Fix test environment on GKE (#5207)

* Prevent private img test from being run if GKE

Signed-off-by: Antonio Gamez Diaz <[email protected]>

* Fix typo

Signed-off-by: Antonio Gamez Diaz <[email protected]>

* Use a clusterrolebinding for "edit" ci user

Signed-off-by: Antonio Gamez Diaz <[email protected]>

* Add todo and minor typo

Signed-off-by: Antonio Gamez Diaz <[email protected]>

Signed-off-by: Antonio Gamez Diaz <[email protected]>

Author: antgamdia

cmd/kubeapps-apis/plugins/helm/packages/v1alpha1/repositories.go

@@ -251,8 +251,10 @@ func (s *Server) mapToPackageRepositoryDetail(source *apprepov1alpha1.AppReposit
 // Using owner references on the secret so that it can be
 // (1) cleaned up automatically and/or
 // (2) enable some control (ie. if I add a secret manually
-//   via kubectl before running kubeapps, it won't get deleted just
-//   because Kubeapps is deleting it)?
+//
+//	via kubectl before running kubeapps, it won't get deleted just
+//	because Kubeapps is deleting it)?
+//
 // See https://github.com/vmware-tanzu/kubeapps/pull/4630#discussion_r861446394 for details
 func (s *Server) setOwnerReferencesForRepoSecret(
 	ctx context.Context,
@@ -500,6 +502,7 @@ func (s *Server) GetPkgRepositories(ctx context.Context, cluster, namespace stri
 	if err != nil {
 		return nil, err
 	}
+	// TODO(agamez): handle permission denied scenario when listing w/o namespace, which would need a ClusterRole
 	unstructured, err := resource.List(ctx, metav1.ListOptions{})
 	if err != nil {
 		return nil, err

cmd/kubeapps-apis/plugins/helm/packages/v1alpha1/repositories_resources.go

@@ -84,7 +84,7 @@ func (s *Server) updatePkgRepository(ctx context.Context, cluster, namespace str
 	}
 
 	if err = client.Update(ctx, newPkgRepository); err != nil {
-		return statuserror.FromK8sError("get", AppRepositoryKind, newPkgRepository.Name, err)
+		return statuserror.FromK8sError("update", AppRepositoryKind, newPkgRepository.Name, err)
 	}
 	return nil
 }

integration/tests/main/10-deploy-package-with-private-image.spec.js integration/tests/multicluster/10-deploy-package-with-private-image.spec.js

@@ -309,9 +309,11 @@ installChartMuseum "${CHARTMUSEUM_VERSION}"
 pushChart apache 8.6.2 admin password
 pushChart apache 8.6.3 admin password
 
-# Setting up local Docker registry
-setupLocalDockerRegistry
-pushLocalChart
+# Setting up local Docker registry if not in GKE
+if [[ -z "${GKE_BRANCH-}" ]]; then
+  setupLocalDockerRegistry
+  pushLocalChart
+fi
 
 # Ensure that we are testing the correct image
 info ""
@@ -396,7 +398,7 @@ kubectl create serviceaccount kubeapps-edit -n kubeapps
 # default). See https://github.com/vmware-tanzu/kubeapps/issues/4435
 kubectl create rolebinding kubeapps-edit -n kubeapps --clusterrole=edit --serviceaccount kubeapps:kubeapps-edit
 kubectl create rolebinding kubeapps-edit -n default --clusterrole=edit --serviceaccount kubeapps:kubeapps-edit
-kubectl create rolebinding kubeapps-repositories-read -n kubeapps --clusterrole kubeapps:kubeapps:apprepositories-read --serviceaccount kubeapps:kubeapps-edit
+kubectl create clusterrolebinding kubeapps-repositories-read --clusterrole kubeapps:kubeapps:apprepositories-read --serviceaccount kubeapps:kubeapps-edit
 # TODO(minelson): Similar to the `global-repos-read` rolebinding that the chart
 # adds to the `kubeapps-repos-global` namespace for all authenticated users, we
 # should eventually consider adding a similar rolebinding for secrets in the