(ci) - fix cleanup to allow tests broken for 1.33 work

Author: camilamacedo86

docs/book/src/cronjob-tutorial/testdata/project/config/manager/manager.yaml

@@ -67,6 +67,7 @@ spec:
         name: manager
         ports: []
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:

docs/book/src/cronjob-tutorial/testdata/project/dist/install.yaml

@@ -4197,6 +4197,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /tmp/k8s-metrics-server/metrics-certs
           name: metrics-certs

docs/book/src/cronjob-tutorial/testdata/project/test/e2e/e2e_test.go

@@ -232,12 +232,13 @@ var _ = Describe("Manager", Ordered, func() {
 								},
 								"runAsNonRoot": true,
 								"runAsUser": 1000,
+								"readOnlyRootFilesystem": true,	
 								"seccompProfile": {
 									"type": "RuntimeDefault"
 								}
 							}
 						}],
-						"serviceAccount": "%s"
+						"serviceAccountName": "%s"
 					}
 				}`, token, metricsServiceName, namespace, serviceAccountName))
 			_, err = utils.Run(cmd)

docs/book/src/getting-started/testdata/project/config/manager/manager.yaml

@@ -67,6 +67,7 @@ spec:
         name: manager
         ports: []
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:

docs/book/src/getting-started/testdata/project/dist/install.yaml

@@ -453,6 +453,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         volumeMounts: []
       securityContext:
         runAsNonRoot: true

docs/book/src/getting-started/testdata/project/test/e2e/e2e_test.go

@@ -227,12 +227,13 @@ var _ = Describe("Manager", Ordered, func() {
 								},
 								"runAsNonRoot": true,
 								"runAsUser": 1000,
+								"readOnlyRootFilesystem": true,	
 								"seccompProfile": {
 									"type": "RuntimeDefault"
 								}
 							}
 						}],
-						"serviceAccount": "%s"
+						"serviceAccountName": "%s"
 					}
 				}`, token, metricsServiceName, namespace, serviceAccountName))
 			_, err = utils.Run(cmd)

docs/book/src/multiversion-tutorial/testdata/project/config/manager/manager.yaml

@@ -67,6 +67,7 @@ spec:
         name: manager
         ports: []
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:

docs/book/src/multiversion-tutorial/testdata/project/dist/install.yaml

@@ -8049,6 +8049,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /tmp/k8s-metrics-server/metrics-certs
           name: metrics-certs

docs/book/src/multiversion-tutorial/testdata/project/test/e2e/e2e_test.go

@@ -232,12 +232,13 @@ var _ = Describe("Manager", Ordered, func() {
 								},
 								"runAsNonRoot": true,
 								"runAsUser": 1000,
+								"readOnlyRootFilesystem": true,	
 								"seccompProfile": {
 									"type": "RuntimeDefault"
 								}
 							}
 						}],
-						"serviceAccount": "%s"
+						"serviceAccountName": "%s"
 					}
 				}`, token, metricsServiceName, namespace, serviceAccountName))
 			_, err = utils.Run(cmd)

pkg/plugins/common/kustomize/v2/scaffolds/internal/templates/config/manager/config.go

@@ -113,6 +113,7 @@ spec:
         name: manager
         ports: []
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:

pkg/plugins/golang/v4/scaffolds/internal/templates/test/e2e/test.go

@@ -390,12 +390,13 @@ var _ = Describe("Manager", Ordered, func() {
 								},
 								"runAsNonRoot": true,
 								"runAsUser": 1000,
+								"readOnlyRootFilesystem": true,	
 								"seccompProfile": {
 									"type": "RuntimeDefault"
 								}
 							}
 						}],
-						"serviceAccount": "%s"
+						"serviceAccountName": "%s"
 					}
 				}` + "`" + `, token, metricsServiceName, namespace, serviceAccountName))
 			_, err = utils.Run(cmd)

test/e2e/utils/test_context.go

@@ -368,6 +368,9 @@ func (t *TestContext) UninstallHelmRelease() error {
 
 	if _, err := t.Kubectl.Wait(false, "namespace", ns, "--for=delete", "--timeout=2m"); err != nil {
 		log.Printf("failed to wait for namespace deletion: %s", err)
+		if _, forceErr := t.Kubectl.Wait(false, "namespace", ns, "--grace-period=0", "--force"); forceErr != nil {
+			log.Printf("forced deletion also failed: %s", forceErr)
+		}
 	}
 
 	return nil

test/e2e/v4/plugin_cluster_test.go

@@ -63,6 +63,9 @@ var _ = Describe("kubebuilder", func() {
 			By("clean up API objects created during the test")
 			_ = kbc.Make("undeploy")
 
