34 changes: 34 additions & 0 deletions test/e2e/helpers.go
Expand Up @@ -47,6 +47,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
typedappsv1 "k8s.io/client-go/kubernetes/typed/apps/v1"
Expand All @@ -58,6 +59,7 @@ import (
"sigs.k8s.io/cluster-api/test/framework/kubernetesversions"
"sigs.k8s.io/controller-runtime/pkg/client"

infrav1 "sigs.k8s.io/cluster-api-provider-azure/api/v1beta1"
"sigs.k8s.io/cluster-api-provider-azure/azure"
)

Expand Down Expand Up @@ -854,4 +856,36 @@ func waitForWebhookCAInjection(ctx context.Context, c client.Client) {
}
}
}, 5*time.Minute, 5*time.Second).Should(Succeed(), "cert-manager cainjector did not inject CA bundles into webhook configurations in time")

// Even after the CABundle is populated on the webhook configuration, the
// kube-apiserver may not have picked up the updated config from its
// informer cache yet. Perform a dry-run create of an AzureCluster to
// verify the CAPZ mutating webhook is reachable end-to-end with valid TLS.
Comment on lines +860 to +863
Contributor

The big mystery for me is that even the default ApplyCusterTemplateAndWait does retries over the course of one minute. Either the webhooks work the first time or they fail several times in a row for 1 minute. Is this check basically doing that same thing but for 5 minutes? Have we seen cases in this PR where the webhooks fail for more than 1 minute but less than 5 minutes?

By("Verifying CAPZ webhook is reachable via dry-run create")
Eventually(func() error {
obj := &infrav1.AzureCluster{
ObjectMeta: metav1.ObjectMeta{
Name: "capz-webhook-probe",
Namespace: "default",
},
Spec: infrav1.AzureClusterSpec{
AzureClusterClassSpec: infrav1.AzureClusterClassSpec{
SubscriptionID: "00000000-0000-0000-0000-000000000000",
Location: "eastus",
},
ResourceGroup: "capz-webhook-probe",
},
}
err := client.NewDryRunClient(c).Create(ctx, obj)
if err == nil {
return nil
}
// A webhook validation rejection (e.g. Invalid/Forbidden) means the
// webhook was reachable with valid TLS, which is all we need to verify.
// Only keep retrying on errors that indicate TLS is not yet working.
if apierrors.IsInvalid(err) || apierrors.IsForbidden(err) {
return nil
}
return err
}, 5*time.Minute, 5*time.Second).Should(Succeed(), "dry-run AzureCluster create failed, webhook TLS may not be ready")
}
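Review bot: Treating `apierrors.IsForbidden(err)` as success in the dry-run probe can report the webhook as ready when it was never reached: a 403 is also what the apiserver returns when the test client lacks RBAC permission to create AzureClusters, and authorization runs before admission, so the mutating webhook would not have been exercised at all in that case. Consider dropping `IsForbidden` from the success set, or inspecting the status reason/message to distinguish a webhook denial from an authorization failure before returning nil. Two smaller points on the same block: the probe uses a fixed name (`capz-webhook-probe` in `default`), so if an object with that name already exists the dry-run create returns AlreadyExists and the loop retries for the full 5 minutes even though the webhook was reachable; and the comment "Only keep retrying on errors that indicate TLS is not yet working" overstates what the code does, since `return err` retries on every other error class, not only TLS/connection failures.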