Another integration test fix for dynamic clients feature with Okta

Also increase the timeout in an integration test because it is flaking on one of the GKE environments sometimes, probably because the Concierge controllers aren't ready fast enough before the integration tests start.
2022-09-26 14:43:50 -07:00 · 2022-09-26 14:43:50 -07:00 · 23185d55a5
commit 23185d55a5
parent f302e71b0f
2 changed files with 27 additions and 18 deletions
--- a/test/integration/concierge_api_serving_certs_test.go
+++ b/test/integration/concierge_api_serving_certs_test.go
@ -109,25 +109,30 @@ func TestAPIServingCertificateAutoCreationAndRotation_Disruptive(t *testing.T) {

 			// Expect that the Secret comes back right away with newly minted certs.
 			var regeneratedCACert []byte
-			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
-				var err error
-				secret, err = kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
-				requireEventually.NoError(err)
+			testlib.RequireEventually(t,
+				func(requireEventually *require.Assertions) {
+					var err error
+					secret, err = kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
+					requireEventually.NoError(err)

-				regeneratedCACert = secret.Data["caCertificate"]
-				regeneratedPrivateKey := secret.Data["tlsPrivateKey"]
-				regeneratedCertChain := secret.Data["tlsCertificateChain"]
-				requireEventually.NotEmpty(regeneratedCACert)
-				requireEventually.NotEmpty(regeneratedPrivateKey)
-				requireEventually.NotEmpty(regeneratedCertChain)
-				requireEventually.NotEqual(initialCACert, regeneratedCACert)
-				requireEventually.NotEqual(initialPrivateKey, regeneratedPrivateKey)
-				requireEventually.NotEqual(initialCertChain, regeneratedCertChain)
-				for k, v := range env.ConciergeCustomLabels {
-					requireEventually.Equalf(v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
-				}
-				requireEventually.Equal(env.ConciergeAppName, secret.Labels["app"])
-			}, 2*time.Minute, 250*time.Millisecond)
+					regeneratedCACert = secret.Data["caCertificate"]
+					regeneratedPrivateKey := secret.Data["tlsPrivateKey"]
+					regeneratedCertChain := secret.Data["tlsCertificateChain"]
+					requireEventually.NotEmpty(regeneratedCACert)
+					requireEventually.NotEmpty(regeneratedPrivateKey)
+					requireEventually.NotEmpty(regeneratedCertChain)
+					requireEventually.NotEqual(initialCACert, regeneratedCACert)
+					requireEventually.NotEqual(initialPrivateKey, regeneratedPrivateKey)
+					requireEventually.NotEqual(initialCertChain, regeneratedCertChain)
+					for k, v := range env.ConciergeCustomLabels {
+						requireEventually.Equalf(v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
+					}
+					requireEventually.Equal(env.ConciergeAppName, secret.Labels["app"])
+				},
+				// Wait 5 minutes in case the Concierge was just redeployed, in which case it can take time for
+				// the controllers to be ready again. This test is often run as the very first test in the whole suite.
+				5*time.Minute,
+				250*time.Millisecond)

 			// Expect that the APIService was also updated with the new CA.
 			testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@ -1293,6 +1293,10 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 			maybeSkip: skipNever,
 			createIDP: func(t *testing.T) string {
 				spec := basicOIDCIdentityProviderSpec()
+				spec.Claims = idpv1alpha1.OIDCClaims{
+					Username: env.SupervisorUpstreamOIDC.UsernameClaim,
+					Groups:   env.SupervisorUpstreamOIDC.GroupsClaim,
+				}
 				spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{
 					AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
 				}