Openshift - Arquillian Cube : tests fail to execute : unable to list projects when running test

[dcdh]

I have got a developer with proper cluster role to list projects.

By doing these manual steps, I am able to list projects: 1/ oc login -u developer -p developer 2/ oc whoami --show-token B9ONXUSkY2DFU-hPuIFLCIbaQa7gscHg0AUDCVwz3Uo 3/ list projects:

curl -k \                                                                                                                                                  (04-12 01:29)
    -H "Authorization: Bearer B9ONXUSkY2DFU-hPuIFLCIbaQa7gscHg0AUDCVwz3Uo" \
    -H 'Accept: application/json' \
    https://192.168.42.148:8443/apis/project.openshift.io/v1/projects       
{
  "kind": "ProjectList",
  "apiVersion": "project.openshift.io/v1",
  "metadata": {
    "selfLink": "/apis/project.openshift.io/v1/projects"
  },
  "items": [

My projects are listed so developer have the right to do it and the token used is ok.

Now when I want to use Arquillian Cube with Openshift to run a test (so it will list projects, create a project, pods and run tests) using this arquillian.xml:

<arquillian xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://jboss.org/schema/arquillian"
    xsi:schemaLocation="http://jboss.org/schema/arquillian http://jboss.org/schema/arquillian/arquillian_1_0.xsd">

    <extension qualifier="openshift">
        <property name="cube.username">developer</property>
        <property name="cube.password">developer</property>
<!--        <property name="cube.auth.token">B9ONXUSkY2DFU-hPuIFLCIbaQa7gscHg0AUDCVwz3Uo</property> -->
        <property name="cube.fmp.debug.output">true</property>
    </extension>

</arquillian>

It fails. From the log the "system:anonymous" is used to list all projects. So it seems that user developer is not used to authenticate.

Initializing Session:76bbce4a Using Kubernetes at: https://192.168.42.148:8443/ Next exception has been thrown while checking the existence of itest-76bbce4a namespace and the namespace is going to be created. The exception is io.fabric8.kubernetes.clnt.v3_1.KubernetesClientException: Failure executing: GET at: https://192.168.42.148:8443/apis/project.openshift.io/v1/projects. Message: Forbidden! User developer/192-168-42-148:8443 doesn't have permission. User "system:anonymous" cannot list all projects.project.openshift.io in the cluster. Creating project: itest-76bbce4a [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 1.347 s <<< FAILURE! - in com.damdamdeo.helloworld.HelloWorldFeatureIT [ERROR] com.damdamdeo.helloworld.HelloWorldFeatureIT Time elapsed: 1.346 s <<< ERROR! io.fabric8.kubernetes.clnt.v3_1.KubernetesClientException: Failure executing: POST at: https://192.168.42.148:8443/apis/project.openshift.io/v1/projectrequests. Message: Forbidden! User developer/192-168-42-148:8443 doesn't have permission. You may not request a new project via this API..

However with this arquillian.conf (notice I am using the token retrieved from 'oc whoami --show-token'):

<arquillian xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://jboss.org/schema/arquillian"
    xsi:schemaLocation="http://jboss.org/schema/arquillian http://jboss.org/schema/arquillian/arquillian_1_0.xsd">

    <extension qualifier="openshift">
<!--        <property name="cube.username">developer</property> -->
<!--        <property name="cube.password">developer</property> -->
        <property name="cube.auth.token">B9ONXUSkY2DFU-hPuIFLCIbaQa7gscHg0AUDCVwz3Uo</property>
        <property name="cube.fmp.debug.output">true</property>
    </extension>

</arquillian>

It works:

Initializing Session:6d4e8061 Using Kubernetes at: https://192.168.42.148:8443/ Creating project: itest-6d4e8061 To switch to the new project: oc project itest-6d4e8061 Did not find any kubernetes/openshift configuration files before starting the test execution. If you are using fabric8-maven-plugin, ensure mvn package fabric8:resource fabric8:build is run first to generate the resources. avr. 12, 2018 1:13:08 AM org.arquillian.cube.kubernetes.impl.resources.KubernetesResourcesApplier applyKubernetesResourcesAtClassScope INFOS: Creating environment for com.damdamdeo.helloworld.HelloWorldFeatureIT avr. 12, 2018 1:13:08 AM org.arquillian.cube.openshift.impl.CEEnvironmentProcessor createEnvironment INFOS: Creating environment for com.damdamdeo.helloworld.HelloWorldFeatureIT avr. 12, 2018 1:13:08 AM org.arquillian.cube.kubernetes.impl.resources.KubernetesResourcesApplier applyKubernetesResourcesAtMethodScope INFOS: Creating environment for com.damdamdeo.helloworld.HelloWorldFeatureIT method performInternalCucumberOperations avr. 12, 2018 1:13:08 AM org.arquillian.cube.openshift.impl.CEEnvironmentProcessor createOpenShiftResource INFOS: Creating environment for com.damdamdeo.helloworld.HelloWorldFeatureIT method public void cucumber.runtime.arquillian.runner.BaseCukeSpace.performInternalCucumberOperations(java.lang.Object,java.lang.Object) throws java.lang.Exception avr. 12, 2018 1:13:08 AM cucumber.runtime.arquillian.runner.BaseCukeSpace runFeatures INFOS: Running com/damdamdeo/helloworld/HelloWorld.feature Feature: Hello World IT avr. 12, 2018 1:13:09 AM org.arquillian.cube.kubernetes.impl.KubernetesAssistant deploy INFOS: application deployed, 3 object(s) created.

Expected behavior:

cube.username and cube.password should be used to authenticate the user to execute tests.

Workaround: log to openshift using 'oc login -u system:admin' before running tests (using 'mvn deploy').

Remark: login using the developer user is not working.

Versions:

arquillian-cube-openshift: 1.15.3

oc v3.6.1+008f2d5 kubernetes v1.6.1+5115d708d7 features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://192.168.42.148:8443 openshift v3.6.1+269e828-9 kubernetes v1.6.1+5115d708d7

[dipak-pawar]

Opened issue and PR for kubernetes-client.