[CNV-63822] Test plan out-out of role aggregation

[rlobillo]

STP Metadata

VEP issue: kubevirt/enhancements#160

What this PR does

STP ready for QE team review while waiting for upstream merge

Special notes for your reviewer

Summary by CodeRabbit

• Documentation
  • Added a comprehensive Quality Engineering Test Plan for the Role Aggregation Opt-Out feature, covering motivation, acceptance criteria, test strategy, test scenarios, upgrade guidance, environment and tool needs, risks, traceability, and sign-off workflow.
  • This is testing and governance documentation only; no end-user visible code, API, or public behavior changes.

[coderabbitai]

Walkthrough

Adds a new Quality Engineering Software Test Plan (STP) document for the Role Aggregation Opt-Out feature (CNV-63822) under stps/sig-iuo, detailing motivation, requirements, test strategy, scenarios, dependencies, and sign-off governance.

Changes

Cohort / File(s)

Summary

Test Plan Documentation stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md

Adds a new 198-line QE STP markdown covering metadata, motivation, requirements review, design considerations, detailed test strategy (functional, automation, security, compatibility, regression, upgrade), environment/tools, entry criteria, risks, test scenarios mapped to acceptance criteria, upstream dependency (KubeVirt PR #16350), prerequisites (HTPasswd IdP), and governance/sign-off. Status: Draft pending upstream merge.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title contains a typo ('out-out' instead of 'opt-out') and is unclear about the main change - it mentions 'Test plan out-out' which doesn't accurately reflect that this PR adds a Software Test Plan (STP) document for the Role Aggregation Opt-Out feature.	Correct the typo to '[CNV-63822] Test plan for role aggregation opt-out' to clearly indicate this PR adds a QE/STP document for the feature.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments

stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md (4)

9-9: Consider adding a full URL for the KubeVirt PR.

The enhancement field references "KubeVirt PR #16350" but lacks a clickable link. Adding the full URL (e.g., https://github.com/kubevirt/kubevirt/pull/16350) would improve traceability and make it easier for reviewers to verify the upstream implementation.

♻️ Proposed enhancement

-| **Enhancement(s)**     | KubeVirt PR `#16350` (pending merge)                      |
+| **Enhancement(s)**     | [KubeVirt PR `#16350`](https://github.com/kubevirt/kubevirt/pull/16350) (pending merge) |

---

42-42: Format the VEP link as a markdown hyperlink for consistency.

The KubeVirt VEP reference uses plain text with a bare URL. Converting it to a markdown link would be consistent with other references in the document (e.g., Jira links in the metadata table).

♻️ Proposed enhancement

-[Kubevirt VEP](https://github.com/kubevirt/enhancements/issues/160)
+**Enhancement Proposal:** [KubeVirt VEP `#160`](https://github.com/kubevirt/enhancements/issues/160)

---

51-56: Fix inconsistent bullet formatting in the "In Scope" section.

The bullet for "Unprivileged users cannot access kubevirt resources" (line 51) ends with a colon, but the sub-bullets (lines 53-55) starting with "admin =", "edit =", and "view =" are inconsistently formatted. Line 52 ("Explicit RoleBindings...") appears misplaced before these sub-bullets, breaking the logical grouping.

♻️ Proposed restructuring

 - Verify role aggregation can be disabled via hyperconvergeds.hco.kubevirt.io config
-- Unprivileged users cannot access kubevirt resources without explicit RoleBinding (when disabled):
-- Explicit RoleBindings (admin, edit, view) grant access correctly
+- Unprivileged users cannot access kubevirt resources without explicit RoleBinding (when disabled)
+- Explicit RoleBindings (admin, edit, view) grant access correctly:
   - admin = create/delete/modify VM/VMI
   - edit = modify VM/VMIs but cannot create/delete
   - view = Only read VM/VMIs

---

187-187: Fix inconsistent @ prefix formatting in the reviewer list.

The sig-iuo representative line has inconsistent formatting: @orenc1 @hmeir @OhadRevah albarker-rh. The last reviewer (albarker-rh) is missing the @ prefix, which may prevent proper GitHub mention/notification if this list is used for automated tagging.

