From e1260f011a4877c0894f3495d534067ddba22dc6 Mon Sep 17 00:00:00 2001 From: PillaiManish Date: Wed, 20 May 2026 11:09:00 +0530 Subject: [PATCH 1/3] NO-JIRA: Add E2E coverage reporting for secrets-store-csi-driver-operator Add coverage-instrumented image build and CI steps to collect E2E test coverage data and upload to Codecov. Co-authored-by: Cursor --- ...ecrets-store-csi-driver-operator-main.yaml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml b/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml index 5e7833adba88a..bb2bbc4d30fd4 100644 --- a/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml +++ b/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml @@ -37,6 +37,8 @@ images: - dockerfile_path: Dockerfile.mustgather from: ocp_4.14_cli to: secrets-store-csi-mustgather + - dockerfile_path: Dockerfile.coverage + to: secrets-store-csi-driver-operator-coverage operator: bundles: - as: secrets-store-csi-driver-operator-bundle @@ -96,9 +98,34 @@ tests: OO_INSTALL_NAMESPACE: openshift-cluster-csi-drivers OO_PACKAGE: secrets-store-csi-driver-operator OO_TARGET_NAMESPACES: '!all' + post: + - as: collect-coverage + best_effort: true + cli: latest + commands: hack/e2e-coverage.sh collect + credentials: + - mount_path: /var/run/secrets/codecov + name: sscsi-driver-operator-codecov-token + namespace: test-credentials + from: src + resources: + requests: + cpu: 100m + timeout: 15m0s + - chain: gather test: - ref: fips-check-fips-or-die - ref: fips-check-node-scan + - as: setup-coverage + cli: latest + commands: hack/e2e-coverage.sh setup + dependencies: + - env: COVERAGE_IMAGE + name: secrets-store-csi-driver-operator-coverage + from: src + resources: + requests: + cpu: 100m - as: test-e2e cli: latest commands: make test-e2e From 80e46c219f28a68fad1c9ea2cf8999f1d6f4808e Mon Sep 17 00:00:00 2001 From: PillaiManish Date: Mon, 22 Jun 2026 17:16:41 +0530 Subject: [PATCH 2/3] OAPE-694: Separate e2e coverage into standalone LGTM-gated test Move coverage instrumentation out of operator-e2e-fips into a new operator-e2e-coverage test that runs only after lgtm label via the pipeline controller. Enroll secrets-store-csi-driver-operator (main) in the LGTM pipeline config. Co-authored-by: Cursor --- ...ecrets-store-csi-driver-operator-main.yaml | 72 ++++++++----- ...-csi-driver-operator-main-postsubmits.yaml | 1 + ...e-csi-driver-operator-main-presubmits.yaml | 101 ++++++++++++++++++ .../pipeline-controller/lgtm-config.yaml | 3 + 4 files changed, 152 insertions(+), 25 deletions(-) diff --git a/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml b/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml index bb2bbc4d30fd4..d99a77d7f6eb3 100644 --- a/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml +++ b/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml @@ -98,34 +98,9 @@ tests: OO_INSTALL_NAMESPACE: openshift-cluster-csi-drivers OO_PACKAGE: secrets-store-csi-driver-operator OO_TARGET_NAMESPACES: '!all' - post: - - as: collect-coverage - best_effort: true - cli: latest - commands: hack/e2e-coverage.sh collect - credentials: - - mount_path: /var/run/secrets/codecov - name: sscsi-driver-operator-codecov-token - namespace: test-credentials - from: src - resources: - requests: - cpu: 100m - timeout: 15m0s - - chain: gather test: - ref: fips-check-fips-or-die - ref: fips-check-node-scan - - as: setup-coverage - cli: latest - commands: hack/e2e-coverage.sh setup - dependencies: - - env: COVERAGE_IMAGE - name: secrets-store-csi-driver-operator-coverage - from: src - resources: - requests: - cpu: 100m - as: test-e2e cli: latest commands: make test-e2e @@ -198,6 +173,53 @@ tests: OO_PACKAGE: secrets-store-csi-driver-operator OO_TARGET_NAMESPACES: '!all' workflow: openshift-e2e-gcp-csi-secrets-store +- always_run: false + as: operator-e2e-coverage + steps: + cluster_profile: openshift-org-azure + dependencies: + OO_INDEX: ci-index-secrets-store-csi-driver-operator-bundle + SECRETS_STORE_E2E_PROVIDER_IMAGE: secrets-store-csi-driver-e2eprovider + env: + OO_CHANNEL: stable + OO_INSTALL_NAMESPACE: openshift-cluster-csi-drivers + OO_PACKAGE: secrets-store-csi-driver-operator + OO_TARGET_NAMESPACES: '!all' + post: + - as: collect-coverage + best_effort: true + cli: latest + commands: hack/e2e-coverage.sh collect + credentials: + - mount_path: /var/run/secrets/codecov + name: sscsi-driver-operator-codecov-token + namespace: test-credentials + from: src + resources: + requests: + cpu: 100m + timeout: 15m0s + - chain: gather + test: + - as: setup-coverage + cli: latest + commands: hack/e2e-coverage.sh setup + dependencies: + - env: COVERAGE_IMAGE + name: secrets-store-csi-driver-operator-coverage + from: src + resources: + requests: + cpu: 100m + - as: test-e2e + cli: latest + commands: make test-e2e + from: src + resources: + requests: + cpu: 50m + memory: 100Mi + workflow: openshift-e2e-azure-csi-secrets-store - always_run: false as: operator-e2e-azure-rhcos10-fips optional: true diff --git a/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-postsubmits.yaml b/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-postsubmits.yaml index 0722c99dfe3ef..643e09378ee92 100644 --- a/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-postsubmits.yaml +++ b/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-postsubmits.yaml @@ -9,6 +9,7 @@ postsubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: diff --git a/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-presubmits.yaml b/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-presubmits.yaml index 87da52074fe2e..7487b8bcf6be5 100644 --- a/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-presubmits.yaml +++ b/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-presubmits.yaml @@ -11,6 +11,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -69,6 +70,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -152,6 +154,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -235,6 +238,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -294,6 +298,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -379,6 +384,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -464,6 +470,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -550,6 +557,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -625,6 +633,92 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )operator-e2e-azure-rhcos10-fips,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build08 + context: ci/prow/operator-e2e-coverage + decorate: true + decoration_config: + sparse_checkout_files: + - .ci-operator.yaml + - Dockerfile.coverage + - Dockerfile.mustgather + - Dockerfile.openshift + labels: + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-azure + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-secrets-store-csi-driver-operator-main-operator-e2e-coverage + rerun_command: /test operator-e2e-coverage + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=operator-e2e-coverage + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )(operator-e2e-coverage|remaining-required),?($|\s.*) - agent: kubernetes always_run: true branches: @@ -636,6 +730,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -721,6 +816,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -806,6 +902,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -891,6 +988,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -975,6 +1073,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -1041,6 +1140,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: @@ -1107,6 +1207,7 @@ presubmits: decoration_config: sparse_checkout_files: - .ci-operator.yaml + - Dockerfile.coverage - Dockerfile.mustgather - Dockerfile.openshift labels: diff --git a/core-services/pipeline-controller/lgtm-config.yaml b/core-services/pipeline-controller/lgtm-config.yaml index dc0d7993d293c..76c29d235372b 100644 --- a/core-services/pipeline-controller/lgtm-config.yaml +++ b/core-services/pipeline-controller/lgtm-config.yaml @@ -7,3 +7,6 @@ orgs: branches: - main - machine-config-operator + - name: secrets-store-csi-driver-operator + branches: + - main From 9a683b4c5492b452011f866f98c8ccf9933c0e81 Mon Sep 17 00:00:00 2001 From: PillaiManish Date: Tue, 23 Jun 2026 16:18:36 +0530 Subject: [PATCH 3/3] OAPE-694: Add publish-e2e-coverage postsubmit for Codecov baseline Add a postsubmit job that runs e2e coverage on main after merge, so Codecov has a baseline to compute PR coverage deltas against. Co-authored-by: Cursor --- ...ecrets-store-csi-driver-operator-main.yaml | 47 +++++++++++ ...-csi-driver-operator-main-postsubmits.yaml | 82 +++++++++++++++++++ 2 files changed, 129 insertions(+) diff --git a/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml b/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml index d99a77d7f6eb3..9028f94405ee8 100644 --- a/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml +++ b/ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml @@ -271,6 +271,53 @@ tests: cpu: 50m memory: 100Mi workflow: openshift-e2e-azure-csi-secrets-store +- as: publish-e2e-coverage + postsubmit: true + steps: + cluster_profile: openshift-org-azure + dependencies: + OO_INDEX: ci-index-secrets-store-csi-driver-operator-bundle + SECRETS_STORE_E2E_PROVIDER_IMAGE: secrets-store-csi-driver-e2eprovider + env: + OO_CHANNEL: stable + OO_INSTALL_NAMESPACE: openshift-cluster-csi-drivers + OO_PACKAGE: secrets-store-csi-driver-operator + OO_TARGET_NAMESPACES: '!all' + post: + - as: collect-coverage + best_effort: true + cli: latest + commands: hack/e2e-coverage.sh collect + credentials: + - mount_path: /var/run/secrets/codecov + name: sscsi-driver-operator-codecov-token + namespace: test-credentials + from: src + resources: + requests: + cpu: 100m + timeout: 15m0s + - chain: gather + test: + - as: setup-coverage + cli: latest + commands: hack/e2e-coverage.sh setup + dependencies: + - env: COVERAGE_IMAGE + name: secrets-store-csi-driver-operator-coverage + from: src + resources: + requests: + cpu: 100m + - as: test-e2e + cli: latest + commands: make test-e2e + from: src + resources: + requests: + cpu: 50m + memory: 100Mi + workflow: openshift-e2e-azure-csi-secrets-store - as: verify-deps steps: test: diff --git a/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-postsubmits.yaml b/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-postsubmits.yaml index 643e09378ee92..078b18c3f74c8 100644 --- a/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-postsubmits.yaml +++ b/ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-postsubmits.yaml @@ -64,3 +64,85 @@ postsubmits: - name: result-aggregator secret: secretName: result-aggregator + - agent: kubernetes + always_run: true + branches: + - ^main$ + cluster: build01 + decorate: true + decoration_config: + sparse_checkout_files: + - .ci-operator.yaml + - Dockerfile.coverage + - Dockerfile.mustgather + - Dockerfile.openshift + labels: + ci-operator.openshift.io/cloud: azure4 + ci-operator.openshift.io/cloud-cluster-profile: openshift-org-azure + ci.openshift.io/generator: prowgen + max_concurrency: 1 + name: branch-ci-openshift-secrets-store-csi-driver-operator-main-publish-e2e-coverage + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=publish-e2e-coverage + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator