From 2ba28a33893322a9ba694a560691dabe9dc1806e Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Fri, 25 Oct 2024 14:57:25 +0200 Subject: [PATCH 1/2] Revert "Wait for available API token in a new namespace (#7045)" This reverts commit 275c54e81051ff73a0b5556717b38d5677f2b0b9. Static tokens are no longer created automatically for service account in Kubernetes. Instead, they are dynamically injected into pods using a projected volume. Thus there is no longer a need to check for this (it didn't work anyway, since the describe output actually contains when there is no tokens: { "attempts": 1, "changed": false, "cmd": "set -o pipefail && /usr/local/bin/kubectl describe serviceaccounts default --namespace test | grep Tokens | awk '{print $2}'", "delta": "0:00:00.075633", "end": "2024-10-19 14:25:04.858871", "msg": "", "rc": 0, "start": "2024-10-19 14:25:04.783238", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": [ "" ] } ) --- tests/testcases/030_check-network.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/tests/testcases/030_check-network.yml b/tests/testcases/030_check-network.yml index e13128dd9..bdb3c53bb 100644 --- a/tests/testcases/030_check-network.yml +++ b/tests/testcases/030_check-network.yml @@ -75,16 +75,6 @@ command: "{{ bin_dir }}/kubectl create namespace test" changed_when: false - - name: Wait for API token of test namespace - shell: "set -o pipefail && {{ bin_dir }}/kubectl describe serviceaccounts default --namespace test | grep Tokens | awk '{print $2}'" - args: - executable: /bin/bash - changed_when: false - register: default_token - until: default_token.stdout | length > 0 - retries: 5 - delay: 5 - - name: Run 2 agnhost pods in test ns shell: cmd: | From 5cb07e0aac1d0f9e3293115a2f97bb0932c91ddf Mon Sep 17 00:00:00 2001 
From: Max Gautier Date: Fri, 25 Oct 2024 14:53:24 +0200 Subject: [PATCH 2/2] CI: remove shell usage for test playbooks General cleanup + has the advantages of not requiring bash on the hosts. --- tests/testcases/030_check-network.yml | 29 +++++----- tests/testcases/040_check-network-adv.yml | 64 +++++++---------------- 2 files changed, 31 insertions(+), 62 deletions(-) diff --git a/tests/testcases/030_check-network.yml b/tests/testcases/030_check-network.yml index bdb3c53bb..9ee540ef5 100644 --- a/tests/testcases/030_check-network.yml +++ b/tests/testcases/030_check-network.yml @@ -20,29 +20,29 @@ when: - kubelet_rotate_server_certificates | default(false) - kubelet_csr_approver_enabled | default(kubelet_rotate_server_certificates | default(false)) + vars: + csrs: "{{ csr_json.stdout | from_json }}" block: - name: Get certificate signing requests - command: "{{ bin_dir }}/kubectl get csr" - register: get_csr + command: "{{ bin_dir }}/kubectl get csr -o jsonpath-as-json={.items[*]}" + register: csr_json changed_when: false - debug: # noqa name[missing] - msg: "{{ get_csr.stdout.split('\n') }}" + var: csrs - name: Check there are csrs assert: - that: get_csr.stdout_lines | length > 0 + that: csrs | length > 0 fail_msg: kubelet_rotate_server_certificates is {{ kubelet_rotate_server_certificates }} but no csr's found - - name: Get Denied/Pending certificate signing requests - shell: "set -o pipefail && {{ bin_dir }}/kubectl get csr | grep -e Denied -e Pending || true" - register: get_csr_denied_pending - changed_when: false - - name: Check there are Denied/Pending csrs assert: - that: get_csr_denied_pending.stdout_lines | length == 0 + that: + - csrs | rejectattr('status') | length == 0 # Pending == no status + - csrs | map(attribute='status.conditions') | flatten | selectattr('type', 'equalto', 'Denied') | length == 0 # Denied + fail_msg: kubelet_csr_approver is enabled but CSRs are not approved - name: Approve kubelet serving certificates 
@@ -76,10 +76,9 @@ changed_when: false - name: Run 2 agnhost pods in test ns - shell: - cmd: | - set -o pipefail - cat <= groups['k8s_cluster'] | intersect(ansible_play_hosts) | length * 2 + command: "{{ bin_dir }}/kubectl get pods --field-selector=status.phase==Running -o jsonpath-as-json={.items[*].metadata.name} --namespace {{ netcheck_namespace }}" + register: pods_json + until: + - pods_json.stdout | from_json | select('match', 'netchecker-server.*') | length == 1 + - (pods_json.stdout | from_json | select('match', 'netchecker-agent.*') | length) + >= (groups['k8s_cluster'] | intersect(ansible_play_hosts) | length * 2) retries: 3 delay: 10 - failed_when: false when: inventory_hostname == groups['kube_control_plane'][0] - name: Get netchecker pods @@ -60,7 +53,7 @@ with_items: - netchecker-agent - netchecker-agent-hostnet - when: not nca_pod is success + when: not pods_json is success - debug: # noqa name[missing] var: nca_pod.stdout_lines @@ -99,7 +92,7 @@ - agents.content != '{}' - debug: # noqa name[missing] - var: ncs_pod + var: pods_json run_once: true - name: Get kube-proxy logs @@ -169,14 +162,9 @@ run_once: true - name: Create macvlan network conf - # We cannot use only shell: below because Ansible will render the text - # with leading spaces, which means the shell will never find the string - # EOF at the beginning of a line. We can avoid Ansible's unhelpful - # heuristics by using the cmd parameter like this: - shell: - cmd: | - set -o pipefail - cat <
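Review bot: The context line `var: nca_pod.stdout_lines` just after `when: not pods_json is success` still refers to `nca_pod`, which the old `when: not nca_pod is success` suggests was registered by the wait task this series replaces; if that register went away with the rewrite to `pods_json`, this debug now prints an undefined variable, and it should become `var: pods_json.stdout | from_json` (or `.stdout_lines`) to match the `when` that was updated in the same hunk. Separately, the condition looks unreachable on every host: `pods_json` is registered only on `groups['kube_control_plane'][0]`, a skipped result still passes Ansible's `success` test on the other hosts, and on the control-plane host a failed `until` now fails the host outright because `failed_when: false` was dropped in the earlier hunk, unless `ignore_errors: true` is set on that task outside the visible lines. If these listings are meant as diagnostics for a timed-out wait, add `ignore_errors: true` to the wait task and gate this one on `when: pods_json is failed`. The task whose `with_items` opens this hunk starts above it.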
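Review bot: `var: pods_json` on a `run_once: true` debug prints the copy of `pods_json` held by the first host of the play, while the task that registers it runs only `when: inventory_hostname == groups['kube_control_plane'][0]`; unless that host always sorts first in the play, the output will be the skipped result rather than the pod list (the old `var: ncs_pod` had the same exposure). Replacing `run_once: true` with `when: inventory_hostname == groups['kube_control_plane'][0]` ties the debug to the host that actually ran the query, and `var: pods_json.stdout | from_json` would show the pod names instead of the whole command result.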