CM-1039: Thread context.Context from Reconcile() through controller helpers

[sebrandon1]

Summary

• Removes the stored ctx context.Context field from both istiocsr and trustmanager Reconciler structs
• Threads context from Reconcile(ctx context.Context, ...) through every helper method call chain (37 files, ~90 call sites)
• Tests pass context.Background() explicitly (semantically correct for test entrypoints)

Motivation

Both controllers stored a context.Context initialized once to context.Background() in New(). The Reconcile() method receives a proper request-scoped context from controller-runtime, but all helper methods used the stale struct field. This defeats cancellation and deadline propagation from the framework.

This supersedes #242, which attempted to standardize context usage by replacing context.Background() with context.TODO() everywhere — semantically backwards since context.TODO() signals "placeholder, haven't decided yet" while context.Background() is correct for top-level contexts.

Test plan

• go test ./pkg/controller/istiocsr/... passes
• go test ./pkg/controller/trustmanager/... passes
• go build ./... succeeds
• make lint shows only pre-existing issues (none introduced)
• No remaining r.ctx references in either package

Summary by CodeRabbit

• Refactor
  • Reconciler now propagates request contexts across controllers, improving cancellation, timeouts and tracing.
  • Context-awareness added to reconciliation for deployments, services, RBAC, service accounts, network policies, certificates, config maps and webhooks.
  • Status update and multi-instance checks now use request-scoped context for more reliable updates and error handling.

[openshift-ci-robot]

@sebrandon1: This pull request references CM-1039 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Removes the stored ctx context.Context field from both istiocsr and trustmanager Reconciler structs
• Threads context from Reconcile(ctx context.Context, ...) through every helper method call chain (37 files, ~90 call sites)
• Tests pass context.Background() explicitly (semantically correct for test entrypoints)

Motivation

Both controllers stored a context.Context initialized once to context.Background() in New(). The Reconcile() method receives a proper request-scoped context from controller-runtime, but all helper methods used the stale struct field. This defeats cancellation and deadline propagation from the framework.

This supersedes #242, which attempted to standardize context usage by replacing context.Background() with context.TODO() everywhere — semantically backwards since context.TODO() signals "placeholder, haven't decided yet" while context.Background() is correct for top-level contexts.

Test plan

• go test ./pkg/controller/istiocsr/... passes
• go test ./pkg/controller/trustmanager/... passes
• go build ./... succeeds
• make lint shows only pre-existing issues (none introduced)
• No remaining r.ctx references in either package

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Propagates Go contexts through IstioCSR and TrustManager controllers: removes stored reconciler context, adds ctx context.Context parameters to reconcile entrypoints, orchestration helpers, resource reconcilers, and utility/status functions, and updates all Kubernetes client calls to use the passed context.

Changes

Context propagation through controller reconciliation

Layer / File(s)	Summary
Reconciler shape & constructors pkg/controller/istiocsr/controller.go, pkg/controller/trustmanager/controller.go, pkg/controller/*/test_utils.go	Removed ctx context.Context field from Reconciler types and stopped initializing a stored context in constructors and test helpers.
Reconcile entry & orchestration pkg/controller/istiocsr/controller.go, pkg/controller/trustmanager/controller.go, pkg/controller/istiocsr/install_istiocsr.go, pkg/controller/trustmanager/install_trustmanager.go	Reconcile now delegates to processReconcileRequest(ctx, ...); top-level deployment reconcile methods accept ctx and thread it through the orchestration of createOrApply* calls and status updates.
Resource reconciliation helpers pkg/controller/istiocsr/{certificates,deployments,networkpolicies,rbacs,serviceaccounts,services}.go, pkg/controller/trustmanager/{certificates,configmaps,deployments,rbacs,serviceaccounts,services,webhooks}.go	Updated signatures of createOrApply*, get*, handle*, and related helpers to accept ctx context.Context; replaced uses of r.ctx with passed ctx for Exists, Get, Patch, Create, UpdateWithRetry, List, and Delete calls.
Utilities, status & multi-instance checks pkg/controller/istiocsr/utils.go, pkg/controller/trustmanager/utils.go	Added/updated updateCondition(ctx, ...), namespaceExists(ctx, ...), and disallowMultipleIstioCSRInstances(ctx, ...) to use ctx for List/Get/Update operations and condition/status updates.
Tests pkg/controller/istiocsr/*_test.go, pkg/controller/trustmanager/*_test.go	All test call sites updated to pass a context.Context (typically context.Background()) as the first argument to context-aware functions; test logic and assertions otherwise unchanged.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

lgtm, approved

Suggested reviewers

• swghosh

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 10.34% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'CM-1039: Thread context.Context from Reconcile() through controller helpers' accurately and specifically describes the main change: propagating request-scoped context through helper methods across istiocsr and trustmanager packages.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All 287 test cases across 17 modified test files use stable, deterministic names with no dynamic content, timestamps, UUIDs, or generated suffixes.
Test Structure And Quality	✅ Passed	Tests follow good patterns: table-driven structure, single-responsibility cases, clear assertions with context messages, proper mock setup. Context propagation correctly added throughout.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added. All changes are to reconciler code and unit tests in pkg/controller/. The check applies only when e2e tests are introduced.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests added. PR only refactors existing controller code to thread context.Context and updates unit test call sites. Not applicable to SNO check.
Topology-Aware Scheduling Compatibility	✅ Passed	PR is a context propagation refactoring with no new scheduling constraints. Deployments use topology-agnostic defaults (replicas: 1, OS-only nodeSelector, no affinity/tolerations).
Ote Binary Stdout Contract	✅ Passed	PR refactors context propagation only. No new stdout writes or logging detected. All logging uses r.log (logr), not stdout. No OTE Binary Stdout Contract violations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR does not add new Ginkgo e2e tests. Modified files are controller implementation and unit tests using Go testing framework, not e2e tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign swghosh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/controller/istiocsr/utils.go (1)

481-486: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Preserve the original reconciliation error in the aggregate.

When updateStatus fails, this branch currently returns the raw status-update error twice and drops prependErr. That hides the actual root cause whenever both operations fail.

Proposed fix

 func (r *Reconciler) updateCondition(ctx context.Context, istiocsr *v1alpha1.IstioCSR, prependErr error) error {
 	if err := r.updateStatus(ctx, istiocsr); err != nil {
 		errUpdate := fmt.Errorf("failed to update %s/%s status: %w", istiocsr.GetNamespace(), istiocsr.GetName(), err)
 		if prependErr != nil {
-			return utilerrors.NewAggregate([]error{err, errUpdate})
+			return utilerrors.NewAggregate([]error{prependErr, errUpdate})
 		}
 		return errUpdate
 	}
 	return prependErr
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/istiocsr/utils.go` around lines 481 - 486, The updateCondition
function currently aggregates the status-update error twice and discards the
original reconciliation error (prependErr); change the aggregation so that when
updateStatus fails you return an aggregate containing the original prependErr
and the constructed errUpdate (i.e., utilerrors.NewAggregate([]error{prependErr,
errUpdate})) so the root reconciliation error is preserved; keep the existing
behavior when prependErr is nil (return errUpdate or the single status error as
before). Reference: function updateCondition, call to r.updateStatus, variable
prependErr and errUpdate.

🧹 Nitpick comments (2)

pkg/controller/istiocsr/install_instiocsr_test.go (1)

116-125: ⚡ Quick win

Assert that the reconcile context is the one reaching client calls.

This only exercises the new signature today. If reconcileIstioCSRDeployment or one of its helpers regresses to context.Background(), these tests still pass because every fake ignores ctx. Passing a sentinel context here and checking it in one mocked Get/Create/UpdateWithRetry callback would lock in the behavior this PR is meant to preserve.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/istiocsr/install_instiocsr_test.go` around lines 116 - 125,
The test must assert the actual context passed into controller client calls:
create a sentinel context (e.g., ctx := context.WithValue(context.Background(),
"sentinel", true)) in the subtest before calling r.reconcileIstioCSRDeployment,
pass that ctx into the call instead of context.Background(), and configure one
of the fake client callbacks on fakes.FakeCtrlClient (Get or Create or
UpdateWithRetry) to check that the incoming ctx equals the sentinel (or contains
the sentinel value) and fail the test if not; update testReconciler usage in the
subtest to use this ctx and reference reconcileIstioCSRDeployment,
FakeCtrlClient, and istiocsr so the assertion locks the intended behavior.

pkg/controller/trustmanager/webhooks_test.go (1)

227-242: ⚡ Quick win

Verify that the provided context is forwarded to Exists/Patch.

