From 3b9485bba3ad48b9a8c9124d13e6d66eee2f11bf Mon Sep 17 00:00:00 2001
From: Walter Fender <wfender@google.com>
Date: Mon, 21 Aug 2017 15:45:51 -0700
Subject: [PATCH] Fixed gke auth update wait condition.

Lookup whoami on gke using gcloud auth list.
Make sure we do not run the test on any cluster older than 1.7.
Fix for Mehdy
Fixes for LavaLamp
---
 test/e2e/apimachinery/BUILD         |  2 +-
 test/e2e/apimachinery/aggregator.go | 40 +++++++++++++++++------------
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/test/e2e/apimachinery/BUILD b/test/e2e/apimachinery/BUILD
index 21a93f45c6c..96bb4738f9b 100644
--- a/test/e2e/apimachinery/BUILD
+++ b/test/e2e/apimachinery/BUILD
@@ -51,7 +51,7 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/storage/names:go_default_library",
         "//vendor/k8s.io/client-go/discovery:go_default_library",
         "//vendor/k8s.io/client-go/kubernetes:go_default_library",
diff --git a/test/e2e/apimachinery/aggregator.go b/test/e2e/apimachinery/aggregator.go
index bbf9bfb2e00..26a98fdf2a7 100644
--- a/test/e2e/apimachinery/aggregator.go
+++ b/test/e2e/apimachinery/aggregator.go
@@ -33,11 +33,12 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/util/cert"
 	apiregistrationv1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1"
 	rbacapi "k8s.io/kubernetes/pkg/apis/rbac"
+	utilversion "k8s.io/kubernetes/pkg/util/version"
 	"k8s.io/kubernetes/test/e2e/framework"
 	samplev1alpha1 "k8s.io/sample-apiserver/pkg/apis/wardle/v1alpha1"
 
@@ -50,6 +51,8 @@ type aggregatorContext struct {
 	apiserverSigningCert []byte
 }
 
+var serverAggregatorVersion = utilversion.MustParseSemantic("v1.7.0")
+
 var _ = SIGDescribe("Aggregator", func() {
 	f := framework.NewDefaultFramework("aggregator")
 	framework.AddCleanupAction(func() {
@@ -58,6 +61,7 @@ var _ = SIGDescribe("Aggregator", func() {
 
 	It("Should be able to support the 1.7 Sample API Server using the current Aggregator", func() {
 		// Make sure the relevant provider supports Agggregator
+		framework.SkipUnlessServerVersionGTE(serverAggregatorVersion, f.ClientSet.Discovery())
 		framework.SkipUnlessProviderIs("gce", "gke")
 
 		// Testing a 1.7 version of the sample-apiserver
@@ -161,12 +165,8 @@ func TestSampleAPIServer(f *framework.Framework, image, namespaceName string) {
 	ns := f.Namespace.Name
 	if framework.ProviderIs("gke") {
 		// kubectl create clusterrolebinding user-cluster-admin-binding --clusterrole=cluster-admin --user=user@domain.com
-		framework.BindClusterRole(client.RbacV1beta1(), "cluster-admin", ns,
-			rbacv1beta1.Subject{Kind: rbacv1beta1.ServiceAccountKind, Namespace: ns, Name: "default"})
-		err := framework.WaitForAuthorizationUpdate(client.AuthorizationV1beta1(),
-			serviceaccount.MakeUsername(ns, "default"),
-			"", "get", schema.GroupResource{Group: "storage.k8s.io", Resource: "storageclasses"}, true)
-		framework.ExpectNoError(err, "Failed to update authorization: %v", err)
+		authenticated := rbacv1beta1.Subject{Kind: rbacv1beta1.GroupKind, Name: user.AllAuthenticated}
+		framework.BindClusterRole(client.RbacV1beta1(), "cluster-admin", ns, authenticated)
 	}
 
 	// kubectl create -f namespace.yaml
@@ -319,16 +319,22 @@ func TestSampleAPIServer(f *framework.Framework, image, namespaceName string) {
 	framework.ExpectNoError(err, "creating cluster resource rule")
 	urlRule, err := rbacapi.NewRule("get").URLs("*").Rule()
 	framework.ExpectNoError(err, "creating cluster url rule")
-	roleLabels := map[string]string{"kubernetes.io/bootstrapping": "wardle-default"}
-	role := rbacapi.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:   "wardler",
-			Labels: roleLabels,
-		},
-		Rules: []rbacapi.PolicyRule{resourceRule, urlRule},
-	}
-	_, err = iclient.Rbac().ClusterRoles().Create(&role)
-	framework.ExpectNoError(err, "creating cluster role %s", "wardler")
+	err = wait.Poll(100*time.Millisecond, 30*time.Second, func() (bool, error) {
+		roleLabels := map[string]string{"kubernetes.io/bootstrapping": "wardle-default"}
+		role := rbacapi.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:   "wardler",
+				Labels: roleLabels,
+			},
+			Rules: []rbacapi.PolicyRule{resourceRule, urlRule},
+		}
+		_, err = iclient.Rbac().ClusterRoles().Create(&role)
+		if err != nil {
+			return false, nil
+		}
+		return true, nil
+	})
+	framework.ExpectNoError(err, "creating cluster role wardler - may not have permissions")
 
 	// kubectl create -f auth-reader.yaml
 	_, err = client.RbacV1beta1().RoleBindings("kube-system").Create(&rbacv1beta1.RoleBinding{