fix(test): Fix flaky VPC e2e tests for SG rule deletion

[sapphirew]

Issue #, if available:

Description of changes:

The test_crud_tags test failed because the ACK runtime's EnsureTags persist ACK system tags (services.k8s.aws/controller-version, services.k8s.aws/namespace) into spec.tags during reconciliation. Filter out tags with the services.k8s.aws/ prefix before asserting user tag counts and values.

The test_disallow_default_security_group_rule test failed because the controller was too busy processing other resources to complete the reconcile within the fixed 10-second sleep. Replace time.sleep with wait_on_condition("ACK.ResourceSynced", "True") which polls until the controller signals reconciliation is complete.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[ack-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sapphirew
Once this PR has been reviewed and has the lgtm label, please assign knottnt for approval by writing /assign @knottnt in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gustavodiaz7722]

Can we update this to use shared util functions for asserting without ack tags? Heres an example from emr-serverless

https://github.com/aws-controllers-k8s/emrserverless-controller/blob/main/test/e2e/tests/test_application.py#L193

        updated_tags = {"environment": "production", "team": "data-platform"}
        cr = k8s.get_resource(ref)
        cr["spec"]["tags"] = updated_tags
        k8s.replace_custom_resource(ref, cr)
        time.sleep(MODIFY_WAIT_AFTER_SECONDS)
        
        assert k8s.wait_on_condition(ref, "ACK.ResourceSynced", "True", wait_periods=10)
        
        response = emrserverless_client.list_tags_for_resource(resourceArn=application_arn)
        latest_tags = response["tags"]
        
        tags.assert_ack_system_tags(tags=latest_tags)
        tags.assert_equal_without_ack_tags(expected=updated_tags, actual=latest_tags)

[sapphirew]

Good call, updated to use the shared lib for tags assertion

[sapphirew]

Looks like the tests already make tags assertion above. Going to drop this change until have a clear root cause.

[gustavodiaz7722]

Same thing here, use shared utility functions for asserting without ack tags

[gustavodiaz7722]

Same thing here, use shared utility functions for asserting without ack tags

[knottnt]

@sapphirew I think this is actually a bug in the ec2-controller. The system tags should be filtered before patching the spec.tags field.

[sapphirew]

@sapphirew I think this is actually a bug in the ec2-controller. The system tags should be filtered before patching the spec.tags field.

@knottnt I couldn't root cause the bug for tags in the ec2-controller yet. Going to reduce the scope of the fix to test_disallow_default_security_group_rule only and follow up on that

[sapphirew]

/retest

[michaelhtm]

@sapphirew
System tags are not supposed to be patched to the resource. I'll continue investigating this bug and address it
/hold

[michaelhtm]

This PR should fix system tags issues: aws-controllers-k8s/code-generator#702

[knottnt]

nit: I don't think this is true anymore after you previous PR.

Suggested change

	# Wait for the controller to finish reconciling (SG rule deletion
	# happens inline during creation but the controller may be busy)
	# Wait for the controller to finish reconciling (SG rule deletion
	# happens in update path after initial creation)