UPSTREAM: <carry>: Adds ResourceVersion checks to the tls secret deletion test, mirroring the logic used in the certificate rotation test. This makes the test more robust by ensuring a new secret is created, not just that an existing one is still present.

Author: camilamacedo86

openshift/tests-extension/test/webhooks.go

@@ -240,12 +240,16 @@ var _ = Describe("[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServi
 
 		It("should be tolerant to tls secret deletion", func(ctx SpecContext) {
 			certificateSecretName := webhookServiceCert
-			By("ensuring secret exists before deletion attempt")
+			var oldSecretResourceVersion string
+
+			By("ensuring secret exists before deletion attempt and getting its ResourceVersion")
 			Eventually(func(g Gomega) {
 				secret := &corev1.Secret{}
 				err := k8sClient.Get(ctx, client.ObjectKey{Name: certificateSecretName, Namespace: webhookOperatorInstallNamespace}, secret)
 				g.Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("failed to get secret %s/%s", webhookOperatorInstallNamespace, certificateSecretName))
-			}).WithTimeout(1 * time.Minute).WithPolling(5 * time.Second).Should(Succeed())
+				oldSecretResourceVersion = secret.ResourceVersion
+				g.Expect(oldSecretResourceVersion).ToNot(BeEmpty(), "expected secret ResourceVersion to not be empty")
+			}).WithTimeout(5 * time.Minute).WithPolling(5 * time.Second).Should(Succeed())
 
 			By("checking webhook is responsive through secret recreation after manual deletion")
 			tlsSecret := &corev1.Secret{
@@ -286,6 +290,7 @@ var _ = Describe("[sig-olmv1][OCPFeatureGate:NewOLMWebhookProviderOpenshiftServi
 					return
 				}
 				g.Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("failed to get webhook service certificate secret %s/%s: %v", webhookOperatorInstallNamespace, certificateSecretName, err))
+				g.Expect(secret.ResourceVersion).ToNot(Equal(oldSecretResourceVersion), "expected secret ResourceVersion to be different from the old one")
 				g.Expect(secret.Data).ToNot(BeEmpty(), "expected webhook service certificate secret data to not be empty after recreation")
 			}).WithTimeout(5*time.Minute).WithPolling(10*time.Second).Should(Succeed(), "webhook service certificate secret did not get recreated and populated within timeout")
 
@@ -396,6 +401,38 @@ func setupWebhookOperator(ctx SpecContext, k8sClient client.Client, webhookOpera
 		g.Expect(secret.Data).ToNot(BeEmpty(), "expected webhook service certificate secret data to not be empty")
 	}).WithTimeout(5*time.Minute).WithPolling(5*time.Second).Should(Succeed(), "webhook service certificate secret did not become available within timeout")
 
+	By("waiting for the webhook operator's pod to be running and ready")
+	Eventually(func(g Gomega) {
+		podList := &corev1.PodList{}
+		listOpts := []client.ListOption{
+			client.InNamespace(webhookOperatorInstallNamespace),
+			// Assuming the webhook operator pod has a label like app.kubernetes.io/name=webhook-operator
+			// You might need to adjust this label selector based on your actual operator's labels.
+			client.MatchingLabels{"app.kubernetes.io/name": webhookOperatorPackageName},
+		}
+		err := k8sClient.List(ctx, podList, listOpts...)
+		g.Expect(err).ToNot(HaveOccurred(), "failed to list pods in namespace")
+		g.Expect(podList.Items).ToNot(BeEmpty(), "expected to find at least one webhook operator pod")
+
+		// Check the first pod in the list. In a typical operator setup, there should be only one pod
+		// or multiple pods if it's a deployment with multiple replicas.
+		// For simplicity, we check the first one, but a more robust check might iterate through all
+		// pods if multiple are expected.
+		pod := podList.Items[0]
+		g.Expect(pod.Status.Phase).To(Equal(corev1.PodRunning), fmt.Sprintf("expected pod %s to be running, but got %s", pod.Name, pod.Status.Phase))
+
+		// Check all container statuses within the pod to ensure they are ready
+		allContainersReady := true
+		for _, condition := range pod.Status.Conditions {
+			if condition.Type == corev1.PodReady && condition.Status != corev1.ConditionTrue {
+				allContainersReady = false
+				break
+			}
+		}
+		g.Expect(allContainersReady).To(BeTrue(), fmt.Sprintf("expected all containers in pod %s to be ready", pod.Name))
+
+	}).WithTimeout(5*time.Minute).WithPolling(10*time.Second).Should(Succeed(), "webhook operator pod did not become running and ready within timeout")
+
 	return func(ctx context.Context) {
 		By(fmt.Sprintf("cleanup: deleting ClusterExtension %s", ce.Name))
 		_ = k8sClient.Delete(ctx, ce, client.PropagationPolicy(metav1.DeletePropagationBackground))