CM-937: Automate e2e tests for Azure DNS01 AAD Workload Identity auth by lunarwhite · Pull Request #375 · openshift/cert-manager-operator

lunarwhite · 2026-03-06T09:09:26Z

Second (2/2) part of https://issues.redhat.com/browse/CM-937

Changes

Add new e2e test to expand Azure DNS-01 coverage:

ACME Issuer DNS01 solver with Azure DNS in Workload Identity environment should obtain a valid certificate using ambient credentials through AAD Workload Identity

Dependency

CM-936: Add Azure OVN and Workload Identity CI coverage for cert-manager-operator release#75522
CM-937: Automate e2e tests for Azure DNS01 Service Principal auth #374

Summary by CodeRabbit

Tests
- Expanded end-to-end test coverage for workload identity integration with DNS-01 ACME validation
- Added deployment rollout verification and label management test utilities
Chores
- Updated test dependencies with additional cloud provider SDKs

…luster

Majorly azure-sdk packages

openshift-ci-robot · 2026-03-06T09:09:31Z

@lunarwhite: This pull request references CM-937 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2026-03-06T09:09:42Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

coderabbitai · 2026-03-06T09:09:55Z

Walkthrough

This PR adds Azure and AWS cloud-workload identity support infrastructure to e2e ACME DNS-01 tests. Changes include Azure Managed Identity setup with federated credentials, role assignments, deployment label management helpers, and new cloud SDK dependencies for Azure and AWS.

Changes

Cohort / File(s)	Summary
E2E Test Scaffolding `test/e2e/issuer_acme_dns01_test.go`, `test/e2e/utils_test.go`	Adds Azure Workload Identity e2e test infrastructure with credentials extraction, Managed Identity creation, DNS zone discovery, federated identity credential setup, and role assignment logic. Also introduces helper functions for deployment label override and rollout polling. Note: `utils_test.go` contains duplicated function definitions requiring deduplication.
Go Dependencies `test/go.mod`	Adds Azure SDK modules (azcore, azidentity, armauthorization, armmsi, armresources) and utility dependencies. Promotes google/uuid from indirect to direct dependency.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Test Structure And Quality	⚠️ Warning	The pull request contains three critical bugs: nil-dereference at line 1447, improper label validation at line 848, and incorrect HTTP 409 error handling in role assignment retry logic.	Add nil-check for rg.Location, fix label comparison to verify key existence, and handle HTTP 409 Conflict with RoleAssignmentExists as successful idempotent operation.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly and specifically describes the main change: adding e2e test automation for Azure DNS01 with AAD Workload Identity authentication, which aligns with the substantial test scaffolding additions in the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Stable And Deterministic Test Names	✅ Passed	All test titles use stable, deterministic strings without dynamic content. Dynamic values are correctly placed in test bodies, not titles.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci · 2026-03-06T09:10:46Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lunarwhite
Once this PR has been reviewed and has the lgtm label, please assign mytreya-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2026-03-06T09:14:04Z

@lunarwhite: This pull request references CM-937 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

Tests

Expanded end-to-end test coverage for workload identity integration with DNS-01 ACME validation

Added deployment rollout verification and label management test utilities

Chores

Updated test dependencies with additional cloud provider SDKs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai

Actionable comments posted: 3

🧹 Nitpick comments (1)

test/e2e/issuer_acme_dns01_test.go (1)

1425-1427: Restore Azure auth env vars after setup to avoid cross-spec leakage.

Lines 1425-1427 mutate process-global env and never revert it, which can bleed into later specs in the same process.

