From c2be6b657be5151d61afbc8dd7c5ed2e7507dfc6 Mon Sep 17 00:00:00 2001 From: mozillazg Date: Fri, 14 Jan 2022 11:32:47 +0800 Subject: [PATCH] add script for run e2e testing --- .gitignore | 1 + README.md | 5 +- examples/rrsa/e2e-test/READEME.md | 11 +++ examples/rrsa/e2e-test/deploy.yaml | 56 ++++++++++++++++ examples/rrsa/e2e-test/e2e.sh | 104 +++++++++++++++++++++++++++++ 5 files changed, 176 insertions(+), 1 deletion(-) create mode 100644 examples/rrsa/e2e-test/READEME.md create mode 100644 examples/rrsa/e2e-test/deploy.yaml create mode 100644 examples/rrsa/e2e-test/e2e.sh diff --git a/.gitignore b/.gitignore index 9c59a448..4c52ee57 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,4 @@ /ack-ram-tool dist/ +kubeconfig diff --git a/README.md b/README.md index 0abd1ee2..37299200 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ $ export ALIBABA_CLOUD_ACCESS_KEY_SECRET=bar ### RAM Roles for Service Accounts (RRSA) -Enable RRSA feature: +Enable [RRSA feature](https://www.alibabacloud.com/help/doc-detail/356611.html): ``` $ ack-ram-tool rrsa enable -c @@ -120,3 +120,6 @@ SecurityToken: CAIS*** Expiration: 2021-12-03T05:51:37Z ``` + +There is also have a e2e script for testing: [examples/rrsa/e2e-test](./examples/rrsa/e2e-test/) + diff --git a/examples/rrsa/e2e-test/READEME.md b/examples/rrsa/e2e-test/READEME.md new file mode 100644 index 00000000..426f0751 --- /dev/null +++ b/examples/rrsa/e2e-test/READEME.md @@ -0,0 +1,11 @@ +# e2e test + +## Usage + +1. Install and setup [ack-ram-tool](https://github.com/AliyunContainerService/ack-ram-tool) + and [aliyun-cli](https://github.com/aliyun/aliyun-cli). +2. Run e2e test: + +```bash +$ bash e2e.sh CLUSTER_ID +``` diff --git a/examples/rrsa/e2e-test/deploy.yaml b/examples/rrsa/e2e-test/deploy.yaml new file mode 100644 index 00000000..59c2b287 --- /dev/null +++ b/examples/rrsa/e2e-test/deploy.yaml 
@@ -0,0 +1,56 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: run-as-root
+spec:
+ containers:
+ - image: registry-vpc.REGION.aliyuncs.com/acs/busybox:1.33.1
+ command:
+ - sh
+ - -c
+ - 'sleep inf'
+ name: test
+ volumeMounts:
+ - mountPath: /var/run/secrets/tokens
+ name: oidc-token
+ serviceAccountName: user1
+ volumes:
+ - name: oidc-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: oidc-token
+ expirationSeconds: 7200
+ audience: "sts.aliyuncs.com"
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: run-as-non-root
+spec:
+ securityContext:
+ fsGroup: 65534 # for < k8s 1.19
+ containers:
+ - image: registry-vpc.REGION.aliyuncs.com/acs/busybox:1.33.1
+ command:
+ - sh
+ - -c
+ - 'sleep inf'
+ name: test
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ volumeMounts:
+ - mountPath: /var/run/secrets/tokens
+ name: oidc-token
+ serviceAccountName: user1
+ volumes:
+ - name: oidc-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: oidc-token
+ expirationSeconds: 7200
+ audience: "sts.aliyuncs.com"
diff --git a/examples/rrsa/e2e-test/e2e.sh b/examples/rrsa/e2e-test/e2e.sh
new file mode 100644
index 00000000..b4bcfe17
--- /dev/null
+++ b/examples/rrsa/e2e-test/e2e.sh
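Review bot: Both pods request the projected token with `expirationSeconds: 7200` even though e2e.sh reads the file once as soon as the pod is Ready, so a token that leaks from the test pod stays usable for two hours; Kubernetes accepts values down to `600` for projected service-account tokens, and that is enough here. The container image is pinned by tag (`busybox:1.33.1`), which the registry can re-point without the manifest changing; pinning by digest, `image: registry-vpc.REGION.aliyuncs.com/acs/busybox@sha256:<DIGEST>` (placeholder), keeps the test reproducible. Neither pod sets `automountServiceAccountToken: false`, so the default service-account token is mounted next to the OIDC token although only the latter is exercised by the script.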
@@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+set -e
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
+CLUSTER_ID="$1"
+ROLE_NAME="test-rrsa-${CLUSTER_ID}"
+KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
+NAMESPACE="test-rrsa"
+SERVICE_ACCOUNT="user1"
+
+trap cleanup EXIT
+
+function bar_tip() {
+ echo -e "\n=== $1 ===\n"
+}
+
+function enable_rrsa() {
+ bar_tip "enable rrsa"
+ ack-ram-tool rrsa -y -c "${CLUSTER_ID}" enable
+ ack-ram-tool rrsa -y -c "${CLUSTER_ID}" status
+}
+
+function get_metadata() {
+ bar_tip "get metadata"
+ REGION=$(aliyun cs DescribeClusterDetail --ClusterId ${CLUSTER_ID} --endpoint cs.aliyuncs.com |jq '.region_id' -r)
+ echo ${REGION}
+ export REGION=${REGION}
+
+ aliuid=$(aliyun sts GetCallerIdentity |jq -r .AccountId)
+ export ALIUID=${aliuid}
+}
+
+function get_kubeconfig() {
+ bar_tip "get and setup kubeconfig"
+ aliyun cs DescribeClusterUserKubeconfig --ClusterId "${CLUSTER_ID}" --TemporaryDurationMinutes 15 \
+ --endpoint cs.aliyuncs.com | jq '.config' -r > ${KUBECONFIG_PATH}
+ export KUBECONFIG=${KUBECONFIG_PATH}
+}
+
+function create_resources() {
+ bar_tip "create resources"
+ set +e
+ kubectl create ns ${NAMESPACE}
+ kubectl create sa ${SERVICE_ACCOUNT} -n ${NAMESPACE}
+ aliyun ram CreateRole --RoleName ${ROLE_NAME} --AssumeRolePolicyDocument \
+ '{"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cs.aliyuncs.com"]}}]}'
+ set -e
+}
+
+function associate_role() {
+ bar_tip "associate role"
+ ack-ram-tool rrsa -y -c "${CLUSTER_ID}" associate-role -r ${ROLE_NAME} -n ${NAMESPACE} -s ${SERVICE_ACCOUNT}
+}
+
+function deploy_pods() {
+ bar_tip "deploy pods"
+ set +e
+ kubectl -n ${NAMESPACE} delete pod --all
+ set -e
+ sed "s/REGION/${REGION}/g" "${SCRIPT_DIR}/deploy.yaml" | kubectl -n ${NAMESPACE} apply -f -
+}
+
+function assume_role() {
+ bar_tip "assume role via oidc token"
+ for name in $(echo run-as-root run-as-non-root); do
+ kubectl -n ${NAMESPACE} wait --for=condition=Ready pod/${name} --timeout=240s
+ TOKEN=$(kubectl -n ${NAMESPACE} exec -it ${name} -- cat /var/run/secrets/tokens/oidc-token)
+
+ echo "assume-role via token from pod ${name}"
+ echo ${TOKEN} | ack-ram-tool rrsa assume-role --region-id ${REGION} -r acs:ram::${ALIUID}:role/${ROLE_NAME} \
+ -p acs:ram::${ALIUID}:oidc-provider/ack-rrsa-${CLUSTER_ID} -t -
+ echo ${REGION}
+ echo $name
+ done
+}
+
+function cleanup() {
+ set +e
+ bar_tip "cleanup"
+ aliyun ram DeleteRole --RoleName ${ROLE_NAME}
+ rm ${KUBECONFIG_PATH}
+ set -e
+}
+
+function main() {
+ if [[ "${CLUSTER_ID}none" == "none" ]]; then
+ echo "clusterId is missing. Usage: bash e2e.sh CLUSTER_ID"
+ exit 1
+ fi
+ if [[ "${SCRIPT_DIR}none" == "none" ]]; then
+ echo "get script dir failed"
+ exit 1
+ fi
+
+ get_metadata
+ enable_rrsa
+ get_kubeconfig
+ create_resources
+ associate_role
+ deploy_pods
+ assume_role
+}
+
+main
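Review bot: `set -e` on the second line gives no protection to the `aliyun ... | jq` pipelines in get_metadata, because without `pipefail` only jq's exit status counts; a failed API call leaves REGION or ALIUID empty (or the string `null`), and the script then builds the `acs:ram::${ALIUID}:role/...` ARNs and the `sed` substitution from those values. I would switch to `set -euo pipefail` (with `CLUSTER_ID="${1:-}"` so the usage check in main still runs) and assert both values before exporting them, as sketched below. get_kubeconfig writes short-lived cluster credentials into `${SCRIPT_DIR}/kubeconfig` with the caller's default umask, so the file may be group- or world-readable until cleanup runs; an `umask 077` before the redirect and `rm -f -- "${KUBECONFIG_PATH}"` in cleanup close that. In assume_role, `kubectl exec -it` inside `$(...)` has no TTY to attach and can leave a carriage return in the captured token; `TOKEN=$(kubectl -n "${NAMESPACE}" exec "${name}" -- cat /var/run/secrets/tokens/oidc-token)` avoids it. Since create_resources runs CreateRole under `set +e`, cleanup's unconditional DeleteRole can remove a pre-existing role of the same name that this run did not create; recording CreateRole's status and deleting only on success would keep cleanup scoped to what the script owns.
```bash
set -euo pipefail

# … unchanged: SCRIPT_DIR …
CLUSTER_ID="${1:-}"
# … unchanged: remaining variables, trap, bar_tip, enable_rrsa …

function get_metadata() {
  bar_tip "get metadata"
  REGION=$(aliyun cs DescribeClusterDetail --ClusterId "${CLUSTER_ID}" --endpoint cs.aliyuncs.com | jq -r '.region_id')
  [[ -n "${REGION}" && "${REGION}" != "null" ]] || { echo "failed to resolve cluster region" >&2; exit 1; }
  echo "${REGION}"
  export REGION

  ALIUID=$(aliyun sts GetCallerIdentity | jq -r .AccountId)
  [[ -n "${ALIUID}" && "${ALIUID}" != "null" ]] || { echo "failed to resolve account id" >&2; exit 1; }
  export ALIUID
}

function get_kubeconfig() {
  bar_tip "get and setup kubeconfig"
  umask 077  # the file holds temporary cluster credentials
  aliyun cs DescribeClusterUserKubeconfig --ClusterId "${CLUSTER_ID}" --TemporaryDurationMinutes 15 \
    --endpoint cs.aliyuncs.com | jq -r '.config' > "${KUBECONFIG_PATH}"
  export KUBECONFIG="${KUBECONFIG_PATH}"
}

# … unchanged: create_resources, associate_role, deploy_pods, assume_role, cleanup, main …
```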