Install gcompat in java runner images (#761)

* Install gcompat in java runner images * Bump go to 1.22.4 * Fix oauth2 * Fix oauth2 settings * Disable legacy oauth2 params test case * Add testcase for google pubsub io * Set gsa credential * Set GSA credential * fix ci * print expected result
streamnative · Jul 12, 2024 · 47ee638 · 47ee638
1 parent 6e02ca1
commit 47ee638
Show file tree

Hide file tree

Showing 15 changed files with 167 additions and 30 deletions.
diff --git a/.ci/clusters/values_skywalking_e2e_cluster_with_oauth.yaml b/.ci/clusters/values_skywalking_e2e_cluster_with_oauth.yaml
@@ -135,12 +135,12 @@ auth:
     enabled: true
     provider: "oauth2"
     oauth2:
-      issuerUrl: https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/
-      issuerUrlParam: https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0
-      audience: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e
-      audienceParam: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
-      brokerClientCredential: '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","issuer_url":"https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0"}'
-      subjectClaim: appid
-      adminScope: appid
-      adminScopeParam: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
+      issuerUrl: https://auth.sncloud-stg.dev/
+      issuerUrlParam: https://auth.sncloud-stg.dev/
+      audience: "urn:sn:pulsar:sndev:test"
+      audienceParam: "urn:sn:pulsar:sndev:test"
+      brokerClientCredential: '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","issuer_url":"https://auth.sncloud-stg.dev/"}'
+      subjectClaim: https://streamnative.io/username
+      adminScope: https://streamnative.io/username
+      adminScopeParam: ""
       authenticationProviders: io.streamnative.pulsar.broker.authentication.AuthenticationProviderOAuth
diff --git a/.ci/examples/connect/pubsub.nar b/.ci/examples/connect/pubsub.nar
diff --git a/.ci/helm.sh b/.ci/helm.sh
@@ -620,4 +620,15 @@ function ci::verify_liveness_probe() {
     return 1
   fi
   echo "succeeded"
+}
+
+function ci::verify_pod_log() {
+  pod=$1
+  log=$2
+  sleep 30
+  kubectl logs --tail=-1 $pod | grep "$log"
+  while [[ $? -ne 0 ]]; do
+      sleep 5
+      kubectl logs --tail=-1 $pod | grep "$log"
+  done
 }
diff --git a/.ci/tests/integration-oauth2/cases/batch-source/manifests.yaml b/.ci/tests/integration-oauth2/cases/batch-source/manifests.yaml
@@ -37,16 +37,14 @@ spec:
       certSecretKey: ""
     authConfig:
       oauth2Config:
-        audience: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
-        issuerUrl: https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0
-        scope: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
+        audience: urn:sn:pulsar:sndev:test
+        issuerUrl: https://auth.sncloud-stg.dev/
         keySecretName: sn-platform-oauth2-private-key
         keySecretKey: auth.json
     cleanupAuthConfig:
       oauth2Config:
-        audience: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
-        issuerUrl: https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0
-        scope: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
+        audience: urn:sn:pulsar:sndev:test
+        issuerUrl: https://auth.sncloud-stg.dev/
         keySecretName: sn-platform-oauth2-private-key
         keySecretKey: auth.json
   image: streamnative/pulsar-io-batch-data-generator:3.2.2.1

