Integration of codecov on the cert-manager-operator

[siddhibhor-56]

This PR integrates Codecov-based code coverage collection into the cert-manager-operator's OpenShift CI pipeline.

Affected Component: openshift/cert-manager-operator CI configuration (openshift-cert-manager-operator-master.yaml)

Changes Made:

The PR adds comprehensive code coverage instrumentation to the cert-manager-operator's CI workflow:

1. Coverage Image Build: Adds a new container image build that produces a cert-manager-operator-coverage image from images/ci/Dockerfile.coverage, enabling coverage-instrumented builds during CI runs.

2. E2E Test Coverage Collection: Expands the e2e-operator workflow with coverage collection capabilities:

   • Introduces a setup-coverage step that initializes the coverage environment before tests run
   • Adds a dedicated test step that runs make test-e2e with the existing E2E_GINKGO_LABEL_FILTER configuration
   • Adds a post phase that executes hack/e2e-coverage.sh collect to gather coverage data after test completion, with Codecov credentials injected from a mounted secret

3. Coverage Publishing Workflow: Introduces a new publish-e2e-coverage workflow section that:

   • Performs its own coverage collection via hack/e2e-coverage.sh collect
   • Chains coverage gathering with the standard gather step
   • Includes installation and setup phases to ensure proper environment configuration

Practical Impact: The cert-manager-operator CI pipeline now automatically collects, processes, and publishes code coverage metrics to Codecov with each e2e test run, providing improved visibility into test coverage and enabling coverage trend tracking over time without manual intervention.

[coderabbitai]

Walkthrough

This PR adds code coverage instrumentation to the cert-manager-operator CI pipeline. It introduces a coverage image build target, adds a coverage collection hook to the e2e operator job, and reorganizes the e2e coverage workflow with explicit setup, test execution, and publish phases.

Changes

E2E Coverage Instrumentation

Layer / File(s)	Summary
Coverage image artifact ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml	New image build target wires images/ci/Dockerfile.coverage to the cert-manager-operator-coverage artifact.
E2E operator coverage collection ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml	E2e job post phase runs hack/e2e-coverage.sh collect, mounts Codecov token credentials, sets resource requests and timeout, and chains to gather.
E2E coverage workflow organization ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml	E2e coverage workflow adds setup-coverage step, standalone e2e test step with ginkgo label filter, and publish-e2e-coverage section with its own coverage collection post hook and chained gather/install/setup phases.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: integrating Codecov coverage collection into the cert-manager-operator CI configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies only a CI/CD YAML configuration file, not Ginkgo test code. The custom check applies to Ginkgo test declarations (It(), Describe(), etc.) in Go test files, which are absent here.
Test Structure And Quality	✅ Passed	This PR modifies only CI operator configuration YAML files, not Ginkgo test code. The custom check is specific to reviewing Ginkgo test structure and quality, which is not applicable here.
Microshift Test Compatibility	✅ Passed	PR adds CI configuration changes for codecov integration but does not add any new Ginkgo e2e tests. The check only applies when new test code is added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR only adds CI configuration files for codecov integration. No new Ginkgo e2e tests are added. The SNO compatibility check is not applicable to infrastructure/configuration changes.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CI configuration, not deployment manifests or operator code. The custom check applies to deployment/operator artifacts, not CI infrastructure files.
Ote Binary Stdout Contract	✅ Passed	Not applicable. PR modifies CI configuration and utility tools, not OTE test binaries that communicate with openshift-tests.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added. PR only modifies CI configuration YAML files to integrate codecov coverage for existing tests. Check applies only to new tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@siddhibhor-56: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-cert-manager-operator-master-ci-bundle-cert-manager-operator-bundle	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-aws-proxy	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-aws-sts	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-aws-upi-proxy	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-azure-ovn	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-azure-workload-identity	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-gcp-ovn	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-gcp-workload-identity	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-e2e-operator-tech-preview	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-fips-image-scan-cert-manager	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-fips-image-scan-operator	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-images	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-unit	openshift/cert-manager-operator	presubmit	Ci-operator config changed
pull-ci-openshift-cert-manager-operator-master-verify	openshift/cert-manager-operator	presubmit	Ci-operator config changed

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml`:
- Around line 90-104: The presubmit job includes a post step that uploads
coverage using a secret (the post block with the step "as: collect-coverage",
"commands: hack/e2e-coverage.sh collect", and "credentials:
cert-manager-operator-codecov-token") which should not run in presubmit; remove
or disable this "collect-coverage" post step (and its credentials mount) from
the e2e-operator presubmit configuration so only the existing
"publish-e2e-coverage" postsubmit path performs coverage uploads, leaving the
rest of the post/chain: gather steps intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 54b4fe3e-af75-4416-8139-585e85de20b5

📥 Commits

Reviewing files that changed from the base of the PR and between ed5d22c and 0ede6bd.

⛔ Files ignored due to path filters (2)

• ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-postsubmits.yaml is excluded by !ci-operator/jobs/**
• ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid Codecov-token uploads in presubmit e2e-operator.

This adds secret-backed coverage upload to a presubmit path while publish-e2e-coverage already uploads coverage postsubmit. Keeping upload only in postsubmit reduces secret exposure and avoids duplicate external uploads.

Suggested diff

   steps:
-    post:
-    - as: collect-coverage
-      best_effort: true
-      cli: latest
-      commands: hack/e2e-coverage.sh collect
-      credentials:
-      - mount_path: /var/run/secrets/codecov
-        name: cert-manager-operator-codecov-token
-        namespace: test-credentials
-      from: src
-      resources:
-        requests:
-          cpu: 100m
-      timeout: 15m0s
-    - chain: gather
+    post:
+    - chain: gather

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	post:
	- as: collect-coverage
	best_effort: true
	cli: latest
	commands: hack/e2e-coverage.sh collect
	credentials:
	- mount_path: /var/run/secrets/codecov
	name: cert-manager-operator-codecov-token
	namespace: test-credentials
	from: src
	resources:
	requests:
	cpu: 100m
	timeout: 15m0s
	- chain: gather
	post:
	- chain: gather

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml`
around lines 90 - 104, The presubmit job includes a post step that uploads
coverage using a secret (the post block with the step "as: collect-coverage",
"commands: hack/e2e-coverage.sh collect", and "credentials:
cert-manager-operator-codecov-token") which should not run in presubmit; remove
or disable this "collect-coverage" post step (and its credentials mount) from
the e2e-operator presubmit configuration so only the existing
"publish-e2e-coverage" postsubmit path performs coverage uploads, leaving the
rest of the post/chain: gather steps intact.

[openshift-ci]

@siddhibhor-56: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.