USHIFT-6831: cert-manager Trust manager featuregate and test

[eslutsky]

Summary by CodeRabbit

• New Features

  • Added TrustManager support as an optional addon to cert-manager, enabling centralized management of CA certificates and trust bundles

• Tests

  • Added comprehensive test coverage for TrustManager deployment, Bundle synchronization, and CA certificate source handling

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eslutsky

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [eslutsky]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

The PR adds Trust Manager support to cert-manager by enabling the feature flag in the operator via Kustomize patch, defining a new TrustManager custom resource manifest, and introducing comprehensive Robot test coverage with lifecycle management keywords and three functional test cases for CA secret and Bundle synchronization scenarios.

Changes

Trust Manager Support for cert-manager

Layer / File(s)	Summary
Enable TrustManager feature flag in cert-manager operator assets/optional/cert-manager/manager/kustomization.yaml	Adds a Kustomize patch that targets the cert-manager controller-manager Deployment and injects UNSUPPORTED_ADDON_FEATURES=TrustManager=true into the cert-manager-operator container.
TrustManager custom resource manifest test/assets/cert-manager/trust-manager-cr.yaml	Defines a new OpenShift TrustManager custom resource named cluster with an empty trustManagerConfig specification for test usage.
Test suite variables and configuration test/suites/optional/cert-manager.robot	Introduces suite variables to parameterize Trust Manager bundle naming, namespaces, deployment identity, and manifests.d directory path.
Trust Manager lifecycle management keywords test/suites/optional/cert-manager.robot	Keywords enable and disable Trust Manager via manifests.d kustomization and MicroShift restart, validate pod absence, and manage TrustManager CR creation and removal.
CA and Bundle YAML generation keywords test/suites/optional/cert-manager.robot	Keywords generate self-signed CA certificates via openssl, construct Bundle and Certificate YAML manifests sourced from manually created or cert-manager-generated CA secrets, apply YAML via oc, and clean up generated resources.
Trust Manager functional test cases test/suites/optional/cert-manager.robot	Three test cases validate Trust Manager deployment readiness, Bundle sync from source secret into ConfigMap, and Bundle sync from cert-manager-generated CA certificate into ConfigMap.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

---

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

• Ignore

❌ Failed checks (1 error, 1 inconclusive)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Line 397 in test/suites/optional/cert-manager.robot logs full certificate data via Log Certificate data received: ${tls_crt_data}, exposing sensitive cryptographic material.	Remove or redact the Log statement that exposes certificate data; use Log only for metadata like common name, not the certificate contents.
Test Structure And Quality	❓ Inconclusive	Custom check specifies "Ginkgo test code" but PR contains only Robot Framework tests (.robot files), not Go/Ginkgo tests. Check instructions are inapplicable.	Clarify if check applies to Robot Framework tests or only Go tests with Ginkgo framework.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR adds Robot Framework tests only; custom check is for Ginkgo tests. Test names (Trust Manager Deployment, etc.) are static, descriptive, and contain no dynamic values.
Microshift Test Compatibility	✅ Passed	PR adds Robot Framework tests and Kubernetes manifests, not Ginkgo e2e tests. Custom check applies only to Ginkgo tests, making it inapplicable here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds Robot Framework tests to MicroShift, not Ginkgo e2e tests. The custom check explicitly targets Ginkgo e2e tests and is not applicable to this codebase.
Topology-Aware Scheduling Compatibility	✅ Passed	PR introduces no new scheduling constraints. Changes are: kustomization.yaml patch adding TrustManager env var, test CR definition, and Robot Framework test cases—none with scheduling logic.
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML and Robot Framework test files; no Go code modified, so OTE Binary Stdout Contract check is not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Check targets Ginkgo e2e tests; PR adds Robot Framework tests instead. Content review shows no IPv4 assumptions or external connectivity in the three new trust-manager tests.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms, custom crypto implementations, or non-constant-time comparisons detected. Only openssl with prime256v1 (strong EC) for test CA generation.
Container-Privileges	✅ Passed	No privileged settings found in any modified files. The kustomization patch only sets environment variables; TrustManager CR has empty spec; robot tests contain no securityContext configurations.
Title check	✅ Passed	The title clearly identifies the main changes: enabling cert-manager Trust Manager via a feature gate and adding corresponding test coverage.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/suites/optional/cert-manager.robot (1)

54-54: 💤 Low value

Unused variable.

${TRUST_MANAGER_DEPLOYMENT} is defined but never referenced in this file.

🧹 Remove or use the variable

-${TRUST_MANAGER_DEPLOYMENT}     cert-manager-operator-controller-manager

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/suites/optional/cert-manager.robot` at line 54,
${TRUST_MANAGER_DEPLOYMENT} is defined but unused; either remove the variable
declaration or use it where the cert-manager operator deployment name is needed
(e.g., replace hard-coded "cert-manager-operator-controller-manager" occurrences
with ${TRUST_MANAGER_DEPLOYMENT} or reference it in the test keyword that
interacts with the trust manager). Update the robot file by deleting the unused
variable line if not needed, or wire ${TRUST_MANAGER_DEPLOYMENT} into the
relevant test steps/keywords to consume the value.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/suites/optional/cert-manager.robot`:
- Around line 150-151: The jsonpath used in the Oc Wait call is fragile because
it assumes the condition is at index 0; update the jsonpath in the Oc Wait that
references TRUST_MANAGER_BUNDLE_NAME to check all conditions instead of
.status.conditions[0].reason (e.g. use .status.conditions[*].reason or a filter
by condition type) so the wait asserts any condition reason equals "Synced"
rather than relying on index 0; modify the Oc Wait invocation that currently
uses .status.conditions[0].reason to use the wildcard/filter form to match line
122-123's fix approach.

---

Nitpick comments:
In `@test/suites/optional/cert-manager.robot`:
- Line 54: ${TRUST_MANAGER_DEPLOYMENT} is defined but unused; either remove the
variable declaration or use it where the cert-manager operator deployment name
is needed (e.g., replace hard-coded "cert-manager-operator-controller-manager"
occurrences with ${TRUST_MANAGER_DEPLOYMENT} or reference it in the test keyword
that interacts with the trust manager). Update the robot file by deleting the
unused variable line if not needed, or wire ${TRUST_MANAGER_DEPLOYMENT} into the
relevant test steps/keywords to consume the value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7d657932-8817-491b-8597-8605b0f20abd

📥 Commits

Reviewing files that changed from the base of the PR and between 04423a1 and 741675b.

📒 Files selected for processing (3)

• assets/optional/cert-manager/manager/kustomization.yaml
• test/assets/cert-manager/trust-manager-cr.yaml
• test/suites/optional/cert-manager.robot

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Same fragile index issue.

Apply the same fix as line 122-123.

🔧 Proposed fix

     Oc Wait    bundle ${TRUST_MANAGER_BUNDLE_NAME}
-    ...    --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
+    ...    --for=jsonpath='{.status.conditions[?(@.type=="Synced")].status}'=True --timeout=${DEFAULT_WAIT_TIMEOUT}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
	... --for=jsonpath='{.status.conditions[0].reason}'=Synced --timeout=${DEFAULT_WAIT_TIMEOUT}
	Oc Wait bundle ${TRUST_MANAGER_BUNDLE_NAME}
	... --for=jsonpath='{.status.conditions[?(@.type=="Synced")].status}'=True --timeout=${DEFAULT_WAIT_TIMEOUT}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/suites/optional/cert-manager.robot` around lines 150 - 151, The jsonpath
used in the Oc Wait call is fragile because it assumes the condition is at index
0; update the jsonpath in the Oc Wait that references TRUST_MANAGER_BUNDLE_NAME
to check all conditions instead of .status.conditions[0].reason (e.g. use
.status.conditions[*].reason or a filter by condition type) so the wait asserts
any condition reason equals "Synced" rather than relying on index 0; modify the
Oc Wait invocation that currently uses .status.conditions[0].reason to use the
wildcard/filter form to match line 122-123's fix approach.

[openshift-ci-robot]

@eslutsky: This pull request references USHIFT-6831 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

• New Features

• Added TrustManager support as an optional addon to cert-manager, enabling centralized management of CA certificates and trust bundles

• Tests

• Added comprehensive test coverage for TrustManager deployment, Bundle synchronization, and CA certificate source handling

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[eslutsky]

/test all

[openshift-ci]

@eslutsky: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-tests-bootc-arm-el9	741675b	link	true	/test e2e-aws-tests-bootc-arm-el9
ci/prow/e2e-aws-tests-bootc-arm-el10	741675b	link	true	/test e2e-aws-tests-bootc-arm-el10
ci/prow/e2e-aws-tests-bootc-el9	741675b	link	true	/test e2e-aws-tests-bootc-el9
ci/prow/verify	741675b	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.