diff --git a/.ci/tests/integration-oauth2/cases/google-pubsub-source/manifests.yaml b/.ci/tests/integration-oauth2/cases/google-pubsub-source/manifests.yaml
@@ -0,0 +1,62 @@
+apiVersion: compute.functionmesh.io/v1alpha1
+kind: Source
+metadata:
+  name: pubsub-source
+  namespace: default
+spec:
+  className: org.apache.pulsar.ecosystem.io.pubsub.PubsubSource
+  clusterName: test-pulsar
+  forwardSourceMessageProperty: true
+  image: streamnative/pulsar-functions-pulsarctl-java-runner:3.2.2.1
+  java:
+    jar: /tmp/pulsar-io-google-pubsub.nar
+    jarLocation: function://public/default/pubsub
+  minReplicas: 1
+  name: test
+  namespace: default
+  output:
+    producerConf: {}
+    topic: persistent://public/default/test-pubsub-output
+    typeClassName: '[B'
+  processingGuarantee: atleast_once
+  pulsar:
+    pulsarConfig: test-pulsar
+    authConfig:
+      oauth2Config:
+        audience: urn:sn:pulsar:sndev:test
+        issuerUrl: https://auth.sncloud-stg.dev/
+        keySecretName: sn-platform-oauth2-private-key
+        keySecretKey: auth.json
+  replicas: 1
+  resources:
+    limits:
+      cpu: "0.2"
+      memory: 1.1G
+    requests:
+      cpu: "0.1"
+      memory: 1G
+  secretsMap:
+    pubsubCredential:
+      key: GCP_KEY
+      path: gcp-account
+  sourceConfig:
+    pubsubProjectId: sncloud-dev-pengcheng
+    pubsubTopicId: test-input
+  tenant: public
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-pulsar
+data:
+  webServiceURL: http://sn-platform-pulsar-broker.default.svc.cluster.local:8080
+  brokerServiceURL: pulsar://sn-platform-pulsar-broker.default.svc.cluster.local:6650
+---
+apiVersion: v1
+data:
+  GCP_KEY: GCP_KEY_DATA
+kind: Secret
+metadata:
+  name: gcp-account
+  namespace: default
+type: Opaque
diff --git a/.ci/tests/integration-oauth2/cases/google-pubsub-source/verify.sh b/.ci/tests/integration-oauth2/cases/google-pubsub-source/verify.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+set -e
+
+E2E_DIR=$(dirname "$0")
+BASE_DIR=$(cd "${E2E_DIR}"/../../../../..;pwd)
+PULSAR_NAMESPACE=${PULSAR_NAMESPACE:-"default"}
+PULSAR_RELEASE_NAME=${PULSAR_RELEASE_NAME:-"sn-platform"}
+E2E_KUBECONFIG=${E2E_KUBECONFIG:-"/tmp/e2e-k8s.config"}
+
+source "${BASE_DIR}"/.ci/helm.sh
+
+if [ ! "$KUBECONFIG" ]; then
+  export KUBECONFIG=${E2E_KUBECONFIG}
+fi
+
+kubectl apply -f "${BASE_DIR}"/.ci/tests/integration-oauth2/cases/google-pubsub-source/manifests.yaml > /dev/null 2>&1
+
+verify_fm_result=$(ci::verify_function_mesh pubsub-source 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_fm_result"
+  kubectl delete -f "${BASE_DIR}"/.ci/tests/integration-oauth2/cases/google-pubsub-source/manifests.yaml > /dev/null 2>&1 || true
+  exit 1
+fi
+
+verify_pod_log_result=$(NAMESPACE=${PULSAR_NAMESPACE} ci::verify_pod_log pubsub-source-source-0 "listening for messages on projects/sncloud-dev-pengcheng/subscriptions/test-input" 2>&1)
+if [ $? -ne 0 ]; then
+  echo "$verify_pod_log_result"
+  kubectl delete -f "${BASE_DIR}"/.ci/tests/integration-oauth2/cases/google-pubsub-source/manifests.yaml > /dev/null 2>&1 || true
+  exit 1
+fi
+
+echo "e2e-test: ok" | yq eval -
+kubectl delete -f "${BASE_DIR}"/.ci/tests/integration-oauth2/cases/google-pubsub-source/manifests.yaml > /dev/null 2>&1 || true
diff --git a/.ci/tests/integration-oauth2/cases/java-download-function-generic-auth/manifests.yaml b/.ci/tests/integration-oauth2/cases/java-download-function-generic-auth/manifests.yaml
@@ -42,7 +42,7 @@ spec:
       certSecretKey: ""
     authConfig:
       genericAuth:
-        clientAuthenticationParameters: '{"audience":"api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default","issuerUrl":"https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0","privateKey":"/mnt/secrets/auth.json","type":"client_credentials","scope":"api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default","issuer_url":"https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0","private_key":"/mnt/secrets/auth.json"}'
+        clientAuthenticationParameters: '{"audience":"urn:sn:pulsar:sndev:test","issuerUrl":"https://auth.sncloud-stg.dev/","privateKey":"/mnt/secrets/auth.json","type":"client_credentials","issuer_url":"https://auth.sncloud-stg.dev/","private_key":"/mnt/secrets/auth.json"}'
         clientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2
   java:
     jar: pulsar-functions-api-examples.jar

