR and between 5637f8b and eeb5178.

📒 Files selected for processing (1)

• test/library/encryption/scenarios.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add nil pointer guards to prevent runtime panics.

The function accesses encryption.KMS.Type (line 420) and encryption.KMS.Vault.KMSPluginImage (line 422) without checking whether encryption.KMS or encryption.KMS.Vault are nil. While current callers validate the encryption type before calling this helper, the function should be defensive against nil pointer dereferences to prevent runtime panics if called in other contexts.

🛡️ Proposed fix to add nil guards

 func kmsPluginImage(encryption configv1.APIServerEncryption) (string, error) {
+	if encryption.KMS == nil {
+		return "", fmt.Errorf("KMS configuration is nil")
+	}
 	switch encryption.KMS.Type {
 	case configv1.VaultKMSProvider:
+		if encryption.KMS.Vault == nil {
+			return "", fmt.Errorf("Vault KMS configuration is nil")
+		}
 		return encryption.KMS.Vault.KMSPluginImage, nil
 	default:
 		return "", fmt.Errorf("unsupported KMS provider type %q", encryption.KMS.Type)
 	}
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func kmsPluginImage(encryption configv1.APIServerEncryption) (string, error) {
	switch encryption.KMS.Type {
	case configv1.VaultKMSProvider:
	return encryption.KMS.Vault.KMSPluginImage, nil
	default:
	return "", fmt.Errorf("unsupported KMS provider type %q", encryption.KMS.Type)
	}
	}
	func kmsPluginImage(encryption configv1.APIServerEncryption) (string, error) {
	if encryption.KMS == nil {
	return "", fmt.Errorf("KMS configuration is nil")
	}
	switch encryption.KMS.Type {
	case configv1.VaultKMSProvider:
	if encryption.KMS.Vault == nil {
	return "", fmt.Errorf("Vault KMS configuration is nil")
	}
	return encryption.KMS.Vault.KMSPluginImage, nil
	default:
	return "", fmt.Errorf("unsupported KMS provider type %q", encryption.KMS.Type)
	}
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/library/encryption/scenarios.go` around lines 419 - 426, The
kmsPluginImage helper dereferences encryption.KMS and encryption.KMS.Vault
without nil checks; add defensive guards at the top of kmsPluginImage(encryption
configv1.APIServerEncryption) to verify encryption.KMS != nil and
encryption.KMS.Vault != nil before accessing Type or KMSPluginImage, and return
a clear error (e.g., "missing KMS configuration" or "missing Vault
configuration") when those are nil; keep the existing switch on
configv1.VaultKMSProvider and only return the Vault.KMSPluginImage after the nil
checks succeed.

[ardaguclu]

We don't need this. Maybe it is better to call GetLastKeyMeta every time.

[ardaguclu]

Calling WaitForNoNewEncryptionKey definitely makes sense. But I wonder how we will ensure that the kms plugin container uses the new image.

[gangwgr]

/test unit

[ardaguclu]

As we did for invalidconfig scenario, I think it is better to rename this to more generic like KMSInPlaceUpdateScenario.

[ardaguclu]

In order to keep it generic, we can rename it to WaitForPropagation.

[ardaguclu]

UpdateInPlaceField

[ardaguclu]

WaitForPropagation and callers will use custom wait command as we did for invalidconfigrecovery.

[ardaguclu]

What about updating this function to be generic;

 // WaitForPodContainerCondition polls pods until every pod has at least one
  // container status (init or regular, depending on the predicate) that satisfies
  // the given condition.
  func WaitForPodContainerCondition(
      ctx context.Context,
      t testing.TB,
      kubeClient kubernetes.Interface,
      namespace, labelSelector, conditionDesc string,
      match func(pod corev1.Pod) bool,
  ) {
      t.Helper()
      t.Logf("Waiting up to %s for pods in %s (selector=%s) to satisfy: %s",
          waitPollTimeout, namespace, labelSelector, conditionDesc)
      err := wait.PollUntilContextTimeout(ctx, waitPollInterval, waitPollTimeout, true,
          func(ctx context.Context) (bool, error) {
              pods, err := kubeClient.CoreV1().Pods(namespace).List(ctx,
                  metav1.ListOptions{LabelSelector: labelSelector})
              if err != nil {
                  t.Logf("Error listing pods: %v", err)
                  return false, nil
              }
              if len(pods.Items) == 0 {
                  t.Logf("No pods found yet in %s", namespace)
                  return false, nil
              }
              for _, pod := range pods.Items { 
                  if !match(pod) {
                      t.Logf("Pod %s does not yet satisfy condition: %s", pod.Name, conditionDesc)
                      return false, nil
                  }
              }
              return true, nil
          })
      require.NoError(t, err, "timed out waiting for pods in %s to satisfy: %s",
          namespace, conditionDesc)
  }

Callers will use it like this;

 WaitForPropagation: func(ctx context.Context, t testing.TB) {
      WaitForPodContainerCondition(ctx, t, kubeClient, namespace, labelSelector,
          fmt.Sprintf("running init container with image %q", expectedImage),
          func(pod corev1.Pod) bool {
              if pod.Status.Phase != corev1.PodRunning {
                  return false
              }
              for _, cs := range pod.Status.InitContainerStatuses {
                  if cs.State.Running != nil && cs.Image == expectedImage {
                      return true
                  }
              }
              return false
          },
      )
  },

[ardaguclu]

Thank you
/lgtm
/approve
/hold
Can you please run this PR with #2241 on kas-o to see it passes?. If everything works, you can unhold this PR.

[ardaguclu]

Maybe we should get last key as in line: 393 and pass it to waitforpropagation. So that if we find a matching container, we can compare container name with our key.

[ardaguclu]

Suggested change

	for _, pod := range pods.Items {
	for _, pod := range pods.Items {
	if match(pod, keyName) {
	return true, nil
	}
	}
	t.Logf("Pod %s does not yet satisfy condition: %s", pod.Name, conditionDesc)
	return false, nil

[ardaguclu]

Don't we need to continue iteration over the pods until we see match. So maybe we should use this ^^

[ardaguclu]

/lgtm
/hold cancel

[ardaguclu]

We don't need conditionDesc?

[ardaguclu]

/lgtm cancel

[gangwgr]

@ardaguclu holding pr to test with your pr, will unhold later
/hold

[gangwgr]

/unhold

[ardaguclu]

This pod may not be the one we are looking for. Can we move this log just above the return false, nil

[gangwgr]

done

[ardaguclu]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, gangwgr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• test/library/encryption/OWNERS [ardaguclu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@gangwgr: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.