chore(tests): Align 1-120_repo_server_system_ca_trust.go with downstream

[olivergondza]

What type of PR is this?

/kind chore

What does this PR do / why we need it:

Have you updated the necessary documentation?

• Documentation update is required by this PR.
• Documentation has been updated.

Which issue(s) this PR fixes:

How to test changes / Special notes to the reviewer:

Summary by CodeRabbit

• Tests
  • Improved test reliability by centralizing resource cleanup and ensuring consistent teardown after each test.
  • Enhanced failure diagnostics by emitting debug output on test failures.
  • Strengthened certificate bundle detection with automatic fallback handling for broader system compatibility.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 93104174-64ff-40d5-be37-899a6b6eee74

📥 Commits

Reviewing files that changed from the base of the PR and between 504fbb4 and f6d944c.

📒 Files selected for processing (1)

• tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go

✅ Files skipped from review due to trivial changes (1)

• tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go

---

📝 Walkthrough

Walkthrough

Consolidated per-test namespace cleanup into a shared AfterEach and replaced a hardcoded CA bundle path with a shell command that detects and reads the system CA bundle from common locations.

Changes

Cohort / File(s)	Summary
Test lifecycle & CA detection tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go	Removed global caBundlePath constant; replaced usages with a shell command that reads /etc/ssl/certs/ca-certificates.crt or falls back to /etc/ssl/certs/ca-bundle.crt. Reworked namespace creation/cleanup to assign ns and cleanupNs to shared variables and perform cleanup+debug in a centralized AfterEach (calls fixture.OutputDebugOnFail(ns), cleanupNs(), then purgeCtbs()).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• chore: sync E2E tests with downstream #2122: Modifies the same test file with different test logic changes.

Suggested reviewers

• jgwest

Poem

🐰 I nibbled through tests with a curious twitch,
Shared cleanup now hops in one tidy stitch,
CA paths I sniffed in two likely spots,
Namespaces neat, no more scattered plots,
A small rabbit cheer for refactors and dots!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: aligning a test file with downstream, which matches the PR's stated objectives and the modifications in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go (1)

87-94: ⚠️ Potential issue | 🔴 Critical

Prevent nil/stale cleanupNs invocation in AfterEach

When Skip(...) executes before namespace creation (Line 121, Line 346, Line 398), cleanupNs may be nil or left from a previous spec, and Line 98 can panic or clean up the wrong namespace.

Suggested fix

 		BeforeEach(func() {
 			fixture.EnsureSequentialCleanSlate()

 			k8sClient, _ = fixtureUtils.GetE2ETestKubeClient()
 			ctx = context.Background()
+			ns = nil
+			cleanupNs = nil

 			clusterSupportsClusterTrustBundles = detectClusterTrustBundleSupport(k8sClient, ctx)
 		})

 		AfterEach(func() {
 			fixture.OutputDebugOnFail(ns)
-			cleanupNs()
+			if cleanupNs != nil {
+				cleanupNs()
+			}
 			purgeCtbs()
 		})

Also applies to: 96-99

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go` around lines 87
- 94, The AfterEach currently calls cleanupNs unguarded which can panic or clean
the wrong namespace if Skip(...) runs before namespace creation; ensure
cleanupNs is reset and called safely: set cleanupNs = nil at the start of the
BeforeEach (or immediately after fixture.EnsureSequentialCleanSlate()) to avoid
reusing a stale closure, and change the AfterEach invocation to check if
cleanupNs != nil before calling it (i.e., if cleanupNs != nil { cleanupNs() }).
Reference symbols: cleanupNs, BeforeEach, AfterEach, Skip(...).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go`:
- Around line 792-794: Replace the permissive shell command string "cat
/etc/ssl/certs/ca-certificates.crt || cat /etc/ssl/certs/ca-bundle.crt" used in
the test with a strict upstream Ubuntu path only: use "cat
/etc/ssl/certs/ca-certificates.crt" so the test asserts the Ubuntu CA bundle
location; update the command literal in the test invocation (the "bash", "-c",
... argument) accordingly and remove downstream RHEL/Fedora/UBI fallback logic.

---

Outside diff comments:
In `@tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go`:
- Around line 87-94: The AfterEach currently calls cleanupNs unguarded which can
panic or clean the wrong namespace if Skip(...) runs before namespace creation;
ensure cleanupNs is reset and called safely: set cleanupNs = nil at the start of
the BeforeEach (or immediately after fixture.EnsureSequentialCleanSlate()) to
avoid reusing a stale closure, and change the AfterEach invocation to check if
cleanupNs != nil before calling it (i.e., if cleanupNs != nil { cleanupNs() }).
Reference symbols: cleanupNs, BeforeEach, AfterEach, Skip(...).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: eda3ccfb-6a41-437a-a57c-30503a1e9b10

📥 Commits

Reviewing files that changed from the base of the PR and between 8bda8b1 and 504fbb4.

📒 Files selected for processing (1)

• tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Keep CA bundle path strict to upstream Ubuntu behavior in this test

Using cat ...ca-certificates.crt || ...ca-bundle.crt makes the test accept downstream-specific layout and weakens what this upstream test is verifying.

Suggested fix

-		"bash", "-c",
-		// Ubuntu or RHEL location
-		"cat /etc/ssl/certs/ca-certificates.crt || cat /etc/ssl/certs/ca-bundle.crt",
+		"cat", "/etc/ssl/certs/ca-certificates.crt",

Based on learnings: In the file tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go, the CA bundle path should be set to /etc/ssl/certs/ca-certificates.crt on Ubuntu, and downstream RHEL/Fedora/UBI-specific logic should not be mixed in this file.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"bash", "-c",
	// Ubuntu or RHEL location
	"cat /etc/ssl/certs/ca-certificates.crt || cat /etc/ssl/certs/ca-bundle.crt",
	"cat", "/etc/ssl/certs/ca-certificates.crt",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/ginkgo/sequential/1-120_repo_server_system_ca_trust.go` around lines
792 - 794, Replace the permissive shell command string "cat
/etc/ssl/certs/ca-certificates.crt || cat /etc/ssl/certs/ca-bundle.crt" used in
the test with a strict upstream Ubuntu path only: use "cat
/etc/ssl/certs/ca-certificates.crt" so the test asserts the Ubuntu CA bundle
location; update the command literal in the test invocation (the "bash", "-c",
... argument) accordingly and remove downstream RHEL/Fedora/UBI fallback logic.

[olivergondza]

Aligns with redhat-developer/gitops-operator#1123

[jannfis]

/lgtm

[anandf]

nitpick: This empty line can be removed IMO.