CCO-788 : e2e for removing kube-rbac-proxy container (CCO-788)

[miyadav]

@huangmingxia @jianping-shu PTAL when time permits , test case.
Manual execution

Upgrade validation is pending.

`miyadav@miyadav-mac cloud-credential-operator % ./cloud-credential-tests-ext run-test -n '[Jira:"Cloud Credential Operator"] Cluster_Operator CCO is enabled [Suite:cco/conformance/parallel][PolarionID:88196] NonHyperShiftHOST-High-CCO metrics endpoint validation'
  Running Suite:  - /Users/miyadav/github.com/openshift/cloud-credential-operator
  ===============================================================================
  Random Seed: 1774014918 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [Jira:"Cloud Credential Operator"] Cluster_Operator CCO is enabled [Suite:cco/conformance/parallel][PolarionID:88196] NonHyperShiftHOST-High-CCO metrics endpoint validation [Lifecycle:informing]
  /Users/miyadav/github.com/openshift/cloud-credential-operator/test/extend/cloudcredential.go:781
  topology is HighlyAvailable
    STEP: Validate CCO container exposes metrics on port 8443 @ 03/20/26 13:55:24.864
  CCO container ports configuration: [{"containerPort":8443,"name":"metrics","protocol":"TCP"}]
    STEP: Validate CCO container mounts serving certs @ 03/20/26 13:55:25.518
  CCO container volume mounts: [{"mountPath":"/etc/pki/ca-trust/extracted/pem","name":"cco-trusted-ca"},{"mountPath":"/etc/tls/private","name":"cloud-credential-operator-serving-cert"}]
    STEP: Verify prometheus pods are running in openshift-monitoring @ 03/20/26 13:55:26.188
  Prometheus pods found: prometheus-k8s-0 prometheus-k8s-1
    STEP: Validate service cco-metrics targets port 8443 @ 03/20/26 13:55:26.996
  Service cco-metrics port: 8443, targetPort: metrics
    STEP: Get service account token for authentication @ 03/20/26 13:55:28.064
  Successfully obtained service account token
    STEP: Validate metrics are reachable via HTTPS from prometheus pod @ 03/20/26 13:55:28.606
  Metrics endpoint response (first 10 lines): # HELP cco_controller_reconcile_seconds Distribution of the length of time each controllers reconcile loop takes.
  # TYPE cco_controller_reconcile_seconds histogram
  cco_controller_reconcile_seconds_bucket{controller="credreq",le="0.001"} 138
  cco_controller_reconcile_seconds_bucket{controller="credreq",le="0.01"} 138
  cco_controller_reconcile_seconds_bucket{controller="credreq",le="0.1"} 138
  cco_controller_reconcile_seconds_bucket{controller="credreq",le="1"} 150
  cco_controller_reconcile_seconds_bucket{controller="credreq",le="10"} 150
  cco_controller_reconcile_seconds_bucket{controller="credreq",le="30"} 150
  cco_controller_reconcile_seconds_bucket{controller="credreq",le="60"} 150
  cco_controller_reconcile_seconds_bucket{controller="credreq",le="120"} 150

    STEP: Verify response includes CCO business metrics @ 03/20/26 13:55:29.974
  Successfully verified CCO business metrics are present
    STEP: Verify prometheus target is up and has no TLS errors @ 03/20/26 13:55:29.974
  cco-metrics target is UP (health=up) with no errors
    STEP: Validate ServiceMonitor is configured correctly @ 03/20/26 13:55:42.624
  ServiceMonitor endpoints configuration: [{"bearerTokenFile":"/var/run/secrets/kubernetes.io/serviceaccount/token","interval":"30s","port":"metrics","scheme":"https","tlsConfig":{"caFile":"/etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt","serverName":"cco-metrics.openshift-cloud-credential-operator.svc"}}]
    STEP: Verify request without Bearer token is rejected @ 03/20/26 13:55:43.683
  Unauthorized access correctly rejected:   HTTP/1.1 401 Unauthorized
    Content-Type: text/plain; charset=utf-8
    X-Content-Type-Options: nosniff
    Date: Fri, 20 Mar 2026 13:55:44 GMT
    Content-Length: 13

