Test: Ztwim e2e coverage

[rausingh-rh]

Summary

This PR enhances the OpenShift CI configuration for the zero-trust-workload-identity-manager operator to enable end-to-end (e2e) coverage testing and Codecov integration.

Changes Made

Modified file: ci-operator/config/openshift/zero-trust-workload-identity-manager/openshift-zero-trust-workload-identity-manager-main.yaml

Coverage Image Build

Added a new multi-stage container image (zero-trust-workload-identity-manager-coverage) that:

• Uses a RHEL 9 Go 1.25 builder stage (OCP 4.21) to compile the manager binary with coverage instrumentation (-cover -covermode=count)
• Copies the binary into a UBI9-minimal runtime image configured to run as a non-root user (UID 65532)
• Provisions a writable /tmp/e2e-cover directory with proper permissions for coverage data collection
• Sets the GOCOVERDIR environment variable to enable Go's coverage data output

E2E Test Workflow Steps

Added two new steps to the e2e-operator test:

1. setup-coverage (dependency step): Patches the operator's ClusterServiceVersion (CSV) to inject the coverage image and configure the manager container with:

• Coverage directory volume mount (emptyDir)
• GOCOVERDIR environment variable
• Waits for rollout completion and verifies the coverage configuration

2. collect-coverage (post-step): Runs after e2e tests complete to:

• Locate the running operator pod
• Flush coverage data by sending SIGTERM to the manager process
• Copy coverage files from the container's coverage directory to the test artifacts
• Convert raw coverage data to a text profile using go tool covdata
• Optionally upload coverage metrics to Codecov (when a token is available via mounted credentials), with job-type-specific flags for presubmit/postsubmit jobs
• Gracefully handles missing coverage data with warnings and treats upload failures as non-fatal

Impact

This enables the zero-trust-workload-identity-manager project to automatically collect and report e2e test coverage metrics, improving visibility into operator test coverage and enabling integration with code coverage tracking services.

[rausingh-rh]

/pj-rehearse max

[coderabbitai]

Walkthrough

This PR adds coverage instrumentation support to the zero-trust-workload-identity-manager operator's CI pipeline. It introduces a multi-stage coverage image build, a setup step that configures the cluster to use the coverage image and injects coverage environment variables, and a post-test collection step that gathers coverage artifacts and uploads them to Codecov.

Changes

Coverage Instrumentation for Operator Tests

Layer / File(s)	Summary
Coverage image build definition ci-operator/config/openshift/zero-trust-workload-identity-manager/openshift-zero-trust-workload-identity-manager-main.yaml (lines 17–37)	Multi-stage image build using Go 1.25 builder on RHEL 9 to compile the manager binary, then copies it into UBI9-minimal runtime configured with non-root user, writable /tmp/e2e-cover directory, and GOCOVERDIR environment variable.
Cluster setup for coverage ci-operator/config/openshift/zero-trust-workload-identity-manager/openshift-zero-trust-workload-identity-manager-main.yaml (lines 182–222)	setup-coverage dependency step that patches the operator's ClusterServiceVersion to replace the manager container image with the coverage build, injects GOCOVERDIR env var, adds an emptyDir volume mount for coverage data, waits for rollout, and verifies env var injection.
Coverage collection and upload ci-operator/config/openshift/zero-trust-workload-identity-manager/openshift-zero-trust-workload-identity-manager-main.yaml (lines 81–167)	collect-coverage e2e post step that discovers the operator pod, signals graceful shutdown, copies coverage files, converts them to a text profile using go tool covdata, and conditionally uploads to Codecov using mounted credentials; handles missing data and non-fatal upload failures.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

lgtm, rehearsals-ack

Suggested reviewers

• rokej
• mikeshng
• dhaiducek

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Test: Ztwim e2e coverage' clearly relates to the main change: adding e2e coverage workflow steps and configuration to the zero-trust-workload-identity-manager CI manifest.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only YAML CI configuration, not Ginkgo test code. Custom check for stable test names is not applicable to CI/YAML changes.
Test Structure And Quality	✅ Passed	Not applicable. PR modifies CI configuration YAML only, with no Ginkgo test code. Check requires reviewing Ginkgo test structure, which is absent.
Microshift Test Compatibility	✅ Passed	No Ginkgo tests added. PR only modifies YAML CI/operator config for coverage. Check applies only when Ginkgo tests (It(), Describe(), etc.) are added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests. Only CI/operator YAML configuration for coverage instrumentation was modified.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only a CI configuration file adding e2e coverage steps. No deployment manifests, operator code, or Kubernetes resources are modified. No scheduling constraints introduced.
Ote Binary Stdout Contract	✅ Passed	PR contains only CI configuration files (YAML) and OWNERS files with no Go source code changes. OTE Binary Stdout Contract check applies to Go test binaries, not CI/YAML configurations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR modifies CI operator configuration YAML only. No IPv4 assumptions or external connectivity requirements in test code.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

@rausingh-rh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rausingh-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/zero-trust-workload-identity-manager/OWNERS [rausingh-rh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (2)

ci-operator/config/openshift/zero-trust-workload-identity-manager/openshift-zero-trust-workload-identity-manager-main.yaml (2)

108-113: 💤 Low value

Consider potential timing issue with coverage data flush.

After sending SIGTERM to flush coverage data, there's a race between when coverage files are written and when the container restarts. The 10-second sleep is arbitrary and may not be sufficient if the process takes longer to write coverage data before exiting.