Right now this just compiles against the new API. A future fallback to context.Background() inside createOrApplyValidatingWebhookConfiguration would still pass. Using a sentinel context here and asserting it inside one fake client callback would make the context-threading change testable.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/trustmanager/webhooks_test.go` around lines 227 - 242, The
test should verify the context is forwarded to the client methods: create a
sentinel context (e.g., ctxSentinel := context.WithValue(context.Background(),
"sentinel", struct{}{})), call r.createOrApplyValidatingWebhookConfiguration
with that ctxSentinel instead of context.Background(), and configure the fake
client (fakes.FakeCtrlClient) inside the test (via mock.ExistsStub and/or
mock.PatchStub) to assert the incoming ctx equals ctxSentinel (fail the test if
not) before returning; update the test case that exercises
createOrApplyValidatingWebhookConfiguration to set those stubs so Exists/Patch
receive and validate the sentinel context.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@pkg/controller/istiocsr/utils.go`:
- Around line 481-486: The updateCondition function currently aggregates the
status-update error twice and discards the original reconciliation error
(prependErr); change the aggregation so that when updateStatus fails you return
an aggregate containing the original prependErr and the constructed errUpdate
(i.e., utilerrors.NewAggregate([]error{prependErr, errUpdate})) so the root
reconciliation error is preserved; keep the existing behavior when prependErr is
nil (return errUpdate or the single status error as before). Reference: function
updateCondition, call to r.updateStatus, variable prependErr and errUpdate.

---

Nitpick comments:
In `@pkg/controller/istiocsr/install_instiocsr_test.go`:
- Around line 116-125: The test must assert the actual context passed into
controller client calls: create a sentinel context (e.g., ctx :=
context.WithValue(context.Background(), "sentinel", true)) in the subtest before
calling r.reconcileIstioCSRDeployment, pass that ctx into the call instead of
context.Background(), and configure one of the fake client callbacks on
fakes.FakeCtrlClient (Get or Create or UpdateWithRetry) to check that the
incoming ctx equals the sentinel (or contains the sentinel value) and fail the
test if not; update testReconciler usage in the subtest to use this ctx and
reference reconcileIstioCSRDeployment, FakeCtrlClient, and istiocsr so the
assertion locks the intended behavior.

In `@pkg/controller/trustmanager/webhooks_test.go`:
- Around line 227-242: The test should verify the context is forwarded to the
client methods: create a sentinel context (e.g., ctxSentinel :=
context.WithValue(context.Background(), "sentinel", struct{}{})), call
r.createOrApplyValidatingWebhookConfiguration with that ctxSentinel instead of
context.Background(), and configure the fake client (fakes.FakeCtrlClient)
inside the test (via mock.ExistsStub and/or mock.PatchStub) to assert the
incoming ctx equals ctxSentinel (fail the test if not) before returning; update
the test case that exercises createOrApplyValidatingWebhookConfiguration to set
those stubs so Exists/Patch receive and validate the sentinel context.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 23714fe0-8a1a-4c99-a548-c1d17e7437d7

📥 Commits

Reviewing files that changed from the base of the PR and between a2e7514 and df73b9f.

📒 Files selected for processing (37)

• pkg/controller/istiocsr/certificates.go
• pkg/controller/istiocsr/certificates_test.go
• pkg/controller/istiocsr/controller.go
• pkg/controller/istiocsr/controller_test.go
• pkg/controller/istiocsr/deployments.go
• pkg/controller/istiocsr/deployments_test.go
• pkg/controller/istiocsr/install_instiocsr_test.go
• pkg/controller/istiocsr/install_istiocsr.go
• pkg/controller/istiocsr/networkpolicies.go
• pkg/controller/istiocsr/rbacs.go
• pkg/controller/istiocsr/rbacs_test.go
• pkg/controller/istiocsr/serviceaccounts.go
• pkg/controller/istiocsr/serviceaccounts_test.go
• pkg/controller/istiocsr/services.go
• pkg/controller/istiocsr/services_test.go
• pkg/controller/istiocsr/test_utils.go
• pkg/controller/istiocsr/utils.go
• pkg/controller/trustmanager/certificates.go
• pkg/controller/trustmanager/certificates_test.go
• pkg/controller/trustmanager/configmaps.go
• pkg/controller/trustmanager/configmaps_test.go
• pkg/controller/trustmanager/controller.go
• pkg/controller/trustmanager/controller_test.go
• pkg/controller/trustmanager/deployments.go
• pkg/controller/trustmanager/deployments_test.go
• pkg/controller/trustmanager/install_trustmanager.go
• pkg/controller/trustmanager/install_trustmanager_test.go
• pkg/controller/trustmanager/rbacs.go
• pkg/controller/trustmanager/rbacs_test.go
• pkg/controller/trustmanager/serviceaccounts.go
• pkg/controller/trustmanager/serviceaccounts_test.go
• pkg/controller/trustmanager/services.go
• pkg/controller/trustmanager/services_test.go
• pkg/controller/trustmanager/test_utils.go
• pkg/controller/trustmanager/utils.go
• pkg/controller/trustmanager/webhooks.go
• pkg/controller/trustmanager/webhooks_test.go

