refactor aggregated-apiserver e2e test
Signed-off-by: changzhen <changzhen5@huawei.com>
This commit is contained in:
changzhen
RainbowMango
parent
b534e994c2
commit
e1fbf5cf2d
|
|
@ -1,128 +1,138 @@
|
|||
package e2e
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/onsi/ginkgo"
|
||||
"github.com/onsi/gomega"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
"k8s.io/apimachinery/pkg/util/rand"
|
||||
"k8s.io/klog/v2"
|
||||
|
||||
"github.com/karmada-io/karmada/test/e2e/framework"
|
||||
"github.com/karmada-io/karmada/test/helper"
|
||||
)
|
||||
|
||||
var _ = ginkgo.Describe("aggregatedapi testing", func() {
|
||||
const (
|
||||
clusterProxy = "/apis/cluster.karmada.io/v1alpha1/clusters/%s/proxy/"
|
||||
)
|
||||
|
||||
var member1, member2 string
|
||||
saName := "tom"
|
||||
var _ = ginkgo.Describe("Aggregated Kubernetes API Endpoint testing", func() {
|
||||
member1, member2 := "member1", "member2"
|
||||
|
||||
saName := fmt.Sprintf("tom-%s", rand.String(RandomStrLength))
|
||||
saNamespace := testNamespace
|
||||
saTom := helper.NewServiceaccount(saNamespace, saName)
|
||||
clusterroleName := "cluster-proxy-clusterrole"
|
||||
crbSubjectGroupName := "system:serviceaccounts:" + saNamespace
|
||||
crbSubject := []rbacv1.Subject{{
|
||||
Kind: "ServiceAccount",
|
||||
Name: saName,
|
||||
Namespace: saTom.Namespace,
|
||||
},
|
||||
tomServiceAccount := helper.NewServiceaccount(saNamespace, saName)
|
||||
tomClusterRole := helper.NewClusterRole(tomServiceAccount.Name, []rbacv1.PolicyRule{
|
||||
{
|
||||
Kind: "Group",
|
||||
Name: "system:serviceaccounts",
|
||||
APIGroups: []string{"cluster.karmada.io"},
|
||||
Verbs: []string{"*"},
|
||||
Resources: []string{"clusters/proxy"},
|
||||
ResourceNames: []string{member1},
|
||||
},
|
||||
{
|
||||
Kind: "Group",
|
||||
Name: crbSubjectGroupName,
|
||||
},
|
||||
}
|
||||
saBinding := helper.NewClusterrolebindings(saName, clusterroleName, crbSubject)
|
||||
saClustrole := helper.NewClusterroles(saName, "*", "*", "")
|
||||
crbSubject2 := []rbacv1.Subject{{
|
||||
Kind: "ServiceAccount",
|
||||
Name: saName,
|
||||
Namespace: saTom.Namespace,
|
||||
},
|
||||
}
|
||||
saBinding2 := helper.NewClusterrolebindings(saName, saName, crbSubject2)
|
||||
|
||||
ginkgo.BeforeEach(func() {
|
||||
member1 = framework.ClusterNames()[0]
|
||||
member2 = framework.ClusterNames()[1]
|
||||
karmdaApiGroup := "cluster.karmada.io"
|
||||
karmdaResource := "clusters/proxy"
|
||||
proxyClustrole := helper.NewClusterroles(clusterroleName, karmdaApiGroup, karmdaResource, member1)
|
||||
framework.CreateMermberclusterSa(member1, saTom)
|
||||
framework.CreateKarmadaSa(kubeClient, saTom)
|
||||
framework.CreateClusterrole(kubeClient, proxyClustrole)
|
||||
framework.CreateClusterroleBinding(kubeClient, saBinding)
|
||||
})
|
||||
tomClusterRoleBinding := helper.NewClusterRoleBinding(tomServiceAccount.Name, tomClusterRole.Name, []rbacv1.Subject{
|
||||
{Kind: "ServiceAccount", Name: tomServiceAccount.Name, Namespace: tomServiceAccount.Namespace},
|
||||
{Kind: "Group", Name: "system:serviceaccounts"},
|
||||
{Kind: "Group", Name: "system:serviceaccounts:" + tomServiceAccount.Namespace},
|
||||
})
|
||||
|
||||
ginkgo.AfterEach(func() {
|
||||
framework.RemoveMermberclusterSa(member1, saTom.Name, saTom.Namespace)
|
||||
framework.RemoveKarmadalusterSa(kubeClient, saTom.Name, saTom.Namespace)
|
||||
framework.RemoveClusterrole(kubeClient, clusterroleName)
|
||||
framework.RemoveclusterroleBinding(kubeClient, saBinding.Name)
|
||||
tomClusterRoleOnMember := helper.NewClusterRole(tomServiceAccount.Name, []rbacv1.PolicyRule{
|
||||
{
|
||||
APIGroups: []string{"*"},
|
||||
Verbs: []string{"*"},
|
||||
Resources: []string{"*"},
|
||||
},
|
||||
})
|
||||
tomClusterRoleBindingOnMember := helper.NewClusterRoleBinding(tomServiceAccount.Name, tomClusterRoleOnMember.Name, []rbacv1.Subject{
|
||||
{Kind: "ServiceAccount", Name: tomServiceAccount.Name, Namespace: tomServiceAccount.Namespace},
|
||||
})
|
||||
|
||||
ginkgo.When("Serviceaccount access test", func() {
|
||||
ginkgo.Context("Serviceaccount access test", func() {
|
||||
ginkgo.It("Serviceaccount access in the member1 cluster", func() {
|
||||
framework.WaitServiceaccountPresentOnCluster(kubeClient, saName, saTom.Namespace)
|
||||
framework.WaitServiceaccountPresentOnMemberCluster(member1, saName, saTom.Namespace)
|
||||
framework.WaitClusterrolebindingPresentOnCluster(kubeClient, saBinding.Name)
|
||||
apiPath := "/apis/cluster.karmada.io/v1alpha1/clusters/" + member1 + "/proxy/apis"
|
||||
code := framework.GetClusterNode(apiPath, kubeClient, karmadaClient, saName, saTom.Namespace)
|
||||
gomega.Expect(code).Should(gomega.Equal(200))
|
||||
ginkgo.Context("Aggregated Kubernetes API Endpoint testing", func() {
|
||||
ginkgo.BeforeEach(func() {
|
||||
framework.CreateServiceAccount(kubeClient, tomServiceAccount)
|
||||
framework.CreateClusterRole(kubeClient, tomClusterRole)
|
||||
framework.CreateClusterRoleBinding(kubeClient, tomClusterRoleBinding)
|
||||
})
|
||||
|
||||
ginkgo.BeforeEach(func() {
|
||||
klog.Infof("Create ServiceAccount(%s) in the cluster(%s)", klog.KObj(tomServiceAccount).String(), member1)
|
||||
clusterClient := framework.GetClusterClient(member1)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
framework.CreateServiceAccount(clusterClient, tomServiceAccount)
|
||||
})
|
||||
|
||||
ginkgo.AfterEach(func() {
|
||||
klog.Infof("Delete ServiceAccount(%s) in the cluster(%s)", klog.KObj(tomServiceAccount).String(), member1)
|
||||
clusterClient := framework.GetClusterClient(member1)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
framework.RemoveServiceAccount(clusterClient, tomServiceAccount.Namespace, tomServiceAccount.Name)
|
||||
})
|
||||
|
||||
ginkgo.AfterEach(func() {
|
||||
framework.RemoveServiceAccount(kubeClient, tomServiceAccount.Namespace, tomServiceAccount.Name)
|
||||
framework.RemoveClusterRole(kubeClient, tomClusterRole.Name)
|
||||
framework.RemoveClusterRoleBinding(kubeClient, tomClusterRoleBinding.Name)
|
||||
})
|
||||
|
||||
ginkgo.AfterEach(func() {
|
||||
clusterClient := framework.GetClusterClient(member1)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
|
||||
framework.RemoveClusterRole(clusterClient, tomClusterRoleOnMember.Name)
|
||||
framework.RemoveClusterRoleBinding(clusterClient, tomClusterRoleBindingOnMember.Name)
|
||||
})
|
||||
|
||||
ginkgo.It("Serviceaccount(tom) access the member1 cluster", func() {
|
||||
tomToken, err := helper.GetTokenFromServiceAccount(kubeClient, tomServiceAccount.Namespace, tomServiceAccount.Name)
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
|
||||
ginkgo.By("access the member1 /api path with right", func() {
|
||||
gomega.Eventually(func() (bool, error) {
|
||||
code, err := helper.DoRequest(fmt.Sprintf(karmadaHost+clusterProxy+"api", member1), tomToken)
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
if code == 200 {
|
||||
return true, nil
|
||||
}
|
||||
return false, nil
|
||||
}, pollTimeout, pollInterval).Should(gomega.Equal(true))
|
||||
})
|
||||
|
||||
ginkgo.It("Serviceaccount have no access in the member2 cluster", func() {
|
||||
framework.WaitServiceaccountPresentOnCluster(kubeClient, saName, saTom.Namespace)
|
||||
framework.WaitServiceaccountPresentOnMemberCluster(member1, saName, saTom.Namespace)
|
||||
framework.WaitClusterrolebindingPresentOnCluster(kubeClient, saBinding.Name)
|
||||
apiPath := "/apis/cluster.karmada.io/v1alpha1/clusters/" + member2 + "/proxy/apis"
|
||||
