Add extensive tests using interfaces and dependency injection

[Copilot]

The codebase had ~22% test coverage with entire packages (pkg/net, pkg/tls/manager) completely untested. This brings coverage up to 97.4% using idiomatic Go patterns — interfaces and dependency injection via Config struct fields — instead of mutable package-level variables.

Test-enabling production changes

pkg/net/hostname.go

• Added Resolver interface with Hostname() and FQDN() methods
• Added SystemResolver struct implementing Resolver with a configurable HostnameCmd field (defaults to /bin/hostname)

pkg/template/template_values.go

• LoadValues now accepts a net.Resolver parameter instead of calling package-level functions directly

pkg/tls/config.go

• Added dependency injection fields to Config: Resolver net.Resolver, WatchRetryDelay time.Duration, SecretClient kubernetes.SecretInterface, CertificateClient cmclient.CertificateInterface
• All fields have sensible nil/zero defaults — production code passes nothing, tests inject fakes

pkg/tls/manager.go

• NewManager uses Config-injected dependencies with defaults: creates clients from RestConfig only when SecretClient/CertificateClient are nil, uses SystemResolver{} when Resolver is nil
• Watch now returns on ctx.Done() with a select-based configurable retry delay
• watch closes the informer stop channel via a goroutine on context cancellation, making the function actually return rather than block forever
• No mutable package-level variables — uses a defaultWatchRetryDelay constant and m.config.WatchRetryDelay for override

New test coverage

Package	Coverage	Tests added
pkg/net	100%	SystemResolver.Hostname/FQDN success + error paths; hostnameCmd default and custom
pkg/template	100%	New invalid syntax, NewFromFile missing file, Execute runtime error, Execute YAML unmarshal error; all four LoadValues branches using mock Resolver (success, podinfo, hostname, fqdn errors)
pkg/tls	96.4%	NewManager (5 error paths + 2 success paths including injected clients); Create (5 paths including cert-not-ready logging); write; writeFile (7 paths including four log.Fatal branches via logrus ExitFunc interception); Watch retry loop and cancellation; watch AddFunc/UpdateFunc/DeleteFunc via fake k8s/cert-manager clients; watchRetryDelay default and custom

The remaining 3.6% uncovered in pkg/tls consists of unreachable defensive code: the json.Marshal error path (cannot fail on well-typed []map[string]interface{} with OwnerReferences) and the Watch retry loop (controller.Run only returns when the stop channel closes, which is tied to context cancellation).

pkg/tls/manager_test.go includes a TestMain that disables the WatchListClient feature gate — required because client-go v0.35 enables it by default (Beta), and the fake watch does not produce the bookmark events the reflector then expects.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Mohammed Naser (mnaser)]

Copilot can you go over this pr and improve it and make sure you maybe find a better way of stubbing things rather than a const that changes, there is a better way of doing this with golang, so lets go to that path.

[Copilot]

Copilot can you go over this pr and improve it and make sure you maybe find a better way of stubbing things rather than a const that changes, there is a better way of doing this with ...

Refactored in accb75b. Replaced all mutable package-level variables with idiomatic Go patterns:

• Interfaces: Added net.Resolver interface with SystemResolver implementation — tests inject a mockResolver instead of swapping a global function pointer
• Dependency injection via Config: Added SecretClient, CertificateClient, Resolver, and WatchRetryDelay fields to Config with nil/zero defaults — tests inject fakes directly through the config struct, no global state mutation
• Removed all globals: hostnameFunc, fqdnCmd, newKubernetesForConfig, newCMClientForConfig, jsonMarshal, watchRetryDelay package vars and their exported accessors are all gone
• Removed watchFn hook: Tests exercise the real Watch→watch path through fake clients injected via Config

Coverage: pkg/net 100%, pkg/podinfo 100%, pkg/template 100%, pkg/tls 96.4% (remaining gaps are unreachable defensive code).

[Copilot]

Pull request overview

This PR substantially increases test coverage across previously untested packages by introducing interface-based dependency injection (notably hostname/FQDN resolution and Kubernetes/cert-manager clients) and adding comprehensive unit tests for pkg/net, pkg/template, and pkg/tls.

Changes:

• Introduces net.Resolver + SystemResolver, and threads resolver injection through template value loading and TLS manager construction.
• Adds DI fields to tls.Config (resolver, retry delay, injected clients) and adjusts Manager.Watch/watch to be context-cancellable with configurable retry delay.
• Adds extensive new tests for pkg/net, pkg/template, and pkg/tls, plus updates module sums from dependency updates/tidying.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
pkg/net/hostname.go	Adds Resolver interface and SystemResolver implementation with configurable hostname command path.
pkg/net/hostname_test.go	Adds tests for SystemResolver behavior (hostname, fqdn, default/custom command path).
pkg/template/template_values.go	Changes LoadValues to accept an injected net.Resolver and use it for hostname/FQDN lookup.
pkg/template/template_values_test.go	Adds tests for LoadValues branches (success and error paths).
pkg/template/template_test.go	Adds negative-path tests for template parsing, file loading, execution, and YAML unmarshal failures.
pkg/tls/config.go	Adds DI/configuration fields for resolver, retry delay, and injected Kubernetes/cert-manager clients.
pkg/tls/manager.go	Uses injected dependencies with defaults; adds configurable retry delay and ensures watch exits on context cancellation.
pkg/tls/manager_test.go	Adds a large test suite covering NewManager, Create, writeFile, informer watch behavior, and retry/cancellation paths.
go.mod	Updates indirect dependencies (tidy/upgrade effects).
go.sum	Updates checksums consistent with dependency changes.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The retry log message is hard-coded to "5 seconds", but the actual delay is now configurable via WatchRetryDelay (watchRetryDelay()). This can mislead operators when a custom delay is set; consider logging the computed delay value instead of a fixed string.

[Copilot]

interceptFatal restores logrus' ExitFunc by setting it to nil, which may not restore the original behavior if it was already customized (and can be surprising even if the default is os.Exit). Capture the previous ExitFunc and restore it in the returned cleanup function instead.

Suggested change

	log.StandardLogger().ExitFunc = func(int) { panic("log.Fatal") }
	return func() { log.StandardLogger().ExitFunc = nil }
	prevExitFunc := log.StandardLogger().ExitFunc
	log.StandardLogger().ExitFunc = func(int) { panic("log.Fatal") }
	return func() { log.StandardLogger().ExitFunc = prevExitFunc }

[Copilot]

buildWatchMgr creates a watcherReady channel (closed when the watch reactor assigns fw), but it is never returned/awaited. Tests that call (*fwPtr).Modify/Delete after only waiting for AddFunc can race with fw still being nil (AddFunc can be triggered from the initial List before Watch is set up), causing a nil-pointer panic. Consider returning watcherReady (or otherwise synchronizing) and waiting for it before using fwPtr.

[Copilot]

This test uses a fixed sleep to try to let the retry loop advance before cancelling. Time-based synchronization is prone to flakiness on slow/loaded CI runners. Prefer a deterministic signal (e.g., instrument Manager/watch to notify on each iteration, or block until a second watch reactor is observed) before calling cancel().

[Copilot]

This subtest exercises net.SystemResolver{} end-to-end, which depends on the runtime environment (presence/behavior of /bin/hostname --fqdn) and can be flaky. Since SystemResolver is already unit-tested in pkg/net, consider replacing this with a mock resolver (or a deterministic HostnameCmd test helper) to keep template.LoadValues tests hermetic.

[Copilot]

The FQDN success test depends on the host environment having a working /bin/hostname that supports --fqdn and returns a non-empty value. This can be flaky across CI images/distros and makes the unit test non-deterministic. Consider using HostnameCmd to point at a small test helper (script/binary) that returns a known value so the test is hermetic.

[Copilot]

This test also overrides logrus' global ExitFunc and restores it by setting it to nil, which may not restore the prior value if it was customized. Save the previous ExitFunc and restore it in the deferred cleanup to avoid leaking global state between tests.

Suggested change

	log.StandardLogger().ExitFunc = func(int) {
	select {
	case fatalCalled <- struct{}{}:
	default:
	}
	}
	defer func() { log.StandardLogger().ExitFunc = nil }()
	previousExitFunc := log.StandardLogger().ExitFunc
	log.StandardLogger().ExitFunc = func(int) {
	select {
	case fatalCalled <- struct{}{}:
	default:
	}
	}
	defer func() { log.StandardLogger().ExitFunc = previousExitFunc }()

[Copilot]

LoadValues now dereferences the provided resolver without checking for nil. Since this is an exported function, a nil resolver will panic at runtime. Consider returning a clear error (or defaulting to net.SystemResolver{}) when resolver is nil to make the API safer for callers.