fix: minor bug fix in clean up and wait for TAS operator

[dbasunag]

Pull Request

Summary

Related Issues

• Fixes:
• JIRA:

How it has been tested

• Locally
• Jenkins

Additional Requirements

• If this PR introduces a new test image, did you create a PR to mirror it in disconnected environment?
• If this PR introduces new marker(s)/adds a new component, was relevant ticket created to update relevant Jenkins job?

Summary by CodeRabbit

• Tests
  • Improved Securesign test setup by explicitly creating and waiting for namespaces for active instances.
  • Replaced polling-based readiness helpers with direct condition-based waiting for more reliable test execution.
  • Enhanced teardown to ensure Securesign namespace is removed after operator uninstall, improving cleanup consistency.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/hold', '/build-push-pr-image', '/verified', '/wip', '/cherry-pick', '/lgtm'}

[coderabbitai]

📝 Walkthrough

Walkthrough

Switched Securesign readiness checks in test fixtures from custom polling/TimeoutSampler to condition-based waits; removed the is_securesign_ready helper; added explicit namespace deletion in TAS operator teardown; simplified namespace creation and waiting for ACTIVE status.

Changes

Cohort / File(s)	Summary
Test Fixture Refactoring tests/model_registry/model_registry/python_client/signing/conftest.py	Removed TimeoutExpiredError and TimeoutSampler imports; replaced manual polling with securesign.wait_for_condition(condition="Ready", status="True"); create namespace explicitly and wait for ACTIVE; added explicit deletion of SECURESIGN_NAMESPACE in installed_tas_operator teardown.
Utility Function Removal tests/model_registry/model_registry/python_client/signing/utils.py	Removed is_securesign_ready() which inspected Securesign instance Ready condition; get_tas_service_urls() unchanged.

Security findings (actionable)

• Potential blocking/unbounded wait if wait_for_condition lacks a timeout — can cause test hang / DoS of CI. Recommend ensuring an explicit timeout and hard fail. (CWE-835: Loop with Unbounded Iteration / CWE-400: Uncontrolled Resource Consumption)
• Possible race between namespace creation and deletion (time-of-check/time-of-use) when tests run concurrently; ensure namespace name isolation or retry logic to avoid deleting unrelated resources. (CWE-367: Time-of-check Time-of-use)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is entirely template placeholders with no actual content—Summary, Related Issues, and testing details are all unfilled.	Fill in the Summary section describing what was fixed and why (namespace cleanup timing, wait_for_condition migration). Provide any related JIRA/GitHub issue links and confirm testing status.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: minor bug fix in clean up and wait for TAS operator' accurately describes the main changes: cleanup improvements and TAS operator readiness handling.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

tests/model_registry/model_registry/python_client/signing/conftest.py (1)

203-203: Pass the readiness timeout explicitly.

The docstring still promises a 5-minute wait budget, but Line 203 now depends on wait_for_condition(...) defaults. Keep the timeout explicit here so hangs and timeout regressions do not depend on library behavior.

Suggested fix

-        securesign.wait_for_condition(condition="Ready", status="True")
+        securesign.wait_for_condition(
+            condition="Ready",
+            status="True",
+            timeout=Timeout.TIMEOUT_5MIN,
+        )

As per coding guidelines, "REVIEW PRIORITIES: 3. Bug-prone patterns and error handling gaps."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/model_registry/model_registry/python_client/signing/conftest.py` at
line 203, The call to securesign.wait_for_condition currently relies on its
default timeout, contradicting the docstring promise of a 5-minute readiness
budget; update the call to securesign.wait_for_condition(condition="Ready",
status="True", timeout=300) (or equivalent 5-minute param name if different) so
the timeout is passed explicitly and no longer depends on library defaults;
modify the invocation in conftest.py where securesign.wait_for_condition is
called to include the explicit 300-second timeout.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/model_registry/model_registry/python_client/signing/conftest.py`:
- Around line 154-155: The Namespace for SECURESIGN_NAMESPACE is only
referenced, not created, causing wait_for_status(Namespace.Status.ACTIVE) to
time out; construct it with ensure_exists=True so the namespace is created
before waiting (i.e., update Namespace(name=SECURESIGN_NAMESPACE) to
Namespace(name=SECURESIGN_NAMESPACE, ensure_exists=True) and keep the subsequent
wait_for_status call).
- Around line 120-123: The Namespace deletion is currently asynchronous and
namespace creation was removed; update the deletion call to ns.delete(wait=True)
to avoid a Terminating race, and restore creation by constructing the Namespace
with the admin client and ensure_exists=True (or use the context manager
pattern) so the namespace is created before waiting: e.g., use
Namespace(client=admin_client, name=SECURESIGN_NAMESPACE, ensure_exists=True) or
with Namespace(client=admin_client, name=SECURESIGN_NAMESPACE) as ns, then call
ns.wait_for_status(status=Namespace.Status.ACTIVE); ensure you reference
Namespace, SECURESIGN_NAMESPACE, ns.delete(wait=True), and
ns.wait_for_status(...) in the fix.

---

Nitpick comments:
In `@tests/model_registry/model_registry/python_client/signing/conftest.py`:
- Line 203: The call to securesign.wait_for_condition currently relies on its
default timeout, contradicting the docstring promise of a 5-minute readiness
budget; update the call to securesign.wait_for_condition(condition="Ready",
status="True", timeout=300) (or equivalent 5-minute param name if different) so
the timeout is passed explicitly and no longer depends on library defaults;
modify the invocation in conftest.py where securesign.wait_for_condition is
called to include the explicit 300-second timeout.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: c9bc60c0-6bee-412a-8a04-1dffbe0a3736

📥 Commits

Reviewing files that changed from the base of the PR and between 292742e and f882a10.

📒 Files selected for processing (2)

• tests/model_registry/model_registry/python_client/signing/conftest.py
• tests/model_registry/model_registry/python_client/signing/utils.py

💤 Files with no reviewable changes (1)

• tests/model_registry/model_registry/python_client/signing/utils.py

[fege]

/lgtm

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/model_registry/model_registry/python_client/signing/conftest.py`:
- Around line 120-123: The comment above the Namespace teardown is incorrect: it
reads "Ensure namespace exists for Securesign" but the code is deleting the
namespace; update the comment to accurately describe the teardown (e.g., "Delete
Securesign namespace if it exists") or remove it; locate the Namespace
instantiation (Namespace(name=SECURESIGN_NAMESPACE)) and the conditional using
ns.exists and ns.delete(wait=True) and change the comment to reflect deletion
rather than creation.
- Around line 154-155: The wait_for_status call on Namespace lacks an explicit
timeout which can cause indefinite hangs; update the Namespace instantiation
usage by calling ns.wait_for_status(status=Namespace.Status.ACTIVE,
timeout=Timeout.TIMEOUT_2MIN) so it matches the pattern used in
utilities/infra.py and prevents waiting forever (refer to Namespace,
wait_for_status, Namespace.Status.ACTIVE, and Timeout.TIMEOUT_2MIN to locate the
change).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 73194bc5-0e17-44ea-a497-45609059d19c

📥 Commits

Reviewing files that changed from the base of the PR and between f882a10 and c9d6f2a.

📒 Files selected for processing (1)

• tests/model_registry/model_registry/python_client/signing/conftest.py

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.