code := framework.GetClusterNode(apiPath, kubeClient, karmadaClient, saName, saTom.Namespace)
|
||||
gomega.Expect(code).ShouldNot(gomega.Equal(200))
|
||||
ginkgo.By("access the member1 /api/v1/nodes path without right", func() {
|
||||
code, err := helper.DoRequest(fmt.Sprintf(karmadaHost+clusterProxy+"api/v1/nodes", member1), tomToken)
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
gomega.Expect(code).Should(gomega.Equal(403))
|
||||
})
|
||||
|
||||
ginkgo.It("Serviceaccount does not have any permissions in the member1 cluster", func() {
|
||||
framework.WaitServiceaccountPresentOnCluster(kubeClient, saName, saTom.Namespace)
|
||||
framework.WaitServiceaccountPresentOnMemberCluster(member1, saName, saTom.Namespace)
|
||||
framework.WaitClusterrolebindingPresentOnCluster(kubeClient, saBinding.Name)
|
||||
apiPath := "/apis/cluster.karmada.io/v1alpha1/clusters/" + member1 + "/proxy/api/v1/nodes"
|
||||
code := framework.GetClusterNode(apiPath, kubeClient, karmadaClient, saName, saTom.Namespace)
|
||||
gomega.Expect(code).ShouldNot(gomega.Equal(200))
|
||||
gomega.Expect(code).Should(gomega.Equal(403))
|
||||
ginkgo.By("create rbac in member1 cluster", func() {
|
||||
clusterClient := framework.GetClusterClient(member1)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
|
||||
framework.CreateClusterRole(clusterClient, tomClusterRoleOnMember)
|
||||
framework.CreateClusterRoleBinding(clusterClient, tomClusterRoleBindingOnMember)
|
||||
})
|
||||
|
||||
ginkgo.By("access the member1 /api/v1/nodes path with right", func() {
|
||||
gomega.Eventually(func() (bool, error) {
|
||||
code, err := helper.DoRequest(fmt.Sprintf(karmadaHost+clusterProxy+"api/v1/nodes", member1), tomToken)
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
if code == 200 {
|
||||
return true, nil
|
||||
}
|
||||
return false, nil
|
||||
}, pollTimeout, pollInterval).Should(gomega.Equal(true))
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
ginkgo.When("Grant permission to Serviceaccount in member ", func() {
|
||||
ginkgo.JustBeforeEach(func() {
|
||||
framework.CreateMemberclusterRole(member1, saClustrole)
|
||||
framework.CreateMemberclusterRoleBinding(member1, saBinding2)
|
||||
})
|
||||
ginkgo.It("Serviceaccount(tom) access the member2 cluster", func() {
|
||||
tomToken, err := helper.GetTokenFromServiceAccount(kubeClient, tomServiceAccount.Namespace, tomServiceAccount.Name)
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
|
||||
ginkgo.JustAfterEach(func() {
|
||||
framework.RemoveMemberclusterRole(member1, saClustrole.Name)
|
||||
framework.RemoveMemberclusterRoleBinding(member1, saBinding2.Name)
|
||||
})
|
||||
|
||||
ginkgo.It("Grant permission to Serviceaccount in member1 cluster.", func() {
|
||||
framework.WaitServiceaccountPresentOnCluster(kubeClient, saName, saTom.Namespace)
|
||||
framework.WaitServiceaccountPresentOnMemberCluster(member1, saName, saTom.Namespace)
|
||||
framework.WaitClusterrolebindingPresentOnCluster(kubeClient, saBinding.Name)
|
||||
framework.WaitClusterrolebindingPresentOnMemberCluster(member1, saBinding2.Name)
|
||||
apiPath := "/apis/cluster.karmada.io/v1alpha1/clusters/" + member1 + "/proxy/api/v1/nodes"
|
||||
code := framework.GetClusterNode(apiPath, kubeClient, karmadaClient, saName, saTom.Namespace)
|
||||
gomega.Expect(code).Should(gomega.Equal(200))
|
||||
})
|
||||
|
||||
ginkgo.It("Grant no permission to Serviceaccount in member2 cluster.", func() {
|
||||
framework.WaitServiceaccountPresentOnCluster(kubeClient, saName, saTom.Namespace)
|
||||
framework.WaitServiceaccountPresentOnMemberCluster(member1, saName, saTom.Namespace)
|
||||
framework.WaitClusterrolebindingPresentOnCluster(kubeClient, saBinding.Name)
|
||||
framework.WaitClusterrolebindingPresentOnMemberCluster(member1, saBinding2.Name)
|
||||
apiPath := "/apis/cluster.karmada.io/v1alpha1/clusters/" + member2 + "/proxy/api/v1/nodes"
|
||||
code := framework.GetClusterNode(apiPath, kubeClient, karmadaClient, saName, saTom.Namespace)
|
||||
gomega.Expect(code).ShouldNot(gomega.Equal(200))
|
||||
gomega.Expect(code).Should(gomega.Equal(403))
|
||||
ginkgo.By("access the member2 /api path without right", func() {
|
||||
code, err := helper.DoRequest(fmt.Sprintf(karmadaHost+clusterProxy, member2), tomToken)
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
gomega.Expect(code).Should(gomega.Equal(403))
|
||||
})
|
||||
})
|
||||
})
|
||||
})
|
||||
|
|
|
|||
|
|
@ -1,243 +0,0 @@
|
|||
package framework
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/onsi/ginkgo"
|
||||
"github.com/onsi/gomega"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
|
||||
karmada "github.com/karmada-io/karmada/pkg/generated/clientset/versioned"
|
||||
)
|
||||
|
||||
// CreateClusterrole create clusterrole.
|
||||
func CreateClusterrole(client kubernetes.Interface, clusterrole *rbacv1.ClusterRole) {
|
||||
ginkgo.By(fmt.Sprintf("Creating ClusterRole(%s)", clusterrole.Name), func() {
|
||||
_, err := client.RbacV1().ClusterRoles().Create(context.TODO(), clusterrole, metav1.CreateOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// CreateClusterroleBinding create clusterrolebinding.
|
||||
func CreateClusterroleBinding(client kubernetes.Interface, clusterrolebinding *rbacv1.ClusterRoleBinding) {
|
||||
ginkgo.By(fmt.Sprintf("Creating ClusterRoleBinding(%s)", clusterrolebinding.Name), func() {
|
||||
_, err := client.RbacV1().ClusterRoleBindings().Create(context.TODO(), clusterrolebinding, metav1.CreateOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// WaitClusterrolebindingPresentOnCluster wait for Clusterrolebinding ready in cluster until timeout.
|
||||
func WaitClusterrolebindingPresentOnCluster(client kubernetes.Interface, name string) {
|
||||
ginkgo.By(fmt.Sprintf("wait for clusterRoleBinding(%s) present ", name), func() {
|
||||
gomega.Eventually(func(g gomega.Gomega) (bool, error) {
|
||||
_, err := client.RbacV1().ClusterRoleBindings().Get(context.TODO(), name, metav1.GetOptions{})
|
||||
g.Expect(err).NotTo(gomega.HaveOccurred())
|
||||
return true, nil
|
||||
}, pollTimeout, pollInterval).Should(gomega.Equal(true))
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveClusterrole delete clusterrole.
|
||||
func RemoveClusterrole(client kubernetes.Interface, name string) {
|
||||
ginkgo.By(fmt.Sprintf("Remove ClusterRole(%s)", name), func() {
|
||||
err := client.RbacV1().ClusterRoles().Delete(context.TODO(), name, metav1.DeleteOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveclusterroleBinding delete clusterrolebinding.
|
||||
func RemoveclusterroleBinding(client kubernetes.Interface, name string) {
|
||||
ginkgo.By(fmt.Sprintf("Remove ClusterRole(%s)", name), func() {
|
||||
err := client.RbacV1().ClusterRoleBindings().Delete(context.TODO(), name, metav1.DeleteOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// CreateMermberclusterSa create serviceaccount for member cluster.
|
||||
func CreateMermberclusterSa(cluster string, serviceaccount *corev1.ServiceAccount) {
|
||||
ginkgo.By(fmt.Sprintf("Creating serviceaccount(%s) in membercluster (%s) in namespace %s", serviceaccount.Name, cluster, serviceaccount.Namespace), func() {
|
||||
clusterClient := GetClusterClient(cluster)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
_, err := clusterClient.CoreV1().ServiceAccounts(serviceaccount.Namespace).Create(context.TODO(), serviceaccount, metav1.CreateOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
|
||||
}
|
||||
|
||||
// CreateKarmadaSa create serviceaccount for karmada.
