forbidden to create organization in example test #100

Closed
Tracked by #70
bjwswang opened this issue Feb 9, 2023 · 6 comments · Fixed by #89
Labels
bug Something isn't working high High Priority

Comments

@bjwswang
Member

bjwswang commented Feb 9, 2023

Job: https://github.com/bestchains/fabric-operator/actions/runs/4130734207/jobs/7142008501

When

info "4.1.1 create org=org1, wait for the relevant components to start up."
kubectl create -f config/samples/orgs/org1.yaml --dry-run=client -o json |
	jq '.spec.caSpec.ingress.class = "'$IngressClassName'"' | jq '.spec.caSpec.storage.ca.class = "'$StorageClassName'"' |
	kubectl create --as=org1admin -f -

error occurred

Error from server (Forbidden): error when creating "STDIN": organizations.ibp.com is forbidden: User "org1admin" cannot create resource "organizations" in API group "ibp.com" at the cluster scope
@bjwswang bjwswang added bug Something isn't working high High Priority labels Feb 9, 2023
@bjwswang
Member Author

bjwswang commented Feb 9, 2023

We should use kubectl create --as=org1admin --as-group=bestchains

@Abirdcfly
Member

I don't think we should add --as-group to the test to simulate the group.

We use the --as args because the default kubectl command will use the admin user (default in kubeconfig file), and we want to use another user to simulate, but when we simulate, we want to use this user. u4a-system automatically gets the group information corresponding to this user, so we don't need to provide it.

  1. This is kubectl describe user org1admin in failed test:
Name:         org1admin
Namespace:    
Labels:       t7d.io.username=org1admin
Annotations:  <none>
API Version:  iam.tenxcloud.com/v1alpha1
Kind:         User
Metadata:
  Creation Timestamp:  2023-02-09T09:44:50Z
  Generation:          1
  Managed Fields:
    API Version:  iam.tenxcloud.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
        f:labels:
          .:
          f:t7d.io.username:
      f:spec:
        .:
        f:description:
        f:email:
        f:name:
        f:password:
        f:phone:
        f:role:
    Manager:         kubectl-client-side-apply
    Operation:       Update
    Time:            2023-02-09T09:44:50Z
  Resource Version:  3361
  UID:               76c71bd1-fad3-4813-94d6-226c275b5857
Spec:
  Description:  org1admin 用户信息的描述
  Email:        org1admin@tenxcloud.com
  Name:         org1admin
  Password:     $2a$10$eXHv4JD1hEfMA/vV6Whjae84bVI0CMeZpa43z97PurPQMmD8OAfe2
  Phone:        18890901212
  Role:         admin
Events:         <none>
  2. This is kubectl describe user org1admin in other tests before:
Name:         org1admin
Namespace:    
Labels:       bestchains.organizaiton.org1=admin
              t7d.io.username=org1admin
Annotations:  bestchains:
                {"list":{"org1":{"organization":"org1","ids":{"network-sample30":{"name":"network-sample30","type":"orderer","attributes":{"hf.Affiliation...
API Version:  iam.tenxcloud.com/v1alpha1
Kind:         User
Metadata:
  Creation Timestamp:  2023-02-09T09:21:44Z
  Generation:          1
  Managed Fields:
    API Version:  iam.tenxcloud.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
        f:labels:
          .:
          f:t7d.io.username:
      f:spec:
        .:
        f:description:
        f:email:
        f:groups:
        f:name:
        f:password:
        f:phone:
        f:role:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2023-02-09T09:21:44Z
    API Version:  iam.tenxcloud.com/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:bestchains:
        f:labels:
          f:bestchains.organizaiton.org1:
    Manager:         ibp-operator
    Operation:       Update
    Time:            2023-02-09T09:21:47Z
  Resource Version:  4803
  UID:               94110a5c-7d49-4b94-bc50-35ced20d0ab4
Spec:
  Description:  org1admin 用户信息的描述
  Email:        org1admin@tenxcloud.com
  Groups:
    observability
    system:nodes
    system:masters
    resource-reader
    iam.tenxcloud.com
    observability
  Name:      org1admin
  Password:  $2a$10$693K.zP98yCs1qVwEp//DuWYOtLIE1doihtGhcCyYh3IpgSdGGba2
  Phone:     18890901212
  Role:      admin
Events:      <none>

we can see the group information is indeed not added to the user's spec.
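The two comments above disagree on whether the test should pass `--as-group` or rely on the platform to attach groups. What kube-apiserver's RBAC authorizer actually sees is decided by the impersonation headers kubectl sends: `--as` becomes `Impersonate-User` and each `--as-group` becomes one `Impersonate-Group` header, and a binding to a Group subject only matches if that group is present in the request. The script below is an added example (not code from the fabric-operator project or from the issue) that models this evaluation with a constructed ClusterRole bound to the group `bestchains`; the role and binding names, and the assumption that `organizations.ibp.com` is granted via a group binding rather than directly to `org1admin`, are illustrative.

```python
"""Minimal model of RBAC evaluation for an impersonated request.

The user and groups come straight from the Impersonate-User / Impersonate-Group
headers kubectl sends for --as / --as-group; the apiserver adds
system:authenticated for any non-anonymous impersonated user. A rule applies
only if some binding names that user or one of those groups.

Added example; the ClusterRole/ClusterRoleBinding below are constructed and are
not the project's own manifests.
"""
from dataclasses import dataclass

# Constructed sample policy: create/get on organizations.ibp.com, bound to the
# group "bestchains" (hypothetical), not to the user org1admin directly.
CLUSTER_ROLES = {
    "organization-creator": [
        {"apiGroups": ["ibp.com"], "resources": ["organizations"],
         "verbs": ["create", "get"]},
    ],
}
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "organization-creator",
     "subjects": [{"kind": "Group", "name": "bestchains"}]},
]


@dataclass(frozen=True)
class Request:
    user: str
    groups: tuple
    verb: str
    api_group: str
    resource: str


def impersonation_headers(as_user, as_groups=()):
    """Headers kubectl emits for --as / --as-group (one header per group)."""
    headers = [("Impersonate-User", as_user)]
    headers += [("Impersonate-Group", g) for g in as_groups]
    return headers


def subject_from_headers(headers):
    """Reconstruct the identity the apiserver authorizes after impersonation."""
    user = next(v for k, v in headers if k == "Impersonate-User")
    groups = [v for k, v in headers if k == "Impersonate-Group"]
    # Non-anonymous impersonated users always get system:authenticated.
    if user != "system:anonymous" and "system:authenticated" not in groups:
        groups.append("system:authenticated")
    return user, tuple(groups)


def _rule_matches(rule, req):
    def m(allowed, value):
        return "*" in allowed or value in allowed
    return (m(rule["apiGroups"], req.api_group)
            and m(rule["resources"], req.resource)
            and m(rule["verbs"], req.verb))


def _binding_applies(binding, req):
    for s in binding["subjects"]:
        if s["kind"] == "User" and s["name"] == req.user:
            return True
        if s["kind"] == "Group" and s["name"] in req.groups:
            return True
    return False


def authorize(req):
    """Return (allowed, reason): first matching bound rule allows, else deny."""
    for b in CLUSTER_ROLE_BINDINGS:
        if not _binding_applies(b, req):
            continue
        for rule in CLUSTER_ROLES.get(b["roleRef"], []):
            if _rule_matches(rule, req):
                return True, f"allowed by ClusterRoleBinding -> {b['roleRef']}"
    # Same wording shape as the Forbidden error quoted in the issue.
    return False, (f'User "{req.user}" cannot {req.verb} resource '
                   f'"{req.resource}" in API group "{req.api_group}" '
                   f'at the cluster scope')


def can_create_organization(as_user, as_groups=()):
    """Simulate `kubectl create --as=<user> [--as-group=<g>]` of an Organization."""
    user, groups = subject_from_headers(impersonation_headers(as_user, as_groups))
    return authorize(Request(user, groups, "create", "ibp.com", "organizations"))


if __name__ == "__main__":
    print(can_create_organization("org1admin"))                  # denied
    print(can_create_organization("org1admin", ["bestchains"]))  # allowed
```

The point for the test: in stock Kubernetes the apiserver does not look up group membership for an impersonated user, so whatever identity mapping the platform performs for real logins is bypassed by `--as` unless the groups are also supplied. A quick preflight in CI is `kubectl auth can-i create organizations.ibp.com --as=org1admin` with and without `--as-group`, which reports the same decision the model above computes.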

@bjwswang
Member Author

bjwswang commented Feb 9, 2023

well… this (no groups in user spec) is purposed.

@bjwswang
Member Author

bjwswang commented Feb 9, 2023

Obviously groups are not retrieved correctly in kubectl simulation. Maybe this is a bug in u4a.

@bjwswang
Member Author

bjwswang commented Feb 9, 2023

And I think we should assemble a real kubeconfig instead of simulation?

@Abirdcfly
Member

Abirdcfly commented Feb 10, 2023

After talking offline with nkwangleiGIT , I think we can merge #89 first, and then deal with the user identification problem in the test later.

Bug may come from the way we simulate in test, not u4a-system, or we should modify kube-api-server at installation time to use oidc-server.

@bjwswang bjwswang mentioned this issue Feb 10, 2023