diff --git a/.ci/tests/integration-oauth2/cases/java-download-function/manifests.yaml b/.ci/tests/integration-oauth2/cases/java-download-function/manifests.yaml
@@ -45,9 +45,8 @@ spec:
       certSecretKey: ""
     authConfig:
       oauth2Config:
-        audience: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
-        issuerUrl: https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0
-        scope: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
+        audience: urn:sn:pulsar:sndev:test
+        issuerUrl: https://auth.sncloud-stg.dev/
         keySecretName: sn-platform-oauth2-private-key
         keySecretKey: auth.json
   java:

diff --git a/.ci/tests/integration-oauth2/cases/java-function/manifests.yaml b/.ci/tests/integration-oauth2/cases/java-function/manifests.yaml
@@ -42,9 +42,8 @@ spec:
       certSecretKey: ""
     authConfig:
       oauth2Config:
-        audience: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
-        issuerUrl: https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0
-        scope: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
+        audience: urn:sn:pulsar:sndev:test
+        issuerUrl: https://auth.sncloud-stg.dev/
         keySecretName: sn-platform-oauth2-private-key
         keySecretKey: auth.json
   java:

diff --git a/.ci/tests/integration-oauth2/cases/py-download-from-http-function/manifests.yaml b/.ci/tests/integration-oauth2/cases/py-download-from-http-function/manifests.yaml
@@ -39,9 +39,8 @@ spec:
       hostnameVerification: true
     authConfig:
       oauth2Config:
-        audience: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
-        issuerUrl: https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0
-        scope: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
+        audience: urn:sn:pulsar:sndev:test
+        issuerUrl: https://auth.sncloud-stg.dev/
         keySecretName: sn-platform-oauth2-private-key
         keySecretKey: auth.json
   python:

diff --git a/.ci/tests/integration-oauth2/cases/py-download-function-legacy/manifests.yaml b/.ci/tests/integration-oauth2/cases/py-download-function-legacy/manifests.yaml
@@ -52,7 +52,7 @@ data:
 ---
 apiVersion: v1
 data:
-  clientAuthenticationParameters: eyJhdWRpZW5jZSI6ImFwaTovLzU2YzFiZDE0LTNiYTctNDgwNC1iNDdiLWQ0NmRlNmRjZTMzZS8uZGVmYXVsdCIsImlzc3VlclVybCI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzA2YThhMDg2LWFlNmUtNDViNS1hMjJlLWFkOTBkZTIzMDEzZS92Mi4wIiwicHJpdmF0ZUtleSI6Ii9tbnQvc2VjcmV0cy9hdXRoLmpzb24iLCJ0eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwic2NvcGUiOiJhcGk6Ly81NmMxYmQxNC0zYmE3LTQ4MDQtYjQ3Yi1kNDZkZTZkY2UzM2UvLmRlZmF1bHQiLCJpc3N1ZXJfdXJsIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvMDZhOGEwODYtYWU2ZS00NWI1LWEyMmUtYWQ5MGRlMjMwMTNlL3YyLjAiLCJwcml2YXRlX2tleSI6Ii9tbnQvc2VjcmV0cy9hdXRoLmpzb24ifQo=
+  clientAuthenticationParameters: eyJhdWRpZW5jZSI6InVybjpzbjpwdWxzYXI6c25kZXY6dGVzdCIsImlzc3VlclVybCI6Imh0dHBzOi8vYXV0aC5zbmNsb3VkLXN0Zy5kZXYvIiwicHJpdmF0ZUtleSI6Ii9tbnQvc2VjcmV0cy9hdXRoLmpzb24iLCJ0eXBlIjoiY2xpZW50X2NyZWRlbnRpYWxzIiwiaXNzdWVyX3VybCI6Imh0dHBzOi8vYXV0aC5zbmNsb3VkLXN0Zy5kZXYvIiwicHJpdmF0ZV9rZXkiOiIvbW50L3NlY3JldHMvYXV0aC5qc29uIn0=
   clientAuthenticationPlugin: b3JnLmFwYWNoZS5wdWxzYXIuY2xpZW50LmltcGwuYXV0aC5vYXV0aDIuQXV0aGVudGljYXRpb25PQXV0aDI=
 kind: Secret
 metadata:

