From 23185d55a5b3609e78e6cfdb856ea6a503367da4 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Mon, 26 Sep 2022 14:43:50 -0700
Subject: [PATCH] Another integration test fix for dynamic clients feature with Okta
Also increase the timeout in an integration test because it is flaking on one of the GKE environments sometimes, probably because the Concierge controllers aren't ready fast enough before the integration tests start.
---
.../concierge_api_serving_certs_test.go | 41 +++++++++++--------
test/integration/supervisor_login_test.go | 4 ++
2 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/test/integration/concierge_api_serving_certs_test.go b/test/integration/concierge_api_serving_certs_test.go
index 2aed7c4a..1162d03c 100644
--- a/test/integration/concierge_api_serving_certs_test.go
+++ b/test/integration/concierge_api_serving_certs_test.go
@@ -109,25 +109,30 @@ func TestAPIServingCertificateAutoCreationAndRotation_Disruptive(t *testing.T) {

 // Expect that the Secret comes back right away with newly minted certs.
 var regeneratedCACert []byte
- testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
- var err error
- secret, err = kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
- requireEventually.NoError(err)
+ testlib.RequireEventually(t,
+ func(requireEventually *require.Assertions) {
+ var err error
+ secret, err = kubeClient.CoreV1().Secrets(env.ConciergeNamespace).Get(ctx, defaultServingCertResourceName, metav1.GetOptions{})
+ requireEventually.NoError(err)

- regeneratedCACert = secret.Data["caCertificate"]
- regeneratedPrivateKey := secret.Data["tlsPrivateKey"]
- regeneratedCertChain := secret.Data["tlsCertificateChain"]
- requireEventually.NotEmpty(regeneratedCACert)
- requireEventually.NotEmpty(regeneratedPrivateKey)
- requireEventually.NotEmpty(regeneratedCertChain)
- requireEventually.NotEqual(initialCACert, regeneratedCACert)
- requireEventually.NotEqual(initialPrivateKey, regeneratedPrivateKey)
- requireEventually.NotEqual(initialCertChain, regeneratedCertChain)
- for k, v := range env.ConciergeCustomLabels {
- requireEventually.Equalf(v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
- }
- requireEventually.Equal(env.ConciergeAppName, secret.Labels["app"])
- }, 2*time.Minute, 250*time.Millisecond)
+ regeneratedCACert = secret.Data["caCertificate"]
+ regeneratedPrivateKey := secret.Data["tlsPrivateKey"]
+ regeneratedCertChain := secret.Data["tlsCertificateChain"]
+ requireEventually.NotEmpty(regeneratedCACert)
+ requireEventually.NotEmpty(regeneratedPrivateKey)
+ requireEventually.NotEmpty(regeneratedCertChain)
+ requireEventually.NotEqual(initialCACert, regeneratedCACert)
+ requireEventually.NotEqual(initialPrivateKey, regeneratedPrivateKey)
+ requireEventually.NotEqual(initialCertChain, regeneratedCertChain)
+ for k, v := range env.ConciergeCustomLabels {
+ requireEventually.Equalf(v, secret.Labels[k], "expected secret to have label `%s: %s`", k, v)
+ }
+ requireEventually.Equal(env.ConciergeAppName, secret.Labels["app"])
+ },
+ // Wait 5 minutes in case the Concierge was just redeployed, in which case it can take time for
+ // the controllers to be ready again. This test is often run as the very first test in the whole suite.
+ 5*time.Minute,
+ 250*time.Millisecond)

 // Expect that the APIService was also updated with the new CA.
 testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go
index a2f613e4..79f0a46f 100644
--- a/test/integration/supervisor_login_test.go
+++ b/test/integration/supervisor_login_test.go
@@ -1293,6 +1293,10 @@ func TestSupervisorLogin_Browser(t *testing.T) {
 maybeSkip: skipNever,
 createIDP: func(t *testing.T) string {
 spec := basicOIDCIdentityProviderSpec()
+ spec.Claims = idpv1alpha1.OIDCClaims{
+ Username: env.SupervisorUpstreamOIDC.UsernameClaim,
+ Groups: env.SupervisorUpstreamOIDC.GroupsClaim,
+ }
 spec.AuthorizationConfig = idpv1alpha1.OIDCAuthorizationConfig{
 AdditionalScopes: env.SupervisorUpstreamOIDC.AdditionalScopes,
 }
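Review bot: The context comment just above the call still says the Secret "comes back right away", but the wait is now 5 minutes, so a real slowdown in serving-cert rotation of up to five minutes would pass unnoticed. If the extra time is only for controller start-up after a redeploy, as the new comment says, consider waiting for Concierge readiness as a separate step and keeping the shorter bound here, or at least reword the comment to `// Expect that the Secret eventually comes back with newly minted certs.`. Separately, `requireEventually.NotEqual(initialPrivateKey, regeneratedPrivateKey)` would, on failure, likely print the unrotated `tlsPrivateKey` bytes into the test log, since testify includes the compared value in its failure message; comparing a digest of the key instead would keep key material out of CI output. The enclosing test function starts and ends outside the hunk.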
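Review bot: The added `spec.Claims` block in `createIDP` takes both claim names straight from the test environment with no comment on why this case needs them. If `env.SupervisorUpstreamOIDC.UsernameClaim` or `GroupsClaim` is unset, the empty value would presumably fall back to the Supervisor's default behaviour and the test would fail later as an identity mismatch rather than as a configuration error. A short comment such as `// Use the upstream's configured claim names so the asserted username and groups match what the IDP returns.` (wording for the author to confirm) would record the intent, and `require.NotEmpty(t, env.SupervisorUpstreamOIDC.UsernameClaim)` before building the spec would make a misconfigured environment fail clearly. The enclosing table entry starts and ends outside the hunk.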