ESO-424: Restructures e2e test labeling, default filter, and prerequisite handling

[bharath-b-rh]

Summary

• Introduce a structured Ginkgo label taxonomy (Platform, Provider, Feature, API) across e2e suites and update the Makefile default filter to run portable + AWS tests while excluding Bitwarden provider, proxy, and upgrade checks.
• Remove runtime Skip() calls: selected specs now fail fast when prerequisites (secrets, cluster config) are missing; label filters are the opt-in mechanism.
• Refactor Bitwarden API setup to auto-provision bitwarden-tls-certs and enable the SDK server plugin via ensureBitwardenOperandReady; only Provider:Bitwarden specs require pre-provisioned bitwarden-creds.
• Rewrite test/e2e/README.md with label keys, filter recipes, prerequisites, and local/CI artifact output (ARTIFACT_DIR / _output).

Changes

Labeling

• Add Feature:* labels to previously unlabeled contexts (OverrideEnv, RevisionHistoryLimit, UnsafeAllowGenericTargets, CustomAnnotations, NetworkPolicy, TrustedCABundle, etc.).
• Replace ad hoc labels (CrossPlatform:GCP-AWS, Proxy:HTTP, PostUpgradeCheck, Suite:Bitwarden) with Platform:GCP + Provider:AWS, Feature:Proxy, Feature:Upgrade, etc.
• Tag Bitwarden Secrets API context with Provider:Bitwarden so default CI runs health/auth only.

Makefile

• Default filter:

Platform: isSubsetOf {AWS,Generic} && !(Feature: containsAny {Proxy, Upgrade}) && !(Provider: containsAny Bitwarden)

• Use {Proxy, Upgrade} brace syntax so Ginkgo parses containsAny correctly (comma is otherwise treated as OR).

Test behavior

• Replace credential/config skips with Expect failures for Provider:AWS, Platform:GCP, and Provider:Bitwarden.
• Custom network policy test adds a dummy egress rule to ExternalSecretsConfig and verifies eso-user-* creation (no CR removal — CEL immutability).
• Trusted CA bundle test adapts to cluster proxy state (checks spec and status on proxy.config.openshift.io/cluster).
• Extract shared Bitwarden setup into test/e2e/bitwarden_helpers_test.go; add RunBitwardenCurlJob for cred-less API health/auth tests.

Test plan

• Dry-run default filter and confirm expected run/skip counts:

go test -C test -tags e2e -count=1 -p 1 ./e2e -ginkgo.dry-run \
  -ginkgo.label-filter='Platform: isSubsetOf {AWS,Generic} && !(Feature: containsAny {Proxy, Upgrade}) && !(Provider: containsAny Bitwarden)'

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **New Features**
  * Expanded end-to-end test selection options with clearer label-based filtering and documented suite recipes.
  * Added support for Bitwarden API checks without requiring credential mounts.
  * Improved trusted CA bundle handling when an OpenShift proxy is configured.

* **Bug Fixes**
  * Tightened E2E test requirements so missing prerequisites now fail clearly instead of being skipped.
  * Updated Bitwarden and network policy test flows for more reliable setup and validation.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

[openshift-ci-robot]

@bharath-b-rh: This pull request references ESO-424 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Introduce a structured Ginkgo label taxonomy (Platform, Provider, Feature, API) across e2e suites and update the Makefile default filter to run portable + AWS tests while excluding Bitwarden provider, proxy, and upgrade checks.
• Remove runtime Skip() calls: selected specs now fail fast when prerequisites (secrets, cluster config) are missing; label filters are the opt-in mechanism.
• Refactor Bitwarden API setup to auto-provision bitwarden-tls-certs and enable the SDK server plugin via ensureBitwardenOperandReady; only Provider:Bitwarden specs require pre-provisioned bitwarden-creds.
• Rewrite test/e2e/README.md with label keys, filter recipes, prerequisites, and local/CI artifact output (ARTIFACT_DIR / _output).

