ESO-323: incorporates coderabbit suggestions

Signed-off-by: Bharath B <bhb@redhat.com>

Author: bharath-b-rh

Makefile

@@ -212,6 +212,7 @@ test-e2e: ## Run e2e tests against a cluster.
 		-count 1 -v -p 1 \
 		-tags e2e ./e2e \
 		-ginkgo.v \
+		-ginkgo.trace \
 		-ginkgo.show-node-events \
 		-ginkgo.label-filter=$(E2E_GINKGO_LABEL_FILTER)
 

hack/govulncheck.sh

@@ -20,7 +20,11 @@ set -o errexit
 ## Below vulnerabilities are in the kubernetes package, which impacts the server and not the operator, which is the client.
 # - https://pkg.go.dev/vuln/GO-2025-3521 - Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes
 # - https://pkg.go.dev/vuln/GO-2025-3547 - Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes
-KNOWN_VULNS_PATTERN="GO-2025-3521|GO-2025-3547"
+#
+## Below vulnerabilities are in the go packages, which impacts the operator code and requires the fix to be available downstream.
+# - https://pkg.go.dev/vuln/GO-2026-4601 - Incorrect parsing of IPv6 host literals in net/url
+# - https://pkg.go.dev/vuln/GO-2026-4602 - FileInfo can escape from a Root in os
+KNOWN_VULNS_PATTERN="GO-2025-3521|GO-2025-3547|GO-2026-4601|GO-2026-4602"
 
 GOVULNCHECK_BIN="${1:-}"
 OUTPUT_DIR="${2:-}"

test/e2e/bitwarden_es_test.go

@@ -149,18 +149,20 @@ func ensureBitwardenOperandReady(ctx context.Context) error {
 var _ = Describe("Bitwarden Provider", Ordered, Label("Provider:Bitwarden", "Suite:Bitwarden"), func() {
 	ctx := context.Background()
 	var (
-		clientset                  *kubernetes.Clientset
-		dynamicClient              *dynamic.DynamicClient
-		runtimeClient              client.Client
-		loader                     utils.DynamicResourceLoader
-		testNamespace              string
-		clusterStoreName           string
-		tlsMaterials               *utils.BitwardenTLSMaterials
-		originalESC                *operatorv1alpha1.ExternalSecretsConfig
-		cssObj                     *unstructured.Unstructured
-		bitwardenOrgID             string
-		bitwardenProjectID         string
-		pushedRemoteKeyForUUIDTest string // set by first It, used by second It to look up secret UUID
+		clientset          *kubernetes.Clientset
+		dynamicClient      *dynamic.DynamicClient
+		runtimeClient      client.Client
+		loader             utils.DynamicResourceLoader
+		testNamespace      string
+		clusterStoreName   string
+		tlsMaterials       *utils.BitwardenTLSMaterials
+		originalESC        *operatorv1alpha1.ExternalSecretsConfig
+		cssObj             *unstructured.Unstructured
+		bitwardenOrgID     string
+		bitwardenProjectID string
+		// pushedRemoteKeyForUUIDTest is set by the first It block and consumed by the second.
+		// These tests must run in order (Ordered container) due to this shared state dependency.
+		pushedRemoteKeyForUUIDTest string
 	)
 
 	BeforeAll(func() {

test/e2e/e2e_suite_test.go

@@ -51,18 +51,13 @@ var (
 )
 
 func getTestDir() string {
-	if os.Getenv("OPENSHIFT_CI") == "true" {
-		if d := os.Getenv("ARTIFACT_DIR"); d != "" {
-			return d
-		}
-	}
 	if d := os.Getenv("ARTIFACT_DIR"); d != "" {
 		return d
 	}
 	// Local run: use repo _output.
 	cwd, err := os.Getwd()
 	if err == nil {
-		return filepath.Clean(filepath.Join(cwd, "..", "_output"))
+		return filepath.Clean(filepath.Join(cwd, "..", "..", "_output"))
 	}
 	return "/tmp"
 }

