From 3e6c6f6bd1b10f5eb2bc2a2680c5164f018fdf2d Mon Sep 17 00:00:00 2001 From: Kasturi Narra Date: Fri, 5 Jun 2026 00:29:11 +0530 Subject: [PATCH 1/2] Add retry to Root CA ConfigMap signer verification The Root CA ConfigMap Contains All Signers test fails intermittently on ARM (aarch64) in ISO image scenarios because the kube-root-ca.crt ConfigMap is not fully populated when the test runs. Wrap the verification in Wait Until Keyword Succeeds to retry for up to 60s. Co-Authored-By: Claude Opus 4.6 --- .../standard2/validate-service-account-ca-bundle.robot | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/test/suites/standard2/validate-service-account-ca-bundle.robot b/test/suites/standard2/validate-service-account-ca-bundle.robot index 57eae2a7fc..52c81cf0ab 100644 --- a/test/suites/standard2/validate-service-account-ca-bundle.robot +++ b/test/suites/standard2/validate-service-account-ca-bundle.robot @@ -24,17 +24,19 @@ Root CA ConfigMap Contains All Signers [Documentation] Verify that the kube-root-ca.crt ConfigMap contains certificates ... from all required signers: kube-apiserver-localhost-signer, ... kube-apiserver-service-network-signer, and kube-apiserver-external-signer + Wait Until Keyword Succeeds 60s 5s + ... Verify Root CA ConfigMap Has All Signers + + +*** Keywords *** +Verify Root CA ConfigMap Has All Signers ${configmap}= Oc Get configmap ${NAMESPACE} ${ROOT_CA_CONFIGMAP_NAME} VAR ${ca_bundle}= ${configmap.data['ca.crt']} Should Not Be Empty ${ca_bundle} - ${subjects}= Get Certificate Subjects From Bundle ${ca_bundle} Should Contain ${subjects} kube-apiserver-localhost-signer Should Contain ${subjects} kube-apiserver-service-network-signer Should Contain ${subjects} kube-apiserver-external-signer - - -*** Keywords *** Get Certificate Subjects From Bundle [Documentation] Extract all certificate subjects from a PEM-encoded CA bundle string. ... For CA certificates, the Subject field contains the signer name. From e9a7240e2df59aeab4f53dcb211c013c23e22f2c Mon Sep 17 00:00:00 2001 From: Kasturi Narra Date: Fri, 5 Jun 2026 00:49:59 +0530 Subject: [PATCH 2/2] Fix robocop linting: add documentation and blank line Co-Authored-By: Claude Opus 4.6 --- test/suites/standard2/validate-service-account-ca-bundle.robot | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/suites/standard2/validate-service-account-ca-bundle.robot b/test/suites/standard2/validate-service-account-ca-bundle.robot index 52c81cf0ab..b178e0640b 100644 --- a/test/suites/standard2/validate-service-account-ca-bundle.robot +++ b/test/suites/standard2/validate-service-account-ca-bundle.robot @@ -30,6 +30,7 @@ Root CA ConfigMap Contains All Signers *** Keywords *** Verify Root CA ConfigMap Has All Signers + [Documentation] Fetch the kube-root-ca.crt ConfigMap and verify it contains all expected signers. ${configmap}= Oc Get configmap ${NAMESPACE} ${ROOT_CA_CONFIGMAP_NAME} VAR ${ca_bundle}= ${configmap.data['ca.crt']} Should Not Be Empty ${ca_bundle} @@ -37,6 +38,7 @@ Verify Root CA ConfigMap Has All Signers Should Contain ${subjects} kube-apiserver-localhost-signer Should Contain ${subjects} kube-apiserver-service-network-signer Should Contain ${subjects} kube-apiserver-external-signer + Get Certificate Subjects From Bundle [Documentation] Extract all certificate subjects from a PEM-encoded CA bundle string. ... For CA certificates, the Subject field contains the signer name.