Consider adding an explicit check that coverage files exist before the container restarts, or use a more deterministic approach like checking for process termination:

oc exec -n "${NAMESPACE}" "${pod}" -c manager -- kill -s TERM 1 || true
# Wait for the process to actually terminate and write coverage
for i in {1..30}; do
  if ! oc exec -n "${NAMESPACE}" "${pod}" -c manager -- pgrep -x zero-trust-workload-identity-manager >/dev/null 2>&1; then
    echo "Process terminated, coverage data should be flushed"
    break
  fi
  sleep 1
done

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/zero-trust-workload-identity-manager/openshift-zero-trust-workload-identity-manager-main.yaml`
around lines 108 - 113, The fixed 10s sleep after sending SIGTERM to the manager
container can race with coverage file flush; replace the arbitrary sleep with a
deterministic wait that polls the manager process and/or the expected coverage
file inside the container (using oc exec against the pod and container
"manager") until the process (e.g., zero-trust-workload-identity-manager) is no
longer running or the coverage file appears, with a sensible timeout (e.g., loop
for up to 30s), and only proceed to oc wait once the check confirms termination
or coverage file presence.

---

202-207: 💤 Low value

Hardcoded JSON path indices are brittle.

The patch uses hardcoded indices (deployments/0, containers/0) which assumes the CSV structure won't change. If the deployment or container order changes, this will silently patch the wrong resource or fail.

This is a common pattern in CI scripts, but for robustness, consider using jq to find the correct indices dynamically based on deployment/container names, or add a verification step that the patched container is indeed the manager container.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/zero-trust-workload-identity-manager/openshift-zero-trust-workload-identity-manager-main.yaml`
around lines 202 - 207, The patch currently uses brittle hardcoded JSON path
indices in the oc patch csv call (paths containing
/spec/install/spec/deployments/0/... and /containers/0) which can break if CSV
ordering changes; update the script to locate the correct deployment and
container dynamically (e.g., use jq to read the CSV JSON, find the index of the
deployment that matches the expected name and the index of the container named
"manager" or another canonical name, then construct the patch paths using those
indices or patch the full object rather than by numeric index), or add a
verification step after oc patch that fetches the CSV from NAMESPACE and asserts
the patched container image equals COVERAGE_IMAGE and that the GOCOVERDIR_PATH
env var and volume/volumeMount named "coverage-data" are present; reference oc
patch csv, ${NAMESPACE}, ${COVERAGE_IMAGE}, and ${GOCOVERDIR_PATH} when
implementing the dynamic lookup and verification.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@ci-operator/config/openshift/zero-trust-workload-identity-manager/openshift-zero-trust-workload-identity-manager-main.yaml`:
- Around line 108-113: The fixed 10s sleep after sending SIGTERM to the manager
container can race with coverage file flush; replace the arbitrary sleep with a
deterministic wait that polls the manager process and/or the expected coverage
file inside the container (using oc exec against the pod and container
"manager") until the process (e.g., zero-trust-workload-identity-manager) is no
longer running or the coverage file appears, with a sensible timeout (e.g., loop
for up to 30s), and only proceed to oc wait once the check confirms termination
or coverage file presence.
- Around line 202-207: The patch currently uses brittle hardcoded JSON path
indices in the oc patch csv call (paths containing
/spec/install/spec/deployments/0/... and /containers/0) which can break if CSV
ordering changes; update the script to locate the correct deployment and
container dynamically (e.g., use jq to read the CSV JSON, find the index of the
deployment that matches the expected name and the index of the container named
"manager" or another canonical name, then construct the patch paths using those
indices or patch the full object rather than by numeric index), or add a
verification step after oc patch that fetches the CSV from NAMESPACE and asserts
the patched container image equals COVERAGE_IMAGE and that the GOCOVERDIR_PATH
env var and volume/volumeMount named "coverage-data" are present; reference oc
patch csv, ${NAMESPACE}, ${COVERAGE_IMAGE}, and ${GOCOVERDIR_PATH} when
implementing the dynamic lookup and verification.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e0f1e462-afac-445e-9913-e882d1a5ce9e

📥 Commits

Reviewing files that changed from the base of the PR and between 55c6069 and 6675fbf.

📒 Files selected for processing (1)

• ci-operator/config/openshift/zero-trust-workload-identity-manager/openshift-zero-trust-workload-identity-manager-main.yaml

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@rausingh-rh: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-zero-trust-workload-identity-manager-main-ci-bundle-zero-trust-workload-identity-manager-bundle	openshift/zero-trust-workload-identity-manager	presubmit	Ci-operator config changed
pull-ci-openshift-zero-trust-workload-identity-manager-main-e2e-operator	openshift/zero-trust-workload-identity-manager	presubmit	Ci-operator config changed
pull-ci-openshift-zero-trust-workload-identity-manager-main-e2e-operator-fips	openshift/zero-trust-workload-identity-manager	presubmit	Ci-operator config changed
pull-ci-openshift-zero-trust-workload-identity-manager-main-e2e-operator-rhcos10	openshift/zero-trust-workload-identity-manager	presubmit	Ci-operator config changed
pull-ci-openshift-zero-trust-workload-identity-manager-main-e2e-operator-rhcos10-fips	openshift/zero-trust-workload-identity-manager	presubmit	Ci-operator config changed
pull-ci-openshift-zero-trust-workload-identity-manager-main-images	openshift/zero-trust-workload-identity-manager	presubmit	Ci-operator config changed
pull-ci-openshift-zero-trust-workload-identity-manager-main-unit	openshift/zero-trust-workload-identity-manager	presubmit	Ci-operator config changed
pull-ci-openshift-zero-trust-workload-identity-manager-main-verify	openshift/zero-trust-workload-identity-manager	presubmit	Ci-operator config changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@rausingh-rh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.