image policy tests: include test cleanup within the It block

haircommander · haircommander · commit 3befae98ad5b · 2026-04-09T15:34:50.000-04:00
Using g.Cleanup means the cleanup steps aren't included as part of the monitor testing event interval. This causes MCP rollouts to
trigger events out of the window of forgiveness, causing test failures

Signed-off-by: Peter Hunt &lt;pehunt@redhat.com&gt;
diff --git a/test/extended/imagepolicy/imagepolicy.go b/test/extended/imagepolicy/imagepolicy.go
@@ -84,7 +84,11 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 
 	g.It("Should fail clusterimagepolicy signature validation root of trust does not match the identity in the signature", func() {
 		createClusterImagePolicy(oc, testClusterImagePolicies[invalidPublicKeyClusterImagePolicyName])
-		g.DeferCleanup(deleteClusterImagePolicy, oc, invalidPublicKeyClusterImagePolicyName)
+
+		// Cleanup inline instead of DeferCleanup so it's included in test interval timing
+		defer func() {
+			o.Expect(deleteClusterImagePolicy(oc, invalidPublicKeyClusterImagePolicyName)).NotTo(o.HaveOccurred())
+		}()
 
 		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
@@ -98,10 +102,18 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 		// Ensure allowedRegistries do not skip signature verification by adding testSignedPolicyScope to the list.
 		allowedRegistries := []string{"quay.io", "registry.redhat.io", "image-registry.openshift-image-registry.svc:5000", testSignedPolicyScope}
 		updateImageConfig(oc, allowedRegistries)
-		g.DeferCleanup(cleanupImageConfig, oc)
+
+		// Cleanup inline instead of DeferCleanup so it's included in test interval timing
+		defer func() {
+			o.Expect(cleanupImageConfig(oc)).NotTo(o.HaveOccurred())
+		}()
 
 		createClusterImagePolicy(oc, testClusterImagePolicies[invalidPublicKeyClusterImagePolicyName])
-		g.DeferCleanup(deleteClusterImagePolicy, oc, invalidPublicKeyClusterImagePolicyName)
+
+		// Cleanup inline instead of DeferCleanup so it's included in test interval timing
+		defer func() {
+			o.Expect(deleteClusterImagePolicy(oc, invalidPublicKeyClusterImagePolicyName)).NotTo(o.HaveOccurred())
+		}()
 
 		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
@@ -113,7 +125,11 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 
 	g.It("Should pass clusterimagepolicy signature validation with signed image", func() {
 		createClusterImagePolicy(oc, testClusterImagePolicies[publiKeyRekorClusterImagePolicyName])
-		g.DeferCleanup(deleteClusterImagePolicy, oc, publiKeyRekorClusterImagePolicyName)
+
+		// Cleanup inline instead of DeferCleanup so it's included in test interval timing
+		defer func() {
+			o.Expect(deleteClusterImagePolicy(oc, publiKeyRekorClusterImagePolicyName)).NotTo(o.HaveOccurred())
+		}()
 
 		pod, err := launchTestPod(tctx, clif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
@@ -125,7 +141,11 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 
 	g.It("Should fail imagepolicy signature validation in different namespaces root of trust does not match the identity in the signature", func() {
 		createImagePolicy(oc, testImagePolicies[invalidPublicKeyImagePolicyName], imgpolicyClif.Namespace.Name)
-		g.DeferCleanup(deleteImagePolicy, oc, invalidPublicKeyImagePolicyName, imgpolicyClif.Namespace.Name)
+
+		// Cleanup inline instead of DeferCleanup so it's included in test interval timing
+		defer func() {
+			o.Expect(deleteImagePolicy(oc, invalidPublicKeyImagePolicyName, imgpolicyClif.Namespace.Name)).NotTo(o.HaveOccurred())
+		}()
 
 		pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
@@ -137,9 +157,12 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerification][
 	})
 
 	g.It("Should pass imagepolicy signature validation with signed image in namespaces", func() {
-
 		createImagePolicy(oc, testImagePolicies[publiKeyRekorImagePolicyName], imgpolicyClif.Namespace.Name)
-		g.DeferCleanup(deleteImagePolicy, oc, publiKeyRekorImagePolicyName, imgpolicyClif.Namespace.Name)
+
+		// Cleanup inline instead of DeferCleanup so it's included in test interval timing
+		defer func() {
+			o.Expect(deleteImagePolicy(oc, publiKeyRekorImagePolicyName, imgpolicyClif.Namespace.Name)).NotTo(o.HaveOccurred())
+		}()
 
 		pod, err := launchTestPod(tctx, imgpolicyClif, testPodName, testSignedPolicyScope)
 		o.Expect(err).NotTo(o.HaveOccurred())
@@ -172,7 +195,11 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPK
 	g.DescribeTable("clusterimagepolicy signature validation tests",
 		func(policyName string, expectPass bool, imageSpec string, verifyFunc func(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error) {
 			createClusterImagePolicy(oc, testClusterImagePolicies[policyName])
-			g.DeferCleanup(deleteClusterImagePolicy, oc, policyName)
+
+			// Cleanup inline instead of DeferCleanup so it's included in test interval timing
+			defer func() {
+				o.Expect(deleteClusterImagePolicy(oc, policyName)).NotTo(o.HaveOccurred())
+			}()
 
 			err := verifyFunc(tctx, clif, expectPass, testPodName, imageSpec)
 			o.Expect(err).NotTo(o.HaveOccurred())
@@ -185,7 +212,11 @@ var _ = g.Describe("[sig-imagepolicy][OCPFeatureGate:SigstoreImageVerificationPK
 	g.DescribeTable("imagepolicy signature validation tests",
 		func(policyName string, expectPass bool, imageSpec string, verifyFunc func(tctx context.Context, clif *e2e.Framework, expectPass bool, testPodName string, imageSpec string) error) {
 			createImagePolicy(oc, testImagePolicies[policyName], imgpolicyClif.Namespace.Name)
-			g.DeferCleanup(deleteImagePolicy, oc, policyName, imgpolicyClif.Namespace.Name)
+
+			// Cleanup inline instead of DeferCleanup so it's included in test interval timing
+			defer func() {
+				o.Expect(deleteImagePolicy(oc, policyName, imgpolicyClif.Namespace.Name)).NotTo(o.HaveOccurred())
+			}()
 
 			err := verifyFunc(tctx, imgpolicyClif, expectPass, testPodName, imageSpec)
 			o.Expect(err).NotTo(o.HaveOccurred())
