CNTRLPLANE-3364: add the kms suite and migrate the kms tests of auth-o to ote

[sandeepknd]

add the kms suite and migrate the kms encryption tests to ote

Summary by CodeRabbit

• Tests
  • Added comprehensive end-to-end tests for KMS encryption functionality
  • Implemented test coverage for KMS encryption activation/deactivation scenarios
  • Added validation tests for encryption provider migration workflows

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR adds end-to-end tests for KMS encryption in the cluster-authentication-operator. A new test suite is registered with serial execution constraints, and two test scenarios verify token encryption behavior during KMS enable/disable transitions and encryption provider migrations. The test logic is implemented in a new file with refactored thin entry points.

Changes

KMS Encryption E2E Tests

Layer / File(s)	Summary
Test suite registration cmd/cluster-authentication-operator-tests-ext/main.go	A new test suite openshift/cluster-authentication-operator/encryption-kms is registered with Parallelism: 1 and a qualifier filter that selects only tests with KMSEncryption in their names.
KMS encryption test scenarios test/e2e-encryption-kms/encryption_kms.go, test/e2e-encryption-kms/encryption_kms_test.go	Two serial e2e test specs are defined: TestKMSEncryptionOnOff deploys a mock KMS plugin and verifies tokens are encrypted when KMS is enabled and unencrypted when disabled; TestKMSEncryptionProvidersMigration deploys the same plugin and verifies encryption status after each migration step while shuffling between KMS and a random static AES provider. Thin test entrypoints delegate to package-level helper functions.

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 9 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Microshift Test Compatibility	⚠️ Warning	Tests use config.openshift.io API which is unavailable on MicroShift. No protection mechanisms are present.	Add [apigroup:config.openshift.io] tag to test names, or use [Skipped:MicroShift] label, or add IsMicroShiftCluster() runtime check with skip.
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	Tests require pulling quay.io/openshifttest/mock-kms-plugin image from external public registry, causing failure in disconnected environments.	Pre-load mock KMS plugin image to cluster, mirror to internal registry, or add [Skipped:Disconnected] tag to tests to skip in disconnected CI environments.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names are stable with no dynamic content. Test titles contain only static, descriptive strings.
Test Structure And Quality	✅ Passed	Tests satisfy all requirements: single responsibility, proper timeouts, delegated assertions via library, consistent with test/e2e patterns.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Tests do not assume multi-node clusters. KMS DaemonSet with control-plane node selector runs on SNO's single node. Tests verify encryption behavior only, not node topology.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only e2e test code and test suite registration (no deployment manifests, operator code, or controllers). No scheduling constraints are introduced. Not applicable to custom check scope.
Ote Binary Stdout Contract	✅ Passed	PR adheres to OTE Binary Stdout Contract. main.go correctly sets klog.LogToStderr(true), contains no fmt/log stdout writes in process-level code, and test setup properly avoids stdout violations.
Title check	✅ Passed	The title accurately describes the main changes: adding a KMS test suite and migrating KMS encryption tests to OTE, which aligns with all file modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sandeepknd]

/assign @gangwgr

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e-encryption-kms/encryption_kms.go (1)

5-5: ⚡ Quick win

Avoid nondeterministic provider selection in migration tests.

Line 69 randomizes provider choice and order, which makes failures harder to reproduce. Prefer a fixed provider list/order (or explicit deterministic subcases) for stable CI diagnostics.

Proposed deterministic variant

-	"math/rand/v2"
@@
-		EncryptionProviders:            library.ShuffleEncryptionProviders([]configv1.APIServerEncryption{{Type: configv1.EncryptionTypeKMS, KMS: librarykms.DefaultFakeKMSPluginConfig}, library.SupportedStaticEncryptionProviders[rand.IntN(len(library.SupportedStaticEncryptionProviders))]}),
+		EncryptionProviders: []configv1.APIServerEncryption{
+			{Type: configv1.EncryptionTypeKMS, KMS: librarykms.DefaultFakeKMSPluginConfig},
+			library.SupportedStaticEncryptionProviders[0],
+		},

As per coding guidelines, "Review Ginkgo test code for quality: ... (5) Consistency - follow existing repository patterns."

