fix(e2e): Fix several RBAC-related e2e test cases

Create token secret for ServiceAccount to ensure those SA
is valid for scoped client use.

Signed-off-by: Vu Dinh <[email protected]>

Author: dinhxuanvu

Diff for: test/e2e/installplan_e2e_test.go

@@ -3709,6 +3709,9 @@ var _ = Describe("Install Plan", func() {
 		}
 		_, err = c.KubernetesInterface().CoreV1().ServiceAccounts(ns.GetName()).Create(context.Background(), sa, metav1.CreateOptions{})
 		Expect(err).ToNot(HaveOccurred())
+		// Create token secret for the serviceaccount
+		_, cleanupSE := newTokenSecret(c, ns.GetName(), sa.GetName())
+		defer cleanupSE()
 
 		// role has no explicit permissions
 		role := &rbacv1.ClusterRole{
@@ -3950,6 +3953,9 @@ var _ = Describe("Install Plan", func() {
 		}
 		_, err = c.KubernetesInterface().CoreV1().ServiceAccounts(ns.GetName()).Create(context.Background(), sa, metav1.CreateOptions{})
 		Expect(err).ToNot(HaveOccurred())
+		// Create token secret for the serviceaccount
+		_, cleanupSE := newTokenSecret(c, ns.GetName(), sa.GetName())
+		defer cleanupSE()
 
 		// see https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/design/scoped-operator-install.md
 		role := &rbacv1.ClusterRole{

Diff for: test/e2e/operator_groups_e2e_test.go

@@ -1627,6 +1627,9 @@ var _ = Describe("Operator Group", func() {
 
 		_, err = c.CreateServiceAccount(serviceAccount)
 		require.NoError(GinkgoT(), err)
+		// Create token secret for the serviceaccount
+		_, cleanupSE := newTokenSecret(c, newNamespaceName, serviceAccount.GetName())
+		defer cleanupSE()
 
 		log("wait for CSV to fail")
 		err = wait.Poll(pollInterval, pollDuration, func() (bool, error) {
@@ -1760,6 +1763,9 @@ var _ = Describe("Operator Group", func() {
 
 		_, err = c.CreateServiceAccount(serviceAccount)
 		require.NoError(GinkgoT(), err)
+		// Create token secret for the serviceaccount
+		_, cleanupSE := newTokenSecret(c, newNamespaceName, serviceAccount.GetName())
+		defer cleanupSE()
 
 		log("wait for CSV to fail")
 		err = wait.Poll(pollInterval, pollDuration, func() (bool, error) {

Diff for: test/e2e/scoped_client_test.go

@@ -85,14 +85,9 @@ var _ = Describe("Scoped Client bound to a service account can be used to make A
 		saName := genName("user-defined-")
 		sa, cleanupSA := newServiceAccount(kubeclient, namespace, saName)
 		defer cleanupSA()
-
-		By("Wait for ServiceAccount secret to be available")
-		Eventually(func() (*corev1.ServiceAccount, error) {
-			sa, err := kubeclient.KubernetesInterface().CoreV1().ServiceAccounts(sa.GetNamespace()).Get(context.TODO(), sa.GetName(), metav1.GetOptions{})
-			return sa, err
-		}).ShouldNot(WithTransform(func(v *corev1.ServiceAccount) []corev1.ObjectReference {
-			return v.Secrets
-		}, BeEmpty()))
+		// Create token secret for the serviceaccount
+		_, cleanupSE := newTokenSecret(kubeclient, namespace, saName)
+		defer cleanupSE()
 
 		strategy := scoped.NewClientAttenuator(logger, config, kubeclient)
 		getter := func() (reference *corev1.ObjectReference, err error) {

Diff for: test/e2e/user_defined_sa_test.go

@@ -54,6 +54,9 @@ var _ = Describe("User defined service account", func() {
 		saName := genName("scoped-sa-")
 		_, cleanupSA := newServiceAccount(c, generatedNamespace.GetName(), saName)
 		defer cleanupSA()
+		// Create token secret for the serviceaccount
+		_, cleanupSE := newTokenSecret(c, generatedNamespace.GetName(), saName)
+		defer cleanupSE()
 
 		// Add an OperatorGroup and specify the service account.
 		ogName := genName("scoped-og-")
@@ -104,6 +107,9 @@ var _ = Describe("User defined service account", func() {
 		saName := genName("scoped-sa")
 		_, cleanupSA := newServiceAccount(c, generatedNamespace.GetName(), saName)
 		defer cleanupSA()
+		// Create token secret for the serviceaccount
+		_, cleanupSE := newTokenSecret(c, generatedNamespace.GetName(), saName)
+		defer cleanupSE()
 		cleanupPerm := grantPermission(GinkgoT(), c, generatedNamespace.GetName(), saName)
 		defer cleanupPerm()
 
@@ -153,6 +159,9 @@ var _ = Describe("User defined service account", func() {
 		saName := genName("scoped-sa-")
 		_, cleanupSA := newServiceAccount(c, generatedNamespace.GetName(), saName)
 		defer cleanupSA()
+		// Create token secret for the serviceaccount
+		_, cleanupSE := newTokenSecret(c, generatedNamespace.GetName(), saName)
+		defer cleanupSE()
 
 		// Add an OperatorGroup and specify the service account.
 		ogName := genName("scoped-og-")

Diff for: test/e2e/util.go

@@ -1074,3 +1074,26 @@ func inKind(client operatorclient.ClientInterface) (bool, error) {
 func K8sSafeCurrentTestDescription() string {
 	return nonAlphaNumericRegexp.ReplaceAllString(CurrentSpecReport().LeafNodeText, "")
 }
+
+func newTokenSecret(client operatorclient.ClientInterface, namespace, saName string) (se *corev1.Secret, cleanup cleanupFunc) {
+	seName := saName + "-token"
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        seName,
+			Namespace:   namespace,
+			Annotations: map[string]string{corev1.ServiceAccountNameKey: saName},
+		},
+		Type: corev1.SecretTypeServiceAccountToken,
+	}
+
+	se, err := client.KubernetesInterface().CoreV1().Secrets(namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+	Expect(err).ToNot(HaveOccurred())
+	Expect(se).ToNot(BeNil())
+
+	cleanup = func() {
+		err := client.KubernetesInterface().CoreV1().Secrets(namespace).Delete(context.TODO(), se.GetName(), metav1.DeleteOptions{})
+		Expect(err).ToNot(HaveOccurred())
+	}
+
+	return se, cleanup
+}