diff --git a/examples/rrsa/java-sdk/deploy.yaml b/examples/rrsa/java-sdk/deploy.yaml
index ccd1aba9..8ed622e9 100644
--- a/examples/rrsa/java-sdk/deploy.yaml
+++ b/examples/rrsa/java-sdk/deploy.yaml
@@ -27,6 +27,6 @@ spec:
serviceAccountName: demo-sa
restartPolicy: Never
containers:
- - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-rrsa-example-java
+ - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-java
imagePullPolicy: "Always"
name: test
diff --git a/examples/rrsa/java-sdk/pom.xml b/examples/rrsa/java-sdk/pom.xml
index 032d99ca..f7a682bb 100644
--- a/examples/rrsa/java-sdk/pom.xml
+++ b/examples/rrsa/java-sdk/pom.xml
@@ -21,12 +21,6 @@
0.2.10
-
- com.aliyun.oss
- aliyun-sdk-oss
- 3.16.1
-
-
diff --git a/examples/rrsa/java-sdk/src/main/java/com/alibabacloud/Demo.java b/examples/rrsa/java-sdk/src/main/java/com/alibabacloud/Demo.java
index b39a63dc..28b66f99 100644
--- a/examples/rrsa/java-sdk/src/main/java/com/alibabacloud/Demo.java
+++ b/examples/rrsa/java-sdk/src/main/java/com/alibabacloud/Demo.java
@@ -5,13 +5,6 @@
import com.aliyun.cs20151215.models.DescribeClustersRequest;
import com.aliyun.cs20151215.models.DescribeClustersResponse;
-// only for oss sdk
-import com.aliyun.oss.ClientBuilderConfiguration;
-import com.aliyun.oss.OSS;
-import com.aliyun.oss.common.auth.*;
-import com.aliyun.oss.OSSClientBuilder;
-import com.aliyun.oss.model.Bucket;
-
import java.util.List;
class TestOpenAPISDK {
@@ -35,57 +28,11 @@ public void CallAPI(com.aliyun.credentials.Client cred) throws Exception {
}
}
-class OSSCredentialProvider implements CredentialsProvider {
-
- private final com.aliyun.credentials.Client cred;
-
- public OSSCredentialProvider(com.aliyun.credentials.Client cred) {
- this.cred = cred;
- }
-
- public void setCredentials(Credentials creds) {
- }
-
- @Override
- public Credentials getCredentials() {
- String ak = cred.getAccessKeyId();
- String sk = cred.getAccessKeySecret();
- String token = cred.getSecurityToken();
- return new DefaultCredentials(ak, sk, token);
- }
-}
-
-class TestOSSSDK {
-
- public void CallAPI(com.aliyun.credentials.Client cred) throws Exception {
- // new provider
- OSSCredentialProvider provider = new OSSCredentialProvider(cred);
- String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
- // new client config
- ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
-
- // init client
- OSS ossClient = new OSSClientBuilder().build(endpoint, provider, conf);
-
- // call api
- List buckets = ossClient.listBuckets();
- System.out.println("call oss.listBuckets via oidc token success:\n");
- for (Bucket bucket : buckets) {
- System.out.println(" - " + bucket.getName());
- }
- System.out.println();
-
- ossClient.shutdown();
- }
-
-}
-
-
public class Demo {
public static void main(String[] args) throws Exception {
// 两种方式都可以
- com.aliyun.credentials.Client cred = new Client();
+ com.aliyun.credentials.Client cred = new com.aliyun.credentials.Client();
// or
// com.aliyun.credentials.Client cred = newOidcCred();
@@ -96,13 +43,6 @@ public static void main(String[] args) throws Exception {
TestOpenAPISDK openapiSdk = new TestOpenAPISDK();
openapiSdk.CallAPI(cred);
- // test oss sdk (https://github.com/aliyun/aliyun-oss-java-sdk) use rrsa oidc token
- if (System.getenv("TEST_OSS_SDK") != null && System.getenv("TEST_OSS_SDK").equals("true")) {
- System.out.println("\n");
- System.out.println("test oss sdk use rrsa oidc token");
- TestOSSSDK osssdk = new TestOSSSDK();
- osssdk.CallAPI(cred);
- }
}
static com.aliyun.credentials.Client newOidcCred() throws Exception {
@@ -113,6 +53,6 @@ static com.aliyun.credentials.Client newOidcCred() throws Exception {
credConf.oidcProviderArn = System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN");
credConf.oidcTokenFilePath = System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE");
credConf.roleSessionName = "test-rrsa-oidc-token";
- return new Client(credConf);
+ return new com.aliyun.credentials.Client(credConf);
}
}
diff --git a/examples/rrsa/java-sdk/test.sh b/examples/rrsa/java-sdk/test.sh
index 6beda6c1..2f4e46ee 100644
--- a/examples/rrsa/java-sdk/test.sh
+++ b/examples/rrsa/java-sdk/test.sh
@@ -5,6 +5,8 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
CLUSTER_ID="$1"
KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
NAMESPACE="rrsa-demo-java-sdk"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="test-cs-describe-clusters"
trap cleanup EXIT
@@ -27,13 +29,15 @@ function install_helper() {
function setup_role() {
bar_tip "setup ram role"
- aliyun ram CreatePolicy --PolicyName cs-describe-clusters --PolicyDocument '{
+ aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+ aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
- "cs:DescribeClusters"
+ "cs:DescribeClusters",
+ "cs:GetClusters"
],
"Resource": [
"*"
@@ -46,15 +50,16 @@ function setup_role() {
ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
--namespace "${NAMESPACE}" \
--service-account demo-sa \
- --role-name test-rrsa-demo \
+ --role-name ${ROLE_NAME} \
--create-role-if-not-exist \
- --attach-custom-policy cs-describe-clusters
+ --attach-custom-policy ${POLICY_NAME}
}
function deploy_demo() {
bar_tip "deploy demo"
ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml"
kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
}
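Review bot: The added `kubectl ... delete -f "${SCRIPT_DIR}/deploy.yaml"` in `deploy_demo` exits non-zero when the resources do not exist yet, and the script appears to run under `set -e` (cleanup re-enables it), so a first run against a clean cluster would abort before `apply`. Adding the flag keeps the re-run behaviour without that failure: `kubectl --kubeconfig "${KUBECONFIG_PATH}" delete -f "${SCRIPT_DIR}/deploy.yaml" --ignore-not-found`. The same line is added in `deploy_demo` of examples/rrsa/oss-java-sdk/test.sh, where `set -e` is visible at the top of the file. `${ROLE_NAME}`, `${POLICY_NAME}` and `${KUBECONFIG_PATH}` are also expanded unquoted in this hunk; quoting them would match the `"${CLUSTER_ID}"` style already used on the neighbouring lines.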
@@ -70,6 +75,7 @@ function cleanup() {
bar_tip "cleanup"
rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
set -e
}
diff --git a/examples/rrsa/oss-java-sdk/.gitignore b/examples/rrsa/oss-java-sdk/.gitignore
new file mode 100644
index 00000000..bdee5e9b
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/.gitignore
@@ -0,0 +1,4 @@
+.idea/
+out/
+/target/
+*.iml
diff --git a/examples/rrsa/oss-java-sdk/Dockerfile b/examples/rrsa/oss-java-sdk/Dockerfile
new file mode 100644
index 00000000..2052ea24
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/Dockerfile
@@ -0,0 +1,16 @@
+FROM maven:3.8.7-openjdk-18-slim as builder
+# TARGETPLATFORM
+
+WORKDIR /app
+COPY src/main/java/com/alibabacloud/Demo.java ./src/main/java/com/alibabacloud/
+COPY pom.xml ./
+RUN mvn package
+
+
+FROM openjdk:18-slim-buster
+
+WORKDIR /app
+
+COPY --from=builder /app/target/demo-1.0-SNAPSHOT-jar-with-dependencies.jar ./
+
+CMD java -jar ./demo-1.0-SNAPSHOT-jar-with-dependencies.jar
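Review bot: The final stage never sets a `USER`, so the demo runs as root by default even though it handles the pod's OIDC token and the temporary credentials derived from it. Add a non-root user before `CMD`, for example `USER nobody`, after confirming that the token file mounted into the pod stays readable for that user. The shell-form `CMD` also puts `sh -c` in front of the JVM; `CMD ["java", "-jar", "./demo-1.0-SNAPSHOT-jar-with-dependencies.jar"]` lets java receive signals directly. Both `FROM` lines reference mutable tags, so pinning them by digest would make the published example image reproducible.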
diff --git a/examples/rrsa/oss-java-sdk/README.md b/examples/rrsa/oss-java-sdk/README.md
new file mode 100644
index 00000000..209280da
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/README.md
@@ -0,0 +1,68 @@
+# java-sdk
+
+## Usage
+
+1. Enable RRSA:
+
+```
+export CLUSTER_ID=
+ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+```
+
+2. Install ack-pod-identity-webhook:
+
+```
+ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+```
+
+
+3. Create an RAM Policy:
+
+```
+aliyun ram CreatePolicy --PolicyName oss-list-buckets --PolicyDocument '{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "oss:ListBuckets"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Condition": {}
+ }
+ ]
+}'
+```
+
+4. Associate an RAM Role to the service account and attach the policy to the role:
+
+```
+ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+ --namespace rrsa-demo-oss-java-sdk \
+ --service-account demo-sa \
+ --role-name test-rrsa-demo \
+ --create-role-if-not-exist \
+ --attach-custom-policy oss-list-buckets
+```
+
+5. Deploy demo job:
+
+```
+ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > kubeconfig
+kubectl --kubeconfig ./kubeconfig apply -f deploy.yaml
+```
+
+6. Get logs:
+
+```
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-java-sdk wait --for=condition=complete job/demo --timeout=240s
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-java-sdk logs job/demo
+```
+
+Outputs:
+
+```
+
+```
diff --git a/examples/rrsa/oss-java-sdk/deploy.yaml b/examples/rrsa/oss-java-sdk/deploy.yaml
new file mode 100644
index 00000000..69094ee1
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/deploy.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: rrsa-demo-java-sdk
+ labels:
+ pod-identity.alibabacloud.com/injection: 'on'
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: demo-sa
+ namespace: rrsa-demo-java-sdk
+ annotations:
+ pod-identity.alibabacloud.com/role-name: test-rrsa-demo
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: demo
+ namespace: rrsa-demo-java-sdk
+spec:
+ template:
+ spec:
+ serviceAccountName: demo-sa
+ restartPolicy: Never
+ containers:
+ - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-oss-java
+ imagePullPolicy: "Always"
+ name: test
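Review bot: The Namespace is named `rrsa-demo-java-sdk` and the ServiceAccount and Job both set `namespace: rrsa-demo-java-sdk`, while this example's test.sh and README associate the RAM role with `demo-sa` in `rrsa-demo-oss-java-sdk` and run `wait`/`logs` against `job/demo` there. As written the Job lands in the namespace of the sibling java-sdk example, so those steps would not find it, and the pod would depend on whatever role association exists for that other namespace rather than the one created for this example. Use `name: rrsa-demo-oss-java-sdk` for the Namespace and `namespace: rrsa-demo-oss-java-sdk` for the ServiceAccount and the Job. Both examples also share the role name `test-rrsa-demo`, so the role may end up carrying the other example's policy; a separate role per example would keep each demo at least privilege.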
diff --git a/examples/rrsa/oss-java-sdk/pom.xml b/examples/rrsa/oss-java-sdk/pom.xml
new file mode 100644
index 00000000..f3a619a3
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/pom.xml
@@ -0,0 +1,75 @@
+
+
+ 4.0.0
+
+ com.alibabacloud
+ demo
+ 1.0-SNAPSHOT
+
+
+
+
+ com.aliyun
+ credentials-java
+ 0.2.10
+
+
+
+ com.aliyun.oss
+ aliyun-sdk-oss
+ 3.16.1
+
+
+
+
+
+ 3.8.0
+ 18
+ 18
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-jar-plugin
+ 3.3.0
+
+
+
+ true
+ com.alibabacloud.Demo
+
+
+
+
+
+
+ maven-assembly-plugin
+ 3.4.2
+
+
+
+ com.alibabacloud.Demo
+
+
+
+ jar-with-dependencies
+
+
+
+
+ make-assembly
+ package
+
+ single
+
+
+
+
+
+
+
+
diff --git a/examples/rrsa/oss-java-sdk/src/main/java/com/alibabacloud/Demo.java b/examples/rrsa/oss-java-sdk/src/main/java/com/alibabacloud/Demo.java
new file mode 100644
index 00000000..ec7cbfde
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/src/main/java/com/alibabacloud/Demo.java
@@ -0,0 +1,84 @@
+package com.alibabacloud;
+
+// com.aliyun:credentials-java >= 0.2.10
+import com.aliyun.credentials.Client;
+
+import com.aliyun.oss.ClientBuilderConfiguration;
+import com.aliyun.oss.OSS;
+import com.aliyun.oss.common.auth.*;
+import com.aliyun.oss.OSSClientBuilder;
+import com.aliyun.oss.model.Bucket;
+
+import java.util.List;
+
+class OSSCredentialProvider implements CredentialsProvider {
+
+ private final com.aliyun.credentials.Client cred;
+
+ public OSSCredentialProvider(com.aliyun.credentials.Client cred) {
+ this.cred = cred;
+ }
+
+ public void setCredentials(Credentials creds) {
+ }
+
+ @Override
+ public Credentials getCredentials() {
+ String ak = cred.getAccessKeyId();
+ String sk = cred.getAccessKeySecret();
+ String token = cred.getSecurityToken();
+ return new DefaultCredentials(ak, sk, token);
+ }
+}
+
+class TestOSSSDK {
+
+ public void CallAPI(com.aliyun.credentials.Client cred) throws Exception {
+ // new provider
+ OSSCredentialProvider provider = new OSSCredentialProvider(cred);
+ String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
+ // new client config
+ ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
+
+ // init client
+ OSS ossClient = new OSSClientBuilder().build(endpoint, provider, conf);
+
+ // call api
+ List buckets = ossClient.listBuckets();
+ System.out.println("call oss.listBuckets via oidc token success:\n");
+ for (Bucket bucket : buckets) {
+ System.out.println(" - " + bucket.getName());
+ }
+ System.out.println();
+
+ ossClient.shutdown();
+ }
+
+}
+
+
+public class Demo {
+
+ public static void main(String[] args) throws Exception {
+ // 两种方式都可以
+ com.aliyun.credentials.Client cred = new com.aliyun.credentials.Client();
+ // or
+ // com.aliyun.credentials.Client cred = newOidcCred();
+
+ // test oss sdk (https://github.com/aliyun/aliyun-oss-java-sdk) use rrsa oidc token
+ System.out.println("test oss sdk use rrsa oidc token");
+ TestOSSSDK osssdk = new TestOSSSDK();
+ osssdk.CallAPI(cred);
+ }
+
+ static com.aliyun.credentials.Client newOidcCred() throws Exception {
+ // new credential which use rrsa oidc token
+ com.aliyun.credentials.models.Config credConf = new com.aliyun.credentials.models.Config();
+ credConf.type = "oidc_role_arn";
+ credConf.roleArn = System.getenv("ALIBABA_CLOUD_ROLE_ARN");
+ credConf.oidcProviderArn = System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN");
+ credConf.oidcTokenFilePath = System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE");
+ credConf.roleSessionName = "test-rrsa-oidc-token";
+ return new com.aliyun.credentials.Client(credConf);
+ }
+}
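Review bot: `TestOSSSDK.CallAPI` reaches `ossClient.shutdown()` only on the success path, so a failing `listBuckets()` (for example an authorization error from the assumed role) leaves the client open; wrap the call and the print loop in `try { ... } finally { ossClient.shutdown(); }`. In `newOidcCred`, the three `System.getenv(...)` values are assigned without a null check, so a pod missing those variables would fail later with a less clear error. A check such as `java.util.Objects.requireNonNull(System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE"), "ALIBABA_CLOUD_OIDC_TOKEN_FILE")` names the missing variable at the point of failure. `getCredentials()` reads the key id, secret and token in three separate calls; whether the underlying client can refresh between them, which would mix two sessions, is worth confirming against the credentials library and noting in a comment.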
diff --git a/examples/rrsa/oss-java-sdk/test.sh b/examples/rrsa/oss-java-sdk/test.sh
new file mode 100644
index 00000000..126b9ab7
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/test.sh
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+set -e
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
+CLUSTER_ID="$1"
+KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
+NAMESPACE="rrsa-demo-oss-java-sdk"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="test-oss-list-buckets"
+
+trap cleanup EXIT
+
+function bar_tip() {
+ echo -e "\n=== $1 ===\n"
+}
+
+function enable_rrsa() {
+ bar_tip "enable RRSA"
+
+ ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+}
+
+function install_helper() {
+ bar_tip "install ack-pod-identity-webhook"
+
+ ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+}
+
+function setup_role() {
+ bar_tip "setup ram role"
+
+ aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+ aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "oss:ListBuckets"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Condition": {}
+ }
+ ]
+}' || true
+
+ ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+ --namespace "${NAMESPACE}" \
+ --service-account demo-sa \
+ --role-name ${ROLE_NAME} \
+ --create-role-if-not-exist \
+ --attach-custom-policy ${POLICY_NAME}
+}
+
+function deploy_demo() {
+ bar_tip "deploy demo"
+
+ ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml"
+ kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
+}
+
+function get_logs() {
+ bar_tip "wait demo and get logs"
+
+ kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" wait --for=condition=complete job/demo --timeout=240s
+ kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" logs job/demo
+}
+
+function cleanup() {
+ set +e
+ bar_tip "cleanup"
+
+ rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
+
+ set -e
+}
+
+function main() {
+ if [[ "${CLUSTER_ID}none" == "none" ]]; then
+ echo "clusterId is missing. Usage: bash test.sh CLUSTER_ID"
+ exit 1
+ fi
+ if [[ "${SCRIPT_DIR}none" == "none" ]]; then
+ echo "get script dir failed"
+ exit 1
+ fi
+
+ enable_rrsa
+ install_helper
+ setup_role
+ sleep 60
+ deploy_demo
+ get_logs
+}
+
+main
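Review bot: In `setup_role`, both `aliyun ram DeletePolicy ... || true` and `aliyun ram CreatePolicy ... || true` discard failures, so a stale policy can end up attached to the role. If the delete fails, for instance because the policy is still attached to a role, a pre-existing `test-oss-list-buckets` policy with unknown content stays in place and `associate-role` then attaches it. Drop the `|| true` on `CreatePolicy`, or verify afterwards that the stored document matches the intended one, so the test fails instead of running with stale permissions. `cleanup` detaches the policy but leaves the policy, the role and its service-account association in the account; adding `aliyun ram DeletePolicy --PolicyName "${POLICY_NAME}" || true` after the detach would keep leftover grants from accumulating between runs.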