update e2e tests to work on k8s 1.24

everettraven · everettraven · commit dfa14858054d · 2022-06-15T13:18:23.000-04:00
Signed-off-by: Bryce Palmer &lt;bpalmer@redhat.com&gt;
diff --git a/test/e2e/v3/plugin_cluster_test.go b/test/e2e/v3/plugin_cluster_test.go
@@ -42,6 +42,7 @@ var _ = Describe("kubebuilder", func() {
 	Context("project version 3", func() {
 		var (
 			kbc *utils.TestContext
+			sat bool
 		)
 
 		BeforeEach(func() {
@@ -52,6 +53,8 @@ var _ = Describe("kubebuilder", func() {
 
 			By("installing the Prometheus operator")
 			Expect(kbc.InstallPrometheusOperManager()).To(Succeed())
+
+			sat = false
 		})
 
 		AfterEach(func() {
@@ -91,7 +94,7 @@ var _ = Describe("kubebuilder", func() {
 				kbc.Kubectl.ServiceAccount = "default"
 				defer func() { kbc.Kubectl.ServiceAccount = tmp }()
 				GenerateV2(kbc)
-				Run(kbc)
+				Run(kbc, sat)
 			})
 		})
 
@@ -116,7 +119,15 @@ var _ = Describe("kubebuilder", func() {
 				}
 
 				GenerateV3(kbc, "v1")
-				Run(kbc)
+
+				// only if running on Kubernetes >= 1.24 do we need to generate the ServiceAccount token Secret
+				// TODO: Remove this once a better implementation using something like the TokenRequest API
+				// is used in the e2e tests
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() == 1 && srvVer.GetMinorInt() >= 24 {
+					sat = true
+				}
+
+				Run(kbc, sat)
 			})
 			It("should generate a runnable project with the golang base plugin v3 and kustomize v4-alpha", func() {
 				// Skip if cluster version < 1.16, when v1 CRDs and webhooks did not exist.
@@ -128,7 +139,15 @@ var _ = Describe("kubebuilder", func() {
 				}
 
 				GenerateV3WithKustomizeV2(kbc, "v1")
-				Run(kbc)
+
+				// only if running on Kubernetes >= 1.24 do we need to generate the ServiceAccount token Secret
+				// TODO: Remove this once a better implementation using something like the TokenRequest API
+				// is used in the e2e tests
+				if srvVer := kbc.K8sVersion.ServerVersion; srvVer.GetMajorInt() == 1 && srvVer.GetMinorInt() >= 24 {
+					sat = true
+				}
+
+				Run(kbc, sat)
 			})
 			It("should generate a runnable project with v1beta1 CRDs and Webhooks", func() {
 				// Skip if cluster version < 1.15, when `.spec.preserveUnknownFields` was not a v1beta1 CRD field.
@@ -142,14 +161,14 @@ var _ = Describe("kubebuilder", func() {
 				}
 
 				GenerateV3(kbc, "v1beta1")
-				Run(kbc)
+				Run(kbc, sat)
 			})
 		})
 	})
 })
 
 // Run runs a set of e2e tests for a scaffolded project defined by a TestContext.
-func Run(kbc *utils.TestContext) {
+func Run(kbc *utils.TestContext, sat bool) {
 	var controllerPodName string
 	var err error
 
@@ -214,6 +233,10 @@ func Run(kbc *utils.TestContext) {
 		fmt.Sprintf("--serviceaccount=%s:%s", kbc.Kubectl.Namespace, kbc.Kubectl.ServiceAccount))
 	ExpectWithOffset(1, err).NotTo(HaveOccurred())
 
+	if sat {
+		ServiceAccountToken(kbc)
+	}
+
 	_ = curlMetrics(kbc)
 
 	By("validating that cert-manager has provisioned the certificate Secret")
@@ -324,6 +347,8 @@ func Run(kbc *utils.TestContext) {
 func curlMetrics(kbc *utils.TestContext) string {
 	By("reading the metrics token")
 	// Filter token query by service account in case more than one exists in a namespace.
+	// TODO: Parsing a token this way is not ideal or best practice and should not be used.
+	// Instead, a TokenRequest should be created to get a token to use for this step.
 	query := fmt.Sprintf(`{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="%s")].data.token}`,
 		kbc.Kubectl.ServiceAccount,
 	)
@@ -335,8 +360,7 @@ func curlMetrics(kbc *utils.TestContext) string {
 
 	By("creating a curl pod")
 	cmdOpts := []string{
-		"run", "curl", "--image=curlimages/curl:7.68.0", "--restart=OnFailure",
-		"--serviceaccount=" + kbc.Kubectl.ServiceAccount, "--",
+		"run", "curl", "--image=curlimages/curl:7.68.0", "--restart=OnFailure", "--",
 		"curl", "-v", "-k", "-H", fmt.Sprintf(`Authorization: Bearer %s`, token),
 		fmt.Sprintf("https://e2e-%s-controller-manager-metrics-service.%s.svc:8443/metrics",
 			kbc.TestSuffix, kbc.Kubectl.Namespace),
@@ -373,3 +397,44 @@ func curlMetrics(kbc *utils.TestContext) string {
 
 	return metricsOutput
 }
+
+// TODO: Remove this when and other related functions when
+// tests have been changed to use a better implementation.
+// ServiceAccountToken creates the ServiceAccount token Secret.
+// This is to be used when Kubernetes cluster version is >= 1.24.
+// In k8s 1.24+ a ServiceAccount token Secret is no longer
+// automatically generated
+func ServiceAccountToken(kbc *utils.TestContext) {
+	// As of Kubernetes 1.24 a ServiceAccount no longer has a ServiceAccount token
+	// secret autogenerated. We have to create it manually here
+	By("Creating the ServiceAccount token")
+	secretFile, err := createServiceAccountToken(kbc.Kubectl.ServiceAccount, kbc.Dir)
+	Expect(err).NotTo(HaveOccurred())
+	Eventually(func() error {
+		_, err = kbc.Kubectl.Apply(true, "-f", secretFile)
+		return err
+	}, time.Minute, time.Second).Should(Succeed())
+}
+
+var saSecretTemplate = `---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: %s
+  annotations:
+    kubernetes.io/service-account.name: "%s"
+`
+
+// createServiceAccountToken writes a service account token secret to a file.
+// It returns a string to the file or an error if it fails to write the file
+func createServiceAccountToken(name string, dir string) (string, error) {
+	secretName := name + "-secret"
+	fileName := dir + "/" + secretName + ".yaml"
+	err := os.WriteFile(fileName, []byte(fmt.Sprintf(saSecretTemplate, secretName, name)), 0777)
+	if err != nil {
+		return "", err
+	}
+
+	return fileName, nil
+}
