From c4e337c57cc03432dfe3f8f6729cfc25afc33d8f Mon Sep 17 00:00:00 2001
From: Lukasz Szaszkiewicz
Date: Tue, 24 May 2022 16:38:18 +0200
Subject: [PATCH] hardens TestAggregatedAPIServer

Since ClientCAs are provided by "client-ca::kube-system::extension-apiserver-authentication::client-ca-file" controller we need to wait until it picks up the configmap (via a lister) before checking the CAs otherwise the response might contain an empty result.
---
 test/integration/examples/apiserver_test.go | 26 ++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/test/integration/examples/apiserver_test.go b/test/integration/examples/apiserver_test.go
index 639383a5b53..391701a78cd 100644
--- a/test/integration/examples/apiserver_test.go
+++ b/test/integration/examples/apiserver_test.go
@@ -130,7 +130,7 @@ func TestAggregatedAPIServer(t *testing.T) {
 }
 
 // wait for the unavailable API service to be processed with updated status
- err = wait.Poll(100*time.Millisecond, 5*time.Second, func() (done bool, err error) {
+ err = wait.Poll(1*time.Second, wait.ForeverTestTimeout, func() (done bool, err error) {
 _, _, err = kubeClient.Discovery().ServerGroupsAndResources()
 hasExpectedError := checkWardleUnavailableDiscoveryError(t, err)
 return hasExpectedError, nil
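Review bot: `wait.Poll` sleeps one full interval before its first check, so raising the interval to `1*time.Second` makes this step pause at least a second even when discovery already reports the expected error. `wait.PollImmediate(1*time.Second, wait.ForeverTestTimeout, func() (done bool, err error) {` checks once up front and keeps the same timeout. The same applies to the two polls added in the next hunk. The closure's end and the following error check are outside this hunk.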
@@ -140,17 +140,37 @@ func TestAggregatedAPIServer(t *testing.T) { } // TODO figure out how to turn on enough of services and dns to run more + // Since ClientCAs are provided by "client-ca::kube-system::extension-apiserver-authentication::client-ca-file" controller + // we need to wait until it picks up the configmap (via a lister) otherwise the response might contain an empty result. + // The following code waits up to ForeverTestTimeout seconds for ClientCA to show up otherwise it fails + // maybe in the future this could be wired into the /readyz EP + // Now we want to verify that the client CA bundles properly reflect the values for the cluster-authentication - firstKubeCANames, err := cert.GetClientCANamesForURL(kubeClientConfig.Host) + var firstKubeCANames []string + err = wait.Poll(1*time.Second, wait.ForeverTestTimeout, func() (done bool, err error) { + firstKubeCANames, err = cert.GetClientCANamesForURL(kubeClientConfig.Host) + if err != nil { + return false, err + } + return len(firstKubeCANames) != 0, nil + }) if err != nil { t.Fatal(err) } t.Log(firstKubeCANames) - firstWardleCANames, err := cert.GetClientCANamesForURL(directWardleClientConfig.Host) + var firstWardleCANames []string + err = wait.Poll(1*time.Second, wait.ForeverTestTimeout, func() (done bool, err error) { + firstWardleCANames, err = cert.GetClientCANamesForURL(directWardleClientConfig.Host) + if err != nil { + return false, err + } + return len(firstWardleCANames) != 0, nil + }) if err != nil { t.Fatal(err) } t.Log(firstWardleCANames) + // Now we want to verify that the client CA bundles properly reflect the values for the cluster-authentication if !reflect.DeepEqual(firstKubeCANames, firstWardleCANames) { t.Fatal("names don't match") }
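Review bot: Each added poll stops as soon as its own list is non-empty, which is weaker than the `reflect.DeepEqual` assertion that follows. If either server is sampled while its client CA bundle is only partly loaded, both waits pass and the test still fails with "names don't match". Whether a partial bundle can be observed depends on how the controller assembles it, which is not visible here, so this is a likely rather than certain gap. Polling both endpoints in one loop until the lists are non-empty and equal closes that window, and keeps the guard that two empty lists never count as a match. TestAggregatedAPIServer begins and ends outside the hunk.

```go
// … unchanged: comment explaining why the client-ca controller must be waited for …
var firstKubeCANames, firstWardleCANames []string
err = wait.Poll(1*time.Second, wait.ForeverTestTimeout, func() (done bool, err error) {
	firstKubeCANames, err = cert.GetClientCANamesForURL(kubeClientConfig.Host)
	if err != nil {
		return false, err
	}
	firstWardleCANames, err = cert.GetClientCANamesForURL(directWardleClientConfig.Host)
	if err != nil {
		return false, err
	}
	// Require a non-empty bundle so two empty lists cannot satisfy the comparison.
	return len(firstKubeCANames) != 0 && reflect.DeepEqual(firstKubeCANames, firstWardleCANames), nil
})
if err != nil {
	t.Fatalf("client CA names did not converge: kube=%v wardle=%v: %v", firstKubeCANames, firstWardleCANames, err)
}
// … unchanged: reflect.DeepEqual assertion …
```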