Changes

Labeling

• Add Feature:* labels to previously unlabeled contexts (OverrideEnv, RevisionHistoryLimit, UnsafeAllowGenericTargets, CustomAnnotations, NetworkPolicy, TrustedCABundle, etc.).
• Replace ad hoc labels (CrossPlatform:GCP-AWS, Proxy:HTTP, PostUpgradeCheck, Suite:Bitwarden) with Platform:GCP + Provider:AWS, Feature:Proxy, Feature:Upgrade, etc.
• Tag Bitwarden Secrets API context with Provider:Bitwarden so default CI runs health/auth only.

Makefile

• Default filter:

Platform: isSubsetOf {AWS,Generic} && !(Feature: containsAny {Proxy, Upgrade}) && !(Provider: containsAny Bitwarden)

• Use {Proxy, Upgrade} brace syntax so Ginkgo parses containsAny correctly (comma is otherwise treated as OR).

Test behavior

• Replace credential/config skips with Expect failures for Provider:AWS, Platform:GCP, and Provider:Bitwarden.
• Custom network policy test adds a dummy egress rule to ExternalSecretsConfig and verifies eso-user-* creation (no CR removal — CEL immutability).
• Trusted CA bundle test adapts to cluster proxy state (checks spec and status on proxy.config.openshift.io/cluster).
• Extract shared Bitwarden setup into test/e2e/bitwarden_helpers_test.go; add RunBitwardenCurlJob for cred-less API health/auth tests.

Test plan

• Dry-run default filter and confirm expected run/skip counts:

go test -C test -tags e2e -count=1 -p 1 ./e2e -ginkgo.dry-run \
 -ginkgo.label-filter='Platform: isSubsetOf {AWS,Generic} && !(Feature: containsAny {Proxy, Upgrade}) && !(Provider: containsAny Bitwarden)'

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Default E2E label filtering, suite labels, and README guidance were updated for the Platform, Provider, API, and Feature taxonomy. AWS and custom network policy scenarios now fetch credentials or assert the generated policy shape. Bitwarden tests share readiness and curl-job helpers, and trusted CA bundle checks branch on OpenShift proxy configuration.

Changes

E2E label filtering and test wiring

Layer / File(s)	Summary
Label filters and suite taxonomy Makefile, test/e2e/README.md, test/e2e/e2e_test.go, test/utils/conditions.go	Default E2E label filtering, suite-label metadata, and README examples are updated for the new label taxonomy and suite selection rules.
AWS credential prechecks test/e2e/e2e_test.go	AWS Secret Manager contexts fetch credentials from the configured secret before running.
Custom network policy naming test/e2e/e2e_test.go	The custom network policy naming test uses a fixed dummy policy name, conditionally patches the CR, and asserts the resulting policy type and egress port; one proxy egress label is removed.
Bitwarden readiness helpers test/utils/bitwarden.go, test/e2e/bitwarden_helpers_test.go, test/e2e/bitwarden_es_test.go	Adds shared Bitwarden TLS secret and operand readiness helpers, then moves the provider setup to them while removing the inlined network-policy and readiness helpers.
Bitwarden API jobs test/utils/bitwarden_api_runner.go, test/e2e/bitwarden_api_test.go	Adds a curl-only Bitwarden job path and updates the API e2e suite to use it while failing when the credential secret is missing.
Trusted CA bundle proxy path test/e2e/trusted_ca_bundle_test.go	The trusted CA bundle suite now checks OpenShift proxy state and asserts either the user CA bundle path or the operator-managed proxy CA bundle path.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 4

