feat(e2e): add --run-as flag to run all tests as cluster-admin#574
Conversation
|
Warning Review limit reached
Next review available in: 58 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
📝 WalkthroughWalkthroughAdds a ChangesRunAs Admin Mode for E2E Tests
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Test Coverage ReportTotal: 47.6% Per-package coverage
Full function-level detailsPosted by CI |
There was a problem hiding this comment.
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@e2e-tests/framework/rbac.go`:
- Around line 141-145: The partial admin-mode setup in the namespace creation
path can leave the source namespace behind when
scenario.KubectlSrc.CreateNamespace succeeds but
scenario.KubectlTgt.CreateNamespace fails. Update the helper in rbac.go to clean
up the already-created source namespace before returning the target-side error,
using the same namespace variable and the KubectlSrc/KubectlTgt setup flow so
the failure path does not leak resources.
In `@e2e-tests/framework/scenario.go`:
- Around line 34-37: Add focused test coverage for the RunAs context rewrite in
NewMigrationScenario, since the config.RunAs == "admin" branch changes both
non-admin contexts. Create a small table-driven test around NewMigrationScenario
that exercises default mode and admin mode, and assert the resulting
srcNonAdminCtx and tgtNonAdminCtx behavior so the branch is covered and won’t
regress.
In `@e2e-tests/tests/tier0/mta_805_sets_test.go`:
- Around line 49-50: Preserve the existing skip behavior in the MTA 805 test
setup when --run-as is not admin, since SetupActiveKubectlRunners and
SetupNamespaceAdminUsersForScenario still require the non-admin kubectl
contexts. Restore the preflight Skip(...) before calling
SetupActiveKubectlRunners in the test flow so environments without admin mode
continue to be skipped instead of failing. Use the relevant setup path around
SetupActiveKubectlRunners, SetupNamespaceAdminUsersForScenario, and the
Kubectl*NonAdmin.Context handling to locate the change.
In `@e2e-tests/tests/tier0/mta_811_mongodb_non_admin_test.go`:
- Around line 123-124: The non-admin setup path in this test now hard-fails
instead of preserving the previous skip behavior when non-admin contexts are
unset. Update the test around SetupActiveKubectlRunners /
SetupNamespaceAdminUsersForScenario so that when --run-as is not "admin" and
either non-admin context is empty, it skips the test rather than returning an
error, matching the prior behavior when --run-as is not provided.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 0c67c994-672a-4d90-85cb-50de19da1c0a
📒 Files selected for processing (26)
e2e-tests/config/config.goe2e-tests/framework/rbac.goe2e-tests/framework/scenario.goe2e-tests/tests/tier0/e2e_suite_test.goe2e-tests/tests/tier0/mta_804_empty_pvc_migration_test.goe2e-tests/tests/tier0/mta_805_sets_test.goe2e-tests/tests/tier0/mta_806_pvc_data_integrity_test.goe2e-tests/tests/tier0/mta_807_data_validation_test.goe2e-tests/tests/tier0/mta_809_initcontainer_test.goe2e-tests/tests/tier0/mta_810_configmap_test.goe2e-tests/tests/tier0/mta_811_mongodb_non_admin_test.goe2e-tests/tests/tier0/mta_812_role_migration_test.goe2e-tests/tests/tier0/mta_813_cronJob_PVC_test.goe2e-tests/tests/tier0/mta_827_custom_transformation_stage_test.goe2e-tests/tests/tier0/mta_828_instructions_file_migration_test.goe2e-tests/tests/tier0/mta_831_validate_compatible_resources_offline_test.goe2e-tests/tests/tier0/mta_833_compatible_resources_live_test.goe2e-tests/tests/tier0/mta_844_validate_mixed_resources_live_test.goe2e-tests/tests/tier0/mta_845_validate_mixed_resources_offline_test.goe2e-tests/tests/tier0/mta_846_validate_single_incompatible_route_live_test.goe2e-tests/tests/tier1/e2e_suite_test.goe2e-tests/tests/tier1/mta_829_validate_alternative_gv_suggestion_test.goe2e-tests/tests/tier1/mta_830_instructions_file_force_reconcile_test.goe2e-tests/tests/tier1/mta_832_validate_alternative_gv_suggestion_offline_test.goe2e-tests/tests/tier1/mta_836_validate_core_group_omitted_offline_test.goe2e-tests/tests/tier1/mta_850_validate_duplicate_gvk_test.go
💤 Files with no reviewable changes (2)
- e2e-tests/tests/tier0/mta_846_validate_single_incompatible_route_live_test.go
- e2e-tests/tests/tier1/mta_850_validate_duplicate_gvk_test.go
- Added `RunAs` field to the configuration to allow tests to run with cluster-admin credentials. - Updated `SetupActiveNamespaceAdmin` and `SetupActiveKubectlRunners` functions to utilize the new `RunAs` configuration for managing namespace access. - Refactored multiple test cases to replace direct calls to `SetupNamespaceAdminUsersForScenario` with `SetupActiveKubectlRunners`, streamlining the process for both admin and non-admin contexts. - Removed redundant context checks in tests, simplifying the setup process. This change improves flexibility in test execution and aligns with the new configuration structure. Signed-off-by: midays <midays@redhat.com>
43b539a to
b7a9ea8
Compare
|
/rfr |
- Introduced a new GitHub Actions workflow to enforce compliance checks on non-admin e2e test files. - The workflow verifies that tests do not use deprecated functions and ensures proper context handling. - Outputs results indicating compliance status for all relevant test files. This addition enhances the testing framework by ensuring adherence to best practices in test configurations. Signed-off-by: midays <midays@redhat.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/test-compliance.yml:
- Line 16: The checkout step currently uses actions/checkout@v4 without
disabling persisted credentials, which leaves the GitHub token in local git
config unnecessarily. Update the checkout configuration to set
persist-credentials to false in the test-compliance workflow so the job can
still read files without storing credentials.
- Around line 23-24: Scope the compliance scan in the workflow so it only checks
test files changed in the current pull request instead of every *_test.go under
e2e-tests/tests. Update the file-gathering logic in the workflow step that sets
CHANGED, and keep the later violation check pointing at that PR-touched file
list so pre-existing issues like the one in mta_853_split_apply_test.go do not
fail unrelated PRs.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 215c641e-939c-4130-b08f-1e6375fa8a96
📒 Files selected for processing (1)
.github/workflows/test-compliance.yml
- Updated the compliance workflow to collect and report violations for non-admin test files more effectively. - Replaced deprecated function calls with `SetupActiveKubectlRunners` in relevant test cases. - Removed empty context checks to streamline compliance checks and improve clarity in test configurations. This change enhances the compliance verification process and aligns with best practices for non-admin test setups. Signed-off-by: midays <midays@redhat.com>
|
Claude Review: PR #574 — feat(e2e): add --run-as flag to run all tests as cluster-admin This PR adds a --run-as=admin flag that overrides non-admin e2e test contexts to use cluster-admin credentials. It introduces two new helpers Findings
** The fix is small: add an empty-context Skip inside SetupActiveKubectlRunners so
Findings importance Findings 2 and 3 are minor — they're about two validate-only tests where the non-admin distinction barely matters (they test API compatibility, not RBAC). |
| // When config.RunAs == "admin", it creates the namespace with admin credentials and returns | ||
| // admin runners directly (bypassing RBAC setup). Otherwise it delegates to | ||
| // SetupNamespaceAdminUsersForScenario to grant namespace-scoped permissions to the non-admin user. | ||
| func SetupActiveKubectlRunners(scenario MigrationScenario, namespace string) (KubectlRunner, KubectlRunner, func(), error) { |
There was a problem hiding this comment.
Hi @midays — I found one behavior change while testing this PR locally.
