OCPBUGS-69755:CNTRLPLANE-2158:Migrating TestTokenRequestAndReview to ginkgo

cmd/cluster-kube-apiserver-operator-tests-ext/main.go

@@ -19,6 +19,8 @@ import (
 	"k8s.io/klog/v2"
 
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/version"
+	// Import test packages to register Ginkgo tests
+	_ "github.com/openshift/cluster-kube-apiserver-operator/test/e2e"
 )
 
 func main() {

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/imdario/mergo v0.3.8
 	github.com/miekg/dns v1.1.61
+	github.com/onsi/ginkgo/v2 v2.21.0
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20250804142706-7b3ab438a292
 	github.com/openshift/api v0.0.0-20251015095338-264e80a2b6e7
 	github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
@@ -78,7 +79,6 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/onsi/ginkgo/v2 v2.21.0 // indirect
 	github.com/onsi/gomega v1.35.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect

test/e2e/bound_sa_token.go

@@ -0,0 +1,75 @@
+package e2e
+
+import (
+	"context"
+	"testing"
+
+	g "github.com/onsi/ginkgo/v2"
+	"github.com/stretchr/testify/require"
+
+	authenticationv1 "k8s.io/api/authentication/v1"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+
+	testlibrary "github.com/openshift/cluster-kube-apiserver-operator/test/library"
+)
+
+var _ = g.Describe("[sig-api-machinery] kube-apiserver operator", func() {
+	g.It("[Operator][Serial] TestTokenRequestAndReview", func() {
+		testTokenRequestAndReview(g.GinkgoTB())
+	})
+})
+
+// testTokenRequestAndReview checks that bound sa tokens are correctly
+// configured. A token is requested via the TokenRequest API and
+// validated via the TokenReview API.
+func testTokenRequestAndReview(t testing.TB) {
+	kubeConfig, err := testlibrary.NewClientConfigForTest()
+	require.NoError(t, err)
+	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
+	require.NoError(t, err)
+	corev1client := kubeClient.CoreV1()
+
+	// Create all test resources in a temp namespace that will be
+	// removed at the end of the test to avoid requiring explicit
+	// cleanup.
+	ns, err := corev1client.Namespaces().Create(context.TODO(), &v1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			GenerateName: "e2e-token-request-",
+		},
+	}, metav1.CreateOptions{})
+	require.NoError(t, err)
+	defer func() {
+		err := corev1client.Namespaces().Delete(context.TODO(), ns.Name, metav1.DeleteOptions{})
+		require.NoError(t, err)
+	}()
+	namespace := ns.Name
+
+	sa, err := corev1client.ServiceAccounts(namespace).Create(context.TODO(), &v1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-service-account",
+		},
+	}, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	treq, err := corev1client.ServiceAccounts(sa.Namespace).CreateToken(context.TODO(),
+		sa.Name,
+		&authenticationv1.TokenRequest{
+			Spec: authenticationv1.TokenRequestSpec{
+				// Avoid specifying any audiences so that the token will be
+				// issued for the default audience of the issuer.
+			},
+		},
+		metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	trev, err := kubeClient.AuthenticationV1().TokenReviews().Create(context.TODO(), &authenticationv1.TokenReview{
+		Spec: authenticationv1.TokenReviewSpec{
+			Token: treq.Status.Token,
+		},
+	}, metav1.CreateOptions{})
+	require.NoError(t, err)
+	require.Empty(t, trev.Status.Error)
+	require.True(t, trev.Status.Authenticated)
+}

test/e2e/bound_sa_token_test.go

@@ -8,13 +8,11 @@ import (
 
 	"github.com/stretchr/testify/require"
 
-	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
-	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/client-go/kubernetes"
+
 	clientcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 
 	tokenctl "github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/boundsatokensignercontroller"
@@ -171,52 +169,12 @@ func checkCertConfigMap(t *testing.T, kubeClient *clientcorev1.CoreV1Client, exp
 // TestTokenRequestAndReview checks that bound sa tokens are correctly
 // configured. A token is requested via the TokenRequest API and
 // validated via the TokenReview API.
+//
+// This test calls the shared testTokenRequestAndReview function which
+// can be called from both standard Go tests and Ginkgo tests.
+//
+// This situation is temporary until we test the new e2e-gcp-operator-serial-ote job.
+// Eventually all tests will be run only as part of the OTE framework.
 func TestTokenRequestAndReview(t *testing.T) {
-	kubeConfig, err := testlibrary.NewClientConfigForTest()
-	require.NoError(t, err)
-	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
-	require.NoError(t, err)
-	corev1client := kubeClient.CoreV1()
-
-	// Create all test resources in a temp namespace that will be
-	// removed at the end of the test to avoid requiring explicit
-	// cleanup.
-	ns, err := corev1client.Namespaces().Create(context.TODO(), &v1.Namespace{
-		ObjectMeta: metav1.ObjectMeta{
-			GenerateName: "e2e-token-request-",
-		},
-	}, metav1.CreateOptions{})
-	require.NoError(t, err)
-	defer func() {
-		err := corev1client.Namespaces().Delete(context.TODO(), ns.Name, metav1.DeleteOptions{})
-		require.NoError(t, err)
-	}()
-	namespace := ns.Name
-
-	sa, err := corev1client.ServiceAccounts(namespace).Create(context.TODO(), &v1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "test-service-account",
-		},
-	}, metav1.CreateOptions{})
-	require.NoError(t, err)
-
-	treq, err := corev1client.ServiceAccounts(sa.Namespace).CreateToken(context.TODO(),
-		sa.Name,
-		&authenticationv1.TokenRequest{
-			Spec: authenticationv1.TokenRequestSpec{
-				// Avoid specifying any audiences so that the token will be
-				// issued for the default audience of the issuer.
-			},
-		},
-		metav1.CreateOptions{})
-	require.NoError(t, err)
-
-	trev, err := kubeClient.AuthenticationV1().TokenReviews().Create(context.TODO(), &authenticationv1.TokenReview{
-		Spec: authenticationv1.TokenReviewSpec{
-			Token: treq.Status.Token,
-		},
-	}, metav1.CreateOptions{})
-	require.NoError(t, err)
-	require.Empty(t, trev.Status.Error)
-	require.True(t, trev.Status.Authenticated)
+	testTokenRequestAndReview(t)
 }