Skip to content

SDCICD-1721 create dynamic e2e secrets as secret#472

Open
ritmun wants to merge 1 commit intoopenshift:masterfrom
ritmun:SDCICD-1721
Open

SDCICD-1721 create dynamic e2e secrets as secret#472
ritmun wants to merge 1 commit intoopenshift:masterfrom
ritmun:SDCICD-1721

Conversation

@ritmun
Copy link
Contributor

@ritmun ritmun commented Feb 26, 2026
edited by coderabbitai bot
Loading

helping to boilerplate the template

Summary by CodeRabbit

  • Tests
    • Enhanced end-to-end test setup to mount a secret as a read-only volume into the test job and pass its path to the test container.
    • Added a new parameterized secret template for test environments with three required parameters for external secret values.

@coderabbitai
Copy link

coderabbitai bot commented Feb 26, 2026
edited by openshift-ci bot
Loading

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 8cbed84 and 84a6696.

📒 Files selected for processing (2)
  • test/e2e/e2e-template.yml
  • test/e2e/rmo_secret.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/e2e/rmo_secret.yml

Walkthrough

Adds an OpenShift secret template and updates the e2e job template to mount that secret as a read-only volume and pass its path to the osde2e container via args.

Changes

Cohort / File(s) Summary
E2E job template & secret
test/e2e/e2e-template.yml, test/e2e/rmo_secret.yml		 Adds rmo_secret.yml Template that creates a route-monitor-operator-sc Secret with three OIDC-related parameters. Updates e2e-template.yml Job spec to add a secret-based volume (optional: true), mount it read-only at /etc/external-secrets in the osde2e container, and add --secret-locations "/etc/external-secrets" to the container args.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'SDCICD-1721 create dynamic e2e secrets as secret' clearly summarizes the main change: adding dynamic secret configuration for end-to-end testing, which aligns with the two modified files that introduce secret-based volume mounting and secret template creation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names ✅ Passed PR modifies YAML manifest files (OpenShift templates) for e2e test infrastructure, not test code containing test names with dynamic information.
Test Structure And Quality ✅ Passed The custom check for test structure is not applicable to YAML manifest configuration files; it applies only to Go test code.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot requested review from Tessg22 and aliceh February 26, 2026 20:59
coderabbitai[bot]
coderabbitai bot reviewed Feb 26, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/rmo_configmap.yml`:
- Around line 1-2: The Template manifest uses an incorrect apiVersion
(apiVersion: v1) for kind: Template which fails on OpenShift 4.x; update the
apiVersion value to the canonical group "template.openshift.io/v1" so the
Template resource (kind: Template) is recognized (matching the existing
e2e-template.yml and OpenShift 4.x API).
- Around line 10-13: The ConfigMap is storing a sensitive value
(EXTERNAL_SECRET_OIDC_CLIENT_SECRET); remove EXTERNAL_SECRET_OIDC_CLIENT_SECRET
from the ConfigMap data and instead create a Kubernetes Secret resource
containing that key/value, keep EXTERNAL_SECRET_OIDC_CLIENT_ID and
EXTERNAL_SECRET_OIDC_ISSUER_URL in the ConfigMap, and update any consumers
(e.g., Deployment/Pod manifest or env specs) to read the secret via
secretKeyRef/secretRef (referencing the new Secret name and key) rather than
from the ConfigMap. Ensure the Secret uses the same environment variable key
(EXTERNAL_SECRET_OIDC_CLIENT_SECRET) so consumers need only switch to
secretKeyRef in their env or volume mount.
ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 445fe2c and 789f6c7.

📒 Files selected for processing (2)
  • test/e2e/e2e-template.yml
  • test/e2e/rmo_configmap.yml

coderabbitai[bot]
coderabbitai bot reviewed Feb 26, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
test/e2e/rmo_configmap.yml (1)

10-13: ⚠️ Potential issue | 🟠 Major

Move OIDC client secret out of ConfigMap.

Line 12 still places EXTERNAL_SECRET_OIDC_CLIENT_SECRET in a ConfigMap, which is inappropriate for sensitive credentials. This appears to be the same unresolved issue from earlier review.