test/utils/bitwarden.go

@@ -188,6 +188,9 @@ func FetchBitwardenCredsFromSecret(ctx context.Context, client kubernetes.Interf
 		return "", "", "", fmt.Errorf("get Bitwarden creds secret %s/%s: %w", secretNamespace, secretName, err)
 	}
 	token = string(secret.Data[TokenSecretKey])
+	if token == "" {
+		return "", "", "", fmt.Errorf("bitwarden creds secret %s/%s missing required key %q", secretNamespace, secretName, TokenSecretKey)
+	}
 	if v, ok := secret.Data[BitwardenCredKeyOrgID]; ok {
 		orgID = string(v)
 	}
@@ -291,7 +294,7 @@ func WaitForBitwardenSDKServerReachableFromCluster(ctx context.Context, client k
 			},
 			Containers: []corev1.Container{{
 				Name:    "curl",
-				Image:   "docker.io/curlimages/curl:latest",
+				Image:   bitwardenAPITestRunnerImage,
 				Command: cmd,
 				SecurityContext: &corev1.SecurityContext{
 					AllowPrivilegeEscalation: &allowPrivilegeEscalation,

test/utils/bitwarden_api_runner.go

@@ -90,7 +90,9 @@ func RunBitwardenAPIJob(ctx context.Context, client kubernetes.Interface, namesp
 		return -1, "", fmt.Errorf("create job %s: %w", jobName, err)
 	}
 	propagationBackground := metav1.DeletePropagationBackground
-	defer func() { _ = client.BatchV1().Jobs(namespace).Delete(ctx, jobName, metav1.DeleteOptions{PropagationPolicy: &propagationBackground}) }()
+	defer func() {
+		_ = client.BatchV1().Jobs(namespace).Delete(ctx, jobName, metav1.DeleteOptions{PropagationPolicy: &propagationBackground})
+	}()
 
 	err = wait.PollUntilContextTimeout(ctx, 2*time.Second, timeout, true, func(ctx context.Context) (bool, error) {
 		j, getErr := client.BatchV1().Jobs(namespace).Get(ctx, jobName, metav1.GetOptions{})
@@ -111,9 +113,12 @@ func RunBitwardenAPIJob(ctx context.Context, client kubernetes.Interface, namesp
 
 	// Find the pod and get exit code and logs.
 	pods, err := client.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{LabelSelector: "job-name=" + jobName})
-	if err != nil || len(pods.Items) == 0 {
+	if err != nil {
 		return -1, "", fmt.Errorf("list pods for job %s: %w", jobName, err)
 	}
+	if len(pods.Items) == 0 {
+		return -1, "", fmt.Errorf("no pods found for job %s", jobName)
+	}
 	pod := pods.Items[0]
 	for _, cs := range pod.Status.ContainerStatuses {
 		if cs.State.Terminated != nil {

test/utils/cleanup.go

@@ -22,6 +22,8 @@ package utils
 import (
 	"context"
 
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -60,7 +62,10 @@ func CleanupESOOperandAndRelated(ctx context.Context, cfg *rest.Config) {
 	}
 
 	// 1. Delete all instances of operand CRDs (label app=external-secrets).
-	crdList, _ := extClient.ApiextensionsV1().CustomResourceDefinitions().List(ctx, metav1.ListOptions{LabelSelector: operandLabelSelector})
+	crdList, err := extClient.ApiextensionsV1().CustomResourceDefinitions().List(ctx, metav1.ListOptions{LabelSelector: operandLabelSelector})
+	if err != nil || crdList == nil {
+		crdList = &apiextensionsv1.CustomResourceDefinitionList{}
+	}
 	for i := range crdList.Items {
 		crd := &crdList.Items[i]
 		version := preferredVersion(crd)
@@ -99,17 +104,26 @@ func CleanupESOOperandAndRelated(ctx context.Context, cfg *rest.Config) {
 	_ = dynamicClient.Resource(escGVR).Delete(ctx, externalSecretsConfigName, metav1.DeleteOptions{})
 