💤 Files with no reviewable changes (2)

• pkg/controller/trustmanager/test_utils.go
• pkg/controller/istiocsr/test_utils.go

[coderabbitai]

🧹 Nitpick comments (2)

pkg/controller/trustmanager/configmaps_test.go (1)

321-321: ⚡ Quick win

Add one explicit context-propagation assertion in this test path.

Using context.Background() updates the call site, but it still doesn’t verify that the same context reaches Get/Exists/Patch. Add a case with context.WithValue(...) and assert the fake client callbacks receive that value to lock in the PR’s core behavior.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/trustmanager/configmaps_test.go` at line 321, Add a test case
that verifies context propagation to the client callbacks by replacing the call
using context.Background() with a variant that uses a context created by
context.WithValue(...) carrying a unique key/value and asserting the fake
client's Get/Exists/Patch callbacks see that same value; specifically, update
the test that calls r.createOrApplyDefaultCAPackageConfigMap(...) to invoke it
with the new ctx and modify the fake client callbacks (used in the test harness)
to check ctx.Value(...) matches the injected value so the assertion ensures
createOrApplyDefaultCAPackageConfigMap and its internal Get/Exists/Patch calls
propagate the exact context.

pkg/controller/istiocsr/install_instiocsr_test.go (1)

124-124: ⚡ Quick win

Assert context propagation here, not just the new signature.

This still passes if reconcileIstioCSRDeployment falls back to context.Background() somewhere downstream. Pass a sentinel context and assert one of the fake client callbacks sees it.

Suggested test shape

+ type ctxKey struct{}
+ reqCtx := context.WithValue(context.Background(), ctxKey{}, "reconcile-test")
+
+ mock.CreateCalls(func(ctx context.Context, obj client.Object, option ...client.CreateOption) error {
+ 	if ctx.Value(ctxKey{}) != "reconcile-test" {
+ 		t.Fatalf("request context was not propagated")
+ 	}
+ 	return nil
+ })
+
- err := r.reconcileIstioCSRDeployment(context.Background(), istiocsr, true)
+ err := r.reconcileIstioCSRDeployment(reqCtx, istiocsr, true)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/istiocsr/install_instiocsr_test.go` at line 124, Replace the
use of context.Background() in the test call to r.reconcileIstioCSRDeployment
with a sentinel context (e.g., ctx := context.WithValue(context.Background(),
"sentinelKey", "sentinel")) and update the fake client(s) used by
reconcileIstioCSRDeployment to capture the incoming ctx in their callback(s)
(the fake Create/Update/Delete/Get hooks or whatever fake client method you
already use) and assert the captured ctx carries the sentinel value; ensure the
test calls r.reconcileIstioCSRDeployment(ctx, true) and fails if the fake client
callback sees a different or nil context so you detect any fallback to
context.Background().

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/controller/istiocsr/install_instiocsr_test.go`:
- Line 124: Replace the use of context.Background() in the test call to
r.reconcileIstioCSRDeployment with a sentinel context (e.g., ctx :=
context.WithValue(context.Background(), "sentinelKey", "sentinel")) and update
the fake client(s) used by reconcileIstioCSRDeployment to capture the incoming
ctx in their callback(s) (the fake Create/Update/Delete/Get hooks or whatever
fake client method you already use) and assert the captured ctx carries the
sentinel value; ensure the test calls r.reconcileIstioCSRDeployment(ctx, true)
and fails if the fake client callback sees a different or nil context so you
detect any fallback to context.Background().

In `@pkg/controller/trustmanager/configmaps_test.go`:
- Line 321: Add a test case that verifies context propagation to the client
callbacks by replacing the call using context.Background() with a variant that
uses a context created by context.WithValue(...) carrying a unique key/value and
asserting the fake client's Get/Exists/Patch callbacks see that same value;
specifically, update the test that calls
r.createOrApplyDefaultCAPackageConfigMap(...) to invoke it with the new ctx and
modify the fake client callbacks (used in the test harness) to check
ctx.Value(...) matches the injected value so the assertion ensures
createOrApplyDefaultCAPackageConfigMap and its internal Get/Exists/Patch calls
propagate the exact context.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 1eba83f8-e38a-4ef9-9e0e-8f29e2e077e3

📥 Commits

Reviewing files that changed from the base of the PR and between df73b9f and 0dd33b8.