Proposed fix 
 objects:
 - apiVersion: v1
   kind: ConfigMap
   metadata:
     name: route-monitor-operator-cm
   data:
     EXTERNAL_SECRET_OIDC_CLIENT_ID: ${EXTERNAL_SECRET_OIDC_CLIENT_ID}
-    EXTERNAL_SECRET_OIDC_CLIENT_SECRET: ${EXTERNAL_SECRET_OIDC_CLIENT_SECRET}
     EXTERNAL_SECRET_OIDC_ISSUER_URL: ${EXTERNAL_SECRET_OIDC_ISSUER_URL}
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    name: route-monitor-operator-secret
+  stringData:
+    EXTERNAL_SECRET_OIDC_CLIENT_SECRET: ${EXTERNAL_SECRET_OIDC_CLIENT_SECRET}

And update the e2e job template to consume that secret:

envFrom:
  - configMapRef:
      name: route-monitor-operator-cm
  - secretRef:
      name: route-monitor-operator-secret
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/rmo_configmap.yml` around lines 10 - 13, Remove
EXTERNAL_SECRET_OIDC_CLIENT_SECRET from the ConfigMap data and instead place it
into a Kubernetes Secret (e.g., route-monitor-operator-secret) so sensitive
credentials are not stored in plain text; update the e2e job template to load
environment variables from both the ConfigMap (route-monitor-operator-cm) and
the new Secret via envFrom with secretRef pointing to the secret, and ensure any
code or manifests that reference EXTERNAL_SECRET_OIDC_CLIENT_SECRET now read it
from the Secret rather than the ConfigMap.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@test/e2e/rmo_configmap.yml`:
- Around line 10-13: Remove EXTERNAL_SECRET_OIDC_CLIENT_SECRET from the
ConfigMap data and instead place it into a Kubernetes Secret (e.g.,
route-monitor-operator-secret) so sensitive credentials are not stored in plain
text; update the e2e job template to load environment variables from both the
ConfigMap (route-monitor-operator-cm) and the new Secret via envFrom with
secretRef pointing to the secret, and ensure any code or manifests that
reference EXTERNAL_SECRET_OIDC_CLIENT_SECRET now read it from the Secret rather
than the ConfigMap.
ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 789f6c7 and 5979c9c.

📒 Files selected for processing (2)
  • test/e2e/e2e-template.yml
  • test/e2e/rmo_configmap.yml

@ritmun ritmun force-pushed the SDCICD-1721 branch 2 times, most recently from c1dcc70 to 8ab08f0 Compare February 26, 2026 21:37
@ritmun ritmun changed the title SDCICD-1721 create dynamic e2e secrets as configmap SDCICD-1721 create dynamic e2e secrets as secret Feb 26, 2026
coderabbitai[bot]
coderabbitai bot reviewed Feb 26, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/rmo_secret.yml`:
- Around line 10-13: Replace the Secret's `data` map with `stringData` so that
plaintext template-substituted parameters like EXTERNAL_SECRET_OIDC_CLIENT_ID,
EXTERNAL_SECRET_OIDC_CLIENT_SECRET, and EXTERNAL_SECRET_OIDC_ISSUER_URL are
accepted and Kubernetes handles base64 encoding; locate the block containing the
keys EXTERNAL_SECRET_OIDC_CLIENT_ID / EXTERNAL_SECRET_OIDC_CLIENT_SECRET /
EXTERNAL_SECRET_OIDC_ISSUER_URL (currently under `data`) and rename the field to
`stringData`, leaving the parameter references unchanged.
ℹ️ Review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 5979c9c and c1dcc70.

📒 Files selected for processing (2)
  • test/e2e/e2e-template.yml
  • test/e2e/rmo_secret.yml

@ritmun ritmun force-pushed the SDCICD-1721 branch 2 times, most recently from 040134b to ae2a043 Compare February 26, 2026 21:47
@ritmun
SDCICD-1721 create dynamic e2e secrets
84a6696 
helping to boilerplate the template
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 26, 2026

@ritmun: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@codecov-commenter
Copy link

codecov-commenter commented Feb 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.91%. Comparing base (445fe2c) to head (84a6696).

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #472   +/-   ##
=======================================
  Coverage   55.91%   55.91%           
=======================================
  Files          31       31           
  Lines        2749     2749           
=======================================
  Hits         1537     1537           
  Misses       1120     1120           
  Partials       92       92
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@YiqinZhang
Copy link
Contributor

YiqinZhang commented Feb 27, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 27, 2026
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 27, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ritmun, YiqinZhang
Once this PR has been reviewed and has the lgtm label, please assign tessg22 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@aliceh aliceh Awaiting requested review from aliceh

@Tessg22 Tessg22 Awaiting requested review from Tessg22

Assignees

@YiqinZhang YiqinZhang

Labels

lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ritmun @codecov-commenter @YiqinZhang