Merge pull request #17887 from upodroid/fix-tests

fix podidentitywebhook test

Author: k8s-ci-robot

tests/e2e/kubetest2-kops/aws/s3.go

@@ -53,9 +53,9 @@ const (
 )
 
 // NewAWSClient returns a new instance of awsClient configured to work in the default region (us-east-2).
-func NewClient(ctx context.Context) (*Client, error) {
+func NewClient(ctx context.Context, region string) (*Client, error) {
 	cfg, err := awsconfig.LoadDefaultConfig(ctx,
-		awsconfig.WithRegion(defaultRegion))
+		awsconfig.WithRegion(region))
 	if err != nil {
 		return nil, fmt.Errorf("loading AWS config: %w", err)
 	}
@@ -71,8 +71,8 @@ func (c Client) BucketName(ctx context.Context, bucketType BucketType) (string,
 	// Construct the bucket name based on the ProwJob ID (if running in Prow) or AWS account ID (if running outside
 	// Prow) and the current timestamp
 	var identifier string
-	if jobID := os.Getenv("PROW_JOB_ID"); len(jobID) >= 4 {
-		identifier = jobID[:4]
+	if jobID := os.Getenv("BUILD_ID"); len(jobID) >= 4 {
+		identifier = jobID[len(jobID)-4:]
 	} else {
 		callerIdentity, err := c.stsClient.GetCallerIdentity(ctx, &sts.GetCallerIdentityInput{})
 		if err != nil {
@@ -95,15 +95,18 @@ func (c Client) BucketName(ctx context.Context, bucketType BucketType) (string,
 }
 
 // EnsureS3Bucket creates a new S3 bucket with the given name and public read permissions.
-func (c Client) EnsureS3Bucket(ctx context.Context, bucketName string, publicRead bool) error {
+func (c Client) EnsureS3Bucket(ctx context.Context, region, bucketName string, publicRead bool) error {
 	bucketName = strings.TrimPrefix(bucketName, "s3://")
-	klog.Infof("Creating bucket %s in region %s", bucketName, defaultRegion)
+	klog.Infof("Creating bucket %s in region %s", bucketName, region)
+	bucketConfig := &types.CreateBucketConfiguration{}
+	if region != "us-east-1" {
+		bucketConfig.LocationConstraint = types.BucketLocationConstraint(region)
+	}
 	_, err := c.s3Client.CreateBucket(ctx, &s3.CreateBucketInput{
-		Bucket: aws.String(bucketName),
-		CreateBucketConfiguration: &types.CreateBucketConfiguration{
-			LocationConstraint: defaultRegion,
-		},
-	})
+		Bucket:                    aws.String(bucketName),
+		CreateBucketConfiguration: bucketConfig,
+	},
+	)
 	if err != nil {
 		var exists *types.BucketAlreadyExists
 		if errors.As(err, &exists) {
@@ -130,15 +133,16 @@ func (c Client) EnsureS3Bucket(ctx context.Context, bucketName string, publicRea
 	klog.Infof("Bucket %s created successfully", bucketName)
 
 	if publicRead {
-		// We assume it will take 5-10 seconds for the bucket to be created and wait for it.
-		time.Sleep(10 * time.Second)
 		err = c.setPublicAccessBlock(ctx, bucketName)
 		if err != nil {
 			klog.Errorf("Failed to disable public access block policies on bucket %s, err: %v", bucketName, err)
 
 			return fmt.Errorf("disabling public access block policies for bucket %s: %w", bucketName, err)
 		}
 
+		// Wait for public access block settings to propagate before setting the policy
+		time.Sleep(10 * time.Second)
+
 		err = c.setPublicReadPolicy(ctx, bucketName)
 		if err != nil {
 			klog.Errorf("Failed to set public read policy on bucket %s, err: %v", bucketName, err)

tests/e2e/kubetest2-kops/deployer/build.go

@@ -115,7 +115,7 @@ func (d *deployer) verifyBuildFlags() error {
 	} else if d.boskos != nil {
 		d.StageLocation = d.stagingStore()
 		klog.Infof("creating staging bucket %s to hold kops/kubernetes build artifacts", d.StageLocation)
-		if err := gce.EnsureGCSBucket(d.StageLocation, d.GCPProject, true); err != nil {
+		if err := gce.EnsureGCSBucket(d.StageLocation, d.region, d.GCPProject, true); err != nil {
 			return err
 		}
 	} else {

tests/e2e/kubetest2-kops/deployer/common.go

@@ -51,9 +51,15 @@ func (d *deployer) initialize() error {
 		}
 	}
 
+	var err error
+	d.zones, err = d.getZones()
+	if err != nil {
+		return err
+	}
 	switch d.CloudProvider {
 	case "aws":
-		client, err := aws.NewClient(context.Background())
+		d.region = d.zones[0][:len(d.zones[0])-1]
+		client, err := aws.NewClient(context.Background(), d.region)
 		if err != nil {
 			return fmt.Errorf("init failed to build AWS client: %w", err)
 		}
@@ -90,6 +96,10 @@ func (d *deployer) initialize() error {
 		}
 		d.SSHUser = "root"
 	case "gce":
+		d.region, err = gce.ZoneToRegion(d.zones[0])
+		if err != nil {
+			return err
+		}
 		if d.GCPProject == "" {
 			klog.V(1).Info("No GCP project provided, acquiring from Boskos")
 