Also applies to: 69-69

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-encryption-kms/encryption_kms.go` at line 5, The test currently
randomizes the provider selection/order (the providers slice and its
rand.Shuffle/selection logic) which causes nondeterministic failures; replace
the randomization with a deterministic order—either hardcode the providers slice
in a stable order (e.g., []string{"aws","gcp","azure"}) or
sort.Strings(providers) before use, and remove any use of math/rand/v2 or
rand.Shuffle in the provider-selection code path so the migration tests run with
a stable, reproducible provider list.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e-encryption-kms/encryption_kms.go`:
- Line 5: The test currently randomizes the provider selection/order (the
providers slice and its rand.Shuffle/selection logic) which causes
nondeterministic failures; replace the randomization with a deterministic
order—either hardcode the providers slice in a stable order (e.g.,
[]string{"aws","gcp","azure"}) or sort.Strings(providers) before use, and remove
any use of math/rand/v2 or rand.Shuffle in the provider-selection code path so
the migration tests run with a stable, reproducible provider list.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6e62b6d6-dcfd-4fe7-a5e4-b453d6d4ca2c

📥 Commits

Reviewing files that changed from the base of the PR and between cdcee0b and c352356.

📒 Files selected for processing (4)

• cmd/cluster-authentication-operator-tests-ext/main.go
• pkg/dependencymagnet/dependencymagnet.go
• test/e2e-encryption-kms/encryption_kms.go
• test/e2e-encryption-kms/encryption_kms_test.go

[sandeepknd]

/test e2e-aws-operator-encryption-kms-ote

[sandeepknd]

/test e2e-aws-operator-encryption-kms-ote

[sandeepknd]

re-triggering the test e2e-aws-operator-encryption-kms-ote as it failed due to node not becoming ready.
e2e-aws-operator-encryption-kms-ote-nodes-readiness failed.

[INFO] - 6 ready nodes expected, found 7... Waiting 1min before retrying (timeout in 1min)...
108
[ERROR] Timeout reached. 6 ready nodes expected, found 7... Failing.

[sandeepknd]

The tests (TestKMSEncryptionOnOff and TestKMSEncryptionProvidersMigration) got executed within the suite openshift/cluster-authentication-operator/encryption-kms.
Please find the log ,

[p0lyn0mial]

could we use https://github.com/openshift/cluster-kube-apiserver-operator/blob/main/cmd/cluster-kube-apiserver-operator-tests-ext/main.go#L92C20-L92C33 ?

[p0lyn0mial]

already added to pkg/dependencymagnet/dependencymagnet.go ?

[sandeepknd]

added only in this file. Referred other repo as well.

[p0lyn0mial]

were there any changes to this test ?

[sandeepknd]

the latest changes made to this test has been pulled in this PR as well.

[p0lyn0mial]

were there any changes to this test ?

[sandeepknd]

the latest changes made to this test (multiline parameters) has been pulled in this PR as well.

[p0lyn0mial]

/assign @gangwgr

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from gangwgr. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@sandeepknd: This pull request references CNTRLPLANE-3364 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

add the kms suite and migrate the kms encryption tests to ote

Summary by CodeRabbit

• Tests
• Added comprehensive end-to-end tests for KMS encryption functionality
• Implemented test coverage for KMS encryption activation/deactivation scenarios
• Added validation tests for encryption provider migration workflows

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@sandeepknd: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[sandeepknd]

job e2e-aws-operator-encryption-kms-ote got executed. Logs can be found here. It has successfully executed the tests TestKMSEncryptionOnOff and estKMSEncryptionProvidersMigration .

[sandeepknd]

All tests have passed.
@p0lyn0mial Could you PTAL.
@gangwgr Could you PTAL.

[sandeepknd]

/verified by CI

[openshift-ci-robot]

@sandeepknd: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.