
Commit 3cc9d77

committed
fix: use oidc args in kubectl command
Signed-off-by: Abirdcfly <[email protected]>
1 parent 8d16a25 commit 3cc9d77


2 files changed

+53
-14
lines changed


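--- a/api/v1beta1/channel_webhook.go
+++ b/api/v1beta1/channel_webhook.go
@@ -93,6 +93,7 @@ func (r *Channel) ValidateUpdate(ctx context.Context, c client.Client, old runti
 channellog.Info("validate update", "name", r.Name, "user", user.String())
 
 oldChannel := old.(*Channel)
+channellog.Info(fmt.Sprintf("debug new:%+v old:%+v", r.Spec.Peers, oldChannel.Spec.Peers))
 
 // forbid to udpate channel network
 if oldChannel.Spec.Network != r.Spec.Network {
@@ -118,6 +119,7 @@ func (r *Channel) ValidateUpdate(ctx context.Context, c client.Client, old runti
 return err
 }
 // updated peers should under user's management
+channellog.Info(fmt.Sprintf("debug new:%+v old:%+v, managedOrgs:%+v, add:%+v, remove:%+v", r.Spec.Peers, oldChannel.Spec.Peers, managedOrgs, addedPeers, removedPeers))
 err = validatePeersOwnership(ctx, c, managedOrgs, append(addedPeers, removedPeers...))
 if err != nil {
 return err
@@ -197,7 +199,7 @@ func validatePeersOwnership(ctx context.Context, c client.Client, ownerOrgs []st
 for _, peer := range peers {
 // peer must belongs to owners
 if !owners[peer.Namespace] {
-return errors.Wrapf(errNoPermOperatePeer, "peer belongs to %s not in %v", peer.Namespace, ownerOrgs)
+return errors.Wrapf(errNoPermOperatePeer, "peer:%s belongs to %s not in %v", peer.Name, peer.Namespace, ownerOrgs)
 }
 p := &IBPPeer{}
 err := c.Get(ctx, types.NamespacedName{Namespace: peer.Namespace, Name: peer.Name}, p)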
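Review bot: The two added `channellog.Info(fmt.Sprintf("debug ..."))` calls (new lines 96 and 122) leave ad-hoc debug output in the admission path of `ValidateUpdate`, at Info level and as a pre-formatted string rather than the key/value form the existing `channellog.Info("validate update", "name", r.Name, "user", user.String())` call uses. The second call sits directly before `validatePeersOwnership`, so a structured entry that names the requester would double as an authorization audit record. Assuming `channellog` is a logr-style logger (its call shape suggests so) and `user` is still in scope there, I would write `channellog.V(1).Info("peer ownership check", "user", user.String(), "managedOrgs", managedOrgs, "added", addedPeers, "removed", removedPeers)` and drop the first debug line. Both functions start and end outside the visible hunks.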

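--- a/config/samples/example-test.sh
+++ b/config/samples/example-test.sh
@@ -21,6 +21,7 @@ if [[ $RUNNER_DEBUG -eq 1 ]] || [[ $GITHUB_RUN_ATTEMPT -gt 1 ]]; then
 # or run the same test multiple times.
 set -x
 fi
+set -x
 export TERM=xterm-color
 
 KindName="kind"
@@ -121,7 +122,8 @@ function error() {
 }
 
 function info() {
-cecho -c 'blue' "$@"
+echo "$@"
+# cecho -c 'blue' "$@"
 }
 
 info "1. create kind cluster"
@@ -150,6 +152,22 @@ info "2.1 install u4a component, u4a services and fabric-operator"
 . ./scripts/e2e.sh --all
 cd ${RootPath}
 
+kubectl() {
+local args=("$@")
+local has_token=false
+_kubectl=$(which kubectl)
+for arg in "${args[@]}"; do
+if [[ $arg == "--token"* ]]; then
+has_token=true
+break
+fi
+done
+if [[ $has_token == true ]]; then
+args=(--server="https://${kubeProxyNodeIP}:443" --insecure-skip-tls-verify=true "${args[@]}")
+fi
+${_kubectl} "${args[@]}"
+}
+
 info "2.2 install latest crd in dev"
 kubectl kustomize config/crd | kubectl apply -f -
 
@@ -197,13 +215,25 @@ function getToken() {
 Token=$(echo $TokenResp | jq -r .data.token.id_token)
 }
 
-info "3.2 get all test user's token"
+info "3.2 get all test user's token, and verify that token authentication is valid"
 getToken $Domain "org1admin" $DefaultPassWord
 Admin1Token=$Token
 getToken $Domain "org2admin" $DefaultPassWord
 Admin2Token=$Token
 getToken $Domain "org3admin" $DefaultPassWord
 Admin3Token=$Token
+# Verify that the default kubectl command using the token parameter is invalid.
+code=0
+kubectl get po -n kube-system --token ${Admin1Token} &>/dev/null && code=0 || code=1
+if [[ $code -eq 1 ]]; then
+error "default kubectl has started to verify oidc, which is incorrect."
+fi
+# Verify that use of oidc parameters, oidc works.
+code=0
+kubectl get po -n kube-system --token ${Admin1Token} &>/dev/null && code=0 || code=1
+if [[ $code -eq 0 ]]; then
+error "oidc token valid failed"
+fi
 
 info "3.3 get default ingress class and storage class"
 IngressClassName=$(kubectl get ingressclass --no-headers | awk '{print $1}')
@@ -374,7 +404,7 @@ function waitNetwork() {
 START_TIME=$(date +%s)
 while true; do
 if [[ $want == "NoExist" ]]; then
-name=$(kubectl get network --token=${token} $networkName --no-headers=true --ignore-not-found=true | awk '{print $1}')
+name=$(kubectl get network $networkName --no-headers=true --ignore-not-found=true | awk '{print $1}')
 if [[ $name == "" ]]; then
 break
 fi
@@ -419,6 +449,13 @@ kubectl create -f config/samples/ibp.com_v1beta1_network_size_3.yaml --dry-run=c
 kubectl create --token=${Admin1Token} -f -
 waitNetwork network-sample3 "Ready" "" ${Admin1Token}
 
+info "4.4.2.1 valid org3 has no permission to get this network"
+code=0
+kubectl get network network-sample3 --token ${Admin3Token} &>/dev/null && code=0 || code=1
+if [[ $code -eq 0 ]]; then
+error "org3 can get network network-sampl3, There is a problem with access control."
+fi
+
 info "4.4.3 delete network need create a federation dissolve network proposal for fed=federation-sample network=network-sample"
 
 info "4.4.3.1 create proposal pro=dissolve-network-sample"
@@ -587,7 +624,7 @@ kubectl apply -f config/samples/ibp.com_v1beta1_channel_join_org2.yaml --token=$
 waitPeerJoined channel-sample 1 PeerJoined ${Admin2Token}
 
 info "4.7.6 create a proposal to archive channel-sample"
-kubectl --token=${Admin1Token} apply -f config/samples/ibp.com_v1beta1_proposal_archive_channel.yaml
+kubectl --token=${Admin1Token} create -f config/samples/ibp.com_v1beta1_proposal_archive_channel.yaml
 
 info "4.7.7 user=org2admin vote for pro=archive-channel-sample"
 waitVoteExist org2 archive-channel-sample ${Admin2Token}
@@ -601,7 +638,7 @@ info "4.7.9 channel=channel-sample become Archived"
 waitChannelReady channel-sample "ChannelArchived" ${Admin1Token}
 
 info "4.7.10 create a proposal to unarchive channel-sample"
-kubectl --token=${Admin1Token} apply -f config/samples/ibp.com_v1beta1_proposal_unarchive_channel.yaml
+kubectl --token=${Admin1Token} create -f config/samples/ibp.com_v1beta1_proposal_unarchive_channel.yaml
 
 info "4.7.11 user=org2admin vote for pro=unarchive-channel-sample"
 waitVoteExist org2 unarchive-channel-sample ${Admin2Token}
@@ -616,7 +653,7 @@ waitChannelReady channel-sample "ChannelCreated" ${Admin1Token}
 
 info "4.8 upload contract to minio"
 
-cat <<EOF | kubectl --token=${Admin1Token} apply -f -
+cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: Secret
 metadata:
@@ -629,7 +666,7 @@ ak=$(kubectl -nbaas-system get secret fabric-minio -ojson | jq -r '.data.rootUse
 sk=$(kubectl -nbaas-system get secret fabric-minio -ojson | jq -r '.data.rootPassword' | base64 -d)
 
 cat ${InstallDirPath}/fabric-operator/tekton/pipelines/sample/pre_sample_minio.yaml | sed "s/admin/${ak}/g" |
-sed "s/passw0rd/${sk}/g" | kubectl --token=${Admin1Token} apply -f -
+sed "s/passw0rd/${sk}/g" | kubectl create -f -
 
 function waitPipelineRun() {
 pipelinerunName=$1
@@ -659,7 +696,7 @@ function waitPipelineRun() {
 waitPipelineRun pre-sample-minio ${Admin1Token} "Succeeded"
 
 info "4.9 chaincodebuild"
-kubectl --token=${Admin1Token} apply -f config/samples/ibp.com_v1beta1_chaincodebuild_minio.yaml
+kubectl --token=${Admin1Token} create -f config/samples/ibp.com_v1beta1_chaincodebuild_minio.yaml
 
 function waitchaincodebuildImage() {
 chaincodebuildName=$1
@@ -694,18 +731,18 @@ waitchaincodebuildImage chaincodebuild-sample-minio $Admin1Token 2
 info "chaincode chaincodebuild-sample-minio done!"
 
 info "4.9.1 chaincodebuild for upgrade chaincode"
-kubectl --token=${Admin1Token} apply -f config/samples/ibp.com_v1beta1_chaincodebuild_minio_upgrade_chaincode.yaml
+kubectl --token=${Admin1Token} create -f config/samples/ibp.com_v1beta1_chaincodebuild_minio_upgrade_chaincode.yaml
 
 waitchaincodebuildImage chaincodebuild-sample-minio-upgrade-chaincode $Admin1Token 2
 info "chaincode chaincodebuild-sample-minio-upgrade-chaincode done!"
 
 info "4.10 install chaincode"
 info "4.10.1 create endorsepolicy e-policy"
-kubectl --token=${Admin1Token} apply -f config/samples/ibp.com_v1beta1_chaincode_endorse_policy.yaml
+kubectl --token=${Admin1Token} create -f config/samples/ibp.com_v1beta1_chaincode_endorse_policy.yaml
 info "4.10.2 create chaincode chaincode-sample"
-kubectl --token=${Admin1Token} apply -f config/samples/ibp.com_v1beta1_chaincode.yaml
+kubectl --token=${Admin1Token} create -f config/samples/ibp.com_v1beta1_chaincode.yaml
 info "4.10.3 create proposal create-chaincode"
-kubectl --token=${Admin1Token} apply -f config/samples/ibp.com_v1beta1_proposal_create_chaincode.yaml
+kubectl --token=${Admin1Token} create -f config/samples/ibp.com_v1beta1_proposal_create_chaincode.yaml
 info "4.10.4 patch vote vote-org2-create-chaincode"
 
 waitVoteExist org2 create-chaincode ${Admin2Token}
@@ -741,7 +778,7 @@ waitChaincodeRunning chaincode-sample $Admin1Token "ChaincodeRunning"
 
 info "4.10.6 upgrade chaincode to erc20"
 info "4.10.7 create proposal upgrade-chaincode"
-kubectl --token=${Admin1Token} apply -f config/samples/ibp.com_v1beta1_proposal_upgrade_chaincode.yaml
+kubectl --token=${Admin1Token} create -f config/samples/ibp.com_v1beta1_proposal_upgrade_chaincode.yaml
 
 info "4.10.8 wait vote vote-org2-upgrade-chaincode"
 waitVoteExist org2 upgrade-chaincode ${Admin2Token}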
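Review bot: The unconditional `set -x` added at new line 24 turns on command tracing for every run, which makes the `RUNNER_DEBUG`/`GITHUB_RUN_ATTEMPT` guard just above it pointless and writes every expanded argument to the job log. That includes the OIDC id tokens passed as `--token=${Admin1Token}` throughout the script and the MinIO root credentials expanded in `sed "s/passw0rd/${sk}/g"`. These values are obtained at run time, so they are presumably not registered as CI secrets and nothing would mask them in the log. I would drop the added line and keep tracing behind the existing guard, or bracket the credential-bearing commands with `set +x` and `set -x`. If tracing has to stay on, mask each value as soon as it is read, e.g. `echo "::add-mask::${Token}"` at the end of `getToken`.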
