Skip to content

[WIP] MG-244: OTE migration for Support Log Gather#337

Open
KeenonLee wants to merge 1 commit into
openshift:masterfrom
KeenonLee:Migrate_OTE
Open

[WIP] MG-244: OTE migration for Support Log Gather#337
KeenonLee wants to merge 1 commit into
openshift:masterfrom
KeenonLee:Migrate_OTE

Conversation

@KeenonLee

Copy link
Copy Markdown
Contributor

No description provided.

@coderabbitai

coderabbitai Bot commented Mar 27, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3fef50e9-3309-4420-a13c-585eec60fc89

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

Introduced a comprehensive OpenShift extension test runner infrastructure, including a Docker build stage for packaging test extensions, build system targets for compiling and embedding test fixtures, Go entry point for executing extension tests with filtered specifications, and extensive e2e test suites for must-gather operator functionality with fixture templates for various scenarios (secrets, persistence, proxies, timeouts). Module dependencies were updated to include testing frameworks, OpenShift test extensions, and Kubernetes/Cobra libraries.

Changes

Cohort / File(s) Summary
Build Infrastructure
Dockerfile.openshift, Makefile, bindata.mk
Added test-extension builder stage to Docker image. Extended Makefile with tests-ext-build, extension, and clean-extension targets. Introduced bindata.mk fragment for embedding test fixtures via go-bindata with update/verify/clean targets.
Extension Test Runner
cmd/extension/main.go, go.mod
Added new Go entrypoint that initializes extension registry, registers test suites with platform/lifecycle filtering, integrates Ginkgo/Gomega, and configures OTP compatibility. Updated 20+ direct dependencies and added new direct dependencies (openshift-tests-extension, origin, cobra, gjson, google.golang.org/api) with Kubernetes stack upgrade from v0.33.3 to v0.34.1; added replace directives for OpenShift/Kubernetes forks.
E2E Test Suites
test/e2e/extension/mustgather.go, test/e2e/extension/oap_suite.go, test/e2e/extension/olm_utils.go, test/e2e/extension/supportloggather_utils.go, test/e2e/extension/utils.go
Implemented must-gather operator e2e test suite with MustGather CR creation, secret/storage provisioning, and outcome verification. Added test entrypoint, OLM v0/v1 installation helpers, must-gather pod discovery/lifecycle utilities, and general test helpers (cluster credentials, Vault/cert-manager setup, IAM manipulation, deployment readiness checks).
Test Data & Fixtures
test/e2e/extension/testdata/bindata.go, test/e2e/extension/testdata/fixtures.go, test/e2e/extension/testdata/OWNERS
Generated embedded asset file containing test fixture bytes and public APIs for asset retrieval/restoration. Implemented fixture path resolution with temporary directory caching and cleanup. Added OWNERS metadata file.
Test Fixture Templates
test/e2e/extension/testdata/eso/*, test/e2e/extension/testdata/mustgather/*, test/e2e/extension/testdata/sscsi/*
Created 40+ OpenShift/Kubernetes Template YAML files for e2e testing: external-secrets operator (ClusterGenerators, ExternalSecrets, PushSecrets, SecretStores, vault/AWS/GCP configurations), must-gather operator (MustGather CRs with various storage/audit/proxy configurations), secrets-store CSI driver (provider plugins, SecretProviderClasses), and supporting infrastructure (namespaces, operatorgroups, subscriptions, PVCs).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@KeenonLee KeenonLee changed the title Migrate ote [WIP] MG-244: OTE migration for Support Log Gather Mar 27, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 27, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 27, 2026
@openshift-ci-robot

openshift-ci-robot commented Mar 27, 2026

Copy link
Copy Markdown

@KeenonLee: This pull request references MG-244 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from dustman9000 and swghosh March 27, 2026 09:03
@openshift-ci

openshift-ci Bot commented Mar 27, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: KeenonLee
Once this PR has been reviewed and has the lgtm label, please assign ravitri for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 13

🧹 Nitpick comments (12)
test/e2e/extension/testdata/eso/pushsecret-aws-secretkey.yaml (1)

11-11: Rename REFREASHINTERVAL to REFRESHINTERVAL to prevent template misuse.

Line 11 and Line 25 use a misspelled parameter name. It works internally now, but it increases caller error risk and hurts maintainability.

Proposed fix
-      refreshInterval: "${REFREASHINTERVAL}"
+      refreshInterval: "${REFRESHINTERVAL}"
@@
-  - name: REFREASHINTERVAL
+  - name: REFRESHINTERVAL
     value: "1m"

Also applies to: 25-26

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/eso/pushsecret-aws-secretkey.yaml` at line 11,
Replace the misspelled template variable REFREASHINTERVAL with the correct
REFRESHINTERVAL everywhere it's used (e.g., in pushsecret-aws-secretkey.yaml and
any related templates or callers); update the YAML key values and any references
or environment variable names that supply this parameter so they match the
corrected identifier, and run a quick search to ensure no remaining occurrences
of REFREASHINTERVAL remain.
test/e2e/extension/testdata/eso/helm-vault-config.yaml (1)

1-30: Extract duplicate Helm values configuration to shared location.

The helm-vault-config.yaml files in test/e2e/extension/testdata/eso/ and test/e2e/extension/testdata/sscsi/ are identical. Extract to a single shared configuration to prevent drift and reduce maintenance burden.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/eso/helm-vault-config.yaml` around lines 1 - 30,
The two identical helm-vault-config.yaml instances should be consolidated:
extract the YAML block shown (global:, injector:, server: ... ui = true) into a
single shared config (e.g., helm-vault-config.yaml in a common testdata/shared
location) and update the copies under test/e2e/extension/testdata/eso/ and
test/e2e/extension/testdata/sscsi/ to reference or include the shared file (via
your test framework's include mechanism, a kustomize/helm values merge, or a
lightweight symlink) so both tests use the single source of truth; ensure
filenames remain helm-vault-config.yaml in references and preserve the exact
keys (global, injector, server, server.standalone.config) when merging.
test/e2e/extension/testdata/mustgather/reader-pod.yaml (1)

18-18: Pin the reader image to an immutable tag or digest.

Using :latest makes test behavior non-deterministic over time and can cause flaky e2e runs.

Proposed change
-        image: registry.access.redhat.com/ubi9/ubi-minimal:latest
+        image: registry.access.redhat.com/ubi9/ubi-minimal:9.5
# or preferably:
+#        image: registry.access.redhat.com/ubi9/ubi-minimal@sha256:<digest>
As per coding guidelines "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/mustgather/reader-pod.yaml` at line 18, The YAML
uses an unstable image tag "registry.access.redhat.com/ubi9/ubi-minimal:latest"
in reader-pod.yaml which can cause flaky e2e tests; update the image field to a
pinned immutable reference (either a specific released tag like
"registry.access.redhat.com/ubi9/ubi-minimal:9.2-xx" or a digest form
"registry.access.redhat.com/ubi9/ubi-minimal@sha256:<digest>") so that the image
in the manifest is deterministic and repeatable.
test/e2e/extension/testdata/eso/externalsecret-generator.yaml (1)

11-11: Typo in parameter name: REFREASHINTERVALREFRESHINTERVAL

Same spelling error as in externalsecret-gcpsm.yaml.

Suggested fix
     spec:
-      refreshInterval: "${REFREASHINTERVAL}"
+      refreshInterval: "${REFRESHINTERVAL}"
   - name: NAME
-  - name: REFREASHINTERVAL
+  - name: REFRESHINTERVAL
     value: "1m"

Also applies to: 23-24

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/eso/externalsecret-generator.yaml` at line 11,
There's a typo in the environment variable name used for refreshInterval:
replace all occurrences of REFREASHINTERVAL with the correct REFRESHINTERVAL
(e.g., the line setting refreshInterval: "${REFREASHINTERVAL}" and the other
occurrences reported at lines 23-24), and ensure the same correction is applied
in the corresponding externalsecret-gcpsm.yaml usage so the template resolves
the intended REFRESHINTERVAL variable.
test/e2e/extension/testdata/eso/externalsecret-gcpsm.yaml (1)

11-11: Typo in parameter name: REFREASHINTERVALREFRESHINTERVAL

The parameter name has a spelling error that affects readability and could cause confusion when using this template.

