Commit
examples/rrsa: add example for oss nodejs sdk
Showing 8 changed files with 1,204 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
/node_modules |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
FROM node:19-alpine3.19 as builder | ||
# TARGETPLATFORM | ||
|
||
RUN npm set registry https://registry.npmmirror.com | ||
|
||
WORKDIR /app | ||
COPY package.json ./ | ||
COPY package-lock.json ./ | ||
|
||
RUN npm install | ||
|
||
FROM node:19-alpine3.19 | ||
|
||
WORKDIR /app | ||
COPY package.json ./ | ||
COPY package-lock.json ./ | ||
COPY src/index.js ./src/ | ||
COPY --from=builder /app/node_modules ./node_modules | ||
|
||
CMD npm run demo |
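Review bot: The builder stage runs `RUN npm install` even though package-lock.json is copied in just above it; `npm ci` would install exactly what the lockfile pins and fail the build if package.json and the lockfile disagree. That matters more here because `npm set registry https://registry.npmmirror.com` routes every fetch through a mirror, so the lockfile's integrity hashes are the check on what gets installed. The final stage also has no `USER` line, so `CMD npm run demo` runs as root; the official node images ship a `node` user that could be selected before the `CMD`. The `# TARGETPLATFORM` comment is left dangling with no `ARG` or use after it and can be dropped or completed.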
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
# oss-nodejs-sdk | ||
|
||
Using [OSS Node.js SDK](https://github.com/ali-sdk/ali-oss) with RRSA Auth. | ||
|
||
``` | ||
npm install @alicloud/credentials | ||
``` | ||
|
||
https://github.com/aliyun/credentials-nodejs | ||
|
||
|
||
## Demo | ||
|
||
1. Enable RRSA: | ||
|
||
``` | ||
export CLUSTER_ID=<cluster_id> | ||
ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}" | ||
``` | ||
|
||
2. Install ack-pod-identity-webhook: | ||
|
||
``` | ||
ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}" | ||
``` | ||
|
||
3. Create an RAM Policy: | ||
|
||
``` | ||
aliyun ram CreatePolicy --PolicyName oss-list-buckets --PolicyDocument '{ | ||
"Version": "1", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"oss:ListBuckets" | ||
], | ||
"Resource": [ | ||
"*" | ||
], | ||
"Condition": {} | ||
} | ||
] | ||
}' | ||
``` | ||
|
||
4. Associate an RAM Role to the service account and attach the policy to the role: | ||
|
||
``` | ||
ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \ | ||
--namespace rrsa-demo-oss-nodejs-sdk \ | ||
--service-account demo-sa \ | ||
--role-name test-rrsa-demo \ | ||
--create-role-if-not-exist \ | ||
--attach-custom-policy oss-list-buckets | ||
``` | ||
|
||
5. Deploy demo job: | ||
|
||
``` | ||
ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > kubeconfig | ||
kubectl --kubeconfig ./kubeconfig apply -f deploy.yaml | ||
``` | ||
|
||
6. Get logs: | ||
|
||
``` | ||
kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-nodejs-sdk wait --for=condition=complete job/demo --timeout=240s | ||
kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-nodejs-sdk logs job/demo | ||
``` | ||
|
||
Outputs: | ||
|
||
``` | ||
test oss sdk using rrsa oidc token | ||
call oss.listBuckets via oidc token success: | ||
- test-*** | ||
- cri-*** | ||
``` |
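Review bot: Steps 4 and 6 use `--namespace rrsa-demo-oss-nodejs-sdk` and `-n rrsa-demo-oss-nodejs-sdk`, but deploy.yaml in this commit creates the Namespace, ServiceAccount and Job under `rrsa-demo-nodejs-sdk`. As written, the role association in step 4 targets a service account in a different namespace from the one the job runs in, and the `wait` and `logs` commands in step 6 look for `job/demo` in a namespace where it is not created. Pick one name and use it in both files. Separately, the `npm install @alicloud/credentials` block and the bare credentials-nodejs link under the title have no sentence saying what they are for; a one-line description would help.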
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: rrsa-demo-nodejs-sdk | ||
labels: | ||
pod-identity.alibabacloud.com/injection: 'on' | ||
|
||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: demo-sa | ||
namespace: rrsa-demo-nodejs-sdk | ||
annotations: | ||
pod-identity.alibabacloud.com/role-name: test-rrsa-demo | ||
|
||
--- | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: demo | ||
namespace: rrsa-demo-nodejs-sdk | ||
spec: | ||
template: | ||
spec: | ||
serviceAccountName: demo-sa | ||
restartPolicy: Never | ||
containers: | ||
- image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-rrsa-example-nodejs | ||
imagePullPolicy: "Always" | ||
name: test |
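Review bot: The container entry under `containers:` sets no `securityContext` and no `resources`. Since this manifest is an example people will copy, consider adding `allowPrivilegeEscalation: false` and `runAsNonRoot: true` (the latter needs the image to run as a non-root user) plus a small CPU and memory limit. The image is referenced by the tag `1.0.0-rrsa-example-nodejs` with `imagePullPolicy: "Always"`, so the code that runs with the role named in `pod-identity.alibabacloud.com/role-name: test-rrsa-demo` can change whenever the tag is re-pushed; pinning by digest would avoid that. The namespace `rrsa-demo-nodejs-sdk` used three times in this file also differs from the one in the README commands and should be reconciled.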