Copy kubeconfig to temporary file and add permissions

[prietyc123]

What type of PR is this?

/kind feature

What does does this PR do / why we need it:

This pr gives read write permission for kubeconfig file which is blocking us for multi-stage testing. Detailed explanation in comment

Which issue(s) this PR fixes:

Fixes NA

How to test changes / Special notes to the reviewer:

Copying kubeconfig to tmp file and accessing it should work with template based test too.

[girishramnani]

wouldn't you delete the /auth/kubeconfig? wouldnt it be confusing to have two kubeconfigs?

[prietyc123]

wouldn't you delete the /auth/kubeconfig? wouldnt it be confusing to have two kubeconfigs?

This is original default kubeconfig provided by the installer. Due to write permission on the file in multistage test infra i need to copy that file to some location along with write permission. Then the new kubeconfig path will be updated through the env var KUBECONFIG.

Even i had the same thought to removing it, but as per my understanding though deleting the original kubeconfig brings no harm to the cluster setup but may be this original fresh kubeconfig can be used for some other purposes.

Moreover i would say lets not delete anything which is default to the cluster, otherwise it may brings some unknown issues which i don't know atm.

[girishramnani]

why 764?

[prietyc123]

Hmm, I gave unnecessary write permission to the file. Read and write permission would be enough for kubeconfig file (666 ?). Anyway let me check what is the default permission of kubeconfig file used in template based test infra.

[amitkrout]

$ ls -l
total 32
-rw-r--r--@ 1 amit staff 23 Jun 14 20:18 kubeadmin-password
-rw-r--r--@ 1 amit staff 12193 Jun 14 20:18 kubeconfig

So it would be 644. Try this

[prietyc123]

Thanks @amitkrout I will add 644 permission for the file 🙂

[prietyc123]

Done

[amitkrout]

@prietyc123 Please check it locally thoroughly, otherwise it will break the master. Update the doc if needed while following the doc for setting up local environment for running test on 4.* cluster.

[prietyc123]

@prietyc123 Please check it locally thoroughly, otherwise it will break the master. Update the doc if needed while following the doc for setting up local environment for running test on 4.* cluster.

@amitkrout +1, I have run make configure-installer-tests-cluster and one test locally to verify the change.

$ make configure-installer-tests-cluster
. ./scripts/configure-installer-tests-cluster.sh
++ HTPASSWD_FILE=./htpass
++ USERPASS=developer
++ HTPASSWD_SECRET=htpasswd-secret
++ SETUP_OPERATORS=./scripts/setup-operators.sh
+++ pwd
++ DEFAULT_INSTALLER_ASSETS_DIR=/Users/pkumari/go/src/github.com/openshift/odo
++ KUBEADMIN_USER=kubeadmin
++ KUBEADMIN_PASSWORD_FILE=/Users/pkumari/go/src/github.com/openshift/odo/auth/kubeadmin-password
++ OC_STABLE_LOGIN=false
++ CI_OPERATOR_HUB_PROJECT=ci-operator-hub-project
++ mkdir -p /Users/pkumari/go/src/github.com/openshift/odo/tmp
++ cp /Users/pkumari/go/src/github.com/openshift/odo/auth/kubeconfig /Users/pkumari/go/src/github.com/openshift/odo/tmp/kubeconfig
++ chmod 644 /Users/pkumari/go/src/github.com/openshift/odo/tmp/kubeconfig
++ export KUBECONFIG=/Users/pkumari/go/src/github.com/openshift/odo/tmp/kubeconfig
++ KUBECONFIG=/Users/pkumari/go/src/github.com/openshift/odo/tmp/kubeconfig
++ USERS='developer odonoprojectattemptscreate odosingleprojectattemptscreate odologinnoproject odologinsingleproject1'
++ '[' -z ']'
++ '[' '!' -f /Users/pkumari/go/src/github.com/openshift/odo/auth/kubeadmin-password ']'
++ '[' '!' -f /Users/pkumari/go/src/github.com/openshift/odo/tmp/kubeconfig ']'
+++ cat /Users/pkumari/go/src/github.com/openshift/odo/auth/kubeadmin-password
++ KUBEADMIN_PASSWORD=tV2Mv-KyXcL-9MWCW-TwK2U
++ oc login -u kubeadmin -p tV2Mv-KyXcL-9MWCW-TwK2U
Login successful.

