tests: add e2e test to validate auth err does not destroy pod

Author: rquitales

operator/e2e/e2e_test.go

@@ -153,6 +153,35 @@ func TestE2E(t *testing.T) {
 				assert.NotContains(t, stack.Status.Outputs, "notTargeted")
 			},
 		},
+		{
+			name: "random-yaml-auth-error",
+			f: func(t *testing.T) {
+				t.Parallel()
+
+				cmd := exec.Command("kubectl", "apply", "-f", "e2e/testdata/random-yaml-auth-error")
+				require.NoError(t, run(cmd))
+				dumpLogs(t, "random-yaml-auth-error", "pod/random-yaml-auth-error-workspace-0")
+
+				// Ensure the stack is in a failed state with Unauthenticated.
+				_, err := waitFor[pulumiv1.Stack](
+					"stacks/random-yaml-auth-error",
+					"random-yaml-auth-error",
+					5*time.Minute,
+					`jsonpath={.status.conditions[?(@.type=="Ready")].reason}=Unauthenticated`)
+				assert.NoError(t, err)
+
+				// Ensure that we see the event for a succesful StatefulSet creation.
+				found, err := foundEvent("StatefulSet", "random-yaml-auth-error-workspace", "random-yaml-auth-error", "SuccessfulCreate")
+				assert.NoError(t, err)
+				assert.True(t, found)
+
+				// Ensure that the workspace pod was not deleted after reconciling the failed stack.
+				time.Sleep(10 * time.Second)
+				found, err = foundEvent("Pod", "random-yaml-auth-error-workspace-0", "random-yaml-auth-error", "Killing")
+				assert.NoError(t, err)
+				assert.False(t, found)
+			},
+		},
 	}
 
 	for _, tt := range tests {

operator/e2e/testdata/random-yaml-auth-error/manifests.yaml

@@ -0,0 +1,88 @@
+---
+# This NetworkPolicy allows ingress traffic to the source-controller pods
+# from specific namespaces and pods managed by pulumi-kubernetes-operator.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-random-yaml-auth-error-fetch
+  namespace: flux-system
+spec:
+  podSelector:
+    matchLabels:
+      app: source-controller
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: http
+      from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: random-yaml-auth-error
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/managed-by: pulumi-kubernetes-operator
+              app.kubernetes.io/name: pulumi
+              app.kubernetes.io/component: workspace
+  policyTypes:
+    - Ingress
+---
+# Namespace to isolate the random-yaml-auth-error test.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: random-yaml-auth-error
+---
+# Define a Flux Source GitRepository object for syncing Pulumi examples from a GitHub repository
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: pulumi-examples
+  namespace: random-yaml-auth-error
+spec:
+  interval: 10m
+  ref:
+    branch: master
+  timeout: 60s
+  url: https://github.com/pulumi/examples
+---
+apiVersion: pulumi.com/v1
+kind: Stack
+metadata:
+  name: random-yaml-auth-error
+  namespace: random-yaml-auth-error
+spec:
+  fluxSource:
+    sourceRef:
+      apiVersion: source.toolkit.fluxcd.io/v1
+      kind: GitRepository
+      name: pulumi-examples
+    dir: random-yaml
+  stack: dev
+  refresh: false
+  continueResyncOnCommitMatch: false
+  resyncFrequencySeconds: 60
+  destroyOnFinalize: true
+  # Enable file state for testing.
+  envRefs:
+    PULUMI_BACKEND_URL:
+      type: Literal
+      literal:
+        value: "file:///state/"
+    PULUMI_CONFIG_PASSPHRASE:
+      type: Literal
+      literal:
+        value: "test"
+  workspaceTemplate:
+    spec:
+      serviceAccountName: nonexistent-service-account # Purposefully incorrect service account name, to trigger authz error.
+      podTemplate:
+        spec:
+          containers:
+            - name: pulumi
+              volumeMounts:
+                - name: state
+                  mountPath: /state
+          volumes:
+            - name: state
+              persistentVolumeClaim:
+                claimName: state