
USHIFT-6635: Add service account token CA bundle test#6268

Open
pacevedom wants to merge 1 commit into openshift:main from pacevedom:OCPBUGS-77079

Conversation

@pacevedom
Contributor

@pacevedom pacevedom commented Feb 23, 2026

Summary by CodeRabbit

  • Tests
    • Added a new test suite to validate the service account CA bundle is present and non-empty.
    • Confirms the bundle includes the expected certificate signers: kube-apiserver-localhost-signer, kube-apiserver-service-network-signer, and kube-apiserver-external-signer.
    • Reuses existing test tooling and includes suite-level setup/teardown for scoped environment management.

@openshift-ci-robot openshift-ci-robot added the labels jira/valid-reference (indicates that this PR references a valid Jira ticket of any type) and jira/invalid-bug (indicates that a referenced Jira bug is invalid for the branch this PR is targeting) Feb 23, 2026
@openshift-ci-robot

@pacevedom: This pull request references Jira Issue OCPBUGS-77079, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is Verified instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@pacevedom
Contributor Author

/hold

@coderabbitai

coderabbitai bot commented Feb 23, 2026

📝 Walkthrough

Walkthrough

Adds a Robot Framework test suite that validates the service account CA bundle by extracting certificate subjects from a PEM ConfigMap and asserting required signers are present; includes suite setup/teardown, resources, variables, and a keyword that uses OpenSSL to extract subjects.

Changes

test/suites/standard2/validate-service-account-ca-bundle.robot (Service Account CA Bundle Test Suite): New Robot Framework test added. Defines suite setup/teardown and resource imports, adds variables (including ROOT_CA_CONFIGMAP_NAME), implements a test that fetches the kube-root-ca.crt ConfigMap, extracts the CA PEM bundle, asserts it's non-empty, and verifies presence of three signer subjects. Adds keyword Get Certificate Subjects From Bundle that pipes the PEM bundle through OpenSSL to list certificate subjects.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: Passed (check skipped; CodeRabbit's high-level summary is enabled).
Docstring Coverage: Passed (no functions found in the changed files to evaluate docstring coverage; check skipped).
Title check: Passed (the PR title accurately describes the main change: adding a test suite for validating service account token CA bundle contents in the kube-root-ca.crt ConfigMap).


@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 23, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Inline comments:
In `@test/suites/standard2/validate-service-account-ca-bundle.robot`:
- Around line 68-70: The test uses the Robot keyword Command Should Work to run
"grep -c 'BEGIN CERTIFICATE' ${ca_bundle_path}" but grep -c returns exit code 1
when there are zero matches, causing Command Should Work to fail earlier and
mask the intended numeric assertion; modify the command invoked via Command
Should Work so its pipeline cannot exit nonzero on zero matches (e.g., append
"|| echo 0" or "|| true" to the grep invocation) so ${stdout} still contains a
numeric count and the subsequent assertion (e.g., Should Be Equal As Integers)
can report the actual certificate count; update the line that produces ${stdout}
and keep the Log ${stdout} usage unchanged.
- Around line 21-37: The CA bundle subject/count helpers may fail on root-only
files; update the implementations of Get CA Bundle Subjects and Get CA Bundle
Certificate Count to run their subprocesses with sudo by prefixing the openssl
call in Get CA Bundle Subjects (the openssl crl2pkcs7 -nocrl -certfile ... |
openssl pkcs7 -print_certs -text -noout pipeline) with sudo and prefixing the
grep call in Get CA Bundle Certificate Count (grep -c 'BEGIN CERTIFICATE'
${ca_bundle_path}) with sudo so both commands read the bundle with elevated
privileges.


📥 Commits

Reviewing files that changed from the base of the PR and between 2bae54f and 2cebef0.

📒 Files selected for processing (1)
  • test/suites/standard2/validate-service-account-ca-bundle.robot
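The two review findings above (grep -c exiting 1 on zero matches, and a bundle that is only root-readable) in stand-alone shell form, as an added example that is not part of the PR or of MicroShift's test suite. It assumes only POSIX sh, grep, awk and sed; cert_subjects additionally needs openssl on the host, and its per-block `openssl x509 -subject` loop is a substitute for the crl2pkcs7/pkcs7 pipeline the PR's keyword uses, not that keyword itself. Rather than appending `|| echo 0`, count_certs inspects grep's exit status: grep -c already prints `0` when nothing matches, so an extra `echo 0` would produce a second `0` line on stdout.

```shell
#!/bin/sh
# Added example, not code from the MicroShift PR: shell helpers for checking a
# service-account CA bundle (the ca.crt key of the kube-root-ca.crt ConfigMap).
# All helpers read the bundle on stdin, so the caller decides how to open a
# root-only file (e.g. `sudo cat /path/ca.crt | count_certs`).

# Count the certificates in a PEM bundle read from stdin.
# grep -c always prints the count, but exits 1 when the count is 0, so a caller
# that treats any non-zero exit as failure never gets to the numeric assertion.
# Exit status here: 0 with the count on stdout for any count (including zero),
# 2 only for a real grep error (grep itself exits 2 on unreadable input).
count_certs() {
    if n=$(grep -c 'BEGIN CERTIFICATE'); then
        echo "$n"
    elif [ "$n" = "0" ]; then
        echo 0
    else
        return 2
    fi
}

# Print one subject line per certificate in a PEM bundle read from stdin.
# Each PEM block is handed to `openssl x509` on its own, so the output does not
# depend on how a given OpenSSL version renders a PKCS#7 dump. Needs openssl.
cert_subjects() {
    awk -v cmd='openssl x509 -noout -subject' '
        /-----BEGIN CERTIFICATE-----/ { buf = "" }
        { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { printf("%s", buf) | cmd; close(cmd) }
    ' | sed 's/^subject=//'
}

# Given subject lines (one per line, as printed by cert_subjects) followed by
# the signer names that must be present, report every missing signer on stderr
# and return 1 if any is missing. Matching is a fixed-string substring match on
# the subject line, so a signer name that is a prefix of another would also
# match that other; the three MicroShift signer names do not overlap that way.
require_signers() {
    subjects="$1"
    shift
    rc=0
    for signer in "$@"; do
        if ! printf '%s\n' "$subjects" | grep -qF -- "$signer"; then
            echo "missing signer: $signer" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: ./check-ca-bundle.sh /path/to/ca.crt
# The ConfigMap copy can be exported with
#   oc get configmap kube-root-ca.crt -n default -o jsonpath='{.data.ca\.crt}' > ca.crt
if [ -n "${1:-}" ]; then
    count=$(count_certs < "$1")
    echo "certificates in bundle: $count"
    [ "$count" -gt 0 ] || { echo "bundle is empty" >&2; exit 1; }
    subjects=$(cert_subjects < "$1")
    printf '%s\n' "$subjects"
    require_signers "$subjects" \
        kube-apiserver-localhost-signer \
        kube-apiserver-service-network-signer \
        kube-apiserver-external-signer
fi
```

Because the helpers never open files themselves, a root-only bundle on the host is handled by the caller (`sudo cat` into the pipe) rather than by prefixing each tool with sudo, and the count stays a single number whether the bundle holds three certificates or none.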

@openshift-ci openshift-ci bot requested review from agullon and jogeo February 23, 2026 16:46
@openshift-ci
Contributor

openshift-ci bot commented Feb 23, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pacevedom


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 23, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 23, 2026

@pacevedom: all tests passed!


@pacevedom
Contributor Author

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 24, 2026
@pacevedom pacevedom changed the title OCPBUGS-77079: Add service account token CA bundle test USHIFT-6635: Add service account token CA bundle test Feb 24, 2026
@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Feb 24, 2026
@openshift-ci-robot

openshift-ci-robot commented Feb 24, 2026

@pacevedom: This pull request references USHIFT-6635 which is a valid jira issue.



Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
