test(tracing): add control plane sources attributes tests

[crstrn13]

Description

Implements issue #919 by adding comprehensive test coverage for control plane tracing sources attributes that link policy reconciliation spans to the actual policies that triggered them. Additionally includes improvements to tracing infrastructure to handle fast reconciliation environments like kind.

• Adds new test suite validating sources attributes in authconfig and limitador spans
• Fixes timing issues in control plane tracing tests for fast environments (kind)
• Adds Jaeger tracing support to local-setup for observability testing
• Fixes OTLP endpoint configuration (4318 → 4317 for gRPC)

Changes

New Features

• test_control_plane_sources.py: New test file with 5 comprehensive tests for sources attributes
  • test_authconfig_span_attributes: Validates authconfig spans have sources, name, and namespace attributes with correct AuthPolicy references
  • test_limitador_span_attributes: Validates limitador spans have sources, name, and namespace attributes with correct RateLimitPolicy references
  • test_authconfig_span_is_child_of_reconciler: Validates authconfig spans are children of reconciler.auth_configs spans
  • test_authconfig_sources_contains_multiple_policies: Tests multiple AuthPolicies targeting same route appear in sources
  • test_limitador_sources_contains_multiple_policies: Tests multiple RateLimitPolicies targeting same route appear in sources

Bug Fixes

• Tracing timing issues: Added start_time parameter to JaegerClient.get_traces(), RemoteTempoClient.get_traces(), and TracingClient base class to support timestamp-based trace querying
• test_control_plane_lifecycle.py: Fixed race conditions in test_policy_update_generates_new_reconciliation_trace and test_policy_target_change_traced by capturing precise timestamps and using start_time instead of relying on snapshot comparison alone
• OTLP port configuration: Changed from 4318 (HTTP) to 4317 (gRPC) in make/vars.mk and testsuite/config/__init__.py
• OTLP scheme: Changed from unsupported rpc:// to http:// for OTLP/gRPC endpoints

Infrastructure

• Jaeger tracing support: Added Jaeger deployment and configuration to make/local-setup.mk, make/tools.mk, make/istio.mk, make/kuadrant.mk
• Documentation: Updated CLAUDE.md with comprehensive Jaeger tracing access instructions including control plane and data plane tracing setup

Verification steps

Run the new tests:

poetry run pytest -vv -n4 testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_lifecycle.py

To test locally with Jaeger tracing:

make local-setup
kubectl port-forward -n tools svc/jaeger-query 16686:80
# Open http://localhost:16686 to view traces

Related Issues

Closes #919

Summary by CodeRabbit

• New Features

  • Optional distributed tracing support enabled by INSTALL_TRACING; new targets to configure tracing for mesh and control/data planes.
  • Time-bounded trace queries (start_time) for finer trace filtering.

• Documentation

  • Comprehensive Jaeger tracing guide covering setup, UI access and running tracing tests; instructions to enable/disable tracing.

• Tests

  • Added and extended control-plane tracing tests, including source-policy reconciliation validations.

• Chores

  • Configurable tooling namespace and tracing endpoints for local tooling.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ef12a67c-697e-4c1b-998d-5d333372c811

📥 Commits

Reviewing files that changed from the base of the PR and between e25f033 and 40ad6bc.

📒 Files selected for processing (4)

• testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py
• testsuite/tracing/__init__.py
• testsuite/tracing/jaeger.py
• testsuite/tracing/tempo.py

✅ Files skipped from review due to trivial changes (1)

• testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py

🚧 Files skipped from review as they are similar to previous changes (3)

• testsuite/tracing/init.py
• testsuite/tracing/jaeger.py
• testsuite/tracing/tempo.py

---

📝 Walkthrough

Walkthrough

Adds documentation and local config for Jaeger tracing; introduces Make variables and targets to configure tracing for Istio and Kuadrant during local setup; extends tracing clients to accept a microsecond start_time for time-bounded queries; and adds control‑plane tracing tests validating sources attributes and timestamp-scoped queries.

Changes

Cohort / File(s)	Summary
Documentation & local config CLAUDE.md, config/settings.local.yaml.tpl	Added Jaeger local-usage docs; changed commented query_url to in-cluster Jaeger query endpoint.
Make variables & tools deployment make/vars.mk, make/tools.mk	Added TOOLS_NAMESPACE, INSTALL_TRACING, JAEGER_COLLECTOR_ENDPOINT; deploy-testsuite-tools now uses $(TOOLS_NAMESPACE) for namespace and Helm install.
Make targets — Istio & Kuadrant tracing make/istio.mk, make/kuadrant.mk	Added configure-istio-tracing (patch Istio CR, apply Telemetry) and configure-kuadrant-tracing-operator / configure-kuadrant-tracing-cr (operator OTEL env, Kuadrant CR observability/tracing defaults).
Local setup flow make/local-setup.mk	local-setup reordered and made conditional on INSTALL_TRACING; invokes tracing configuration targets for relevant providers and adjusted deploy-tools timing.
Tracing client & defaults testsuite/tracing/__init__.py, testsuite/tracing/jaeger.py, testsuite/tracing/tempo.py, testsuite/config/__init__.py	Extended tracing client get_traces(..., start_time) signatures; Jaeger/Tempo clients add start query param when provided; adjusted default collector URL to use HTTP/4318.
Control-plane tracing tests testsuite/tests/singlecluster/tracing/control_plane/...	Updated lifecycle fixtures to return timestamps and pass start_time to queries; added test_control_plane_sources.py with tests and fixtures validating sources, name, namespace tags and multi-policy attribution.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Developer
  participant Makefile
  participant Kubernetes as K8s
  participant Istio
  participant KuadrantOperator as Kuadrant
  participant ToolsNS as Tools

  Developer->>Makefile: make local-setup (INSTALL_TRACING=true)
  Makefile->>Makefile: deploy-testsuite-tools --namespace $(TOOLS_NAMESPACE)
  Makefile->>K8s: helm install Jaeger into ToolsNS
  Makefile->>Istio: configure-istio-tracing (patch CR, apply Telemetry)
  Istio-->>K8s: update istio-system resources
  Makefile->>Kuadrant: configure-kuadrant-tracing-operator (set OTEL env, log level)
  Kuadrant-->>K8s: rollout patch on kuadrant-operator-controller-manager
  Makefile->>Kuadrant: configure-kuadrant-tracing-cr (patch Kuadrant CR observability)
  Kuadrant-->>K8s: update Kuadrant resources
  K8s-->>Developer: tracing components deployed and configured

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• test(tracing): control plane suite #870: Modifies tracing client API and tracing modules (TracingClient/Jaeger/Tempo); closely related to the added start_time parameter and tracing tests.

Suggested reviewers

• averevki
• azgabur

Poem

🐰 I hopped through Makefiles and YAML cheer,
I nudged Jaeger, Istio and Kuadrant near,
With microsecond marks and spans that sing,
Sources now follow each policy string,
Hooray — traces hop home, a joyful spring!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely summarizes the main change: adding tests for control plane tracing sources attributes, which is the primary objective of this pull request.
Description check	✅ Passed	The PR description follows the template structure with Description, Changes, and Verification sections, providing comprehensive details about objectives, implementation, and testing instructions.
Linked Issues check	✅ Passed	The code changes comprehensively address all requirements from issue #919: new tests validate authconfig/limitador sources attributes, span linking, and multiple policy scenarios; infrastructure improvements enable local tracing validation.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing issue #919: new tracing tests, timing fixes in existing tracing tests, OTLP configuration corrections, and Jaeger infrastructure to enable local tracing validation.
Docstring Coverage	✅ Passed	Docstring coverage is 95.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch issues/919

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (2)

CLAUDE.md (1)

94-101: Consider removing specific test counts to avoid staleness.