|
||||
func CreateKarmadaSa(client kubernetes.Interface, serviceaccount *corev1.ServiceAccount) {
|
||||
ginkgo.By(fmt.Sprintf("Creating serviceaccount(%s) in karmadaCluster in namespace %s", serviceaccount.Name, serviceaccount.Namespace), func() {
|
||||
_, err := client.CoreV1().ServiceAccounts(serviceaccount.Namespace).Create(context.TODO(), serviceaccount, metav1.CreateOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveMermberclusterSa delete serviceaccount for member cluster.
|
||||
func RemoveMermberclusterSa(cluster, name, namespace string) {
|
||||
ginkgo.By(fmt.Sprintf("Remove serviceaccount(%s) in membercluster (%s)", name, cluster), func() {
|
||||
clusterClient := GetClusterClient(cluster)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
err := clusterClient.CoreV1().ServiceAccounts(namespace).Delete(context.TODO(), name, metav1.DeleteOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveKarmadalusterSa delete serviceaccount for karmada cluster.
|
||||
func RemoveKarmadalusterSa(client kubernetes.Interface, name, namespace string) {
|
||||
ginkgo.By(fmt.Sprintf("Remove serviceaccount(%s) in karmadaCluster", name), func() {
|
||||
err := client.CoreV1().ServiceAccounts(namespace).Delete(context.TODO(), name, metav1.DeleteOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// CreateMemberclusterRole create clusterrole with config.
|
||||
func CreateMemberclusterRole(cluster string, clusterrole *rbacv1.ClusterRole) {
|
||||
ginkgo.By(fmt.Sprintf("Creating member clusterrole(%s) in clustermember(%s)", clusterrole.Name, cluster), func() {
|
||||
clusterClient := GetClusterClient(cluster)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
_, err := clusterClient.RbacV1().ClusterRoles().Create(context.TODO(), clusterrole, metav1.CreateOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveMemberclusterRole delete member cluster clusterRole.
|
||||
func RemoveMemberclusterRole(cluster string, clusterroleName string) {
|
||||
ginkgo.By(fmt.Sprintf("Remove clusterRole(%s) in member(%s) ", clusterroleName, cluster), func() {
|
||||
clusterClient := GetClusterClient(cluster)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
err := clusterClient.RbacV1().ClusterRoles().Delete(context.TODO(), clusterroleName, metav1.DeleteOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// CreateMemberclusterRoleBinding create membercluster clusterrolebinding.
|
||||
func CreateMemberclusterRoleBinding(cluster string, clusterrolebinding *rbacv1.ClusterRoleBinding) {
|
||||
ginkgo.By(fmt.Sprintf("Creating member clusterrolebinding(%s)", clusterrolebinding.Name), func() {
|
||||
clusterClient := GetClusterClient(cluster)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
_, err := clusterClient.RbacV1().ClusterRoleBindings().Create(context.TODO(), clusterrolebinding, metav1.CreateOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// WaitClusterrolebindingPresentOnMemberCluster wait for Clusterrolebinding ready in member cluster until timeout.
|
||||
func WaitClusterrolebindingPresentOnMemberCluster(cluster string, clusterroleBindName string) {
|
||||
ginkgo.By(fmt.Sprintf("wait for clusterRoleBinding(%s) present in member(%s) cluster ", clusterroleBindName, cluster), func() {
|
||||
clusterClient := GetClusterClient(cluster)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
gomega.Eventually(func(g gomega.Gomega) (bool, error) {
|
||||
_, err := clusterClient.RbacV1().ClusterRoleBindings().Get(context.TODO(), clusterroleBindName, metav1.GetOptions{})
|
||||
g.Expect(err).NotTo(gomega.HaveOccurred())
|
||||
return true, nil
|
||||
}, pollTimeout, pollInterval).Should(gomega.Equal(true))
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveMemberclusterRoleBinding delete member cluster clusterRoleBinding.
|
||||
func RemoveMemberclusterRoleBinding(cluster string, clusterroleBindName string) {
|
||||
ginkgo.By(fmt.Sprintf("Remove clusterRoleBinding(%s) in member(%s) ", clusterroleBindName, cluster), func() {
|
||||
clusterClient := GetClusterClient(cluster)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
err := clusterClient.RbacV1().ClusterRoleBindings().Delete(context.TODO(), clusterroleBindName, metav1.DeleteOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// WaitServiceaccountPresentOnCluster wait for sa ready on cluster untill timeout.
