WIP OCPNODE-4561: Migrate OCP-59552 enable image signature verification for RHEL registries

[BhargaviGudi]

Migrates testcase OCP-59552 from openshift-tests-private to origin.

What this test validates

This test verifies that image signature verification can be enabled for Red Hat Container Registries using MachineConfig.

The test:

• Checks if worker MachineConfigPool exists
• Applies a MachineConfig to set image signature policy for worker nodes
• Waits for MCP to finish updating (with 30min timeout)
• Verifies the signature configuration in /etc/containers/policy.json
• Checks for required entries: registry.access.redhat.com, registry.redhat.io, signedBy, GPGKeys, RPM-GPG-KEY-redhat-release

Implementation details

• Helper functions follow Ginkgo best practices:
  • Use g.GinkgoHelper() in helper functions
  • No assertions in helpers, return errors to It()
  • Use framework.Logf() for logging
• Uses g.DeferCleanup() for proper cleanup with context
• Handles BeforeEach errors properly (logs and skips instead of asserting)
• MachineConfig YAML copied from openshift-tests-private

Summary by CodeRabbit

• Tests
  • Added a disruptive, serial end-to-end node test that verifies image signature policies on worker nodes and ensures Red Hat registry signature/trust rules are present.
  • Added a worker MachineConfig test fixture and embedded testdata asset to deploy the signature policy during the test.
• Documentation
  • Updated E2E test listings to include the new disruptive, serial node test for image signature verification.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci-robot]

@BhargaviGudi: No Jira issue with key OCP-59552 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Migrates testcase OCP-59552 from openshift-tests-private to origin.

What this test validates

This test verifies that image signature verification can be enabled for Red Hat Container Registries using MachineConfig.

The test:

• Checks if worker MachineConfigPool exists
• Applies a MachineConfig to set image signature policy for worker nodes
• Waits for MCP to finish updating (with 30min timeout)
• Verifies the signature configuration in /etc/containers/policy.json
• Checks for required entries: registry.access.redhat.com, registry.redhat.io, signedBy, GPGKeys, RPM-GPG-KEY-redhat-release

Implementation details

• Test is in a separate file image_signature.go following PR OCPNODE-4516: PDB configured with 100% minAvailable - Migrate - 67564 #31161 pattern
• Helper functions follow Ginkgo best practices:
• Use g.GinkgoHelper() in helper functions
• No assertions in helpers, return errors to It()
• Use framework.Logf() for logging
• Uses g.DeferCleanup() for proper cleanup with context
• Handles BeforeEach errors properly (logs and skips instead of asserting)
• MachineConfig YAML copied from openshift-tests-private

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a disruptive serial node E2E that applies a worker MachineConfig, waits for MCP rollout/rollback, and verifies /etc/containers/policy.json contains Red Hat registry signature policy entries. Includes the MachineConfig fixture, generated bindata, test suite, and helper functions.

Changes

Image Signature E2E Test Suite

Layer / File(s)	Summary
Test README entry test/extended/node/README.md	Adds openshift/disruptive-longrunning bullets for node_e2e/image_registry_config.go and node_e2e/image_signature.go, tagging the signature test [Disruptive][Serial][OTP].
Test suite implementation test/extended/node/node_e2e/image_signature.go	Adds a disruptive, serial Ginkgo test that skips on MicroShift, ensures an MCP worker exists, applies the MachineConfig, defers deletion with --ignore-not-found, and orchestrates MCP update/rollback polling.
MCP update polling helper test/extended/node/node_e2e/image_signature.go	Adds waitForMCPUpdate, polling MCP Updated condition and comparing machineCount vs updatedMachineCount until completion or timeout.
Image signature verification helper test/extended/node/node_e2e/image_signature.go	Adds checkImageSignature, which finds a ready worker, reads /etc/containers/policy.json via node exec, and asserts required registry signature policy substrings (including RPM-GPG key path).
MachineConfig fixture and bindata test/extended/testdata/node/node_e2e/machineconfig-image-signature.yaml, test/extended/testdata/bindata.go	Adds a Butane-generated worker MachineConfig writing /etc/containers/policy.json (base64, overwrite, mode 420) and embeds it into generated bindata with accessor functions and registration.