@@ -170,7 +180,7 @@ func (d *deployer) initialize() error {
 // verifyKopsFlags ensures common fields are set for kops commands
 func (d *deployer) verifyKopsFlags() error {
 	if d.ClusterName == "" {
-		name, err := defaultClusterName(d.CloudProvider)
+		name, err := d.defaultClusterName()
 		if err != nil {
 			return err
 		}
@@ -311,7 +321,7 @@ func (d *deployer) featureFlags() string {
 }
 
 // defaultClusterName returns a kops cluster name to use when ClusterName is not set
-func defaultClusterName(cloudProvider string) (string, error) {
+func (d *deployer) defaultClusterName() (string, error) {
 	dnsDomain := os.Getenv("KOPS_DNS_DOMAIN")
 	jobName := os.Getenv("JOB_NAME")
 	jobType := os.Getenv("JOB_TYPE")
@@ -328,9 +338,13 @@ func defaultClusterName(cloudProvider string) (string, error) {
 	}
 
 	var suffix string
-	switch cloudProvider {
+	switch d.CloudProvider {
 	case "aws":
-		suffix = dnsDomain
+		if strings.Contains(d.CreateArgs, "--dns=none") {
+			suffix = "k8s.local"
+		} else {
+			suffix = dnsDomain
+		}
 	case "azure":
 		// Azure uses --dns=none and the domain is not needed
 		suffix = ""
@@ -349,7 +363,7 @@ func defaultClusterName(cloudProvider string) (string, error) {
 
 	// GCP has char limit of 64
 	gcpLimit := 63 - (len(suffix) + 1) // 1 for the dot
-	if len(jobName) > gcpLimit && cloudProvider == "gce" {
+	if len(jobName) > gcpLimit && d.CloudProvider == "gce" {
 		jobName = jobName[:gcpLimit]
 	}
 

tests/e2e/kubetest2-kops/deployer/deployer.go

@@ -100,6 +100,8 @@ type deployer struct {
 	stateStoreName     string
 	discoveryStoreName string
 	stagingStoreName   string
+	region             string
+	zones              []string
 
 	// boskos struct field will be non-nil when the deployer is
 	// using boskos to acquire a GCP project

tests/e2e/kubetest2-kops/deployer/up.go

@@ -70,14 +70,14 @@ func (d *deployer) Up() error {
 		switch d.CloudProvider {
 		case "aws":
 			ctx := context.Background()
-			if err := d.aws.EnsureS3Bucket(ctx, d.stateStore(), false); err != nil {
+			if err := d.aws.EnsureS3Bucket(ctx, d.region, d.stateStore(), false); err != nil {
 				return err
 			}
-			if err := d.aws.EnsureS3Bucket(ctx, d.discoveryStore(), true); err != nil {
+			if err := d.aws.EnsureS3Bucket(ctx, d.region, d.discoveryStore(), true); err != nil {
 				return err
 			}
 		case "gce":
-			if err := gce.EnsureGCSBucket(d.stateStore(), d.GCPProject, false); err != nil {
+			if err := gce.EnsureGCSBucket(d.stateStore(), d.region, d.GCPProject, false); err != nil {
 				return err
 			}
 		}
@@ -93,18 +93,13 @@ func (d *deployer) Up() error {
 		adminAccess = publicIP
 	}
 
-	zones, err := d.zones()
-	if err != nil {
-		return err
-	}
-
 	// Write out the env file for kops
 	if err := d.writeEnvFile(ctx); err != nil {
 		return fmt.Errorf("error writing env file %q: %v", d.EnvFile, err)
 	}
 
 	if d.TemplatePath != "" {
-		values, err := d.templateValues(zones, adminAccess)
+		values, err := d.templateValues(d.zones, adminAccess)
 		if err != nil {
 			return err
 		}
@@ -116,13 +111,13 @@ func (d *deployer) Up() error {
 		}
 	} else {
 		if d.terraform != nil {
-			if err := d.createCluster(zones, adminAccess, true); err != nil {
+			if err := d.createCluster(d.zones, adminAccess, true); err != nil {
 				return err
 			}
 		} else {
 			// For the non-terraform case, we want to see the preview output.
 			// So run a create (which logs the output), then do an update
-			if err := d.createCluster(zones, adminAccess, false); err != nil {
+			if err := d.createCluster(d.zones, adminAccess, false); err != nil {
 				return err
 			}
 			if err := d.updateCluster(true); err != nil {
@@ -383,7 +378,35 @@ func (d *deployer) verifyUpFlags() error {
 	return nil
 }
 
-func (d *deployer) zones() ([]string, error) {
+func extractZones(args string) []string {
+	// Zones are specified by --zones=zone1,zone2
+	prefix := "--zones="
+	startIdx := strings.Index(args, prefix)
+
+	if startIdx == -1 {
+		return []string{}
+	}
+
+	startIdx += len(prefix)
+
+	endIdx := strings.Index(args[startIdx:], " ")
+	var zonesValue string
+
+	if endIdx == -1 {
+		zonesValue = args[startIdx:]
+	} else {
+		zonesValue = args[startIdx : startIdx+endIdx]
+	}
+	return strings.Split(zonesValue, ",")
+}
+
+func (d *deployer) getZones() ([]string, error) {
+	if d.CreateArgs != "" {
+		zones := extractZones(d.CreateArgs)
+		if len(zones) > 0 {
+			return zones, nil
+		}
+	}
 	switch d.CloudProvider {
 	case "aws":
 		return aws.RandomZones(d.ControlPlaneCount)

tests/e2e/kubetest2-kops/gce/gcs.go

@@ -40,7 +40,7 @@ func GCSBucketName(projectID, prefix string) string {
 	return bucket
 }
 
-func EnsureGCSBucket(bucketPath, projectID string, public bool) error {
+func EnsureGCSBucket(bucketPath, region, projectID string, public bool) error {
 	lsArgs := []string{
 		"gsutil", "ls", "-b",
 	}
@@ -66,6 +66,9 @@ func EnsureGCSBucket(bucketPath, projectID string, public bool) error {
 	if projectID != "" {
 		mbArgs = append(mbArgs, "-p", projectID)
 	}
+	if region != "" {
+		mbArgs = append(mbArgs, "-l", region)
+	}
 	mbArgs = append(mbArgs, bucketPath)
 
 	klog.Info(strings.Join(mbArgs, " "))

tests/e2e/kubetest2-kops/gce/zones.go

@@ -18,8 +18,10 @@ package gce
 
 import (
 	"errors"
+	"fmt"
 	"math/rand"
 	"sort"
+	"strings"
 )
 
 var allZones = []string{
@@ -77,3 +79,13 @@ func RandomZones(count int) ([]string, error) {
 	sort.Strings(chosenZones)
 	return chosenZones, nil
 }
+
+// ZoneToRegion maps a GCE zone name to a GCE region name, returning an error if it cannot be mapped
+func ZoneToRegion(zone string) (string, error) {
+	tokens := strings.Split(zone, "-")
+	if len(tokens) <= 2 {
+		return "", fmt.Errorf("invalid GCE Zone: %v", zone)
+	}
+	region := tokens[0] + "-" + tokens[1]
+	return region, nil
+}

tests/e2e/scenarios/podidentitywebhook/run-test.sh

@@ -15,22 +15,30 @@
 # limitations under the License.
 
 REPO_ROOT=$(git rev-parse --show-toplevel);
-source "${REPO_ROOT}"/tests/e2e/scenarios/lib/common.sh
 TEST_ROOT="${REPO_ROOT}/tests/e2e/scenarios/podidentitywebhook"
 
 # shellcheck disable=SC2034
 KOPS_TEMPLATE="${TEST_ROOT}/cluster.yaml.tmpl"
 
-kops-acquire-latest
-
-kops-up
-
-kubectl apply -f "${TEST_ROOT}"/pod.yaml
-
-kubectl -n default wait --for=condition=Ready pod/pod-identity-webhook-test
-
-# This command will exit code 253 if there are no credentials
-kubectl exec -it -n default pod-identity-webhook-test -- aws sts get-caller-identity
-
-
-
+make test-e2e-install
+export KOPS_STATE_STORE=
+export CLUSTER_NAME=
+
+KUBETEST2_ARGS=()
+KUBETEST2_ARGS+=("-v=2")
+
+if [[ "${JOB_TYPE}" == "presubmit" && "${REPO_OWNER}/${REPO_NAME}" == "kubernetes/kops" ]]; then
+  KUBETEST2_ARGS+=("--build")
+  KUBETEST2_ARGS+=("--kops-binary-path=${GOPATH}/src/k8s.io/kops/.build/dist/linux/$(go env GOARCH)/kops")
+else
+  KUBETEST2_ARGS+=("--kops-version-marker=${KOPS_VERSION_MARKER:-https://storage.googleapis.com/k8s-staging-kops/kops/releases/markers/master/latest-ci.txt}")
+fi
+
+kubetest2 kops \
+    --up --down \
+    "${KUBETEST2_ARGS[@]}" \
+    --cloud-provider=aws \
+    --create-args="--zones=us-east-1a" \
+    --template-path="${KOPS_TEMPLATE}" \
+    --kubernetes-version=https://dl.k8s.io/release/stable.txt \
+    --test=exec -- "${TEST_ROOT}/test.sh"

tests/e2e/scenarios/podidentitywebhook/test.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Copyright 2026 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+REPO_ROOT=$(git rev-parse --show-toplevel);
+kubectl apply -f "${REPO_ROOT}/tests/e2e/scenarios/podidentitywebhook/pod.yaml"
+
+kubectl -n default wait --for=condition=Ready pod/pod-identity-webhook-test
+
+# This command will exit code 253 if there are no credentials
+kubectl exec -it -n default pod-identity-webhook-test -- aws sts get-caller-identity