 	// 3. Remove webhooks first so namespace deletion can proceed.
-	webhooks, _ := clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations().List(ctx, metav1.ListOptions{LabelSelector: operandLabelSelector})
+	webhooks, err := clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations().List(ctx, metav1.ListOptions{LabelSelector: operandLabelSelector})
+	if err != nil || webhooks == nil {
+		webhooks = &admissionregistrationv1.ValidatingWebhookConfigurationList{}
+	}
 	for i := range webhooks.Items {
 		_ = clientset.AdmissionregistrationV1().ValidatingWebhookConfigurations().Delete(ctx, webhooks.Items[i].Name, metav1.DeleteOptions{})
 	}
 
 	// 4. ClusterRoleBindings before ClusterRoles.
-	crbs, _ := clientset.RbacV1().ClusterRoleBindings().List(ctx, metav1.ListOptions{LabelSelector: operandLabelSelector})
+	crbs, err := clientset.RbacV1().ClusterRoleBindings().List(ctx, metav1.ListOptions{LabelSelector: operandLabelSelector})
+	if err != nil || crbs == nil {
+		crbs = &rbacv1.ClusterRoleBindingList{}
+	}
 	for i := range crbs.Items {
 		_ = clientset.RbacV1().ClusterRoleBindings().Delete(ctx, crbs.Items[i].Name, metav1.DeleteOptions{})
 	}
-	crList, _ := clientset.RbacV1().ClusterRoles().List(ctx, metav1.ListOptions{LabelSelector: operandLabelSelector})
+	crList, err := clientset.RbacV1().ClusterRoles().List(ctx, metav1.ListOptions{LabelSelector: operandLabelSelector})
+	if err != nil || crList == nil {
+		crList = &rbacv1.ClusterRoleList{}
+	}
 	for i := range crList.Items {
 		_ = clientset.RbacV1().ClusterRoles().Delete(ctx, crList.Items[i].Name, metav1.DeleteOptions{})
 	}

test/utils/conditions.go

@@ -265,7 +265,7 @@ func DeleteAWSSecretFromCredsSecret(ctx context.Context, k8sClient *kubernetes.C
 	svc := secretsmanager.New(sess)
 	_, err = svc.DeleteSecret(&secretsmanager.DeleteSecretInput{
 		SecretId:                   aws.String(awsSecretName),
-		ForceDeleteWithoutRecovery: aws.Bool(true),
+		ForceDeleteWithoutRecovery: aws.Bool(true), // permanently delete without 7-day wait
 	})
 	if err != nil {
 		return fmt.Errorf("failed to delete AWS secret: %w", err)

test/utils/dynamic_resources.go

@@ -23,7 +23,6 @@ import (
 	"context"
 	"testing"
 
-	"github.com/stretchr/testify/require"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -34,6 +33,8 @@ import (
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/restmapper"
+
+	"github.com/stretchr/testify/require"
 )
 
 type DynamicResourceLoader struct {
@@ -56,60 +57,10 @@ func NewDynamicResourceLoader(context context.Context, t *testing.T) DynamicReso
 	}
 }
 
-func (d DynamicResourceLoader) noErrorSkipExists(err error) {
-	if !k8serrors.IsAlreadyExists(err) {
-		require.NoError(d.t, err)
-	}
-}
-
-func (d DynamicResourceLoader) noErrorSkipNotExisting(err error) {
-	if !k8serrors.IsNotFound(err) {
-		require.NoError(d.t, err)
-	}
-}
-
-func (d DynamicResourceLoader) do(do doFunc, assetFunc func(name string) ([]byte, error), filename string, overrideNamespace string) {
-	b, err := assetFunc(filename)
-	require.NoError(d.t, err)
-
-	decoder := yamlutil.NewYAMLOrJSONDecoder(bytes.NewReader(b), 1024)
-	var rawObj runtime.RawExtension
-	err = decoder.Decode(&rawObj)
-	require.NoError(d.t, err)
-
-	obj, gvk, err := yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme).Decode(rawObj.Raw, nil, nil)
-	require.NoError(d.t, err)
-
-	unstructuredMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
-	require.NoError(d.t, err)
-
-	unstructuredObj := &unstructured.Unstructured{Object: unstructuredMap}
-
-	gr, err := restmapper.GetAPIGroupResources(d.KubeClient.Discovery())
-	require.NoError(d.t, err)
-
-	mapper := restmapper.NewDiscoveryRESTMapper(gr)
-	mapping, err := mapper.RESTMapping(gvk.GroupKind(), gvk.Version)
-	require.NoError(d.t, err)
-
-	var dri dynamic.ResourceInterface
-	if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
-		if overrideNamespace != "" {
-			unstructuredObj.SetNamespace(overrideNamespace)
-		}
-		require.NotEmpty(d.t, unstructuredObj.GetNamespace(), "Namespace can not be empty!")
-		dri = d.DynamicClient.Resource(mapping.Resource).Namespace(unstructuredObj.GetNamespace())
-	} else {
-		dri = d.DynamicClient.Resource(mapping.Resource)
-	}
-
-	do(d.t, unstructuredObj, dri)
-}
-
 func (d DynamicResourceLoader) DeleteFromFile(assetFunc func(name string) ([]byte, error), filename string, overrideNamespace string) {
 	d.t.Logf("Deleting resource %v\n", filename)
 	deleteFunc := func(t *testing.T, unstructured *unstructured.Unstructured, dynamicResourceInterface dynamic.ResourceInterface) {
-		err := dynamicResourceInterface.Delete(context.Background(), unstructured.GetName(), metav1.DeleteOptions{})
+		err := dynamicResourceInterface.Delete(d.context, unstructured.GetName(), metav1.DeleteOptions{})
 		d.noErrorSkipNotExisting(err)
 	}
 
@@ -120,7 +71,7 @@ func (d DynamicResourceLoader) DeleteFromFile(assetFunc func(name string) ([]byt
 func (d DynamicResourceLoader) CreateFromFile(assetFunc func(name string) ([]byte, error), filename string, overrideNamespace string) {
 	d.t.Logf("Creating resource %v\n", filename)
 	createFunc := func(t *testing.T, unstructured *unstructured.Unstructured, dynamicResourceInterface dynamic.ResourceInterface) {
-		_, err := dynamicResourceInterface.Create(context.Background(), unstructured, metav1.CreateOptions{})
+		_, err := dynamicResourceInterface.Create(d.context, unstructured, metav1.CreateOptions{})
 		d.noErrorSkipExists(err)
 	}
 
@@ -142,31 +93,86 @@ func (d DynamicResourceLoader) CreateFromUnstructured(unstructuredObj *unstructu
 // Use from Ginkgo tests with Expect(err).NotTo(HaveOccurred()) to see the actual API error on failure.
 func (d DynamicResourceLoader) CreateFromUnstructuredReturnErr(unstructuredObj *unstructured.Unstructured, overrideNamespace string) error {
 	dri := d.getResourceInterface(unstructuredObj, overrideNamespace)
-	_, err := dri.Create(context.Background(), unstructuredObj, metav1.CreateOptions{})
+	_, err := dri.Create(d.context, unstructuredObj, metav1.CreateOptions{})
 	return err
 }
 
 // DeleteFromUnstructured deletes a resource by name. For cluster-scoped resources, namespace is ignored.
 func (d DynamicResourceLoader) DeleteFromUnstructured(unstructuredObj *unstructured.Unstructured, overrideNamespace string) {
 	dri := d.getResourceInterface(unstructuredObj, overrideNamespace)
-	err := dri.Delete(context.Background(), unstructuredObj.GetName(), metav1.DeleteOptions{})
-	d.noErrorSkipNotExisting(err)
-	d.t.Logf("Resource %s deleted\n", unstructuredObj.GetName())
+	err := dri.Delete(d.context, unstructuredObj.GetName(), metav1.DeleteOptions{})
+	if err != nil && !k8serrors.IsNotFound(err) {
+		require.NoError(d.t, err)
+	}
+	if err == nil || k8serrors.IsNotFound(err) {
+		d.t.Logf("Resource %s deleted\n", unstructuredObj.GetName())
+	}
 }
 
 func (d DynamicResourceLoader) getResourceInterface(unstructuredObj *unstructured.Unstructured, overrideNamespace string) dynamic.ResourceInterface {
-	gvk := unstructuredObj.GroupVersionKind()
+	objCopy := unstructuredObj.DeepCopy()
+	gvk := objCopy.GroupVersionKind()
 	gr, err := restmapper.GetAPIGroupResources(d.KubeClient.Discovery())
 	require.NoError(d.t, err)
 	mapper := restmapper.NewDiscoveryRESTMapper(gr)
 	mapping, err := mapper.RESTMapping(gvk.GroupKind(), gvk.Version)
 	require.NoError(d.t, err)
 	if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
 		if overrideNamespace != "" {
-			unstructuredObj.SetNamespace(overrideNamespace)
+			objCopy.SetNamespace(overrideNamespace)
 		}
-		require.NotEmpty(d.t, unstructuredObj.GetNamespace(), "Namespace can not be empty for namespaced resource")
-		return d.DynamicClient.Resource(mapping.Resource).Namespace(unstructuredObj.GetNamespace())
+		require.NotEmpty(d.t, objCopy.GetNamespace(), "Namespace can not be empty for namespaced resource")
+		return d.DynamicClient.Resource(mapping.Resource).Namespace(objCopy.GetNamespace())
 	}
 	return d.DynamicClient.Resource(mapping.Resource)
 }
+
+func (d DynamicResourceLoader) noErrorSkipExists(err error) {
+	if !k8serrors.IsAlreadyExists(err) {
+		require.NoError(d.t, err)
+	}
+}
+
+func (d DynamicResourceLoader) noErrorSkipNotExisting(err error) {
+	if !k8serrors.IsNotFound(err) {
+		require.NoError(d.t, err)
+	}
+}
+
+func (d DynamicResourceLoader) do(do doFunc, assetFunc func(name string) ([]byte, error), filename string, overrideNamespace string) {
+	b, err := assetFunc(filename)
+	require.NoError(d.t, err)
+
+	decoder := yamlutil.NewYAMLOrJSONDecoder(bytes.NewReader(b), 1024)
+	var rawObj runtime.RawExtension
+	err = decoder.Decode(&rawObj)
+	require.NoError(d.t, err)
+
+	obj, gvk, err := yaml.NewDecodingSerializer(unstructured.UnstructuredJSONScheme).Decode(rawObj.Raw, nil, nil)
+	require.NoError(d.t, err)
+
+	unstructuredMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
+	require.NoError(d.t, err)
+
+	unstructuredObj := &unstructured.Unstructured{Object: unstructuredMap}
+
+	gr, err := restmapper.GetAPIGroupResources(d.KubeClient.Discovery())
+	require.NoError(d.t, err)
+
+	mapper := restmapper.NewDiscoveryRESTMapper(gr)
+	mapping, err := mapper.RESTMapping(gvk.GroupKind(), gvk.Version)
+	require.NoError(d.t, err)
+
+	var dri dynamic.ResourceInterface
+	if mapping.Scope.Name() == meta.RESTScopeNameNamespace {
+		if overrideNamespace != "" {
+			unstructuredObj.SetNamespace(overrideNamespace)
+		}
+		require.NotEmpty(d.t, unstructuredObj.GetNamespace(), "Namespace can not be empty!")
+		dri = d.DynamicClient.Resource(mapping.Resource).Namespace(unstructuredObj.GetNamespace())
+	} else {
+		dri = d.DynamicClient.Resource(mapping.Resource)
+	}
+
+	do(d.t, unstructuredObj, dri)
+}