+			By("clean up API objects created during the test")
+			_ = kbc.Make("uninstall")
+
 			By("removing controller image and working dir")
 			kbc.Destroy()
 		})
@@ -88,25 +91,19 @@ var _ = Describe("kubebuilder", func() {
 			GenerateV4WithoutMetrics(kbc)
 			Run(kbc, true, false, false, false, false)
 		})
-		// FIXME: This test is currently disabled because it requires to be fixed:
-		// https://github.com/kubernetes-sigs/kubebuilder/issues/4853
-		// It is not working for k8s 1.33
-		// It("should generate a runnable project with metrics protected by network policies", func() {
-		// 	 GenerateV4WithNetworkPoliciesWithoutWebhooks(kbc)
-		//	 Run(kbc, false, false, false, true, true)
-		// })
+		It("should generate a runnable project with metrics protected by network policies", func() {
+			GenerateV4WithNetworkPoliciesWithoutWebhooks(kbc)
+			Run(kbc, false, false, false, true, true)
+		})
 		It("should generate a runnable project with webhooks and metrics protected by network policies", func() {
 			GenerateV4WithNetworkPolicies(kbc)
 			Run(kbc, true, false, false, true, true)
 		})
-		// FIXME: This test is currently disabled because it requires to be fixed:
-		// https://github.com/kubernetes-sigs/kubebuilder/issues/4853
-		// It is not working for k8s 1.33
-		// It("should generate a runnable project with the manager running "+
-		//	 "as restricted and without webhooks", func() {
-		//	 GenerateV4WithoutWebhooks(kbc)
-		//	 Run(kbc, false, false, false, true, false)
-		// })
+		It("should generate a runnable project with the manager running "+
+			"as restricted and without webhooks", func() {
+			GenerateV4WithoutWebhooks(kbc)
+			Run(kbc, false, false, false, true, false)
+		})
 	})
 })
 
@@ -501,6 +498,13 @@ func getMetricsOutput(kbc *utils.TestContext) string {
 	)
 	Expect(err).NotTo(HaveOccurred(), "Controller-manager service should exist")
 
+	By("checking controller-manager logs to verify metrics server is up")
+	controllerPodName := getControllerName(kbc)
+	logs, err := kbc.Kubectl.Logs(controllerPodName)
+	Expect(err).NotTo(HaveOccurred(), "failed to get controller-manager logs")
+	Expect(logs).To(ContainSubstring("Serving metrics server"),
+		"controller logs should show that metrics server is up")
+
 	By("ensuring the service endpoint is ready")
 	checkServiceEndpoint := func(g Gomega) {
 		var output string
@@ -521,14 +525,30 @@ func getMetricsOutput(kbc *utils.TestContext) string {
 	Expect(err).NotTo(HaveOccurred())
 
 	By("validating that the curl pod is running as expected")
+	var curlCheckFailed bool
 	verifyCurlUp := func(g Gomega) {
 		var status string
 		status, err = kbc.Kubectl.Get(
 			true,
-			"pods", "curl", "-o", "jsonpath={.status.phase}")
+			"pods", "curl", "-o", "jsonpath={.status.phase}",
+		)
+		if err != nil || status != "Succeeded" {
+			curlCheckFailed = true
+		}
 		g.Expect(err).NotTo(HaveOccurred())
 		g.Expect(status).To(Equal("Succeeded"), fmt.Sprintf("curl pod in %s status", status))
 	}
+
+	defer func() {
+		if curlCheckFailed {
+			By("dumping logs from failed curl pod for diagnostics")
+			logs, err := kbc.Kubectl.Logs("curl")
+			if err != nil {
+				logs = fmt.Sprintf("unable to fetch logs: %v", err)
+			}
+			_, _ = fmt.Fprintf(GinkgoWriter, "\n[DEBUG] curl pod failure logs:\n%s\n", logs)
+		}
+	}()
 	Eventually(verifyCurlUp, 240*time.Second, time.Second).Should(Succeed())
 