♻️ Proposed fix

-  - [sig-iuo representative / `@orenc1` `@hmeir` `@OhadRevah` albarker-rh]
+  - [sig-iuo representative / `@orenc1` `@hmeir` `@OhadRevah` `@albarker-rh`]

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-virtualization-qe-bot]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the OWNERS file in the repository root
• Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are automatically applied based on changes
• Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified
• Labels: Enabled categories: branch, can-be-merged, cherry-pick, has-conflicts, hold, needs-rebase, size, verified, wip

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)
• /regenerate-welcome - Regenerate this welcome message

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest all - Run all available tests

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 2 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No WIP, hold, conflict labels
5. Verified: PR must be marked as verified (if verification is enabled)

📊 Review Process

Approvers and Reviewers

Approvers:

• hmeir

Reviewers:

• OhadRevah
• albarker-rh
• hmeir
• rlobillo

Available Labels

• hold
• verified
• wip
• lgtm
• approve

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is automatically removed on each new commit
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md`:
- Around line 122-123: Update the test framework table entry that currently
reads "ginkgo for tier1 tests inside kubevirt repo" to use the proper noun
"Ginkgo" (i.e., "Ginkgo for tier1 tests inside kubevirt repo"); locate the table
row under the "Test Framework" heading and replace the lowercase "ginkgo" token
with "Ginkgo" to match upstream documentation and the adjacent "pytest" usage.
- Around line 158-161: The table rows for KubeVirt PR `#16350` are missing entries
in the "Test Scenario(s)" column; update the four rows whose descriptions start
with "RoleAggregationStrategy config should keep aggregate labels when
RoleAggregationStrategy is nil", "RoleAggregationStrategy configuration should
keep aggregate labels when RoleAggregationStrategy is AggregateToDefault",
"RoleAggregationStrategy configuration should create ClusterRole without
aggregate labels when RoleAggregationStrategy is Manual", and
"RoleAggregationStrategy configuration should remove aggregate labels from
existing ClusterRole when strategy changes to Manual" by adding a concrete test
scenario text for each (briefly describe the test steps and expected outcome)
or, if upstream merge is pending, insert "TBD" in the Test Scenario(s) column
for each row so traceability is preserved.
- Line 162: Change the YAML boolean to lowercase: update the example that sets
the HCO spec key spec.roleAggregation.enabled from `False` to `false` so it
conforms to YAML/Kubernetes boolean conventions and standard YAML 1.2
formatting.

🧹 Nitpick comments (2)

stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md (2)

9-10: Include the VEP issue in the Metadata “Enhancement(s)” field.

The enhancement reference is currently a PR; consider adding the VEP issue link (and keep the PR in notes) so the metadata points to the canonical enhancement record. Based on learnings: “In the openshift-virtualization-tests-design-docs repository, not all features have OpenShift enhancement PRs. When no enhancement PR exists, it's acceptable to reference only the HLD (High-Level Design) document in the Enhancement(s) field of the STP metadata table.”

Also applies to: 42-42

---

158-161: Avoid repeating the same Requirement ID across consecutive rows.

For the KubeVirt PR #16350 rows, leave the Requirement ID blank after the first row to reduce redundancy. Based on learnings: “In the openshift-virtualization-tests-design-docs repository, when documenting test scenarios in the "Test Scenarios & Traceability" table where multiple test scenarios fall under the same epic, it's acceptable and preferred to leave the Requirement ID cells empty for subsequent rows after the first row which contains the epic ID (e.g., CNV-28924 (epic)). Repeating the epic ID in each row is considered redundant.”

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Capitalize the Ginkgo framework name.

Use “Ginkgo” (proper noun) for consistency with upstream documentation.

🧰 Tools

🪛 LanguageTool

[grammar] ~122-~122: Ensure spelling is correct
Context: ...----| | Test Framework | ginkgo for tier1 tests inside kubevirt repo |...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[grammar] ~123-~123: Ensure spelling is correct
Context: ...with openshift-virtualization-tests for tier2 tests | | CI/CD | Stand...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents

In `@stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md` around lines 122 -
123, Update the test framework table entry that currently reads "ginkgo for
tier1 tests inside kubevirt repo" to use the proper noun "Ginkgo" (i.e., "Ginkgo
for tier1 tests inside kubevirt repo"); locate the table row under the "Test
Framework" heading and replace the lowercase "ginkgo" token with "Ginkgo" to
match upstream documentation and the adjacent "pytest" usage.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fill in missing “Test Scenario(s)” for upstream KubeVirt PR cases.

The test scenario column is empty for these rows, which breaks traceability. Please add concrete scenario text or mark them as “TBD” until the upstream merge lands.

🤖 Prompt for AI Agents

In `@stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md` around lines 158 -
161, The table rows for KubeVirt PR `#16350` are missing entries in the "Test
Scenario(s)" column; update the four rows whose descriptions start with
"RoleAggregationStrategy config should keep aggregate labels when
RoleAggregationStrategy is nil", "RoleAggregationStrategy configuration should
keep aggregate labels when RoleAggregationStrategy is AggregateToDefault",
"RoleAggregationStrategy configuration should create ClusterRole without
aggregate labels when RoleAggregationStrategy is Manual", and
"RoleAggregationStrategy configuration should remove aggregate labels from
existing ClusterRole when strategy changes to Manual" by adding a concrete test
scenario text for each (briefly describe the test steps and expected outcome)
or, if upstream merge is pending, insert "TBD" in the Test Scenario(s) column
for each row so traceability is preserved.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the file to understand the context
git ls-files | grep -E "stp\.md|STP" | head -20

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 216

---

🏁 Script executed:

# Find and read the specific file
find . -name "stp.md" -path "*CNV-63822*" 2>/dev/null | head -5

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 151

---

🏁 Script executed:

# Check if file exists in the repo
find . -name "stp.md" | head -10

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 178

---

🏁 Script executed:

# Read the specific file to see the context around line 162
cat -n ./stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md | sed -n '155,170p'

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 3024

---

🏁 Script executed:

# Let's see more context to understand what this table is documenting
cat -n ./stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md | sed -n '145,175p'

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 3603

---

🏁 Script executed:

# Look for any HCO API specification or examples in the repo
find . -type f \( -name "*.md" -o -name "*.yaml" -o -name "*.yml" \) -exec grep -l "spec.roleAggregation" {} \; 2>/dev/null

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 151

---

🏁 Script executed:

# Search for any references to HCO CR or YAML configs in the doc
grep -r "roleAggregation\|HCO CR" ./stps --include="*.md" | head -20

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 476

---

🏁 Script executed:

# Check if there are any actual YAML examples or API definitions in the repo
find . -type f -name "*.yaml" -o -name "*.yml" | xargs grep -l "roleAggregation" 2>/dev/null | head -10

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 77

---

🌐 Web query:

Kubernetes YAML boolean format lowercase false vs False

💡 Result:

In Kubernetes manifests, false and False are both typically accepted as booleans when the target Kubernetes API field is a boolean, because the YAML parsers commonly used in the Kubernetes toolchain (Go YAML) preserve YAML 1.1-style boolean resolution (case variants like False, and even yes/no/on/off in some contexts). [1][3][4]

That said, the portable / safest form is:

• Use lowercase JSON-compatible booleans: true / false (YAML 1.2 aligns booleans to these). [2]

And if you actually need the literal string "false" (common in Kubernetes):

• ConfigMap data: values are strings, so write "false" (quoted), not false (boolean). [5]

Rule of thumb: use false (lowercase) for boolean-typed fields; use "false" (quoted) for string-typed fields (ConfigMap data, most env var values, etc.). [2][5]

Sources:
[1] YAML 1.1 bool type (includes false|False|FALSE, etc.) https://yaml.org/type/bool.html
[2] YAML 1.2 spec (booleans true/false) https://yaml.org/spec/1.2-old/spec.html
[3] go-yaml issue discussing YAML 1.1 booleans vs YAML 1.2 behavior go-yaml/yaml#214
[4] Go YAML docs noting 1.1 bool compatibility https://pkg.go.dev/go.yaml.in/yaml/v4
[5] ConfigMap data must be strings; quote "false" https://stackoverflow.com/questions/63905890/kubernetes-how-to-set-boolean-type-variable-in-configmap

---

🌐 Web query:

YAML 1.2 boolean values lowercase true false

💡 Result:

In YAML 1.2, the canonical boolean forms are the lowercase scalars:

• true
• false [1]

However, under YAML 1.2’s Core schema (the recommended default), many parsers also accept the case variants:

• True, TRUE, False, FALSE [2]

If you need strict JSON compatibility (YAML as a JSON superset), use only lowercase true / false. [1]

Sources:
[1] YAML 1.2.2 “Changes in version 1.2” (yaml.org)
[2] YAML 1.2 discussion of JSON vs Core schema boolean resolution (Stack Overflow)

---

🏁 Script executed:

# Look at the full STP document to understand context better
head -100 ./stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 7895

---

🏁 Script executed:

# Check for any examples or documentation about HCO API
grep -n -A 5 -B 5 "spec.roleAggregation" ./stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md

Repository: RedHatQE/openshift-virtualization-tests-design-docs

Length of output: 2203

---

Use lowercase YAML boolean (false) instead of False.

Kubernetes YAML conventions use lowercase booleans; change spec.roleAggregation.enabled: False to spec.roleAggregation.enabled: false for consistency with standard YAML 1.2 and Kubernetes documentation.

🤖 Prompt for AI Agents

In `@stps/sig-iuo/CNV-63822-role-aggregation-opt-out/stp.md` at line 162, Change
the YAML boolean to lowercase: update the example that sets the HCO spec key
spec.roleAggregation.enabled from `False` to `false` so it conforms to
YAML/Kubernetes boolean conventions and standard YAML 1.2 formatting.