fix: teardown issue where unprivileged user cannot delete namespace

[mwaykole]

No description provided.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Refactor
  • Standardized the use of the admin client when creating namespaces in tests, updating parameter names and function signatures for consistency.
  • Updated several test fixtures to explicitly require both admin and unprivileged clients where applicable.
  • Improved clarity and explicitness in namespace creation utilities regarding client usage.

## Summary by CodeRabbit

* **Refactor**
  * Standardized the use of admin and unprivileged clients in test fixtures and utilities.
  * Updated several test fixtures to explicitly require both admin and unprivileged clients where applicable.
  * Improved clarity and consistency in namespace and project creation logic during test setup.

## Walkthrough

The changes standardize the usage of the `admin_client` keyword argument across multiple test fixtures and the `create_ns` utility. Function signatures and calls are updated to explicitly require and pass `admin_client` instead of the ambiguous `client`, clarifying the distinction between admin and unprivileged clients in namespace and project creation logic.

## Changes

| Files/Paths                                                                                 | Change Summary                                                                                                     |
|--------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|
| tests/conftest.py, tests/model_explainability/trustyai_service/service/conftest.py,        | Updated calls to `create_ns` to use `admin_client` instead of `client`; fixture signatures updated where required. |
| tests/model_registry/negative_tests/conftest.py, tests/model_serving/model_server/upgrade/conftest.py | Changed `client` to `admin_client` in `create_ns` calls within fixtures.                                           |
| tests/model_serving/model_server/private_endpoint/conftest.py, tests/rag/conftest.py        | Fixture signatures updated to accept `admin_client`; `create_ns` calls updated to use both clients.                |
| utilities/infra.py                                                                         | Refactored `create_ns` to require `admin_client`, clarified client usage, and updated teardown/cleanup logic.      |

## Possibly related PRs

- opendatahub-io/opendatahub-tests#346: Modifies pytest fixtures to replace or add the `admin_client` parameter in place of a generic `client` parameter when calling namespace or resource creation utilities, closely related to client usage updates in test fixtures.

## Suggested labels

`Verified`

## Suggested reviewers

- dbasunag
- sheltoncyril

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1c46006 and 308eb3d.

📒 Files selected for processing (1)

• utilities/infra.py (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• utilities/infra.py

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/wip', '/build-push-pr-image', '/cherry-pick', '/verified', '/hold', '/lgtm'}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

utilities/infra.py (1)

140-166: Control flow restructuring addresses the teardown issue effectively.

The restructured logic correctly separates namespace creation and cleanup responsibilities:

• When no unprivileged_client: uses admin_client for all operations
• When unprivileged_client provided: uses it for creation but admin_client for cleanup

This addresses the PR objective by ensuring privileged operations (teardown) always use admin privileges.

Two minor issues to address:

1. Line 163: Fix the typo in comment:

-        # cleanup must be done with admin admin_client
+        # cleanup must be done with admin_client

2. Line 155: Consider using the passed admin_client for consistency:

-                ns = Namespace(client=get_client(), name=name)
+                ns = Namespace(client=admin_client, name=name)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4690e9b and 638d40b.

📒 Files selected for processing (1)

• utilities/infra.py (4 hunks)

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: adolfo-ab
PR: opendatahub-io/opendatahub-tests#334
File: tests/model_explainability/trustyai_service/test_trustyai_service.py:52-65
Timestamp: 2025-06-05T10:05:17.642Z
Learning: For TrustyAI image validation tests: operator image tests require admin_client, related_images_refs, and trustyai_operator_configmap fixtures, while service image tests would require different fixtures like trustyai_service_with_pvc_storage, model_namespace, and current_client_token.

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#354
File: tests/model_registry/rbac/test_mr_rbac.py:64-77
Timestamp: 2025-06-16T11:26:53.789Z
Learning: In Model Registry RBAC tests, client instantiation tests are designed to verify the ability to create and use the MR python client, with actual API functionality testing covered by separate existing tests.

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#354
File: tests/model_registry/rbac/conftest.py:166-175
Timestamp: 2025-06-16T11:25:39.599Z
Learning: In tests/model_registry/rbac/conftest.py, predictable names are intentionally used for test resources (like RoleBindings and groups) instead of random names. This design choice prioritizes exposing cleanup failures from previous test runs through name collisions rather than masking such issues with random names. The philosophy is that test failures should be observable and informative to help debug underlying infrastructure or cleanup issues.

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#401
File: tests/model_registry/rest_api/mariadb/conftest.py:89-110
Timestamp: 2025-07-04T00:17:47.799Z
Learning: In tests/model_registry/rest_api/mariadb/conftest.py, the model_registry_with_mariadb fixture should always use OAUTH_PROXY_CONFIG_DICT for the oauth_proxy parameter regardless of the is_model_registry_oauth parameter value, based on expected product behavior for MariaDB-backed ModelRegistry instances.

utilities/infra.py (2)

Learnt from: jiripetrlik
PR: opendatahub-io/opendatahub-tests#335
File: tests/rag/test_rag.py:0-0
Timestamp: 2025-06-19T14:32:17.658Z
Learning: The `wait_for_replicas()` method from ocp_resources.deployment.Deployment raises an exception when timeout is reached rather than returning a boolean value, so it doesn't need explicit return value checking in tests.

Learnt from: jiripetrlik
PR: opendatahub-io/opendatahub-tests#335
File: tests/rag/test_rag.py:0-0
Timestamp: 2025-06-19T14:32:17.658Z
Learning: The `wait_for_replicas()` method from ocp_resources.deployment.Deployment raises an exception when timeout is reached rather than returning a boolean value, so it doesn't need explicit return value checking in tests.

🔇 Additional comments (2)

utilities/infra.py (2)

97-97: Documentation updated correctly.

The docstring parameter description has been updated to reflect the new parameter name.

---

74-74: All create_ns callers updated to use admin_client – no further action required.

A search for create_ns( across the codebase shows only admin_client= (and unprivileged_client=) usages, with no remaining client= parameters. The breaking-change update is fully applied.

[rnetser]

/lgtm

[israel-hdez]

/lgtm

Dismissing rnester review to unblock merging, because she already approved.

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.