verify the original secret refs too

test/e2e/parallel/serviceaccount_test.go

@@ -38,8 +38,15 @@ func TestDoNotOverrideServiceAccount(t *testing.T) {
 	nsName := fmt.Sprintf("%s-env", mur.Name)
 
 	expectedSecrets := getSASecrets(t, member, nsName, "namespace-manager")
+	sa, err := member.WaitForServiceAccount(t, nsName, "namespace-manager")
+	require.NoError(t, err)
+	expSecretRefs := sa.Secrets
+	expPullSecretRefs := sa.ImagePullSecrets
 
 	for i := 0; i < 10; i++ {
+		dummySecretRefName := fmt.Sprintf("dummy-secret-%d", i)
+		dummyPullSecretRefName := fmt.Sprintf("dummy-pull-secret-%d", i)
+
 		// update the ServiceAccount values so we can verify that some parts will stay and some will be reverted to the needed values
 		_, err := member.UpdateServiceAccount(t, nsName, "namespace-manager", func(sa *corev1.ServiceAccount) {
 
@@ -50,17 +57,25 @@ func TestDoNotOverrideServiceAccount(t *testing.T) {
 			// add secret and ImagePullSecret refs and expect that they will stay there.
 			// the actual secrets don't exist, but that's fine - we need to check only if the refs stay in the SA resource
 			sa.Secrets = append(sa.Secrets, corev1.ObjectReference{
-				Name: fmt.Sprintf("dummy-secret-%d", i),
+				Name: dummySecretRefName,
 			})
 			sa.ImagePullSecrets = append(sa.ImagePullSecrets, corev1.LocalObjectReference{
-				Name: fmt.Sprintf("dummy-pull-secret-%d", i),
+				Name: dummyPullSecretRefName,
 			})
 
 			// also delete the space label key as we expect that this change should be reverted by the next reconcile loop
 			delete(sa.Labels, v1alpha1.SpaceLabelKey)
 		})
 		require.NoError(t, err)
 
+		// add the generated secret refs to the expected ones
+		expSecretRefs = append(expSecretRefs, corev1.ObjectReference{
+			Name: dummySecretRefName,
+		})
+		expPullSecretRefs = append(expPullSecretRefs, corev1.LocalObjectReference{
+			Name: dummyPullSecretRefName,
+		})
+
 		// Update the namespace annotations & labels to trigger the reconciliation
 		_, err = member.UpdateNamespace(t, nsName, func(ns *corev1.Namespace) {
 			// drop the last-applied-space-roles annotation, so we are sure that the content of the roles are re-applied
@@ -76,29 +91,33 @@ func TestDoNotOverrideServiceAccount(t *testing.T) {
 		require.NoError(t, err)
 		assert.Equal(t, "stay", sa.Annotations["should"])
 
-		for j := 0; j <= i; j++ {
-			expSecretName := fmt.Sprintf("dummy-secret-%d", j)
+		// verify that the expected secret refs are present
+		assert.NotEmpty(t, sa.Secrets)
+		for _, expSecret := range expSecretRefs {
 			secretFound := false
 			for _, secretRef := range sa.Secrets {
-				if secretRef.Name == expSecretName {
+				if secretRef.Name == expSecret.Name {
 					secretFound = true
 					break
 				}
 			}
 			if !secretFound {
-				assert.Fail(t, fmt.Sprintf("secret '%s' not found", expSecretName))
+				assert.Fail(t, fmt.Sprintf("secret '%s' not found", expSecret.Name))
 			}
+		}
 
-			expPullSecretName := fmt.Sprintf("dummy-pull-secret-%d", j)
+		// verify that the expected pull secret refs are present
+		assert.NotEmpty(t, sa.ImagePullSecrets)
+		for _, expPullSecret := range expPullSecretRefs {
 			pullSecretFound := false
 			for _, pullSecretRef := range sa.ImagePullSecrets {
-				if pullSecretRef.Name == expPullSecretName {
+				if pullSecretRef.Name == expPullSecret.Name {
 					pullSecretFound = true
 					break
 				}
 			}
 			if !pullSecretFound {
-				assert.Fail(t, fmt.Sprintf("pull secret '%s' not found", expPullSecretName))
+				assert.Fail(t, fmt.Sprintf("pull secret '%s' not found", expPullSecret.Name))
 			}
 		}