|
||||
func WaitServiceaccountPresentOnCluster(client kubernetes.Interface, saname, namespace string) {
|
||||
ginkgo.By(fmt.Sprintf("wait for serviceaccount (%s) present in karmadacluster in namespace %s", saname, namespace), func() {
|
||||
gomega.Eventually(func(g gomega.Gomega) (bool, error) {
|
||||
_, err := client.CoreV1().ServiceAccounts(namespace).Get(context.TODO(), saname, metav1.GetOptions{})
|
||||
g.Expect(err).NotTo(gomega.HaveOccurred())
|
||||
return true, nil
|
||||
}, pollTimeout, pollInterval).Should(gomega.Equal(true))
|
||||
})
|
||||
}
|
||||
|
||||
// WaitServiceaccountPresentOnMemberCluster wait for sa ready on targetmember cluster untill timeout.
|
||||
func WaitServiceaccountPresentOnMemberCluster(cluster, saname, namespace string) {
|
||||
ginkgo.By(fmt.Sprintf("wait for serviceaccount (%s) present in member(%s) cluster in namespace %s ", saname, cluster, namespace), func() {
|
||||
clusterClient := GetClusterClient(cluster)
|
||||
gomega.Expect(clusterClient).ShouldNot(gomega.BeNil())
|
||||
gomega.Eventually(func(g gomega.Gomega) (bool, error) {
|
||||
_, err := clusterClient.CoreV1().ServiceAccounts(namespace).Get(context.TODO(), saname, metav1.GetOptions{})
|
||||
g.Expect(err).NotTo(gomega.HaveOccurred())
|
||||
return true, nil
|
||||
}, pollTimeout, pollInterval).Should(gomega.Equal(true))
|
||||
})
|
||||
}
|
||||
|
||||
// WaitSecretPresentOnCluster wait for Clusterrolebinding ready until timeout.
|
||||
func WaitSecretPresentOnCluster(client kubernetes.Interface, saname, namespace string) (secretName string) {
|
||||
ginkgo.By(fmt.Sprintf("wait for secret (%s) present in cluster in namespace %s", saname, namespace), func() {
|
||||
gomega.Eventually(func(g gomega.Gomega) (bool, error) {
|
||||
listSecret, err := client.CoreV1().Secrets(namespace).List(context.TODO(), metav1.ListOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
sclist := []string{}
|
||||
for _, scName := range listSecret.Items {
|
||||
sclist = append(sclist, scName.Name)
|
||||
}
|
||||
for _, k := range sclist {
|
||||
secretName = k
|
||||
}
|
||||
return strings.HasPrefix(secretName, saname), nil
|
||||
}, pollTimeout, pollInterval).Should(gomega.Equal(true))
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
// GetSecretInfo get token/url of the karmada cluster.
|
||||
func GetSecretInfo(client kubernetes.Interface, karmadaClient karmada.Interface, saname, namespace string) (token string, url string) {
|
||||
secretName := WaitSecretPresentOnCluster(client, saname, namespace)
|
||||
ta, err := client.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
fmt.Println(err.Error())
|
||||
}
|
||||
token = base64.StdEncoding.EncodeToString(ta.Data["token"])
|
||||
kubeconfig := os.Getenv("KUBECONFIG")
|
||||
config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
|
||||
url = config.Host
|
||||
if err != nil {
|
||||
panic(err.Error())
|
||||
}
|
||||
return token, url
|
||||
}
|
||||
|
||||
// GetClusterNode use bearer token call karmada api.
|
||||
func GetClusterNode(path string, client kubernetes.Interface, karmadaClient karmada.Interface, saname, namespace string) int {
|
||||
token, apiurl := GetSecretInfo(client, karmadaClient, saname, namespace)
|
||||
// changge toekn to decodestring
|
||||
to1, err := base64.StdEncoding.DecodeString(token)
|
||||
if err != nil {
|
||||
fmt.Println(err.Error())
|
||||
}
|
||||
t1 := string(to1)
|
||||
t := "Bearer " + t1
|
||||
url := apiurl + path
|
||||
// insecure the httprequest
|
||||
tr := &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||
}
|
||||
httpClient := &http.Client{Transport: tr}
|
||||
res, err := http.NewRequest("GET", url, nil)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
res.Header.Add("Authorization", t)
|
||||
resp, err := httpClient.Do(res)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
return resp.StatusCode
|
||||
}
|
||||
|
|
@ -0,0 +1,71 @@
|
|||
package framework
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/onsi/ginkgo"
|
||||
"github.com/onsi/gomega"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
)
|
||||
|
||||
// CreateClusterRole create clusterRole.