❌ Failed checks (4 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 46.15% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	bitwarden_api_test mutates cluster-scoped Bitwarden config in BeforeAll with no AfterAll cleanup; trusted_ca_bundle_test still has bare Expect(err).NotTo(HaveOccurred()) at lines 354/367.	Add an AfterAll to revert Bitwarden plugin/secret changes and add failure messages to the deployment Get assertions in trusted_ca_bundle_test.
Microshift Test Compatibility	⚠️ Warning	Trusted CA Bundle and Proxy E2E suites read config.openshift.io/v1 Proxy CRs without any MicroShift guard or apigroup tag.	Add [apigroup:config.openshift.io] or [Skipped:MicroShift] to the Trusted CABundle and Feature:Proxy tests, or guard them with exutil.IsMicroShiftCluster().
Ipv6 And Disconnected Network Test Compatibility	⚠️ Warning	The new Bitwarden curl jobs use docker.io/curlimages/curl:latest, so these e2e specs depend on public registry access in disconnected CI.	Mirror the curl image in an internal registry or use a cluster-provided image; if that’s not possible, mark the affected suite [Skipped:Disconnected].

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: e2e labeling, default filtering, and prerequisite handling were reworked.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo titles are static string literals; randomness is confined to bodies/resource names, not Describe/Context/It names.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Changed e2e tests only exercise secrets, deployments, network policies, proxy CRs, and in-cluster jobs; I found no multi-node/HA assumptions or SNO-only skips needed.
Topology-Aware Scheduling Compatibility	✅ Passed	Touched deployment manifests only define basic replicas/containers; no nodeSelector, affinity, topologySpreadConstraints, PDBs, or control-plane targeting were added.
Ote Binary Stdout Contract	✅ Passed	No stdout writes appear in main/init/TestMain/BeforeSuite/AfterSuite/RunSpecs setup; the only print is in a non-process-level helper, and suite startup logs to GinkgoWriter.
No-Weak-Crypto	✅ Passed	Touched crypto code uses stdlib ECDSA/x509 for test certs; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB or secret/token compares found.
Container-Privileges	✅ Passed	No changed file adds privileged/host* fields or allowPrivilegeEscalation; the new Bitwarden Job pod specs are minimal and lack securityContext.
No-Sensitive-Data-In-Logs	✅ Passed	No new logging prints secret values or tokens; added messages only reference secret names, namespaces, or generic job logs/status.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bharath-b-rh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

test/e2e/README.md (1)

44-46: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Optional: add a language to these fenced code blocks.

markdownlint (MD040) flags the blocks at Line 44 (filter expression) and Line 190 (artifact tree). Adding a hint like text silences the warning.

📝 Suggested tweak

-```
+```text
 Platform: isSubsetOf {AWS,Generic} && !(Feature: containsAny {Proxy, Upgrade}) && !(Provider: containsAny Bitwarden)

(apply the same to the `_output/e2e-artifacts/...` block at Line 190)
</details>






Also applies to: 190-195

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @test/e2e/README.md around lines 44 - 46, The fenced code blocks in the
README need a language hint to satisfy markdownlint MD040. Update the two
affected fenced blocks in the e2e README, including the filter expression block
and the _output/e2e-artifacts/... artifact tree block, by adding an
appropriate info string such as text while keeping the content unchanged.

</details>

<!-- cr-comment:v1:3766293b9690f4a37fdb8e31 -->

_Source: Linters/SAST tools_

</blockquote></details>
<details>
<summary>test/e2e/trusted_ca_bundle_test.go (1)</summary><blockquote>

`469-488`: _📐 Maintainability & Code Quality_ | _🔵 Trivial_ | _⚡ Quick win_

**Use the literal proxy singleton name `"cluster"` instead of `common.ExternalSecretsConfigObjectName`.**

The cluster-wide OpenShift proxy is a singleton named `cluster`. This lookup currently works only because `ExternalSecretsConfigObjectName` happens to equal `"cluster"`. Coupling the proxy name to an unrelated ESC constant is misleading and silently breaks proxy detection if that constant ever changes, which would flip the test to the wrong assertion branch.