Suggested fix
     spec:
-      refreshInterval: "${REFREASHINTERVAL}"
+      refreshInterval: "${REFRESHINTERVAL}"
   - name: NAME
-  - name: REFREASHINTERVAL
+  - name: REFRESHINTERVAL
     value: "1m"

Also applies to: 28-29

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/eso/externalsecret-gcpsm.yaml` at line 11,
Replace the misspelled parameter REFREASHINTERVAL with REFRESHINTERVAL wherever
it's used in this YAML template (specifically in the refreshInterval fields) so
the template uses the correctly spelled variable name; update all occurrences
(including the other instance mentioned) to maintain consistency.
test/e2e/extension/testdata/eso/pushsecret-aws.yaml (2)

4-4: Template name mismatch: creates PushSecret but named externalsecret-template

Consider renaming to pushsecret-template for clarity.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/eso/pushsecret-aws.yaml` at line 4, The template
name in test/e2e/extension/testdata/eso/pushsecret-aws.yaml is misleading: the
resource Kind is PushSecret but the metadata.name is "externalsecret-template";
update the metadata.name value to "pushsecret-template" to match the PushSecret
resource and clarify intent (look for the PushSecret Kind and the metadata.name
field in that file).

11-11: Typo in parameter name: REFREASHINTERVALREFRESHINTERVAL

Same spelling error as in other ESO templates.

Also applies to: 24-25

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/eso/pushsecret-aws.yaml` at line 11, Replace the
misspelled environment variable REFREASHINTERVAL with the correct
REFRESHINTERVAL in the template where refreshInterval: "${REFREASHINTERVAL}"
appears; update all other ESO templates that contain the same typo (the other
occurrences noted around lines 24-25) so they use "${REFRESHINTERVAL}" instead.
test/e2e/extension/testdata/sscsi/75963/gcpproviderplugin.yaml (1)

59-59: Pin busybox image to a specific tag for reproducibility

Using an untagged image defaults to latest, which can cause non-reproducible test runs.

Suggested fix
       - name: chown-provider-mount
-        image: busybox
+        image: busybox:1.36
         command:
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/sscsi/75963/gcpproviderplugin.yaml` at line 59,
Replace the untagged image reference "image: busybox" with a pinned tag (for
example "image: busybox:1.36.1" or another explicit, tested version) in the
gcpproviderplugin.yaml so test runs are reproducible; update any related
manifests that reference the same "busybox" symbol to use the same pinned tag.
test/e2e/extension/utils.go (2)

318-320: Typo: "deprecateded".

 	if enableTLS {
-		e2e.Logf("enabling TLS traffic is deprecateded")
+		e2e.Logf("enabling TLS traffic is deprecated")
 	}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/utils.go` around lines 318 - 320, Fix the typo in the log
message emitted when enableTLS is true: update the string passed to e2e.Logf in
the conditional that checks enableTLS so it reads "enabling TLS traffic is
deprecated" (or a clearer phrase like "TLS traffic is deprecated") instead of
"deprecateded".

94-98: Potential duplicate role bindings.

This always appends a new binding for the role even if one already exists. Consider adding the member to an existing binding with the same role instead.

 		if add {
+			// Check if binding for this role already exists
+			found := false
+			for _, b := range policy.Bindings {
+				if b.Role == role {
+					b.Members = append(b.Members, member)
+					found = true
+					break
+				}
+			}
+			if !found {
+				policy.Bindings = append(policy.Bindings, &gcpcrm.Binding{
+					Role:    role,
+					Members: []string{member},
+				})
+			}
-			policy.Bindings = append(policy.Bindings, &gcpcrm.Binding{
-				Role:    role,
-				Members: []string{member},
-			})
 		} else {
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/utils.go` around lines 94 - 98, The code currently always
appends a new gcpcrm.Binding when add is true, causing duplicate bindings for
the same role; instead, in the function that manipulates policy.Bindings locate
an existing binding where b.Role == role (iterate policy.Bindings), and if found
add member to that binding's Members slice only if it's not already present; if
no such binding exists, append a new &gcpcrm.Binding{Role: role, Members:
[]string{member}} as you do now. Ensure you update the binding in-place on
policy.Bindings and deduplicate members when adding.
test/e2e/extension/testdata/sscsi/73739/vaultproviderplugin.yaml (2)

114-115: Privileged container noted.

Static analysis flags the privileged: true setting. This is likely intentional for the CSI provider to access host paths, but consider adding allowPrivilegeEscalation: false and readOnlyRootFilesystem: true if the provider supports it.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/sscsi/73739/vaultproviderplugin.yaml` around
lines 114 - 115, The securityContext currently sets privileged: true which is
flagged by static analysis; update the container's securityContext (the block
containing privileged: true) to also set allowPrivilegeEscalation: false and
readOnlyRootFilesystem: true where supported by the CSI provider, and validate
the provider's startup/host-access requirements so these restrictions don't
break functionality.

110-111: Empty tolerations field.

The tolerations: key is defined but has no values. Either add the required tolerations or remove the empty key entirely.

       serviceAccountName: vault-csi-provider
-      tolerations:
       containers:
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/sscsi/73739/vaultproviderplugin.yaml` around
lines 110 - 111, Remove the empty tolerations key or populate it with the
required toleration entries: locate the bare "tolerations:" key in
vaultproviderplugin.yaml (near the "containers:" block) and either delete that
line if no tolerations are needed or replace it with a proper list of toleration
objects (e.g., - key:, operator:, effect:, etc.) so the manifest is valid.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@cmd/extension/main.go`:
- Around line 28-30: Move the framework finalization into a Cobra
PersistentPreRun and integrate the stdlib flags into the root command: call
util.InitStandardFlags() as before, then add flag.CommandLine to the root Cobra
flags using rootCmd.PersistentFlags().AddGoFlagSet(flag.CommandLine) so the k8s
framework flags get parsed by Cobra, and relocate the
framework.AfterReadingAllFlags(&framework.TestContext) call into
rootCmd.PersistentPreRun (or append it to any existing PersistentPreRun chain)
so AfterReadingAllFlags runs after Cobra has parsed CLI overrides (instead of
calling it before root.Execute()).

In `@go.mod`:
- Line 27: The go.mod has a version mismatch: the require line specifies
k8s.io/kubernetes v1.34.1 while the replace maps it to
github.com/openshift/kubernetes v1.30.1-0.20251017123720-96593f323733; update
the replace entry to use a compatible v1.34.1 OpenShift fork (or remove the
replace) so the required module and the replacement are aligned with the rest of
the k8s.io modules (ensure the replace target version matches v1.34.1 or drop
the replace and vendor a compatible module), adjusting the replace statement
referencing github.com/openshift/kubernetes accordingly.
- Line 7: go.mod pins github.com/onsi/ginkgo/v2 at v2.25.1 but a replace
directive targets an OpenShift fork at v2.6.1-0... which may be incompatible;
verify intent and compatibility by confirming the replace is deliberate,
auditing all uses of Ginkgo v2 APIs (Describe, Context, BeforeEach, BeforeAll,
It, By, Ordered, etc.) across test/e2e and test/ directories for APIs or
behaviors introduced after v2.6.1, and either update the replace to a
fork/version that provides the same or newer public API as v2.25.1 or change the
pinned module version to match the replaced fork; if the replace must remain,
add a short compatibility note in go.mod or repository docs explaining why the
older fork is acceptable and list any tested Ginkgo features to avoid surprises.

In `@test/e2e/extension/mustgather.go`:
- Around line 93-96: The test logs raw proxy environment variables (httpProxy,
httpsProxy, noProxy) using e2e.Logf which may contain userinfo credentials;
create a small sanitizer and use it before logging: add a helper like
redactProxyURL(proxy string) string that parses the proxy URL (net/url.Parse),
strips or masks URL.User (e.g., remove userinfo or replace with "REDACTED"), and
returns the safe string; for noProxy, split on commas and apply the same
sanitizer to any entries that look like URLs or contain '@'; replace the direct
uses of httpProxy, httpsProxy, and noProxy in the e2e.Logf calls with the
sanitized outputs so no raw credentials are written to test artifacts.
- Around line 81-82: The current gate requires both proxies but later
unconditionally compares httpProxy which breaks HTTPS-only clusters; update the
initial check to skip only when neither proxy is present (use OR: check if
output contains "httpsProxy" || "httpProxy"), and modify the later assertions
(around the blocks referenced at lines 98-103 and 118-120) to only compare
httpProxy-related env vars when "httpProxy" is present in output (similarly
handle httpsProxy checks independently) so each proxy is validated only if
configured.

