Merge remote-tracking branch 'origin/develop'

AliyunContainerService · Oct 19, 2023 · 989f896 · 989f896
2 parents dbc04a5 + 4cc30c9
commit 989f896
Show file tree

Hide file tree

Showing 40 changed files with 1,201 additions and 137 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Set up Go

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -9,7 +9,7 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Go
       uses: actions/setup-go@v4
       with:

diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
@@ -19,7 +19,7 @@ jobs:
       run:
         working-directory: website
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup Node
         uses: actions/setup-node@v3

diff --git a/.gitignore b/.gitignore
@@ -23,3 +23,6 @@ kubeconfig
 /examples/rrsa/kaniko-in-ack/deploy.yaml
 /ci/ossutil/ossutil
 /cputil
+.terraform/
+.terraform.*
+terraform.tfstate*
diff --git a/Makefile b/Makefile
@@ -17,7 +17,8 @@ build:
 
 .PHONY: test
 test:
-	go test -v ./...
+	go test -race -v ./...
+	cd pkg/credentials/provider && go test -race -v ./...
 
 .PHONY: e2e
 e2e:

diff --git a/examples/rrsa/aliyuncli-demo/README.md b/examples/rrsa/aliyuncli-demo/README.md
@@ -1,6 +1,24 @@
 # aliyun cli demo
 
-## Usage
+config.json:
+
+```
+{
+  "current": "default",
+  "profiles": [
+    {
+      "name": "default",
+      "mode": "External",
+      "region_id": "cn-hangzhou",
+      "process_command": "ack-ram-tool export-credentials --ignore-aliyun-cli-credentials --log-level=ERROR",
+      "credentials_uri": ""
+    }
+  ],
+  "meta_path": ""
+}
+```
+
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/aliyunlogcli-demo/README.md b/examples/rrsa/aliyunlogcli-demo/README.md
@@ -1,6 +1,11 @@
 # aliyunlog cli demo
 
-## Usage
+```
+ack-ram-tool export-credentials --format=environment-variables -- \
+    aliyunlog log list_project --region-endpoint=cn-hangzhou.log.aliyuncs.com
+```
+
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/cpp-demo/cpp-sdk/README.md b/examples/rrsa/cpp-demo/cpp-sdk/README.md
@@ -1,6 +1,6 @@
 # cpp-sdk
 
-## Usage
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/go-sdk/README.md b/examples/rrsa/go-sdk/README.md
@@ -2,7 +2,14 @@
 
 Using [Alibaba Could Go SDK](https://github.com/aliyun/alibabacloud-go-sdk) with RRSA Auth.
 
-## Usage
+```
+go get github.com/aliyun/[email protected]
+```
+
+https://github.com/aliyun/credentials-go
+
+
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/java-sdk/README.md b/examples/rrsa/java-sdk/README.md
@@ -2,8 +2,18 @@
 
 Using [Alibaba Could Java SDK](https://github.com/aliyun/alibabacloud-java-sdk) with RRSA Auth.
 
+```
+<dependency>
+    <groupId>com.aliyun</groupId>
+    <artifactId>credentials-java</artifactId>
+    <version>0.2.12</version>
+</dependency>
+```
+
+https://github.com/aliyun/credentials-java
+
 
-## Usage
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/kaniko-in-ack/README.md b/examples/rrsa/kaniko-in-ack/README.md
@@ -5,7 +5,7 @@ Running kaniko in ACK:
 * build image with kaniko
 * push image to the ACR with RRSA Auth
 
-## Usage
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/log-go-sdk/README.md b/examples/rrsa/log-go-sdk/README.md
@@ -2,7 +2,8 @@
 
 Using [aliyun-log-go-sdk](https://github.com/aliyun/aliyun-log-go-sdk) with RRSA Auth.
 
