refactor: split config update based on component

refactor: check if latest generation of deployment has been observed

.github/workflows/main.yml

@@ -315,7 +315,7 @@ jobs:
           TEST_BASE_CATALOG: registry.redhat.io/redhat/redhat-operator-index:v4.14
           TEST_TARGET_CATALOG: ${{ env.CATALOG_IMG }}
           OPENSHIFT: false
-        run: go test ./test/e2e/... -tags=upgrade -timeout 20m
+        run: go test -p 1 ./test/e2e/... -tags=upgrade -timeout 20m
 
       - name: Archive test artifacts
         uses: actions/upload-artifact@v4

.gitignore

@@ -32,6 +32,7 @@ go.work
 *.swp
 *.swo
 *~
+.DS_Store
 
 # K8s dump from e2e tests
 k8s-dump-*.tar.gz

Makefile

@@ -130,12 +130,12 @@ test: manifests generate fmt vet envtest ## Run tests.
 # Utilize Kind or modify the e2e tests to load the image locally, enabling compatibility with other vendors.
 .PHONY: test-e2e  # Run the e2e tests against a Kind k8s instance that is spun up.
 test-e2e:
-	go test ./test/e2e/... -v -ginkgo.v -tags=integration -timeout 20m
+	go test -p 1 ./test/e2e/... -tags=integration -timeout 20m
 
 # Switch images from `registry.redhat.io` images to the dev images
 .PHONY: dev-images
 dev-images:
-	sed -E -f ci/dev-images.sed  -i internal/controller/constants/images.go
+	sed -E -f ci/dev-images.sed -i internal/controller/constants/images.go
 
 GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint
 GOLANGCI_LINT_VERSION ?= v1.54.2

internal/controller/tsa/actions/generate_signer_test.go

@@ -4,14 +4,15 @@ import (
 	"context"
 	"testing"
 
+	"github.com/securesign/operator/test/e2e/support/tas/tsa"
+
 	. "github.com/onsi/gomega"
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/action"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 	"github.com/securesign/operator/internal/controller/constants"
 	testAction "github.com/securesign/operator/internal/testing/action"
 	common "github.com/securesign/operator/internal/testing/common/tsa"
-	"github.com/securesign/operator/test/e2e/support"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -183,7 +184,7 @@ func Test_SignerHandle(t *testing.T) {
 
 				obj := []client.Object{}
 				client := testAction.FakeClientBuilder().WithObjects(instance).Build()
-				secret := support.InitTsaSecrets(instance.Namespace, "tsa-test-secret")
+				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret")
 				obj = append(obj, secret)
 				return common.TsaTestSetup(instance, t, client, NewGenerateSignerAction(), obj...)
 			},
@@ -239,7 +240,7 @@ func Test_SignerHandle(t *testing.T) {
 				}
 				obj := []client.Object{}
 				client := testAction.FakeClientBuilder().WithObjects(instance).Build()
-				secret := support.InitTsaSecrets(instance.Namespace, "tsa-test-secret")
+				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret")
 				obj = append(obj, secret)
 				return common.TsaTestSetup(instance, t, client, NewGenerateSignerAction(), obj...)
 			},
@@ -263,7 +264,7 @@ func Test_SignerHandle(t *testing.T) {
 			setup: func(instance *rhtasv1alpha1.TimestampAuthority) (client.WithWatch, action.Action[*rhtasv1alpha1.TimestampAuthority]) {
 				instance.Status.Conditions[0].Reason = constants.Pending
 				client := testAction.FakeClientBuilder().WithObjects(instance).Build()
-				secret := support.InitTsaSecrets(instance.Namespace, "tsa-test-secret")
+				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret")
 				return common.TsaTestSetup(instance, t, client, NewGenerateSignerAction(), secret)
 			},
 			testCase: func(g Gomega, a action.Action[*rhtasv1alpha1.TimestampAuthority], client client.WithWatch, instance *rhtasv1alpha1.TimestampAuthority) bool {
@@ -332,7 +333,7 @@ func Test_SignerHandle(t *testing.T) {
 			setup: func(instance *rhtasv1alpha1.TimestampAuthority) (client.WithWatch, action.Action[*rhtasv1alpha1.TimestampAuthority]) {
 				instance.Status.Conditions[0].Reason = constants.Pending
 				client := testAction.FakeClientBuilder().WithObjects(instance).Build()
-				secret := support.InitTsaSecrets(instance.Namespace, "tsa-test-secret")
+				secret := tsa.CreateSecrets(instance.Namespace, "tsa-test-secret")
 				return common.TsaTestSetup(instance, t, client, NewGenerateSignerAction(), secret)
 			},
 			testCase: func(g Gomega, a action.Action[*rhtasv1alpha1.TimestampAuthority], client client.WithWatch, instance *rhtasv1alpha1.TimestampAuthority) bool {

internal/controller/tsa/tsa_hot_update_test.go

@@ -20,14 +20,15 @@ import (
 	"context"
 	"time"
 
+	"github.com/securesign/operator/test/e2e/support/tas/tsa"
+
 	k8sTest "github.com/securesign/operator/internal/testing/kubernetes"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/constants"
 	"github.com/securesign/operator/internal/controller/tsa/actions"
-	"github.com/securesign/operator/test/e2e/support"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
@@ -186,7 +187,7 @@ var _ = Describe("Timestamp Authority hot update", func() {
 			}).Should(Equal(constants.Pending))
 
 			By("Creating new certificate chain and signer keys")
-			secret := support.InitTsaSecrets(Namespace, "tsa-test-secret")
+			secret := tsa.CreateSecrets(Namespace, "tsa-test-secret")
 			Expect(k8sClient.Create(context.TODO(), secret)).NotTo(HaveOccurred())
 
 			By("Status field changed for cert chain")

test/e2e/byodb_test.go

@@ -4,15 +4,13 @@ package e2e
 
 import (
 	"context"
-	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 	"github.com/securesign/operator/test/e2e/support"
 	"github.com/securesign/operator/test/e2e/support/tas"
-	clients "github.com/securesign/operator/test/e2e/support/tas/cli"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@@ -25,7 +23,7 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 
 	var targetImageName string
 	var namespace *v1.Namespace
-	var securesign *v1alpha1.Securesign
+	var s *v1alpha1.Securesign
 
 	AfterEach(func() {
 		if CurrentSpecReport().Failed() && support.IsCIEnvironment() {
@@ -39,7 +37,7 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 			_ = cli.Delete(ctx, namespace)
 		})
 
-		securesign = &v1alpha1.Securesign{
+		s = &v1alpha1.Securesign{
 			ObjectMeta: metav1.ObjectMeta{
 				Namespace: namespace.Name,
 				Name:      "test",
@@ -132,18 +130,12 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 
 	Describe("Install with byodb", func() {
 		BeforeAll(func() {
-			Expect(createDB(ctx, cli, namespace.Name, securesign.Spec.Trillian.Db.DatabaseSecretRef.Name)).To(Succeed())
-			Expect(cli.Create(ctx, securesign)).To(Succeed())
+			Expect(createDB(ctx, cli, namespace.Name, s.Spec.Trillian.Db.DatabaseSecretRef.Name)).To(Succeed())
+			Expect(cli.Create(ctx, s)).To(Succeed())
 		})
 
 		It("All components are running", func() {
-			tas.VerifySecuresign(ctx, cli, namespace.Name, securesign.Name)
-			tas.VerifyTrillian(ctx, cli, namespace.Name, securesign.Name, false)
-			tas.VerifyFulcio(ctx, cli, namespace.Name, securesign.Name)
-			tas.VerifyRekor(ctx, cli, namespace.Name, securesign.Name)
-			tas.VerifyCTLog(ctx, cli, namespace.Name, securesign.Name)
-			tas.VerifyTuf(ctx, cli, namespace.Name, securesign.Name)
-			tas.VerifyTSA(ctx, cli, namespace.Name, securesign.Name)
+			tas.VerifyAllComponents(ctx, cli, s, false)
 		})
 
 		It("No other DB is created", func() {
@@ -153,50 +145,7 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 		})
 
 		It("Use cosign cli", func() {
-			fulcio := tas.GetFulcio(ctx, cli, namespace.Name, securesign.Name)()
-			Expect(fulcio).ToNot(BeNil())
-
-			rekor := tas.GetRekor(ctx, cli, namespace.Name, securesign.Name)()
-			Expect(rekor).ToNot(BeNil())
-
-			tuf := tas.GetTuf(ctx, cli, namespace.Name, securesign.Name)()
-			Expect(tuf).ToNot(BeNil())
-
-			tsa := tas.GetTSA(ctx, cli, namespace.Name, securesign.Name)()
-			Expect(tsa).ToNot(BeNil())
-
-			Eventually(func() error {
-				return tas.GetTSACertificateChain(ctx, cli, tsa.Namespace, tsa.Name, tsa.Status.Url)
-			}).Should(Succeed())
-
-			oidcToken, err := support.OidcToken(ctx)
-			Expect(err).ToNot(HaveOccurred())
-			Expect(oidcToken).ToNot(BeEmpty())
-
-			// sleep for a while to be sure everything has settled down
-			time.Sleep(time.Duration(10) * time.Second)
-
-			Expect(clients.Execute("cosign", "initialize", "--mirror="+tuf.Status.Url, "--root="+tuf.Status.Url+"/root.json")).To(Succeed())
-
-			Expect(clients.Execute(
-				"cosign", "sign", "-y",
-				"--fulcio-url="+fulcio.Status.Url,
-				"--rekor-url="+rekor.Status.Url,
-				"--timestamp-server-url="+tsa.Status.Url+"/api/v1/timestamp",
-				"--oidc-issuer="+support.OidcIssuerUrl(),
-				"--oidc-client-id="+support.OidcClientID(),
-				"--identity-token="+oidcToken,
-				targetImageName,
-			)).To(Succeed())
-
-			Expect(clients.Execute(
-				"cosign", "verify",
-				"--rekor-url="+rekor.Status.Url,
-				"--timestamp-certificate-chain=ts_chain.pem",
-				"--certificate-identity-regexp", ".*@redhat",
-				"--certificate-oidc-issuer-regexp", ".*keycloak.*",
-				targetImageName,
-			)).To(Succeed())
+			tas.VerifyByCosign(ctx, cli, s, targetImageName)
 		})
 	})
 })