In `@test/e2e/extension/supportloggather_utils.go`:
- Line 35: The Local value is declared as a compile-time constant false so
skipIfNotLocal(Local) is always optimized away; change the declaration of Local
from a const to a package-level variable (e.g., var Local = false) so its value
is evaluated at runtime (and can be overridden for local runs), leaving
skipIfNotLocal(Local) to behave correctly; update any related tests or build
scripts that expect a constant accordingly.
- Around line 377-385: The check using strings.Contains(output, "exists")
wrongly matches "not exists"; update the probe logic in the block that builds
cmd and reads output (the oc.AsAdmin().Run(...).Output() call using
readerPodName and namespace) to detect existence precisely—e.g. trim whitespace
and compare equality (strings.TrimSpace(output) == "exists") or test for the
negative case first (strings.Contains(output, "not exists") -> failure) so that
only an exact "exists" result is treated as success; apply the same change to
the similar block around lines 552-558.
- Around line 66-78: The current checks ignore the error returned by
oc.AsAdmin().WithoutNamespace().Run("get") and rely on stdout containing
"NotFound", which misclassifies API/auth failures as missing catalogs; update
the logic in the block that queries DefaultCatalogSourceNamespace for
AutoReleaseCatalogSourceName/QECatalogSourceName to inspect the returned error
from Output() (the err value) first: if err != nil then if err.Error() indicates
a not-found condition (e.g., contains "NotFound" or "not found") treat the
catalog as missing and continue to the next candidate, otherwise treat it as a
real failure (log/return/fail the test) so you don't pick the wrong catalog;
apply this change for both the AutoRelease and QE queries that set
catalogSourceName/catalogSourceNamespace and ensure non-NotFound errors are
propagated instead of ignored.

In `@test/e2e/extension/testdata/eso/externalsecret-gcpsm-version.yaml`:
- Line 11: Replace the misspelled template parameter REFREASHINTERVAL with
REFRESHINTERVAL across all test fixtures (e.g., in externalsecret-*.yaml and
pushsecret-*.yaml templates) so placeholders and any test wiring use the correct
name; search for occurrences of "REFREASHINTERVAL" in the testdata and update
them to "REFRESHINTERVAL", and also update any tests or helper code that set or
reference that env/template variable to use REFRESHINTERVAL to keep names
consistent.

In `@test/e2e/extension/testdata/fixtures.go`:
- Around line 91-100: ListFixtures currently filters only names starting with
"testdata/" but AssetNames yields entries like "mustgather/mustgather.yaml", so
the loop returns empty; update ListFixtures to not require the "testdata/"
prefix — iterate all names returned by AssetNames(), append
strings.TrimPrefix(name, "testdata/") (so names without that prefix are
unchanged), then sort and return; keep the function name ListFixtures and call
to AssetNames unchanged.

In `@test/e2e/extension/testdata/sscsi/73739/spc_vault_pod.yaml`:
- Around line 5-23: The pod spec for the fixture (container name "busybox" and
volume "secrets-store-inline" using CSI driver "secrets-store.csi.k8s.io") is
missing hardened security contexts; add a pod-level securityContext and a
container.securityContext for "busybox" that enforces runAsNonRoot: true and a
non-zero runAsUser (e.g. 1000), sets allowPrivilegeEscalation: false, drops all
capabilities, sets readOnlyRootFilesystem: true, and applies a seccomp/profile
of "RuntimeDefault" (or appropriate restricted profile) so the pod passes
restricted/hardened admission policies. Ensure these fields are added alongside
the existing spec/container definitions (pod-level securityContext for fsGroup
or supplementalGroups as needed and container-level securityContext for the
busybox container).

In `@test/e2e/extension/utils.go`:
- Around line 117-129: The outer loop over bindings can overwrite bindingIndex
when the same role appears multiple times; after you find the matching role and
search its Members for the member, stop iterating further to avoid picking a
later duplicate role. Modify the loop that iterates over bindings (the code
using bindings[bIdx], role, bindingIndex, and memberIndex) to break out of the
outer loop once you set bindingIndex and (after the inner member search) set
memberIndex — e.g. perform the inner member search, then break the outer loop
(or use a labeled break/return) so later bindings with the same role cannot
overwrite the indices.

---

Nitpick comments:
In `@test/e2e/extension/testdata/eso/externalsecret-gcpsm.yaml`:
- Line 11: Replace the misspelled parameter REFREASHINTERVAL with
REFRESHINTERVAL wherever it's used in this YAML template (specifically in the
refreshInterval fields) so the template uses the correctly spelled variable
name; update all occurrences (including the other instance mentioned) to
maintain consistency.

In `@test/e2e/extension/testdata/eso/externalsecret-generator.yaml`:
- Line 11: There's a typo in the environment variable name used for
refreshInterval: replace all occurrences of REFREASHINTERVAL with the correct
REFRESHINTERVAL (e.g., the line setting refreshInterval: "${REFREASHINTERVAL}"
and the other occurrences reported at lines 23-24), and ensure the same
correction is applied in the corresponding externalsecret-gcpsm.yaml usage so
the template resolves the intended REFRESHINTERVAL variable.

In `@test/e2e/extension/testdata/eso/helm-vault-config.yaml`:
- Around line 1-30: The two identical helm-vault-config.yaml instances should be
consolidated: extract the YAML block shown (global:, injector:, server: ... ui =
true) into a single shared config (e.g., helm-vault-config.yaml in a common
testdata/shared location) and update the copies under
test/e2e/extension/testdata/eso/ and test/e2e/extension/testdata/sscsi/ to
reference or include the shared file (via your test framework's include
mechanism, a kustomize/helm values merge, or a lightweight symlink) so both
tests use the single source of truth; ensure filenames remain
helm-vault-config.yaml in references and preserve the exact keys (global,
injector, server, server.standalone.config) when merging.

In `@test/e2e/extension/testdata/eso/pushsecret-aws-secretkey.yaml`:
- Line 11: Replace the misspelled template variable REFREASHINTERVAL with the
correct REFRESHINTERVAL everywhere it's used (e.g., in
pushsecret-aws-secretkey.yaml and any related templates or callers); update the
YAML key values and any references or environment variable names that supply
this parameter so they match the corrected identifier, and run a quick search to
ensure no remaining occurrences of REFREASHINTERVAL remain.

In `@test/e2e/extension/testdata/eso/pushsecret-aws.yaml`:
- Line 4: The template name in
test/e2e/extension/testdata/eso/pushsecret-aws.yaml is misleading: the resource
Kind is PushSecret but the metadata.name is "externalsecret-template"; update
the metadata.name value to "pushsecret-template" to match the PushSecret
resource and clarify intent (look for the PushSecret Kind and the metadata.name
field in that file).
- Line 11: Replace the misspelled environment variable REFREASHINTERVAL with the
correct REFRESHINTERVAL in the template where refreshInterval:
"${REFREASHINTERVAL}" appears; update all other ESO templates that contain the
same typo (the other occurrences noted around lines 24-25) so they use
"${REFRESHINTERVAL}" instead.

In `@test/e2e/extension/testdata/mustgather/reader-pod.yaml`:
- Line 18: The YAML uses an unstable image tag
"registry.access.redhat.com/ubi9/ubi-minimal:latest" in reader-pod.yaml which
can cause flaky e2e tests; update the image field to a pinned immutable
reference (either a specific released tag like
"registry.access.redhat.com/ubi9/ubi-minimal:9.2-xx" or a digest form
"registry.access.redhat.com/ubi9/ubi-minimal@sha256:<digest>") so that the image
in the manifest is deterministic and repeatable.

In `@test/e2e/extension/testdata/sscsi/73739/vaultproviderplugin.yaml`:
- Around line 114-115: The securityContext currently sets privileged: true which
is flagged by static analysis; update the container's securityContext (the block
containing privileged: true) to also set allowPrivilegeEscalation: false and
readOnlyRootFilesystem: true where supported by the CSI provider, and validate
the provider's startup/host-access requirements so these restrictions don't
break functionality.
- Around line 110-111: Remove the empty tolerations key or populate it with the
required toleration entries: locate the bare "tolerations:" key in
vaultproviderplugin.yaml (near the "containers:" block) and either delete that
line if no tolerations are needed or replace it with a proper list of toleration
objects (e.g., - key:, operator:, effect:, etc.) so the manifest is valid.

In `@test/e2e/extension/testdata/sscsi/75963/gcpproviderplugin.yaml`:
- Line 59: Replace the untagged image reference "image: busybox" with a pinned
tag (for example "image: busybox:1.36.1" or another explicit, tested version) in
the gcpproviderplugin.yaml so test runs are reproducible; update any related
manifests that reference the same "busybox" symbol to use the same pinned tag.