    STEP: Verify ClusterOperator cloud-credential is Available and not Degraded @ 03/20/26 13:55:45.027
    STEP: Verify CCO logs show successful reconciliation @ 03/20/26 13:55:52.738
  CCO pod name: cloud-credential-operator-98fc5f4b4-p2fcd
  Successfully verified CCO reconciliation activity in logs
  • [36.273 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 36.273 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped`

Co-authored: claudecode

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ad8c7810-6be5-45d8-8fef-871300a8b576

📥 Commits

Reviewing files that changed from the base of the PR and between b829309 and 32fbe99.

📒 Files selected for processing (1)

• test/extend/cloudcredential.go

✅ Files skipped from review due to trivial changes (1)

• test/extend/cloudcredential.go

---

Walkthrough

Added a new Ginkgo test that performs end-to-end HTTPS metrics validation for the cloud-credential-operator: verifies container port and volume mounts, service and ServiceMonitor configuration, Prometheus target health, authenticated metrics access, unauthenticated rejection, and reconciliation evidence in logs.

Changes

Cohort / File(s)	Summary
CCO Metrics Endpoint Test test/extend/cloudcredential.go	New ~148-line Ginkgo test validating CCO metrics over HTTPS: checks container metrics port and cert/CA mounts, cco-metrics Service port/targetPort, Prometheus pods and target health polling, ServiceMonitor endpoints, authenticated /metrics access using SA token, unauthenticated access rejection, and log-based reconciliation checks.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

test/extend/cloudcredential.go (2)

783-783: Consider filtering by container name instead of index.

Using containers[0] assumes the CCO container is always first. If another container (e.g., sidecar) is added before it, this test would break. Consider using containers[?(@.name=="cloud-credential-operator")] similar to line 496.

♻️ Suggested fix

-		ports, err := oc.AsAdmin().WithoutNamespace().Run("get").Args("deployment", "cloud-credential-operator", "-n", DefaultNamespace, "-o=jsonpath={.spec.template.spec.containers[0].ports}").Output()
+		ports, err := oc.AsAdmin().WithoutNamespace().Run("get").Args("deployment", "cloud-credential-operator", "-n", DefaultNamespace, "-o=jsonpath={.spec.template.spec.containers[?(@.name==\"cloud-credential-operator\")].ports}").Output()

Apply the same change to line 791 for volumeMounts.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extend/cloudcredential.go` at line 783, The jsonpath used when calling
oc.AsAdmin().WithoutNamespace().Run("get").Args(...
"-o=jsonpath={.spec.template.spec.containers[0].ports}") assumes the CCO
container is at index 0; change the selector to filter by container name (e.g.
use containers[?(@.name=="cloud-credential-operator")].ports) so it targets the
container by name, and make the analogous change for the volumeMounts call
(replace containers[0].volumeMounts with
containers[?(@.name=="cloud-credential-operator")].volumeMounts) to avoid
fragility if sidecars are added.

---

828-833: Redundant metric check logic.

Line 828 already asserts that metricsOutput contains "cco_". The hasMetric check on lines 830-832 is redundant since it includes strings.Contains(metricsOutput, "cco_") which will always be true if line 828 passes.

