hardens TestAggregatedAPIServer

Since ClientCAs are provided by "client-ca::kube-system::extension-apiserver-authentication::client-ca-file" controller we need to wait until it picks up the configmap (via a lister) before checking the CAs otherwise the response might contain an empty result.
openshift · May 25, 2022 · c4e337c · c4e337c
1 parent fdb2d54
commit c4e337c
Showing 1 changed file with 23 additions and 3 deletions.
diff --git a/test/integration/examples/apiserver_test.go b/test/integration/examples/apiserver_test.go
@@ -130,7 +130,7 @@ func TestAggregatedAPIServer(t *testing.T) {
 	}
 
 	// wait for the unavailable API service to be processed with updated status
-	err = wait.Poll(100*time.Millisecond, 5*time.Second, func() (done bool, err error) {
+	err = wait.Poll(1*time.Second, wait.ForeverTestTimeout, func() (done bool, err error) {
 		_, _, err = kubeClient.Discovery().ServerGroupsAndResources()
 		hasExpectedError := checkWardleUnavailableDiscoveryError(t, err)
 		return hasExpectedError, nil
@@ -140,17 +140,37 @@ func TestAggregatedAPIServer(t *testing.T) {
 	}
 	// TODO figure out how to turn on enough of services and dns to run more
 
+	// Since ClientCAs are provided by "client-ca::kube-system::extension-apiserver-authentication::client-ca-file" controller
+	// we need to wait until it picks up the configmap (via a lister) otherwise the response might contain an empty result.
+	// The following code waits up to ForeverTestTimeout seconds for ClientCA to show up otherwise it fails
+	// maybe in the future this could be wired into the /readyz EP
+
 	// Now we want to verify that the client CA bundles properly reflect the values for the cluster-authentication
-	firstKubeCANames, err := cert.GetClientCANamesForURL(kubeClientConfig.Host)
+	var firstKubeCANames []string
+	err = wait.Poll(1*time.Second, wait.ForeverTestTimeout, func() (done bool, err error) {
+		firstKubeCANames, err = cert.GetClientCANamesForURL(kubeClientConfig.Host)
+		if err != nil {
+			return false, err
+		}
+		return len(firstKubeCANames) != 0, nil
+	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Log(firstKubeCANames)
-	firstWardleCANames, err := cert.GetClientCANamesForURL(directWardleClientConfig.Host)
+	var firstWardleCANames []string
+	err = wait.Poll(1*time.Second, wait.ForeverTestTimeout, func() (done bool, err error) {
+		firstWardleCANames, err = cert.GetClientCANamesForURL(directWardleClientConfig.Host)
+		if err != nil {
+			return false, err
+		}
+		return len(firstWardleCANames) != 0, nil
+	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Log(firstWardleCANames)
+	// Now we want to verify that the client CA bundles properly reflect the values for the cluster-authentication
 	if !reflect.DeepEqual(firstKubeCANames, firstWardleCANames) {
 		t.Fatal("names don't match")
 	}