 	By("validating that the metrics endpoint is serving as expected")
@@ -583,7 +603,7 @@ func cmdOptsToCreateCurlPod(kbc *utils.TestContext, token string) []string {
 	//nolint:lll
 	cmdOpts := []string{
 		"run", "curl",
-		"--restart=Never",
+		"--restart=OnFailure",
 		"--namespace", kbc.Kubectl.Namespace,
 		"--image=curlimages/curl:latest",
 		"--overrides",
@@ -601,12 +621,13 @@ func cmdOptsToCreateCurlPod(kbc *utils.TestContext, token string) []string {
 						},
 						"runAsNonRoot": true,
 						"runAsUser": 1000,
+						"readOnlyRootFilesystem": true,
 						"seccompProfile": {
 							"type": "RuntimeDefault"
 						}
 					}
 				}],
-				"serviceAccount": "%s"
+				"serviceAccountName": "%s"
 			}
     }`, token, kbc.TestSuffix, kbc.Kubectl.Namespace, kbc.Kubectl.ServiceAccount),
 	}
@@ -615,8 +636,25 @@ func cmdOptsToCreateCurlPod(kbc *utils.TestContext, token string) []string {
 
 func removeCurlPod(kbc *utils.TestContext) {
 	By("cleaning up the curl pod")
-	_, err := kbc.Kubectl.Delete(true, "pods/curl")
-	Expect(err).NotTo(HaveOccurred())
+	_, err := kbc.Kubectl.Delete(true, "pod", "curl")
+	Expect(err).NotTo(HaveOccurred(), "Failed to delete curl pod")
+
+	var deleted bool
+	Eventually(func() bool {
+		_, err := kbc.Kubectl.Get(true, "pod", "curl")
+		deleted = err != nil
+		return deleted
+	}, time.Minute, time.Second).Should(BeTrue(), "curl pod should be deleted within 1 minute")
+
+	if !deleted {
+		By("forcing deletion of the curl pod")
+		_, err := kbc.Kubectl.Command("delete", "pod", "curl", "--grace-period=0", "--force")
+		Expect(err).NotTo(HaveOccurred(), "Force delete of curl pod failed")
+		Eventually(func(g Gomega) {
+			_, err := kbc.Kubectl.Get(true, "pod", "curl")
+			g.Expect(err).To(HaveOccurred())
+		}, time.Minute, time.Second).Should(Succeed(), "curl pod should be deleted after force")
+	}
 }
 
 // serviceAccountToken provides a helper function that can provide you with a service account

testdata/project-v4-multigroup/config/manager/manager.yaml

@@ -72,6 +72,7 @@ spec:
           value: memcached:1.6.26-alpine3.19
         ports: []
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:

testdata/project-v4-multigroup/dist/install.yaml

@@ -2157,6 +2157,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: webhook-certs

testdata/project-v4-multigroup/test/e2e/e2e_test.go

@@ -227,12 +227,13 @@ var _ = Describe("Manager", Ordered, func() {
 								},
 								"runAsNonRoot": true,
 								"runAsUser": 1000,
+								"readOnlyRootFilesystem": true,	
 								"seccompProfile": {
 									"type": "RuntimeDefault"
 								}
 							}
 						}],
-						"serviceAccount": "%s"
+						"serviceAccountName": "%s"
 					}
 				}`, token, metricsServiceName, namespace, serviceAccountName))
 			_, err = utils.Run(cmd)

testdata/project-v4-with-plugins/config/manager/manager.yaml

@@ -72,6 +72,7 @@ spec:
           value: memcached:1.6.26-alpine3.19
         ports: []
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:

testdata/project-v4-with-plugins/dist/install.yaml

@@ -850,6 +850,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: webhook-certs

testdata/project-v4-with-plugins/test/e2e/e2e_test.go

@@ -227,12 +227,13 @@ var _ = Describe("Manager", Ordered, func() {
 								},
 								"runAsNonRoot": true,
 								"runAsUser": 1000,
+								"readOnlyRootFilesystem": true,	
 								"seccompProfile": {
 									"type": "RuntimeDefault"
 								}
 							}
 						}],
-						"serviceAccount": "%s"
+						"serviceAccountName": "%s"
 					}
 				}`, token, metricsServiceName, namespace, serviceAccountName))
 			_, err = utils.Run(cmd)

testdata/project-v4/config/manager/manager.yaml

@@ -67,6 +67,7 @@ spec:
         name: manager
         ports: []
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:

testdata/project-v4/dist/install.yaml

@@ -715,6 +715,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: webhook-certs

testdata/project-v4/test/e2e/e2e_test.go

@@ -227,12 +227,13 @@ var _ = Describe("Manager", Ordered, func() {
 								},
 								"runAsNonRoot": true,
 								"runAsUser": 1000,
+								"readOnlyRootFilesystem": true,	
 								"seccompProfile": {
 									"type": "RuntimeDefault"
 								}
 							}
 						}],
-						"serviceAccount": "%s"
+						"serviceAccountName": "%s"
 					}
 				}`, token, metricsServiceName, namespace, serviceAccountName))
 			_, err = utils.Run(cmd)