Sequence Diagram(s)

sequenceDiagram
  participant Test
  participant oc
  participant MCP
  participant WorkerNode
  Test->>oc: apply MachineConfig (machineconfig-image-signature.yaml)
  oc->>MCP: trigger worker MCP update
  MCP->>WorkerNode: rollout/rollback configuration
  Test->>WorkerNode: exec read /etc/containers/policy.json
  WorkerNode->>Test: return policy.json contents

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

p0lyn0mial

🚥 Pre-merge checks | ✅ 12 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	BeforeEach assertion at line 29 is missing a failure message. Reference test includes "failed to detect cluster type" message.	Add failure message to line 29: o.Expect(err).NotTo(o.HaveOccurred(), "failed to detect cluster type")
Topology-Aware Scheduling Compatibility	⚠️ Warning	Test assumes dedicated worker nodes exist via GetFirstReadyWorkerNode(), which fails on SNO/Two-Node topologies without ControlPlaneTopology checks like other directory tests use.	Add topology-awareness checks (skipOnSingleNodeTopology, skipOnTwoNodeTopology) or adapt node selection for SNO/TNF clusters per OpenShift topology support standards.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly references the main objective of migrating OCP-59552 to enable image signature verification for RHEL registries, matching the core content of the pull request.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	Test names in image_signature.go are stable and deterministic, using only static descriptive strings with no dynamic values or runtime-dependent content.
Microshift Test Compatibility	✅ Passed	Test protected by exutil.IsMicroShiftCluster() check with g.Skip() in BeforeEach, preventing execution on MicroShift despite using machine.openshift.io APIs.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Test is compatible with SNO: only checks machineCount != 0 (SNO has =1), works with single worker, and doesn't assume multi-node topology. MicroShift is already handled by existing skip check.
Ote Binary Stdout Contract	✅ Passed	No process-level stdout writes found: no main/init/TestMain, no fmt.Print/log/klog imports, logging uses framework.Logf (test-level) and Ginkgo APIs (which register but don't execute at init).
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Test contains no IPv4 addresses, IPv4-specific parsing, or external connectivity requirements. Only cluster-internal operations and string matching are performed.
No-Weak-Crypto	✅ Passed	No weak crypto algorithms, custom implementations, or insecure secret comparisons detected in the test files or configurations.
Container-Privileges	✅ Passed	PR adds test fixtures for image signature verification. No privileged containers, hostPID/Network/IPC, SYS_ADMIN capabilities, allowPrivilegeEscalation, or root without justification found.
No-Sensitive-Data-In-Logs	✅ Passed	Test logging only includes machine counts, MCP status, and registry names. Policy.json content never logged; only entries checked. No passwords, tokens, or sensitive data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: BhargaviGudi
Once this PR has been reviewed and has the lgtm label, please assign cpmeadors for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@BhargaviGudi: No Jira issue with key OCP-59552 exists in the tracker at https://redhat.atlassian.net.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

Details

In response to this:

Migrates testcase OCP-59552 from openshift-tests-private to origin.

What this test validates

This test verifies that image signature verification can be enabled for Red Hat Container Registries using MachineConfig.

The test:

• Checks if worker MachineConfigPool exists
• Applies a MachineConfig to set image signature policy for worker nodes
• Waits for MCP to finish updating (with 30min timeout)
• Verifies the signature configuration in /etc/containers/policy.json
• Checks for required entries: registry.access.redhat.com, registry.redhat.io, signedBy, GPGKeys, RPM-GPG-KEY-redhat-release

Implementation details

• Test is in a separate file image_signature.go following PR OCPNODE-4516: PDB configured with 100% minAvailable - Migrate - 67564 #31161 pattern
• Helper functions follow Ginkgo best practices:
• Use g.GinkgoHelper() in helper functions
• No assertions in helpers, return errors to It()
• Use framework.Logf() for logging
• Uses g.DeferCleanup() for proper cleanup with context
• Handles BeforeEach errors properly (logs and skips instead of asserting)
• MachineConfig YAML copied from openshift-tests-private

Summary by CodeRabbit

Release Notes

Tests

• Added comprehensive end-to-end test suite for image signature verification on worker nodes
• Tests validate that image signature policies for Red Hat Container Registries are correctly applied and enforced on running clusters

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

test/extended/node/node_e2e/image_signature.go (1)

98-100: 💤 Low value

Thread the caller's context into checkImageSignature instead of context.Background().

checkImageSignature ignores cancellation/timeout from the test's ctx by creating its own context.Background(). Accept a ctx context.Context (as waitForMCPUpdate does) so the poll is cancellable. The 30s total timeout is also tight for reading a freshly-rolled-out node; consider passing the timeout in as well.

