Let Kaniko E2E test work with a KO_DOCKER_REPO env

[afrittoli]

Changes

If test runner set a KO_DOCKER_REPO variable, use it, so we run the tests
against an external container registry. If not set, the kaniko tests
will spin up its own local registry. Bring back the GCP secret support
so this works in the existing CI, but also supports the case where
KO_DOCKER_REPO points to a container registry where no secret required,
like in the kind based tests.

Add a "test_setup" function to the e2e script, which is picked up after
the setup of the cluster, which provisions a GCP service account to be
used by tests via the GCP_SERVICE_ACCOUNT_KEY_PATH env variable.

Since the local registry runs on HTTP (not HTTPS), the local registry
approach does not work for the helm test as the kubelet tries to use
HTTPS. If KO_DOCKER_REPO is not specified we either fail or skip the
test (no change in behaviour) depending on the value of missingKoFatal

This setup makes it easier to run E2E tests in different environments,
where a registry may or may not be available.

Signed-off-by: Andrea Frittoli andrea.frittoli@uk.ibm.com
/kind misc

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• [-] Docs included if any changes are user facing
• Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including
  functionality, content, code)
• Release notes block below has been filled in or deleted (only if no user facing changes)

Release Notes

NONE

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign afrittoli
You can assign the PR to them by writing /assign @afrittoli in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[afrittoli]

/cc @vdemeester

[vdemeester]

Sounds ok, I just need to validate that it works fine on our OpenShift CI 😅

[afrittoli]

/test pull-tekton-pipeline-alpha-integration-tests
/test pull-tekton-pipeline-integration-tests

[afrittoli]

/test pull-tekton-pipeline-unit-tests

[tekton-robot]

@afrittoli: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-tekton-pipeline-integration-tests	cdec71d	link	/test pull-tekton-pipeline-integration-tests
pull-tekton-pipeline-alpha-integration-tests	cdec71d	link	/test pull-tekton-pipeline-alpha-integration-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[tekton-robot]

@afrittoli: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-tekton-pipeline-integration-tests	cdec71d	link	/test pull-tekton-pipeline-integration-tests
pull-tekton-pipeline-alpha-integration-tests	cdec71d	link	/test pull-tekton-pipeline-alpha-integration-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[afrittoli]

Creating a service account with the right permissions to run the tests does not seem to work:

=================================
==== SETTING UP TEST CLUSTER ====
=================================
- Project is tekton-prow-8
- Cluster is gke_tekton-prow-8_us-central1_tpipeline-e2e-cls1466744752903819268
- User is prow-account@tekton-releases.iam.gserviceaccount.com
- Docker is gcr.io/tekton-prow-8/tpipeline-e2e-img
Updated property [core/project].
WARNING: You do not appear to have access to project [tekton-prow-8] or it does not exist.
Created service account [tekton-prow-8].
ERROR: (gcloud.projects.add-iam-policy-binding) User [prow-account@tekton-releases.iam.gserviceaccount.com] does not have permission to access projects instance [tekton-prow-8:getIamPolicy] (or it may not exist): Cloud Resource Manager API has not been used in project 574248271492 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=574248271492 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
- '@type': type.googleapis.com/google.rpc.Help
  links:
  - description: Google developers console API activation
    url: https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=574248271492
- '@type': type.googleapis.com/google.rpc.ErrorInfo
  domain: googleapis.com
  metadata:
    consumer: projects/574248271492
    service: cloudresourcemanager.googleapis.com
  reason: SERVICE_DISABLED
ERROR: (gcloud.iam.service-accounts.keys.create) FAILED_PRECONDITION: Key creation is not allowed on this service account.
- '@type': type.googleapis.com/google.rpc.PreconditionFailure
  violations:
  - description: Key creation is not allowed on this service account.
    subject: projects/tekton-prow-8/serviceAccounts/tekton-prow-8@tekton-prow-8.iam.gserviceaccount.com?configvalue=tekton-prow-8%40tekton-prow-8.iam.gserviceaccount.com
    type: constraints/iam.disableServiceAccountKeyCreation
================================

[afrittoli]

/hold

[nikhil-thomas]

Sounds ok, I just need to validate that it works fine on our OpenShift CI 😅

@vdemeester I think this would be ok as:

1. at present, we use a separate e2e test script (but i agree, this is not ideal and we should start using this script as soon as we can).
2. we will not touch the ìnitialize part any way for tests on OpenShift. The switches in PR: Add some switches to the e2e script ⚙️ #4400 will make this easy to disable while testing on OpenShift
3. we run tests with github.com/tektoncd/pipeline/test/v1alpha1.missingKoFatal=false here

cc @barthy1

[barthy1]

just fyi I've tested the proposed code with s390x nightly pipeline test suite (pure k8s, KO_DOCKER_REPO is specified and remote, registry is HTTP). Everything works perfectly.

[tekton-robot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

[tekton-robot]

@afrittoli: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tekton-robot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

[tekton-robot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

[tekton-robot]

@tekton-robot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen with a justification.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/close

Send feedback to tektoncd/plumbing.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.