In `@test/e2e/extension/utils.go`:
- Around line 318-320: Fix the typo in the log message emitted when enableTLS is
true: update the string passed to e2e.Logf in the conditional that checks
enableTLS so it reads "enabling TLS traffic is deprecated" (or a clearer phrase
like "TLS traffic is deprecated") instead of "deprecateded".
- Around line 94-98: The code currently always appends a new gcpcrm.Binding when
add is true, causing duplicate bindings for the same role; instead, in the
function that manipulates policy.Bindings locate an existing binding where
b.Role == role (iterate policy.Bindings), and if found add member to that
binding's Members slice only if it's not already present; if no such binding
exists, append a new &gcpcrm.Binding{Role: role, Members: []string{member}} as
you do now. Ensure you update the binding in-place on policy.Bindings and
deduplicate members when adding.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3218da22-7cc3-4d35-86b6-b7ebc2b951dd

📥 Commits

Reviewing files that changed from the base of the PR and between 2f40259 and d686bb6.

⛔ Files ignored due to path filters (241)
  • go.sum is excluded by !**/*.sum
  • vendor/cel.dev/expr/.bazelversion is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/.gitattributes is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/.gitignore is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/BUILD.bazel is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/CODE_OF_CONDUCT.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/GOVERNANCE.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/MAINTAINERS.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/MODULE.bazel is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/WORKSPACE is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/WORKSPACE.bzlmod is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/checked.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/cloudbuild.yaml is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/eval.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/explain.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/regen_go_proto.sh is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/regen_go_proto_canonical_protos.sh is excluded by !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/syntax.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cel.dev/expr/value.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/CHANGES.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/auth.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/compute.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/detect.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/filetypes.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/aws_provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/executable_provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/externalaccount.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/file_provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/info.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/programmatic_provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/url_provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/externalaccount/x509_provider.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/externalaccountuser/externalaccountuser.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/gdch/gdch.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/impersonate/idtoken.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/impersonate/impersonate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/internal/stsexchange/sts_exchange.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/credentials/selfsignedjwt.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/grpctransport/dial_socketopt.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/grpctransport/directpath.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/grpctransport/grpctransport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/grpctransport/pool.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/httptransport/httptransport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/httptransport/transport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/compute/compute.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/compute/manufacturer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/compute/manufacturer_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/compute/manufacturer_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/credsfile/credsfile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/credsfile/filetype.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/credsfile/parse.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/internal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/jwt/jwt.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/transport/cba.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/transport/cert/default_cert.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/transport/cert/enterprise_cert.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/transport/cert/secureconnect_cert.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/transport/cert/workload_cert.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/transport/s2a.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/internal/transport/transport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/oauth2adapt/CHANGES.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/oauth2adapt/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/oauth2adapt/oauth2adapt.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/auth/threelegged.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/CHANGES.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/log.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/metadata.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/retry.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/retry_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/syscheck.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/syscheck_linux.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/compute/metadata/syscheck_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/iam/CHANGES.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/iam/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/iam/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/iam/apiv1/iampb/iam_policy.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/iam/apiv1/iampb/options.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/iam/apiv1/iampb/policy.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/iam/apiv1/iampb/resource_policy_member.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/iam/iam.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/.repo-metadata-full.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/annotate.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/gen_info.sh is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/optional/optional.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/retry.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/trace/trace.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/version/update_version.sh is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/internal/version/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/alert_policy_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/auxiliary.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/group_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/metric_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/alert_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/common.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/dropped_labels.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/group_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/metric_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/mutation_record.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/notification_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/query_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/service_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/snooze_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/span_context.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/monitoringpb/uptime_service.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/notification_channel_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/query_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/service_monitoring_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/snooze_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/uptime_check_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/apiv3/v2/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/monitoring/internal/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/CHANGES.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/TESTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/acl.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/bucket.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/copy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/dynamic_delay.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/emulator_test.sh is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/experimental/experimental.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/grpc_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/grpc_dp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/grpc_metrics.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/grpc_reader.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/grpc_reader_multi_range.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/grpc_writer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/hmac.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/http_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/iam.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/apiv2/auxiliary.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/apiv2/auxiliary_go123.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/apiv2/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/apiv2/gapic_metadata.json is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/apiv2/helpers.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/apiv2/storage_client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/apiv2/storagepb/storage.pb.go is excluded by !**/*.pb.go, !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/apiv2/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/experimental.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/internal/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/invoke.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/notifications.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/option.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/post_policy_v4.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/reader.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/storage.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/storage.replay is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/trace.go is excluded by !vendor/**, !**/vendor/**
  • vendor/cloud.google.com/go/storage/writer.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/LICENSE is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/core.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/defaultlog.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/defaultlog_syslog.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/defaultlog_windows.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/error.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/progress.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/request.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/response.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-pipeline-go/pipeline/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/LICENSE.txt is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/NOTICE.txt is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/profiles/latest/containerregistry/mgmt/containerregistry/models.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/LICENSE.txt is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/README.md is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/client.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_type.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy/policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/resource_identifier.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/resource_type.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/pipeline.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/policy_bearer_token.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/policy_register_rp.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/policy_trace_namespace.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/runtime.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/ci.yml is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud/cloud.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/core.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/etag.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/pipeline.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/request.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/response_error.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log/log.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/async/async.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/body/body.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/fake/fake.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc/loc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op/op.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/poller.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/shared.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/log/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/log/log.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/policy.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/errors.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pipeline.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_api_version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_body_download.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_header.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_trace.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_include_response.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_key_credential.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_logging.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_request_id.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (59)
  • Dockerfile.openshift
  • Makefile
  • bindata.mk
  • cmd/extension/main.go
  • go.mod
  • test/e2e/extension/mustgather.go
  • test/e2e/extension/oap_suite.go
  • test/e2e/extension/olm_utils.go
  • test/e2e/extension/supportloggather_utils.go
  • test/e2e/extension/testdata/OWNERS
  • test/e2e/extension/testdata/bindata.go
  • test/e2e/extension/testdata/eso/clustergenerator-password.yaml
  • test/e2e/extension/testdata/eso/externalsecret-awsps.yaml
  • test/e2e/extension/testdata/eso/externalsecret-awssm.yaml
  • test/e2e/extension/testdata/eso/externalsecret-gcpsm-version.yaml
  • test/e2e/extension/testdata/eso/externalsecret-gcpsm.yaml
  • test/e2e/extension/testdata/eso/externalsecret-generator.yaml
  • test/e2e/extension/testdata/eso/externalsecret-vault.yaml
  • test/e2e/extension/testdata/eso/generator-password.yaml
  • test/e2e/extension/testdata/eso/helm-vault-config.yaml
  • test/e2e/extension/testdata/eso/namespace.yaml
  • test/e2e/extension/testdata/eso/operandConfig.yaml
  • test/e2e/extension/testdata/eso/operatorgroup.yaml
  • test/e2e/extension/testdata/eso/pushsecret-aws-secretkey.yaml
  • test/e2e/extension/testdata/eso/pushsecret-aws.yaml
  • test/e2e/extension/testdata/eso/secretstore-awssm.yaml
  • test/e2e/extension/testdata/eso/secretstore-gcpsm.yaml
  • test/e2e/extension/testdata/eso/secretstore-vault.yaml
  • test/e2e/extension/testdata/eso/subscription.yaml
  • test/e2e/extension/testdata/exec-helm-helper.yaml
  • test/e2e/extension/testdata/fixtures.go
  • test/e2e/extension/testdata/konflux-fbc.yaml
  • test/e2e/extension/testdata/mustgather/mustgather-audit.yaml
  • test/e2e/extension/testdata/mustgather/mustgather-noupload.yaml
  • test/e2e/extension/testdata/mustgather/mustgather-proxy.yaml
  • test/e2e/extension/testdata/mustgather/mustgather-pvc.yaml
  • test/e2e/extension/testdata/mustgather/mustgather-retain.yaml
  • test/e2e/extension/testdata/mustgather/mustgather-timeout.yaml
  • test/e2e/extension/testdata/mustgather/mustgather-upload.yaml
  • test/e2e/extension/testdata/mustgather/mustgather.yaml
  • test/e2e/extension/testdata/mustgather/namespace.yaml
  • test/e2e/extension/testdata/mustgather/operatorgroup.yaml
  • test/e2e/extension/testdata/mustgather/pvc.yaml
  • test/e2e/extension/testdata/mustgather/reader-pod.yaml
  • test/e2e/extension/testdata/mustgather/subscription.yaml
  • test/e2e/extension/testdata/operatorgroup.yaml
  • test/e2e/extension/testdata/sscsi/73739/spc_vault_pod.yaml
  • test/e2e/extension/testdata/sscsi/73739/vault_v1_secretproviderclass.yaml
  • test/e2e/extension/testdata/sscsi/73739/vaultproviderplugin.yaml
  • test/e2e/extension/testdata/sscsi/75963/gcpproviderplugin.yaml
  • test/e2e/extension/testdata/sscsi/75963/invalid_sc_pod.yaml
  • test/e2e/extension/testdata/sscsi/75963/sc_pod.yaml
  • test/e2e/extension/testdata/sscsi/75970/sc_pod.yaml
  • test/e2e/extension/testdata/sscsi/drivers.yaml
  • test/e2e/extension/testdata/sscsi/helm-vault-config.yaml
  • test/e2e/extension/testdata/sscsi/operatorgroup.yaml
  • test/e2e/extension/testdata/sscsi/subscription.yaml
  • test/e2e/extension/testdata/subscription.yaml
  • test/e2e/extension/utils.go

Comment thread cmd/extension/main.go
Comment on lines +28 to +30
// Initialize test framework flags (required for kubeconfig, provider, etc.)
util.InitStandardFlags()
framework.AfterReadingAllFlags(&framework.TestContext)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "main.go" -path "*/extension/*" -type f

Repository: openshift/must-gather-operator

Length of output: 97


🏁 Script executed:

cat -n cmd/extension/main.go

Repository: openshift/must-gather-operator

Length of output: 5809


🏁 Script executed:

rg "AfterReadingAllFlags" -B 5 -A 5

Repository: openshift/must-gather-operator

Length of output: 1898


🏁 Script executed:

rg "root\.Execute\(\)" cmd/extension/main.go -B 10 -A 5

Repository: openshift/must-gather-operator

Length of output: 315


🏁 Script executed:

rg "InitStandardFlags" -B 3 -A 10

Repository: openshift/must-gather-operator

Length of output: 3462


🏁 Script executed:

rg "DefaultExtensionCommands" -B 2 -A 15

Repository: openshift/must-gather-operator

Length of output: 2090


🏁 Script executed:

find . -path "*/test/e2e/extension/*.go" -type f | head -5

Repository: openshift/must-gather-operator

Length of output: 264


🏁 Script executed:

cat -n test/e2e/extension/mustgather.go | head -50

Repository: openshift/must-gather-operator

Length of output: 2071


🏁 Script executed:

rg "flag.CommandLine.Parse" cmd/extension/main.go

Repository: openshift/must-gather-operator

Length of output: 56


🏁 Script executed:

cat vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/run/suite.go | head -100

Repository: openshift/must-gather-operator

Length of output: 184


🏁 Script executed:

rg "ParseFlags\|flag\.Parse" -A 3 -B 3

Repository: openshift/must-gather-operator

Length of output: 56


🏁 Script executed:

rg "flag\.CommandLine\.Parse|flag\.Parse" -B 5 -A 5

Repository: openshift/must-gather-operator

Length of output: 11072


🏁 Script executed:

find vendor/github.com/openshift-eng/openshift-tests-extension -name "*.go" -type f | head -20

Repository: openshift/must-gather-operator

Length of output: 1817


🏁 Script executed:

ls -la vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/

Repository: openshift/must-gather-operator

Length of output: 528


🏁 Script executed:

cat vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runsuite.go | head -80

Repository: openshift/must-gather-operator

Length of output: 2576


🏁 Script executed:

rg "PersistentPreRun\|PersistentPreRunE" vendor/github.com/openshift-eng/openshift-tests-extension -B 2 -A 10 | head -60

Repository: openshift/must-gather-operator

Length of output: 56


🏁 Script executed:

python3 << 'EOF'
# Check if Cobra integrates with flag.CommandLine
# and how the flags flow between k8s framework and Cobra
import subprocess
result = subprocess.run(
    ['rg', 'flag.CommandLine', 'vendor/github.com/openshift-eng/openshift-tests-extension', '-B 2', '-A 5'],
    capture_output=True,
    text=True
)
print("Cobra extension flag.CommandLine usage:")
print(result.stdout[:2000] if result.stdout else "No results")
EOF

Repository: openshift/must-gather-operator

Length of output: 124


🏁 Script executed:

cat vendor/github.com/openshift-eng/openshift-tests-extension/pkg/flags/component.go

Repository: openshift/must-gather-operator

Length of output: 539


🏁 Script executed:

rg "BindFlags|RegisterFlagCompletionFunc" vendor/github.com/openshift-eng/openshift-tests-extension/pkg/flags -B 2 -A 5 | head -80

Repository: openshift/must-gather-operator

Length of output: 4912


🏁 Script executed:

cat vendor/github.com/spf13/cobra/command.go | grep -A 30 "func (c \*Command) Execute()"

Repository: openshift/must-gather-operator

Length of output: 860


🏁 Script executed:

rg "flag\.CommandLine\.Parse|flag\.Parse\(\)" -B 5 -A 5 cmd/ vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/

Repository: openshift/must-gather-operator

Length of output: 56


🏁 Script executed:

cat vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/cmdrun/runsuite.go | grep -A 40 "cmd.Flags().AddFlagSet\|cmd.PersistentFlags\|opts.componentFlags.BindFlags"

Repository: openshift/must-gather-operator

Length of output: 1008


🏁 Script executed:

python3 << 'EOF'
# Search for where component and other flags are bound to Cobra commands
import subprocess
result = subprocess.run(
    ['rg', 'BindFlags', 'vendor/github.com/openshift-eng/openshift-tests-extension/pkg/cmd/', '-B 3', '-A 3'],
    capture_output=True,
    text=True
)
print(result.stdout[:3000] if result.stdout else "No results")
EOF

Repository: openshift/must-gather-operator

Length of output: 84


🏁 Script executed:

cat vendor/github.com/spf13/cobra/command.go | grep -A 100 "func (c \*Command) persistentPreRunE"

Repository: openshift/must-gather-operator

Length of output: 56


🏁 Script executed:

cat vendor/k8s.io/kubernetes/test/e2e/framework/test_context.go | grep -B 5 -A 20 "func AfterReadingAllFlags"

Repository: openshift/must-gather-operator

Length of output: 991


🏁 Script executed:

python3 << 'EOF'
# Trace the flag parsing flow
# Check if Cobra calls flag.CommandLine.Parse
import subprocess

# Check what happens when Cobra parses
result = subprocess.run(
    ['rg', 'flag\.CommandLine\.Parse|CommandLine\.Parse', 'vendor/github.com/spf13/cobra/', '-B 3', '-A 3'],
    capture_output=True,
    text=True
)
print("Cobra+flag.CommandLine integration:")
print(result.stdout[:1500] if result.stdout else "No integration found")
print("\n---\n")

# Check k8s test_context for what AfterReadingAllFlags does
result2 = subprocess.run(
    ['rg', 'TestContext.*kubeconfig|kubeconfig.*TestContext', '-B 2', '-A 2'],
    capture_output=True,
    text=True
)
print("TestContext kubeconfig:")
print(result2.stdout[:1500] if result2.stdout else "No results")
EOF

Repository: openshift/must-gather-operator

Length of output: 171


🏁 Script executed:

rg "flag\.Parse\(\)|CommandLine\.Parse" cmd/ -B 5 -A 5

Repository: openshift/must-gather-operator

Length of output: 56


🏁 Script executed:

cat vendor/k8s.io/kubernetes/test/e2e/framework/test_context.go | sed -n '1,100p'

Repository: openshift/must-gather-operator

Length of output: 3291


🏁 Script executed:

python3 << 'EOF'
# Let's trace the actual flag parsing behavior
# Check if there's any global flag parsing that happens in the extension framework
import subprocess

# Look for where flags are actually parsed in the extension ecosystem
result = subprocess.run(
    ['rg', 'flag\.Parse|ParseFlags', '-t', 'go', '-B 5', '-A 5'],
    capture_output=True,
    text=True,
    timeout=10
)
lines = result.stdout.split('\n')
# Filter to only relevant results
relevant = []
for i, line in enumerate(lines):
    if any(x in line for x in ['cmd/extension', 'openshift-tests-extension', 'test context', 'kubeconfig']):
        relevant.append(line)
    elif 'flag.Parse' in line and i < 100:  # early in codebase
        start = max(0, i-5)
        end = min(len(lines), i+6)
        relevant.extend(lines[start:end])

print("Flag parsing in relevant code:")
print('\n'.join(relevant[:2000]))
EOF

Repository: openshift/must-gather-operator

Length of output: 105


🏁 Script executed:

