Add e2e for pod identity webhook

tests/e2e/scenarios/lib/common.sh

@@ -19,6 +19,10 @@ set -o nounset
 set -o pipefail
 set -o xtrace
 
+if [[ -z "${CLOUD_PROVIDER-}" ]]; then
+    export CLOUD_PROVIDER="aws"
+fi
+
 echo "CLOUD_PROVIDER=${CLOUD_PROVIDER}"
 echo "CLUSTER_NAME=${CLUSTER_NAME-}"
 
@@ -129,9 +133,11 @@ function kops-up() {
     if [[ -z "${K8S_VERSION-}" ]]; then
         K8S_VERSION="v1.22.1"
     fi
+
     ${KUBETEST2} \
         --up \
         --kops-binary-path="${KOPS}" \
         --kubernetes-version="${K8S_VERSION}" \
-        --create-args="${create_args}"
+        --create-args="${create_args}" \
+        --template-path="${KOPS_TEMPLATE-}"
 }

tests/e2e/scenarios/podidentitywebhook/cluster.yaml.tmpl

@@ -0,0 +1,102 @@
+{{$zone := index .zones 0}}
+apiVersion: kops.k8s.io/v1alpha2
+kind: Cluster
+metadata:
+  name: {{.clusterName}}
+spec:
+  kubernetesApiAccess:
+  - {{.publicIP}}
+  certManager:
+    enabled: true
+  channel: stable
+  cloudProvider: {{.cloudProvider}}
+  configBase: "{{.stateStore}}/{{.clusterName}}"
+  etcdClusters:
+  - etcdMembers:
+    - instanceGroup: master-{{$zone}}
+      name: {{$zone}}
+    name: main
+  - etcdMembers:
+    - instanceGroup: master-{{$zone}}
+      name: {{$zone}}
+    name: events
+  iam:
+    serviceAccountExternalPermissions:
+    - aws:
+        policyARNs:
+        - arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
+      name: pod-identity-webhook-test
+      namespace: default
+  kubelet:
+    anonymousAuth: false
+  kubernetesVersion: {{.kubernetesVersion}}
+  masterInternalName: api.internal.{{.clusterName}}
+  masterPublicName: api.{{.clusterName}}
+  networkCIDR: 172.20.0.0/16
+  networking:
+    calico: {}
+  nodePortAccess:
+    - 0.0.0.0/0
+  nonMasqueradeCIDR: 100.64.0.0/10
+  podIdentityWebhook:
+    enabled: true
+  serviceAccountIssuerDiscovery:
+    discoveryStore: "{{.stateStore}}/{{.clusterName}}"
+    enableAWSOIDCProvider: true
+  sshAccess:
+    - {{.publicIP}}
+  topology:
+    masters: public
+    nodes: public
+  subnets:
+  - cidr: 172.20.32.0/19
+    name: {{$zone}}
+    type: Public
+    zone: {{$zone}}
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: SSHCredential
+metadata:
+  name: admin
+  labels:
+    kops.k8s.io/cluster: {{.clusterName}}
+spec:
+  publicKey: {{.sshPublicKey}}
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  name: nodes-{{$zone}}
+  labels:
+    kops.k8s.io/cluster: {{.clusterName}}
+spec:
+  associatePublicIp: true
+  image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20201112.1
+  machineType: t3.medium
+  maxSize: 4
+  minSize: 4
+  role: Node
+  subnets:
+  - {{$zone}}
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  name: master-{{$zone}}
+  labels:
+    kops.k8s.io/cluster: {{.clusterName}}
+spec:
+  associatePublicIp: true
+  image: 099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20201112.1
+  machineType: c5.large
+  maxSize: 1
+  minSize: 1
+  role: Master
+  subnets:
+  - {{$zone}}

tests/e2e/scenarios/podidentitywebhook/pod.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pod-identity-webhook-test
+  namespace: default
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-identity-webhook-test
+  namespace: default
+spec:
+  containers:
+  - name: aws-cli
+    image: amazon/aws-cli:latest
+    command:
+    - sleep
+    - "300"
+  serviceAccountName: "pod-identity-webhook-test"

tests/e2e/scenarios/podidentitywebhook/run-test.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+REPO_ROOT=$(git rev-parse --show-toplevel);
+source "${REPO_ROOT}"/tests/e2e/scenarios/lib/common.sh
+TEST_ROOT="${REPO_ROOT}/tests/e2e/scenarios/podidentitywebhook"
+
+# shellcheck disable=SC2034
+KOPS_TEMPLATE="${TEST_ROOT}/cluster.yaml.tmpl"
+
+kops-acquire-latest
+
+kops-up
+
+kubectl apply -f "${TEST_ROOT}"/pod.yaml
+
+kubectl -n default wait --for=condition=Ready pod/pod-identity-webhook-test
+
+# This command will exit code 253 if there are no credentials
+kubectl exec -it -n default pod-identity-webhook-test -- aws sts get-caller-identity
+
+
+