server-side apply e2e: fix oauthclientauthorization race with KCM

When the oauthclientauthorization is created, it checks the SA from its clientName for tokens and fails if there are none. The server-side apply test creates an SA but does not wait for it to be populated with tokens which may cause the test to fail when it gets to creating the oauthauthorization object too early.
openshift · Jan 7, 2021 · c56104b · c56104b
1 parent 4f87b29
commit c56104b
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/test/extended/apiserver/apply.go b/test/extended/apiserver/apply.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"strings"
+	"time"
 
 	g "github.com/onsi/ginkgo"
 	o "github.com/onsi/gomega"
@@ -14,9 +15,11 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
 	discocache "k8s.io/client-go/discovery/cached"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
+	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/restmapper"
 	"k8s.io/kubernetes/test/e2e/framework"
 
@@ -74,6 +77,12 @@ var _ = g.Describe("[sig-api-machinery][Feature:ServerSideApply] Server-Side App
 				}
 				resourceClient, unstructuredObj, namespace := createResource(oc, mapper, prerequisite.GvrData, prerequisite.Stub, testNamespace)
 				testNamespace = namespace
+
+				// we need to wait for the tokens to appear at the SA otherwise creation
+				// of the oauthclientauthorization object fails
+				if gvr.Resource == "oauthclientauthorizations" && prerequisite.GvrData.Resource == "serviceaccounts" {
+					waitForSATokens(oc.AdminKubeClient().CoreV1().ServiceAccounts(testNamespace), unstructuredObj.Object)
+				}
 				defer deleteResource(resourceClient, unstructuredObj.GetName())
 			}
 
@@ -172,3 +181,19 @@ func createResource(
 
 	return resourceClient, &unstructuredObj, testNamespace
 }
+
+// waitForSATokens waits for the kube-controller-manager to populate the SA from the unstructured object
+// to be populated with a secret defining its tokens
+func waitForSATokens(saClient corev1client.ServiceAccountInterface, unstructuredObj map[string]interface{}) {
+	name, _, err := unstructured.NestedString(unstructuredObj, "metadata", "name")
+	o.Expect(err).NotTo(o.HaveOccurred())
+	err = wait.PollImmediate(time.Second, 15*time.Second, func() (bool, error) {
+		sa, err := saClient.Get(context.Background(), name, metav1.GetOptions{})
+		if err != nil {
+			framework.Logf("unexpected error retrieving SA %q: %v", name, err)
+			return false, nil
+		}
+		return len(sa.Secrets) > 0, nil
+	})
+	o.Expect(err).NotTo(o.HaveOccurred())
+}