♻️ Suggested refactor

 			Expect(json.Unmarshal(data, &sp)).To(Succeed(), "failed to parse Azure credentials file")
-			os.Setenv("AZURE_CLIENT_ID", sp.ClientID)
-			os.Setenv("AZURE_CLIENT_SECRET", sp.ClientSecret)
-			os.Setenv("AZURE_TENANT_ID", sp.TenantID)
+			prevClientID, hadClientID := os.LookupEnv("AZURE_CLIENT_ID")
+			prevClientSecret, hadClientSecret := os.LookupEnv("AZURE_CLIENT_SECRET")
+			prevTenantID, hadTenantID := os.LookupEnv("AZURE_TENANT_ID")
+
+			Expect(os.Setenv("AZURE_CLIENT_ID", sp.ClientID)).To(Succeed())
+			Expect(os.Setenv("AZURE_CLIENT_SECRET", sp.ClientSecret)).To(Succeed())
+			Expect(os.Setenv("AZURE_TENANT_ID", sp.TenantID)).To(Succeed())
+
+			DeferCleanup(func() {
+				if hadClientID {
+					_ = os.Setenv("AZURE_CLIENT_ID", prevClientID)
+				} else {
+					_ = os.Unsetenv("AZURE_CLIENT_ID")
+				}
+				if hadClientSecret {
+					_ = os.Setenv("AZURE_CLIENT_SECRET", prevClientSecret)
+				} else {
+					_ = os.Unsetenv("AZURE_CLIENT_SECRET")
+				}
+				if hadTenantID {
+					_ = os.Setenv("AZURE_TENANT_ID", prevTenantID)
+				} else {
+					_ = os.Unsetenv("AZURE_TENANT_ID")
+				}
+			})

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@test/e2e/issuer_acme_dns01_test.go` around lines 1425 - 1427, Before mutating
AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID with os.Setenv,
capture their current values (using os.Getenv) and then defer restoring them
after setup; if a captured value is empty, restore with os.Unsetenv, otherwise
call os.Setenv to the previous value. Place this save-and-defer logic
immediately around the existing os.Setenv calls so the test restores the
original environment and avoids cross-spec leakage.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@test/e2e/issuer_acme_dns01_test.go`:
- Around line 1445-1448: The test dereferences rg.Location without guarding for
nil which can panic if Azure returns no Location; after calling rgClient.Get
(and the Expect on err), add a nil-check for rg.Location and fail the test or
use Expect(rg.Location).NotTo(BeNil(), "resource group Location is missing")
before using *rg.Location, then assign location := *rg.Location; ensure you
reference rg and rgClient.Get in the fix so the check sits immediately after the
Get/err assertion.
- Around line 1495-1506: In the wait.PollUntilContextTimeout retry loop around
authClient.Create (creating roleAssignmentName in dnsZoneScope), treat a failure
where the server reports the role assignment already exists as a success: after
calling authClient.Create and getting assignErr, detect the 409/Conflict with
ErrorCode "RoleAssignmentExists" (inspect the error type returned by the Azure
SDK for the status code/ErrorCode) and return true,nil so the loop exits
successfully; otherwise continue returning false,nil for transient errors as
before.

In `@test/e2e/utils_test.go`:
- Around line 842-849: The pod-label matcher in
waitForDeploymentPodLabelAndRollout can falsely succeed when the label key is
missing because labels[labelKey] returns "" for absent keys; modify the
predicate passed to waitForDeploymentConditionAndRollout to verify the key
exists (use the map lookup form, e.g., val, ok := labels[labelKey]) and return
ok && val == labelValue so the matcher requires presence and value equality;
update the anonymous function inside waitForDeploymentPodLabelAndRollout
accordingly (referencing waitForDeploymentPodLabelAndRollout and
waitForDeploymentConditionAndRollout).

---

Nitpick comments:
In `@test/e2e/issuer_acme_dns01_test.go`:
- Around line 1425-1427: Before mutating AZURE_CLIENT_ID, AZURE_CLIENT_SECRET,
and AZURE_TENANT_ID with os.Setenv, capture their current values (using
os.Getenv) and then defer restoring them after setup; if a captured value is
empty, restore with os.Unsetenv, otherwise call os.Setenv to the previous value.
Place this save-and-defer logic immediately around the existing os.Setenv calls
so the test restores the original environment and avoids cross-spec leakage.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1036b206-f410-4cdf-a650-ef48d4cd42e5

📥 Commits

Reviewing files that changed from the base of the PR and between a831625 and bc8bbee.

