github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-20 01:01:22 +00:00
Code Issues Projects Releases Wiki Activity

Fix the flaky legacy_service_account_token_clean_up_test.Fix the flaky

Browse Source 
legacy_service_account_token_clean_up_test.
This commit is contained in:
tinatingyu 2023-07-26 04:25:24 +00:00
parent 97c7dbcd22
commit ca338e517b
1 changed files with 31 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
test/integration/serviceaccount/legacy_service_account_token_clean_up_test.go
View File

@ -51,18 +51,12 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, kubefeatures.LegacyServiceAccountTokenCleanUp, true)() defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, kubefeatures.LegacyServiceAccountTokenCleanUp, true)()
ctx, cancel := context.WithCancel(context.Background()) ctx, cancel := context.WithCancel(context.Background())
defer cancel() defer cancel()
fakeClock := testingclock.NewFakeClock(time.Now().UTC())
c, config, stopFunc, informers, err := startServiceAccountTestServerAndWaitForCaches(ctx, t) c, config, stopFunc, informers, err := startServiceAccountTestServerAndWaitForCaches(ctx, t)
defer stopFunc() defer stopFunc()
if err != nil { if err != nil {
t.Fatalf("failed to setup ServiceAccounts server: %v", err) t.Fatalf("failed to setup ServiceAccounts server: %v", err)
} }
// start legacy service account token cleaner
startLegacyServiceAccountTokenCleaner(ctx, c, fakeClock, informers)
// wait configmap to label with tracking date // wait configmap to label with tracking date
if err := wait.PollImmediate(time.Second, 10*time.Second, func() (bool, error) { if err := wait.PollImmediate(time.Second, 10*time.Second, func() (bool, error) {
configMap, err := c.CoreV1().ConfigMaps(metav1.NamespaceSystem).Get(ctx, legacytokentracking.ConfigMapName, metav1.GetOptions{}) configMap, err := c.CoreV1().ConfigMaps(metav1.NamespaceSystem).Get(ctx, legacytokentracking.ConfigMapName, metav1.GetOptions{})
@ -78,21 +72,11 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
t.Fatalf("failed to wait configmap starts to track: %v", err) t.Fatalf("failed to wait configmap starts to track: %v", err)
} }
// create service account
myns := "clean-ns"
_, err = c.CoreV1().Namespaces().Create(context.TODO(), &v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: myns}}, metav1.CreateOptions{})
if err != nil && !apierrors.IsAlreadyExists(err) {
t.Fatalf("could not create namespace: %v", err)
}
mysa, err := c.CoreV1().ServiceAccounts(myns).Create(context.TODO(), &v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: readOnlyServiceAccountName}}, metav1.CreateOptions{})
if err != nil {
t.Fatalf("Service Account not created: %v", err)
}
tests := []struct { tests := []struct {
name string name string
secretName string secretName string
secretTokenData string secretTokenData string
namespace string
expectCleanedUp bool expectCleanedUp bool
lastUsedLabel bool lastUsedLabel bool
isPodMounted bool isPodMounted bool
@ -101,6 +85,7 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
{ {
name: "auto created legacy token without pod binding", name: "auto created legacy token without pod binding",
secretName: "auto-token-without-pod-mounting-a", secretName: "auto-token-without-pod-mounting-a",
namespace: "clean-ns-1",
lastUsedLabel: true, lastUsedLabel: true,
isManual: false, isManual: false,
isPodMounted: false, isPodMounted: false,
@ -109,6 +94,7 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
{ {
name: "manually created legacy token", name: "manually created legacy token",
secretName: "manual-token", secretName: "manual-token",
namespace: "clean-ns-2",
lastUsedLabel: true, lastUsedLabel: true,
isManual: true, isManual: true,
isPodMounted: false, isPodMounted: false,
@ -117,6 +103,7 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
{ {
name: "auto created legacy token with pod binding", name: "auto created legacy token with pod binding",
secretName: "auto-token-with-pod-mounting", secretName: "auto-token-with-pod-mounting",
namespace: "clean-ns-3",
lastUsedLabel: true, lastUsedLabel: true,
isManual: false, isManual: false,
isPodMounted: true, isPodMounted: true,
@ -125,6 +112,7 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
{ {
name: "auto created legacy token without pod binding, secret has not been used after tracking", name: "auto created legacy token without pod binding, secret has not been used after tracking",
secretName: "auto-token-without-pod-mounting-b", secretName: "auto-token-without-pod-mounting-b",
namespace: "clean-ns-4",
lastUsedLabel: false, lastUsedLabel: false,
isManual: false, isManual: false,
isPodMounted: false, isPodMounted: false,
@ -133,19 +121,38 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
} }
for _, test := range tests { for _, test := range tests {
t.Run(test.name, func(t *testing.T) { t.Run(test.name, func(t *testing.T) {
fakeClock := testingclock.NewFakeClock(time.Now().UTC())
// start legacy service account token cleaner
ctxForCleaner, cancelFunc := context.WithCancel(context.Background())
startLegacyServiceAccountTokenCleaner(ctxForCleaner, c, fakeClock, informers)
informers.Start(ctx.Done())
defer cancelFunc()
// create service account
_, err = c.CoreV1().Namespaces().Create(context.TODO(), &v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: test.namespace}}, metav1.CreateOptions{})
if err != nil && !apierrors.IsAlreadyExists(err) {
t.Fatalf("could not create namespace: %v", err)
}
mysa, err := c.CoreV1().ServiceAccounts(test.namespace).Create(context.TODO(), &v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: readOnlyServiceAccountName}}, metav1.CreateOptions{})
if err != nil {
t.Fatalf("Service Account not created: %v", err)
}
// create secret // create secret
secret, err := createServiceAccountToken(c, mysa, myns, test.secretName) secret, err := createServiceAccountToken(c, mysa, test.namespace, test.secretName)
if err != nil { if err != nil {
t.Fatalf("Secret not created: %v", err) t.Fatalf("Secret not created: %v", err)
} }
if !test.isManual { if !test.isManual {
if err := addReferencedServiceAccountToken(c, myns, readOnlyServiceAccountName, secret); err != nil { if err := addReferencedServiceAccountToken(c, test.namespace, readOnlyServiceAccountName, secret); err != nil {
t.Fatal(err) t.Fatal(err)
} }
} }
podLister := informers.Core().V1().Pods().Lister() podLister := informers.Core().V1().Pods().Lister()
if test.isPodMounted { if test.isPodMounted {
_, err = createAutotokenMountedPod(c, myns, test.secretName, podLister) _, err = createAutotokenMountedPod(c, test.namespace, test.secretName, podLister)
if err != nil { if err != nil {
t.Fatalf("Pod not created: %v", err) t.Fatalf("Pod not created: %v", err)
} }
@ -158,7 +165,7 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
roClient := clientset.NewForConfigOrDie(&myConfig) roClient := clientset.NewForConfigOrDie(&myConfig)
// the secret should not be labeled with LastUsedLabelKey. // the secret should not be labeled with LastUsedLabelKey.
liveSecret, err := c.CoreV1().Secrets(myns).Get(context.TODO(), test.secretName, metav1.GetOptions{}) liveSecret, err := c.CoreV1().Secrets(test.namespace).Get(context.TODO(), test.secretName, metav1.GetOptions{})
if err != nil { if err != nil {
t.Fatalf("Could not get secret: %v", err) t.Fatalf("Could not get secret: %v", err)
} }
@ -169,9 +176,9 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
// authenticate legacy tokens // authenticate legacy tokens
if test.lastUsedLabel { if test.lastUsedLabel {
doServiceAccountAPIRequests(t, roClient, myns, true, true, false) doServiceAccountAPIRequests(t, roClient, test.namespace, true, true, false)
// all service account tokens should be labeled with LastUsedLabelKey. // all service account tokens should be labeled with LastUsedLabelKey.
liveSecret, err = c.CoreV1().Secrets(myns).Get(context.TODO(), test.secretName, metav1.GetOptions{}) liveSecret, err = c.CoreV1().Secrets(test.namespace).Get(context.TODO(), test.secretName, metav1.GetOptions{})
if err != nil { if err != nil {
t.Fatalf("Could not get secret: %v", err) t.Fatalf("Could not get secret: %v", err)
} }
@ -185,7 +192,7 @@ func TestLegacyServiceAccountTokenCleanUp(t *testing.T) {
fakeClock.Step(cleanUpPeriod + 24*time.Hour) fakeClock.Step(cleanUpPeriod + 24*time.Hour)
time.Sleep(2 * syncInterval) time.Sleep(2 * syncInterval)
liveSecret, err = c.CoreV1().Secrets(myns).Get(context.TODO(), test.secretName, metav1.GetOptions{}) liveSecret, err = c.CoreV1().Secrets(test.namespace).Get(context.TODO(), test.secretName, metav1.GetOptions{})
if test.expectCleanedUp { if test.expectCleanedUp {
if err == nil { if err == nil {
t.Fatalf("The secret %s should be cleaned up. time: %v; creationTime: %v", test.secretName, fakeClock.Now().UTC(), liveSecret.CreationTimestamp) t.Fatalf("The secret %s should be cleaned up. time: %v; creationTime: %v", test.secretName, fakeClock.Now().UTC(), liveSecret.CreationTimestamp)
@ -215,7 +222,6 @@ func startLegacyServiceAccountTokenCleaner(ctx context.Context, client clientset
CleanUpPeriod: cleanUpPeriod, CleanUpPeriod: cleanUpPeriod,
}) })
go legacySATokenCleaner.Run(ctx) go legacySATokenCleaner.Run(ctx)
informers.Start(ctx.Done())
} }
func createAutotokenMountedPod(c clientset.Interface, ns, secretName string, podLister listersv1.PodLister) (*v1.Pod, error) { func createAutotokenMountedPod(c clientset.Interface, ns, secretName string, podLister listersv1.PodLister) (*v1.Pod, error) {