I checked out the PR branch and ran a focused tier0 test (MTA-810) without passing non-admin contexts (and without --run-as=admin). It now fails at setup with:
non-admin context is required
So in default mode, this path is now fail instead of skip. Previously these non-admin tests would skip when non-admin contexts were missing.
Could we restore that previous skip behavior when --run-as != admin and non-admin contexts are not provided? That would keep “when --run-as is omitted, behavior is unchanged” true.
Please let me know if there was a strong reason for failing these tests deliberately then I'll retract this comment.
Thanks.
------------------------------
ConfigMap Migration [MTA-810] Should migrate a configmap with data intact as nonadmin user [tier0]
/Users/mmansoor/Desktop/git_repos/crane-testing/crane/.worktrees/pr574-review/e2e-tests/tests/tier0/mta_810_configmap_test.go:16
STEP: Grant ns admin permissions to nonadmin user on source and target @ 07/01/26 16:29:48.801
[FAILED] in [It] - /Users/mmansoor/Desktop/git_repos/crane-testing/crane/.worktrees/pr574-review/e2e-tests/tests/tier0/mta_810_configmap_test.go:41 @ 07/01/26 16:29:48.801
[CRANE-RESULT] FAILED MTA-810
• [FAILED] [0.001 seconds]
ConfigMap Migration [It] [MTA-810] Should migrate a configmap with data intact as nonadmin user [tier0]
/Users/mmansoor/Desktop/git_repos/crane-testing/crane/.worktrees/pr574-review/e2e-tests/tests/tier0/mta_810_configmap_test.go:16
[FAILED] Unexpected error:
<*errors.errorString | 0x14000326470>:
non-admin context is required
{
s: "non-admin context is required",
}
occurred
In [It] at: /Users/mmansoor/Desktop/git_repos/crane-testing/crane/.worktrees/pr574-review/e2e-tests/tests/tier0/mta_810_configmap_test.go:41 @ 07/01/26 16:29:48.801
There was a problem hiding this comment.
Hi, thanks for the detailed feedback and for testing this locally.
The FAIL behavior is intentional. These tests were built specifically to run with non-admin context, so if the context isn't provided, that's a misconfiguration of the test run rather than an expected condition, so failing loudly is more helpful than a silent skip in that case.
Also, the Jenkins pipeline always passes --source-nonadmin-context and --target-nonadmin-context regardless of the RUN_AS_ADMIN setting, so there's no scenario in a real pipeline run where these contexts would be missing.
WDYT ?
There was a problem hiding this comment.
Right , makes sense @midays , thanks for clearing it up.
| // When config.RunAs == "admin", it creates the namespace with admin credentials and returns | ||
| // admin runners directly (bypassing RBAC setup). Otherwise it delegates to | ||
| // SetupNamespaceAdminUsersForScenario to grant namespace-scoped permissions to the non-admin user. | ||
| func SetupActiveKubectlRunners(scenario MigrationScenario, namespace string) (KubectlRunner, KubectlRunner, func(), error) { |
There was a problem hiding this comment.
Right , makes sense @midays , thanks for clearing it up.
Signed-off-by: midays <midays@redhat.com>
- Added checks to ensure that the target-nonadmin-context is not empty in both the single incompatible route and duplicate GVK validation tests. - This improvement ensures that the necessary context is available for the tests to execute correctly. Signed-off-by: midays <midays@redhat.com>
|
@istein1 thank you for sharing it, i've updated PR to fix accordingly, please note regarding the first one: this is intentional and has been addressed: #574 (comment) |
Add a --run-as=admin flag that overrides all test contexts to use
cluster-admin credentials without modifying individual test files.
Changes:
helpers that bypass RBAC setup in admin mode and log the resolved
username as proof of identity
and replace SetupNamespaceAdminUsersForScenario with
SetupActiveKubectlRunners
When --run-as is omitted, behavior is unchanged.
Jenkins Run
Summary by CodeRabbit
Summary by CodeRabbit
--run-asflag to run end-to-end tests with admin credentials.