USHIFT-6743: migrate 9 api-server tests from openshift-tests-private to RF

[agullon]

Migrates 9 Ginkgo tests from openshift-tests-private into Robot Framework tests in this repo.

Each new RF test replaces a specific Ginkgo test case:

RF file	Replaces (Ginkgo test ID + name)
logging.robot	63099 — make logging config more resilient
kustomize-sources.robot	63217 — configurable manifest sources
	63298 — manifest directory scanning
audit-log.robot	72334 — Make audit log policy configurable for MicroShift
	72340 — Microshift Audit Log File Rotation
drop-in-config.robot	76468 — Drop-in configuration directory
apiserver-readiness.robot	55728 — Clients must not use an unready Kubernetes apiserver
data-dir.robot	62987 — Remove search logic for data directory
show-config.robot (modified)	62959 — Remove search logic for configuration file

Also promotes Start MicroShift Without Waiting For Systemd Readiness from lifecycle.robot to microshift-process.resource so it can be reused by apiserver-readiness.robot.

All new files are under test/suites/configuration/ and are picked up by the existing CI scenario.

Summary by CodeRabbit

• Tests
  • Added comprehensive test coverage for API server readiness during startup.
  • Added audit logging behavior validation across multiple profile configurations.
  • Added data storage directory location tests.
  • Added drop-in configuration merge and override behavior tests.
  • Added kustomize manifest path and glob pattern expansion tests.
  • Added logging level case-insensitivity validation tests.

[openshift-ci-robot]

@agullon: This pull request references USHIFT-6743 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Migrate 9 disruptive MicroShift tests from openshift-tests-private (test/extended/apiserverauth/apiserver_microshift.go) into Robot Framework tests
• All new tests placed in test/suites/configuration/ — automatically picked up by the existing el98-src@configuration.sh CI scenario
• Promote Start MicroShift Without Waiting For Systemd Readiness keyword to shared resource for reuse

New test files (6)

File	Source Test IDs	Coverage
logging.robot	63099	Case-insensitive log level parsing (4 variants)
kustomize-sources.robot	63217, 63298	Configurable manifest paths, glob patterns (7 tests)
audit-log.robot	72334, 72340	Audit profiles (None/Default/Write/All) + rotation (6 tests)
drop-in-config.robot	76468	Drop-in merge/override semantics (4 tests)
apiserver-readiness.robot	55728	API server rejects requests during startup with 429
data-dir.robot	62987	Data directory isolation — home dir not used

Modified files (3)

• show-config.robot — Added test 62959 (home directory config ignored)
• microshift-process.resource — Promoted shared keyword from lifecycle.robot
• lifecycle.robot — Removed local keyword copy (now in shared resource)

Test plan

• robot --dryrun each new .robot file for syntax validation
• Run ./test/run.sh suites/configuration/ against a MicroShift VM
• Verify lifecycle.robot still passes (keyword promoted to resource)
• Verify show-config.robot passes with the new test case

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds multiple Robot Framework test suites and a kustomize test resource to validate MicroShift configuration and behavior (API server readiness, audit logging, data directory, drop-in configs, kustomize sources, logging, show-config). Implements a shared keyword Start MicroShift Without Waiting For Systemd Readiness in test/resources/microshift-process.resource and moves a lifecycle suite to use it.

Changes

Shared Test Infrastructure

Layer / File(s)	Summary
New Keyword Implementation test/resources/microshift-process.resource	Adds Start MicroShift Without Waiting For Systemd Readiness which runs systemctl start microshift --no-block (with sudo), captures stdout/stderr/rc, logs outputs, and fails if rc != 0.
Consumer Update test/suites/osconfig/lifecycle.robot	Removes local definition of the start-without-wait keyword; suite now uses the shared implementation. Restarting MicroShift Should Be Successful On First Try now requests return_stderr=True and return_rc=True from Execute Command.

Kustomize Test Resource

Layer / File(s)	Summary
Resource Addition test/resources/kustomize-test.resource	Adds keywords Deploy Test Manifests, Remove Manifest Directory, and ConfigMap Should Not Exist to create/remove kustomize manifest dirs and assert ConfigMap absence.

Configuration Test Suites

Layer / File(s)	Summary
New Suite & Core Test test/suites/configuration/apiserver-readiness.robot	New suite and test API Server Rejects Requests During Startup; stops MicroShift, starts with --no-block, polls API endpoint with a readiness header until HTTP 429 observed or server returns ready-like codes.
New Suite test/suites/configuration/audit-log.robot	New suite validating auditLog.profile behaviors (Invalid/None/Default/WriteRequestBodies/AllRequestBodies) and rotation; includes grep-based helpers and rotation assertions.
New Suite test/suites/configuration/data-dir.robot	New suite verifying MicroShift uses /var/lib/microshift/resources and not ~/.microshift/data; adds Directory Should Be Empty/Not Be Empty helpers.
New Suite test/suites/configuration/drop-in-config.robot	New suite testing drop-in merge/override semantics: kustomize path loading, array replacement (SAN), and map-field merging across drop-ins; defines manifest dirs and kustomize snippets.
New Suite test/suites/configuration/kustomize-sources.robot	New suite validating kustomizePaths behaviors (empty disables, single/multi paths, ignored dirs, null defaults, glob expansion); adds deploy/remove manifest helpers and cleanup flows.
New Suite test/suites/configuration/logging.robot	New suite with template test Case Insensitive Log Levels checking multiple log level inputs via drop-in and journal checks.
Show Config Update test/suites/configuration/show-config.robot	Adds ${HOME_CONFIG_DIR} and ${MEMLIMIT180} and test Home Directory Config File Is Ignored validating home config is ignored until overridden by drop-in.
Suite Setup/Teardown & Helpers test/suites/...	Multiple suites add Setup/Teardown lifecycle keywords, kubeconfig handling, host login/logout, and per-test cleanup helpers (deploy/remove drop-ins, manifest dirs, namespaces).

Sequence Diagram(s)

sequenceDiagram
    rect rgba(200,200,255,0.5)
    participant Tester as Test Runner
    participant Host as Remote Host (ssh)
    participant Service as systemd / MicroShift
    participant API as kube-apiserver
    end

    Tester->>Host: systemctl stop microshift
    Tester->>Host: systemctl start microshift --no-block
    Host->>Service: start MicroShift (async)
    loop poll until ready or timeout
        Tester->>API: curl --header X-MicroShift-Reject: true /readyz
        alt during startup
            API-->>Tester: HTTP 429 (rejected)
        else once initialized
            API-->>Tester: HTTP 200/401/403 (ready-like)
        end
    end

Loading

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Ipv6 And Disconnected Network Test Compatibility	❓ Inconclusive	Custom check explicitly targets Ginkgo tests (It(), Describe(), etc.). This PR adds only Robot Framework tests, not Ginkgo. No Ginkgo code was added, so the check's scope doesn't apply.	Check targets Ginkgo; PR has Robot Framework. However, apiserver-readiness.robot uses localhost:6443 which may fail in IPv6-only disconnected environments. Review separately for IPv6 compatibility if required.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly reflects the main change: migrating 9 API server tests from openshift-tests-private to Robot Framework.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All 28 Robot Framework test names are stable and deterministic. No dynamic content (UUIDs, IPs, timestamps, pod names) detected. All names are descriptive and static.
Test Structure And Quality	✅ Passed	Custom check is designed for Ginkgo test code (Go), but PR contains only Robot Framework test files (.robot). Check is not applicable.
Microshift Test Compatibility	✅ Passed	All new test files use only standard Kubernetes resources and MicroShift configuration features. No unsupported OpenShift APIs, operators, or multi-node assumptions found.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Tests are Robot Framework-based (not Ginkgo) and target MicroShift, which is single-node by design. No multi-node or HA assumptions detected.
Topology-Aware Scheduling Compatibility	✅ Passed	Test-only code adding Robot Framework suites with simple ConfigMap fixtures. No scheduling constraints like affinity, nodeSelector, or topology spread introduced.
Ote Binary Stdout Contract	✅ Passed	PR contains only Robot Framework files, not Go binaries. OTE stdout contract applies only to Go process-level code, not Robot Framework tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agullon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [agullon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/suites/configuration/apiserver-readiness.robot`:
- Around line 30-33: Teardown currently calls the keywords in the wrong order:
"Wait For MicroShift" runs before "Setup Kubeconfig", which can cause spurious
failures if kubeconfig changes; modify the teardown sequence so that Setup
Kubeconfig is executed before Wait For MicroShift by swapping the two keyword
calls in the teardown block (reference keywords: Setup Kubeconfig, Wait For
MicroShift).

In `@test/suites/configuration/audit-log.robot`:
- Around line 175-176: The grep invocation in the Robot test (where you build
the shell command that uses ${AUDIT_LOG} and "${resource_name}" and then RETURN
${stdout.strip()}) is appending an extra "0" via `|| echo 0`, producing "0\n0"
and breaking integer assertions; replace `grep -c ... || echo 0` with either
just `grep -c ...` (grep will print 0 on no matches) or `grep -c ... || true` to
preserve a single "0" output and suppress the non-zero exit code so RETURN
${stdout.strip()} yields a single numeric string usable by Should Be Equal As
Integers.

In `@test/suites/configuration/drop-in-config.robot`:
- Around line 78-80: The test currently only asserts a non-zero exit code for
the oc get command, which is too broad; after running Run Process (which merges
stderr into stdout via stderr=STDOUT) check that the output specifically
indicates a NotFound error. Replace or add to the numeric check by asserting the
combined output variable ${result.stdout} contains the NotFound message (e.g.,
use the Robot keyword Should Contain ${result.stdout} NotFound or a regex like
"not found") while still preserving the non-zero rc check if desired; reference
the existing Run Process call and the ${result} variable to locate where to add
the Should Contain assertion instead of relying solely on Should Not Be Equal As
Integers ${result.rc} 0.

In `@test/suites/configuration/kustomize-sources.robot`:
- Around line 192-194: The test currently treats any non-zero return code from
the oc get configmap command as success; tighten it by also asserting the
command output explicitly indicates a not-found condition: after the Run Process
call that sets ${result}, keep the existing check on ${result.rc} but add an
assertion that ${result.stdout} (or ${result.stderr} if you prefer) contains a
not-found marker such as "NotFound", "not found", or "Error from server
(NotFound)" for the specific ${CONFIGMAP_NAME} in ${namespace}; use Robot
keywords like Should Contain to validate ${result.stdout} (and/or Should Contain
to check ${result.stderr}) so the spec only passes when the configmap is
actually absent.

In `@test/suites/configuration/show-config.robot`:
- Around line 77-80: The teardown currently runs "Command Should Work    rm -rf
${HOME_CONFIG_DIR}" which deletes the entire ${HOME_CONFIG_DIR}; change the
teardown to remove only the specific file created by this test (e.g.,
${HOME_CONFIG_DIR}/config.yaml) instead of recursively deleting
${HOME_CONFIG_DIR}, keeping the other teardown steps (Run Keywords, Command
Should Work, AND, Remove Drop In MicroShift Config 10-memlimit) intact; update
the "Command Should Work" invocation so it targets the single file path rather
than using rm -rf on ${HOME_CONFIG_DIR}.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 97f1c51e-3ebd-409d-bdb2-698373ecbfbc

📥 Commits

Reviewing files that changed from the base of the PR and between 9a9d010 and 939c6f7.

📒 Files selected for processing (9)

• test/resources/microshift-process.resource
• test/suites/configuration/apiserver-readiness.robot
• test/suites/configuration/audit-log.robot
• test/suites/configuration/data-dir.robot
• test/suites/configuration/drop-in-config.robot
• test/suites/configuration/kustomize-sources.robot
• test/suites/configuration/logging.robot
• test/suites/configuration/show-config.robot
• test/suites/osconfig/lifecycle.robot

💤 Files with no reviewable changes (1)

• test/suites/osconfig/lifecycle.robot

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

test/suites/configuration/audit-log.robot (1)

191-193: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

grep -c ... || echo 0 can return 0\n0 and break numeric assertions

At Line 192, Line 199, Line 206, and Line 213, the fallback appends an extra zero on no-match paths, so ${stdout.strip()} may not be a valid integer.

Proposed minimal fix

-    ...    grep -c '"${resource_name}"' ${AUDIT_LOG} || echo 0
+    ...    grep -c '"${resource_name}"' ${AUDIT_LOG} || true
...
-    ...    grep '"${resource_name}"' ${AUDIT_LOG} | grep -c '"requestObject"\\|"responseObject"' || echo 0
+    ...    grep '"${resource_name}"' ${AUDIT_LOG} | grep -c '"requestObject"\\|"responseObject"' || true
...
-    ...    grep '"${resource_name}"' ${AUDIT_LOG} | grep -E '"verb":"(create|update|patch|delete)"' | grep -c '"requestObject"' || echo 0
+    ...    grep '"${resource_name}"' ${AUDIT_LOG} | grep -E '"verb":"(create|update|patch|delete)"' | grep -c '"requestObject"' || true
...
-    ...    grep '"${resource_name}"' ${AUDIT_LOG} | grep -E '"verb":"(get|list|watch)"' | grep -c '"responseObject"' || echo 0
+    ...    grep '"${resource_name}"' ${AUDIT_LOG} | grep -E '"verb":"(get|list|watch)"' | grep -c '"responseObject"' || true

Also applies to: 198-200, 205-207, 212-214

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/suites/configuration/audit-log.robot` around lines 191 - 193, The grep
fallback can emit multiple lines (e.g. "0\n0") and break numeric assertions when
the test reads RETURN ${stdout.strip()}; update the shell expression used with
the Command Should Work call that runs grep '"${resource_name}"' ${AUDIT_LOG} so
it always yields a single integer string — for example, pipe the grep output to
tail -n1 (or use an equivalent awk/printf to print only the last/first line) so
${stdout.strip()} is a valid integer; apply this change to every occurrence of
the grep '"${resource_name}"' ${AUDIT_LOG} pattern in the file referenced by the
test.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/resources/kustomize-test.resource`:
- Around line 27-30: The Robot keyword "Remove Manifest Directory" currently
runs "rm -rf ${manifest_dir}" unsafely; change it to validate and normalize
${manifest_dir} before deletion: ensure ${manifest_dir} is not empty, not "/",
and is under an allowed base (e.g., the repo/test workspace or a known temp dir)
by resolving to an absolute path and comparing prefixes, only then run the
removal; also explicitly fail the keyword with a clear error if validation fails
or the path is outside the allowed directory to prevent accidental host-wide
deletions.

In `@test/suites/configuration/apiserver-readiness.robot`:
- Around line 49-60: The readiness poll loop currently sleeps for 0.5s between
attempts, which can miss short 429 windows; in the FOR ${i} IN RANGE loop that
runs the curl against ${APIS_ENDPOINT} with header ${READINESS_HEADER}, reduce
the Sleep interval (e.g., to 0.1s or 0.2s) to catch transient 429 responses and,
if you want to preserve the same overall timeout, proportionally increase the
iteration count (FOR ${i} IN RANGE) so total wait time remains acceptable.

---

Duplicate comments:
In `@test/suites/configuration/audit-log.robot`:
- Around line 191-193: The grep fallback can emit multiple lines (e.g. "0\n0")
and break numeric assertions when the test reads RETURN ${stdout.strip()};
update the shell expression used with the Command Should Work call that runs
grep '"${resource_name}"' ${AUDIT_LOG} so it always yields a single integer
string — for example, pipe the grep output to tail -n1 (or use an equivalent
awk/printf to print only the last/first line) so ${stdout.strip()} is a valid
integer; apply this change to every occurrence of the grep '"${resource_name}"'
${AUDIT_LOG} pattern in the file referenced by the test.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 21e46a09-2beb-43cd-85bb-f365a4f92b2e

📥 Commits

Reviewing files that changed from the base of the PR and between 939c6f7 and fc2d0fe.

📒 Files selected for processing (5)

• test/resources/kustomize-test.resource
• test/suites/configuration/apiserver-readiness.robot
• test/suites/configuration/audit-log.robot
• test/suites/configuration/drop-in-config.robot
• test/suites/configuration/kustomize-sources.robot

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

test/suites/configuration/drop-in-config.robot (1)

60-64: ⚡ Quick win

Use failure-tolerant teardown sequencing.

Line 60 uses Run Keywords ... AND ...; a single cleanup failure can block later cleanup/restart and contaminate subsequent tests. Consider Run Keyword And Continue On Failure per step (or a shared resilient cleanup keyword).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/suites/configuration/drop-in-config.robot` around lines 60 - 64, The
teardown currently chains cleanup steps using "Run Keywords" so a single failure
can abort subsequent cleanup; update the teardown to run each step with
failure-tolerant execution (e.g., replace the chained "Run Keywords" invocation
with individual "Run Keyword And Continue On Failure" calls for "Remove Drop In
MicroShift Config", "Remove Manifest Directory", "Oc Delete" and "Restart
MicroShift", or implement a single resilient cleanup keyword that internally
calls those functions with continue-on-failure behavior) to ensure all cleanup
steps execute even if one fails.

test/suites/configuration/kustomize-sources.robot (1)

88-95: ⚡ Quick win

Make teardown cleanup non-short-circuiting.

Line 88 uses Run Keywords ... AND ...; if one cleanup step fails, later steps (including restart) may be skipped, leaving state behind for following tests. Prefer per-step Run Keyword And Continue On Failure (or a helper keyword implementing that behavior).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/suites/configuration/kustomize-sources.robot` around lines 88 - 95, The
teardown currently uses a single "Run Keywords" chain which short-circuits on
the first failure; replace each chained step (the "Run Keywords" invocation
involving Remove Drop In MicroShift Config, Remove Manifest Directory for
${MANIFEST_DIR_1} and ${MANIFEST_DIR_2}, Oc Delete namespace
ksrc-multi-ns-1/ksrc-multi-ns-2, and Restart MicroShift) with individual calls
to "Run Keyword And Continue On Failure" (or a small helper keyword that wraps
each of those: Remove Drop In MicroShift Config, Remove Manifest Directory, Oc
Delete, Restart MicroShift) so every cleanup action runs even if prior ones
fail.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/suites/configuration/drop-in-config.robot`:
- Around line 74-79: The negative assertion for dropin-ns-a2 is currently
checked immediately after "Restart MicroShift" which is flaky; wrap the
"ConfigMap Should Not Exist    dropin-ns-a2" call in a "Wait Until Keyword
Succeeds" block (use the same retry parameters as the preceding check, e.g.,
"10x    10s") so the test retries the negative assertion until the API is fully
up; update the sequence that contains "Restart MicroShift", "Oc Get    configmap
dropin-ns-b    test-configmap", and the "ConfigMap Should Not Exist" check to
use this wait wrapper around the latter.

In `@test/suites/configuration/kustomize-sources.robot`:
- Around line 57-60: The negative ConfigMap existence assertion runs immediately
after restart and can fail due to transient API startup; wrap the "ConfigMap
Should Not Exist    ksrc-empty-ns" call in Robot's "Wait Until Keyword Succeeds"
to poll until the API is stable (e.g., retry every 5s for up to 60s). Replace
the direct call to ConfigMap Should Not Exist in the test with a Wait Until
Keyword Succeeds that invokes ConfigMap Should Not Exist and provide sensible
retry interval and timeout to ensure a stable post-start state.

---

Nitpick comments:
In `@test/suites/configuration/drop-in-config.robot`:
- Around line 60-64: The teardown currently chains cleanup steps using "Run
Keywords" so a single failure can abort subsequent cleanup; update the teardown
to run each step with failure-tolerant execution (e.g., replace the chained "Run
Keywords" invocation with individual "Run Keyword And Continue On Failure" calls
for "Remove Drop In MicroShift Config", "Remove Manifest Directory", "Oc Delete"
and "Restart MicroShift", or implement a single resilient cleanup keyword that
internally calls those functions with continue-on-failure behavior) to ensure
all cleanup steps execute even if one fails.

In `@test/suites/configuration/kustomize-sources.robot`:
- Around line 88-95: The teardown currently uses a single "Run Keywords" chain
which short-circuits on the first failure; replace each chained step (the "Run
Keywords" invocation involving Remove Drop In MicroShift Config, Remove Manifest
Directory for ${MANIFEST_DIR_1} and ${MANIFEST_DIR_2}, Oc Delete namespace
ksrc-multi-ns-1/ksrc-multi-ns-2, and Restart MicroShift) with individual calls
to "Run Keyword And Continue On Failure" (or a small helper keyword that wraps
each of those: Remove Drop In MicroShift Config, Remove Manifest Directory, Oc
Delete, Restart MicroShift) so every cleanup action runs even if prior ones
fail.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9e48c90a-b00c-4e13-a5cc-b0ac1c3624cf

📥 Commits

Reviewing files that changed from the base of the PR and between fc2d0fe and b756017.

📒 Files selected for processing (3)

• test/suites/configuration/audit-log.robot
• test/suites/configuration/drop-in-config.robot
• test/suites/configuration/kustomize-sources.robot

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

test/resources/kustomize-test.resource (1)

30-32: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Deletion guard is still incomplete; normalize and block base-root deletes.

Line 31 checks raw prefix only. A traversal-style path can bypass intent, and Line 32 still allows deleting /etc/microshift/ itself.

Suggested patch

 Remove Manifest Directory
     [Documentation]    Completely remove a manifest directory under /etc/microshift
     [Arguments]    ${manifest_dir}
     Should Not Be Empty    ${manifest_dir}
-    Should Start With    ${manifest_dir}    /etc/microshift/
-    Command Should Work    rm -rf ${manifest_dir}
+    ${normalized}=    Evaluate    os.path.abspath(os.path.normpath(r'''${manifest_dir}'''))    os
+    Should Start With    ${normalized}    /etc/microshift/
+    Should Not Be Equal    ${normalized}    /etc/microshift
+    Should Not Be Equal    ${normalized}    /
+    Command Should Work    rm -rf -- '${normalized}'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/resources/kustomize-test.resource` around lines 30 - 32, The test's
deletion guard around ${manifest_dir} is insufficient because it only checks raw
prefix and allows traversal or deletion of the base root; update the test to
normalize the path (resolve symlinks and collapse .. components) before checks
and assert that the normalized path is a strict child of the intended base root
(not equal to it) and not outside it; replace the "Should Start With
${manifest_dir} /etc/microshift/" check with a normalized containment assertion
and add a check that the normalized ${manifest_dir} != /etc/microshift/ to
prevent deleting the base-root, then only run "Command Should Work rm -rf
${manifest_dir}" after these validations pass.

🧹 Nitpick comments (2)

test/resources/kustomize-test.resource (1)

12-12: ⚡ Quick win

Quote and terminate mkdir args to harden path handling.

Line 12 should pass ${manifest_dir} as a single shell arg (-- + quotes) to avoid edge-case breakage from whitespace/special chars.

Suggested patch

-    Command Should Work    mkdir -p ${manifest_dir}
+    Command Should Work    mkdir -p -- '${manifest_dir}'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/resources/kustomize-test.resource` at line 12, Replace the unquoted
mkdir invocation in the "Command Should Work" test so ${manifest_dir} is passed
as a single shell argument and options are terminated; specifically modify the
test line that currently uses "mkdir -p ${manifest_dir}" (the "Command Should
Work" step) to call mkdir with a "--" terminator and quote the ${manifest_dir}
variable so paths with spaces, special chars or a leading dash are handled
safely.

test/suites/configuration/audit-log.robot (1)

87-90: ⚡ Quick win

Avoid fixed ConfigMap names when grepping a persistent audit log.

Lines 87/103/124/144 use static names, but Lines 188-214 grep the entire ${AUDIT_LOG}. Old entries from previous runs can be matched, making assertions flaky (especially zero-count checks).

Suggested refactor

+    ${run_id}=    Evaluate    __import__("uuid").uuid4().hex[:8]
-    ${cm_name}=    Set Variable    audit-none-cm
+    ${cm_name}=    Set Variable    audit-none-cm-${run_id}

Apply the same pattern to audit-default-cm, audit-write-cm, and audit-all-cm.

Also applies to: 103-107, 124-128, 144-148, 188-214

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/suites/configuration/audit-log.robot` around lines 87 - 90, The tests
use fixed ConfigMap names (e.g., audit-none-cm) when calling Oc Create and then
call the keyword Grep Audit Log Count against ${AUDIT_LOG}, which can match
stale entries from prior runs and make zero-count checks flaky; update the test
to generate and use unique ConfigMap names for each create (e.g., append a
run-specific suffix/timestamp or ${TEST_RUN_ID}) and pass that generated name
into the Grep Audit Log Count call (references: the variable ${cm_name}, the
keyword Grep Audit Log Count, and the audit ConfigMap names audit-none-cm,
audit-default-cm, audit-write-cm, audit-all-cm and ${AUDIT_LOG}); apply the same
pattern to all occurrences noted (lines around the other create/grep pairs) so
each grep only searches for the current run's ConfigMap entries.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/suites/configuration/audit-log.robot`:
- Around line 93-97: The teardown uses "Run Keywords    Oc Delete ...    AND   
Remove Drop In MicroShift Config    AND    Restart MicroShift" which aborts
remaining steps if any earlier step fails; update each teardown block (the
instances using "Run Keywords" with "Oc Delete", "Remove Drop In MicroShift
Config", and "Restart MicroShift") to ensure all cleanup steps always run by
wrapping individual steps with a continue-on-failure variant, e.g. replace
direct calls with "Run Keyword And Ignore Error    Oc Delete    configmap
${cm_name} -n ${TEST_NS} --ignore-not-found" (or "Run Keyword And Continue On
Failure" if you want failure reported but not abort), then call "Run Keyword And
Ignore Error    Remove Drop In MicroShift Config    10-audit" and "Run Keyword
And Ignore Error    Restart MicroShift" so deletion, config removal, and restart
are attempted regardless of prior failures.

In `@test/suites/configuration/show-config.robot`:
- Around line 70-72: The test currently uses "Should Not Be Equal As Integers
180 ${config.etcd.memoryLimitMB}" which allows any non-180 value; change the
assertion to assert the exact baseline value fixed in suite setup by using
"Should Be Equal As Integers 256 ${config.etcd.memoryLimitMB}" after calling the
"Show Config" keyword so the ${config.etcd.memoryLimitMB} is verified equals
256.

---

Duplicate comments:
In `@test/resources/kustomize-test.resource`:
- Around line 30-32: The test's deletion guard around ${manifest_dir} is
insufficient because it only checks raw prefix and allows traversal or deletion
of the base root; update the test to normalize the path (resolve symlinks and
collapse .. components) before checks and assert that the normalized path is a
strict child of the intended base root (not equal to it) and not outside it;
replace the "Should Start With ${manifest_dir} /etc/microshift/" check with a
normalized containment assertion and add a check that the normalized
${manifest_dir} != /etc/microshift/ to prevent deleting the base-root, then only
run "Command Should Work rm -rf ${manifest_dir}" after these validations pass.

---

Nitpick comments:
In `@test/resources/kustomize-test.resource`:
- Line 12: Replace the unquoted mkdir invocation in the "Command Should Work"
test so ${manifest_dir} is passed as a single shell argument and options are
terminated; specifically modify the test line that currently uses "mkdir -p
${manifest_dir}" (the "Command Should Work" step) to call mkdir with a "--"
terminator and quote the ${manifest_dir} variable so paths with spaces, special
chars or a leading dash are handled safely.

In `@test/suites/configuration/audit-log.robot`:
- Around line 87-90: The tests use fixed ConfigMap names (e.g., audit-none-cm)
when calling Oc Create and then call the keyword Grep Audit Log Count against
${AUDIT_LOG}, which can match stale entries from prior runs and make zero-count
checks flaky; update the test to generate and use unique ConfigMap names for
each create (e.g., append a run-specific suffix/timestamp or ${TEST_RUN_ID}) and
pass that generated name into the Grep Audit Log Count call (references: the
variable ${cm_name}, the keyword Grep Audit Log Count, and the audit ConfigMap
names audit-none-cm, audit-default-cm, audit-write-cm, audit-all-cm and
${AUDIT_LOG}); apply the same pattern to all occurrences noted (lines around the
other create/grep pairs) so each grep only searches for the current run's
ConfigMap entries.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c59facd1-d9b0-41a0-a6b6-74ed0debdc09

📥 Commits

Reviewing files that changed from the base of the PR and between b756017 and 9276907.

📒 Files selected for processing (4)

• test/resources/kustomize-test.resource
• test/suites/configuration/apiserver-readiness.robot
• test/suites/configuration/audit-log.robot
• test/suites/configuration/show-config.robot

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

test/suites/configuration/audit-log.robot (1)

192-192: ⚡ Quick win

Use guarded grep rc handling instead of || true.

Line 192 still uses || true, which can hide real grep errors. Align with the safer pattern already used elsewhere in this file (|| test $? -eq 1).

Suggested patch

-    ...    grep -c '"${resource_name}"' ${AUDIT_LOG} || true
+    ...    grep -c '"${resource_name}"' ${AUDIT_LOG} || test $? -eq 1

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/suites/configuration/audit-log.robot` at line 192, Replace the guarded
grep exit handling for the command grep -c '"${resource_name}"' ${AUDIT_LOG} ||
true with the safer pattern used elsewhere: use "|| test $? -eq 1" so only the
"no matches" exit code is allowed through while real grep errors still fail;
update that exact grep invocation in the
test/suites/configuration/audit-log.robot file accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/suites/configuration/kustomize-sources.robot`:
- Around line 88-95: The teardown uses a single "Run Keywords" chain which
short-circuits on the first failure and can skip final steps like "Restart
MicroShift"; fix by wrapping each individual teardown step (e.g., "Remove Drop
In MicroShift Config", each "Remove Manifest Directory
${MANIFEST_DIR_1}/${MANIFEST_DIR_2}", each "Oc Delete namespace ...", and
"Restart MicroShift") with "Run Keyword And Continue On Failure" so every
cleanup runs regardless of failures, replacing the current multi-step "Run
Keywords ... AND ..." pattern with separate continue-on-failure wrapped calls.

---

Nitpick comments:
In `@test/suites/configuration/audit-log.robot`:
- Line 192: Replace the guarded grep exit handling for the command grep -c
'"${resource_name}"' ${AUDIT_LOG} || true with the safer pattern used elsewhere:
use "|| test $? -eq 1" so only the "no matches" exit code is allowed through
while real grep errors still fail; update that exact grep invocation in the
test/suites/configuration/audit-log.robot file accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2149c276-ed28-4393-81e7-b87db7d451e7

📥 Commits

Reviewing files that changed from the base of the PR and between 9276907 and e77e1b0.

📒 Files selected for processing (2)

• test/suites/configuration/audit-log.robot
• test/suites/configuration/kustomize-sources.robot

[agullon]

/retest

[agullon]

/retest

[agullon]

/retest

[openshift-ci]

@agullon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-tests-bootc-upstream-arm	155f558	link	true	/test e2e-aws-tests-bootc-upstream-arm
ci/prow/e2e-aws-tests-release	155f558	link	true	/test e2e-aws-tests-release
ci/prow/e2e-aws-tests-release-arm	155f558	link	true	/test e2e-aws-tests-release-arm
ci/prow/e2e-aws-tests-bootc-upstream	155f558	link	true	/test e2e-aws-tests-bootc-upstream

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.