The comments mentioning "40 tests" and "10 tests" will become outdated as tests are added or removed. Consider removing these counts or making them more generic.

♻️ Suggested change

 4. **Run tracing tests:**
    ```bash
-   # Control plane tracing tests (40 tests)
+   # Control plane tracing tests
    make testsuite/tests/singlecluster/tracing/control_plane/
    
-   # Data plane tracing tests (10 tests)
+   # Data plane tracing tests
    make testsuite/tests/singlecluster/tracing/data_plane_tracing/
    ```

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@CLAUDE.md` around lines 94 - 101, The documentation comments include
hard-coded test counts ("40 tests" and "10 tests") that can become stale; remove
the numeric counts from the two comment lines above the make commands (the lines
commenting "Control plane tracing tests (40 tests)" and "Data plane tracing
tests (10 tests)") so they read generically as "Control plane tracing tests" and
"Data plane tracing tests" next to the make commands `make
testsuite/tests/singlecluster/tracing/control_plane/` and `make
testsuite/tests/singlecluster/tracing/data_plane_tracing/`.

make/istio.mk (1)

36-36: Consider extracting the long JSON patch for improved maintainability.

This single-line JSON patch is difficult to read and maintain. Additionally, the service name and port (4318) are hardcoded here rather than being derived from $(JAEGER_COLLECTOR_ENDPOINT) defined in make/vars.mk, which could lead to inconsistencies if the endpoint changes.

♻️ Suggested approach: use a heredoc or external file

Consider extracting the patch to a heredoc similar to the Telemetry resource below, or parsing the port from $(JAEGER_COLLECTOR_ENDPOINT):

# Alternative: Store patch in a variable or external file for readability
# The port should ideally match JAEGER_COLLECTOR_ENDPOINT (currently 4318)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@make/istio.mk` at line 36, The kubectl patch command on istio.mk currently
inlines a long JSON and hardcodes jaeger-collector port 4318; extract that JSON
into a heredoc or separate file and reference it from the make target to improve
readability, and derive the Jaeger endpoint/port from the existing
JAEGER_COLLECTOR_ENDPOINT variable (or parse it into host and port) instead of
hardcoding 4318 so the opentelemetry.service value uses the canonical
$(JAEGER_COLLECTOR_ENDPOINT) (and keep $(TOOLS_NAMESPACE) for the service FQDN);
update the istio patch invocation (the kubectl patch line) to read the payload
from the heredoc/file and replace the inline JSON with a reference to that
payload.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py`:
- Around line 19-28: The fixtures (e.g., authconfig_trace, limitador_trace,
authconfig_trace_multiple_policies, limitador_trace_multiple_policies) sometimes
call skip_or_fail(...) which raises but pylint can't see that, causing
inconsistent-return-statements; after each skip_or_fail(...) call add an
explicit "return None" so every control path returns a value and the pylint
warning is silenced.
- Around line 246-249: The file ends without a trailing newline which breaks the
CI formatter; add a final newline to the end of the file (after the assert
block) so the file ends with a newline character, then run the formatter (make
reformat or poetry run black) to ensure consistent styling; locate the assert
that references found, first_policy_ref, second_policy_ref and
spans_with_sources and append the missing newline to that file.

In `@testsuite/tracing/jaeger.py`:
- Around line 62-63: The params dict in testsuite/tracing/jaeger.py expects
string values but start_time is an int, so before assigning to params["start"]
convert start_time to a string using Python's str() and then assign; update the
assignment near the conditional that checks start_time to set params["start"] to
the stringified start_time.

In `@testsuite/tracing/tempo.py`:
- Around line 30-31: The params dict in testsuite/tracing/tempo.py is getting an
int start_time assigned (params["start"] = start_time) which causes a type
mismatch; convert start_time to a string before assigning (e.g.,
str(start_time)) so params holds string values like in JaegerClient, updating
the assignment where params["start"] is set and ensuring any related uses expect
a string.

---

Nitpick comments:
In `@CLAUDE.md`:
- Around line 94-101: The documentation comments include hard-coded test counts
("40 tests" and "10 tests") that can become stale; remove the numeric counts
from the two comment lines above the make commands (the lines commenting
"Control plane tracing tests (40 tests)" and "Data plane tracing tests (10
tests)") so they read generically as "Control plane tracing tests" and "Data
plane tracing tests" next to the make commands `make
testsuite/tests/singlecluster/tracing/control_plane/` and `make
testsuite/tests/singlecluster/tracing/data_plane_tracing/`.

In `@make/istio.mk`:
- Line 36: The kubectl patch command on istio.mk currently inlines a long JSON
and hardcodes jaeger-collector port 4318; extract that JSON into a heredoc or
separate file and reference it from the make target to improve readability, and
derive the Jaeger endpoint/port from the existing JAEGER_COLLECTOR_ENDPOINT
variable (or parse it into host and port) instead of hardcoding 4318 so the
opentelemetry.service value uses the canonical $(JAEGER_COLLECTOR_ENDPOINT) (and
keep $(TOOLS_NAMESPACE) for the service FQDN); update the istio patch invocation
(the kubectl patch line) to read the payload from the heredoc/file and replace
the inline JSON with a reference to that payload.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2d1b4c2e-e087-4989-831e-6ab5163efd47

📥 Commits

Reviewing files that changed from the base of the PR and between d6450a3 and cef128b.

📒 Files selected for processing (13)

• CLAUDE.md
• config/settings.local.yaml.tpl
• make/istio.mk
• make/kuadrant.mk
• make/local-setup.mk
• make/tools.mk
• make/vars.mk
• testsuite/config/__init__.py
• testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_lifecycle.py
• testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py
• testsuite/tracing/__init__.py
• testsuite/tracing/jaeger.py
• testsuite/tracing/tempo.py

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add explicit return to satisfy pylint's inconsistent-return-statements check.

skip_or_fail() raises an exception and never returns, but pylint doesn't know this statically. Add an explicit return None after the call to silence the warning. The same pattern applies to the other fixtures flagged by pylint (lines 31, 124, 198).

Proposed fix for this fixture

 `@pytest.fixture`(scope="module")
 def authconfig_trace(auth_traces, skip_or_fail):
     """Find trace with authconfig span that has sources attribute"""
     for trace in auth_traces:
         spans = trace.filter_spans(lambda s: s.operation_name == "authconfig" and s.has_tag("sources"))
         if spans:
             return trace

     skip_or_fail("No trace with authconfig span containing 'sources' attribute found")
+    return None  # Unreachable, but satisfies pylint

Apply the same pattern to limitador_trace, authconfig_trace_multiple_policies, and limitador_trace_multiple_policies fixtures.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	@pytest.fixture(scope="module")
	def authconfig_trace(auth_traces, skip_or_fail):
	"""Find trace with authconfig span that has sources attribute"""
	for trace in auth_traces:
	spans = trace.filter_spans(lambda s: s.operation_name == "authconfig" and s.has_tag("sources"))
	if spans:
	return trace
	skip_or_fail("No trace with authconfig span containing 'sources' attribute found")
	`@pytest.fixture`(scope="module")
	def authconfig_trace(auth_traces, skip_or_fail):
	"""Find trace with authconfig span that has sources attribute"""
	for trace in auth_traces:
	spans = trace.filter_spans(lambda s: s.operation_name == "authconfig" and s.has_tag("sources"))
	if spans:
	return trace
	skip_or_fail("No trace with authconfig span containing 'sources' attribute found")
	return None # Unreachable, but satisfies pylint

🧰 Tools

🪛 GitHub Actions: Code static analysis

[error] 20-20: pylint R1710: Either all return statements in a function should return an expression, or none of them should (inconsistent-return-statements)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py`
around lines 19 - 28, The fixtures (e.g., authconfig_trace, limitador_trace,
authconfig_trace_multiple_policies, limitador_trace_multiple_policies) sometimes
call skip_or_fail(...) which raises but pylint can't see that, causing
inconsistent-return-statements; after each skip_or_fail(...) call add an
explicit "return None" so every control path returns a value and the pylint
warning is silenced.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py (1)

109-110: Consider autouse=True for policy setup fixtures to align with test fixture standard.

Both policy-creation fixtures already use finalisers correctly; adding autouse=True would align them with the repository fixture pattern and reduce per-test wiring.

As per coding guidelines: "Use autouse=True and request.addfinalizer() in fixture setup to automatically commit policies before tests and ensure cleanup after tests complete".

Also applies to: 183-184

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py`
around lines 109 - 110, The fixture second_auth_policy (and other
policy-creation fixtures) should be made autouse to follow repo conventions:
change the `@pytest.fixture`(...) decorator to include autouse=True, ensure the
setup still commits the policy during fixture setup, and keep the existing
cleanup registered via request.addfinalizer so the policy is removed after each
test; apply the same change to the other policy-creation fixture(s) referenced
in the review.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py`:
- Around line 214-219: The test currently accepts a trace when either
first_policy_ref or second_policy_ref is present; change the conditional that
checks sources (the one using first_policy_ref and second_policy_ref) to require
both references (use logical AND instead of OR) so it only returns trace when
both first_policy_ref and second_policy_ref are in sources, and apply the same
change to the second occurrence of the same check (the other block that
currently uses OR before calling skip_or_fail).
- Around line 140-146: The test currently accepts a trace if either policy ref
appears in the trace's sources; change that to require both policies so the test
validates multiple-policy propagation: in the block that checks "if sources and
(first_policy_ref in sources or second_policy_ref in sources)" replace the
logical OR with AND (or equivalently assert both first_policy_ref and
second_policy_ref are in sources) so the function returns the trace only when
both are present; make the same change in the second occurrence that mirrors
lines ~173-180 so both checks require both refs, keeping the surrounding use of
variables first_policy_ref, second_policy_ref, sources, trace and the
skip_or_fail behavior unchanged.
- Line 73: The filter on limitador_trace currently picks any span with the
"sources" tag and may match unrelated spans; update the lambda used in
limitador_trace.filter_spans(...) so it only returns spans that both
have_tag("sources") and whose operation_name == "limits" (e.g., change lambda s:
s.has_tag("sources") to lambda s: s.has_tag("sources") and s.operation_name ==
"limits") where limitador_span is selected (also apply the same change to the
other two occurrences that assert on limitador spans).

---

Nitpick comments:
In
`@testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py`:
- Around line 109-110: The fixture second_auth_policy (and other policy-creation
fixtures) should be made autouse to follow repo conventions: change the
`@pytest.fixture`(...) decorator to include autouse=True, ensure the setup still
commits the policy during fixture setup, and keep the existing cleanup
registered via request.addfinalizer so the policy is removed after each test;
apply the same change to the other policy-creation fixture(s) referenced in the
review.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8052dbb5-42c2-49d2-b5ff-474d0298205b

📥 Commits

Reviewing files that changed from the base of the PR and between cef128b and e25f033.

📒 Files selected for processing (1)

• testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Filter limitador assertions to operation_name == "limits" to avoid false positives.

On Line 73, Line 211, and Line 231 the code selects any span with sources, which can match unrelated spans. Constrain these to limits spans so assertions target the intended reconciliation span.

Proposed fix

-    limitador_span = limitador_trace.filter_spans(lambda s: s.has_tag("sources"))[0]
+    limitador_span = limitador_trace.filter_spans(
+        lambda s: s.operation_name == "limits" and s.has_tag("sources")
+    )[0]
@@
-        spans = trace.filter_spans(lambda s: s.has_tag("sources"))
+        spans = trace.filter_spans(lambda s: s.operation_name == "limits" and s.has_tag("sources"))
@@
-    spans_with_sources = limitador_trace_multiple_policies.filter_spans(lambda s: s.has_tag("sources"))
+    spans_with_sources = limitador_trace_multiple_policies.filter_spans(
+        lambda s: s.operation_name == "limits" and s.has_tag("sources")
+    )

Also applies to: 211-213, 231-231

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py`
at line 73, The filter on limitador_trace currently picks any span with the
"sources" tag and may match unrelated spans; update the lambda used in
limitador_trace.filter_spans(...) so it only returns spans that both
have_tag("sources") and whose operation_name == "limits" (e.g., change lambda s:
s.has_tag("sources") to lambda s: s.has_tag("sources") and s.operation_name ==
"limits") where limitador_span is selected (also apply the same change to the
other two occurrences that assert on limitador spans).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Require both AuthPolicy references, not either one.

The current logic passes when only one policy appears, so it does not verify the “multiple policies” objective. On Line 140 and Line 173, switch or to and (or assert both refs in the same sources list) so this test only passes when both policies are represented.

Proposed fix

-            if sources and (first_policy_ref in sources or second_policy_ref in sources):
+            if sources and (first_policy_ref in sources and second_policy_ref in sources):
                 return trace
@@
-        if first_policy_ref in sources or second_policy_ref in sources:
+        if first_policy_ref in sources and second_policy_ref in sources:
             found = True
             break
@@
-        f"Neither {first_policy_ref} nor {second_policy_ref} found in any authconfig span sources. "
+        f"Both {first_policy_ref} and {second_policy_ref} must be present in authconfig span sources. "
         f"Checked {len(authconfig_spans)} span(s)"
     )

Also applies to: 173-180

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py`
around lines 140 - 146, The test currently accepts a trace if either policy ref
appears in the trace's sources; change that to require both policies so the test
validates multiple-policy propagation: in the block that checks "if sources and
(first_policy_ref in sources or second_policy_ref in sources)" replace the
logical OR with AND (or equivalently assert both first_policy_ref and
second_policy_ref are in sources) so the function returns the trace only when
both are present; make the same change in the second occurrence that mirrors
lines ~173-180 so both checks require both refs, keeping the surrounding use of
variables first_policy_ref, second_policy_ref, sources, trace and the
skip_or_fail behavior unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Require both RateLimitPolicy references in multi-policy validation.

Like the authconfig variant, this currently succeeds when only one policy is present. On Line 214 and Line 244, enforce both references in sources so the test actually validates aggregation.

Proposed fix

-            if sources and (first_policy_ref in sources or second_policy_ref in sources):
+            if sources and (first_policy_ref in sources and second_policy_ref in sources):
                 return trace
@@
-        if first_policy_ref in sources or second_policy_ref in sources:
+        if first_policy_ref in sources and second_policy_ref in sources:
             found = True
             break
@@
-        f"Neither {first_policy_ref} nor {second_policy_ref} found in any span sources. "
+        f"Both {first_policy_ref} and {second_policy_ref} must be present in span sources. "
         f"Checked {len(spans_with_sources)} span(s)"
     )

Also applies to: 244-250

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@testsuite/tests/singlecluster/tracing/control_plane/test_control_plane_sources.py`
around lines 214 - 219, The test currently accepts a trace when either
first_policy_ref or second_policy_ref is present; change the conditional that
checks sources (the one using first_policy_ref and second_policy_ref) to require
both references (use logical AND instead of OR) so it only returns trace when
both first_policy_ref and second_policy_ref are in sources, and apply the same
change to the second occurrence of the same check (the other block that
currently uses OR before calling skip_or_fail).