diff --git a/.ci/tests/integration-oauth2/cases/py-download-function/manifests.yaml b/.ci/tests/integration-oauth2/cases/py-download-function/manifests.yaml
@@ -39,9 +39,8 @@ spec:
       hostnameVerification: true
     authConfig:
       oauth2Config:
-        audience: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
-        issuerUrl: https://sts.windows.net/06a8a086-ae6e-45b5-a22e-ad90de23013e/v2.0
-        scope: api://56c1bd14-3ba7-4804-b47b-d46de6dce33e/.default
+        audience: urn:sn:pulsar:sndev:test
+        issuerUrl: https://auth.sncloud-stg.dev/
         keySecretName: sn-platform-oauth2-private-key
         keySecretKey: auth.json
   python:

diff --git a/.ci/tests/integration-oauth2/e2e.yaml b/.ci/tests/integration-oauth2/e2e.yaml
@@ -73,6 +73,7 @@ setup:
       command: |
         bash .ci/upload_function_with_oauth.sh java
         bash .ci/upload_function_with_oauth.sh py
+        bash .ci/upload_function_with_oauth.sh pubsub
 
     # testing download packages from http
     - name: start nginx http server
@@ -88,6 +89,10 @@ setup:
       command: |
         kubectl cp .ci/examples/py-examples/exclamation.zip nginx-0:/tmp
 
+    - name: set gcloud auth
+      command: |
+        sed -i "s/GCP_KEY_DATA/${GSA_CREDENTIAL}/g" .ci/tests/integration-oauth2/cases/google-pubsub-source/manifests.yaml
+
     - name: install function-mesh operator
       command: |
         make manager
@@ -128,8 +133,10 @@ verify:
       expected: expected.data.yaml
     - query: timeout 5m bash .ci/tests/integration-oauth2/cases/py-download-function/verify.sh
       expected: expected.data.yaml
-    - query: timeout 5m bash .ci/tests/integration-oauth2/cases/py-download-function-legacy/verify.sh
-      expected: expected.data.yaml
+    # latest pulsarctl has some error for handling legacy oauth2 params, so remove it temporarily
+    # https://github.com/streamnative/pulsarctl/pull/1506 should fix it
+    #- query: timeout 5m bash .ci/tests/integration-oauth2/cases/py-download-function-legacy/verify.sh
+    #  expected: expected.data.yaml
     - query: timeout 5m bash .ci/tests/integration-oauth2/cases/py-download-from-http-function/verify.sh
       expected: expected.data.yaml
     - query: timeout 5m bash .ci/tests/integration-oauth2/cases/batch-source/verify.sh

diff --git a/.ci/upload_function_with_oauth.sh b/.ci/upload_function_with_oauth.sh
@@ -44,4 +44,8 @@ case ${1} in
     kubectl cp "${PULSAR_HOME}/.ci/examples/go-examples" "${NAMESPACE}/${CLUSTER}-pulsar-broker-0:/pulsar/"
     kubectl exec -n ${NAMESPACE} ${CLUSTER}-pulsar-broker-0 -- sh -c 'bin/pulsar-admin --auth-plugin $brokerClientAuthenticationPlugin --auth-params $brokerClientAuthenticationParameters packages upload function://public/default/test-go-function --path /pulsar/go-examples/exclamationFunc --description "test golang function"'
     ;;
+  pubsub)
+    kubectl cp "${PULSAR_HOME}/.ci/examples/connect" "${NAMESPACE}/${CLUSTER}-pulsar-broker-0:/pulsar/connect"
+    kubectl exec -n ${NAMESPACE} ${CLUSTER}-pulsar-broker-0 -- sh -c 'bin/pulsar-admin --auth-plugin $brokerClientAuthenticationPlugin --auth-params $brokerClientAuthenticationParameters packages upload function://public/default/pubsub --path /pulsar/connect/pubsub.nar --description "pub sub io"'
+    ;;
 esac
diff --git a/.github/workflows/test-integration-skywalking-e2e.yml b/.github/workflows/test-integration-skywalking-e2e.yml
@@ -11,13 +11,20 @@ on:
       - 'LICENSE'
       - 'mesh-worker-service/README.md'
       - 'tools/README.md'
+
+# cancel old workflow if new one is triggered
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions: read-all
 jobs:
   integration:
     runs-on: ubuntu-latest
     env:
       AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
       AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      GSA_CREDENTIAL: ${{ secrets.GSA_CREDENTIAL }}
     timeout-minutes: 80
     strategy:
       matrix: