Merge branch 'main' into fix-enforcing-up-to-date-controlplanes-valid…

…atingwebhookconfiguration
Kong · Apr 25, 2024 · c3f1370 · c3f1370
2 parents cfaceaf + 822d063
commit c3f1370
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 16 deletions.
diff --git a/.github/workflows/__release-workflow.yaml b/.github/workflows/__release-workflow.yaml
@@ -268,7 +268,7 @@ jobs:
 
       # PRs to the base branch will update the version file and manifests
       - name: Create a release PR
-        uses: peter-evans/create-pull-request@9153d834b60caba6d51c9b9510b087acf9f33f83
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e
         if: ${{ (inputs.base == 'main' && matrix.base == 'main') || (inputs.base != 'main') }}
         with:
           token: ${{ secrets.gh-pat }}

diff --git a/test/integration/test_controlplane.go b/test/integration/test_controlplane.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"reflect"
 	"slices"
+	"strings"
 	"testing"
 	"time"
 
@@ -339,7 +340,7 @@ func TestControlPlaneEssentials(t *testing.T) {
 	require.Eventually(t, testutils.ControlPlaneHasAdmissionWebhookConfiguration(t, GetCtx(), controlplane, clients), testutils.ControlPlaneCondDeadline, testutils.ControlPlaneCondTick)
 
 	t.Log("verifying controlplane's webhook is functional")
-	verifyControlPlaneWebhookIsFunctional(t, GetCtx(), clients)
+	eventuallyVerifyControlPlaneWebhookIsFunctional(t, GetCtx(), clients)
 
 	t.Log("verifying that controlplane's ClusterRole is patched if it goes out of sync")
 	clusterRoles = testutils.MustListControlPlaneClusterRoles(t, GetCtx(), controlplane, clients)
@@ -445,22 +446,32 @@ func verifyControlPlaneDeploymentAdmissionWebhookMount(t *testing.T, deployment
 	require.Equal(t, consts.ControlPlaneAdmissionWebhookVolumeMountPath, volumeMount.MountPath)
 }
 
-// verifyControlPlaneWebhookIsFunctional verifies that the controlplane validating webhook is functional by
-// creating a resource that should be rejected by the webhook and verifying that it is rejected.
-func verifyControlPlaneWebhookIsFunctional(t *testing.T, ctx context.Context, clients testutils.K8sClients) {
-	keyAuthSecretWithNoKey := corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: "test-cred-",
-			Namespace:    "default",
-			Labels: map[string]string{
-				"konghq.com/credential": "key-auth",
+// eventuallyVerifyControlPlaneWebhookIsFunctional verifies that the controlplane validating webhook
+// is functional by creating a resource that should be rejected by the webhook and verifying that
+// it is rejected.
+func eventuallyVerifyControlPlaneWebhookIsFunctional(t *testing.T, ctx context.Context, clients testutils.K8sClients) {
+	require.Eventually(t, func() bool {
+		keyAuthSecretWithNoKey := corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				GenerateName: "test-cred-",
+				Namespace:    "default",
+				Labels: map[string]string{
+					"konghq.com/credential": "key-auth",
+				},
 			},
-		},
-	}
+		}
 
-	err := clients.MgrClient.Create(ctx, &keyAuthSecretWithNoKey)
-	require.Error(t, err)
-	require.ErrorContains(t, err, "admission webhook \"secrets.validation.ingress-controller.konghq.com\" denied the request")
+		err := clients.MgrClient.Create(ctx, &keyAuthSecretWithNoKey)
+		if err == nil {
+			t.Log("ControlPlane webhook accepted an invalid secret, retrying and waiting for webhook to become functional")
+			return false
+		}
+		if !strings.Contains(err.Error(), "admission webhook \"secrets.validation.ingress-controller.konghq.com\" denied the request") {
+			t.Logf("unexpected error: %v", err)
+			return false
+		}
+		return true
+	}, testutils.ControlPlaneCondDeadline, testutils.ControlPlaneCondTick)
 }
 
 func TestControlPlaneUpdate(t *testing.T) {