♻️ Simplified check

 		g.By("Verify response includes CCO business metrics")
-		o.Expect(metricsOutput).To(o.ContainSubstring("cco_"))
-		// Check for common CCO metrics
-		hasMetric := strings.Contains(metricsOutput, "cco_credentials_mode") ||
-			strings.Contains(metricsOutput, "cco_credentials_requests") ||
-			strings.Contains(metricsOutput, "cco_")
-		o.Expect(hasMetric).To(o.BeTrue(), "Expected to find CCO metrics in response")
+		// Check for common CCO metrics prefixed with cco_
+		o.Expect(metricsOutput).To(o.ContainSubstring("cco_"), "Expected to find CCO metrics in response")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extend/cloudcredential.go` around lines 828 - 833, The test contains a
redundant assertion: metricsOutput is already checked for "cco_" via
o.Expect(metricsOutput).To(o.ContainSubstring("cco_")), so the subsequent
hasMetric boolean (which includes strings.Contains(metricsOutput, "cco_")) is
unnecessary; either remove the initial broad Expect and keep the specific
hasMetric checks, or better, remove the "cco_" check inside hasMetric and let
hasMetric only test for specific metrics ("cco_credentials_mode" or
"cco_credentials_requests") before asserting with
o.Expect(hasMetric).To(o.BeTrue()). Update references to metricsOutput,
hasMetric, and the Expect calls accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@test/extend/cloudcredential.go`:
- Line 783: The jsonpath used when calling
oc.AsAdmin().WithoutNamespace().Run("get").Args(...
"-o=jsonpath={.spec.template.spec.containers[0].ports}") assumes the CCO
container is at index 0; change the selector to filter by container name (e.g.
use containers[?(@.name=="cloud-credential-operator")].ports) so it targets the
container by name, and make the analogous change for the volumeMounts call
(replace containers[0].volumeMounts with
containers[?(@.name=="cloud-credential-operator")].volumeMounts) to avoid
fragility if sidecars are added.
- Around line 828-833: The test contains a redundant assertion: metricsOutput is
already checked for "cco_" via
o.Expect(metricsOutput).To(o.ContainSubstring("cco_")), so the subsequent
hasMetric boolean (which includes strings.Contains(metricsOutput, "cco_")) is
unnecessary; either remove the initial broad Expect and keep the specific
hasMetric checks, or better, remove the "cco_" check inside hasMetric and let
hasMetric only test for specific metrics ("cco_credentials_mode" or
"cco_credentials_requests") before asserting with
o.Expect(hasMetric).To(o.BeTrue()). Update references to metricsOutput,
hasMetric, and the Expect calls accordingly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ce49d981-a422-4850-8b9a-210d3e419c0a

📥 Commits

Reviewing files that changed from the base of the PR and between f5fb038 and 2bfdefa.

📒 Files selected for processing (1)

• test/extend/cloudcredential.go

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.28%. Comparing base (f5fb038) to head (32fbe99).
⚠️ Report is 12 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #991   +/-   ##
=======================================
  Coverage   46.28%   46.28%           
=======================================
  Files          98       98           
  Lines       12259    12259           
=======================================
  Hits         5674     5674           
  Misses       5935     5935           
  Partials      650      650           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

🧹 Nitpick comments (2)

test/extend/cloudcredential.go (2)

821-830: Consider adding polling for initial metrics fetch to reduce flakiness.

The direct wget call may fail transiently if the metrics endpoint isn't immediately ready. This contrasts with the Prometheus target validation below (lines 833-884) which properly uses wait.Poll. Consider wrapping this in a similar poll loop.

♻️ Suggested approach

 		g.By("Validate metrics are reachable via HTTPS from prometheus pod")
-		metricsOutput, err := oc.AsAdmin().WithoutNamespace().Run("exec").Args("-n", OpenShiftMonitoringNamespace, "prometheus-k8s-0", "-c", "prometheus", "--", "sh", "-c", fmt.Sprintf("wget -qO- --no-check-certificate --header='Authorization: Bearer %s' https://cco-metrics.%s.svc:8443/metrics 2>/dev/null | head -10", token, DefaultNamespace)).Output()
-		o.Expect(err).NotTo(o.HaveOccurred())
-		o.Expect(metricsOutput).NotTo(o.BeEmpty())
+		var metricsOutput string
+		err = wait.Poll(5*time.Second, 1*time.Minute, func() (bool, error) {
+			output, execErr := oc.AsAdmin().WithoutNamespace().Run("exec").Args("-n", OpenShiftMonitoringNamespace, "prometheus-k8s-0", "-c", "prometheus", "--", "sh", "-c", fmt.Sprintf("wget -qO- --no-check-certificate --header='Authorization: Bearer %s' https://cco-metrics.%s.svc:8443/metrics 2>/dev/null | head -10", token, DefaultNamespace)).Output()
+			if execErr != nil || output == "" {
+				g.GinkgoT().Logf("Metrics endpoint not ready yet, retrying...")
+				return false, nil
+			}
+			metricsOutput = output
+			return true, nil
+		})
+		assertWaitPollNoErr(err, "metrics endpoint not reachable")
 		g.GinkgoT().Logf("Metrics endpoint response (first 10 lines): %s", metricsOutput)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extend/cloudcredential.go` around lines 821 - 830, The direct wget exec
that populates metricsOutput can be flaky; wrap the
oc.AsAdmin().WithoutNamespace().Run("exec") call (the command that sets
metricsOutput) in a retry/poll loop (e.g., wait.Poll or similar) that retries
the exec until metricsOutput contains the expected "cco_" substring or a timeout
elapses; update the checks around metricsOutput and the o.Expect assertions to
run after successful poll completion and log failures appropriately so the test
only asserts once the endpoint is reachable and returns CCO metrics.