|
||||
func CreateClusterRole(client kubernetes.Interface, clusterRole *rbacv1.ClusterRole) {
|
||||
ginkgo.By(fmt.Sprintf("Creating ClusterRole(%s)", clusterRole.Name), func() {
|
||||
_, err := client.RbacV1().ClusterRoles().Create(context.TODO(), clusterRole, metav1.CreateOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// CreateClusterRoleBinding create clusterRoleBinding.
|
||||
func CreateClusterRoleBinding(client kubernetes.Interface, clusterRoleBinding *rbacv1.ClusterRoleBinding) {
|
||||
ginkgo.By(fmt.Sprintf("Creating ClusterRoleBinding(%s)", clusterRoleBinding.Name), func() {
|
||||
_, err := client.RbacV1().ClusterRoleBindings().Create(context.TODO(), clusterRoleBinding, metav1.CreateOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveClusterRole delete clusterRole.
|
||||
func RemoveClusterRole(client kubernetes.Interface, name string) {
|
||||
ginkgo.By(fmt.Sprintf("Remove ClusterRole(%s)", name), func() {
|
||||
err := client.RbacV1().ClusterRoles().Delete(context.TODO(), name, metav1.DeleteOptions{})
|
||||
if apierrors.IsNotFound(err) {
|
||||
return
|
||||
}
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveClusterRoleBinding delete clusterRoleBinding.
|
||||
func RemoveClusterRoleBinding(client kubernetes.Interface, name string) {
|
||||
ginkgo.By(fmt.Sprintf("Remove ClusterRoleBinding(%s)", name), func() {
|
||||
err := client.RbacV1().ClusterRoleBindings().Delete(context.TODO(), name, metav1.DeleteOptions{})
|
||||
if apierrors.IsNotFound(err) {
|
||||
return
|
||||
}
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// CreateServiceAccount create serviceaccount.
|
||||
func CreateServiceAccount(client kubernetes.Interface, serviceaccount *corev1.ServiceAccount) {
|
||||
ginkgo.By(fmt.Sprintf("Creating ServiceAccount(%s/%s)", serviceaccount.Namespace, serviceaccount.Name), func() {
|
||||
_, err := client.CoreV1().ServiceAccounts(serviceaccount.Namespace).Create(context.TODO(), serviceaccount, metav1.CreateOptions{})
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
||||
// RemoveServiceAccount delete serviceaccount.
|
||||
func RemoveServiceAccount(client kubernetes.Interface, namespace, name string) {
|
||||
ginkgo.By(fmt.Sprintf("Remove ServiceAccount(%s/%s)", namespace, name), func() {
|
||||
err := client.CoreV1().ServiceAccounts(namespace).Delete(context.TODO(), name, metav1.DeleteOptions{})
|
||||
if apierrors.IsNotFound(err) {
|
||||
return
|
||||
}
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
})
|
||||
}
|
||||
|
|
@ -67,6 +67,7 @@ const (
|
|||
var (
|
||||
kubeconfig string
|
||||
restConfig *rest.Config
|
||||
karmadaHost string
|
||||
kubeClient kubernetes.Interface
|
||||
karmadaClient karmada.Interface
|
||||
dynamicClient dynamic.Interface
|
||||
|
|
@ -91,6 +92,8 @@ var _ = ginkgo.BeforeSuite(func() {
|
|||
restConfig, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
|
||||
karmadaHost = restConfig.Host
|
||||
|
||||
kubeClient, err = kubernetes.NewForConfig(restConfig)
|
||||
gomega.Expect(err).ShouldNot(gomega.HaveOccurred())
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,98 @@
|
|||
package helper
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/klog/v2"
|
||||
)
|
||||
|
||||
const (
|
||||
// pollInterval defines the interval time for a poll operation.
|
||||
pollInterval = 5 * time.Second
|
||||
// pollTimeout defines the time after which the poll operation times out.
|
||||
pollTimeout = 300 * time.Second
|
||||
)
|
||||
|
||||
// GetTokenFromServiceAccount get token from serviceAccount's related secret.
