Skip to content

SREP-1220: Add E2E test for revoking and deleting CertificateRequests with certman label #377

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
amitupadh wants to merge 11 commits into
base: master
Choose a base branch
from
Draft

SREP-1220: Add E2E test for revoking and deleting CertificateRequests with certman label #377

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
f77305f
Delete a labeled CertificateRequest and ensures it is recreated
amitupadh Aug 11, 2025
9f1aade
Test lable changed
amitupadh Aug 12, 2025
82df677
Conflict resolved
amitupadh Aug 12, 2025
0364f62
Merge branch 'master' into SREP-1220
amitupadh Nov 17, 2025
7cabfdd
ran make boilerplate-update for ci validate check
amitupadh Nov 18, 2025
4fd5fa2
ran make boilerplate-update for ci validate check
amitupadh Dec 2, 2025
0714b76
Merge branch 'master' into SREP-1220
amitupadh Dec 24, 2025
eebed19
Merge branch 'openshift:master' into SREP-1220
karanjitsingh01 Feb 2, 2026
e7d7eb5
updated review comments
karanjitsingh01 Feb 2, 2026
3bdf067
boilerplate-update
karanjitsingh01 Feb 4, 2026
0053a8d
Merge branch 'openshift:master' into SREP-1220
karanjitsingh01 Feb 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion boilerplate/_data/last-boilerplate-commit
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
03d10f359a4a9d3b38c4f5e1494f771ef603fc3f
8ca4e1dfcab3443c52acf52b3912b6cf1c5f79a4
96 changes: 95 additions & 1 deletion test/e2e/certman_operator_tests.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -529,7 +529,7 @@ var _ = ginkgo.Describe("Certman Operator", ginkgo.Ordered, ginkgo.ContinueOnFai

gomega.Expect(certRequestsCount).To(gomega.Equal(1), "Should have exactly 1 certificate request")

ginkgo.GinkgoLogr.Info(" Metrics verification successful",
ginkgo.GinkgoLogr.Info(" Metrics verification successful",
"certificateRequestsCount", certRequestsCount)
})

Expand Down Expand Up @@ -812,6 +812,100 @@ var _ = ginkgo.Describe("Certman Operator", ginkgo.Ordered, ginkgo.ContinueOnFai
}, pollingDuration, 30*time.Second).Should(gomega.BeTrue(), "ClusterDeployment should be automatically added as owner of CertificateRequest by operator")
})

ginkgo.It("Delete a CertificateRequest and ensures it is recreated", func(ctx context.Context) {

crGVR := schema.GroupVersionResource{
Group: "certman.managed.openshift.io",
Version: "v1alpha1",
Resource: "certificaterequests",
}

log.Log.Info("STEP 1: Fetching CertificateRequest owned by our ClusterDeployment", "clusterDeployment", clusterDeploymentName, "namespace", certConfig.TestNamespace)
originalCR, err := utils.FindCertificateRequestForClusterDeployment(ctx, dynamicClient, crGVR, certConfig.TestNamespace, clusterDeploymentName)
if err != nil {
log.Log.Info("No CertificateRequest found for our ClusterDeployment, skipping test", "error", err)
ginkgo.Skip("SKIPPED: No CertificateRequest found for ClusterDeployment. This test runs after \"should create ClusterDeployment and CertificateRequest\" and requires that CR to exist.")
}

originalCRName := originalCR.GetName()
originalCRUID := originalCR.GetUID()
crList, err := dynamicClient.Resource(crGVR).Namespace(certConfig.TestNamespace).List(ctx, metav1.ListOptions{})
gomega.Expect(err).ToNot(gomega.HaveOccurred(), "Failed to list CertificateRequests for count")
initialIssuedCertCount := len(crList.Items)

// Step 2: Delete the CertificateRequest owned by our ClusterDeployment
log.Log.Info("STEP 2: Deleting the CertificateRequest owned by our ClusterDeployment", "name", originalCRName)
err = dynamicClient.Resource(crGVR).Namespace(certConfig.TestNamespace).Delete(ctx, originalCRName, metav1.DeleteOptions{})
gomega.Expect(err).ToNot(gomega.HaveOccurred(), "Failed to delete CertificateRequest")

// Step 3: Handle deletion blocked by finalizer
gomega.Eventually(func() bool {
cr, err := dynamicClient.Resource(crGVR).Namespace(certConfig.TestNamespace).Get(ctx, originalCRName, metav1.GetOptions{})
if err != nil {
log.Log.Info("CR appears to be deleted already", "name", originalCRName)
return true
}
if cr.GetDeletionTimestamp() == nil {
log.Log.Info("CR not marked for deletion yet", "name", cr.GetName())
return false
}

finalizers, found, err := unstructured.NestedStringSlice(cr.Object, "metadata", "finalizers")
if err != nil {
log.Log.Error(err, "Error retrieving finalizers")
return false
}
if !found || len(finalizers) == 0 {
log.Log.Info("No finalizers present", "name", cr.GetName())
return false
}

crCopy := cr.DeepCopy()
_ = unstructured.SetNestedStringSlice(crCopy.Object, []string{}, "metadata", "finalizers")

_, err = dynamicClient.Resource(crGVR).Namespace(certConfig.TestNamespace).Update(ctx, crCopy, metav1.UpdateOptions{})
if err != nil {
log.Log.Error(err, "Failed to remove finalizer")
return false
}
return true
}, 1*time.Minute, 5*time.Second).Should(gomega.BeTrue(), "Finalizer should be removed")
Comment on lines 842 to 872
Copy link
Member

@tnierman tnierman Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why remove the finalizer? Shouldn't this test include coverage for certman-operator's own finalizing logic?


// Step 4: Wait for new CertificateRequest with new UID (operator recreates it for our ClusterDeployment)
var newCRName string
gomega.Eventually(func() bool {
Copy link
Member

@tnierman tnierman Dec 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless we're creating a dnszone.hive.openshift.io object as a prerequisite to this test and I've missed it (which could very well be the case!), a new certificaterequest would never get recreated just because one was deleted

Copy link
Contributor

@karanjitsingh01 karanjitsingh01 Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ClusterDeployment controller Owns CertificateRequest
when a CR is deleted the controller is re-triggered and syncCertificateRequests recreates the missing CR from the ClusterDeployment spec. Domains come from the CD spec (ControlPlaneConfig.ServingCertificates, Ingress) via getDomainsForCertBundle, not from DNSZone.The test ClusterDeployment is created earlier with BuildCompleteClusterDeployment (certificateBundles,controlPlaneConfig, ingress) so the controller has everything it needs to recreate the CR.

newList, err := dynamicClient.Resource(crGVR).Namespace(certConfig.TestNamespace).List(ctx, metav1.ListOptions{})
if err != nil {
log.Log.Error(err, "Failed to list new CertificateRequests")
return false
}
if len(newList.Items) == 0 {
log.Log.Info("Still waiting for new CertificateRequest (none found)")
return false
}

newCount := len(newList.Items)
logger.Info("CertificateRequest count after reconciliation", "count", newCount)
if newCount != initialIssuedCertCount {
logger.Info("CertificateRequest count mismatch", "expected", initialIssuedCertCount, "got", newCount)
return false
}

for _, cr := range newList.Items {
log.Log.Info("Found CR candidate", "name", cr.GetName(), "uid", cr.GetUID())
if cr.GetUID() != originalCRUID {
newCRName = cr.GetName()
log.Log.Info("New CertificateRequest detected", "name", newCRName, "uid", cr.GetUID())
return true
}
}
return false
}, 2*time.Minute, 10*time.Second).Should(gomega.BeTrue(), "New CertificateRequest should appear")

secretNameFromCR, _ := utils.GetCertificateSecretNameFromCR(originalCR)
log.Log.Info("Test completed: CertificateRequest recreated by operator", "newCR", newCRName, "certificateSecret", secretNameFromCR)
})

ginkgo.AfterAll(func(ctx context.Context) {

logger.Info("Cleanup: Running AfterAll cleanup")
Expand Down