♻️ Proposed signature change

-func checkImageSignature(oc *exutil.CLI) error {
+func checkImageSignature(ctx context.Context, oc *exutil.CLI, timeout time.Duration) error {
 	g.GinkgoHelper()
-	return wait.PollUntilContextTimeout(context.Background(), 10*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
+	return wait.PollUntilContextTimeout(ctx, 10*time.Second, timeout, true, func(ctx context.Context) (bool, error) {

And update the call site:

-	err = checkImageSignature(oc)
+	err = checkImageSignature(ctx, oc, 2*time.Minute)

As per coding guidelines: "context.Context for cancellation and timeouts".

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/node/node_e2e/image_signature.go` around lines 98 - 100,
checkImageSignature currently creates its own context via context.Background(),
ignoring caller cancellation; change the signature of checkImageSignature to
accept ctx context.Context (and optionally a timeout/duration parameter instead
of hard-coded 30*time.Second), use that ctx when calling
wait.PollUntilContextTimeout, and update all call sites (e.g., callers like
waitForMCPUpdate) to pass their ctx (and timeout) through so the poll is
cancellable and the total timeout can be adjusted by the caller.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/node/node_e2e/image_signature.go`:
- Around line 64-66: The current waitForMCPUpdate helper can return immediately
if the initial poll sees Updating=False; change waitForMCPUpdate so it first
waits for the MCP to enter Updating=True and only after that waits for
Updating=False (or replace its usage with existing helpers like
WaitForMCPConditionStatus/WaitForMCPToBeReady and assert
MachineConfigPoolUpdated and expected machine counts) to ensure a real rollout
occurred before returning success; also update the cleanup delete call to check
and handle the returned error instead of ignoring it.

In `@test/extended/node/README.md`:
- Line 12: The markdown line declares reference-style tags like "[OTP]" which
triggers MD052; update the text in the README so the tag is plain text instead
of a reference label—e.g., change "[OTP]" to "(OTP)" or escape the brackets (or
wrap in inline code) in the line describing node_e2e/image_signature.go so the
tag is rendered as literal text and markdownlint no longer flags it.

---

Nitpick comments:
In `@test/extended/node/node_e2e/image_signature.go`:
- Around line 98-100: checkImageSignature currently creates its own context via
context.Background(), ignoring caller cancellation; change the signature of
checkImageSignature to accept ctx context.Context (and optionally a
timeout/duration parameter instead of hard-coded 30*time.Second), use that ctx
when calling wait.PollUntilContextTimeout, and update all call sites (e.g.,
callers like waitForMCPUpdate) to pass their ctx (and timeout) through so the
poll is cancellable and the total timeout can be adjusted by the caller.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0ead5033-d40d-45e2-93c8-e883548bf80a

📥 Commits

Reviewing files that changed from the base of the PR and between 76ed5a8 and 1625768.

📒 Files selected for processing (3)

• test/extended/node/README.md
• test/extended/node/node_e2e/image_signature.go
• test/extended/testdata/node/node_e2e/machineconfig-image-signature.yaml

[openshift-ci-robot]

@BhargaviGudi: This pull request references OCPNODE-4561 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Migrates testcase OCP-59552 from openshift-tests-private to origin.

What this test validates

This test verifies that image signature verification can be enabled for Red Hat Container Registries using MachineConfig.

