UPSTREAM: <carry>: [OTE] add webhook tests

Migrates OLMv1 webhook operator tests from using external YAML files to
defining resources in Go structs. This change removes file dependencies,
improving test reliability and simplifying test setup.

The migration is a refactoring of code from openshift/origin#30059.
The new code uses better naming conventions and adapts the tests to work
with a controller-runtime client, enhancing test consistency and maintainability.

The migration covers all core test scenarios:
- Validating, mutating, and conversion webhooks.
- Certificate and secret rotation tolerance.

Assisted-by: Gemini

Author: camilamacedo86

openshift/tests-extension/.openshift-tests-extension/openshift_payload_olmv1.json

@@ -48,5 +48,55 @@
     "source": "openshift:payload:olmv1",
     "lifecycle": "blocking",
     "environmentSelector": {}
+  },
+  {
+    "name": "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working validating webhook",
+    "labels": {},
+    "resources": {
+      "isolation": {}
+    },
+    "source": "openshift:payload:olmv1",
+    "lifecycle": "blocking",
+    "environmentSelector": {}
+  },
+  {
+    "name": "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working mutating webhook",
+    "labels": {},
+    "resources": {
+      "isolation": {}
+    },
+    "source": "openshift:payload:olmv1",
+    "lifecycle": "blocking",
+    "environmentSelector": {}
+  },
+  {
+    "name": "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should have a working conversion webhook",
+    "labels": {},
+    "resources": {
+      "isolation": {}
+    },
+    "source": "openshift:payload:olmv1",
+    "lifecycle": "blocking",
+    "environmentSelector": {}
+  },
+  {
+    "name": "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to openshift-service-ca certificate rotation",
+    "labels": {},
+    "resources": {
+      "isolation": {}
+    },
+    "source": "openshift:payload:olmv1",
+    "lifecycle": "blocking",
+    "environmentSelector": {}
+  },
+  {
+    "name": "[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServiceCA][Skipped:Disconnected][Serial] OLMv1 operator with webhooks should be tolerant to tls secret deletion",
+    "labels": {},
+    "resources": {
+      "isolation": {}
+    },
+    "source": "openshift:payload:olmv1",
+    "lifecycle": "blocking",
+    "environmentSelector": {}
   }
 ]

openshift/tests-extension/pkg/helpers/catalogs.go

@@ -0,0 +1,52 @@
+package helpers
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	//nolint:staticcheck // ST1001: dot-imports for readability
+	. "github.com/onsi/gomega"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	olmv1 "github.com/operator-framework/operator-controller/api/v1"
+
+	"github/operator-framework-operator-controller/openshift/tests-extension/pkg/env"
+)
+
+// NewClusterCatalog returns a new ClusterCatalog object.
+// It sets the image reference as source.
+func NewClusterCatalog(name, imageRef string) *olmv1.ClusterCatalog {
+	return &olmv1.ClusterCatalog{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Spec: olmv1.ClusterCatalogSpec{
+			Source: olmv1.CatalogSource{
+				Type: olmv1.SourceTypeImage,
+				Image: &olmv1.ImageSource{
+					Ref: imageRef,
+				},
+			},
+		},
+	}
+}
+
+// ExpectCatalogToBeServing checks that the catalog with the given name is installed
+func ExpectCatalogToBeServing(ctx context.Context, name string) {
+	k8sClient := env.Get().K8sClient
+	Eventually(func(g Gomega) {
+		var catalog olmv1.ClusterCatalog
+		err := k8sClient.Get(ctx, client.ObjectKey{Name: name}, &catalog)
+		g.Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("failed to get catalog %q", name))
+
+		conditions := catalog.Status.Conditions
+		g.Expect(conditions).NotTo(BeEmpty(), fmt.Sprintf("catalog %q has empty status.conditions", name))
+
+		g.Expect(meta.IsStatusConditionPresentAndEqual(conditions, olmv1.TypeServing, metav1.ConditionTrue)).
+			To(BeTrue(), fmt.Sprintf("catalog %q is not serving", name))
+	}).WithTimeout(5 * time.Minute).WithPolling(5 * time.Second).Should(Succeed())
+}

openshift/tests-extension/pkg/helpers/cluster_extension.go

@@ -2,25 +2,27 @@ package helpers
 
 import (
 	"context"
+	"fmt"
+	"time"
 
 	//nolint:staticcheck // ST1001: dot-imports for readability
 	. "github.com/onsi/gomega"
 
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/rand"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	ocv1 "github.com/operator-framework/operator-controller/api/v1"
+	olmv1 "github.com/operator-framework/operator-controller/api/v1"
 
 	"github/operator-framework-operator-controller/openshift/tests-extension/pkg/env"
 )
 
-const openshiftOperatorsNs = "openshift-operators"
-
 // CreateClusterExtension creates a ServiceAccount, ClusterRoleBinding, and ClusterExtension using typed APIs.
 // It returns the unique suffix and a cleanup function.
-func CreateClusterExtension(packageName, version string) (string, func()) {
+func CreateClusterExtension(packageName, version, namespace string) (string, func()) {
 	ctx := context.TODO()
 	k8sClient := env.Get().K8sClient
 	unique := rand.String(8)
@@ -30,59 +32,92 @@ func CreateClusterExtension(packageName, version string) (string, func()) {
 	ceName := "install-test-ce-" + unique
 
 	// 1. Create ServiceAccount
-	sa := &corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      saName,
-			Namespace: openshiftOperatorsNs,
-		},
-	}
-	Expect(k8sClient.Create(ctx, sa)).To(Succeed(), "failed to create ServiceAccount")
+	sa := NewServiceAccount(saName, namespace)
+	Expect(k8sClient.Create(ctx, sa)).To(Succeed(),
+		"failed to create ServiceAccount")
 
 	// 2. Create ClusterRoleBinding
-	crb := &rbacv1.ClusterRoleBinding{
+	crb := NewClusterRoleBinding(crbName, "cluster-admin", saName, namespace)
+	Expect(k8sClient.Create(ctx, crb)).To(Succeed(), "failed to create ClusterRoleBinding")
+
+	// 3. Create ClusterExtension
+	ce := NewClusterExtensionObject(packageName, version, ceName, saName, namespace)
+	Expect(k8sClient.Create(ctx, ce)).To(Succeed(), "failed to create ClusterExtension")
+
+	// Cleanup closure
+	return ceName, func() {
+		_ = k8sClient.Delete(ctx, ce)
+		_ = k8sClient.Delete(ctx, crb)
+		_ = k8sClient.Delete(ctx, sa)
+	}
+}
+
+// NewServiceAccount creates a new ServiceAccount object in the openshift-operators namespace.
+func NewServiceAccount(name, namespace string) *corev1.ServiceAccount {
+	return &corev1.ServiceAccount{
 		ObjectMeta: metav1.ObjectMeta{
-			Name: crbName,
+			Name:      name,
+			Namespace: namespace,
 		},
+	}
+}
+
+// NewClusterRoleBinding creates a new ClusterRoleBinding object that binds a ClusterRole to a ServiceAccount.
+func NewClusterRoleBinding(name, roleName, saName, namespace string) *rbacv1.ClusterRoleBinding {
+	return &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{Name: name},
 		RoleRef: rbacv1.RoleRef{
 			APIGroup: "rbac.authorization.k8s.io",
 			Kind:     "ClusterRole",
-			Name:     "cluster-admin",
+			Name:     roleName,
 		},
 		Subjects: []rbacv1.Subject{{
 			Kind:      "ServiceAccount",
 			Name:      saName,
-			Namespace: openshiftOperatorsNs,
+			Namespace: namespace,
 		}},
 	}
-	Expect(k8sClient.Create(ctx, crb)).To(Succeed(), "failed to create ClusterRoleBinding")
+}
 
-	// 3. Create ClusterExtension
-	ce := &ocv1.ClusterExtension{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: ceName,
-		},
-		Spec: ocv1.ClusterExtensionSpec{
-			Namespace: openshiftOperatorsNs,
-			ServiceAccount: ocv1.ServiceAccountReference{
+// NewClusterExtensionObject creates a new ClusterExtension object with the specified package, version, name, and ServiceAccount.
+func NewClusterExtensionObject(pkg, version, ceName, saName, namespace string) *olmv1.ClusterExtension {
+	return &olmv1.ClusterExtension{
+		ObjectMeta: metav1.ObjectMeta{Name: ceName},
+		Spec: olmv1.ClusterExtensionSpec{
+			Namespace: namespace,
+			ServiceAccount: olmv1.ServiceAccountReference{
 				Name: saName,
 			},
-			Source: ocv1.SourceConfig{
-				SourceType: ocv1.SourceTypeCatalog,
-				Catalog: &ocv1.CatalogFilter{
-					PackageName:             packageName,
+			Source: olmv1.SourceConfig{
+				SourceType: olmv1.SourceTypeCatalog,
+				Catalog: &olmv1.CatalogFilter{
+					PackageName:             pkg,
 					Version:                 version,
 					Selector:                &metav1.LabelSelector{},
-					UpgradeConstraintPolicy: ocv1.UpgradeConstraintPolicyCatalogProvided,
+					UpgradeConstraintPolicy: olmv1.UpgradeConstraintPolicyCatalogProvided,
 				},
 			},
 		},
 	}
-	Expect(k8sClient.Create(ctx, ce)).To(Succeed(), "failed to create ClusterExtension")
+}
 
-	// Cleanup closure
-	return ceName, func() {
-		_ = k8sClient.Delete(ctx, ce)
-		_ = k8sClient.Delete(ctx, crb)
-		_ = k8sClient.Delete(ctx, sa)
-	}
+// ExpectClusterExtensionToBeInstalled checks that the ClusterExtension has both Progressing=True and Installed=True.
+func ExpectClusterExtensionToBeInstalled(ctx context.Context, name string) {
+	k8sClient := env.Get().K8sClient
+	Eventually(func(g Gomega) {
+		var ext olmv1.ClusterExtension
+		err := k8sClient.Get(ctx, client.ObjectKey{Name: name}, &ext)
+		g.Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("failed to get ClusterExtension %q", name))
+
+		conditions := ext.Status.Conditions
+		g.Expect(conditions).NotTo(BeEmpty(), fmt.Sprintf("ClusterExtension %q has empty status.conditions", name))
+
+		progressing := meta.FindStatusCondition(conditions, string(olmv1.TypeProgressing))
+		g.Expect(progressing).ToNot(BeNil(), "Progressing condition not found")
+		g.Expect(progressing.Status).To(Equal(metav1.ConditionTrue), "Progressing should be True")
+
+		installed := meta.FindStatusCondition(conditions, string(olmv1.TypeInstalled))
+		g.Expect(installed).ToNot(BeNil(), "Installed condition not found")
+		g.Expect(installed.Status).To(Equal(metav1.ConditionTrue), "Installed should be True")
+	}).WithTimeout(5 * time.Minute).WithPolling(1 * time.Second).Should(Succeed())
 }

openshift/tests-extension/test/olmv1.go

@@ -11,9 +11,11 @@ import (
 	. "github.com/onsi/gomega"
 
 	configv1 "github.com/openshift/api/config/v1"
+	corev1 "k8s.io/api/core/v1"
 	apiextclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/rand"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	olmv1 "github.com/operator-framework/operator-controller/api/v1"
@@ -71,37 +73,42 @@ var _ = Describe("[sig-olmv1][OCPFeatureGate:NewOLM] OLMv1 CRDs", func() {
 })
 
 var _ = Describe("[sig-olmv1][OCPFeatureGate:NewOLM][Skipped:Disconnected] OLMv1 operator installation", func() {
+	var (
+		namespace string
+		k8sClient client.Client
+	)
 	BeforeEach(func() {
 		helpers.RequireOLMv1CapabilityOnOpenshift()
+		k8sClient = env.Get().K8sClient
+		namespace = "install-test-ns-" + rand.String(4)
+
+		By(fmt.Sprintf("creating namespace %s for single-namespace tests", namespace))
+		ns := &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: namespace,
+			},
+		}
+		Expect(k8sClient.Create(context.Background(), ns)).To(Succeed(), "failed to create test namespace")
+		DeferCleanup(func() {
+			_ = k8sClient.Delete(context.Background(), ns)
+		})
 	})
+
 	It("should install a cluster extension", func(ctx SpecContext) {
 		if !env.Get().IsOpenShift {
 			Skip("Requires OCP Catalogs: not OpenShift")
 		}
 		By("applying the ClusterExtension resource")
-		name, cleanup := helpers.CreateClusterExtension("quay-operator", "3.13.0")
+		name, cleanup := helpers.CreateClusterExtension("quay-operator", "3.13.0", namespace)
 		DeferCleanup(cleanup)
 
 		By("waiting for the quay-operator ClusterExtension to be installed")
-		Eventually(func(g Gomega) {
-			k8sClient := env.Get().K8sClient
-			ce := &olmv1.ClusterExtension{}
-			err := k8sClient.Get(ctx, client.ObjectKey{Name: name}, ce)
-			g.Expect(err).ToNot(HaveOccurred())
-
-			progressing := meta.FindStatusCondition(ce.Status.Conditions, olmv1.TypeProgressing)
-			g.Expect(progressing).ToNot(BeNil())
-			g.Expect(progressing.Status).To(Equal(metav1.ConditionTrue))
-
-			installed := meta.FindStatusCondition(ce.Status.Conditions, olmv1.TypeInstalled)
-			g.Expect(installed).ToNot(BeNil())
-			g.Expect(installed.Status).To(Equal(metav1.ConditionTrue))
-		}).WithTimeout(5 * time.Minute).WithPolling(1 * time.Second).Should(Succeed())
+		helpers.ExpectClusterExtensionToBeInstalled(ctx, name)
 	})
 
 	It("should fail to install a non-existing cluster extension", func(ctx SpecContext) {
 		By("applying the ClusterExtension resource")
-		name, cleanup := helpers.CreateClusterExtension("does-not-exist", "99.99.99")
+		name, cleanup := helpers.CreateClusterExtension("does-not-exist", "99.99.99", namespace)
 		DeferCleanup(cleanup)
 
 		By("waiting for the ClusterExtension to exist")
@@ -136,7 +143,7 @@ var _ = Describe("[sig-olmv1][OCPFeatureGate:NewOLM][Skipped:Disconnected] OLMv1
 		}
 
 		By("applying the ClusterExtension resource")
-		name, cleanup := helpers.CreateClusterExtension("cluster-logging", "6.2.2")
+		name, cleanup := helpers.CreateClusterExtension("cluster-logging", "6.2.2", namespace)
 		DeferCleanup(cleanup)
 
 		By("waiting for the function-mesh ClusterExtension to be installed")