
USHIFT-6985: Add retry to Root CA ConfigMap signer verification#6806

Merged
kasturinarra merged 2 commits into
openshift:release-4.22from
kasturinarra:fix-root-ca-configmap-retry
Jun 5, 2026

Conversation

@kasturinarra
Contributor

@kasturinarra kasturinarra commented Jun 4, 2026

Summary

  • The Root CA ConfigMap Contains All Signers test fails intermittently on ARM (aarch64) in ISO image scenarios (el98-lrel@iso-standard2) because the kube-root-ca.crt ConfigMap is not fully populated by the time the test runs.
  • Wraps the entire verification (ConfigMap fetch + openssl subject extraction + signer assertions) in Wait Until Keyword Succeeds with a 60s timeout and 5s retry interval.
  • The test passes consistently on x86_64 and on ARM in non-ISO scenarios; only the ISO installation path on ARM exhibits this timing issue.

Evidence

Test plan

  • Verify the test passes on ARM ISO scenarios with the retry
  • Confirm no regression on x86_64 standard2 scenarios

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Tests
    • Enhanced Root CA ConfigMap validation test with retry logic to improve reliability in verifying certificate signer identities.
    • Refactored CA bundle verification logic into a dedicated test keyword for improved test organization and maintainability.
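As an added illustration (not code from this PR or from the MicroShift repository), the following POSIX shell script sketches the same three-step check the PR wraps in a retry loop: fetch the CA bundle, extract each certificate's subject with openssl, and assert that every expected signer is present. The ConfigMap fetch is simulated, since the real one needs a running cluster: a constructed bundle gains one certificate per call, modelling a kube-root-ca.crt that is still being populated when the check first runs. The signer names (signer-a, signer-b, signer-c), the file names and the helper names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the MicroShift PR: a POSIX shell sketch of the
# "fetch ConfigMap -> extract subjects -> assert signers" check with the
# retry loop the PR adds around it. Everything below is constructed for the
# demo: the signer names, the file names and the simulated fetch.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Placeholder signer names (the product's real signer subjects are not used here).
EXPECTED_SIGNERS="signer-a signer-b signer-c"

# Constructed sample certificates: one self-signed cert per expected signer.
for name in $EXPECTED_SIGNERS; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
done

# Simulated ConfigMap fetch standing in for reading kube-root-ca.crt from the
# cluster: each call writes one more certificate than the last, modelling a
# ca.crt that is still being populated when the check first runs.
FETCH_COUNT=0
fetch_ca_bundle() {
    out=$1
    FETCH_COUNT=$((FETCH_COUNT + 1))
    : > "$out"
    n=0
    for name in $EXPECTED_SIGNERS; do
        n=$((n + 1))
        if [ "$n" -le "$FETCH_COUNT" ]; then
            cat "$WORK/$name.crt" >> "$out"
        fi
    done
}

# Split a PEM bundle into single certificates and print each subject
# in RFC 2253 form (e.g. "CN=signer-a"), one per line.
bundle_subjects() {
    rm -f "$WORK"/cert-*.pem
    awk -v dir="$WORK" '
        /-----BEGIN CERTIFICATE-----/ { i++; f = dir "/cert-" i ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
    for f in "$WORK"/cert-*.pem; do
        [ -e "$f" ] || continue
        openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
    done
    return 0
}

# The assertions: ca.crt must be non-empty and every expected signer present.
# Returns non-zero on any failure so the retry loop can decide to try again.
verify_signers() {
    bundle=$1
    [ -s "$bundle" ] || { echo "ca.crt is empty" >&2; return 1; }
    subjects=$(bundle_subjects "$bundle")
    for name in $EXPECTED_SIGNERS; do
        echo "$subjects" | grep -qx "CN=$name" \
            || { echo "signer CN=$name not in bundle yet" >&2; return 1; }
    done
    return 0
}

# One attempt: fetch, then verify. This is the unit the retry loop reruns.
fetch_and_verify() {
    fetch_ca_bundle "$WORK/ca.crt"
    verify_signers "$WORK/ca.crt"
}

# Shell equivalent of Robot's "Wait Until Keyword Succeeds  <timeout>  <interval>":
# rerun the whole command until it succeeds or the time budget is spent.
wait_until_succeeds() {
    timeout=$1; interval=$2; shift 2
    elapsed=0
    while ! "$@"; do
        elapsed=$((elapsed + interval))
        [ "$elapsed" -lt "$timeout" ] || return 1
        sleep "$interval"
    done
    return 0
}

# Demo run: the PR uses 60s/5s; a 1s interval keeps the demo short.
FETCH_COUNT=0
wait_until_succeeds 60 1 fetch_and_verify
echo "verified after $FETCH_COUNT fetch(es)"
```

The retry only hides the slow population of the ConfigMap, not a genuinely wrong bundle: an empty ca.crt or a missing signer still fails every attempt, so the bounded timeout turns a race into a deterministic pass or a clear failure rather than silently weakening the assertion.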

@coderabbitai
Contributor

coderabbitai Bot commented Jun 4, 2026

Walkthrough

This PR refactors a service account CA bundle test to add retry logic. The "Root CA ConfigMap Contains All Signers" test case now wraps validation in a Wait Until Keyword Succeeds loop with a new Verify Root CA ConfigMap Has All Signers keyword that centralizes ConfigMap retrieval, bundle validation, and signer identity assertions.

Changes

CA Bundle Verification Refactor

Layer: CA Bundle Verification Keyword and Retry
File: test/suites/standard2/validate-service-account-ca-bundle.robot
Summary: Test case wrapped in a Wait Until Keyword Succeeds retry loop calling the new Verify Root CA ConfigMap Has All Signers keyword. The keyword fetches the kube-root-ca.crt ConfigMap, validates that ca.crt is non-empty, extracts certificate subjects, and asserts the three expected signer names.

Pre-merge checks: 15 passed
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: Passed. Custom check is for Ginkgo tests, but PR only modifies Robot Framework tests (.robot files). No Ginkgo tests affected; test names in Robot file are stable and deterministic.
  • Test Structure And Quality: Passed. PR modifies Robot Framework tests, not Ginkgo tests. Check specifies Ginkgo test review (It blocks, BeforeEach/AfterEach, Eventually patterns). Check is not applicable to this PR.
  • Microshift Test Compatibility: Passed. Custom check targets Ginkgo e2e tests; this PR modifies Robot Framework tests only, so the check is not applicable.
  • Single Node Openshift (Sno) Test Compatibility: Passed. This PR modifies a Robot Framework test file, not a Ginkgo e2e test. The SNO compatibility check only applies to Ginkgo tests (Go syntax), not MicroShift robot tests.
  • Topology-Aware Scheduling Compatibility: Passed. PR modifies only a test file (Robot Framework) to add retry logic; no deployment manifests, operator code, controllers, or scheduling constraints are introduced.
  • Ote Binary Stdout Contract: Passed. PR modifies only Robot Framework test file (.robot), not Go test code. OTE Binary Stdout Contract check applies exclusively to Go binaries/Ginkgo tests, making it inapplicable here.
  • Ipv6 And Disconnected Network Test Compatibility: Passed. PR modifies Robot Framework tests, not Ginkgo e2e tests. The custom check applies only to Ginkgo tests, making it not applicable.
  • No-Weak-Crypto: Passed. Test file contains no weak crypto (MD5, SHA1, DES, etc.), custom crypto implementations, or non-constant-time secret comparisons. OpenSSL usage is for certificate parsing only.
  • Container-Privileges: Passed. PR modifies only a Robot Framework test file (validate-service-account-ca-bundle.robot), which contains no K8s manifests or container configurations. The container-privileges check is inapplicable.
  • No-Sensitive-Data-In-Logs: Passed. The logging statement outputs X.509 certificate subject names, which are public metadata. No passwords, tokens, API keys, PII, or sensitive data are exposed.
  • Title check: Passed. The title clearly and concisely describes the main change: adding retry logic to the Root CA ConfigMap signer verification test, which directly matches the refactoring from inline assertions to a Wait Until Keyword Succeeds retry loop.

@openshift-ci openshift-ci Bot requested review from agullon and pacevedom June 4, 2026 18:56
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 4, 2026
@coderabbitai coderabbitai Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jun 4, 2026
@kasturinarra kasturinarra changed the base branch from main to release-4.22 June 4, 2026 18:58
The Root CA ConfigMap Contains All Signers test fails intermittently
on ARM (aarch64) in ISO image scenarios because the kube-root-ca.crt
ConfigMap is not fully populated when the test runs. Wrap the
verification in Wait Until Keyword Succeeds to retry for up to 60s.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@kasturinarra kasturinarra force-pushed the fix-root-ca-configmap-retry branch from 3feabaf to 2102aa0 Compare June 4, 2026 18:59
@kasturinarra
Contributor Author

/test e2e-aws-tests-bootc-release-arm-el9
/test e2e-aws-tests-bootc-release-arm-el10

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@kasturinarra
Contributor Author

/retest

@pacevedom pacevedom left a comment

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 5, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Jun 5, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kasturinarra, pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [kasturinarra,pacevedom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kasturinarra kasturinarra changed the title Add retry to Root CA ConfigMap signer verification USHIFT-6985: Add retry to Root CA ConfigMap signer verification Jun 5, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 5, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 5, 2026

@kasturinarra: This pull request references USHIFT-6985 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary

  • The Root CA ConfigMap Contains All Signers test fails intermittently on ARM (aarch64) in ISO image scenarios (el98-lrel@iso-standard2) because the kube-root-ca.crt ConfigMap is not fully populated by the time the test runs.
  • Wraps the entire verification (ConfigMap fetch + openssl subject extraction + signer assertions) in Wait Until Keyword Succeeds with a 60s timeout and 5s retry interval.
  • The test passes consistently on x86_64 and on ARM in non-ISO scenarios; only the ISO installation path on ARM exhibits this timing issue.

Evidence

Test plan

  • Verify the test passes on ARM ISO scenarios with the retry
  • Confirm no regression on x86_64 standard2 scenarios

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Tests
    • Enhanced Root CA ConfigMap validation test with retry logic to improve reliability in verifying certificate signer identities.
    • Refactored CA bundle verification logic into a dedicated test keyword for improved test organization and maintainability.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kasturinarra
Contributor Author

/test e2e-aws-tests-bootc-release-arm-el9
/test e2e-aws-tests-bootc-release-arm-el10

@kasturinarra
Contributor Author

/override ci/prow/e2e-aws-tests-bootc-release-arm-el9

@openshift-ci
Contributor

openshift-ci Bot commented Jun 5, 2026

@kasturinarra: Overrode contexts on behalf of kasturinarra: ci/prow/e2e-aws-tests-bootc-release-arm-el9

Details

In response to this:

/override ci/prow/e2e-aws-tests-bootc-release-arm-el9

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci
Contributor

openshift-ci Bot commented Jun 5, 2026

@kasturinarra: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-tests-bootc-release-arm-el9 587f5dd link true /test e2e-aws-tests-bootc-release-arm-el9

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@pacevedom
Contributor

/label backport-risk-assessed
/verified by CI

@openshift-ci openshift-ci Bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jun 5, 2026
@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 5, 2026
@openshift-ci-robot

@pacevedom: This PR has been marked as verified by CI.

Details

In response to this:

/label backport-risk-assessed
/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kasturinarra
Contributor Author

/jira refresh

@openshift-ci-robot

openshift-ci-robot commented Jun 5, 2026

@kasturinarra: This pull request references USHIFT-6985 which is a valid jira issue.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kasturinarra kasturinarra merged commit e9aa1c6 into openshift:release-4.22 Jun 5, 2026
14 checks passed
@kasturinarra
Contributor Author

/cherry-pick release-4.21

@openshift-cherrypick-robot

@kasturinarra: new pull request created: #6813

Details

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
