Fix unit test flaky for IPsec controller

[xliuxu]

Wait one second as the fake clientset doesn't support watching with specific resourceVersion.
Otherwise the update event would be missed by the watcher used in csrutil.WaitForCertificate()
if it happens to be generated in-between the List and Watch calls.

Fixes: #3851

Signed-off-by: Xu Liu [email protected]

[codecov]

Codecov Report

Merging #4016 (5251bd0) into main (e5a98dc) will increase coverage by 6.24%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #4016      +/-   ##
==========================================
+ Coverage   61.51%   67.75%   +6.24%     
==========================================
  Files         294      297       +3     
  Lines       43726    43820      +94     
==========================================
+ Hits        26897    29691    +2794     
+ Misses      14578    11806    -2772     
- Partials     2251     2323      +72     

Flag	Coverage Δ
integration-tests	35.97% <ø> (?)
kind-e2e-tests	51.32% <ø> (+6.78%)	⬆️
unit-tests	44.21% <ø> (-0.05%)	⬇️

Impacted Files	Coverage Δ
pkg/apiserver/handlers/endpoint/handler.go	56.52% <0.00%> (-13.05%)	⬇️
pkg/controller/ipam/antrea_ipam_controller.go	76.41% <0.00%> (-2.63%)	⬇️
pkg/controller/externalippool/controller.go	83.03% <0.00%> (-1.79%)	⬇️
...gent/controller/noderoute/node_route_controller.go	56.12% <0.00%> (-1.47%)	⬇️
pkg/ovs/openflow/ofctrl_packetout.go	79.71% <0.00%> (-0.87%)	⬇️
pkg/agent/cniserver/ipam/testing/utils.go	92.85% <0.00%> (ø)
...icluster/controllers/multicluster/common/helper.go	58.00% <0.00%> (ø)
pkg/agent/cniserver/testing/utils.go	100.00% <0.00%> (ø)
...ntroller/networkpolicy/networkpolicy_controller.go	82.32% <0.00%> (+0.31%)	⬆️
pkg/agent/controller/networkpolicy/reconciler.go	68.90% <0.00%> (+0.48%)	⬆️
... and 75 more

[tnqn]

The fake watcher registers their watches synchronously, so it should be impossible that a watcher missed an event of an object created after the watch started.

I suspect the issue is that WaitForCertificate missed the update event triggered by the signer because it uses a ListWatch, the fake clientset doesn't support watching from a specific resource version, so a fake ListWatch actually sends two individual requests, a List request and a subsequent Watch request. If the signer happens to sign the CSR in between the two requests, WaitForCertificate would never receive the update event.

This can be confirmed by adding a log to the signer to check when the failure happens, does the signer signs a CSR.

My previous comment about the defect of fake clientset:

antrea/pkg/agent/controller/noderoute/node_route_controller_test.go

Lines 101 to 103 in 4b788e7

	// Must wait for cache sync, otherwise resource creation events will be missing if the resources are created
	// in-between list and watch call of an informer. This is because fake clientset doesn't support watching with
	// resourceVersion. A watcher of fake clientset only gets events that happen after the watcher is created.

[xliuxu]

You are right and I misunderstood the goroutine in the Watch API. I think the issue did exist in WaitForCertificate when using the fake clientset. But I did not come up with a simple and clean solution for this issue. How about just waiting for one second before updating the CSR in the tests?

[tnqn]

I can't think of a better solution, I'm fine with fixing it in this way first. If it still fails in the future, perhaps we could updating the CSR multiple times to make sure the watcher will receive updates.

[tnqn]

PR description needs update

[tnqn]

LGTM

[tnqn]

/skip-all