You have access to 67 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "default".
++ oc new-project ci-operator-hub-project
Error from server (AlreadyExists): project.project.openshift.io "ci-operator-hub-project" already exists
++ oc adm policy add-role-to-user edit developer
clusterrole.rbac.authorization.k8s.io/edit added: "developer"
++ sh ./scripts/setup-operators.sh
+ CI_OPERATOR_HUB_PROJECT=ci-operator-hub-project
+ count=0
+ '[' 0 -lt 5 ']'
+ oc get csv -n openshift-operators
+ grep mongo
mongodb-enterprise.v1.5.4             MongoDB                         1.5.4                          Succeeded
+ break
+ count=0
+ '[' 0 -lt 5 ']'
+ oc get csv -n openshift-operators
+ grep etcd
etcdoperator.v0.9.4-clusterwide       etcd                            0.9.4-clusterwide              Succeeded
+ break
++ '[' -f ./htpass ']'
++ rm -rf ./htpass
++ HTPASSWD_CREATED=' -c '
+++ echo developer odonoprojectattemptscreate odosingleprojectattemptscreate odologinnoproject odologinsingleproject1
++ for i in '`echo $USERS`'
++ htpasswd -b -c ./htpass developer developer
Adding password for user developer
++ HTPASSWD_CREATED=
++ for i in '`echo $USERS`'
++ htpasswd -b ./htpass odonoprojectattemptscreate developer
Adding password for user odonoprojectattemptscreate
++ HTPASSWD_CREATED=
++ for i in '`echo $USERS`'
++ htpasswd -b ./htpass odosingleprojectattemptscreate developer
Adding password for user odosingleprojectattemptscreate
++ HTPASSWD_CREATED=
++ for i in '`echo $USERS`'
++ htpasswd -b ./htpass odologinnoproject developer
Adding password for user odologinnoproject
++ HTPASSWD_CREATED=
++ for i in '`echo $USERS`'
++ htpasswd -b ./htpass odologinsingleproject1 developer
Adding password for user odologinsingleproject1
++ HTPASSWD_CREATED=
++ oc apply -n openshift -f https://raw.githubusercontent.com/openshift/library/master/arch/x86_64/community/wildfly/imagestreams/wildfly-centos7.json
imagestream.image.openshift.io/wildfly configured
++ oc get secret htpasswd-secret -n openshift-config
++ '[' 0 -eq 0 ']'
++ oc delete secret htpasswd-secret -n openshift-config
++ oc create secret generic htpasswd-secret --from-file=htpasswd=./htpass -n openshift-config
secret/htpasswd-secret created
++ oc apply -f -
oauth.config.openshift.io/cluster configured
++ for i in '{1..40}'
++ oc login -u developer -p developer
++ '[' 0 -eq 0 ']'
++ OC_STABLE_LOGIN=true
++ for j in '{1..25}'
++ oc whoami
++ '[' 0 -ne 0 ']'
++ sleep 2
++ for j in '{1..25}'
++ oc whoami
++ '[' 0 -ne 0 ']'
++ sleep 2
++ for j in '{1..25}'
++ oc whoami
++ '[' 0 -ne 0 ']'
++ sleep 2
++ for j in '{1..25}'
++ oc whoami
++ '[' 0 -ne 0 ']'
++ sleep 2
++ for j in '{1..25}'
++ oc whoami
++ '[' 0 -ne 0 ']'
++ sleep 2
++ for j in '{1..25}'
++ oc whoami
++ '[' 0 -ne 0 ']'
++ sleep 2
++ '[' true == true ']'
++ break
++ '[' true == false ']'
++ oc new-project myproject
Now using project "myproject" on server "https://api.jcaiani1.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app ruby~https://github.com/sclorg/ruby-ex.git

to build a new example application in Python. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=gcr.io/hello-minikube-zero-install/hello-node

++ sleep 4
++ oc version
Client Version: 4.4.0-0.ci-2020-02-26-215902
Kubernetes Version: v1.18.3

$ make test-generic
ginkgo  -randomizeAllSpecs -slowSpecThreshold=120 -timeout 7200s -nodes=2 -focus="odo generic" tests/integration/
Running Suite: Integration Suite
================================
Random Seed: 1593671941 - Will randomize all specs
Will run 177 specs

Running in parallel across 2 nodes

SSS•SS•SSSSSSSSSSSSSSS•SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS•SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS•SSS•SSSSSSSSSSSSSSSSSSS•SSSS•SSSSSSS•SS•SSSSSSSSSS•S•SSSSSSS
------------------------------
• [SLOW TEST:156.748 seconds]
odo generic
/Users/pkumari/go/src/github.com/openshift/odo/tests/integration/generic_test.go:15
  creating component with an application and url
  /Users/pkumari/go/src/github.com/openshift/odo/tests/integration/generic_test.go:136
    should create the component in default application
    /Users/pkumari/go/src/github.com/openshift/odo/tests/integration/generic_test.go:151
------------------------------
S••SS•SSSS
------------------------------
• [SLOW TEST:125.759 seconds]
odo generic
/Users/pkumari/go/src/github.com/openshift/odo/tests/integration/generic_test.go:15
  should list applications in other project
  /Users/pkumari/go/src/github.com/openshift/odo/tests/integration/generic_test.go:161
    should be able to create a php component with application created
    /Users/pkumari/go/src/github.com/openshift/odo/tests/integration/generic_test.go:173
------------------------------

Ran 17 of 177 Specs in 362.821 seconds
SUCCESS! -- 17 Passed | 0 Failed | 0 Pending | 160 Skipped


Ginkgo ran 1 suite in 6m12.917747428s
Test Suite Passed

[mohammedzee1000]

Let's see how it goes.

I still doubt this will pass though as you might need to give write access to the group as openshift uses randomuid and hence permission on gid will be more important. This also means group owner of the file will have to be root.

Again let's wait for CI before deciding

[amitkrout]

Update the message

[amitkrout]

Instead of tmp can we name the dir what it stand for. For example kubeconfig

[prietyc123]

I would go with tmp because its not the original kubeconfig, someone might confuse with this. As we are copying the kubeconfig and using it for the particular test, IMO keeping this under tmp make more sense than in dir like kubeconfig.

[codecov]

Codecov Report

Merging #3462 into master will decrease coverage by 0.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #3462      +/-   ##
==========================================
- Coverage   46.48%   46.45%   -0.04%     
==========================================
  Files         112      112              
  Lines       11223    11237      +14     
==========================================
+ Hits         5217     5220       +3     
- Misses       5505     5513       +8     
- Partials      501      504       +3     

Impacted Files	Coverage Δ
pkg/sync/sync.go	43.56% <0.00%> (-2.98%)	⬇️
pkg/devfile/adapters/kubernetes/utils/utils.go	52.48% <0.00%> (-1.93%)	⬇️
pkg/devfile/adapters/docker/component/utils.go	68.83% <0.00%> (-0.68%)	⬇️
...g/devfile/adapters/kubernetes/component/adapter.go	29.62% <0.00%> (-0.13%)	⬇️
pkg/config/config.go	45.64% <0.00%> (ø)
pkg/lclient/client.go	0.00% <0.00%> (ø)
pkg/lclient/fakeclient.go	82.11% <0.00%> (ø)
pkg/devfile/adapters/common/types.go	100.00% <0.00%> (ø)
pkg/devfile/adapters/docker/component/adapter.go	74.01% <0.00%> (+0.20%)	⬆️
pkg/sync/adapter.go	82.88% <0.00%> (+1.57%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 72996e0...8e30f14. Read the comment docs.

[amitkrout]

@prietyc123 Your changes won't solve the purpose. Hang on.
/hold

[amitkrout]

@prietyc123 Your changes won't solve the purpose. Hang on.
/hold

@prietyc123 Your change does not work in CI because kubeconfig is not located in the path that you are copying from (local setup). You need not to worry about the local copy of kubconfig as it is provided by the cluster itself I mean you just need to copy the kubeconfig and kube-password file in the auth dir to configure and run odo locally.

Your current change hitting the issue of No such file or directory issue in CI

++ SETUP_OPERATORS=./scripts/setup-operators.sh
+++ pwd
++ DEFAULT_INSTALLER_ASSETS_DIR=/go/src/github.com/openshift/odo
++ KUBEADMIN_USER=kubeadmin
++ KUBEADMIN_PASSWORD_FILE=/go/src/github.com/openshift/odo/auth/kubeadmin-password
++ OC_STABLE_LOGIN=false
++ CI_OPERATOR_HUB_PROJECT=ci-operator-hub-project
++ mkdir -p /go/src/github.com/openshift/odo/tmp
++ cp /go/src/github.com/openshift/odo/auth/kubeconfig /go/src/github.com/openshift/odo/tmp/kubeconfig
cp: cannot stat '/go/src/github.com/openshift/odo/auth/kubeconfig': No such file or directory
++ chmod 644 /go/src/github.com/openshift/odo/tmp/kubeconfig
chmod: cannot access '/go/src/github.com/openshift/odo/tmp/kubeconfig': No such file or directory
++ export KUBECONFIG=/tmp/admin.kube
++ KUBECONFIG=/tmp/admin.kubeconfig

Reference - https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_odo/3462/pull-ci-openshift-odo-master-v4.2-integration-e2e/1278587626093285376/artifacts/integration-e2e/container-logs/test.log

In multi stage test infra default kubeconfig path is not same as template based test infra.

multistage test infra default kubeconfig path. Check reference

export KUBECONFIG=/var/run/secrets/ci.openshift.io/multi-stage/kubeconfig 
++ KUBECONFIG=/var/run/secrets/ci.openshift.io/multi-stage/kubeconfig 

Template based test infra default kubeconfig path

++ export KUBECONFIG=/tmp/admin.kubeconfig
++ KUBECONFIG=/tmp/admin.kubeconfig

So you just need to add a else condition here https://github.com/openshift/odo/blob/master/scripts/configure-installer-tests-cluster.sh#L40

[...]
else
    cp $KUBECONFIG $TMPDIR/kubeconfig
    chmod 644 $TMPDIR/kubeconfig
    export KUBECONFIG=$TMPDIR/kubeconfig
fi

[prietyc123]

So you just need to replace https://github.com/openshift/odo/blob/master/scripts/configure-installer-tests-cluster.sh#L30-L33 with

Ahh... I missed the kubeconfig mounted on secret part. Yes, we need to replace it in the way you suggested. However I will be inclined to give permission as 664 instead of 644 because it is secret mounted and IMO user group also needs write permission in this case. Lets avoid rework on this. Anyway giving write permission to user group also doesn't harm anything.

[amitkrout]

However I will be inclined to give permission as 664 instead of 644 because it is secret mounted and IMO user group also needs write permission in this case. Lets avoid rework on this. Anyway giving write permission to user group also doesn't harm anything.

Instead of assuming we can check what level of permission kubeconfig file has in template based test. According you can apply the same permission to kubeconfig in multistage test. Just add ls -l command in the script to know the permission assigned to kubeconfig. May be it it does not harm anything but it exposes unnecessary permission which even does not required at all for kubeconfig file.

[...]
else
    ls -l $KUBECONFIG
    cp $KUBECONFIG $TMPDIR/kubeconfig
    chmod 644 $TMPDIR/kubeconfig
    export KUBECONFIG=$TMPDIR/kubeconfig
fi

[prietyc123]

According to templated based test I will be using 640 for our temporary kubeconfig file https://deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gcs/origin-ci-test/pr-logs/pull/openshift_odo/3462/pull-ci-openshift-odo-master-v4.5-integration-e2e/1278937715978539008#1:build-log.txt%3A47

[amitkrout]

/hold cancel

[amitkrout]

@prietyc123 I am able to reproduce the failure https://deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gcs/origin-ci-test/pr-logs/pull/openshift_odo/3462/pull-ci-openshift-odo-master-v4.4-integration-e2e/1278975901698101248#1:build-log.txt%3A489 locally too. I am not sure why oc whoami -t is not working with the newly exported KUBECONFIG. We need to check this in upstream, may be need to create an upstream issue to track it.

Steps to reproduce

$ odo login -u kubeadmin -p **** https://***-aws.dev.rhcloud.com:6443
[...]
Login successful.
You have access to 57 projects, the list has been suppressed. You can list all projects with 'odo project list'
Using project "default".
$ oc whoami -t
nN1aOYBlqW7kcedWchSqen19g66ObxpJm9sXjDFErJg
$ export KUBECONFIG=/Users/amit/Downloads/cluster.kubeconfig 
$ oc whoami -t
error: no token is currently in use for this session

[amitkrout]

oc logout
# Export the new KUBECONFG and login as a kubeadmin
export KUBECONFIG=$TMP_DIR/kubeconfig
oc login -u <username> -p <password>

or

export KUBECONFIG=$TMP_DIR/kubeconfig
oc login -u <username> -p <password>

The login step is impossible in prow CI because there is no such environment variable that exposes the kubeadmin password or password file.

It works locally

$ oc logout
Logged "kube:admin" out on "https://****-aws.dev.rhcloud.com:6443"

$ export KUBECONFIG=/Users/amit/Downloads/cluster.kubeconfig 

$ oc login -u kubeadmin -p **** https://***-aws.dev.rhcloud.com:6443
[...]
Login successful.
You have access to 57 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "default".

$ oc whoami -t
txzVnJweSurnoD70vcua79obm-MFlsQ-f6Nh0QbA3_k

[amitkrout]

@prietyc123 This can be handled through the login test script itself. Just need to add an developer login in the teardown step here in https://github.com/openshift/odo/blob/master/tests/integration/loginlogout/cmd_login_logout_test.go#L41

For example:

JustBeforeEach(func() {
       // To make sure that the script is using the developer login session
       helper.CmdShouldPass("odo", "login", "-u", "developer", "-p", "developer")
})

[amitkrout]

Remove it. It prompts for password.

[prietyc123]

/retest

[prietyc123]

This can be handled through the login test script itself. Just need to add an developer login in the teardown step here in https://github.com/openshift/odo/blob/master/tests/integration/loginlogout/cmd_login_logout_test.go#L41

Ok let me try these steps

[prietyc123]

/retest

[prietyc123]

/retest

[prietyc123]

prow failure

/retest

[prietyc123]

/retest

[amitkrout]

/retest

[prietyc123]

@girishramnani It seems after your last change on watch test file i am hitting this issue https://deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gcs/origin-ci-test/pr-logs/pull/openshift_odo/3462/pull-ci-openshift-odo-master-v4.3-integration-e2e/1280067878812389376#1:build-log.txt%3A632 in my pr which even does not touch the watch test. Can you please check the reason for failure. Its hard for me to debug the failure.

[prietyc123]

#3307

/retest

[amitkrout]

/lgtm

[prietyc123]

Replacing "Hello" with "Hello odo" in /tmp/088854584/server.js
[curl]   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[curl]                                  Dload  Upload   Total   Spent    Left  Speed
[curl] 
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    42    0    42    0     0    268      0 --:--:-- --:--:-- --:--:--   276
[curl] Hello nodejs UPDATED world from node.js!
[curl] 
Running curl with args [curl http://nodejs-app-8080-app-rcinbmmswu.apps.ci-op-4rijkg75-a9fea.origin-ci-int-aws.dev.rhcloud.com]
[curl]   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[curl]                                  Dload  Upload   Total   Spent    Left  Speed

/retest

[amitkrout]

CI is passing.
/approve

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amitkrout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• scripts/OWNERS [amitkrout]
• tests/OWNERS [amitkrout]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment