tests: Wait for webhook to serve new cert after recovery

The certificate recovery tests (certificates_test.go) verify that a
deleted secret/caBundle gets regenerated, but do not wait for the
webhook server to actually reload and serve the new certificate.
Due to kubelet secret volume propagation delay (~60s), subsequent
tests can hit "x509: certificate signed by unknown authority" if
they call the webhook before the new cert is in place.

Add a probe in checkCertLibraryRecovery that creates a VM via the
webhook and retries until it succeeds, ensuring the new certificate
is fully operational before the test completes.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Ram Lavi <ralavi@redhat.com>

Author: RamLavi

tests/certificates_test.go

@@ -9,6 +9,8 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/util/retry"
+	kubevirtv1 "kubevirt.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/k8snetworkplumbingwg/kubemacpool/pkg/names"
 )
@@ -79,6 +81,9 @@ func checkCertLibraryRecovery(oldCABundle []byte, oldSecret *v1.Secret) {
 
 	By("checking that the caBundle is regenerated")
 	checkCaBundleRecovery(oldCABundle)
+
+	By("waiting for webhook to serve the new certificate")
+	waitForWebhookWithNewCert()
 }
 
 func GetCurrentSecret(secretName string) (*v1.Secret, error) {
@@ -120,3 +125,13 @@ func checkCaBundleRecovery(oldCABundle []byte) {
 		return caBundles, nil
 	}, timeout, pollingInterval).ShouldNot(ContainElement(oldCABundle), "should successfully renew all webhook's caBundles")
 }
+
+func waitForWebhookWithNewCert() {
+	Eventually(func(g Gomega) {
+		vm := CreateVMObject(TestNamespace,
+			[]kubevirtv1.Interface{newInterface("br", "")},
+			[]kubevirtv1.Network{newNetwork("br")})
+		g.Expect(testClient.CRClient.Create(context.TODO(), vm, client.DryRunAll)).To(Succeed(),
+			"webhook should accept requests with the new certificate")
+	}, webhookPropagationTimeout, webhookPropagationInterval).Should(Succeed())
+}