Merge remote-tracking branch 'origin/develop'

AliyunContainerService · Jun 13, 2023 · 9f2d54e · 9f2d54e
2 parents 8f297c4 + 6451709
commit 9f2d54e
Show file tree

Hide file tree

Showing 33 changed files with 829 additions and 290 deletions.
diff --git a/examples/rrsa/README.md b/examples/rrsa/README.md
@@ -3,39 +3,17 @@
 Examples for RRSA Usage.
 
 
-|                   |                                                                                                                     |
-|-------------------|---------------------------------------------------------------------------------------------------------------------|
-| go-sdk            | Using Alibaba Could Go SDK with RRSA Auth                                                                           |
-| java-sdk          | Using Alibaba Could Java SDK with RRSA Auth                                                                         |
-| python3-sdk       | Using Alibaba Could Python 3 SDK with RRSA Auth                                                                     |
-| nodejs-sdk        | Using Alibaba Could Node.js/TypeScript SDK with RRSA Auth                                                           |
-| kaniko-in-ack     | Building docker image with [Kaniko](https://github.com/GoogleContainerTools/kaniko) then push to ACR with RRSA Auth |
-| aliyuncli-demo    | Using [aliyun-cli](https://github.com/aliyun/aliyun-cli) with RRSA Auth                                             |
-| aliyunlogcli-demo | Using [aliyun-log-cli](https://github.com/aliyun/aliyun-log-cli) with RRSA Auth                                     |
-| ossutil-demo      | Using [ossutil](https://github.com/aliyun/ossutil) with RRSA Auth                                                   |
-| cpp-demo          | Using C++ SDK with RRSA Auth (experimental)                                                                         |
+| sub-directory     | description                                                                                                               |
+|-------------------|---------------------------------------------------------------------------------------------------------------------------|
+| go-sdk            | Using [Alibaba Could Go SDK](https://github.com/aliyun/alibabacloud-go-sdk) with RRSA Auth                                |
+| oss-go-sdk        | Using [aliyun-oss-go-sdk](https://github.com/aliyun/aliyun-oss-go-sdk) with RRSA Auth                                     |
+| java-sdk          | Using [Alibaba Could Java SDK](https://github.com/aliyun/alibabacloud-java-sdk) with RRSA Auth                            |
+| oss-java-sdk      | Using [aliyun-oss-java-sdk](https://github.com/aliyun/aliyun-oss-java-sdk) with RRSA Auth                                 |
+| python3-sdk       | Using [Alibaba Could Python 3 SDK](https://github.com/aliyun/alibabacloud-python-sdk) with RRSA Auth                      |
+| nodejs-sdk        | Using [Alibaba Could Node.js/TypeScript SDK](https://github.com/aliyun/alibabacloud-typescript-sdk) with RRSA Auth        |
+| kaniko-in-ack     | Building docker image with [Kaniko](https://github.com/GoogleContainerTools/kaniko) then push image to ACR with RRSA Auth |
+| aliyuncli-demo    | Using [aliyun-cli](https://github.com/aliyun/aliyun-cli) with RRSA Auth                                                   |
+| aliyunlogcli-demo | Using [aliyun-log-cli](https://github.com/aliyun/aliyun-log-cli) with RRSA Auth                                           |
+
+[//]: # (| ossutil-demo      | Using [ossutil]&#40;https://github.com/aliyun/ossutil&#41; with RRSA Auth  |)
 
-
-## go-sdk
-
-An example for how to use OIDC token to assume RAM Role via Alibaba Could Go SDK.
-
-
-## java-sdk
-
-An example for how to use OIDC token to assume RAM Role via Alibaba Could Java SDK.
-
-
-## python3-sdk
-
-An example for how to use OIDC token to assume RAM Role via Alibaba Could Python 3 SDK.
-
-
-## nodejs-sdk
-
-An example for how to use OIDC token to assume RAM Role via Alibaba Could Node.js/TypeScript SDK.
-
-
-## e2e-test
-
-Run e2e test.
diff --git a/examples/rrsa/aliyuncli-demo/test.sh b/examples/rrsa/aliyuncli-demo/test.sh
@@ -5,6 +5,8 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
 CLUSTER_ID="$1"
 KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
 NAMESPACE="rrsa-demo-aliyun-cli"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="AliyunCSReadOnlyAccess"
 
 trap cleanup EXIT
 
@@ -30,15 +32,16 @@ function setup_role() {
   ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
     --namespace "${NAMESPACE}" \
     --service-account demo-sa \
-    --role-name test-rrsa-demo \
+    --role-name ${ROLE_NAME} \
     --create-role-if-not-exist \
-    --attach-system-policy AliyunCSReadOnlyAccess
+    --attach-system-policy ${POLICY_NAME}
 }
 
 function deploy_demo() {
   bar_tip "deploy demo"
 
   ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+  kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
   kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
 }
 
@@ -54,6 +57,7 @@ function cleanup() {
   bar_tip "cleanup"
 
   rm ${KUBECONFIG_PATH}
+  aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType System || true
 
   set -e
 }

diff --git a/examples/rrsa/aliyunlogcli-demo/test.sh b/examples/rrsa/aliyunlogcli-demo/test.sh
@@ -5,6 +5,7 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
 CLUSTER_ID="$1"
 KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
 NAMESPACE="rrsa-demo-aliyunlog-cli"
+ROLE_NAME="test-rrsa-demo"
 POLICY_NAME="AliyunLogReadOnlyAccess"
 
 trap cleanup EXIT
@@ -31,7 +32,7 @@ function setup_role() {
   ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
     --namespace "${NAMESPACE}" \
     --service-account demo-sa \
-    --role-name test-rrsa-demo \
+    --role-name ${ROLE_NAME} \
     --create-role-if-not-exist \
     --attach-system-policy ${POLICY_NAME}
 }
@@ -40,6 +41,7 @@ function deploy_demo() {
   bar_tip "deploy demo"
 
   ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+  kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
   kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
 }
 
@@ -55,6 +57,7 @@ function cleanup() {
   bar_tip "cleanup"
 
   rm ${KUBECONFIG_PATH}
+  aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType System || true
 
   set -e
 }

diff --git a/examples/rrsa/go-sdk/deploy.yaml b/examples/rrsa/go-sdk/deploy.yaml
@@ -27,6 +27,6 @@ spec:
       serviceAccountName: demo-sa
       restartPolicy: Never
       containers:
-        - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-rrsa-example-golang
+        - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-golang
           imagePullPolicy: "Always"
           name: test
diff --git a/examples/rrsa/go-sdk/go.mod b/examples/rrsa/go-sdk/go.mod
@@ -7,11 +7,9 @@ require (
 	github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.4
 	github.com/alibabacloud-go/tea v1.1.20
 	github.com/alibabacloud-go/tea-utils v1.3.9 // indirect
-	github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible
 	github.com/aliyun/credentials-go v1.2.6
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
 	gopkg.in/ini.v1 v1.66.6 // indirect
 )
diff --git a/examples/rrsa/go-sdk/go.sum b/examples/rrsa/go-sdk/go.sum
@@ -27,8 +27,6 @@ github.com/alibabacloud-go/tea-utils/v2 v2.0.1 h1:K6kwgo+UiYx+/kr6CO0PN5ACZDzE3n
 github.com/alibabacloud-go/tea-utils/v2 v2.0.1/go.mod h1:U5MTY10WwlquGPS34DOeomUGBB0gXbLueiq5Trwu0C4=
 github.com/alibabacloud-go/tea-xml v1.1.2 h1:oLxa7JUXm2EDFzMg+7oRsYc+kutgCVwm+bZlhhmvW5M=
 github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
-github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible h1:KXeJoM1wo9I/6xPTyt6qCxoSZnmASiAjlrr0dyTUKt8=
-github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw=
 github.com/aliyun/credentials-go v1.2.6 h1:dSMxpj4uXZj0MYOsEyljlssHzfdHw/M84iQ5QKF0Uxg=
 github.com/aliyun/credentials-go v1.2.6/go.mod h1:/KowD1cfGSLrLsH28Jr8W+xwoId0ywIy5lNzDz6O1vw=
@@ -45,7 +43,6 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
@@ -54,7 +51,6 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -108,8 +104,6 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 h1:M73Iuj3xbbb9Uk1DYhzydthsj6oOd6l9bpuFcNoUvTs=
-golang.org/x/time v0.0.0-20220224211638-0e9765cccd65/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -119,7 +113,6 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.6 h1:LATuAqN/shcYAOkv3wl2L4rkaKqkcgTBQjOyYDvcPKI=

diff --git a/examples/rrsa/go-sdk/main.go b/examples/rrsa/go-sdk/main.go
@@ -8,7 +8,6 @@ import (
 	cs20151215 "github.com/alibabacloud-go/cs-20151215/v3/client"
 	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
 	"github.com/alibabacloud-go/tea/tea"
-	"github.com/aliyun/aliyun-oss-go-sdk/oss"
 	// github.com/aliyun/credentials-go >= v1.2.6
 	"github.com/aliyun/credentials-go/credentials"
 )
@@ -42,28 +41,6 @@ func testOpenAPISDK() {
 	}
 }
 
-func testOSSSDK() {
-	// 两种方法都可以
-	cred := newCredential()
-	// or
-	// cred := newOidcCredential()
-
-	provider := &ossCredentialsProvider{cred: cred}
-	client, err := oss.New("https://oss-cn-hangzhou.aliyuncs.com", "", "",
-		oss.SetCredentialsProvider(provider))
-	if err != nil {
-		panic(err)
-	}
-	ret, err := client.ListBuckets()
-	if err != nil {
-		panic(err)
-	}
-	fmt.Println("call oss.listBuckets via oidc token success:")
-	for _, item := range ret.Buckets {
-		fmt.Printf("-%s\n", item.Name)
-	}
-}
-
 func newCredential() credentials.Credential {
 	// https://www.alibabacloud.com/help/doc-detail/378661.html
 	cred, err := credentials.NewCredential(nil)
@@ -89,53 +66,8 @@ func newOidcCredential() credentials.Credential {
 	return oidcCredential
 }
 
-type ossCredentials struct {
-	teaCred credentials.Credential
-}
-
-func (cred *ossCredentials) GetAccessKeyID() string {
-	value, err := cred.teaCred.GetAccessKeyId()
-	if err != nil {
-		log.Printf("get access key id failed: %+v", err)
-		return ""
-	}
-	return tea.StringValue(value)
-}
-
-func (cred *ossCredentials) GetAccessKeySecret() string {
-	value, err := cred.teaCred.GetAccessKeySecret()
-	if err != nil {
-		log.Printf("get access key secret failed: %+v", err)
-		return ""
-	}
-	return tea.StringValue(value)
-}
-
-func (cred *ossCredentials) GetSecurityToken() string {
-	value, err := cred.teaCred.GetSecurityToken()
-	if err != nil {
-		log.Printf("get access security token failed: %+v", err)
-		return ""
-	}
-	return tea.StringValue(value)
-}
-
-type ossCredentialsProvider struct {
-	cred credentials.Credential
-}
-
-func (p *ossCredentialsProvider) GetCredentials() oss.Credentials {
-	return &ossCredentials{teaCred: p.cred}
-}
-
 func main() {
-	// test open api sdk (https://github.com/aliyun/alibabacloud-go-sdk) use rrsa oidc token
+	// test open api sdk (https://github.com/aliyun/alibabacloud-go-sdk) using rrsa oidc token
 	log.Printf("test open api sdk use rrsa oidc token")
 	testOpenAPISDK()
-
-	// test oss sdk (https://github.com/aliyun/aliyun-oss-go-sdk) use rrsa oidc token
-	if os.Getenv("TEST_OSS_SDK") == "true" {
-		log.Printf("test oss sdk use rrsa oidc token")
-		testOSSSDK()
-	}
 }
diff --git a/examples/rrsa/go-sdk/test.sh b/examples/rrsa/go-sdk/test.sh
@@ -5,6 +5,8 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
 CLUSTER_ID="$1"
 KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
 NAMESPACE="rrsa-demo-golang-sdk"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="test-cs-describe-clusters"
 
 trap cleanup EXIT
 
@@ -27,13 +29,15 @@ function install_helper() {
 function setup_role() {
   bar_tip "setup ram role"
 
-  aliyun ram CreatePolicy --PolicyName cs-describe-clusters --PolicyDocument '{
+  aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+  aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
   "Version": "1",
   "Statement": [
     {
       "Effect": "Allow",
       "Action": [
-        "cs:DescribeClusters"
+        "cs:DescribeClusters",
+        "cs:GetClusters"
       ],
       "Resource": [
         "*"
@@ -46,15 +50,16 @@ function setup_role() {
   ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
     --namespace "${NAMESPACE}" \
     --service-account demo-sa \
-    --role-name test-rrsa-demo \
+    --role-name ${ROLE_NAME} \
     --create-role-if-not-exist \
-    --attach-custom-policy cs-describe-clusters
+    --attach-custom-policy ${POLICY_NAME}
 }
 
 function deploy_demo() {
   bar_tip "deploy demo"
 
   ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+  kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
   kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
 }
 
@@ -70,6 +75,7 @@ function cleanup() {
   bar_tip "cleanup"
 
   rm ${KUBECONFIG_PATH}
+  aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
 
   set -e
 }

diff --git a/examples/rrsa/java-sdk/deploy.yaml b/examples/rrsa/java-sdk/deploy.yaml
@@ -27,6 +27,6 @@ spec:
       serviceAccountName: demo-sa
       restartPolicy: Never
       containers:
-        - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-rrsa-example-java
+        - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-java
           imagePullPolicy: "Always"
           name: test
diff --git a/examples/rrsa/java-sdk/pom.xml b/examples/rrsa/java-sdk/pom.xml
@@ -21,12 +21,6 @@
             <version>0.2.10</version>
         </dependency>
 
-        <dependency>
-            <groupId>com.aliyun.oss</groupId>
-            <artifactId>aliyun-sdk-oss</artifactId>
-            <version>3.16.1</version>
-        </dependency>
-
     </dependencies>
 
     <properties>