The test:

• Checks if worker MachineConfigPool exists
• Applies a MachineConfig to set image signature policy for worker nodes
• Waits for MCP to finish updating (with 30min timeout)
• Verifies the signature configuration in /etc/containers/policy.json
• Checks for required entries: registry.access.redhat.com, registry.redhat.io, signedBy, GPGKeys, RPM-GPG-KEY-redhat-release

Implementation details

• Test is in a separate file image_signature.go following PR OCPNODE-4516: PDB configured with 100% minAvailable - Migrate - 67564 #31161 pattern
• Helper functions follow Ginkgo best practices:
• Use g.GinkgoHelper() in helper functions
• No assertions in helpers, return errors to It()
• Use framework.Logf() for logging
• Uses g.DeferCleanup() for proper cleanup with context
• Handles BeforeEach errors properly (logs and skips instead of asserting)
• MachineConfig YAML copied from openshift-tests-private

Summary by CodeRabbit

Release Notes

Tests

• Added comprehensive end-to-end test suite for image signature verification on worker nodes
• Tests validate that image signature policies for Red Hat Container Registries are correctly applied and enforced on running clusters

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/extended/node/README.md`:
- Line 12: Update the README entry for node_e2e/image_signature.go to include
the missing Jira reference OCP-59552 for traceability; locate the line that
lists "**node_e2e/image_signature.go** - Image signature verification" and
append the OCP-59552 identifier using the same bracketed format as the existing
OCP-44820 (e.g., add "[OCP-59552]" to the bracket list following the test tags)
so the test description consistently references both Jiras.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: fc9f42f6-ffbe-425a-8eb6-9ac1ee6b4df9

📥 Commits

Reviewing files that changed from the base of the PR and between 59f67e9 and 8f51f3e.

📒 Files selected for processing (4)

• test/extended/node/README.md
• test/extended/node/node_e2e/image_signature.go
• test/extended/testdata/bindata.go
• test/extended/testdata/node/node_e2e/machineconfig-image-signature.yaml

✅ Files skipped from review due to trivial changes (2)

• test/extended/testdata/node/node_e2e/machineconfig-image-signature.yaml
• test/extended/testdata/bindata.go

🚧 Files skipped from review as they are similar to previous changes (1)

• test/extended/node/node_e2e/image_signature.go

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[BhargaviGudi]

/payload-job periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning

[openshift-ci]

@BhargaviGudi: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-disruptive-longrunning

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/5facd6a0-5e85-11f1-8c30-4ca1f195790f-0

[BhargaviGudi]

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning

[openshift-ci]

@BhargaviGudi: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/9a7b1050-5f1e-11f1-905f-95e9eb772d51-0

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[BhargaviGudi]

/payload-job periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning

[openshift-ci]

@BhargaviGudi: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command

• periodic-ci-openshift-release-main-nightly-5.0-e2e-aws-disruptive-longrunning

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/064e6620-5ffa-11f1-8159-424cfeffd77b-0

[coderabbitai]

♻️ Duplicate comments (1)

test/extended/node/node_e2e/image_signature.go (1)

50-59: ⚠️ Potential issue | 🟡 Minor | 💤 Low value

Capture and log the delete error in cleanup.

Line 52 discards the error from Execute(). While --ignore-not-found handles the common case where the resource is already deleted, other errors (permission, network) are silently swallowed. Per Go security guidelines, errors should not be ignored.

Suggested fix

 g.DeferCleanup(func(ctx context.Context) {
     g.By("Delete the MachineConfig")
-    oc.AsAdmin().WithoutNamespace().Run("delete").Args("-f", imgSignatureYAML, "--ignore-not-found").Execute()
+    if err := oc.AsAdmin().WithoutNamespace().Run("delete").Args("-f", imgSignatureYAML, "--ignore-not-found").Execute(); err != nil {
+        e2e.Logf("Warning: failed to delete MachineConfig: %v", err)
+    }

     g.By("Wait for MCP to finish rolling back")

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/node/node_e2e/image_signature.go` around lines 50 - 59, The
cleanup currently ignores the error returned by
oc.AsAdmin().WithoutNamespace().Run("delete").Args("-f", imgSignatureYAML,
"--ignore-not-found").Execute(); change this to capture the error (e.g., err :=
oc.AsAdmin().WithoutNamespace().Run("delete").Args(...).Execute()), and if err
!= nil log it (use e2e.Logf or the existing logger) with context including
imgSignatureYAML so permission/network/other failures aren't silently swallowed;
keep the existing --ignore-not-found flag and the subsequent waitForMCPUpdate
call unchanged.

🧹 Nitpick comments (1)

test/extended/node/node_e2e/image_signature.go (1)

109-143: ⚡ Quick win

Accept and propagate context for cancellation support.

checkImageSignature uses context.Background() (line 114) instead of accepting a context parameter. This is inconsistent with waitForMCPUpdate and prevents proper cancellation if the test times out or is interrupted.