📒 Files selected for processing (37)

• pkg/controller/istiocsr/certificates.go
• pkg/controller/istiocsr/certificates_test.go
• pkg/controller/istiocsr/controller.go
• pkg/controller/istiocsr/controller_test.go
• pkg/controller/istiocsr/deployments.go
• pkg/controller/istiocsr/deployments_test.go
• pkg/controller/istiocsr/install_instiocsr_test.go
• pkg/controller/istiocsr/install_istiocsr.go
• pkg/controller/istiocsr/networkpolicies.go
• pkg/controller/istiocsr/rbacs.go
• pkg/controller/istiocsr/rbacs_test.go
• pkg/controller/istiocsr/serviceaccounts.go
• pkg/controller/istiocsr/serviceaccounts_test.go
• pkg/controller/istiocsr/services.go
• pkg/controller/istiocsr/services_test.go
• pkg/controller/istiocsr/test_utils.go
• pkg/controller/istiocsr/utils.go
• pkg/controller/trustmanager/certificates.go
• pkg/controller/trustmanager/certificates_test.go
• pkg/controller/trustmanager/configmaps.go
• pkg/controller/trustmanager/configmaps_test.go
• pkg/controller/trustmanager/controller.go
• pkg/controller/trustmanager/controller_test.go
• pkg/controller/trustmanager/deployments.go
• pkg/controller/trustmanager/deployments_test.go
• pkg/controller/trustmanager/install_trustmanager.go
• pkg/controller/trustmanager/install_trustmanager_test.go
• pkg/controller/trustmanager/rbacs.go
• pkg/controller/trustmanager/rbacs_test.go
• pkg/controller/trustmanager/serviceaccounts.go
• pkg/controller/trustmanager/serviceaccounts_test.go
• pkg/controller/trustmanager/services.go
• pkg/controller/trustmanager/services_test.go
• pkg/controller/trustmanager/test_utils.go
• pkg/controller/trustmanager/utils.go
• pkg/controller/trustmanager/webhooks.go
• pkg/controller/trustmanager/webhooks_test.go

💤 Files with no reviewable changes (2)

• pkg/controller/trustmanager/test_utils.go
• pkg/controller/istiocsr/test_utils.go

✅ Files skipped from review due to trivial changes (3)

• pkg/controller/trustmanager/webhooks_test.go
• pkg/controller/istiocsr/services_test.go
• pkg/controller/trustmanager/deployments_test.go

🚧 Files skipped from review as they are similar to previous changes (21)

• pkg/controller/trustmanager/certificates_test.go
• pkg/controller/trustmanager/rbacs_test.go
• pkg/controller/istiocsr/certificates.go
• pkg/controller/trustmanager/services_test.go
• pkg/controller/trustmanager/webhooks.go
• pkg/controller/trustmanager/services.go
• pkg/controller/istiocsr/serviceaccounts.go
• pkg/controller/istiocsr/install_istiocsr.go
• pkg/controller/istiocsr/networkpolicies.go
• pkg/controller/istiocsr/controller_test.go
• pkg/controller/trustmanager/deployments.go
• pkg/controller/trustmanager/utils.go
• pkg/controller/istiocsr/utils.go
• pkg/controller/istiocsr/services.go
• pkg/controller/trustmanager/serviceaccounts.go
• pkg/controller/trustmanager/controller.go
• pkg/controller/istiocsr/controller.go
• pkg/controller/istiocsr/rbacs.go
• pkg/controller/trustmanager/certificates.go
• pkg/controller/istiocsr/certificates_test.go
• pkg/controller/trustmanager/install_trustmanager.go

[openshift-ci]

@sebrandon1: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/ci-bundle-cert-manager-operator-bundle	0dd33b8	link	true	/test ci-bundle-cert-manager-operator-bundle
ci/prow/fips-image-scan-cert-manager	0dd33b8	link	true	/test fips-image-scan-cert-manager
ci/prow/images	0dd33b8	link	true	/test images
ci/prow/e2e-operator	0dd33b8	link	true	/test e2e-operator

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.