⛔ Files ignored due to path filters (287)

test/go.sum is excluded by !**/*.sum
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_identifier.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/internal/resource/resource_type.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/policy/policy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/resource_identifier.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/resource_type.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/pipeline.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/policy_bearer_token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/policy_register_rp.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/policy_trace_namespace.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/arm/runtime/runtime.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/ci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud/cloud.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/core.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/etag.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/exported.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/pipeline.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/request.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported/response_error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/log/log.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/async/async.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/body/body.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/fake/fake.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/loc/loc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/op/op.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/poller.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/pollers/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/shared/shared.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/log/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/log/log.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/policy/policy.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pager.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/pipeline.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_api_version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_bearer_token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_body_download.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_header.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_http_trace.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_include_response.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_key_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_logging.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_request_id.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_retry.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_sas_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/policy_telemetry.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/poller.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/request.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/response.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/transport_default_dialer_other.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/transport_default_dialer_wasm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime/transport_default_http_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/streaming/progress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/to/to.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azcore/tracing/tracing.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/BREAKING_CHANGES.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TOKEN_CACHING.MD is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/TROUBLESHOOTING.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/assets.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/authentication_record.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azidentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_developer_cli_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/azure_pipelines_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/chained_token_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/ci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_assertion_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_secret_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/confidential_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/default_azure_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/developer_credential_util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/device_code_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/environment_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/interactive_browser_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/internal/cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/logging.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed-identity-matrix.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/managed_identity_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/on_behalf_of_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/public_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-post.ps1 is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources-pre.ps1 is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/test-resources.bicep is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/username_password_credential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/workload_identity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/diag/diag.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/diag/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/errorinfo/errorinfo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/exported/exported.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/log/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/log/log.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/poller/util.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/temporal/resource.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/uuid/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/internal/uuid/uuid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/autorest.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/build.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/ci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/classicadministrators_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/client_factory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/denyassignments_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/eligiblechildresources_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/globaladministrator_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/interfaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/models.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/models_serde.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/permissions_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/polymorphic_helpers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/provideroperationsmetadata_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/response_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/roleassignments_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/roleassignmentscheduleinstances_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/roleassignmentschedulerequests_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/roleassignmentschedules_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/roledefinitions_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/roleeligibilityscheduleinstances_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/roleeligibilityschedulerequests_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/roleeligibilityschedules_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/rolemanagementpolicies_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/rolemanagementpolicyassignments_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2/time_rfc3339.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/assets.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/autorest.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/build.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/ci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/client_factory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/federatedidentitycredentials_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/models_serde.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/operations_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/responses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/systemassignedidentities_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/time_rfc3339.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi/userassignedidentities_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/LICENSE.txt is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/assets.json is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/autorest.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/build.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/ci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/client_factory.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/deploymentoperations_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/deployments_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/models.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/models_serde.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/operations_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/providerresourcetypes_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/providers_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/resourcegroups_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/response_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/tags_client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/time_rfc3339.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache/cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential/confidential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/errors/error_design.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/errors/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/base.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/items.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/partitioned_storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base/storage/storage.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/exported/exported.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/json/design.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/json/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/json/mapslice.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/json/marshal.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/json/struct.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/json/types/time/time.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/local/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/oauth.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/accesstokens.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/apptype_string.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/accesstokens/tokens.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authority.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/authority/authorizetype_string.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/comm/comm.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/comm/compress.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/internal/grant/grant.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/ops.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/wstrust/defs/endpointtype_string.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/wstrust/defs/mex_document_definitions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/wstrust/defs/saml_assertion_definitions.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/wstrust/defs/version_string.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/wstrust/defs/wstrust_endpoint.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/wstrust/defs/wstrust_mex_document.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/ops/wstrust/wstrust.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/resolvers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/options/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/shared/shared.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/managedidentity/azure_ml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/managedidentity/cloud_shell.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/managedidentity/managedidentity.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/managedidentity/servicefabric.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/AzureAD/microsoft-authentication-library-for-go/apps/public/public.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/MIGRATION_GUIDE.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/VERSION_HISTORY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/claims.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/ecdsa.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/ecdsa_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/ed25519.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/ed25519_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/hmac.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/map_claims.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/none.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/parser.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/parser_option.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/registered_claims.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/rsa.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/rsa_pss.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/rsa_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/signing_method.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/staticcheck.conf is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/token.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/token_option.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/golang-jwt/jwt/v5/validator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/kylelemons/godebug/pretty/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/kylelemons/godebug/pretty/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/kylelemons/godebug/pretty/public.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/kylelemons/godebug/pretty/reflect.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/kylelemons/godebug/pretty/structure.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/browser.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/browser_darwin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/browser_freebsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/browser_linux.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/browser_netbsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/browser_openbsd.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/browser_unsupported.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/pkg/browser/browser_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pkcs12/bmp-string.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pkcs12/crypto.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pkcs12/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pkcs12/internal/rc2/rc2.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pkcs12/mac.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pkcs12/pbkdf.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pkcs12/pkcs12.go is excluded by !**/vendor/**, !vendor/**
vendor/golang.org/x/crypto/pkcs12/safebags.go is excluded by !**/vendor/**, !vendor/**
vendor/modules.txt is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (3)

test/e2e/issuer_acme_dns01_test.go
test/e2e/utils_test.go
test/go.mod

coderabbitai · 2026-03-06T09:22:51Z

test/e2e/issuer_acme_dns01_test.go

+			rg, err := rgClient.Get(ctx, clusterResourceGroup, nil)
+			Expect(err).NotTo(HaveOccurred(), "failed to get resource group")
+			location := *rg.Location
+


⚠️ Potential issue | 🟡 Minor

Guard nil Location before dereference.

Line 1447 can panic if Azure returns a resource group payload without Location.

🛡️ Suggested fix

rg, err := rgClient.Get(ctx, clusterResourceGroup, nil) Expect(err).NotTo(HaveOccurred(), "failed to get resource group") + Expect(rg.Location).NotTo(BeNil(), "resource group location should be populated") location := *rg.Location

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

rg, err := rgClient.Get(ctx, clusterResourceGroup, nil)

Expect(err).NotTo(HaveOccurred(), "failed to get resource group")

location := *rg.Location

rg, err := rgClient.Get(ctx, clusterResourceGroup, nil)

Expect(err).NotTo(HaveOccurred(), "failed to get resource group")

Expect(rg.Location).NotTo(BeNil(), "resource group location should be populated")

location := *rg.Location

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@test/e2e/issuer_acme_dns01_test.go` around lines 1445 - 1448, The test dereferences rg.Location without guarding for nil which can panic if Azure returns no Location; after calling rgClient.Get (and the Expect on err), add a nil-check for rg.Location and fail the test or use Expect(rg.Location).NotTo(BeNil(), "resource group Location is missing") before using *rg.Location, then assign location := *rg.Location; ensure you reference rg and rgClient.Get in the fix so the check sits immediately after the Get/err assertion.

coderabbitai · 2026-03-06T09:22:51Z

test/e2e/issuer_acme_dns01_test.go

+			err = wait.PollUntilContextTimeout(ctx, fastPollInterval, lowTimeout, true, func(context.Context) (bool, error) {
+				_, assignErr := authClient.Create(ctx, dnsZoneScope, roleAssignmentName, armauthorization.RoleAssignmentCreateParameters{
+					Properties: &armauthorization.RoleAssignmentProperties{
+						RoleDefinitionID: &dnsZoneContributorRoleID,
+						PrincipalID:      &identityPrincipalID,
+						PrincipalType:    to.Ptr(armauthorization.PrincipalTypeServicePrincipal),
+					},
+				}, nil)
+				if assignErr != nil {
+					fmt.Fprintf(GinkgoWriter, "role assignment attempt failed (retrying): %v\n", assignErr)
+					return false, nil
+				}


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash # Get exact code at the specified lines sed -n '1490,1515p' test/e2e/issuer_acme_dns01_test.go | cat -n

Repository: openshift/cert-manager-operator

Length of output: 1493

🏁 Script executed:

#!/bin/bash # Check for existing imports in the file head -50 test/e2e/issuer_acme_dns01_test.go | cat -n

Repository: openshift/cert-manager-operator

Length of output: 2060

🏁 Script executed:

#!/bin/bash # Search for error handling patterns in the file rg -n 'ResponseError|errors\.As|StatusCode|ErrorCode' test/e2e/issuer_acme_dns01_test.go

Repository: openshift/cert-manager-operator

Length of output: 57

🏁 Script executed:

#!/bin/bash # Check if azcore is already imported rg -n 'import|azcore' test/e2e/issuer_acme_dns01_test.go | head -20

Repository: openshift/cert-manager-operator

Length of output: 139

🏁 Script executed:

#!/bin/bash # Search for other Azure API calls that might handle conflicts rg -n 'authClient|Create\(' test/e2e/issuer_acme_dns01_test.go | head -20

Repository: openshift/cert-manager-operator

Length of output: 2380

🌐 Web query:

Azure SDK for Go v2 RoleAssignment Create conflict error handling

💡 Result:

In Azure SDK for Go v2 (github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2), RoleAssignmentsClient.Create(...) returns an error that you can unwrap as *azcore.ResponseError when the service responds with a non-2xx code. (pkg.go.dev)

Treat “already exists” as success (409 Conflict / RoleAssignmentExists)

Azure RBAC role assignments are effectively unique by (principal + roleDefinition + scope); if you try to create the same combination again (often with a different GUID for roleAssignmentName), Azure can return 409 Conflict with code RoleAssignmentExists. (learn.microsoft.com)

import ( "errors" "net/http" "github.com/Azure/azure-sdk-for-go/sdk/azcore" ) resp, err := roleAssignmentsClient.Create(ctx, scope, roleAssignmentName, params, nil) if err != nil { var re *azcore.ResponseError if errors.As(err, &re) { if re.StatusCode == http.StatusConflict && re.ErrorCode == "RoleAssignmentExists" { // idempotent success: the assignment is already present return nil } } return err } // use resp.RoleAssignment ... _ = resp

Notes:

azcore.ResponseError is the standard error type for non-success HTTP status codes, and the SDK expects you to use errors.As() to access it. (pkg.go.dev)

The SDK extracts ErrorCode from the response (preferring x-ms-error-code, otherwise parsing the body). (pkg.go.dev)

If you need the existing assignment’s ID

If you must return the existing role assignment resource ID (not just ignore the conflict), you typically need to list role assignments at the scope and match on principalId + roleDefinitionId (since the conflicting create won’t tell you the existing GUID). This is the same approach commonly recommended via CLI for investigating these conflicts. (learn.microsoft.com)

Citations:

1: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/authorization/armauthorization/v2

2: https://learn.microsoft.com/en-us/answers/questions/5508946/error-roleassignmentexists-setting-up-continuous-d?utm_source=openai

3: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azcore

4: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime

5: https://learn.microsoft.com/en-us/answers/questions/5508946/error-roleassignmentexists-setting-up-continuous-d?utm_source=openai

🌐 Web query:

Azure SDK for Go azcore ResponseError StatusCode RoleAssignmentExists

💡 Result:

In the Azure SDK for Go, ARM “role assignment already exists” surfaces as an *azcore.ResponseError with:

StatusCode == 409 (HTTP Conflict)

ErrorCode == "RoleAssignmentExists" (pkg.go.dev)

Handle it by type-asserting via errors.As and checking StatusCode and/or ErrorCode:

import ( "errors" "net/http" "github.com/Azure/azure-sdk-for-go/sdk/azcore" ) if err != nil { var re *azcore.ResponseError if errors.As(err, &re) { if re.StatusCode == http.StatusConflict && re.ErrorCode == "RoleAssignmentExists" { // role assignment is already present; treat as success / ignore / reconcile return nil } } return err }

Why it happens: you attempted to create an RBAC role assignment that already exists (same scope + principal + role), so the service returns 409 with code RoleAssignmentExists. (github.com)

Citations:

1: https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azcore/internal/exported

2: azurerm_role_assignment "The role assignment already exists." hashicorp/terraform-provider-azurerm#17421

🏁 Script executed:

#!/bin/bash # Search for any other Azure error handling patterns in the test file rg -n 'if.*err|Delete|authClient' test/e2e/issuer_acme_dns01_test.go | tail -30

Repository: openshift/cert-manager-operator

Length of output: 2349

🏁 Script executed:

#!/bin/bash # Check if the repository has any other conflict handling patterns rg -r 'ResponseError|StatusConflict|RoleAssignmentExists' test/ --type go

Repository: openshift/cert-manager-operator

Length of output: 50388

Handle role-assignment "already exists" as success in retry loop.

The retry loop currently retries on all errors. When a role assignment succeeds server-side but the client receives a transient error, subsequent retry attempts can return HTTP 409 Conflict with ErrorCode == "RoleAssignmentExists", causing the loop to timeout instead of succeeding.

🔧 Suggested fix

+// import additions needed: +// "errors" +// "net/http" +// "github.com/Azure/azure-sdk-for-go/sdk/azcore" err = wait.PollUntilContextTimeout(ctx, fastPollInterval, lowTimeout, true, func(context.Context) (bool, error) { _, assignErr := authClient.Create(ctx, dnsZoneScope, roleAssignmentName, armauthorization.RoleAssignmentCreateParameters{ Properties: &armauthorization.RoleAssignmentProperties{ RoleDefinitionID: &dnsZoneContributorRoleID, PrincipalID: &identityPrincipalID, PrincipalType: to.Ptr(armauthorization.PrincipalTypeServicePrincipal), }, }, nil) if assignErr != nil { + var respErr *azcore.ResponseError + if errors.As(assignErr, &respErr) && + (respErr.StatusCode == http.StatusConflict && respErr.ErrorCode == "RoleAssignmentExists") { + return true, nil + } fmt.Fprintf(GinkgoWriter, "role assignment attempt failed (retrying): %v\n", assignErr) return false, nil } return true, nil })

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@test/e2e/issuer_acme_dns01_test.go` around lines 1495 - 1506, In the wait.PollUntilContextTimeout retry loop around authClient.Create (creating roleAssignmentName in dnsZoneScope), treat a failure where the server reports the role assignment already exists as a success: after calling authClient.Create and getting assignErr, detect the 409/Conflict with ErrorCode "RoleAssignmentExists" (inspect the error type returned by the Azure SDK for the status code/ErrorCode) and return true,nil so the loop exits successfully; otherwise continue returning false,nil for transient errors as before.

coderabbitai · 2026-03-06T09:22:51Z

test/e2e/utils_test.go

+func waitForDeploymentPodLabelAndRollout(ctx context.Context, namespace, deploymentName, labelKey, labelValue string, timeout time.Duration) error {
+	return waitForDeploymentConditionAndRollout(ctx, namespace, deploymentName, func(deployment *appsv1.Deployment) bool {
+		labels := deployment.Spec.Template.GetLabels()
+		if labels == nil {
+			return false
+		}
+		return labels[labelKey] == labelValue
+	}, timeout)


⚠️ Potential issue | 🟡 Minor

Require label-key presence in pod label matcher.

At Line 848, missing keys currently compare as "", which can incorrectly pass when expected value is empty.

🔧 Suggested fix

func waitForDeploymentPodLabelAndRollout(ctx context.Context, namespace, deploymentName, labelKey, labelValue string, timeout time.Duration) error { return waitForDeploymentConditionAndRollout(ctx, namespace, deploymentName, func(deployment *appsv1.Deployment) bool { labels := deployment.Spec.Template.GetLabels() if labels == nil { return false } - return labels[labelKey] == labelValue + actual, ok := labels[labelKey] + return ok && actual == labelValue }, timeout) }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

func waitForDeploymentPodLabelAndRollout(ctx context.Context, namespace, deploymentName, labelKey, labelValue string, timeout time.Duration) error {

return waitForDeploymentConditionAndRollout(ctx, namespace, deploymentName, func(deployment *appsv1.Deployment) bool {

labels := deployment.Spec.Template.GetLabels()

if labels == nil {

return false

}

return labels[labelKey] == labelValue

}, timeout)

func waitForDeploymentPodLabelAndRollout(ctx context.Context, namespace, deploymentName, labelKey, labelValue string, timeout time.Duration) error {

return waitForDeploymentConditionAndRollout(ctx, namespace, deploymentName, func(deployment *appsv1.Deployment) bool {

labels := deployment.Spec.Template.GetLabels()

if labels == nil {

return false

}

actual, ok := labels[labelKey]

return ok && actual == labelValue

}, timeout)

}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@test/e2e/utils_test.go` around lines 842 - 849, The pod-label matcher in waitForDeploymentPodLabelAndRollout can falsely succeed when the label key is missing because labels[labelKey] returns "" for absent keys; modify the predicate passed to waitForDeploymentConditionAndRollout to verify the key exists (use the map lookup form, e.g., val, ok := labels[labelKey]) and return ok && val == labelValue so the matcher requires presence and value equality; update the anonymous function inside waitForDeploymentPodLabelAndRollout accordingly (referencing waitForDeploymentPodLabelAndRollout and waitForDeploymentConditionAndRollout).

openshift-ci-robot · 2026-03-06T09:45:17Z

@lunarwhite: This pull request references CM-937 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Second (2/2) part of https://issues.redhat.com/browse/CM-937

Changes

Add new e2e test to expand Azure DNS-01 coverage:

ACME Issuer DNS01 solver with Azure DNS in Workload Identity environment should obtain a valid certificate using ambient credentials through AAD Workload Identity

Dependency

CM-936: Add Azure OVN and Workload Identity CI coverage for cert-manager-operator release#75522

CM-937: Automate e2e tests for Azure DNS01 Service Principal auth #374

Summary by CodeRabbit

Tests

Expanded end-to-end test coverage for workload identity integration with DNS-01 ACME validation

Added deployment rollout verification and label management test utilities

Chores

Updated test dependencies with additional cloud provider SDKs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

lunarwhite added 2 commits March 6, 2026 17:03

Automate e2e test for Azure DNS01 AAD Workload Identity auth in STS c…

096e204

…luster

Update vendor deps used by e2e tests

bc8bbee

Majorly azure-sdk packages

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 6, 2026

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 6, 2026

coderabbitai bot reviewed Mar 6, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CM-937: Automate e2e tests for Azure DNS01 AAD Workload Identity auth#375

CM-937: Automate e2e tests for Azure DNS01 AAD Workload Identity auth#375
lunarwhite wants to merge 2 commits intoopenshift:masterfrom
lunarwhite:e2e-az-sts

lunarwhite commented Mar 6, 2026 •

edited

Loading

Uh oh!

openshift-ci-robot commented Mar 6, 2026 •

edited by openshift-ci bot

Loading

Uh oh!

openshift-ci bot commented Mar 6, 2026

Uh oh!

coderabbitai bot commented Mar 6, 2026 •

edited

Loading

❌ Failed checks (1 warning)

Uh oh!

openshift-ci bot commented Mar 6, 2026

Uh oh!

openshift-ci-robot commented Mar 6, 2026 •

edited by openshift-ci bot

Loading

Summary by CodeRabbit

Uh oh!

coderabbitai bot left a comment

Uh oh!

coderabbitai bot Mar 6, 2026

Uh oh!

coderabbitai bot Mar 6, 2026

Uh oh!

coderabbitai bot Mar 6, 2026

Uh oh!

openshift-ci-robot commented Mar 6, 2026 •

edited by openshift-ci bot

Loading

Changes

Dependency

Summary by CodeRabbit

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

lunarwhite commented Mar 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Dependency

Summary by CodeRabbit

Uh oh!

openshift-ci-robot commented Mar 6, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci bot commented Mar 6, 2026

Uh oh!

coderabbitai bot commented Mar 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

❌ Failed checks (1 warning)

Uh oh!

openshift-ci bot commented Mar 6, 2026

Uh oh!

openshift-ci-robot commented Mar 6, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 6, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Mar 6, 2026

Choose a reason for hiding this comment

Treat “already exists” as success (409 Conflict / RoleAssignmentExists)

If you need the existing assignment’s ID

Uh oh!

coderabbitai bot Mar 6, 2026

Choose a reason for hiding this comment

Uh oh!

openshift-ci-robot commented Mar 6, 2026 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Dependency

Summary by CodeRabbit

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

lunarwhite commented Mar 6, 2026 •

edited

Loading

openshift-ci-robot commented Mar 6, 2026 •

edited by openshift-ci bot

Loading

coderabbitai bot commented Mar 6, 2026 •

edited

Loading

openshift-ci-robot commented Mar 6, 2026 •

edited by openshift-ci bot

Loading

Treat “already exists” as success (409 Conflict / `RoleAssignmentExists`)

openshift-ci-robot commented Mar 6, 2026 •

edited by openshift-ci bot

Loading