
NO-JIRA: add the eso aws test cases#95

Open
emmajiafan wants to merge 1 commit into openshift:main from emmajiafan:migrate


@emmajiafan


Test Coverage Summary

| Category | Test Count | What's Covered |
|---|---|---|
| Basic Operations | 2 | Namespace-scoped stores, binary data |
| Advanced Features | 4 | Secret rotation, templates, dataFrom, JSON paths |
| AWS Parameter Store | 1 | SSM integration |
| Original Test | 1 | Complete workflow (ClusterSecretStore + PushSecret + ExternalSecret) |
| Total | 8 tests | Comprehensive AWS coverage |

@emmajiafan
Author

/hold

@coderabbitai

coderabbitai bot commented Dec 24, 2025

Walkthrough

This PR adds comprehensive AWS-focused end-to-end tests to the External Secrets Operator. It introduces new test scenarios covering basic operations, advanced features (secret refresh, templates, JSONPath extraction), and multiple secret store configurations. Support utilities for AWS secret management are added to the test infrastructure.

Changes

| Cohort / File(s) | Summary |
|---|---|
| E2E Test Suite Expansion: test/e2e/e2e_test.go | Adds encoding/json import, awsSecretRegionName constant ("ap-south-1"), and passes AWS region into asset templating. Expands test suite with Basic Operations (namespace-scoped SecretStore, dataFrom handling, binary data) and Advanced Features (secret refresh, template transformations, JSONPath extraction, nested JSON handling) contexts for AWS platform. |
| AWS Secret Store & ExternalSecret Manifests: test/e2e/testdata/aws_secret_store.yaml, aws_secret_store_namespace.yaml, aws_ssm_secret_store.yaml, aws_invalid_secret_store.yaml | Four SecretStore/ClusterSecretStore manifests: updates region from literal to ${AWS_REGION} placeholder, adds namespace-scoped variant, introduces SSM Parameter Store variant, and defines invalid credential configuration for testing error scenarios. |
| ExternalSecret Test Data: test/e2e/testdata/aws_external_secret_*.yaml (binary, datafrom, jsonpath, multi_key, refresh, template, ssm) | Seven ExternalSecret manifests covering distinct scenarios: binary data handling, dataFrom extraction, JSONPath/nested JSON queries, multi-key extraction, rapid refresh intervals, template-based transformations, and Systems Manager Parameter Store integration. |
| Kubernetes Secret Test Data: test/e2e/testdata/aws_k8s_secret_multi_key.yaml | Introduces Secret manifest with three data keys (key1, key2, key3) using environment variable placeholders for test data injection. |
| Test Utilities for AWS: test/utils/conditions.go | Adds two public functions: CreateAWSSecret and UpdateAWSSecret, both fetching AWS credentials from Kubernetes secrets, establishing AWS sessions, and invoking Secrets Manager operations for test secret lifecycle management. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented



@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 24, 2025
@openshift-ci openshift-ci bot requested review from TrilokGeer and swghosh December 24, 2025 12:21
@openshift-ci

openshift-ci bot commented Dec 24, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: emmajiafan
Once this PR has been reviewed and has the lgtm label, please assign trilokgeer for approval. For more information see the Code Review Process.


Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
test/e2e/e2e_test.go (1)

146-164: Redundant AWS secret deletion - both AfterAll and defer attempt cleanup.

The AfterAll block at lines 146-150 deletes awsSecretName, but the test at line 161-164 also has a defer that deletes the same secret. This could cause the second deletion to fail with a "secret not found" error (though it's using NotTo(HaveOccurred()) which would fail the test).

🔎 Proposed fix - remove duplicate cleanup

Consider removing the AfterAll cleanup since the test already handles its own cleanup via defer:

-	AfterAll(func() {
-		By("Deleting the AWS secret")
-		Expect(utils.DeleteAWSSecret(ctx, clientset, awsSecretName, awsSecretRegionName)).
-			NotTo(HaveOccurred(), "failed to delete AWS secret test/e2e")
-	})
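Review bot: deleting the AfterAll block outright makes cleanup of awsSecretName depend on a single defer inside one It body, so the second option in the comment (keep AfterAll as a safety net and make the delete tolerant) is the more robust choice: AfterAll still removes the secret when that It fails before its defer is registered, and a DeleteAWSSecret that treats a not-found response as success makes the overlapping call harmless instead of failing the test.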

Or keep AfterAll as a safety net but make the defer error tolerant.

🧹 Nitpick comments (7)
test/e2e/testdata/aws_invalid_secret_store.yaml (1)

13-13: Consider parameterizing the region for consistency.

The region is hardcoded to ap-south-1 while other test manifests use ${AWS_REGION}. For consistency and flexibility across test environments, consider using:

-      region: ap-south-1
+      region: ${AWS_REGION}
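Review bot: switching to `${AWS_REGION}` only helps if this manifest goes through the same asset templating that substitutes the placeholder for the other stores; applied without that step, the literal string `${AWS_REGION}` reaches the provider and the test fails on an invalid region rather than on the invalid credentials it is meant to exercise, so confirm the templating path covers aws_invalid_secret_store.yaml before taking this change.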

This allows testing invalid credential scenarios across different regions.

test/utils/conditions.go (2)

150-204: Consider extracting session creation to reduce duplication.

The AWS session creation logic is duplicated across CreateAWSSecret, UpdateAWSSecret, DeleteAWSSecret, CreateAWSParameter, and DeleteAWSParameter. This could be refactored into a helper function.

🔎 Proposed refactor to extract session helper
+func newAWSSession(ctx context.Context, k8sClient *kubernetes.Clientset, region string) (*session.Session, error) {
+	id, key, err := fetchAWSCreds(ctx, k8sClient)
+	if err != nil {
+		return nil, err
+	}
+
+	sess, err := session.NewSession(&aws.Config{
+		Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
+			AccessKeyID:     id,
+			SecretAccessKey: key,
+		}}),
+		Region: aws.String(region),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create AWS session: %w", err)
+	}
+	return sess, nil
+}

 func CreateAWSSecret(ctx context.Context, k8sClient *kubernetes.Clientset, secretName, secretValue, region string) error {
-	id, key, err := fetchAWSCreds(ctx, k8sClient)
-	if err != nil {
-		return err
-	}
-
-	sess, err := session.NewSession(&aws.Config{
-		Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
-			AccessKeyID:     id,
-			SecretAccessKey: key,
-		}}),
-		Region: aws.String(region),
-	})
+	sess, err := newAWSSession(ctx, k8sClient, region)
 	if err != nil {
-		return fmt.Errorf("failed to create AWS session: %w", err)
+		return err
 	}
 	// ... rest of function
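Review bot: error wrapping inside newAWSSession is inconsistent: the session.NewSession failure is wrapped as `fmt.Errorf("failed to create AWS session: %w", err)` while the fetchAWSCreds error is returned bare, and since callers now only `return err`, a credential-fetch failure surfaces without any context about which step broke; wrap it too (for example `fmt.Errorf("failed to fetch AWS credentials: %w", err)`) so test failures identify the stage.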

Also applies to: 263-291


280-286: SSM parameter creation will fail if parameter already exists.

With Overwrite: aws.Bool(false), CreateAWSParameter will fail if the parameter already exists from a previous test run that didn't clean up properly. Consider using Overwrite: aws.Bool(true) for test resilience, or document this behavior.

test/e2e/testdata/aws_ssm_external_secret.yaml (1)

11-13: Minor inconsistency: kind is hardcoded while other manifests use placeholders.

This manifest hardcodes kind: ClusterSecretStore while other ExternalSecret manifests use ${SECRETSTORE_KIND}. If SSM tests should only run against ClusterSecretStore, this is fine. Otherwise, consider parameterizing for consistency.

test/e2e/scripts/run-tests.sh (1)

16-19: Unused variable YELLOW.

The YELLOW variable is defined but never used in the script. Consider removing it or utilizing it for warning messages.

test/e2e/scripts/verify-setup.sh (1)

36-36: Deprecated --short flag for kubectl version.

The --short flag is deprecated in newer kubectl versions. Consider using kubectl version --client=false -o yaml or removing the version output entirely since cluster connectivity is already verified.

🔎 Proposed fix
-    kubectl version --short 2>/dev/null | grep "Server Version" || true
+    kubectl version -o yaml 2>/dev/null | grep -A1 "serverVersion:" | head -2 || true
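Review bot: `grep -A1 "serverVersion:" | head -2` prints the `serverVersion:` key plus whichever sub-key is emitted first in the YAML, which is not necessarily the version string the script wants to show; because recent kubectl releases already print a `Server Version: ...` line without `--short`, the smaller change is to drop the flag and keep the existing `grep "Server Version"`, or follow the comment's other suggestion and remove the version output since connectivity is verified elsewhere.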
test/e2e/e2e_test.go (1)

594-595: Silently ignoring json.Marshal error.

The error from json.Marshal is discarded. While this is unlikely to fail for a simple map, it's better practice to handle errors explicitly in tests to catch unexpected issues during test setup.

🔎 Proposed fix
-			secretBytes, _ := json.Marshal(nestedSecret)
+			secretBytes, err := json.Marshal(nestedSecret)
+			Expect(err).NotTo(HaveOccurred(), "failed to marshal nested secret")
 			secretValue := string(secretBytes)
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between d29a39d and e2ee6ea.

⛔ Files ignored due to path filters (279): go.sum (excluded by !**/*.sum) and vendored dependencies under vendor/ (excluded by !vendor/**, !**/vendor/**).
  • vendor/golang.org/x/tools/go/ssa/ssa.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/ssa/ssautil/visit.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/ssa/subst.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/ssa/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/go/types/typeutil/map.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/imports/forward.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/doc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/extractdoc.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/readfile.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/analysis/analyzerutil/version.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/analysis/typeindex/typeindex.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/analysisinternal/analysis.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/analysisinternal/generated/generated.go is excluded by !**/generated/**, !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/astutil/stringlit.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/astutil/util.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/cfginternal/cfginternal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/bimport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/goplsexport/export.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/packagepath/packagepath.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/refactor/delete.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/refactor/imports.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/refactor/refactor.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/ssainternal/ssainternal.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/import.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typeparams/normalize.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/element.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/fx.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/isnamed.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/qualifier.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/varkind.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/varkind_go124.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/typesinternal/zerovalue.go is excluded by !vendor/**, !**/vendor/**
  • vendor/golang.org/x/tools/internal/versions/features.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/grpc/CONTRIBUTING.md is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/grpc/balancer/pickfirst/pickfirst.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/grpc/balancer/pickfirst/pickfirstleaf/pickfirstleaf.go is excluded by !vendor/**, !**/vendor/**
  • vendor/google.golang.org/grpc/balancer/roundrobin/roundrobin.go is excluded by !vendor/**, !**/vendor/**
📒 Files selected for processing (21)
  • go.mod
  • test/e2e/README.md
  • test/e2e/e2e_test.go
  • test/e2e/scripts/README.md
  • test/e2e/scripts/cleanup-credentials.sh
  • test/e2e/scripts/run-tests.sh
  • test/e2e/scripts/setup-aws-credentials.sh
  • test/e2e/scripts/verify-setup.sh
  • test/e2e/testdata/aws_external_secret_binary.yaml
  • test/e2e/testdata/aws_external_secret_datafrom.yaml
  • test/e2e/testdata/aws_external_secret_jsonpath.yaml
  • test/e2e/testdata/aws_external_secret_multi_key.yaml
  • test/e2e/testdata/aws_external_secret_refresh.yaml
  • test/e2e/testdata/aws_external_secret_template.yaml
  • test/e2e/testdata/aws_invalid_secret_store.yaml
  • test/e2e/testdata/aws_k8s_secret_multi_key.yaml
  • test/e2e/testdata/aws_secret_store.yaml
  • test/e2e/testdata/aws_secret_store_namespace.yaml
  • test/e2e/testdata/aws_ssm_external_secret.yaml
  • test/e2e/testdata/aws_ssm_secret_store.yaml
  • test/utils/conditions.go
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • test/e2e/scripts/README.md
  • test/e2e/testdata/aws_external_secret_template.yaml
  • test/e2e/testdata/aws_external_secret_binary.yaml
  • test/e2e/testdata/aws_external_secret_jsonpath.yaml
  • test/e2e/testdata/aws_ssm_secret_store.yaml
  • test/e2e/scripts/setup-aws-credentials.sh
  • test/e2e/testdata/aws_invalid_secret_store.yaml
  • test/e2e/scripts/run-tests.sh
  • test/e2e/testdata/aws_ssm_external_secret.yaml
  • test/e2e/scripts/cleanup-credentials.sh
  • test/e2e/README.md
  • test/e2e/scripts/verify-setup.sh
  • test/e2e/testdata/aws_external_secret_datafrom.yaml
  • test/e2e/testdata/aws_external_secret_refresh.yaml
  • test/e2e/testdata/aws_k8s_secret_multi_key.yaml
  • test/utils/conditions.go
  • test/e2e/testdata/aws_secret_store_namespace.yaml
  • test/e2e/testdata/aws_external_secret_multi_key.yaml
  • test/e2e/testdata/aws_secret_store.yaml
  • go.mod
  • test/e2e/e2e_test.go
🧬 Code graph analysis (1)
test/e2e/e2e_test.go (2)
test/utils/conditions.go (5)
  • ReplacePatternInAsset (250-261)
  • GetRandomString (240-248)
  • CreateAWSSecret (150-176)
  • WaitForESOResourceReady (101-138)
  • UpdateAWSSecret (178-204)
api/v1alpha1/groupversion_info.go (1)
  • Resource (40-42)
🪛 LanguageTool
test/e2e/scripts/README.md

[style] ~210-~210: ‘without warning’ might be wordy. Consider a shorter alternative.
Context: ...pts will overwrite existing credentials without warning - Use cleanup-credentials.sh to remov...

(EN_WORDINESS_PREMIUM_WITHOUT_WARNING)

test/e2e/README.md

[grammar] ~90-~90: Use a hyphen to join words.
Context: ...scoped SecretStore** - Tests non-cluster scoped SecretStore 2. **Multiple data ke...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)
test/e2e/scripts/README.md

172-172: Bare URL used

(MD034, no-bare-urls)

🪛 Shellcheck (0.11.0)
test/e2e/scripts/run-tests.sh

[warning] 18-18: YELLOW appears unused. Verify use (or export if used externally).

(SC2034)

🔇 Additional comments (18)
test/e2e/testdata/aws_secret_store_namespace.yaml (1)

1-20: LGTM with template substitution assumption.

The manifest uses placeholder syntax consistently with other test data files. Assuming there's a template substitution mechanism in the test framework, the structure is correct for namespace-scoped AWS SecretStore testing.

Note: This assumes template substitution happens before applying to the cluster. See verification comment on aws_k8s_secret_multi_key.yaml for checking the substitution mechanism.

test/e2e/testdata/aws_ssm_secret_store.yaml (1)

1-22: LGTM!

The ClusterSecretStore manifest correctly configures AWS Parameter Store integration. The hardcoded reference to aws-creds in kube-system aligns with the setup script (setup-aws-credentials.sh), providing consistent credential management for E2E tests.

test/e2e/scripts/cleanup-credentials.sh (1)

1-54: LGTM!

The cleanup script has appropriate error handling with clear status messages. The cleanup_secret function correctly handles both success and missing secret scenarios, making it safe to run repeatedly.

test/e2e/scripts/setup-aws-credentials.sh (2)

29-31: LGTM - secure password handling.

The script correctly uses read -sp for the AWS Secret Access Key (suppressing echo), followed by explicit newlines for proper terminal formatting. This prevents credentials from being visible in terminal history or on-screen.


1-69: Interactive design is appropriate for the use case.

The script is well-structured for interactive credential setup with good error handling, validation, and user feedback. Note that this script requires interactive input and is not suitable for CI/CD environments without modification (see the CI/CD documentation issue flagged in README.md).

go.mod (1)

282-314: Module dependencies are properly integrated and consistent.

Version updates across OpenTelemetry (→1.38.0), Go stdlib extensions (→0.30.0+), gRPC (→1.77.0), and protobuf (→1.36.11) have been successfully resolved. go mod verify confirms the module graph is consistent, and go.sum contains all required hash entries with no conflicts detected. Go version 1.24.4 supports these dependency versions. No action required.

test/e2e/testdata/aws_k8s_secret_multi_key.yaml (1)

10-12: This is unused test fixture data not integrated into any tests.

The file test/e2e/testdata/aws_k8s_secret_multi_key.yaml exists but is not referenced by any test in the codebase. Both aws_k8s_secret_multi_key.yaml and the related aws_external_secret_multi_key.yaml were added as test fixtures but remain unused. The concerns about placeholder substitution and base64 encoding do not currently apply since the file is not loaded or used by any test.

Likely an incorrect or invalid review comment.

test/e2e/testdata/aws_secret_store.yaml (1)

1-22: LGTM!

Good improvement to parameterize the region with ${AWS_REGION} instead of hardcoding. This makes the test infrastructure more flexible across different AWS regions.

test/e2e/testdata/aws_external_secret_multi_key.yaml (1)

1-29: LGTM!

Well-structured manifest for testing multi-key extraction from a single AWS secret. The consistent use of placeholders and labeling pattern aligns with other test manifests.

test/e2e/testdata/aws_external_secret_template.yaml (1)

1-32: LGTM!

Good test coverage for template-based secret transformation. The manifest correctly demonstrates generating a config file from extracted secret values.

test/e2e/testdata/aws_external_secret_datafrom.yaml (1)

1-19: LGTM!

Clean manifest for testing dataFrom extraction. This correctly exercises the bulk extraction pattern from AWS Secrets Manager.

test/e2e/testdata/aws_external_secret_jsonpath.yaml (1)

1-21: LGTM!

Good test case for nested JSON property extraction using the dot-notation path syntax.

test/e2e/testdata/aws_external_secret_binary.yaml (1)

1-21: LGTM!

Clean manifest for testing binary data extraction from AWS Secrets Manager.

test/e2e/testdata/aws_external_secret_refresh.yaml (1)

1-21: LGTM!

The ExternalSecret manifest is well-structured with appropriate placeholders for dynamic substitution. The 30s refresh interval is suitable for testing the secret refresh functionality.

test/e2e/scripts/verify-setup.sh (1)

1-140: LGTM!

The verification script is comprehensive and well-structured. It properly checks prerequisites, provides clear feedback with color-coded output, and handles optional credentials appropriately with warnings rather than errors.

test/e2e/e2e_test.go (3)

235-378: LGTM - Basic Operations tests.

Well-structured tests covering namespace-scoped SecretStore and binary data handling. Good use of defer for cleanup and Eventually for async assertions.


380-652: LGTM - Advanced Features tests.

Comprehensive test coverage for secret refresh, template transformations, dataFrom, and JSON path extraction. The 2-minute timeout for refresh verification (line 454) appropriately accounts for the 30s refresh interval plus buffer.


654-716: LGTM - AWS Parameter Store tests.

Good integration test for SSM Parameter Store functionality with proper setup and cleanup.

Comment on lines 219 to 230
```yaml
# Example GitHub Actions
- name: Setup AWS Credentials
  run: |
    echo "$AWS_ACCESS_KEY_ID" | ./test/e2e/scripts/setup-aws-credentials.sh
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Run E2E Tests
  run: ./test/e2e/scripts/run-tests.sh aws -v
```

⚠️ Potential issue | 🟠 Major

Fix the CI/CD integration example.

The GitHub Actions example won't work because setup-aws-credentials.sh uses interactive prompts (read -p), but the example pipes credentials via echo. The script needs modification to support non-interactive CI/CD environments.

🔎 Recommended approach

Either:

  1. Modify the setup script to accept environment variables directly, or
  2. Update the documentation to show direct kubectl create secret commands for CI/CD:
```yaml
# Example GitHub Actions (corrected)
- name: Setup AWS Credentials
  # The credentials are read from the step's environment (declared under env:
  # below) instead of being interpolated into the shell command text, so the
  # env block is actually used and the secret values stay out of the command line.
  run: |
    kubectl create secret generic aws-creds \
      --from-literal=aws_access_key_id="$AWS_ACCESS_KEY_ID" \
      --from-literal=aws_secret_access_key="$AWS_SECRET_ACCESS_KEY" \
      -n kube-system
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

- name: Run E2E Tests
  run: ./test/e2e/scripts/run-tests.sh aws -v
  env:
    E2E_AWS_REGION: us-east-1
```
🤖 Prompt for AI Agents
In test/e2e/scripts/README.md around lines 219-230, the GitHub Actions example
fails because setup-aws-credentials.sh uses interactive read prompts while the
example pipes values; update the setup script to support non-interactive CI by
reading AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables (use
them if set, otherwise fall back to interactive prompt), and update the README
example to either (a) call the script with those env vars exported in the
workflow or (b) replace the step with a kubectl create secret ... example that
injects the GitHub secrets directly into the cluster for CI; ensure the README
shows the corresponding env: entries for the Run E2E Tests step when necessary.

Comment on lines 35 to 39
```bash
if [ "$VERBOSE" = "-v" ] || [ "$VERBOSE" = "--verbose" ]; then
    make test-e2e E2E_GINKGO_LABEL_FILTER="$label" || return 1
else
    make test-e2e E2E_GINKGO_LABEL_FILTER="$label" 2>&1 | grep -E "Ran|PASS|FAIL|SUCCESS|•" || return 1
fi
```

⚠️ Potential issue | 🟠 Major

Potential false failure in non-verbose mode due to grep exit code.

When $VERBOSE is not set, the script pipes make test-e2e output through grep. If grep finds no matching lines, it exits with code 1, causing return 1 even if the tests passed. This could mask successful test runs or incorrectly report failures.

🔎 Proposed fix
     if [ "$VERBOSE" = "-v" ] || [ "$VERBOSE" = "--verbose" ]; then
         make test-e2e E2E_GINKGO_LABEL_FILTER="$label" || return 1
     else
-        make test-e2e E2E_GINKGO_LABEL_FILTER="$label" 2>&1 | grep -E "Ran|PASS|FAIL|SUCCESS|•" || return 1
+        make test-e2e E2E_GINKGO_LABEL_FILTER="$label" 2>&1 | { grep -E "Ran|PASS|FAIL|SUCCESS|•" || true; }
+        return ${PIPESTATUS[0]}
     fi
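Review bot: `${PIPESTATUS[0]}` on the added `return` line is a bash-only array, so this fix only holds if run-tests.sh is executed by bash (a `#!/bin/bash` shebang, not `sh`), and it must stay the very next statement after the pipeline, as the suggestion has it. Note also that the original line does not just produce false failures: when `make` fails and prints a line matching `FAIL`, grep exits 0, `|| return 1` never fires, and the function reports success, so real test failures are hidden as well. If the script must stay portable, `set -o pipefail` at the top or writing `make`'s status to a temp file inside the left side of the pipe are the usual alternatives.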

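Both effects described in this comment (a false failure when no summary line matches, and a real failure masked when a `FAIL` line does match) can be reproduced without a cluster. The block below is an added example, not code from the PR or from run-tests.sh: `fake_make` is a constructed stand-in for `make test-e2e`, `naive_filtered` mirrors the flagged pattern (with the `•` dropped from the grep alternation so the pattern is locale-independent), and `filtered_status` shows a fix that returns make's own status without relying on bash's `PIPESTATUS`.

```shell
#!/usr/bin/env bash
# Added example (not part of the PR). Shows why `cmd | grep ... || return 1`
# reports the wrong status, and a portable way to return cmd's own exit code.

# Constructed stand-in for `make test-e2e`: prints each remaining argument as an
# output line, then exits with the status given as the first argument.
fake_make() {
  fm_code=$1
  shift
  for fm_line in "$@"; do
    printf '%s\n' "$fm_line"
  done
  return "$fm_code"
}

# Same shape as the flagged line in run-tests.sh. The pipeline's exit status is
# grep's, not make's: 1 when no line matched (false failure even though make
# succeeded), 0 when a line matched (a make failure that prints "FAIL" is
# reported as success).
naive_filtered() {
  nf_code=$1
  shift
  fake_make "$nf_code" "$@" 2>&1 | grep -E 'Ran|PASS|FAIL|SUCCESS' || return 1
}

# Portable fix (sh and bash, no PIPESTATUS): the left side of the pipe records
# make's exit status in a temp file before grep can replace it, grep's own
# status is neutralised with `|| true`, and the saved status is returned.
# The `&& ... || ...` form keeps the capture working even under `set -e`.
filtered_status() {
  fs_code=$1
  shift
  fs_status_file=$(mktemp)
  {
    fake_make "$fs_code" "$@" 2>&1 && fs_inner=0 || fs_inner=$?
    echo "$fs_inner" >"$fs_status_file"
  } | { grep -E 'Ran|PASS|FAIL|SUCCESS' || true; }
  fs_rc=$(cat "$fs_status_file")
  rm -f "$fs_status_file"
  return "$fs_rc"
}
```

Calling `naive_filtered 2 "FAIL! -- 1 Failed"` returns 0 while `filtered_status 2 "FAIL! -- 1 Failed"` returns 2, which is the difference a CI job depends on.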
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
test/e2e/README.md (1)

9-27: Documentation still has inconsistencies with actual implementation.

The test counts and file references remain inconsistent:

  • Line 9: "13 test cases"
  • Line 19: references e2e_aws_test.go (file doesn't exist - tests are in e2e_test.go)
  • Line 107: "11 new AWS tests (plus 1 existing = 12 total)"
  • PR description: "8 tests"

Please reconcile the documentation to match the actual implementation.

test/e2e/scripts/README.md (1)

219-230: CI/CD integration example still has the same issue.

The GitHub Actions example pipes credentials via echo but setup-aws-credentials.sh likely uses interactive prompts (read -p), which won't work in CI. The documentation should show direct kubectl create secret commands for CI environments.

🧹 Nitpick comments (4)
test/e2e/testdata/aws_external_secret_multi_key.yaml (1)

1-29: LGTM! Consider adding documentation for test clarity.

The ExternalSecret manifest is correctly structured and follows standard ESO conventions. The use of template variables and property-based extraction from a JSON secret is appropriate for multi-key testing.

Optional: Add comment header for maintainability

Consider adding a brief header comment to document the test scenario and expected secret structure:

+# Test Case: Multi-key extraction from a single AWS Secrets Manager JSON secret
+# Expects AWS_SECRET_KEY_NAME to reference a JSON secret with structure:
+# { "key1": "value1", "key2": "value2", "key3": "value3" }
+
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
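Review bot: the `key1`/`key2`/`key3` structure in the proposed header is illustrative, so before committing it, align the listed keys with the `remoteRef.property` values this manifest actually reads and with the JSON that `CreateAWSSecret` seeds in the test; a header that names keys the test never uses will mislead the next maintainer more than no header would.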

This helps future maintainers understand the expected AWS secret format.

test/utils/conditions.go (1)

149-203: Consider extracting AWS session creation to reduce duplication.

The session creation logic is repeated in CreateAWSSecret, UpdateAWSSecret, and DeleteAWSSecret. Extracting this to a helper would improve maintainability.

🔎 Proposed refactor
+func createAWSSession(ctx context.Context, k8sClient *kubernetes.Clientset, region string) (*session.Session, error) {
+	id, key, err := fetchAWSCreds(ctx, k8sClient)
+	if err != nil {
+		return nil, err
+	}
+
+	sess, err := session.NewSession(&aws.Config{
+		Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
+			AccessKeyID:     id,
+			SecretAccessKey: key,
+		}}),
+		Region: aws.String(region),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create AWS session: %w", err)
+	}
+	return sess, nil
+}
+
 func CreateAWSSecret(ctx context.Context, k8sClient *kubernetes.Clientset, secretName, secretValue, region string) error {
-	id, key, err := fetchAWSCreds(ctx, k8sClient)
-	if err != nil {
-		return err
-	}
-
-	sess, err := session.NewSession(&aws.Config{
-		Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
-			AccessKeyID:     id,
-			SecretAccessKey: key,
-		}}),
-		Region: aws.String(region),
-	})
+	sess, err := createAWSSession(ctx, k8sClient, region)
 	if err != nil {
-		return fmt.Errorf("failed to create AWS session: %w", err)
+		return err
 	}
 	// ... rest of function
 }
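Review bot: the hunk only rewires `CreateAWSSecret`; `UpdateAWSSecret` and `DeleteAWSSecret`, named above as carrying the same session block, need the identical replacement in the same change or the duplication this refactor targets remains. One detail worth tightening while the helper is introduced: `fetchAWSCreds` errors are returned unwrapped, so only the session step carries context. Wrapping that path too (`return nil, fmt.Errorf("failed to fetch AWS credentials: %w", err)`) makes a missing `aws-creds` secret in `kube-system` distinguishable from a bad region in the E2E logs.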
test/e2e/testdata/aws_invalid_secret_store.yaml (1)

13-13: Region is hardcoded while other manifests use ${AWS_REGION}.

For consistency with other AWS test manifests (aws_secret_store.yaml, aws_ssm_secret_store.yaml), consider parameterizing the region here as well.

🔎 Proposed fix
-      region: ap-south-1
+      region: ${AWS_REGION}
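Review bot: `${AWS_REGION}` is only valid if this manifest is routed through the same pattern substitution (`ReplacePatternInAsset`) that the test applies to `aws_secret_store.yaml`; if `aws_invalid_secret_store.yaml` is applied verbatim, the literal string `${AWS_REGION}` becomes an invalid region and the store would be rejected for the wrong reason, so the test could pass without ever exercising the invalid-credentials path it exists to cover. Confirm the call site substitutes the region before adopting this change.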
test/e2e/scripts/run-tests.sh (1)

16-19: Remove unused YELLOW variable.

The YELLOW variable is defined but never used in the script. Consider removing it to keep the code clean.

🔎 Proposed fix
 # Colors
 GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
 NC='\033[0m'

As per static analysis hints, this variable appears unused.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between e2ee6ea and edc3dde.

⛔ Files ignored due to path filters (39)
📒 Files selected for processing (20)
  • test/e2e/README.md
  • test/e2e/e2e_test.go
  • test/e2e/scripts/README.md
  • test/e2e/scripts/cleanup-credentials.sh
  • test/e2e/scripts/run-tests.sh
  • test/e2e/scripts/setup-aws-credentials.sh
  • test/e2e/scripts/verify-setup.sh
  • test/e2e/testdata/aws_external_secret_binary.yaml
  • test/e2e/testdata/aws_external_secret_datafrom.yaml
  • test/e2e/testdata/aws_external_secret_jsonpath.yaml
  • test/e2e/testdata/aws_external_secret_multi_key.yaml
  • test/e2e/testdata/aws_external_secret_refresh.yaml
  • test/e2e/testdata/aws_external_secret_template.yaml
  • test/e2e/testdata/aws_invalid_secret_store.yaml
  • test/e2e/testdata/aws_k8s_secret_multi_key.yaml
  • test/e2e/testdata/aws_secret_store.yaml
  • test/e2e/testdata/aws_secret_store_namespace.yaml
  • test/e2e/testdata/aws_ssm_external_secret.yaml
  • test/e2e/testdata/aws_ssm_secret_store.yaml
  • test/utils/conditions.go
🚧 Files skipped from review as they are similar to previous changes (9)
  • test/e2e/testdata/aws_k8s_secret_multi_key.yaml
  • test/e2e/scripts/setup-aws-credentials.sh
  • test/e2e/testdata/aws_external_secret_datafrom.yaml
  • test/e2e/scripts/verify-setup.sh
  • test/e2e/testdata/aws_external_secret_refresh.yaml
  • test/e2e/testdata/aws_external_secret_template.yaml
  • test/e2e/testdata/aws_external_secret_binary.yaml
  • test/e2e/testdata/aws_external_secret_jsonpath.yaml
  • test/e2e/testdata/aws_ssm_external_secret.yaml
🧰 Additional context used
📓 Path-based instructions (1)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • test/e2e/testdata/aws_ssm_secret_store.yaml
  • test/e2e/scripts/run-tests.sh
  • test/utils/conditions.go
  • test/e2e/testdata/aws_secret_store.yaml
  • test/e2e/scripts/cleanup-credentials.sh
  • test/e2e/testdata/aws_external_secret_multi_key.yaml
  • test/e2e/e2e_test.go
  • test/e2e/testdata/aws_invalid_secret_store.yaml
  • test/e2e/testdata/aws_secret_store_namespace.yaml
  • test/e2e/README.md
  • test/e2e/scripts/README.md
🧬 Code graph analysis (1)
test/e2e/e2e_test.go (2)
test/utils/conditions.go (6)
  • ReplacePatternInAsset (249-260)
  • GetRandomString (239-247)
  • DeleteAWSSecret (205-231)
  • CreateAWSSecret (149-175)
  • WaitForESOResourceReady (100-137)
  • UpdateAWSSecret (177-203)
api/v1alpha1/groupversion_info.go (1)
  • Resource (40-42)
🪛 LanguageTool
test/e2e/README.md

[grammar] ~90-~90: Use a hyphen to join words.
Context: ...scoped SecretStore** - Tests non-cluster scoped SecretStore 2. **Multiple data ke...

(QB_NEW_EN_HYPHEN)

test/e2e/scripts/README.md

[style] ~210-~210: ‘without warning’ might be wordy. Consider a shorter alternative.
Context: ...pts will overwrite existing credentials without warning - Use cleanup-credentials.sh to remov...

(EN_WORDINESS_PREMIUM_WITHOUT_WARNING)

🪛 markdownlint-cli2 (0.18.1)
test/e2e/README.md

11-11: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


15-15: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

test/e2e/scripts/README.md

11-11: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)


15-15: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🪛 Shellcheck (0.11.0)
test/e2e/scripts/run-tests.sh

[warning] 18-18: YELLOW appears unused. Verify use (or export if used externally).

(SC2034)

🔇 Additional comments (8)
test/e2e/testdata/aws_secret_store_namespace.yaml (1)

1-20: LGTM!

The namespace-scoped SecretStore manifest is well-structured with appropriate placeholders for templating. The authentication configuration correctly references the secret containing AWS credentials.

test/e2e/testdata/aws_secret_store.yaml (1)

12-12: LGTM!

Good change to parameterize the region using ${AWS_REGION} instead of a hardcoded value. This aligns with the other test manifests and enables flexible region configuration.

test/e2e/testdata/aws_ssm_secret_store.yaml (1)

1-22: LGTM!

The ClusterSecretStore manifest for AWS Parameter Store is well-structured and follows the same parameterization pattern as other AWS manifests.

test/e2e/scripts/cleanup-credentials.sh (1)

1-54: LGTM!

The cleanup script is well-structured with appropriate error handling for missing kubectl and graceful handling of non-existent secrets. The provider-based case statement cleanly supports selective or full cleanup.

test/e2e/e2e_test.go (4)

25-25: LGTM!

The encoding/json import is correctly added to support JSON marshaling in the nested JSON test case (line 594).


175-178: LGTM!

Excellent improvement to dynamically inject the AWS region into the ClusterSecretStore asset. This makes the tests more maintainable and region-aware.


235-378: LGTM!

The Basic Operations test context provides good coverage for:

  • Namespace-scoped SecretStore functionality
  • Binary data handling with base64 encoding

Both tests follow best practices with proper cleanup (defer), async verification (Eventually), and reasonable timeouts.


383-651: LGTM on test structure!

The Advanced Features test context provides excellent coverage for:

  • Secret refresh/rotation with configurable intervals
  • Template transformations for config generation
  • DataFrom for bulk secret import
  • JSONPath extraction for nested JSON values

All four tests follow best practices with proper cleanup, async verification, and appropriate timeouts. The only concern is the region inconsistency flagged separately.

})

Context("Advanced Features", Label("Platform:AWS"), func() {
const awsRegion = "ap-south-1"

⚠️ Potential issue | 🟠 Major

Region inconsistency across test contexts.

The Advanced Features context uses "ap-south-1" (line 381), while the Basic Operations context uses "us-east-2" (line 236) and the original AWS Secret Manager context uses "us-east-2" (line 143). This inconsistency could cause test failures if AWS credentials don't have access to all regions or if there are region-specific quotas/limits.

Recommend using a consistent region across all AWS test contexts.

🔎 Proposed fix
 	Context("Advanced Features", Label("Platform:AWS"), func() {
-		const awsRegion = "ap-south-1"
+		const awsRegion = "us-east-2"
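Review bot: this swaps one per-context literal for another, which is what let the three contexts drift apart in the first place; reference the package-level `awsSecretRegionName` constant here instead so the region is defined in one place and the other contexts can do the same.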
🤖 Prompt for AI Agents
In test/e2e/e2e_test.go around line 381, the Advanced Features context sets
awsRegion to "ap-south-1" which is inconsistent with other contexts using
"us-east-2"; change this to the same region used elsewhere (e.g., "us-east-2")
and refactor by introducing a single shared awsRegion constant at the top of the
test file (or a test helper) and replace all hard-coded region strings to
reference that constant so all AWS test contexts use the same region.

Contributor

@bharath-b-rh bharath-b-rh left a comment


LGTM

Comment on lines 182 to 217
## CI/CD Integration

Example GitHub Actions workflow:

```yaml
name: E2E Tests

on: [push, pull_request]

jobs:
  e2e-aws:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      - name: Create kind cluster
        run: |
          kind create cluster
          kubectl cluster-info

      - name: Install External Secrets Operator
        run: |
          # Install operator

      - name: Create AWS credentials
        run: |
          kubectl create secret generic aws-creds \
            --from-literal=aws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID }} \
            --from-literal=aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }} \
            -n kube-system

      - name: Run AWS E2E tests
        run: make test-e2e E2E_GINKGO_LABEL_FILTER="Platform:AWS"
```
Contributor

nit: Do we need CI/CD Integration section?

Author

I think it's not necessary.

awsSecretValuePattern = "${SECRET_VALUE}"
awsClusterSecretStoreNamePattern = "${CLUSTERSECRETSTORE_NAME}"
awsSecretRegionName = "ap-south-1"
awsSecretRegionName = "us-east-2"
Contributor

Can we use ap-south-1? Any other Asian region is also fine. It will be less loaded and lower latency, I feel.

})

Context("Basic Operations", Label("Platform:AWS"), func() {
const awsRegion = "us-east-2"
Contributor

Can we use the global const awsSecretRegionName, unless explicitly required to use a different one?

- Never commit credentials to version control
- Consider using temporary/test-only credentials with minimal permissions

## CI/CD Integration
Contributor

Same here too, would we need this section?

Author

will remove it

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@test/e2e/e2e_test.go`:
- Around line 590-591: Change the ignored json.Marshal error to be handled: call
json.Marshal(nestedSecret) into (secretBytes, err), check err and fail the test
on error (e.g., t.Fatalf or require.NoError) before converting secretBytes to
string for secretValue; update the code around nestedSecret/secretValue to use
the new err variable so marshaling failures are surfaced.

In `@test/e2e/README.md`:
- Around line 402-406: The README's "AWS Region Issues" section currently states
the default region is "us-east-2" but the test scripts and test code use
"ap-south-1"; update the documentation so both places match by setting the
documented default region to "ap-south-1" (or change the test scripts to use
"us-east-2" if you prefer the other default). Locate the "AWS Region Issues"
heading and the default region string in test/e2e/README.md and make the same
change in test/e2e/scripts/README.md (and any other README strings mentioning
the default region) so all references to the default AWS region are consistent
with the value used by the test code.

In `@test/e2e/scripts/run-tests.sh`:
- Around line 16-19: Remove the unused YELLOW variable definition from the
script: delete the line defining YELLOW='\033[1;33m' (the YELLOW symbol), and
verify there are no remaining references to YELLOW elsewhere in the file (if any
exist, replace them with an appropriate existing color like GREEN or NC); keep
the other color variables (GREEN, NC) intact.
♻️ Duplicate comments (1)
test/e2e/scripts/run-tests.sh (1)

35-39: Potential false failure when grep finds no matches.

When not in verbose mode, if grep finds no matching lines, it exits with code 1, causing the function to return 1 even if tests passed.

🔧 Proposed fix
     if [ "$VERBOSE" = "-v" ] || [ "$VERBOSE" = "--verbose" ]; then
         make test-e2e E2E_GINKGO_LABEL_FILTER="$label" || return 1
     else
-        make test-e2e E2E_GINKGO_LABEL_FILTER="$label" 2>&1 | grep -E "Ran|PASS|FAIL|SUCCESS|•" || return 1
+        make test-e2e E2E_GINKGO_LABEL_FILTER="$label" 2>&1 | { grep -E "Ran|PASS|FAIL|SUCCESS|•" || true; }
+        return ${PIPESTATUS[0]}
     fi
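Review bot: `${PIPESTATUS[0]}` is a bash array, so this fix only holds if run-tests.sh is always executed by bash (bash shebang, never `sh run-tests.sh`); a POSIX-portable alternative is to capture the `make` output into a variable, save `$?`, and pipe the saved output through grep afterwards. Note also that the original pipeline hides real failures as well as inventing false ones: a ginkgo summary containing `FAIL` matches the grep pattern, so grep exits 0 and the function returns success for a failed run.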
🧹 Nitpick comments (1)
test/utils/conditions.go (1)

149-231: Consider extracting shared AWS session setup.

The session creation logic (fetch credentials → create session → create service client) is duplicated across CreateAWSSecret, UpdateAWSSecret, and DeleteAWSSecret. A helper function could reduce duplication.

This is optional since it's test utility code and the current approach is clear and maintainable.

♻️ Optional refactor
func getSecretsManagerClient(ctx context.Context, k8sClient *kubernetes.Clientset, region string) (*secretsmanager.SecretsManager, error) {
    id, key, err := fetchAWSCreds(ctx, k8sClient)
    if err != nil {
        return nil, err
    }

    sess, err := session.NewSession(&aws.Config{
        Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
            AccessKeyID:     id,
            SecretAccessKey: key,
        }}),
        Region: aws.String(region),
    })
    if err != nil {
        return nil, fmt.Errorf("failed to create AWS session: %w", err)
    }

    return secretsmanager.New(sess), nil
}

Comment on lines +590 to +591
secretBytes, _ := json.Marshal(nestedSecret)
secretValue := string(secretBytes)

⚠️ Potential issue | 🟡 Minor

Handle json.Marshal error instead of ignoring it.

Ignoring the error from json.Marshal could mask issues. While marshaling this simple map is unlikely to fail, explicitly handling the error makes the test more robust.

🔧 Proposed fix
-			secretBytes, _ := json.Marshal(nestedSecret)
-			secretValue := string(secretBytes)
+			secretBytes, err := json.Marshal(nestedSecret)
+			Expect(err).NotTo(HaveOccurred(), "failed to marshal nested secret")
+			secretValue := string(secretBytes)
🤖 Prompt for AI Agents
In `@test/e2e/e2e_test.go` around lines 590 - 591, Change the ignored json.Marshal
error to be handled: call json.Marshal(nestedSecret) into (secretBytes, err),
check err and fail the test on error (e.g., t.Fatalf or require.NoError) before
converting secretBytes to string for secretValue; update the code around
nestedSecret/secretValue to use the new err variable so marshaling failures are
surfaced.

Comment on lines 16 to 19
# Colors
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

⚠️ Potential issue | 🟡 Minor

Remove unused YELLOW variable.

The YELLOW color variable is defined but never used in the script. Based on static analysis hint.

🔧 Proposed fix
 # Colors
 GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
 NC='\033[0m'
🧰 Tools
🪛 Shellcheck (0.11.0)

[warning] 18-18: YELLOW appears unused. Verify use (or export if used externally).

(SC2034)

🤖 Prompt for AI Agents
In `@test/e2e/scripts/run-tests.sh` around lines 16 - 19, Remove the unused YELLOW
variable definition from the script: delete the line defining
YELLOW='\033[1;33m' (the YELLOW symbol), and verify there are no remaining
references to YELLOW elsewhere in the file (if any exist, replace them with an
appropriate existing color like GREEN or NC); keep the other color variables
(GREEN, NC) intact.

@emmajiafan
Author

/retest

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@test/e2e/README.md`:
- Around line 447-449: Update the example to use the correct AWS region to match
the test implementation: change the hardcoded region string "us-east-2" to
"ap-south-1" in both the utils.DeleteAWSSecret and utils.CreateAWSSecret calls
(the calls with identifiers secretName, utils.DeleteAWSSecret and
utils.CreateAWSSecret) so the example and test use the same region.

In `@test/e2e/scripts/README.md`:
- Line 172: Replace the bare URL in the README line "Install kubectl:
https://kubernetes.io/docs/tasks/tools/" with a proper markdown link or wrap it
in angle brackets to satisfy MD034; for example, change it to "Install kubectl:
<https://kubernetes.io/docs/tasks/tools/>" or "Install kubectl: [Kubernetes
install kubectl](https://kubernetes.io/docs/tasks/tools/)". Ensure the edited
line is the one containing the text "Install kubectl:
https://kubernetes.io/docs/tasks/tools/" so markdownlint MD034 is resolved.

In `@test/e2e/scripts/verify-setup.sh`:
- Around line 61-68: The pod count logic in the verify-setup.sh snippet
(variable OPERATOR_PODS) currently counts all pods regardless of status; change
the kubectl pipeline to count only pods in the "Running" state (e.g., filter the
kubectl get pods output for "Running" before wc -l) and ensure the subsequent
detailed listing (the kubectl get pods ... | grep -E "Running|NAME") matches
that same filter so the echoed "Running" message and count reflect only Running
pods; update references to OPERATOR_PODS and the two kubectl get pods commands
accordingly.
♻️ Duplicate comments (4)
test/e2e/e2e_test.go (1)

590-591: Handle json.Marshal error instead of ignoring it.

The error from json.Marshal is being discarded. While unlikely to fail for this simple map, explicitly handling the error makes the test more robust and follows best practices.

🔧 Proposed fix
-			secretBytes, _ := json.Marshal(nestedSecret)
-			secretValue := string(secretBytes)
+			secretBytes, err := json.Marshal(nestedSecret)
+			Expect(err).NotTo(HaveOccurred(), "failed to marshal nested secret")
+			secretValue := string(secretBytes)
test/e2e/scripts/run-tests.sh (2)

16-19: Remove unused YELLOW variable.

The YELLOW color variable is defined but never used in the script. Based on static analysis.

🔧 Proposed fix
 # Colors
 GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
 NC='\033[0m'

35-39: Potential false failure due to grep exit code.

When $VERBOSE is not set, the script pipes output through grep. If grep finds no matching lines, it exits with code 1, causing return 1 even if the tests passed. This could incorrectly report failures.

🔧 Proposed fix
     if [ "$VERBOSE" = "-v" ] || [ "$VERBOSE" = "--verbose" ]; then
         make test-e2e E2E_GINKGO_LABEL_FILTER="$label" || return 1
     else
-        make test-e2e E2E_GINKGO_LABEL_FILTER="$label" 2>&1 | grep -E "Ran|PASS|FAIL|SUCCESS|•" || return 1
+        local exit_code
+        set +e
+        make test-e2e E2E_GINKGO_LABEL_FILTER="$label" 2>&1 | grep -E "Ran|PASS|FAIL|SUCCESS|•"
+        exit_code=${PIPESTATUS[0]}
+        set -e
+        return $exit_code
     fi
test/e2e/README.md (1)

402-406: Inconsistent region documentation.

Line 405 states the default region is us-east-2, but the test code uses ap-south-1 (as defined by awsSecretRegionName constant). Please align the documentation with the actual implementation.

📝 Suggested fix
 ### AWS Region Issues
 **Error**: Tests fail with "region not found" or similar AWS errors

-**Solution**: Verify the AWS region in your SecretStore/ClusterSecretStore configuration matches your AWS setup. Default region is `us-east-2`.
+**Solution**: Verify the AWS region in your SecretStore/ClusterSecretStore configuration matches your AWS setup. Default region is `ap-south-1`.
🧹 Nitpick comments (3)
test/e2e/testdata/aws_invalid_secret_store.yaml (1)

11-13: Consider parameterizing the region for consistency.

Align this manifest with the rest of the AWS test data by using the region placeholder so tests respect the configured AWS region.

♻️ Suggested change
-      region: ap-south-1
+      region: ${AWS_REGION}
test/utils/conditions.go (1)

149-203: Consider extracting AWS session creation to reduce duplication.

CreateAWSSecret, UpdateAWSSecret, and DeleteAWSSecret all duplicate the same session creation logic (fetch creds, create session). Extracting this to a helper function would improve maintainability.

♻️ Suggested refactor
func newAWSSecretsManagerClient(ctx context.Context, k8sClient *kubernetes.Clientset, region string) (*secretsmanager.SecretsManager, error) {
	id, key, err := fetchAWSCreds(ctx, k8sClient)
	if err != nil {
		return nil, err
	}

	sess, err := session.NewSession(&aws.Config{
		Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
			AccessKeyID:     id,
			SecretAccessKey: key,
		}}),
		Region: aws.String(region),
	})
	if err != nil {
		return nil, fmt.Errorf("failed to create AWS session: %w", err)
	}

	return secretsmanager.New(sess), nil
}

func CreateAWSSecret(ctx context.Context, k8sClient *kubernetes.Clientset, secretName, secretValue, region string) error {
	svc, err := newAWSSecretsManagerClient(ctx, k8sClient, region)
	if err != nil {
		return err
	}

	_, err = svc.CreateSecret(&secretsmanager.CreateSecretInput{
		Name:         aws.String(secretName),
		SecretString: aws.String(secretValue),
	})
	if err != nil {
		return fmt.Errorf("failed to create AWS secret: %w", err)
	}
	return nil
}
test/e2e/scripts/verify-setup.sh (1)

36-36: --short flag is deprecated and removed in kubectl v1.30+.

This will produce deprecation warnings or fail silently on newer kubectl versions. Consider using the JSON output format instead.

Suggested fix
-    kubectl version --short 2>/dev/null | grep "Server Version" || true
+    kubectl version -o json 2>/dev/null | jq -r '"Server Version: " + .serverVersion.gitVersion' || true
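Review bot: the replacement adds a hard dependency on `jq`, which verify-setup.sh does not check for alongside kubectl, so on a host without it the line now fails silently behind `|| true`; dropping `--short` and keeping the grep (`kubectl version 2>/dev/null | grep "Server Version" || true`) prints the same line on both old and new kubectl releases without requiring a new tool.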

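The two run-tests.sh comments above describe the exit-status problem with `make test-e2e ... | grep ... || return 1`. The following is an added example, not code from this PR or the operator repository: it reproduces the failure mode with constructed stand-in commands in place of `make test-e2e`, and shows a fix that records the command's own status before filtering its output. It also shows the opposite defect, a failing run whose summary contains `FAIL` being reported as success because grep matched. The capture-to-variable approach is portable to POSIX sh, whereas the fix proposed above relies on bash's `PIPESTATUS`.

```shell
#!/bin/sh
# Added example, not code from the PR: demonstrates the exit-status problem
# the review raises for run-tests.sh. Stand-in commands replace `make test-e2e`
# so it runs offline; the summary pattern is the one run-tests.sh greps for.

SUMMARY_PATTERN='Ran|PASS|FAIL|SUCCESS|•'

# Constructed stand-in for a run that passes but prints no summary line.
passing_quiet_run() {
    printf 'compiling test binary\nall good\n'
    return 0
}

# Constructed stand-in for a run that fails and prints a ginkgo-style summary.
failing_run() {
    printf 'Ran 8 of 8 Specs\nFAIL! -- 7 Passed | 1 Failed\n'
    return 3
}

# Shape used by run-tests.sh: the pipeline's status is grep's status, so
# "no matching line" (grep exits 1) is reported as a test failure, while a
# failing run whose summary contains FAIL makes grep succeed and hides the failure.
run_filtered_buggy() {
    "$1" 2>&1 | grep -E "$SUMMARY_PATTERN" || return 1
}

# Fix: record the command's own status before filtering its output.
# Portable to POSIX sh, unlike bash's PIPESTATUS; `|| true` keeps grep's
# "no match" status from mattering under `set -e`.
run_filtered_fixed() {
    output=$("$1" 2>&1)
    status=$?
    printf '%s\n' "$output" | grep -E "$SUMMARY_PATTERN" || true
    return "$status"
}

# Demonstration when run directly.
if run_filtered_buggy passing_quiet_run >/dev/null; then
    echo "buggy: passing run reported as success"
else
    echo "buggy: passing run reported as FAILURE"
fi
if run_filtered_fixed failing_run >/dev/null; then
    echo "fixed: failing run reported as success"
else
    echo "fixed: failing run reported as failure"
fi
```

Run directly, the script prints one line per case; the buggy wrapper reports a failure for the quiet passing run, and the fixed wrapper preserves the non-zero status of the failing run.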
Comment on lines 447 to 449
defer utils.DeleteAWSSecret(ctx, "us-east-2", secretName)

err := utils.CreateAWSSecret(ctx, "us-east-2", secretName, `{"key":"value"}`)

⚠️ Potential issue | 🟡 Minor

Example uses incorrect region.

The example code uses us-east-2 but should use ap-south-1 to match the actual test implementation.

📝 Suggested fix
     // Create AWS secret
     secretName := fmt.Sprintf("eso-e2e-%s", utils.GetRandomString(8))
-    defer utils.DeleteAWSSecret(ctx, "us-east-2", secretName)
+    defer utils.DeleteAWSSecret(ctx, "ap-south-1", secretName)

-    err := utils.CreateAWSSecret(ctx, "us-east-2", secretName, `{"key":"value"}`)
+    err := utils.CreateAWSSecret(ctx, "ap-south-1", secretName, `{"key":"value"}`)
🤖 Prompt for AI Agents
In `@test/e2e/README.md` around lines 447 - 449, Update the example to use the
correct AWS region to match the test implementation: change the hardcoded region
string "us-east-2" to "ap-south-1" in both the utils.DeleteAWSSecret and
utils.CreateAWSSecret calls (the calls with identifiers secretName,
utils.DeleteAWSSecret and utils.CreateAWSSecret) so the example and test use the
same region.

## Troubleshooting

### kubectl not found
Install kubectl: https://kubernetes.io/docs/tasks/tools/

⚠️ Potential issue | 🟡 Minor

Fix markdownlint MD034 (bare URL).

Wrap the URL in angle brackets or a markdown link to avoid lint failures.

🛠️ Suggested fix
-Install kubectl: https://kubernetes.io/docs/tasks/tools/
+Install kubectl: <https://kubernetes.io/docs/tasks/tools/>
🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

172-172: Bare URL used

(MD034, no-bare-urls)

🤖 Prompt for AI Agents
In `@test/e2e/scripts/README.md` at line 172, Replace the bare URL in the README
line "Install kubectl: https://kubernetes.io/docs/tasks/tools/" with a proper
markdown link or wrap it in angle brackets to satisfy MD034; for example, change
it to "Install kubectl: <https://kubernetes.io/docs/tasks/tools/>" or "Install
kubectl: [Kubernetes install kubectl](https://kubernetes.io/docs/tasks/tools/)".
Ensure the edited line is the one containing the text "Install kubectl:
https://kubernetes.io/docs/tasks/tools/" so markdownlint MD034 is resolved.

Comment on lines 61 to 68
OPERATOR_PODS=$(kubectl get pods -n external-secrets-operator 2>/dev/null | grep -v NAME | wc -l | tr -d ' ')
if [ "$OPERATOR_PODS" -gt 0 ]; then
echo -e "${GREEN}✓ Running ($OPERATOR_PODS pods)${NC}"
kubectl get pods -n external-secrets-operator 2>/dev/null | grep -E "Running|NAME" || true
else
echo -e "${RED}✗ No pods found${NC}"
READY=false
fi

⚠️ Potential issue | 🟡 Minor

Pod count includes non-running pods but reports them as "Running".

The count at line 61 includes all pods regardless of status, but the output claims they are "Running". Pods in CrashLoopBackOff, Pending, or Error states would be counted and reported as running, potentially masking deployment issues.

Suggested fix
-OPERATOR_PODS=$(kubectl get pods -n external-secrets-operator 2>/dev/null | grep -v NAME | wc -l | tr -d ' ')
-if [ "$OPERATOR_PODS" -gt 0 ]; then
-    echo -e "${GREEN}✓ Running ($OPERATOR_PODS pods)${NC}"
+OPERATOR_RUNNING=$(kubectl get pods -n external-secrets-operator --field-selector=status.phase=Running 2>/dev/null | grep -v NAME | wc -l | tr -d ' ')
+OPERATOR_TOTAL=$(kubectl get pods -n external-secrets-operator 2>/dev/null | grep -v NAME | wc -l | tr -d ' ')
+if [ "$OPERATOR_RUNNING" -gt 0 ]; then
+    echo -e "${GREEN}✓ Running ($OPERATOR_RUNNING/$OPERATOR_TOTAL pods)${NC}"
     kubectl get pods -n external-secrets-operator 2>/dev/null | grep -E "Running|NAME" || true
+elif [ "$OPERATOR_TOTAL" -gt 0 ]; then
+    echo -e "${RED}✗ Pods exist but none running ($OPERATOR_TOTAL pods)${NC}"
+    kubectl get pods -n external-secrets-operator 2>/dev/null || true
+    READY=false
 else
     echo -e "${RED}✗ No pods found${NC}"
     READY=false
 fi
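Review bot: `--field-selector=status.phase=Running` does not fully address the concern raised in the comment: a pod whose container is in CrashLoopBackOff keeps phase Running while kubelet restarts it, so it is still counted as running here. Checking the Ready condition is stricter, e.g. `kubectl wait --for=condition=Ready pod --all -n external-secrets-operator --timeout=60s`, or comparing the READY column's x/y values in the listing.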
🤖 Prompt for AI Agents
In `@test/e2e/scripts/verify-setup.sh` around lines 61 - 68, The pod count logic
in the verify-setup.sh snippet (variable OPERATOR_PODS) currently counts all
pods regardless of status; change the kubectl pipeline to count only pods in the
"Running" state (e.g., filter the kubectl get pods output for "Running" before
wc -l) and ensure the subsequent detailed listing (the kubectl get pods ... |
grep -E "Running|NAME") matches that same filter so the echoed "Running" message
and count reflect only Running pods; update references to OPERATOR_PODS and the
two kubectl get pods commands accordingly.
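As an added example (not code from this PR or the operator repository), the check described above written as functions over a constructed `kubectl get pods` table, so it runs offline: it separates total, Running and fully ready pods, and treats a Running pod with an unready container (the CrashLoopBackOff case) as not healthy. The pod names in the sample table are placeholders.

```shell
#!/bin/sh
# Added example, not code from the PR: counts operator pods by their STATUS
# and READY columns from `kubectl get pods` output, so Pending or
# CrashLoopBackOff pods are not reported as "Running". The table below is
# constructed sample output; pod names are placeholders.

SAMPLE_PODS='NAME                                          READY   STATUS             RESTARTS   AGE
external-secrets-operator-controller-manager-0   1/1     Running            0          5m
external-secrets-operator-webhook-0              0/1     CrashLoopBackOff   4          5m
external-secrets-operator-cert-controller-0      0/1     Pending            0          5m'

# Every non-empty row after the header.
count_pods_total() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Rows whose STATUS column is exactly Running.
count_pods_running() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 == "Running" { n++ } END { print n + 0 }'
}

# Running rows whose READY column shows every container ready (x/x, x > 0).
# A pod keeps phase Running while a container is in CrashLoopBackOff, so
# STATUS alone is not enough to call the operator healthy.
count_pods_ready() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 == "Running" {
        split($2, r, "/")
        if (r[1] == r[2] && r[1] + 0 > 0) n++
    } END { print n + 0 }'
}

# Verdict in the shape verify-setup.sh wants: success only when at least one
# pod exists and every pod is Running and fully ready.
operator_ready() {
    total=$(count_pods_total "$1")
    ready=$(count_pods_ready "$1")
    echo "ready $ready / total $total"
    [ "$ready" -gt 0 ] && [ "$ready" -eq "$total" ]
}

# Demonstration when run directly: the sample has one healthy pod out of three.
if operator_ready "$SAMPLE_PODS"; then
    echo "operator pods healthy"
else
    echo "operator pods NOT healthy"
fi
```

In a script this would be fed `kubectl get pods -n external-secrets-operator 2>/dev/null` instead of the sample; the verdict function can replace the `OPERATOR_PODS -gt 0` test so that the "Running" message is only printed when it is true.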

@emmajiafan
Author

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 27, 2026
@emmajiafan
Author

/lgtm
/approved
/label qe-approved
/label doc-approved
/label px-approved

@openshift-ci

openshift-ci bot commented Jan 27, 2026

@emmajiafan: you cannot LGTM your own PR.


In response to this:

/lgtm
/approved
/label qe-approved
/label doc-approved
/label px-approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci bot added qe-approved Signifies that QE has signed off on this PR px-approved Signifies that Product Support has signed off on this PR labels Jan 27, 2026
@openshift-ci

openshift-ci bot commented Jan 27, 2026

@emmajiafan: The label(s) /label doc-approved cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, ux-approved, no-qe, downstream-change-needed, rebase/manual, cluster-config-api-changed, run-integration-tests, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, ok-to-test, stability-fix-approved, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?


In response to this:

/lgtm
/approved
/label qe-approved
/label doc-approved
/label px-approved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@emmajiafan
Author

/label docs-approved

@openshift-ci openshift-ci bot added the docs-approved Signifies that Docs has signed off on this PR label Jan 27, 2026
Member

@lunarwhite lunarwhite Jan 27, 2026

I'm not against having a README for the e2e tests, but could we avoid committing AI-generated intermediate "reports" or "summary", since they would become outdated frequently and would only increase the maintenance burden. :)

Member

Could we remove the scripts folder from this PR, since these AI-generated "script docs" look pretty random and redundant. If we really want to add some handy scripts, we should revise them to not introduce much noise.

remove the ssm related

update the region

update the vendor

remove the AI-generated scripts
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@test/utils/conditions.go`:
- Around line 149-203: Both CreateAWSSecret and UpdateAWSSecret accept a ctx but
call the blocking SDK methods; update each to use the context-aware variants by
replacing svc.CreateSecret(...) with svc.CreateSecretWithContext(ctx, ...) in
CreateAWSSecret and svc.UpdateSecret(...) with svc.UpdateSecretWithContext(ctx,
...) in UpdateAWSSecret so cancellations/timeouts propagate; keep the same
inputs/outputs and error wrapping around the calls.
🧹 Nitpick comments (1)
test/e2e/e2e_test.go (1)

21-28: Allow AWS region to be overridden for test portability.

Hard-coding a region can make these tests brittle across environments. Consider an env override with a default.

♻️ Suggested refactor
 import (
 	"context"
 	"embed"
 	"encoding/base64"
 	"encoding/json"
+	"os"
 	"fmt"
 	"testing"
 	"time"
@@
-	awsSecretRegionName      = "ap-south-1"
 )
+
+var awsSecretRegionName = func() string {
+	if v := os.Getenv("AWS_REGION"); v != "" {
+		return v
+	}
+	return "ap-south-1"
+}()
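Review bot: the import block in this hunk places `"os"` between `"encoding/json"` and `"fmt"`, which breaks the sorted order gofmt enforces within an import group; move it after `"fmt"`. Since the region is now resolved at package init from the environment, log the resolved value when the suite starts so a run that silently picks up an unexpected `AWS_REGION` is visible in the test output.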

Also applies to: 62-70

Comment on lines +149 to +203
func CreateAWSSecret(ctx context.Context, k8sClient *kubernetes.Clientset, secretName, secretValue, region string) error {
id, key, err := fetchAWSCreds(ctx, k8sClient)
if err != nil {
return err
}

sess, err := session.NewSession(&aws.Config{
Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
AccessKeyID: id,
SecretAccessKey: key,
}}),
Region: aws.String(region),
})
if err != nil {
return fmt.Errorf("failed to create AWS session: %w", err)
}

svc := secretsmanager.New(sess)
_, err = svc.CreateSecret(&secretsmanager.CreateSecretInput{
Name: aws.String(secretName),
SecretString: aws.String(secretValue),
})
if err != nil {
return fmt.Errorf("failed to create AWS secret: %w", err)
}
return nil
}

func UpdateAWSSecret(ctx context.Context, k8sClient *kubernetes.Clientset, secretName, secretValue, region string) error {
id, key, err := fetchAWSCreds(ctx, k8sClient)
if err != nil {
return err
}

sess, err := session.NewSession(&aws.Config{
Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
AccessKeyID: id,
SecretAccessKey: key,
}}),
Region: aws.String(region),
})
if err != nil {
return fmt.Errorf("failed to create AWS session: %w", err)
}

svc := secretsmanager.New(sess)
_, err = svc.UpdateSecret(&secretsmanager.UpdateSecretInput{
SecretId: aws.String(secretName),
SecretString: aws.String(secretValue),
})
if err != nil {
return fmt.Errorf("failed to update AWS secret: %w", err)
}
return nil
}
@coderabbitai coderabbitai bot Jan 28, 2026

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -path "*/test/utils/conditions.go" -type f

Repository: openshift/external-secrets-operator

Length of output: 105


🏁 Script executed:

# If file exists, check its contents around lines 149-203
if [ -f "test/utils/conditions.go" ]; then
  wc -l test/utils/conditions.go
  echo "---"
  sed -n '140,210p' test/utils/conditions.go
fi

Repository: openshift/external-secrets-operator

Length of output: 2146


🌐 Web query:

AWS SDK Go secretsmanager CreateSecretWithContext UpdateSecretWithContext methods

💡 Result:

In AWS SDK for Go v1 (github.com/aws/aws-sdk-go/service/secretsmanager), the WithContext variants are the same API calls as CreateSecret / UpdateSecret, but let you pass a non-nil context for cancellation/timeouts plus optional request options:

  • func (c *SecretsManager) CreateSecretWithContext(ctx aws.Context, input *CreateSecretInput, opts ...request.Option) (*CreateSecretOutput, error) (docs.aws.amazon.com)
  • func (c *SecretsManager) UpdateSecretWithContext(ctx aws.Context, input *UpdateSecretInput, opts ...request.Option) (*UpdateSecretOutput, error) (docs.aws.amazon.com)

Example (v1):

sess := session.Must(session.NewSession())
sm := secretsmanager.New(sess)

ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()

_, err := sm.CreateSecretWithContext(ctx, &secretsmanager.CreateSecretInput{
    Name:         aws.String("my-secret"),
    SecretString: aws.String(`{"user":"u","pass":"p"}`),
})

_, err = sm.UpdateSecretWithContext(ctx, &secretsmanager.UpdateSecretInput{
    SecretId:     aws.String("my-secret"),
    SecretString: aws.String(`{"user":"u","pass":"p2"}`),
})

In AWS SDK for Go v2 (github.com/aws/aws-sdk-go-v2/service/secretsmanager), the context is already part of the standard method signature (no WithContext suffix):

  • func (c *Client) CreateSecret(ctx context.Context, params *CreateSecretInput, optFns ...func(*Options)) (*CreateSecretOutput, error) (pkg.go.dev)
  • func (c *Client) UpdateSecret(ctx context.Context, params *UpdateSecretInput, optFns ...func(*Options)) (*UpdateSecretOutput, error) (pkg.go.dev)



Use context-aware AWS SDK calls to avoid hanging tests.

ctx is accepted by both CreateAWSSecret and UpdateAWSSecret but ignored in the AWS SDK calls. This prevents test timeouts and cancellations from propagating, risking hung tests on network stalls. Use the WithContext variants to respect the provided context.

🛠️ Suggested changes
-	_, err = svc.CreateSecret(&secretsmanager.CreateSecretInput{
+	_, err = svc.CreateSecretWithContext(ctx, &secretsmanager.CreateSecretInput{
 		Name:         aws.String(secretName),
 		SecretString: aws.String(secretValue),
 	})
-	_, err = svc.UpdateSecret(&secretsmanager.UpdateSecretInput{
+	_, err = svc.UpdateSecretWithContext(ctx, &secretsmanager.UpdateSecretInput{
 		SecretId:     aws.String(secretName),
 		SecretString: aws.String(secretValue),
 	})
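Review bot: the two `-`/`+` pairs belong to different functions (the CreateSecret call in CreateAWSSecret, the UpdateSecret call in UpdateAWSSecret) but are shown as a single hunk with no separating header, so apply each pair inside its own function and leave the `if err != nil` wrapping that follows each call unchanged. Passing ctx here bounds only the Secrets Manager request; session.NewSession takes no context, and fetchAWSCreds already receives ctx, so with this change every network-facing step of the helper honours the caller's deadline.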
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
-func CreateAWSSecret(ctx context.Context, k8sClient *kubernetes.Clientset, secretName, secretValue, region string) error {
-	id, key, err := fetchAWSCreds(ctx, k8sClient)
-	if err != nil {
-		return err
-	}
-	sess, err := session.NewSession(&aws.Config{
-		Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
-			AccessKeyID:     id,
-			SecretAccessKey: key,
-		}}),
-		Region: aws.String(region),
-	})
-	if err != nil {
-		return fmt.Errorf("failed to create AWS session: %w", err)
-	}
-	svc := secretsmanager.New(sess)
-	_, err = svc.CreateSecret(&secretsmanager.CreateSecretInput{
-		Name:         aws.String(secretName),
-		SecretString: aws.String(secretValue),
-	})
-	if err != nil {
-		return fmt.Errorf("failed to create AWS secret: %w", err)
-	}
-	return nil
-}
-func UpdateAWSSecret(ctx context.Context, k8sClient *kubernetes.Clientset, secretName, secretValue, region string) error {
-	id, key, err := fetchAWSCreds(ctx, k8sClient)
-	if err != nil {
-		return err
-	}
-	sess, err := session.NewSession(&aws.Config{
-		Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
-			AccessKeyID:     id,
-			SecretAccessKey: key,
-		}}),
-		Region: aws.String(region),
-	})
-	if err != nil {
-		return fmt.Errorf("failed to create AWS session: %w", err)
-	}
-	svc := secretsmanager.New(sess)
-	_, err = svc.UpdateSecret(&secretsmanager.UpdateSecretInput{
-		SecretId:     aws.String(secretName),
-		SecretString: aws.String(secretValue),
-	})
-	if err != nil {
-		return fmt.Errorf("failed to update AWS secret: %w", err)
-	}
-	return nil
-}
+func CreateAWSSecret(ctx context.Context, k8sClient *kubernetes.Clientset, secretName, secretValue, region string) error {
+	id, key, err := fetchAWSCreds(ctx, k8sClient)
+	if err != nil {
+		return err
+	}
+	sess, err := session.NewSession(&aws.Config{
+		Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
+			AccessKeyID:     id,
+			SecretAccessKey: key,
+		}}),
+		Region: aws.String(region),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create AWS session: %w", err)
+	}
+	svc := secretsmanager.New(sess)
+	_, err = svc.CreateSecretWithContext(ctx, &secretsmanager.CreateSecretInput{
+		Name:         aws.String(secretName),
+		SecretString: aws.String(secretValue),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create AWS secret: %w", err)
+	}
+	return nil
+}
+func UpdateAWSSecret(ctx context.Context, k8sClient *kubernetes.Clientset, secretName, secretValue, region string) error {
+	id, key, err := fetchAWSCreds(ctx, k8sClient)
+	if err != nil {
+		return err
+	}
+	sess, err := session.NewSession(&aws.Config{
+		Credentials: awscred.NewCredentials(&awscred.StaticProvider{Value: awscred.Value{
+			AccessKeyID:     id,
+			SecretAccessKey: key,
+		}}),
+		Region: aws.String(region),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create AWS session: %w", err)
+	}
+	svc := secretsmanager.New(sess)
+	_, err = svc.UpdateSecretWithContext(ctx, &secretsmanager.UpdateSecretInput{
+		SecretId:     aws.String(secretName),
+		SecretString: aws.String(secretValue),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to update AWS secret: %w", err)
+	}
+	return nil
+}
🤖 Prompt for AI Agents
In `@test/utils/conditions.go` around lines 149 - 203, Both CreateAWSSecret and
UpdateAWSSecret accept a ctx but call the blocking SDK methods; update each to
use the context-aware variants by replacing svc.CreateSecret(...) with
svc.CreateSecretWithContext(ctx, ...) in CreateAWSSecret and
svc.UpdateSecret(...) with svc.UpdateSecretWithContext(ctx, ...) in
UpdateAWSSecret so cancellations/timeouts propagate; keep the same
inputs/outputs and error wrapping around the calls.

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

@openshift-ci

openshift-ci bot commented Jan 28, 2026

@emmajiafan: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@emmajiafan emmajiafan changed the title add the eso aws test cases NO-JIRA: add the eso aws test cases Jan 28, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jan 28, 2026
@openshift-ci-robot

@emmajiafan: This pull request explicitly references no jira issue.

In response to this:


Test Coverage Summary

| Category | Test Count | What's Covered |
| --- | --- | --- |
| Basic Operations | 2 | Namespace-scoped stores, binary data |
| Advanced Features | 4 | Secret rotation, templates, dataFrom, JSON paths |
| AWS Parameter Store | 1 | SSM integration |
| Original Test | 1 | Complete workflow (ClusterSecretStore + PushSecret + ExternalSecret) |
| Total | 8 tests | Comprehensive AWS coverage |

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@bharath-b-rh bharath-b-rh left a comment

Few nits, otherwise LGTM.
@mytreya-rh had brought this up in another PR. We are adding a CR manifest for every scenario, which adds to the maintenance burden; instead we should make use of the Go API definitions for the same, and derive the required manifests.

}

svc := secretsmanager.New(sess)
_, err = svc.CreateSecret(&secretsmanager.CreateSecretInput{
Suggested change
_, err = svc.CreateSecret(&secretsmanager.CreateSecretInput{
_, err = svc.CreateSecretWithContext(ctx, &secretsmanager.CreateSecretInput{

}

svc := secretsmanager.New(sess)
_, err = svc.UpdateSecret(&secretsmanager.UpdateSecretInput{
Suggested change
_, err = svc.UpdateSecret(&secretsmanager.UpdateSecretInput{
_, err = svc.UpdateSecretWithContext(ctx, &secretsmanager.UpdateSecretInput{

Labels

  • docs-approved: Signifies that Docs has signed off on this PR
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • px-approved: Signifies that Product Support has signed off on this PR
  • qe-approved: Signifies that QE has signed off on this PR
