Update e2e_test.go for clusters which have ServerSideFieldValidation

Also update prepare-cluster-for-integration-tests.sh for new kubectl version command options.
2022-07-25 17:25:21 -07:00 · 2022-07-25 17:25:21 -07:00 · c07cc6b8ec
parent 7ccd41b5f2
commit c07cc6b8ec
2 changed files with 13 additions and 5 deletions
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@ -175,8 +175,8 @@ if [[ "$skip_chromedriver_check" == "no" ]]; then
  fi
 fi

-# Require kubectl >= 1.18.x
-if [ "$(kubectl version --client=true --short | cut -d '.' -f 2)" -lt 18 ]; then
+# Require kubectl >= 1.18.x.
+if [ "$(kubectl version --client=true -o=json | grep gitVersion | cut -d '.' -f 2)" -lt 18 ]; then
  log_error "kubectl >= 1.18.x is required, you have $(kubectl version --client=true --short | cut -d ':' -f2)"
  exit 1
 fi
--- a/test/integration/e2e_test.go
+++ b/test/integration/e2e_test.go
@ -1336,8 +1336,15 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain(
 	expectedGroupsPlusAuthenticated := append([]string{}, expectedGroups...)
 	expectedGroupsPlusAuthenticated = append(expectedGroupsPlusAuthenticated, "system:authenticated")

-	// Confirm we are the right user according to Kube by calling the whoami API.
-	kubectlCmd3 := exec.CommandContext(ctx, "kubectl", "create", "-f", "-", "-o", "yaml", "--kubeconfig", kubeconfigPath)
+	// Confirm we are the right user according to Kube by calling the WhoAmIRequest API.
+	// Use --validate=false with this command because running this command against any cluster which has
+	// the ServerSideFieldValidation feature gate enabled causes this command to return an RBAC error
+	// complaining that this user does not have permission to list CRDs:
+	//   error validating data: failed to check CRD: failed to list CRDs: customresourcedefinitions.apiextensions.k8s.io is forbidden:
+	//   User "pinny" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope; if you choose to ignore these errors, turn validation off with --validate=false
+	// While it is true that the user cannot list CRDs, that fact seems unrelated to making a create call to the
+	// aggregated API endpoint, so this is a strange error, but it can be easily reproduced.
+	kubectlCmd3 := exec.CommandContext(ctx, "kubectl", "create", "-f", "-", "-o", "yaml", "--kubeconfig", kubeconfigPath, "--validate=false")
 	kubectlCmd3.Env = append(os.Environ(), env.ProxyEnv()...)
 	kubectlCmd3.Stdin = strings.NewReader(here.Docf(`
 			apiVersion: identity.concierge.%s/v1alpha1
@ -1345,7 +1352,8 @@ func requireUserCanUseKubectlWithoutAuthenticatingAgain(
 	`, env.APIGroupSuffix))

 	kubectlOutput3, err := kubectlCmd3.CombinedOutput()
-	require.NoError(t, err)
+	require.NoErrorf(t, err,
+		"expected no error but got error, combined stdout/stderr was:\n----start of output\n%s\n----end of output", kubectlOutput3)

 	whoAmI := deserializeWhoAmIRequest(t, string(kubectlOutput3), env.APIGroupSuffix)
 	require.Equal(t, expectedUsername, whoAmI.Status.KubernetesUserInfo.User.Username)