# Check the k8s TestContext struct to see if it reads flags directly
rg "type TestContextType struct" -A 30 vendor/k8s.io/kubernetes/test/e2e/framework/

Repository: openshift/must-gather-operator

Length of output: 3109


🏁 Script executed:

# Check if flag.CommandLine is merged with Cobra's pflag anywhere
rg "AddGoFlagSet|CommandLine\.AddGoFlagSet" -B 3 -A 3

Repository: openshift/must-gather-operator

Length of output: 2245


🏁 Script executed:

# Check if Cobra root command sets up pflag to include flag.CommandLine
cat vendor/github.com/spf13/cobra/command.go | grep -A 20 "func (c \*Command) execute("

Repository: openshift/must-gather-operator

Length of output: 660


🏁 Script executed:

# Final check: look for any global initialization that might parse flags
rg "init\(\)" cmd/extension/ -B 2 -A 10

Repository: openshift/must-gather-operator

Length of output: 56


🏁 Script executed:

# Check if flag.CommandLine is ever parsed in this flow
rg "flag\.CommandLine\.Parse|pflag\.CommandLine\.Parse\(\)" -B 5 -A 5 cmd/extension/

Repository: openshift/must-gather-operator

Length of output: 56


🏁 Script executed:

# Check what RegisterCommonFlags and RegisterClusterFlags do
rg "func RegisterCommonFlags|func RegisterClusterFlags" -A 15 vendor/k8s.io/kubernetes/test/e2e/framework/ | head -80

Repository: openshift/must-gather-operator

Length of output: 6847


🏁 Script executed:

# Verify: are the k8s framework flags ever actually parsed?
python3 << 'EOF'
import subprocess
import re

# Search for any invocation of flag.Parse or pflag.Parse in the extension code
result = subprocess.run(
    ['rg', 'flag\.Parse\(\)|pflag\.Parse\(\)', 'cmd/', '--type', 'go'],
    capture_output=True,
    text=True,
    timeout=5
)

if result.returncode == 0:
    print("Flag parsing in cmd/extension:")
    print(result.stdout if result.stdout else "None found")
else:
    print("No flag parsing found in cmd/extension/")

# Also check if Cobra integrates the k8s flags
result2 = subprocess.run(
    ['rg', 'AddGoFlagSet|CommandLine', 'cmd/extension/', '--type', 'go'],
    capture_output=True,
    text=True,
    timeout=5
)

print("\nCobra+flag integration in extension code:")
print(result2.stdout if result2.returncode == 0 and result2.stdout else "None found")
EOF

Repository: openshift/must-gather-operator

Length of output: 167


🏁 Script executed:

# Critical check: does Cobra's Execute() somehow parse flag.CommandLine?
cat vendor/github.com/spf13/cobra/command.go | grep -B 5 -A 30 "func (c \*Command) ParseFlags"

Repository: openshift/must-gather-operator

Length of output: 1003


🏁 Script executed:

# Check if the extension framework integrates flag.CommandLine with Cobra
rg "pflag.CommandLine|flag.CommandLine" vendor/github.com/openshift-eng/openshift-tests-extension/ -B 3 -A 3

Repository: openshift/must-gather-operator

Length of output: 56


🏁 Script executed:

# Final verification: does the root command have any PreRun or PersistentPreRun hook?
cat -n cmd/extension/main.go | sed -n '90,105p'

Repository: openshift/must-gather-operator

Length of output: 427


🏁 Script executed:

# Let me verify the exact issue: are k8s framework flags integrated with Cobra's pflag?
python3 << 'EOF'
import subprocess

# Check if there's any AddGoFlagSet integration
result = subprocess.run(
    ['rg', 'AddGoFlagSet.*CommandLine|CommandLine.*AddGoFlagSet', '-B 5', '-A 5'],
    capture_output=True,
    text=True,
    timeout=5
)

print("AddGoFlagSet integration anywhere:")
lines = result.stdout.split('\n')
for i, line in enumerate(lines):
    if 'cmd/extension' in line or 'main.go' in line or 'root.AddCommand' in line:
        start = max(0, i-3)
        end = min(len(lines), i+5)
        print('\n'.join(lines[start:end]))
        break

if not result.stdout:
    print("No AddGoFlagSet integration found")

# Also check: are the k8s flags ever actually parsed?
print("\n\nChecking for flag.Parse() or pflag.Parse() in extension code:")
result2 = subprocess.run(
    ['rg', 'flag\.Parse\(\)|pflag\.Parse\(\)', 'cmd/extension', '--type', 'go'],
    capture_output=True,
    text=True,
    timeout=5
)
print(result2.stdout if result2.stdout else "No flag parsing in extension code")
EOF

Repository: openshift/must-gather-operator

Length of output: 240


🏁 Script executed:

# Check the actual Cobra integration - does the root command link k8s flags?
rg "cmd\.Flags\(\)\.AddGoFlagSet|root\.Flags\(\)\.AddGoFlagSet|PersistentFlags\(\)\.AddGoFlagSet" cmd/extension/ -B 5 -A 5

Repository: openshift/must-gather-operator

Length of output: 56


Move AfterReadingAllFlags into a PersistentPreRun hook to ensure it runs after Cobra parses CLI flags.

Currently, AfterReadingAllFlags is called at line 30 before root.Execute(), so TestContext is finalized before Cobra has a chance to parse and apply any command-line overrides for kubeconfig, provider, and other framework settings.

However, there is a more fundamental issue: the k8s framework flags registered via util.InitStandardFlags() (line 29) are never actually parsed because they are registered to flag.CommandLine, but the Cobra command does not integrate them. The standard library's flag.Parse() is never called, nor does the root Cobra command call AddGoFlagSet(flag.CommandLine). This means kubeconfig and provider flags cannot be overridden from the CLI at all in the current setup.

The fix requires both:

  1. Move AfterReadingAllFlags to PersistentPreRun so it runs after Cobra parses flags
  2. Integrate the k8s framework flags into the Cobra command by adding flag.CommandLine to the root command's flag set
Suggested approach
 func main() {
 	// Initialize test framework flags (required for kubeconfig, provider, etc.)
 	util.InitStandardFlags()
-	framework.AfterReadingAllFlags(&framework.TestContext)

 	logs.InitLogs()
 	defer logs.FlushLogs()
 	
 	...
 	
 	root := &cobra.Command{
 		Long: "Must-gather-operator Tests",
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			framework.AfterReadingAllFlags(&framework.TestContext)
+		},
 	}
+	root.PersistentFlags().AddGoFlagSet(flag.CommandLine)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@cmd/extension/main.go` around lines 28 - 30, Move the framework finalization
into a Cobra PersistentPreRun and integrate the stdlib flags into the root
command: call util.InitStandardFlags() as before, then add flag.CommandLine to
the root Cobra flags using
rootCmd.PersistentFlags().AddGoFlagSet(flag.CommandLine) so the k8s framework
flags get parsed by Cobra, and relocate the
framework.AfterReadingAllFlags(&framework.TestContext) call into
rootCmd.PersistentPreRun (or append it to any existing PersistentPreRun chain)
so AfterReadingAllFlags runs after Cobra has parsed CLI overrides (instead of
calling it before root.Execute()).

Comment thread cmd/extension/main.go
Comment on lines +107 to +149
func registerSuites(ext *e.Extension) {
suites := []e.Suite{
{
Name: "must-gather-operator/conformance/parallel",
Parents: []string{
"openshift/conformance/parallel",
},
Description: "Parallel conformance tests (Level0, non-serial, non-disruptive)",
Qualifiers: []string{
`name.contains("[Level0]") && !(name.contains("[Serial]") || name.contains("[Disruptive]"))`,
},
},
{
Name: "must-gather-operator/conformance/serial",
Parents: []string{
"openshift/conformance/serial",
},
Description: "Serial conformance tests (must run sequentially)",
Qualifiers: []string{
`name.contains("[Level0]") && name.contains("[Serial]") && !name.contains("[Disruptive]")`,
},
},
{
Name: "must-gather-operator/disruptive",
Parents: []string{"openshift/disruptive"},
Description: "Disruptive tests (may affect cluster state)",
Qualifiers: []string{
`name.contains("[Disruptive]")`,
},
},
{
Name: "must-gather-operator/non-disruptive",
Description: "All non-disruptive tests (safe for development clusters)",
Qualifiers: []string{
`!name.contains("[Disruptive]")`,
},
},
{
Name: "must-gather-operator/all",
Description: "All must-gather-operator tests",
// No qualifiers means all tests from this extension will be included
},
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

These suite selectors don’t catch the new specs.

