🌱 Use dedicated least-privilege service accounts for revision probe e2e tests#2547

Merged
openshift-merge-bot[bot] merged 1 commit into operator-framework:main from perdasilva:fixup-cer-probe-e2e-perms
Mar 9, 2026

Conversation

@perdasilva
Contributor

@perdasilva perdasilva commented Mar 9, 2026

Description

The revision probe e2e tests are failing the test-experimental-e2e job. This PR addresses that issue.

The revision probe e2e tests previously shared the generic olm-sa service account, which has RBAC permissions related to the scope required for the test-operator. This change updates the service account + RBAC creation step to derive the appropriate rbac template from the service account and the olm kernel used (helm or boxcutter). It also adds a dedicated rbac template for the revision test with only the rbac required for the tests (i.e. the resources in the revision object).

Changes

  • Convention-based RBAC template lookup: Replaced hardcoded RBAC template constants with a fmt.Sprintf pattern: <service-account>-<helm|boxcutter>-rbac-template.yaml, keyed off the service account name and the BoxcutterRuntime feature gate
  • RBAC template renames: Renamed existing templates with olm-sa- prefix to match the new convention (rbac-template.yaml → olm-sa-helm-rbac-template.yaml, boxcutter-rbac-template.yaml → olm-sa-boxcutter-rbac-template.yaml)
  • Dedicated pvc-probe-sa service account: PVC revision scenarios now use a dedicated SA with a least-privilege RBAC template granting only CER finalizer update, PersistentVolume CRUD, PVC CRUD, and ConfigMap CRUD

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)
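The description above states two things worth checking in code: the template filename is derived from the service account name plus the runtime kernel, and the dedicated pvc-probe-sa template should grant exactly the permissions the scenario needs. The following is an added example written for this page, not code from the operator-controller repository or from the PR. It models an RBAC rule set with a stand-in for the Kubernetes PolicyRule type (assumed here so the example runs without the k8s.io/api module), derives the template name by the stated convention, and runs a small least-privilege check: every access the test requires must be allowed, and a list of accesses the test must not have must be denied. The ClusterExtensionRevision group and resource names (olm.operatorframework.io, clusterextensionrevisions) and the rendered ClusterRole name are assumptions, not taken from the page.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a constructed stand-in for k8s.io/api/rbac/v1.PolicyRule so the
// example runs without the Kubernetes module; the fields mirror the real type.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Access is one (apiGroup, resource, verb) triple a test either needs or must not have.
type Access struct{ Group, Resource, Verb string }

func (a Access) String() string { return fmt.Sprintf("%s/%s:%s", a.Group, a.Resource, a.Verb) }

var crud = []string{"get", "list", "watch", "create", "update", "patch", "delete"}

// rbacTemplateName follows the convention the PR describes:
// <service-account>-<helm|boxcutter>-rbac-template.yaml, keyed off the service
// account name and whether the BoxcutterRuntime feature gate is enabled.
func rbacTemplateName(serviceAccount string, boxcutterEnabled bool) string {
	kernel := "helm"
	if boxcutterEnabled {
		kernel = "boxcutter"
	}
	return fmt.Sprintf("%s-%s-rbac-template.yaml", serviceAccount, kernel)
}

// pvcProbeRules is a constructed rule set matching the PR's description of the
// pvc-probe-sa template: CER finalizer update plus CRUD on PVs, PVCs and ConfigMaps.
// The CER group/resource names are assumed; check the project's CRD before reuse.
func pvcProbeRules() []PolicyRule {
	return []PolicyRule{
		{APIGroups: []string{"olm.operatorframework.io"},
			Resources: []string{"clusterextensionrevisions/finalizers"}, Verbs: []string{"update"}},
		{APIGroups: []string{""},
			Resources: []string{"persistentvolumes", "persistentvolumeclaims", "configmaps"}, Verbs: crud},
	}
}

// matches applies RBAC's wildcard semantics: "*" in a rule matches any value.
func matches(list []string, value string) bool {
	for _, v := range list {
		if v == "*" || v == value {
			return true
		}
	}
	return false
}

// allows reports whether any rule grants the access, the way the RBAC authorizer
// evaluates a role: each rule is an independent grant and there is no deny rule.
func allows(rules []PolicyRule, a Access) bool {
	for _, r := range rules {
		if matches(r.APIGroups, a.Group) && matches(r.Resources, a.Resource) && matches(r.Verbs, a.Verb) {
			return true
		}
	}
	return false
}

// checkLeastPrivilege reports required accesses that are missing and forbidden
// accesses that are granted; an empty result means the rules are as tight as the
// test needs and no looser.
func checkLeastPrivilege(rules []PolicyRule, required, forbidden []Access) []string {
	var findings []string
	for _, a := range required {
		if !allows(rules, a) {
			findings = append(findings, "missing: "+a.String())
		}
	}
	for _, a := range forbidden {
		if allows(rules, a) {
			findings = append(findings, "over-privileged: "+a.String())
		}
	}
	return findings
}

// renderClusterRole emits the rules as a manifest in the shape such a template
// file would hold. A ClusterRole is used because PersistentVolumes are
// cluster-scoped, so a namespaced Role could never grant the PV verbs.
func renderClusterRole(name string, rules []PolicyRule) string {
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: %s\nrules:\n", name)
	for _, r := range rules {
		fmt.Fprintf(&b, "- apiGroups: [%s]\n  resources: [%s]\n  verbs: [%s]\n",
			quoteList(r.APIGroups), quoteList(r.Resources), quoteList(r.Verbs))
	}
	return b.String()
}

func quoteList(items []string) string {
	q := make([]string, len(items))
	for i, s := range items {
		q[i] = fmt.Sprintf("%q", s)
	}
	return strings.Join(q, ", ")
}

func main() {
	rules := pvcProbeRules()
	fmt.Println(rbacTemplateName("pvc-probe-sa", true))
	fmt.Print(renderClusterRole("pvc-probe-sa-role", rules)) // placeholder name
	required := []Access{{"", "persistentvolumeclaims", "create"}, {"olm.operatorframework.io", "clusterextensionrevisions/finalizers", "update"}}
	forbidden := []Access{{"apps", "deployments", "create"}, {"olm.operatorframework.io", "clusterextensionrevisions", "delete"}}
	for _, f := range checkLeastPrivilege(rules, required, forbidden) {
		fmt.Println(f)
	}
}
```

The forbidden list is the part that makes this a least-privilege check rather than a plain permission check: a template that only satisfies the required list could still be the broad olm-sa grant the PR moved away from, and that is exactly what the description says masked RBAC problems in the old setup.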

Copilot AI review requested due to automatic review settings March 9, 2026 16:20
@perdasilva perdasilva changed the title from "🌱 : Fix revision probe e2e tests" to "🌱 Fix revision probe e2e tests" Mar 9, 2026
@netlify

netlify bot commented Mar 9, 2026

Deploy Preview for olmv1 ready!

Name               Link
🔨 Latest commit    5811289
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/69af0533e1e9d00008b0735e
😎 Deploy Preview   https://deploy-preview-2547--olmv1.netlify.app

Copilot AI left a comment

Pull request overview

Updates the revision e2e tests to run with dedicated ServiceAccounts and purpose-built RBAC templates rather than relying on the shared “needed permissions” setup.

Changes:

  • Added per-scenario RBAC templates for revision probe-related ServiceAccounts.
  • Introduced a new Godog step that applies an RBAC template derived from the ServiceAccount name.
  • Updated revision.feature to use the new ServiceAccounts and step.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Files reviewed:

  • test/e2e/steps/testdata/pvc-probe-sa-rbac-template.yaml: Adds a dedicated RBAC template for the PVC probe failure scenario.
  • test/e2e/steps/testdata/pvc-bound-sa-rbac-template.yaml: Adds a dedicated RBAC template for the PVC “Bound” progression scenario (includes PV permissions).
  • test/e2e/steps/steps.go: Adds a new step to apply <serviceAccount>-rbac-template.yaml RBAC templates.
  • test/e2e/features/revision.feature: Switches scenarios to use the new dedicated ServiceAccounts and RBAC-template step.


@perdasilva
Contributor Author

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 9, 2026
@perdasilva perdasilva force-pushed the fixup-cer-probe-e2e-perms branch from 10047fe to 3a1a7d8 Compare March 9, 2026 16:33
Copilot AI review requested due to automatic review settings March 9, 2026 16:35
@perdasilva perdasilva force-pushed the fixup-cer-probe-e2e-perms branch from 3a1a7d8 to 4415ed9 Compare March 9, 2026 16:35
@perdasilva perdasilva force-pushed the fixup-cer-probe-e2e-perms branch from a71cce6 to 4415ed9 Compare March 9, 2026 16:38
Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 6 changed files in this pull request and generated 3 comments.


@perdasilva perdasilva changed the title from "🌱 Fix revision probe e2e tests" to "🌱 Use dedicated least-privilege service accounts for revision probe e2e tests" Mar 9, 2026
@perdasilva perdasilva force-pushed the fixup-cer-probe-e2e-perms branch from 4415ed9 to 1095a15 Compare March 9, 2026 16:56
@perdasilva
Contributor Author

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 9, 2026
@perdasilva perdasilva force-pushed the fixup-cer-probe-e2e-perms branch from 1095a15 to 0091b38 Compare March 9, 2026 17:31
Copilot AI review requested due to automatic review settings March 9, 2026 17:31
Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 5 changed files in this pull request and generated no new comments.


… tests

The revision probe e2e tests previously shared the generic `olm-sa`
service account, which had broad permissions that masked potential
RBAC issues. This change:

- Refactors RBAC template selection to use a convention-based naming
  pattern: `<service-account>-<helm|boxcutter>-rbac-template.yaml`,
  replacing the hardcoded constants with `fmt.Sprintf`
- Renames existing RBAC templates with `olm-sa-` prefix to follow the
  new convention (`rbac-template.yaml` → `olm-sa-helm-rbac-template.yaml`,
  `boxcutter-rbac-template.yaml` → `olm-sa-boxcutter-rbac-template.yaml`)
- Introduces a dedicated `pvc-probe-sa` service account for PVC probe
  scenarios with a least-privilege RBAC template granting only CER
  finalizer update, PersistentVolume CRUD, PVC CRUD, and ConfigMap CRUD

Signed-off-by: Per G. da Silva <pegoncal@redhat.com>
@perdasilva perdasilva force-pushed the fixup-cer-probe-e2e-perms branch from 0091b38 to 5811289 Compare March 9, 2026 17:36
@tmshort
Contributor

tmshort commented Mar 9, 2026

/approve

@openshift-ci

openshift-ci bot commented Mar 9, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tmshort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 9, 2026
@tmshort
Contributor

tmshort commented Mar 9, 2026

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 9, 2026
@tmshort
Contributor

tmshort commented Mar 9, 2026

/override ".github/workflows/pr-title.yaml / Verify PR title (pull_request_target)"

@openshift-ci

openshift-ci bot commented Mar 9, 2026

@tmshort: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

  • .github/workflows/pr-title.yaml / Verify PR title (pull_request_target)

Only the following failed contexts/checkruns were expected:

  • Verify PR title
  • crd-diff
  • e2e
  • experimental-e2e
  • extension-developer-e2e
  • go-apidiff
  • go-verdiff
  • goreleaser
  • lint
  • netlify/olmv1/deploy-preview
  • st2ex-e2e
  • tide
  • unit-test-basic
  • upgrade-st2st-e2e
  • verify

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override ".github/workflows/pr-title.yaml / Verify PR title (pull_request_target)"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tmshort
Contributor

tmshort commented Mar 9, 2026

/override "Verify PR title"

@openshift-ci

openshift-ci bot commented Mar 9, 2026

@tmshort: Overrode contexts on behalf of tmshort: Verify PR title

Details

In response to this:

/override "Verify PR title"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tmshort
Contributor

tmshort commented Mar 9, 2026

/override "Verify PR title"

@openshift-ci

openshift-ci bot commented Mar 9, 2026

@tmshort: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

  • Verify PR title

Only the following failed contexts/checkruns were expected:

  • crd-diff
  • e2e
  • experimental-e2e
  • extension-developer-e2e
  • go-apidiff
  • go-verdiff
  • goreleaser
  • lint
  • netlify/olmv1/deploy-preview
  • st2ex-e2e
  • tide
  • unit-test-basic
  • upgrade-st2st-e2e
  • verify

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override "Verify PR title"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-bot openshift-merge-bot bot merged commit 33a0224 into operator-framework:main Mar 9, 2026
23 of 24 checks passed
Member

@rashmigottipati rashmigottipati left a comment


/lgtm

@codecov

codecov bot commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.58%. Comparing base (bca7a49) to head (5811289).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2547      +/-   ##
==========================================
+ Coverage   64.28%   68.58%   +4.29%     
==========================================
  Files         131      131              
  Lines        9330     9330              
==========================================
+ Hits         5998     6399     +401     
+ Misses       2855     2439     -416     
- Partials      477      492      +15     
Flag               Coverage Δ
e2e                42.22% <ø> (ø)
experimental-e2e   51.57% <ø> (?)
unit               53.81% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
