examples/rrsa: add example for oss nodejs sdk

AliyunContainerService · Jul 8, 2024 · fcfaa00 · fcfaa00
1 parent 1487245
commit fcfaa00
Show file tree

Hide file tree

Showing 8 changed files with 1,204 additions and 0 deletions.
diff --git a/examples/rrsa/oss-nodejs-sdk/.gitignore b/examples/rrsa/oss-nodejs-sdk/.gitignore
@@ -0,0 +1 @@
+/node_modules
diff --git a/examples/rrsa/oss-nodejs-sdk/Dockerfile b/examples/rrsa/oss-nodejs-sdk/Dockerfile
@@ -0,0 +1,20 @@
+FROM node:19-alpine3.19 as builder
+# TARGETPLATFORM
+
+RUN npm set registry https://registry.npmmirror.com
+
+WORKDIR /app
+COPY package.json ./
+COPY package-lock.json ./
+
+RUN npm install
+
+FROM node:19-alpine3.19
+
+WORKDIR /app
+COPY package.json ./
+COPY package-lock.json ./
+COPY src/index.js ./src/
+COPY --from=builder /app/node_modules ./node_modules
+
+CMD npm run demo
diff --git a/examples/rrsa/oss-nodejs-sdk/README.md b/examples/rrsa/oss-nodejs-sdk/README.md
@@ -0,0 +1,80 @@
+# oss-nodejs-sdk
+
+Using [OSS Node.js SDK](https://github.com/ali-sdk/ali-oss) with RRSA Auth.
+
+```
+npm install @alicloud/credentials
+```
+
+https://github.com/aliyun/credentials-nodejs
+
+
+## Demo
+
+1. Enable RRSA:
+
+```
+export CLUSTER_ID=<cluster_id>
+ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+```
+
+2. Install ack-pod-identity-webhook:
+
+```
+ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+```
+
+3. Create an RAM Policy:
+
+```
+aliyun ram CreatePolicy --PolicyName oss-list-buckets --PolicyDocument '{
+  "Version": "1",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "oss:ListBuckets"
+      ],
+      "Resource": [
+        "*"
+      ],
+      "Condition": {}
+    }
+  ]
+}'
+```
+
+4. Associate an RAM Role to the service account and attach the policy to the role:
+
+```
+ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+    --namespace rrsa-demo-oss-nodejs-sdk \
+    --service-account demo-sa \
+    --role-name test-rrsa-demo \
+    --create-role-if-not-exist \
+    --attach-custom-policy oss-list-buckets
+```
+
+5. Deploy demo job:
+
+```
+ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > kubeconfig
+kubectl --kubeconfig ./kubeconfig apply -f deploy.yaml
+```
+
+6. Get logs:
+
+```
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-nodejs-sdk wait --for=condition=complete job/demo --timeout=240s
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-nodejs-sdk logs job/demo
+```
+
+Outputs:
+
+```
+test oss sdk using rrsa oidc token
+call oss.listBuckets via oidc token success:
+- test-***
+- cri-***
+
+```
diff --git a/examples/rrsa/oss-nodejs-sdk/deploy.yaml b/examples/rrsa/oss-nodejs-sdk/deploy.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rrsa-demo-nodejs-sdk
+  labels:
+    pod-identity.alibabacloud.com/injection: 'on'
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: demo-sa
+  namespace: rrsa-demo-nodejs-sdk
+  annotations:
+    pod-identity.alibabacloud.com/role-name: test-rrsa-demo
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: demo
+  namespace: rrsa-demo-nodejs-sdk
+spec:
+  template:
+    spec:
+      serviceAccountName: demo-sa
+      restartPolicy: Never
+      containers:
+        - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-rrsa-example-nodejs
+          imagePullPolicy: "Always"
+          name: test