The qualifiers depend on [Level0], [Serial], and [Disruptive], but the specs added in test/e2e/extension/mustgather.go don’t carry those tokens. As written, they only land in non-disruptive/all, not the conformance/disruptive suites introduced here.

Comment thread go.mod
github.com/onsi/gomega v1.36.1
github.com/openshift/api v0.0.0-20240522145529-93d6bda14341
github.com/go-logr/logr v1.4.3
github.com/onsi/ginkgo/v2 v2.25.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the exact require/replace entries and surface callsites likely to rely on newer Ginkgo APIs.

set -euo pipefail

echo "== ginkgo require/replace entries =="
rg -n '^\s*github.com/onsi/ginkgo/v2\s+v' go.mod -n -C1
rg -n '^\s*github.com/onsi/ginkgo/v2\s+=>\s+github.com/openshift/onsi-ginkgo/v2\s+v' go.mod -n -C1

echo
echo "== ginkgo usage in extension/e2e paths (spot-check API surface) =="
rg -n --type=go -C2 '\b(ginkgo|Describe|Context|When|It|Before(All|Each)|After(All|Each)|DeferCleanup|Label|Serial|Ordered)\b' test cmd

Repository: openshift/must-gather-operator

Length of output: 50386


Verify version compatibility between pinned and replaced Ginkgo versions before merge.

Line 7 pins github.com/onsi/ginkgo/v2 at v2.25.1, but line 335 replaces it with an OpenShift fork at v2.6.1-0.20241205171354-8006f302fd12. This ~19 minor version gap introduces risk:

  • Newer API features in v2.25.1 may not exist in the fork.
  • Bug fixes and performance improvements are absent from the older fork version.
  • Test code extensively uses Ginkgo v2 APIs (Describe, Context, BeforeEach, BeforeAll, It, By, Ordered, etc.) across test/e2e/ and test/ directories—these must remain compatible with the fork version.

Confirm this replace is intentional and that all APIs currently in use are supported by the fork before proceeding.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 7, go.mod pins github.com/onsi/ginkgo/v2 at v2.25.1 but a
replace directive targets an OpenShift fork at v2.6.1-0... which may be
incompatible; verify intent and compatibility by confirming the replace is
deliberate, auditing all uses of Ginkgo v2 APIs (Describe, Context, BeforeEach,
BeforeAll, It, By, Ordered, etc.) across test/e2e and test/ directories for APIs
or behaviors introduced after v2.6.1, and either update the replace to a
fork/version that provides the same or newer public API as v2.25.1 or change the
pinned module version to match the replaced fork; if the replace must remain,
add a short compatibility note in go.mod or repository docs explaining why the
older fork is acceptable and list any tested Ginkgo features to avoid surprises.

Comment thread go.mod
k8s.io/client-go v0.34.1
k8s.io/component-base v0.34.1
k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3
k8s.io/kubernetes v1.34.1

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify k8s core module version alignment in go.mod and related replace targets.

set -euo pipefail

echo "== k8s.io/kubernetes require =="
rg -n '^\s*k8s\.io/kubernetes\s+v' go.mod -n -C1

echo
echo "== k8s.io/kubernetes replace =="
rg -n '^\s*k8s\.io/kubernetes\s+=>\s+github\.com/openshift/kubernetes\s+v' go.mod -n -C1

echo
echo "== top-level k8s.io/* direct requires =="
rg -n '^\s*k8s\.io/(api|apimachinery|client-go|component-base|kubernetes)\s+v' go.mod -n

Repository: openshift/must-gather-operator

Length of output: 820


Reconcile k8s.io/kubernetes version mismatch between require and replace.

Line 27 requires k8s.io/kubernetes v1.34.1, but Line 360 replaces it with github.com/openshift/kubernetes v1.30.1-0.20251017123720-96593f323733. This 4-version gap is inconsistent with all other k8s.io modules pinned to v0.34.1 (v1.34.1), and will likely cause transitive API compatibility issues across the module set.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 27, The go.mod has a version mismatch: the require line
specifies k8s.io/kubernetes v1.34.1 while the replace maps it to
github.com/openshift/kubernetes v1.30.1-0.20251017123720-96593f323733; update
the replace entry to use a compatible v1.34.1 OpenShift fork (or remove the
replace) so the required module and the replacement are aligned with the rest of
the k8s.io modules (ensure the replace target version matches v1.34.1 or drop
the replace and vendor a compatible module), adjusting the replace statement
referencing github.com/openshift/kubernetes accordingly.

Comment on lines +81 to +82
if !strings.Contains(output, "httpsProxy") && !strings.Contains(output, "httpProxy") {
g.Skip("Skip for non-proxy cluster - this test requires a proxy-enabled environment")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Allow proxy configs that only set httpsProxy.

This test gates on either proxy being present, but later requires httpProxy and compares both env vars unconditionally. A valid HTTPS-only cluster proxy config will fail here.

Also applies to: 98-103, 118-120

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/mustgather.go` around lines 81 - 82, The current gate
requires both proxies but later unconditionally compares httpProxy which breaks
HTTPS-only clusters; update the initial check to skip only when neither proxy is
present (use OR: check if output contains "httpsProxy" || "httpProxy"), and
modify the later assertions (around the blocks referenced at lines 98-103 and
118-120) to only compare httpProxy-related env vars when "httpProxy" is present
in output (similarly handle httpsProxy checks independently) so each proxy is
validated only if configured.

Comment on lines +377 to +385
cmd := fmt.Sprintf("test -d /data/%s && echo 'exists' || echo 'not exists'", subPath)
output, err := oc.AsAdmin().Run("exec").Args(readerPodName, "-n", namespace, "-c", "reader-container", "--", "sh", "-c", cmd).Output()
if err != nil {
return fmt.Errorf("failed to check PVC data: %v", err)
}

if !strings.Contains(output, "exists") {
return fmt.Errorf("PVC does not contain expected data at path: %s", subPath)
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

These negative probes still satisfy the "exists" check.

The shell branches emit not exists / not-exists, and both still make strings.Contains(..., "exists") return true. Missing PVC data or a missing audit_logs directory will therefore pass as success.

Possible fix
-	if !strings.Contains(output, "exists") {
+	if strings.TrimSpace(output) != "exists" {
 		return fmt.Errorf("PVC does not contain expected data at path: %s", subPath)
 	}
@@
-	if err == nil && strings.Contains(output, "exists") {
+	if err == nil && strings.TrimSpace(output) == "exists" {
 		directoryFound = true
 		e2e.Logf("Found audit_logs directory at /data/%s/audit_logs", subPath)
 	} else {

Also applies to: 552-558

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/supportloggather_utils.go` around lines 377 - 385, The
check using strings.Contains(output, "exists") wrongly matches "not exists";
update the probe logic in the block that builds cmd and reads output (the
oc.AsAdmin().Run(...).Output() call using readerPodName and namespace) to detect
existence precisely—e.g. trim whitespace and compare equality
(strings.TrimSpace(output) == "exists") or test for the negative case first
(strings.Contains(output, "not exists") -> failure) so that only an exact
"exists" result is treated as success; apply the same change to the similar
block around lines 552-558.

metadata:
name: "${NAME}"
spec:
refreshInterval: "${REFREASHINTERVAL}"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n -C2 'REFREASHINTERVAL|REFRESHINTERVAL'

Repository: openshift/must-gather-operator

Length of output: 21390


🏁 Script executed:

head -20 test/e2e/extension/testdata/bindata.go

Repository: openshift/must-gather-operator

Length of output: 1165


🏁 Script executed:

cat -n test/e2e/extension/testdata/eso/externalsecret-gcpsm-version.yaml

Repository: openshift/must-gather-operator

Length of output: 1434


Fix typo in template parameter name across test fixtures.

REFREASHINTERVAL is misspelled (should be REFRESHINTERVAL). While the typo is internally consistent and doesn't cause runtime failures, it degrades readability and maintainability. This typo appears in multiple test fixture files.

Proposed change
-      refreshInterval: "${REFREASHINTERVAL}"
+      refreshInterval: "${REFRESHINTERVAL}"
@@
-  - name: REFREASHINTERVAL
+  - name: REFRESHINTERVAL
     value: "1m"

This change applies to: test/e2e/extension/testdata/eso/externalsecret-gcpsm-version.yaml (lines 11, 30-31) and other test fixture files with the same pattern (externalsecret-.yaml, pushsecret-.yaml).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/eso/externalsecret-gcpsm-version.yaml` at line
11, Replace the misspelled template parameter REFREASHINTERVAL with
REFRESHINTERVAL across all test fixtures (e.g., in externalsecret-*.yaml and
pushsecret-*.yaml templates) so placeholders and any test wiring use the correct
name; search for occurrences of "REFREASHINTERVAL" in the testdata and update
them to "REFRESHINTERVAL", and also update any tests or helper code that set or
reference that env/template variable to use REFRESHINTERVAL to keep names
consistent.

Comment on lines +91 to +100
func ListFixtures() []string {
names := AssetNames()
fixtures := make([]string, 0, len(names))
for _, name := range names {
if strings.HasPrefix(name, "testdata/") {
fixtures = append(fixtures, strings.TrimPrefix(name, "testdata/"))
}
}
sort.Strings(fixtures)
return fixtures

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

ListFixtures() filters out every embedded asset.

AssetNames() here returns names like mustgather/mustgather.yaml, not testdata/..., so this loop currently always returns an empty slice. Filter on the actual embedded prefixes/suffixes instead.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/fixtures.go` around lines 91 - 100, ListFixtures
currently filters only names starting with "testdata/" but AssetNames yields
entries like "mustgather/mustgather.yaml", so the loop returns empty; update
ListFixtures to not require the "testdata/" prefix — iterate all names returned
by AssetNames(), append strings.TrimPrefix(name, "testdata/") (so names without
that prefix are unchanged), then sort and return; keep the function name
ListFixtures and call to AssetNames unchanged.

Comment on lines +5 to +23
spec:
containers:
- image: registry.k8s.io/e2e-test-images/busybox:1.29-4
name: busybox
imagePullPolicy: IfNotPresent
command:
- "/bin/sleep"
- "10000"
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "vault-foo"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
file="test/e2e/extension/testdata/sscsi/73739/spc_vault_pod.yaml"

echo "Inspecting security-related fields in ${file}..."
rg -n 'securityContext|allowPrivilegeEscalation|readOnlyRootFilesystem|runAsNonRoot|seccompProfile|capabilities' "$file" || true

Repository: openshift/must-gather-operator

Length of output: 173


Harden pod/container security context to avoid policy rejections.

This fixture lacks security context configuration. On restricted/hardened clusters, the default security posture will cause admission failures and break e2e reliability.

Suggested hardening patch
 spec:
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault
   containers:
   - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
     name: busybox
     imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      capabilities:
+        drop:
+          - ALL
     command:
     - "/bin/sleep"
     - "10000"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
spec:
containers:
- image: registry.k8s.io/e2e-test-images/busybox:1.29-4
name: busybox
imagePullPolicy: IfNotPresent
command:
- "/bin/sleep"
- "10000"
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "vault-foo"
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
containers:
- image: registry.k8s.io/e2e-test-images/busybox:1.29-4
name: busybox
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities:
drop:
- ALL
command:
- "/bin/sleep"
- "10000"
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "vault-foo"
🧰 Tools
🪛 Checkov (3.2.510)

[medium] 1-23: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[medium] 1-23: Minimize the admission of root containers

(CKV_K8S_23)

🪛 Trivy (0.69.3)

[error] 7-16: Root file system is not read-only

Container 'busybox' of Pod 'secrets-store-inline' should set 'securityContext.readOnlyRootFilesystem' to true

Rule: KSV-0014

Learn more

(IaC/Kubernetes)


[error] 7-16: Default security context configured

container secrets-store-inline in default namespace is using the default security context

Rule: KSV-0118

Learn more

(IaC/Kubernetes)


[error] 5-23: Default security context configured

pod secrets-store-inline in default namespace is using the default security context, which allows root privileges

Rule: KSV-0118

Learn more

(IaC/Kubernetes)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/testdata/sscsi/73739/spc_vault_pod.yaml` around lines 5 -
23, The pod spec for the fixture (container name "busybox" and volume
"secrets-store-inline" using CSI driver "secrets-store.csi.k8s.io") is missing
hardened security contexts; add a pod-level securityContext and a
container.securityContext for "busybox" that enforces runAsNonRoot: true and a
non-zero runAsUser (e.g. 1000), sets allowPrivilegeEscalation: false, drops all
capabilities, sets readOnlyRootFilesystem: true, and applies a seccomp/profile
of "RuntimeDefault" (or appropriate restricted profile) so the pod passes
restricted/hardened admission policies. Ensure these fields are added alongside
the existing spec/container definitions (pod-level securityContext for fsGroup
or supplementalGroups as needed and container-level securityContext for the
busybox container).

Comment thread test/e2e/extension/utils.go Outdated
Comment on lines +117 to +129
for bIdx := range bindings {
if bindings[bIdx].Role != role {
continue
}
bindingIndex = bIdx
for mIdx := range bindings[bindingIndex].Members {
if bindings[bindingIndex].Members[mIdx] != member {
continue
}
memberIndex = mIdx
break
}
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Logic bug: outer loop doesn't break after finding the role.

If the same role appears in multiple bindings, this loop will only process the last one, potentially missing the member or modifying the wrong binding.

 	for bIdx := range bindings {
 		if bindings[bIdx].Role != role {
 			continue
 		}
 		bindingIndex = bIdx
 		for mIdx := range bindings[bindingIndex].Members {
 			if bindings[bindingIndex].Members[mIdx] != member {
 				continue
 			}
 			memberIndex = mIdx
 			break
 		}
+		if memberIndex != -1 {
+			break
+		}
 	}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@test/e2e/extension/utils.go` around lines 117 - 129, The outer loop over
bindings can overwrite bindingIndex when the same role appears multiple times;
after you find the matching role and search its Members for the member, stop
iterating further to avoid picking a later duplicate role. Modify the loop that
iterates over bindings (the code using bindings[bIdx], role, bindingIndex, and
memberIndex) to break out of the outer loop once you set bindingIndex and (after
the inner member search) set memberIndex — e.g. perform the inner member search,
then break the outer loop (or use a labeled break/return) so later bindings with
the same role cannot overwrite the indices.

Migrates must-gather e2e tests from openshift-tests-private to OTE
framework using monorepo strategy. Tests are placed in test/e2e/extension/
to avoid conflicts with existing test/e2e/ structure.

Changes:
- Add cmd/extension/main.go: OTE extension entry point that filters and
  registers tests from test/e2e/extension/ directory
- Add test/e2e/extension/mustgather.go: 7 must-gather tests ([OTP] annotated)
- Add test/e2e/extension/supportloggather_utils.go: must-gather helper functions
- Add test/e2e/extension/olm_utils.go: OLM installation utilities
- Add test/e2e/extension/utils.go: minimal utility functions (getRandomString,
  IsDeploymentReady, dumpResource)
- Add test/e2e/extension/testdata/mustgather/: test fixtures for must-gather tests
- Add bindata.mk: Makefile for generating bindata from testdata files
- Update Dockerfile.openshift: multi-stage build for test extension binary
- Update Makefile: add tests-ext-build target
- Update go.mod: add OTE dependencies and replace directives
- Update go.sum: dependency checksums

Only must-gather test fixtures are included (testdata/mustgather/). ESO
and SSCSI test data are not migrated as those tests are not included.

The test extension binary can be built with 'make tests-ext-build' and
will be packaged as must-gather-operator-test-extension.tar.gz in the
container image for CI execution.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@openshift-ci

openshift-ci Bot commented Mar 30, 2026

Copy link
Copy Markdown
Contributor

@KeenonLee: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-operator 6f4edb0 link true /test e2e-gcp-operator
ci/prow/verify-deps 6f4edb0 link true /test verify-deps
ci/prow/images 6f4edb0 link true /test images
ci/prow/lint 6f4edb0 link true /test lint
ci/prow/coverage 6f4edb0 link true /test coverage
ci/prow/test 6f4edb0 link true /test test
ci/prow/ci-bundle-must-gather-operator-bundle 6f4edb0 link true /test ci-bundle-must-gather-operator-bundle
ci/prow/validate-boilerplate 6f4edb0 link false /test validate-boilerplate

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants