Address the review comments

tkong · tkong · commit 06294a4ed2fa · 2026-03-18T17:47:11.000+13:00
diff --git a/test/e2e/splunk_forwarder_operator_tests.go b/test/e2e/splunk_forwarder_operator_tests.go
@@ -152,6 +152,7 @@ var _ = ginkgo.Describe("Splunk Forwarder Operator", ginkgo.Ordered, func() {
 		ginkgo.By("creating a SplunkForwarder CR with test configuration")
 		sf := makeSplunkforwarderWithIndex(
 			crName,
+			operatorNamespace,
 			"/var/log/test.log",
 			"test_index",
 			"_json",
@@ -217,7 +218,13 @@ var _ = ginkgo.Describe("Splunk Forwarder Operator", ginkgo.Ordered, func() {
 		testSourcetype := "linux_audit"
 
 		ginkgo.By("creating a SplunkForwarder CR with specific input configuration")
-		sf := makeSplunkforwarderWithIndex(crName, testPath, testIndex, testSourcetype)
+		sf := makeSplunkforwarderWithIndex(
+			crName,
+			operatorNamespace,
+			testPath,
+			testIndex,
+			testSourcetype,
+		)
 		sf.Spec.ClusterID = clusterID
 		Expect(k8s.WithNamespace(operatorNamespace).Create(ctx, &sf)).To(Succeed())
 
@@ -284,15 +291,15 @@ var _ = ginkgo.Describe("Splunk Forwarder Operator", ginkgo.Ordered, func() {
 	})
 
 	ginkgo.It("admin should be able to create and delete SplunkForwarders CR", func(ctx context.Context) {
-		sf := makeMinimalSplunkforwarder(testSplunkForwarder)
+		sf := makeMinimalSplunkforwarder(testSplunkForwarder, operatorNamespace)
 		err := k8s.WithNamespace(operatorNamespace).Create(ctx, &sf)
 		Expect(err).NotTo(HaveOccurred())
 		err = k8s.WithNamespace(operatorNamespace).Delete(ctx, &sf)
 		Expect(err).NotTo(HaveOccurred())
 	})
 
 	ginkgo.It("dedicated admin should not be able to manage SplunkForwarders CR", func(ctx context.Context) {
-		dsf := makeMinimalSplunkforwarder(dedicatedAdminSplunkForwarder)
+		dsf := makeMinimalSplunkforwarder(dedicatedAdminSplunkForwarder, operatorNamespace)
 		impersonatedResourceClient, _ := k8s.Impersonate("test-user@redhat.com", "dedicated-admins")
 		Expect(sfv1alpha1.AddToScheme(impersonatedResourceClient.GetScheme())).Should(BeNil(), "unable to register sfv1alpha1 api scheme")
 		err := impersonatedResourceClient.WithNamespace(operatorNamespace).Create(ctx, &dsf)
@@ -303,7 +310,13 @@ var _ = ginkgo.Describe("Splunk Forwarder Operator", ginkgo.Ordered, func() {
 		crName := "test-reconcile-update"
 
 		ginkgo.By("creating initial SplunkForwarder CR")
-		sf := makeSplunkforwarderWithIndex(crName, "/var/log/initial.log", "initial_index", "_json")
+		sf := makeSplunkforwarderWithIndex(
+			crName,
+			operatorNamespace,
+			"/var/log/initial.log",
+			"initial_index",
+			"_json",
+		)
 		Expect(k8s.WithNamespace(operatorNamespace).Create(ctx, &sf)).To(Succeed())
 
 		defer func() {
@@ -368,7 +381,13 @@ var _ = ginkgo.Describe("Splunk Forwarder Operator", ginkgo.Ordered, func() {
 		crName := "test-hec-connectivity"
 
 		ginkgo.By("creating SplunkForwarder CR for HEC mode")
-		sf := makeSplunkforwarderWithIndex(crName, "/var/log/hec-test.log", "hec_index", "_json")
+		sf := makeSplunkforwarderWithIndex(
+			crName,
+			operatorNamespace,
+			"/var/log/hec-test.log",
+			"hec_index",
+			"_json",
+		)
 		Expect(k8s.WithNamespace(operatorNamespace).Create(ctx, &sf)).To(Succeed())
 
 		defer func() {
@@ -514,7 +533,7 @@ var _ = ginkgo.Describe("Splunk Forwarder Operator", ginkgo.Ordered, func() {
 			Expect(k8s.Delete(ctx, &authSecret)).To(Succeed())
 
 			ginkgo.By("creating SplunkForwarder CR without auth secret present")
-			sf := makeMinimalSplunkforwarder(crName)
+			sf := makeMinimalSplunkforwarder(crName, operatorNamespace)
 			sf.Spec.SplunkInputs[0].Path = "/var/log/test.log"
 			err = k8s.WithNamespace(operatorNamespace).Create(ctx, &sf)
 
@@ -546,7 +565,13 @@ var _ = ginkgo.Describe("Splunk Forwarder Operator", ginkgo.Ordered, func() {
 		crName := "test-retry-logic"
 
 		ginkgo.By("creating SplunkForwarder CR")
-		sf := makeSplunkforwarderWithIndex(crName, "/var/log/retry.log", "retry_index", "_json")
+		sf := makeSplunkforwarderWithIndex(
+			crName,
+			operatorNamespace,
+			"/var/log/retry.log",
+			"retry_index",
+			"_json",
+		)
 		Expect(k8s.WithNamespace(operatorNamespace).Create(ctx, &sf)).To(Succeed())
 
 		defer func() {
@@ -601,7 +626,13 @@ var _ = ginkgo.Describe("Splunk Forwarder Operator", ginkgo.Ordered, func() {
 		crName := "test-deletion-cleanup"
 
 		ginkgo.By("creating SplunkForwarder CR")
-		sf := makeSplunkforwarderWithIndex(crName, "/var/log/cleanup.log", "cleanup_index", "_json")
+		sf := makeSplunkforwarderWithIndex(
+			crName,
+			operatorNamespace,
+			"/var/log/cleanup.log",
+			"cleanup_index",
+			"_json",
+		)
 		Expect(k8s.WithNamespace(operatorNamespace).Create(ctx, &sf)).To(Succeed())
 
 		ginkgo.By("waiting for resources to be created")
diff --git a/test/e2e/utils.go b/test/e2e/utils.go
@@ -5,7 +5,14 @@ package osde2etests
 
 import (
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
 	"fmt"
+	"math/big"
+	"time"
 
 	securityv1 "github.com/openshift/api/security/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -19,11 +26,11 @@ import (
 )
 
 // Create test splunkforwarder CR definition
-func makeMinimalSplunkforwarder(name string) sfv1alpha1.SplunkForwarder {
+func makeMinimalSplunkforwarder(name string, namespace string) sfv1alpha1.SplunkForwarder {
 	return sfv1alpha1.SplunkForwarder{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: operatorNamespace,
+			Namespace: namespace,
 		},
 		Spec: sfv1alpha1.SplunkForwarderSpec{
 			SplunkLicenseAccepted: true,
@@ -38,11 +45,11 @@ func makeMinimalSplunkforwarder(name string) sfv1alpha1.SplunkForwarder {
 }
 
 // makeSplunkforwarderWithIndex creates a test SplunkForwarder CR with custom index settings
-func makeSplunkforwarderWithIndex(name, path, index, sourcetype string) sfv1alpha1.SplunkForwarder {
+func makeSplunkforwarderWithIndex(name, namespace, path, index, sourcetype string) sfv1alpha1.SplunkForwarder {
 	return sfv1alpha1.SplunkForwarder{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
-			Namespace: operatorNamespace,
+			Namespace: namespace,
 		},
 		Spec: sfv1alpha1.SplunkForwarderSpec{
 			SplunkLicenseAccepted: true,
@@ -144,35 +151,90 @@ func cleanupTestSecrets(ctx context.Context, k8s *openshift.Client, namespace st
 	k8s.Delete(ctx, hecSecret)
 }
 
-// generateSelfSignedCACert returns a PEM-encoded self-signed CA cert for testing
-// This is a minimal test certificate - sufficient for testing secret mounting
+// generateSelfSignedCACert dynamically generates a PEM-encoded self-signed CA certificate
+// using Go's crypto packages for realistic testing
 func generateSelfSignedCACert() string {
-	return `-----BEGIN CERTIFICATE-----
-MIIDXTCCAkWgAwIBAgIJAKJ0qJxKLhpOMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAtIb8nPQXLq6F0mGxMz6pqGm6QC7hUdXQQEH+Vv8nqNGdF2P4IxHLqY3v
-8cTqvCXMQvJn4mGrDFVPZqXMtHxFHI+cKXkQ9BVJdUPxP6fqMq7TI4Cv3kMhz9M3
------END CERTIFICATE-----`
+	// Generate RSA private key
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(fmt.Sprintf("failed to generate CA private key: %v", err))
+	}
+
+	// Create certificate template
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Splunk E2E Test CA"},
+			Country:      []string{"US"},
+			CommonName:   "Splunk Test CA",
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(30 * 24 * time.Hour), // Valid for 1 month
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	// Create self-signed certificate
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		panic(fmt.Sprintf("failed to create CA certificate: %v", err))
+	}
+
+	// Encode certificate to PEM
+	certPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certDER,
+	})
+
+	return string(certPEM)
 }
 
-// generateSelfSignedServerCert returns a PEM-encoded server cert for testing
+// generateSelfSignedServerCert dynamically generates a PEM-encoded server certificate
+// with both certificate and private key for Splunk mTLS authentication
 func generateSelfSignedServerCert() string {
-	return `-----BEGIN CERTIFICATE-----
-MIIDXTCCAkWgAwIBAgIJAKJ0qJxKLhpPMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMjQwMTAxMDAwMDAwWhcNMjUwMTAxMDAwMDAwWjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAtIb8nPQXLq6F0mGxMz6pqGm6QC7hUdXQQEH+Vv8nqNGdF2P4IxHLqY3v
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0hvy89Bcur4XS
-YbEzPqmoabpALuFR1dBAQf5W/yeo0Z0XY/gjEcupje/xxOq8JcxC8mfiYasMVU9m
-pcy0fEUcj5wpeRD0FUl1Q/E/p+oyrtMjgK/eQyHP0zc=
------END PRIVATE KEY-----`
+	// Generate RSA private key
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(fmt.Sprintf("failed to generate server private key: %v", err))
+	}
+
+	// Create certificate template
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject: pkix.Name{
+			Organization: []string{"Splunk E2E Test Server"},
+			Country:      []string{"US"},
+			CommonName:   "splunk-forwarder-test.example.com",
+		},
+		NotBefore:   time.Now(),
+		NotAfter:    time.Now().Add(30 * 24 * time.Hour), // Valid for 1 month
+		KeyUsage:    x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		DNSNames:    []string{"splunk-forwarder-test.example.com", "localhost"},
+	}
+
+	// Create self-signed certificate (in production, this would be signed by CA)
+	certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		panic(fmt.Sprintf("failed to create server certificate: %v", err))
+	}
+
+	// Encode certificate to PEM
+	certPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certDER,
+	})
+
+	// Encode private key to PEM
+	privateKeyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+	})
+
+	// Return combined certificate and private key
+	return string(certPEM) + string(privateKeyPEM)
 }
 
 // generateMTLSOutputsConf returns outputs.conf content for mTLS mode
@@ -181,7 +243,7 @@ func generateMTLSOutputsConf() string {
 defaultGroup = default-autolb-group
 
 [tcpout:default-autolb-group]
-server = splunk.example.com:9997
+server = splunk-forwarder-test.example.com:9997
 clientCert = $SPLUNK_HOME/etc/apps/splunkauth/default/server.pem
 sslCertPath = $SPLUNK_HOME/etc/apps/splunkauth/default/server.pem
 sslRootCAPath = $SPLUNK_HOME/etc/apps/splunkauth/default/cacert.pem
@@ -190,11 +252,18 @@ sslVerifyServerCert = false`
 }
 
 // generateHECOutputsConf returns outputs.conf content for HEC mode
+// with a realistic HEC token format (UUID) for testing
 func generateHECOutputsConf() string {
 	return `[http]
-httpEventCollectorToken = test-hec-token-12345
-uri = http://mock-hec-server:8088
-disabled = 0`
+httpEventCollectorToken = 12345678-1234-5678-1234-567812345678
+uri = https://splunk-hec.example.com:8088/services/collector/event
+disabled = 0
+useACK = true
+token = 12345678-1234-5678-1234-567812345678
+
+[tcpout]
+defaultGroup = nothing
+disabled = true`
 }
 
 // generateLimitsConf returns limits.conf content for testing