-## Usage
+
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/log-go-sdk/go.mod b/examples/rrsa/log-go-sdk/go.mod
@@ -3,7 +3,7 @@ module github.com/AliyunContainerService/ack-ram-tool/examples/rrsa/log-go-sdk
 go 1.16
 
 require (
-	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.7.1
+	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.9.0
 	github.com/aliyun/aliyun-log-go-sdk v0.1.54
 	github.com/stretchr/testify v1.5.1 // indirect
 	golang.org/x/net v0.7.0 // indirect

diff --git a/examples/rrsa/log-go-sdk/go.sum b/examples/rrsa/log-go-sdk/go.sum
@@ -1,7 +1,7 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.7.1 h1:PXpSLU9ghgbUvDgRSr2N+SPHV5Ze0dYoqwGM4LSyfc4=
-github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.7.1/go.mod h1:ULtI7L9xkNeJ07YNqSeT5EhjQAl1CpTgPcUn4KoNcuc=
+github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.9.0 h1:PqNYfVOnnbTN9d2X8Hg8JCcp7H53YwMWFA6//AYDAg0=
+github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.9.0/go.mod h1:ULtI7L9xkNeJ07YNqSeT5EhjQAl1CpTgPcUn4KoNcuc=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=

diff --git a/examples/rrsa/log-java-sdk/README.md b/examples/rrsa/log-java-sdk/README.md
@@ -2,7 +2,18 @@
 
 Using [aliyun-log-java-sdk](https://github.com/aliyun/aliyun-log-java-sdk) with RRSA Auth.
 
-## Usage
+```
+<dependency>
+    <groupId>com.aliyun</groupId>
+    <artifactId>credentials-java</artifactId>
+    <version>0.2.12</version>
+</dependency>
+```
+
+https://github.com/aliyun/credentials-java
+
+
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/nodejs-sdk/README.md b/examples/rrsa/nodejs-sdk/README.md
@@ -2,7 +2,14 @@
 
 Using [Alibaba Could Node.js/TypeScript SDK](https://github.com/aliyun/alibabacloud-typescript-sdk) with RRSA Auth.
 
-## Usage
+```
+npm install @alicloud/credentials
+```
+
+https://github.com/aliyun/credentials-nodejs
+
+
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/oss-go-sdk/README.md b/examples/rrsa/oss-go-sdk/README.md
@@ -2,7 +2,14 @@
 
 Using [aliyun-oss-go-sdk](https://github.com/aliyun/aliyun-oss-go-sdk) with RRSA Auth.
 
-## Usage
+```
+go get github.com/aliyun/[email protected]
+```
+
+https://github.com/aliyun/credentials-go
+
+
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/oss-java-sdk/README.md b/examples/rrsa/oss-java-sdk/README.md
@@ -2,7 +2,18 @@
 
 Using [aliyun-oss-java-sdk](https://github.com/aliyun/aliyun-oss-java-sdk) with RRSA Auth.
 
-## Usage
+```
+<dependency>
+    <groupId>com.aliyun</groupId>
+    <artifactId>credentials-java</artifactId>
+    <version>0.2.12</version>
+</dependency>
+```
+
+https://github.com/aliyun/credentials-java
+
+
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/python3-sdk/README.md b/examples/rrsa/python3-sdk/README.md
@@ -2,7 +2,14 @@
 
 Using [Alibaba Could Python 3 SDK](https://github.com/aliyun/alibabacloud-python-sdk) with RRSA Auth.
 
-## Usage
+```
+pip install alibabacloud_credentials>=0.3.1
+```
+
+https://github.com/aliyun/credentials-python
+
+
+## Demo
 
 1. Enable RRSA:
 

diff --git a/examples/rrsa/terraform-demo/rrsa-config/README.md b/examples/rrsa/terraform-demo/rrsa-config/README.md
@@ -0,0 +1,22 @@
+# RRSA Configuration Via Terraform
+
+
+```
+aliyun/terraform-provider-alicloud > v1.171.0
+```
+
+https://registry.terraform.io/providers/aliyun/alicloud/latest
+
+
+
+## Demo
+
+```
+export ALICLOUD_ACCESS_KEY=<ALICLOUD_ACCESS_KEY>
+export ALICLOUD_SECRET_KEY=<ALICLOUD_SECRET_KEY>
+export ALICLOUD_REGION="cn-hangzhou"
+
+terraform init
+terraform plan
+terraform apply
+```
diff --git a/examples/rrsa/terraform-demo/rrsa-config/main.tf b/examples/rrsa/terraform-demo/rrsa-config/main.tf
@@ -0,0 +1,121 @@
+provider "alicloud" {
+}
+
+variable "k8s_name_prefix" {
+  description = "The name prefix used to create ASK cluster."
+  default     = "ask-rrsa-example"
+}
+
+resource "random_uuid" "this" {}
+
+
+locals {
+  k8s_name_ask = substr(join("-", [var.k8s_name_prefix,"ask"]), 0, 63)
+  new_vpc_name = "tf-vpc-172-16"
+  new_vsw_name = "tf-vswitch-172-16-0"
+}
+
+data "alicloud_zones" "default" {
+  available_resource_creation = "VSwitch"
+}
+
+resource "alicloud_vpc" "vpc" {
+  vpc_name   = local.new_vpc_name
+  cidr_block = "172.16.0.0/12"
+}
+
+resource "alicloud_vswitch" "vsw" {
+  vswitch_name      = local.new_vsw_name
+  vpc_id          = alicloud_vpc.vpc.id
+  cidr_block      = cidrsubnet(alicloud_vpc.vpc.cidr_block, 8, 8)
+  zone_id      = data.alicloud_zones.default.zones[0].id
+}
+
+
+resource "alicloud_cs_serverless_kubernetes" "serverless" {
+  name                           = local.k8s_name_ask
+  version                        = "1.26.3-aliyun.1"
+  cluster_spec                   = "ack.pro.small"
+  vpc_id                         = alicloud_vpc.vpc.id
+  vswitch_ids                    = split(",", join(",", alicloud_vswitch.vsw.*.id))
+  new_nat_gateway                = false
+  endpoint_public_access_enabled = false
+  deletion_protection            = false
+  load_balancer_spec             = "slb.s2.small"
+  time_zone                      = "Asia/Shanghai"
+  service_cidr                   = "10.13.0.0/16"
+  service_discovery_types        = ["CoreDNS"]
+
+  # Enable RRSA
+  enable_rrsa                    = true
+}
+
+
+# k8s service account info
+variable "k8s_namespace" {
+    default       = "test-rrsa-ns"
+}
+variable "k8s_service_account" {
+    default = "foo-bar-manager-sa"
+}
+
+# Create a new RAM Role.
+resource "alicloud_ram_role" "role" {
+  name        = "rrsa-demo-${alicloud_cs_serverless_kubernetes.serverless.id}"
+  document    = <<EOF
+  {
+    "Statement": [
+      {
+        "Action": "sts:AssumeRole",
+        "Condition": {
+          "StringEquals": {
+            "oidc:aud": "sts.aliyuncs.com",
+            "oidc:iss": "${alicloud_cs_serverless_kubernetes.serverless.rrsa_metadata[0].rrsa_oidc_issuer_url}",
+            "oidc:sub": "system:serviceaccount:${var.k8s_namespace}:${var.k8s_service_account}"
+          }
+        },
+        "Effect": "Allow",
+        "Principal": {
+          "Federated": [
+            "${alicloud_cs_serverless_kubernetes.serverless.rrsa_metadata[0].ram_oidc_provider_arn}"
+          ]
+        }
+      }
+    ],
+    "Version": "1"
+  }
+  EOF
+  description = "this is a role for rrsa demo."
+  force       = true
+}
+
+# Create a new RAM Policy.
+resource "alicloud_ram_policy" "policy" {
+  policy_name        = "rrsa-demo-policy-demo"
+  policy_document    = <<EOF
+  {
+    "Statement": [
+      {
+        "Action": [
+          "oss:GetObject"
+        ],
+        "Effect": "Allow",
+        "Resource": [
+          "acs:oss:*:*:my-foo-bar-bucket/*"
+        ]
+      }
+    ],
+      "Version": "1"
+  }
+  EOF
+  description = "this is a policy test"
+  force       = true
+}
+
+# Attach Policy to the Role.
+resource "alicloud_ram_role_policy_attachment" "attach" {
+  policy_name = alicloud_ram_policy.policy.policy_name
+  policy_type = alicloud_ram_policy.policy.type
+  role_name   = alicloud_ram_role.role.name
+}
+
-Original file line number
+Diff line change
@@ Expand Up / @@ -2,7 +2,8 @@ @@
     Using [aliyun-log-go-sdk](https://github.com/aliyun/aliyun-log-go-sdk) with RRSA Auth.
-    ## Usage
+    ## Demo
 . Enable RRSA:
@@ Expand Down @@