
OLS-3265: Add Konflux integration test pipeline and e2e test improvements #113

Merged
blublinsky merged 1 commit into openshift:main from blublinsky:e2e-test
Jun 15, 2026


@blublinsky

Contributor

Summary
Add a Konflux integration test pipeline that runs e2e tests against an ephemeral Hypershift cluster on every operator image build. Also improve the e2e tests for bare-pod mode and per-proposal SA verification.

Konflux pipeline

Pipeline deploys the freshly-built operator image from SNAPSHOT with a fixed mock agent (quay.io/openshift-lightspeed/ols-qe:lightspeed-mock-agent). No OLM bundle, no real LLM secrets — tests are self-contained.

Design decisions
Fixed mock agent image: Not built from SNAPSHOT — it's a stable test fixture that changes rarely. Avoids coupling two component builds.
No auto-approval for verification: Each test explicitly approves only the steps it needs. Prevents the execution test from accidentally spawning a verification pod (wasting 60s+ per run).
TEST_NAMESPACE env var: Allows the same tests to run in any namespace — openshift-lightspeed in Konflux/production, overridable for local dev.
validate-agent-sandbox (check, not install): The Sandbox operator install method is transitioning (raw manifests → OLM). The Makefile checks CRDs exist but doesn't install them — that's the user's/OLM's responsibility.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 11, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 11, 2026


@blublinsky: This pull request references OLS-3265 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.


@coderabbitai

coderabbitai Bot commented Jun 11, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5d35de23-076f-4732-84da-1ef058ca2086

📥 Commits

Reviewing files that changed from the base of the PR and between d4b3aaa and 89e3f54.

📒 Files selected for processing (10)
  • .tekton/integration-tests/integration-test-scenarios.yaml
  • .tekton/integration-tests/pipelines/agentic-operator-e2e-pipeline.yaml
  • .tekton/integration-tests/scripts/install-operator.sh
  • Makefile
  • config/manager/manager.yaml
  • test/e2e/analysis_execution_test.go
  • test/e2e/denial_test.go
  • test/e2e/execution_test.go
  • test/e2e/helpers_test.go
  • test/e2e/verification_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/lightspeed-agentic-sandbox (manual)
✅ Files skipped from review due to trivial changes (1)
  • test/e2e/analysis_execution_test.go
🚧 Files skipped from review as they are similar to previous changes (7)
  • config/manager/manager.yaml
  • .tekton/integration-tests/integration-test-scenarios.yaml
  • test/e2e/denial_test.go
  • test/e2e/execution_test.go
  • test/e2e/verification_test.go
  • test/e2e/helpers_test.go
  • .tekton/integration-tests/pipelines/agentic-operator-e2e-pipeline.yaml

📝 Walkthrough

Summary by CodeRabbit

Release Notes

  • New Features

    • Added support for configurable sandbox modes (bare-pod and sandbox-claim) for operator deployment.
  • Tests

    • Introduced new integration test scenarios for end-to-end operator validation on ephemeral OpenShift clusters.
    • Enhanced end-to-end test coverage with improved phase synchronization and validation checks.
    • Strengthened test infrastructure with automated cluster provisioning and artifact collection.

Walkthrough

PR adds sandbox-mode configuration to the Makefile and manager deployment args, introduces a Tekton pipeline and installer script for ephemeral-cluster e2e runs, updates e2e test helpers to support dynamic test namespaces and explicit verification approval, and enhances execution tests with per-proposal ServiceAccount and RoleBinding assertions plus explicit verification sequencing in the verification flow.

Changes

End-to-end test infrastructure and CI/CD

| Layer | File(s) | Summary |
|---|---|---|
| Tekton pipeline and scenario | .tekton/integration-tests/pipelines/agentic-operator-e2e-pipeline.yaml, .tekton/integration-tests/integration-test-scenarios.yaml | New Tekton Pipeline orchestrates EaaS provisioning, ephemeral OpenShift cluster creation, install-and-test taskSpec that parses SNAPSHOT with jq, runs installer and make test-e2e, gathers cluster/operator resources and logs, pushes artifacts to Quay tagged with commit, exports pipeline logs via finally task. IntegrationTestScenario targets this pipeline for component CI. |
| Operator deployment with sandbox-mode configuration | Makefile, .tekton/integration-tests/scripts/install-operator.sh, config/manager/manager.yaml | Makefile adds SANDBOX_MODE/SANDBOX_IMAGE variables, validate-agent-sandbox target (validates Sandbox CRDs when needed), substitutes sandbox placeholders in deploy target, passes sandbox flags to local run target. Installer script validates IMG/KUBECONFIG, applies sandbox-mode defaults, creates namespace, runs make install/deploy with sandbox overrides, grants cluster-admin to controller-manager, waits rollout, and creates ApprovalPolicy with Analysis auto-approval. Manager YAML injects --namespace, --sandbox-mode, and --agentic-sandbox-image flags via placeholders. |
| E2E test helpers: namespace, pod cleanup, verification approval | test/e2e/helpers_test.go | testNS now sourced from TEST_NAMESPACE env with fallback default. Adds deleteBarePod helper to clean up bare pod artifacts. Removes sandbox verification auto-approval from ApprovalPolicy fixture. Extends createProposal cleanup to delete leftover bare pods for analysis/execution/verification. Adds approveVerification helper that patches ProposalApproval to explicitly approve verification stage using e2e-agent. |
| Execution test: ServiceAccount and RoleBinding validation | test/e2e/execution_test.go | Adds corev1 import. Logs Proposed → Executing transitions with step-specific messages. Asserts per-proposal execution ServiceAccount is created in testNS and validates RoleBinding subject references that ServiceAccount. Logs ExecutionResult owner-reference and sandbox claimName capture. Replaces post-deletion Role check with ServiceAccount cleanup assertion. Updates final PASS log to reflect RBAC and ServiceAccount focus. |
| Verification test: explicit approval and completion sequencing | test/e2e/verification_test.go | Enforces explicit lifecycle sequencing: waits for Proposed, approves execution, waits for Verifying, calls approveVerification, then waits for Completed. Logs VerificationResult owner-reference and verification sandbox claimName. Logs just before Proposal deletion to confirm RBAC cleanup initiation and after deletion to confirm completion. |
| Analysis and denial tests: granular logging | test/e2e/analysis_execution_test.go, test/e2e/denial_test.go | Both tests add step-oriented t.Log checkpoints throughout workflows: fixture creation, Proposal creation, phase transitions (Proposed/Denied/Completed), RBAC/owner-reference verification, AnalysisResult option assertions, sandbox claimName capture, cleanup/deletion steps, and final PASS messages. |
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main changes: adding a Konflux integration test pipeline and improving e2e tests, which aligns with the file additions and modifications across the changeset. |
| Description check | ✅ Passed | The description directly addresses the changeset by explaining the Konflux pipeline deployment, design decisions for mock agent image and approval flow, and e2e test improvements for bare-pod mode and per-proposal SA verification. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@openshift-ci openshift-ci Bot requested review from harche and onmete June 11, 2026 13:32

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.tekton/integration-tests/pipelines/agentic-operator-e2e-pipeline.yaml:
- Line 148: The pipeline is silently ignoring checkout failures because the
command 'git fetch --depth=1 origin "${COMMIT}" && git checkout "${COMMIT}" ||
true' swallows errors; remove the trailing '|| true' so the shell returns a
non‑zero exit and the Tekton task fails on fetch/checkout errors, or
alternatively replace it with an explicit validation step after checkout that
verifies the current HEAD matches "${COMMIT}" and exits non‑zero if not (update
the existing command string referenced above).

📥 Commits

Reviewing files that changed from the base of the PR and between 7047d96 and 58886ca.


Comment thread .tekton/integration-tests/pipelines/agentic-operator-e2e-pipeline.yaml Outdated
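
The failure mode in the finding above, reproduced on a throwaway repository as an added example (not code from this PR's pipeline or from CodeRabbit): with `|| true`, checking out a commit that is not present still exits 0 and leaves HEAD where it was, so the tests would run against a different commit than the one requested. The function names, the temporary repository and the missing commit id are constructed, and the `git fetch` step is left out so the example runs offline.

```shell
#!/bin/sh
# Added example (constructed repo and function names; not the pipeline's code).
# The pipeline's `git fetch --depth=1 origin` step is left out so this runs offline.

# Flagged pattern: `|| true` turns a failed checkout into exit status 0.
checkout_masked() {
    git -C "$1" checkout --quiet --detach "$2" 2>/dev/null || true
}

# Hardened form: fail on checkout errors, then confirm HEAD is the requested commit.
checkout_verified() {
    git -C "$1" checkout --quiet --detach "$2" 2>/dev/null || {
        echo "checkout of $2 failed" >&2
        return 1
    }
    want=$(git -C "$1" rev-parse --verify --quiet "$2^{commit}") || return 1
    actual=$(git -C "$1" rev-parse HEAD) || return 1
    if [ "$actual" != "$want" ]; then
        echo "HEAD is $actual, expected $want" >&2
        return 1
    fi
}

head_of() {
    git -C "$1" rev-parse HEAD
}

# Create a throwaway repository with two empty commits and print its path.
make_sample_repo() {
    dir=$(mktemp -d) || return 1
    git init --quiet "$dir" || return 1
    for msg in first second; do
        git -C "$dir" -c user.name=example -c user.email=example@example.invalid \
            -c commit.gpgsign=false commit --quiet --allow-empty -m "$msg" || return 1
    done
    printf '%s\n' "$dir"
}

# Constructed commit id that does not exist in the sample repository.
MISSING_COMMIT=0123456789abcdef0123456789abcdef01234567

sample=$(make_sample_repo) || exit 1
checkout_masked "$sample" "$MISSING_COMMIT" && rc=0 || rc=$?
echo "masked:   exit=$rc HEAD=$(head_of "$sample")"
checkout_verified "$sample" "$MISSING_COMMIT" 2>/dev/null && rc=0 || rc=$?
echo "verified: exit=$rc"
rm -rf "$sample"
```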
@blublinsky blublinsky force-pushed the e2e-test branch 2 times, most recently from ae22399 to 2500c3f Compare June 11, 2026 15:20

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/helpers_test.go`:
- Around line 118-127: The deleteBarePod helper defaults OPERATOR_NAMESPACE to
"openshift-lightspeed", which mismatches the Makefile default of "default";
update deleteBarePod (and its OPERATOR_NAMESPACE fallback logic) to use the same
default used when running locally—either change the fallback to "default" or,
better, use the existing test namespace variable (testNS) used elsewhere in
tests so cleanup targets the same namespace the operator creates bare pods in;
adjust only the fallback assignment inside deleteBarePod to reference testNS (or
"default") so deletion succeeds.

📥 Commits

Reviewing files that changed from the base of the PR and between 58886ca and 2500c3f.


Comment thread test/e2e/helpers_test.go Outdated
@openshift-ci openshift-ci Bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 12, 2026
@openshift-ci openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 12, 2026

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
Makefile (1)

160-163: 💤 Low value

Sed delimiter collision risk if SANDBOX_IMAGE contains |.

The sed command uses | as a delimiter. If SANDBOX_IMAGE ever contains a literal | (unlikely for image refs, but possible), the substitution will fail silently or produce malformed YAML.

Consider escaping or using a less common delimiter if this needs to be more robust.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 160 - 163, The sed substitution in the Makefile uses |
as the delimiter and can break if $(SANDBOX_IMAGE) contains |; update the sed
invocation to use a less-common delimiter (for example @) for all three
substitutions so variables OPERATOR_NAMESPACE, SANDBOX_MODE and SANDBOX_IMAGE
are substituted safely (e.g. replace -e
's|__OPERATOR_NAMESPACE__|$(OPERATOR_NAMESPACE)|g' with -e
's@__OPERATOR_NAMESPACE__@$(OPERATOR_NAMESPACE)@g' and likewise for the other
two) or alternatively switch to a quoting/escaping approach (perl -pe or awk)
that properly handles arbitrary characters in $(SANDBOX_IMAGE).

📥 Commits

Reviewing files that changed from the base of the PR and between 2500c3f and 841668e.

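
The substitution discussed in this nitpick, as an added shell example (not code from the PR's Makefile or from CodeRabbit): it shows that an unescaped `&` in the value expands to the matched placeholder, that a value containing the delimiter makes sed reject the expression, and that `@` as delimiter breaks on digest-pinned references (`name@sha256:...`), while escaping the replacement handles all three. The manifest line, the `__SANDBOX_IMAGE__` placeholder name, the function names and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; the manifest line and the __SANDBOX_IMAGE__ placeholder name are assumed.
TEMPLATE='- --agentic-sandbox-image=__SANDBOX_IMAGE__'

# Naive form: the value is pasted into the sed program unescaped.
# $1 = delimiter character, $2 = value to substitute.
render_naive() {
    d=$1
    v=$2
    printf '%s\n' "$TEMPLATE" | sed -e "s${d}__SANDBOX_IMAGE__${d}${v}${d}g"
}

# Escape what is special in a sed replacement when `|` is the delimiter:
# backslash, `&` (stands for the whole match) and the delimiter itself.
sed_escape_replacement() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Hardened form: escape first, then substitute with the fixed `|` delimiter.
render_escaped() {
    v=$(sed_escape_replacement "$1") || return 1
    printf '%s\n' "$TEMPLATE" | sed -e "s|__SANDBOX_IMAGE__|${v}|g"
}

# Constructed sample values: a digest-pinned reference, a value with `&`,
# and a value containing the `|` delimiter.
DIGEST_REF='quay.io/example/agent@sha256:aaaa'

for value in "$DIGEST_REF" 'agent:a&b' 'agent|x'; do
    out=$(render_naive '|' "$value" 2>/dev/null) || out='<sed error>'
    echo "naive   | $value -> $out"
    echo "escaped | $value -> $(render_escaped "$value")"
done
out=$(render_naive '@' "$DIGEST_REF" 2>/dev/null) || out='<sed error>'
echo "naive   @ $DIGEST_REF -> $out"
```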

@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
test/e2e/helpers_test.go (1)

118-127: ⚠️ Potential issue | 🟡 Minor

OPERATOR_NAMESPACE default mismatch across files.

deleteBarePod defaults OPERATOR_NAMESPACE to "openshift-lightspeed" (line 123), but Makefile line 50 defaults it to "default". When running the operator locally via make run without explicitly setting OPERATOR_NAMESPACE, the operator creates bare pods in namespace "default", but this cleanup helper attempts to delete them from "openshift-lightspeed", causing cleanup to fail and leaving orphaned pods.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/helpers_test.go` around lines 118 - 127, The deleteBarePod helper
uses OPERATOR_NAMESPACE default "openshift-lightspeed" which mismatches the
Makefile default "default"; update the deleteBarePod function (and any similar
test helpers) to use the same default namespace as the Makefile (e.g., default
to "default" or read from a shared constant/env helper) so the cleanup targets
the same namespace the operator creates pods in; specifically, change the
fallback value in deleteBarePod (function name: deleteBarePod, variable:
operatorNS / OPERATOR_NAMESPACE) to match the Makefile's default or centralize
the namespace default into a shared symbol and reference it from the test
helper.

📥 Commits

Reviewing files that changed from the base of the PR and between 841668e and d4b3aaa.


@raptorsun

Contributor

/retest

@openshift-ci

openshift-ci Bot commented Jun 15, 2026


@blublinsky: all tests passed!


name: cluster-admin
subjects:
- kind: ServiceAccount
name: controller-manager
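
Review bot: `name: cluster-admin` bound to the `controller-manager` ServiceAccount gives the operator unrestricted rights on the cluster; if that is acceptable only because the target is an ephemeral test cluster, say so in a comment beside the binding, and prefer a ClusterRole limited to the resources the operator manages. The subject's `name: controller-manager` is also a hard-coded ServiceAccount name, so the binding stops applying without any error if the deployment's ServiceAccount is renamed.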


may be unrelated to this PR, but do we want to standardize the SA name here?
this PR uses controller-manager, the quickstart script uses lightspeed-agentic-operator
the bundle PR is going to use agentic-controller-manager

@vimalk78

Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 15, 2026
@blublinsky

Contributor Author

/approve

@blublinsky blublinsky merged commit a430479 into openshift:main Jun 15, 2026
7 of 8 checks passed
@openshift-ci

openshift-ci Bot commented Jun 15, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: blublinsky


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 15, 2026