|
||||
func GetTokenFromServiceAccount(client kubernetes.Interface, saNamespace, saName string) (string, error) {
|
||||
var saRefSecret string
|
||||
err := wait.PollImmediate(pollInterval, pollTimeout, func() (done bool, err error) {
|
||||
sa, err := client.CoreV1().ServiceAccounts(saNamespace).Get(context.TODO(), saName, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
if apierrors.IsNotFound(err) {
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
|
||||
if sa.Secrets == nil || len(sa.Secrets) == 0 {
|
||||
return false, nil
|
||||
}
|
||||
saRefSecret = sa.Secrets[0].Name
|
||||
return true, nil
|
||||
})
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
klog.Infof("Get serviceAccount(%s/%s)'s refer secret(%s)", saNamespace, saName, saRefSecret)
|
||||
var token string
|
||||
err = wait.PollImmediate(pollInterval, pollTimeout, func() (done bool, err error) {
|
||||
secret, err := client.CoreV1().Secrets(saNamespace).Get(context.TODO(), saRefSecret, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
if apierrors.IsNotFound(err) {
|
||||
return false, nil
|
||||
}
|
||||
return false, err
|
||||
}
|
||||
tokenByte, ok := secret.Data["token"]
|
||||
if !ok {
|
||||
return false, nil
|
||||
}
|
||||
token = base64.StdEncoding.EncodeToString(tokenByte)
|
||||
return true, nil
|
||||
})
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return token, nil
|
||||
}
|
||||
|
||||
// DoRequest use bearer token to call karmada-apiserver.
|
||||
func DoRequest(urlPath string, token string) (int, error) {
|
||||
decodeToken, err := base64.StdEncoding.DecodeString(token)
|
||||
if err != nil {
|
||||
klog.Infof("DoRequest decode token failed: %v", err)
|
||||
return 0, err
|
||||
}
|
||||
bearToken := fmt.Sprintf("Bearer %s", string(decodeToken))
|
||||
|
||||
res, err := http.NewRequest("GET", urlPath, nil)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
res.Header.Add("Authorization", bearToken)
|
||||
|
||||
// #nosec
|
||||
transport := &http.Transport{
|
||||
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
||||
}
|
||||
httpClient := &http.Client{Transport: transport}
|
||||
resp, err := httpClient.Do(res)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
return resp.StatusCode, nil
|
||||
}
|
||||
|
|
@ -556,37 +556,27 @@ func NewConfigMap(namespace string, name string, data map[string]string) *corev1
|
|||
// NewServiceaccount will build a new serviceaccount.
|
||||
func NewServiceaccount(namespace, name string) *corev1.ServiceAccount {
|
||||
return &corev1.ServiceAccount{
|
||||
TypeMeta: metav1.TypeMeta{},
|
||||
ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace},
|
||||
Secrets: []corev1.ObjectReference{},
|
||||
}
|
||||
}
|
||||
|
||||
// NewClusterroles will build a new clusterrole resource.
|
||||
func NewClusterroles(name, apigroup, resource, resourcename string) *rbacv1.ClusterRole {
|
||||
// NewClusterRole will build a new clusterRole object.
|
||||
func NewClusterRole(name string, rules []rbacv1.PolicyRule) *rbacv1.ClusterRole {
|
||||
return &rbacv1.ClusterRole{
|
||||
TypeMeta: metav1.TypeMeta{},
|
||||
ObjectMeta: metav1.ObjectMeta{Name: name},
|
||||
Rules: []rbacv1.PolicyRule{{
|
||||
APIGroups: []string{apigroup},
|
||||
Verbs: []string{"*"},
|
||||
Resources: []string{resource},
|
||||
// ResourceNames: []string{"member1","member2","member3"},
|
||||
ResourceNames: []string{resourcename},
|
||||
}},
|
||||
Rules: rules,
|
||||
}
|
||||
}
|
||||
|
||||
// NewClusterrolebindings will bild a new clusterrolebinding.
|
||||
func NewClusterrolebindings(name, clsterroleName string, subject []rbacv1.Subject) *rbacv1.ClusterRoleBinding {
|
||||
// NewClusterRoleBinding will build a new clusterRoleBinding object.
|
||||
func NewClusterRoleBinding(name, roleRefName string, subject []rbacv1.Subject) *rbacv1.ClusterRoleBinding {
|
||||
return &rbacv1.ClusterRoleBinding{
|
||||
TypeMeta: metav1.TypeMeta{},
|
||||
ObjectMeta: metav1.ObjectMeta{Name: name},
|
||||
Subjects: subject,
|
||||
RoleRef: rbacv1.RoleRef{
|
||||
APIGroup: "rbac.authorization.k8s.io",
|
||||
Kind: "ClusterRole",
|
||||
Name: clsterroleName,
|
||||
Name: roleRefName,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue