Azure · matucker-msft · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -8,6 +8,10 @@ permissions:
   id-token: write
   contents: read
 
+concurrency:
+  group: e2e-${{ github.head_ref }}
+  cancel-in-progress: true
+
 jobs:
   msi_acrpull_e2e:
     env:
@@ -39,8 +43,32 @@ jobs:
           client-id: ${{ env.AZURE_CLIENT_ID }}
           tenant-id: ${{ env.AZURE_TENANT_ID }}
           subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+      - name: Setup infrastructure
+        run: make -C test/ _output/infrastructure.json _output/aks.kubeconfig _output/deploy/prometheus-crds _output/system-vmss-puller.json _output/tenant "UNIQUE_INPUT=${UNIQUE_INPUT}"
+      - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
+        name: Refresh Azure login before ACR build
+        with:
+          client-id: ${{ env.AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.AZURE_TENANT_ID }}
+          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+      - name: Build and push controller image
+        run: make -C test/ _output/image.json "UNIQUE_INPUT=${UNIQUE_INPUT}"
+      - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
+        name: Refresh Azure login before test image imports
+        with:
+          client-id: ${{ env.AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.AZURE_TENANT_ID }}
+          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+        # Refresh OIDC assertion so ACR commands in test targets succeed
       - name: E2E test
         run: make -C test/ test "UNIQUE_INPUT=${UNIQUE_INPUT}"
+      - uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
+        name: Refresh Azure login before cleanup
+        if: ${{ always() }}
+        with:
+          client-id: ${{ env.AZURE_CLIENT_ID }}
+          tenant-id: ${{ env.AZURE_TENANT_ID }}
+          subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
       - name: Cleanup
         if: ${{ always() }}
         run: make -C test/ cleanup "UNIQUE_INPUT=${UNIQUE_INPUT}"
diff --git a/test/Makefile b/test/Makefile
@@ -6,27 +6,39 @@ LOCATION ?= WestUS2
 _output:
 	mkdir _output
 
-_output/tenant: _output/
+_output/tenant: | _output
 	az account show --query tenantId --output tsv > $@
 
-_output/deployment: _output
+_output/deployment: | _output
 	echo -n "$(UNIQUE_INPUT)" | sha256sum | awk '{print $$1}' > _output/deployment
 
 _output/infrastructure.json: _output/deployment
 	az deployment sub create --name "$(shell cat _output/deployment )" --location "$(LOCATION)" --template-file "./infrastructure/resourceGroup.bicep" --parameters "location=$(LOCATION)" --parameters "uniqueIdentifier=$(UNIQUE_INPUT)" --output "json" > _output/infrastructure.json
 
-_output/identity.json: _output
+_output/identity.json: | _output
 	az deployment sub create --name msi-acrpull-e2e-test-runner --template-file "./infrastructure/identity.resourceGroup.bicep" --parameters "location=$(LOCATION)" --output json --location "$(LOCATION)" > _output/identity.json
 
 .PHONY: cleanup-resource-group
 cleanup-resource-group:
-	test -f _output/infrastructure.json && az group delete --yes --name "$(shell jq --raw-output '.properties.outputs.resourceGroup.value' < _output/infrastructure.json )"
-	rm _output/infrastructure.json
+	@if test -f _output/infrastructure.json; then \
+	  rg=$$(jq --raw-output '.properties.outputs.resourceGroup.value' < _output/infrastructure.json 2>/dev/null); \
+	  if [ -n "$$rg" ] && [ "$$rg" != "null" ]; then \
+	    az group delete --yes --name "$$rg"; \
+	  else \
+	    echo "WARNING: could not extract resource group from _output/infrastructure.json, skipping delete"; \
+	  fi; \
+	fi
+	rm -f _output/infrastructure.json
 
 .PHONY: cleanup-deployment
 cleanup-deployment:
-	test -f _output/deployment && az deployment sub delete --name "$(shell cat _output/deployment )"
-	rm _output/deployment
+	@if test -f _output/deployment; then \
+	  name=$$(cat _output/deployment); \
+	  if [ -n "$$name" ]; then \
+	    az deployment sub delete --name "$$name"; \
+	  fi; \
+	fi
+	rm -f _output/deployment
 
 .PHONY: cleanup
 cleanup: cleanup-resource-group cleanup-deployment
@@ -82,7 +94,7 @@ _output/assets/0alertmanagerConfigCustomResourceDefinition.yaml _output/assets/0
 	mkdir -p $(dir $@)
 	wget --quiet --output-document=$@ https://raw.githubusercontent.com/prometheus-operator/kube-prometheus/main/manifests/setup/$(notdir $@)
 
-_output/deploy: _output
+_output/deploy: | _output
 	mkdir -p _output/deploy
 
 _output/deploy/prometheus-crds: _output/deploy prometheus-crds _output/aks.kubeconfig

diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -105,6 +105,8 @@ func TestManagedIdentityPulls(t *testing.T) {
 				})
 			}
 
+			eventuallyServiceAccountExists(t, ctx, client, namespace, "default")
+
 			const pod = "fail"
 			t.Logf("creating pod without service account %s/%s", namespace, pod)
 			if err := client.Create(ctx, &corev1.Pod{