Suggested refactor

-// checkImageSignature verifies that the image signature policy is correctly configured on worker nodes.
-// It checks for required entries in /etc/containers/policy.json for Red Hat registries.
-// This is a helper function and does not contain assertions.
-func checkImageSignature(oc *exutil.CLI) error {
+// checkImageSignature verifies that the image signature policy is correctly configured on worker nodes.
+// It checks for required entries in /etc/containers/policy.json for Red Hat registries.
+// This is a helper function and does not contain assertions.
+func checkImageSignature(ctx context.Context, oc *exutil.CLI) error {
 	g.GinkgoHelper()
-	return wait.PollUntilContextTimeout(context.Background(), 10*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {
+	return wait.PollUntilContextTimeout(ctx, 10*time.Second, 30*time.Second, true, func(ctx context.Context) (bool, error) {

Update the call site accordingly:

 g.By("Verify the signature configuration in /etc/containers/policy.json")
-err = checkImageSignature(oc)
+err = checkImageSignature(ctx, oc)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/extended/node/node_e2e/image_signature.go` around lines 109 - 143,
Change checkImageSignature to accept a context (e.g., func
checkImageSignature(ctx context.Context, oc *exutil.CLI) error), then use that
ctx instead of context.Background() in the wait.PollUntilContextTimeout call and
propagate it to the node command execution call (replace
nodeutils.ExecOnNodeWithChroot(...) with the context-aware variant or add ctx as
first arg if available). Update all call sites to pass the test context. Refer
to the function name checkImageSignature, the wait.PollUntilContextTimeout
invocation, and nodeutils.ExecOnNodeWithChroot so the timeout/cancellation flows
through correctly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@test/extended/node/node_e2e/image_signature.go`:
- Around line 50-59: The cleanup currently ignores the error returned by
oc.AsAdmin().WithoutNamespace().Run("delete").Args("-f", imgSignatureYAML,
"--ignore-not-found").Execute(); change this to capture the error (e.g., err :=
oc.AsAdmin().WithoutNamespace().Run("delete").Args(...).Execute()), and if err
!= nil log it (use e2e.Logf or the existing logger) with context including
imgSignatureYAML so permission/network/other failures aren't silently swallowed;
keep the existing --ignore-not-found flag and the subsequent waitForMCPUpdate
call unchanged.

---

Nitpick comments:
In `@test/extended/node/node_e2e/image_signature.go`:
- Around line 109-143: Change checkImageSignature to accept a context (e.g.,
func checkImageSignature(ctx context.Context, oc *exutil.CLI) error), then use
that ctx instead of context.Background() in the wait.PollUntilContextTimeout
call and propagate it to the node command execution call (replace
nodeutils.ExecOnNodeWithChroot(...) with the context-aware variant or add ctx as
first arg if available). Update all call sites to pass the test context. Refer
to the function name checkImageSignature, the wait.PollUntilContextTimeout
invocation, and nodeutils.ExecOnNodeWithChroot so the timeout/cancellation flows
through correctly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f081f648-5e0c-49ea-bb2c-b398d3c8abc5

📥 Commits

Reviewing files that changed from the base of the PR and between 1bc0454 and 9ddf10b.

📒 Files selected for processing (4)

• test/extended/node/README.md
• test/extended/node/node_e2e/image_signature.go
• test/extended/testdata/bindata.go
• test/extended/testdata/node/node_e2e/machineconfig-image-signature.yaml

✅ Files skipped from review due to trivial changes (2)

• test/extended/testdata/bindata.go
• test/extended/testdata/node/node_e2e/machineconfig-image-signature.yaml

[openshift-merge-bot]

Scheduling required tests:
/test e2e-aws-csi
/test e2e-aws-ovn-fips
/test e2e-aws-ovn-microshift
/test e2e-aws-ovn-microshift-serial
/test e2e-aws-ovn-serial-1of2
/test e2e-aws-ovn-serial-2of2
/test e2e-gcp-csi
/test e2e-gcp-ovn
/test e2e-gcp-ovn-upgrade
/test e2e-metal-ipi-ovn-ipv6
/test e2e-vsphere-ovn
/test e2e-vsphere-ovn-upi

[openshift-ci]

@BhargaviGudi: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.