
Run KubeVirt integration tests on GitHub Actions #287

Draft
Jakob-Naucke wants to merge 9 commits into trusted-execution-clusters:main from Jakob-Naucke:gha-kubevirt

Jakob-Naucke (Contributor) commented Jun 23, 2026

Summary by Sourcery

Refine integration test infrastructure and operator installation error handling to support running KubeVirt-based integration tests on CI.

New Features:

  • Add a GitHub Actions workflow to provision a KinD cluster with KubeVirt and run integration tests on pull requests.
  • Introduce a Go module for managing the virtctl client version used by KubeVirt tests and install it in CI.

Bug Fixes:

  • Ensure operator reconciliation requeues when component installation fails, instead of proceeding with an inconsistent state.
  • Tighten test cleanup to fail when AttestationKey, ApprovedImage, or Machine resources are left behind after a test run.

Enhancements:

  • Replace ad‑hoc pollers in tests with kube runtime await_condition and timeouts for more robust, readable wait logic.
  • Simplify resource creation/deletion helpers and deployment readiness checks used by tests, unifying timeout handling.
  • Improve attestation and trusted execution cluster lifecycle tests to use strongly-typed condition checks and shared helpers.

Build:

  • Make operator image tag overridable via OPERATOR_IMAGE, adjust kopium version discovery, and add a dedicated virtctl tool module to go.mod.
  • Extend Dependabot configuration to manage Go module updates in the new virtctl tooling directory.

CI:

  • Add a GitHub Actions workflow that builds images, installs KinD and KubeVirt with KVM support, and runs the Rust integration test suite in CI.

Tests:

  • Update KubeVirt and cluster integration tests to rely on await_condition-based helpers for resource readiness, deletion, and VM running state.

openshift-ci Bot commented Jun 23, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci Bot commented Jun 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Jakob-Naucke

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

sourcery-ai Bot commented Jun 23, 2026

Reviewer's Guide

Refactors test utilities and integration tests to use kube-rs await_condition/timeout primitives instead of the custom Poller, tightens cleanup semantics, adds more robust component installation error handling in the operator, introduces a vendored virtctl Go module, and wires up a GitHub Actions workflow to run KubeVirt-based integration tests on KinD with KVM.

Sequence diagram for updated reconcile component installation flow

sequenceDiagram
    participant Reconciler
    participant Operator
    participant InstallComponents
    participant ReferenceValues

    Reconciler->>Operator: reconcile
    Operator->>InstallComponents: install_components(Client, TrustedExecutionCluster)
    InstallComponents-->>Operator: Result

    alt [install_components returns Err]
        Operator->>Operator: log warn!("Installation of a component failed")
        Operator-->>Reconciler: Action::requeue(Duration::from_secs(60))
    else [install_components returns Ok]
        Operator->>ReferenceValues: adopt_approved_images(Client, TrustedExecutionCluster)
        ReferenceValues-->>Operator: ()
        Operator-->>Reconciler: Action::await_change()
    end

File-Level Changes

Change: Refactor async waiting logic in tests to use kube-rs await_condition and tokio::time::timeout instead of the custom Poller, adding small helpers like ak_approved.
Details:
  • Introduce helper predicate ak_approved for AttestationKey Approved condition checks.
  • Replace Poller-based loops in trusted execution cluster tests with await_condition plus timeout using small inline predicates to express readiness/removal of resources.
  • Update attestation lifecycle, image PCRs configmap, image disallow, and ApprovedImage tests to use composable predicates for conditions instead of manual polling logic.
  • Adjust KubeVirt VM backend wait_for_running to use await_condition and timeout instead of Poller.
Files:
  • tests/trusted_execution_cluster.rs
  • tests/attestation.rs
  • test_utils/src/virt/kubevirt.rs

Change: Simplify and harden common test utilities for cleanup and resource existence checks, and rework wait helpers accordingly.
Details:
  • Change TestContext::cleanup to rely on a bounded Poller that repeatedly verifies no leftover AttestationKey, ApprovedImage, or Machine resources, instead of a bespoke delete_machines path.
  • Add generic check_no_resources<K> helper to assert the absence of namespaced resources of a given type.
  • Remove delete_machines and wait_for_deployment_ready helpers in favor of more generic waiting/cleanup mechanisms.
  • Rewrite wait_for_resource_created and wait_for_resource_deleted to be thin wrappers around await_condition plus timeout, simplifying their signatures (drop interval_secs).
  • Update call sites across test utilities to the new wait helper signatures and to reuse computed timeout values.
  • Use deployment conditions (DeploymentStatus/DeploymentCondition) with await_condition to gate on Deployment readiness when bringing up the operator stack and related components.
  • Slightly adjust secret-waiting loops to iterate over a fixed list instead of repeated calls.
Files:
  • test_utils/src/lib.rs

Change: Tighten operator reconciliation error handling around component installation and expand unit tests to match new behavior.
Details:
  • Introduce install_components helper that installs trustee configuration, registration server, and attestation-key register, returning a single aggregated Result.
  • Change reconcile flow to call install_components and, on any error (with context), log a warning and requeue after 60s instead of silently logging errors and proceeding.
  • Refactor install_trustee_configuration, install_register_server, and install_attestation_key_register to propagate errors with anyhow::Context rather than swallow them; log success messages only on success.
  • Update fake HTTP client in operator tests to return realistic stub objects (ConfigMap, Service, Deployment) for the new installation sequence, preserving expected call ordering.
Files:
  • operator/src/main.rs

Change: Add a vendored virtctl Go module and hook it into tooling and Dependabot so CI can install a version matching KubeVirt.
Details:
  • Create tools/virtctl Go module pinned to kubevirt.io/kubevirt v1.7.3 with all required indirect dependencies and replace directives to align k8s/kubevirt versions.
  • Add empty tools/virtctl/tools.go stub (likely for go install tooling) and corresponding go.sum.
  • Extend Dependabot Go configuration to manage dependencies under tools/virtctl in addition to the root module.
Files:
  • tools/virtctl/go.mod
  • tools/virtctl/go.sum
  • tools/virtctl/tools.go
  • .github/dependabot.yml

Change: Adjust build tooling and metadata for more robust local and CI builds.
Details:
  • Make OPERATOR_IMAGE overrideable via environment by turning it into a ?= assignment, enabling the GH Actions job to push to a local registry.
  • Change KOPIUM_VERSION derivation to use cargo metadata and jq instead of grepping Cargo.toml, making it resilient to dependency layout changes.
  • Remove outdated comment that tracked k8s version via a Kind image tag in Cargo.toml.
  • Drop unused Azure-specific KIND_HOST_URN variable from the Makefile.
Files:
  • Makefile
  • Cargo.toml

Change: Introduce a GitHub Actions workflow that provisions a KinD+KubeVirt environment with KVM and runs the Rust integration test suite against locally built images.
Details:
  • Create .github/workflows/integration-tests.yml that triggers on PRs (or ok-to-test label for external contributors) with concurrency control per PR.
  • Set up Ubuntu 24.04 runner with KVM enabled, install Rust and Go toolchains, and cache Rust builds.
  • Install KinD via helm/kind-action, build & push operator and related images to a local registry, install KubeVirt, and run make integration-tests.
  • Download and install a virtctl binary matching the KubeVirt version derived from the vendored Go module before running tests.
Files:
  • .github/workflows/integration-tests.yml

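The reconcile change described in the reviewer's guide above, as an added example that is not part of the pull request or the operator's code: a std-only Rust model in which `Cluster`, `Action`, `reconcile_swallowing` and `reconcile_requeueing` are hypothetical names, and the old flow is assumed to log each install error and carry on. With a failing registration server, the old flow still reaches adopt_approved_images, while the new flow stops at the first error and requeues after 60 seconds.

```rust
// Added illustration (std only), not the operator's code; Cluster, Action and reconcile_* are hypothetical.
use std::time::Duration;
#[derive(Debug, PartialEq)]
enum Action { Requeue(Duration), AwaitChange }

// Simulated cluster: which install fails, and which steps took effect.
struct Cluster { failing: Option<&'static str>, applied: Vec<&'static str> }
impl Cluster {
    fn install(&mut self, name: &'static str) -> Result<(), String> {
        if self.failing == Some(name) { return Err(format!("API rejected {name}")); }
        self.applied.push(name);
        Ok(())
    }
}
const COMPONENTS: [&str; 3] =
    ["trustee configuration", "registration server", "attestation-key register"];

// Stops at the first failure and adds context, as anyhow::Context would.
fn install_components(c: &mut Cluster) -> Result<(), String> {
    for name in COMPONENTS {
        c.install(name).map_err(|e| format!("installing {name}: {e}"))?;
    }
    Ok(())
}

// Assumed old flow: each error is only logged, then reconcile carries on.
fn reconcile_swallowing(c: &mut Cluster) -> Action {
    for name in COMPONENTS {
        if let Err(e) = c.install(name) { eprintln!("error: {e}"); }
    }
    c.applied.push("adopt_approved_images");
    Action::AwaitChange
}

// New flow from the sequence diagram: any error means requeue in 60 s.
fn reconcile_requeueing(c: &mut Cluster) -> Action {
    if let Err(e) = install_components(c) {
        eprintln!("warn: Installation of a component failed: {e}");
        return Action::Requeue(Duration::from_secs(60));
    }
    c.applied.push("adopt_approved_images");
    Action::AwaitChange
}

fn main() {
    let mut c = Cluster { failing: Some("registration server"), applied: vec![] };
    println!("old flow: {:?}", reconcile_swallowing(&mut c));
    c.applied.clear();
    println!("new flow: {:?}", reconcile_requeueing(&mut c));
}
```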

Jakob-Naucke (Contributor, Author) commented

/ok-to-test

Jakob-Naucke force-pushed the gha-kubevirt branch 5 times, most recently from b4538cb to e853201, June 24, 2026 07:47
This reverts commit 2e4f6d5.

CI requires cargo anyhow.

Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
also works for deployments that don't exist yet

Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
which can also be set for `make integration-tests`.

Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
which can occur because creation of resources with owner references to
resources of incompletely propagated CRDs can fail

Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
PR trusted-execution-clusters#278 correctly recognized that Machines sometimes stayed behind
when deleting the namespace immediately after TEC. This extends to
ApprovedImages and AttestationKeys, but because all these
resources are owned, wait for their removal before namespace removal
instead of deleting them.

This also reverts commit ed64522.

Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
for CI installation & dependabot autoupdates

Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
avoiding maintenance and lack of parallelization on a CI host &
scripting logic in openshift-ci

Signed-off-by: Jakob Naucke <jnaucke@redhat.com>
Assisted-by: Opus 4.6
Jakob-Naucke force-pushed the gha-kubevirt branch 2 times, most recently from adbadae to 98fb28f, June 24, 2026 13:21