---

822-822: Minor: Hard-coded prometheus pod name could be fragile.

The test uses prometheus-k8s-0 in multiple places. If this specific pod is temporarily unavailable (e.g., during rolling update), the test will fail. Consider dynamically selecting an available prometheus pod from the list obtained at line 800.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/extend/cloudcredential.go` at line 822, The test currently hard-codes
the Prometheus pod name in the oc exec call (the call building metricsOutput
using oc.AsAdmin().WithoutNamespace().Run("exec").Args(..., "prometheus-k8s-0",
...)), which is fragile; change it to pick an available Prometheus pod
dynamically from the previously obtained list of Prometheus pods (the variable
holding the pod list from the earlier pod-listing call) instead of
"prometheus-k8s-0": iterate the pod list or filter for Ready/Running status,
select the first healthy pod name, and use that podName in the Args(...) for the
exec call; if selection fails, surface a clear error so the test fails fast.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@test/extend/cloudcredential.go`:
- Around line 821-830: The direct wget exec that populates metricsOutput can be
flaky; wrap the oc.AsAdmin().WithoutNamespace().Run("exec") call (the command
that sets metricsOutput) in a retry/poll loop (e.g., wait.Poll or similar) that
retries the exec until metricsOutput contains the expected "cco_" substring or a
timeout elapses; update the checks around metricsOutput and the o.Expect
assertions to run after successful poll completion and log failures
appropriately so the test only asserts once the endpoint is reachable and
returns CCO metrics.
- Line 822: The test currently hard-codes the Prometheus pod name in the oc exec
call (the call building metricsOutput using
oc.AsAdmin().WithoutNamespace().Run("exec").Args(..., "prometheus-k8s-0", ...)),
which is fragile; change it to pick an available Prometheus pod dynamically from
the previously obtained list of Prometheus pods (the variable holding the pod
list from the earlier pod-listing call) instead of "prometheus-k8s-0": iterate
the pod list or filter for Ready/Running status, select the first healthy pod
name, and use that podName in the Args(...) for the exec call; if selection
fails, surface a clear error so the test fails fast.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bac3160e-60a2-4880-a12c-5269d3fc8047

📥 Commits

Reviewing files that changed from the base of the PR and between 2bfdefa and b829309.

📒 Files selected for processing (1)

• test/extend/cloudcredential.go

[jstuever]

/approve
/override ci/prow/security

[openshift-ci]

@jstuever: Overrode contexts on behalf of jstuever: ci/prow/security

Details

In response to this:

/approve
/override ci/prow/security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@miyadav: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[huangmingxia]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: huangmingxia, jstuever, miyadav

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jstuever]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[huangmingxia]

@miyadav Hi, if it passes locally on your side, please add the verified label and then let's proceed with merging the PR.

[miyadav]

/verified by @miyadav

[openshift-ci-robot]

@miyadav: This PR has been marked as verified by @miyadav.

Details

In response to this:

/verified by @miyadav

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.