<details>
<summary>♻️ Proposed change</summary>

```diff
-	proxyCR, err := suiteDynamicClient.Resource(proxyGVR).Get(ctx, common.ExternalSecretsConfigObjectName, metav1.GetOptions{})
+	// The cluster-wide OpenShift proxy is a singleton named "cluster".
+	proxyCR, err := suiteDynamicClient.Resource(proxyGVR).Get(ctx, "cluster", metav1.GetOptions{})

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/trusted_ca_bundle_test.go` around lines 469 - 488, The OpenShift
proxy lookup in isOpenShiftClusterProxyConfigured is coupled to an unrelated
constant; replace common.ExternalSecretsConfigObjectName with the literal
singleton name "cluster" when calling suiteDynamicClient.Resource(proxyGVR).Get
so the proxy detection logic remains correct even if the ESC constant changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/bitwarden_api_test.go`:
- Around line 51-60: The Bitwarden API suite setup in BeforeAll mutates cluster
state via ensureBitwardenOperandReady and copies bitwarden-creds into
utils.BitwardenOperandNamespace, but there is no teardown to revert those
changes. Add an AfterAll in bitwarden_api_test.go, mirroring the cleanup pattern
from bitwarden_es_test.go, to restore the ExternalSecretsConfig/plugin and
egress-policy state and delete the copied secret after the suite finishes.

In `@test/e2e/trusted_ca_bundle_test.go`:
- Around line 350-371: The deployment fetch assertions inside the trusted CA
bundle tests use bare g.Expect(err).NotTo(HaveOccurred()) calls without any
failure context, so update the Eventually blocks in trusted_ca_bundle_test.go to
include meaningful messages for the Get call failures. Use the existing
Deployment fetches around externalsecrets.OperandCoreControllerDeployment and
the surrounding g.Expect/Eventually pattern in this test to add a clear message
describing which namespace/deployment lookup failed, matching the style used
elsewhere in the file.

---

Nitpick comments:
In `@test/e2e/README.md`:
- Around line 44-46: The fenced code blocks in the README need a language hint
to satisfy markdownlint MD040. Update the two affected fenced blocks in the e2e
README, including the filter expression block and the
`_output/e2e-artifacts/...` artifact tree block, by adding an appropriate info
string such as text while keeping the content unchanged.

In `@test/e2e/trusted_ca_bundle_test.go`:
- Around line 469-488: The OpenShift proxy lookup in
isOpenShiftClusterProxyConfigured is coupled to an unrelated constant; replace
common.ExternalSecretsConfigObjectName with the literal singleton name "cluster"
when calling suiteDynamicClient.Resource(proxyGVR).Get so the proxy detection
logic remains correct even if the ESC constant changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 39ca9028-8fba-41e2-9b11-313c760a5da9

📥 Commits

Reviewing files that changed from the base of the PR and between a717728 and 8a4f5c8.

📒 Files selected for processing (10)

• Makefile
• test/e2e/README.md
• test/e2e/bitwarden_api_test.go
• test/e2e/bitwarden_es_test.go
• test/e2e/bitwarden_helpers_test.go
• test/e2e/e2e_test.go
• test/e2e/trusted_ca_bundle_test.go
• test/utils/bitwarden.go
• test/utils/bitwarden_api_runner.go
• test/utils/conditions.go

[bharath-b-rh]

/woof

[openshift-ci]

@bharath-b-rh:

Details

In response to this:

/woof

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bharath-b-rh]

/test e2e-operator

[openshift-ci]

@bharath-b-rh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.32%. Comparing base (89fc4bc) to head (8a4f5c8).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #161      +/-   ##
==========================================
+ Coverage   46.19%   46.32%   +0.12%     
==========================================
  Files          31       31              
  Lines        5451     5464      +13     
==========================================
+ Hits         2518     2531      +13     
  Misses       2626     2626              
  Partials      307      307              

Flag	Coverage Δ
e2e	46.32% <ø> (+0.12%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[bharath-b-rh]

/cherrypick release-1.2

[openshift-cherrypick-robot]

@bharath-b-rh: once the present PR merges, I will cherry-pick it on top of release-1.2 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-1.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[bharath-b-rh]

Adding below labels based on the e2e results
/label qe-approved
/label docs-approved
/label px-approved