From 1a4f9e3466c2daf3ec8268c78dd95791cc9ceab6 Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Tue, 22 Sep 2020 11:38:13 -0400
Subject: [PATCH] kubecertagent: get integration tests passing again

Note: the non-kubecertagent integration tests are still failing :).
---
 deploy/rbac.yaml | 17 +++++++++--------
 test/integration/kubecertagent_test.go | 17 ++++++++++++-----
 2 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
index 5f02c6ca..6361d301 100644
--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@@ -47,6 +47,10 @@ rules:
   - apiGroups: [""]
     resources: [secrets]
     verbs: [create, get, list, patch, update, watch, delete]
+  #! We need to be able to CRUD pods in our namespace so we can reconcile the kube-cert-agent pods.
+  - apiGroups: [""]
+    resources: [pods]
+    verbs: [create, get, list, patch, update, watch, delete]
   - apiGroups: [config.pinniped.dev, idp.pinniped.dev]
     resources: ["*"]
     verbs: [create, get, list, update, watch]
@@ -65,25 +69,22 @@ roleRef:
   name: #@ data.values.app_name + "-aggregated-api-server"
   apiGroup: rbac.authorization.k8s.io
 
-#! Give permission to CRUD pods and pod exec in the kube-system namespace so we can find the API server's private key
+#! Give permission to read pods in the kube-system namespace so we can find the API server's private key
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: #@ data.values.app_name + "-kube-system-pod-read-write"
+  name: #@ data.values.app_name + "-kube-system-pod-read"
   namespace: kube-system
 rules:
   - apiGroups: [""]
     resources: [pods]
-    verbs: [create, get, list, patch, update, watch, delete]
-  - apiGroups: [""]
-    resources: [pods/exec]
-    verbs: [create]
+    verbs: [get, list, watch]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: #@ data.values.app_name + "-kube-system-pod-read-write"
+  name: #@ data.values.app_name + "-kube-system-pod-read"
   namespace: kube-system
 subjects:
   - kind: ServiceAccount
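Review bot: The comment on the new pod rule says "in our namespace", but the scope of the grant is decided by the kind of the object that owns this `rules:` block and by how it is bound, both of which are outside the hunk; if this block belongs to a ClusterRole bound through a ClusterRoleBinding, create/patch/update/delete on pods becomes cluster-wide rather than namespaced. Worth confirming it is a namespaced Role (or a RoleBinding limited to `data.values.namespace`) and saying so in the comment, e.g. `#! Scoped to our own namespace by the Role/RoleBinding that carry these rules; keep it out of the ClusterRole.` Pod create/update together with the secrets CRUD granted three lines above is a broad capability for one service account, since a pod spec it creates can mount any secret or service account token in that namespace, so keeping the binding restricted to the controller's service account matters here.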
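Review bot: Renaming the kube-system Role and RoleBinding from `-kube-system-pod-read-write` to `-kube-system-pod-read` only removes the old objects from a cluster if the deploy tool prunes resources that disappear from the manifest; with a plain `kubectl apply` the old read-write Role (pods CRUD plus `pods/exec` create) and its binding stay attached to the service account in kube-system, which silently undoes the privilege reduction this hunk makes. If the supported install path is not a pruning tool, the commit description should call out the one-time cleanup of the old Role and RoleBinding, or the deploy should include it. The same rename continues in the next hunk (`@@ -91,7 +92,7`), which needs no separate note.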
@@ -91,7 +92,7 @@ subjects:
     namespace: #@ data.values.namespace
 roleRef:
   kind: Role
-  name: #@ data.values.app_name + "-kube-system-pod-read-write"
+  name: #@ data.values.app_name + "-kube-system-pod-read"
   apiGroup: rbac.authorization.k8s.io
 
 #! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)
diff --git a/test/integration/kubecertagent_test.go b/test/integration/kubecertagent_test.go
index 220eb9aa..cc0b63b9 100644
--- a/test/integration/kubecertagent_test.go
+++ b/test/integration/kubecertagent_test.go
@@ -21,13 +21,13 @@ import (
 )
 
 const (
-	kubeCertAgentNamespace     = "kube-system"
 	kubeCertAgentLabelSelector = "kube-cert-agent.pinniped.dev="
 )
 
 func TestKubeCertAgent(t *testing.T) {
 	library.SkipUnlessIntegration(t)
 	library.SkipUnlessClusterHasCapability(t, library.ClusterSigningKeyIsAvailable)
+	namespaceName := library.GetEnv(t, "PINNIPED_NAMESPACE")
 
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
@@ -39,7 +39,7 @@ func TestKubeCertAgent(t *testing.T) {
 	// We can pretty safely assert there should be more than 1, since there should be a
 	// kube-cert-agent pod per kube-controller-manager pod, and there should probably be at least
 	// 1 kube-controller-manager for this to be a working kube API.
-	originalAgentPods, err := kubeClient.CoreV1().Pods(kubeCertAgentNamespace).List(ctx, metav1.ListOptions{
+	originalAgentPods, err := kubeClient.CoreV1().Pods(namespaceName).List(ctx, metav1.ListOptions{
 		LabelSelector: kubeCertAgentLabelSelector,
 	})
 	require.NoError(t, err)
@@ -48,7 +48,7 @@ func TestKubeCertAgent(t *testing.T) {
 
 	agentPodsReconciled := func() bool {
 		var currentAgentPods *corev1.PodList
-		currentAgentPods, err = kubeClient.CoreV1().Pods(kubeCertAgentNamespace).List(ctx, metav1.ListOptions{
+		currentAgentPods, err = kubeClient.CoreV1().Pods(namespaceName).List(ctx, metav1.ListOptions{
 			LabelSelector: kubeCertAgentLabelSelector,
 		})
 
@@ -56,6 +56,13 @@ func TestKubeCertAgent(t *testing.T) {
 			return false
 		}
 
+		if len(originalAgentPods.Items) != len(currentAgentPods.Items) {
+			err = fmt.Errorf(
+				"original agent pod len != current agent pod len: %s",
+				diff.ObjectDiff(originalAgentPods.Items, currentAgentPods.Items),
+			)
+		}
+
 		sortPods(currentAgentPods)
 		for i := range originalAgentPods.Items {
 			if !equality.Semantic.DeepEqual(
@@ -84,7 +91,7 @@ func TestKubeCertAgent(t *testing.T) {
 		updatedAgentPod.Spec.Tolerations,
 		corev1.Toleration{Key: "fake-toleration"},
 	)
-	_, err = kubeClient.CoreV1().Pods(kubeCertAgentNamespace).Update(ctx, updatedAgentPod, metav1.UpdateOptions{})
+	_, err = kubeClient.CoreV1().Pods(namespaceName).Update(ctx, updatedAgentPod, metav1.UpdateOptions{})
 	require.NoError(t, err)
 
 	// Make sure the original pods come back.
@@ -96,7 +103,7 @@ func TestKubeCertAgent(t *testing.T) {
 	// Delete the first pod. The controller should see it, and flip it back.
 	err = kubeClient.
 		CoreV1().
-		Pods(kubeCertAgentNamespace).
+		Pods(namespaceName).
 		Delete(ctx, originalAgentPods.Items[0].Name, metav1.DeleteOptions{})
 	require.NoError(t, err)
 
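Review bot: The new length check records the mismatch in `err` but then falls through, so `sortPods(currentAgentPods)` and the `for i := range originalAgentPods.Items` loop still run over lists of different length; if the comparison inside that loop indexes `currentAgentPods.Items[i]` (its body continues past the hunk), a shorter current list panics the test instead of surfacing the recorded diff. Adding `return false` after the `err = fmt.Errorf(...)` assignment, inside the new `if`, lets the polling caller retry and report the stored error as intended. The enclosing closure `agentPodsReconciled` starts in the previous hunk and ends after this one, so where `err` is finally checked is not visible here.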