Merge pull request #1522 from viccuad/test/fix-flaky-proxy

viccuad · web-flow · commit 3f2f4eb02b32 · 2026-03-02T10:31:28.000+01:00
test(policy-evaluator,policy-server): Fix flaky tests
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/kwctl/tests/proxy.rs b/crates/kwctl/tests/proxy.rs
@@ -1,6 +1,4 @@
-use std::time::Duration;
-
-use backon::{BlockingRetryable, ExponentialBuilder};
+use backon::{BlockingRetryable, ConstantBuilder};
 use predicates::str::contains;
 use rstest::rstest;
 use tempfile::tempdir;
@@ -31,7 +29,8 @@ fn start_proxy() -> (Container<GenericImage>, u16) {
 
 /// Used to verify that traffic was (or was not) routed through the proxy.
 /// Returns true if the proxy container's logs (stdout or stderr) contain `needle`.
-/// Retries with exponential backoff because tinyproxy may not flush its log immediately.
+/// Retries with a constant backoff to handle testcontainers' log collection latency.
+/// The container should be stopped before calling this to ensure tinyproxy has flushed its logs.
 fn proxy_log_contains(container: &Container<GenericImage>, needle: &str) -> bool {
     let check = || {
         let stdout =
@@ -46,9 +45,9 @@ fn proxy_log_contains(container: &Container<GenericImage>, needle: &str) -> bool
     };
     check
         .retry(
-            ExponentialBuilder::default()
-                .with_min_delay(Duration::from_millis(100))
-                .with_max_times(5),
+            ConstantBuilder::default()
+                .with_delay(std::time::Duration::from_millis(100))
+                .with_max_times(10),
         )
         .call()
         .is_ok()
diff --git a/crates/policy-evaluator/tests/proxy.rs b/crates/policy-evaluator/tests/proxy.rs
@@ -6,7 +6,7 @@ mod common;
 mod proxy_tests {
     use std::time::Duration;
 
-    use backon::{ExponentialBuilder, Retryable};
+    use backon::{ConstantBuilder, Retryable};
     use policy_evaluator::callback_requests::{CallbackRequest, CallbackRequestType};
     use policy_fetcher::{proxy::ProxyConfig, sources::Sources};
     use testcontainers::{
@@ -34,7 +34,7 @@ mod proxy_tests {
 
     /// Used to verify that traffic was (or was not) routed through the proxy.
     /// Returns true if the proxy container's logs (stdout or stderr) contain `needle`.
-    /// Retries with exponential backoff because tinyproxy may not flush its log immediately.
+    /// Retries with a constant backoff to give tinyproxy time to flush its log.
     async fn proxy_log_contains(container: &ContainerAsync<GenericImage>, needle: &str) -> bool {
         let check = || async {
             let stdout = String::from_utf8(container.stdout_to_vec().await.unwrap_or_default())
@@ -49,9 +49,9 @@ mod proxy_tests {
         };
         check
             .retry(
-                ExponentialBuilder::default()
-                    .with_min_delay(Duration::from_millis(100))
-                    .with_max_times(5),
+                ConstantBuilder::default()
+                    .with_delay(std::time::Duration::from_millis(100))
+                    .with_max_times(10),
             )
             .await
             .is_ok()
@@ -119,7 +119,9 @@ mod proxy_tests {
         cb_channel
             .try_send(CallbackRequest {
                 request: CallbackRequestType::OciManifest {
-                    image: "ghcr.io/kubewarden/tests/pod-privileged:v0.2.5".to_owned(),
+                    // Use a different image than the https_proxy test to avoid a process-wide
+                    // cache hit (the `#[cached]` key is the image URL only, not the proxy config).
+                    image: "ghcr.io/kubewarden/tests/pod-privileged:v0.2.1".to_owned(),
                 },
                 response_channel: resp_tx,
             })
diff --git a/crates/policy-server/Cargo.toml b/crates/policy-server/Cargo.toml
@@ -67,6 +67,7 @@ tokio-stream = "0.1.18"
 
 [dev-dependencies]
 backon         = { version = "1.6", features = ["tokio-sleep"] }
+serial_test    = "3"
 http-body-util = "0.1.3"
 mockall        = "0.14"
 rcgen          = { version = "0.14", features = ["crypto"] }
diff --git a/crates/policy-server/tests/integration_test.rs b/crates/policy-server/tests/integration_test.rs
@@ -1305,9 +1305,7 @@ fn build_request_client(
 
 // helper functions for testing proxy functionality
 mod proxy_helpers {
-    use std::time::Duration;
-
-    use backon::{ExponentialBuilder, Retryable};
+    use backon::{ConstantBuilder, Retryable};
     use testcontainers::{
         ContainerAsync, GenericImage,
         core::{IntoContainerPort, WaitFor},
@@ -1329,7 +1327,7 @@ mod proxy_helpers {
 
     /// Used to verify that traffic was (or was not) routed through the proxy.
     /// Returns true if the proxy container's logs (stdout or stderr) contain `needle`.
-    /// Retries with exponential backoff because tinyproxy may not flush its log immediately.
+    /// Retries with a constant backoff to give tinyproxy time to flush its log.
     pub async fn proxy_log_contains(
         container: &ContainerAsync<GenericImage>,
         needle: &str,
@@ -1347,9 +1345,9 @@ mod proxy_helpers {
         };
         check
             .retry(
-                ExponentialBuilder::default()
-                    .with_min_delay(Duration::from_millis(100))
-                    .with_max_times(5),
+                ConstantBuilder::default()
+                    .with_delay(std::time::Duration::from_millis(500))
+                    .with_max_times(20),
             )
             .await
             .is_ok()
@@ -1359,6 +1357,7 @@ mod proxy_helpers {
 #[rstest]
 #[case::both_http_and_https_proxy(true)]
 #[case::https_proxy_only(false)]
+#[serial_test::serial]
 #[tokio::test]
 async fn test_policy_server_with_https_proxy(#[case] set_http_proxy: bool) {
     use proxy_helpers::*;
@@ -1415,6 +1414,7 @@ async fn test_policy_server_with_https_proxy(#[case] set_http_proxy: bool) {
 /// source. The policy is first fetched from ghcr.io, pushed to the local registry, then the policy
 /// server is started with HTTP_PROXY pointing at tinyproxy. Both containers share the default
 /// docker bridge network so the proxy can forward requests to the registry by its bridge IP.
+#[serial_test::serial]
 #[tokio::test]
 async fn test_policy_server_with_http_proxy() {
     use proxy_helpers::*;
@@ -1518,6 +1518,7 @@ async fn test_policy_server_with_http_proxy() {
 /// A real tinyproxy is started and set as HTTPS_PROXY. With NO_PROXY=ghcr.io the policy server
 /// must connect directly to ghcr.io, so startup and validation succeed and the proxy logs must not
 /// contain any reference to ghcr.io.
+#[serial_test::serial]
 #[tokio::test]
 async fn test_policy_server_with_no_proxy() {
     use proxy_helpers::*;
