// installComponents attempts to create pods to run installable images identified by the user. If an image
// is installable, we check whether it requires access to the user token. If so, the caller must have
// explicitly granted that access (because the token may be the user's).
func (c *AppConfig) installComponents(components app.ComponentReferences) ([]runtime.Object, string, error) {
if c.SkipGeneration {
return nil, "", nil
}
jobs := components.InstallableComponentRefs()
switch {
case len(jobs) > 1:
return nil, "", fmt.Errorf("only one installable component may be provided: %s", jobs.HumanString(", "))
case len(jobs) == 0:
return nil, "", nil
}
job := jobs[0]
if len(components) > 1 {
return nil, "", fmt.Errorf("%q is installable and may not be specified with other components", job.Input().Value)
}
input := job.Input()
imageRef, err := app.InputImageFromMatch(input.ResolvedMatch)
if err != nil {
return nil, "", fmt.Errorf("can't include %q: %v", input, err)
}
glog.V(4).Infof("Resolved match for installer %#v", input.ResolvedMatch)
imageRef.AsImageStream = false
imageRef.AsResolvedImage = true
name := c.Name
if len(name) == 0 {
var ok bool
name, ok = imageRef.SuggestName()
if !ok {
return nil, "", fmt.Errorf("can't suggest a valid name, please specify a name with --name")
}
}
imageRef.ObjectName = name
glog.V(4).Infof("Proposed installable image %#v", imageRef)
generatorInput := input.ResolvedMatch.GeneratorInput
if generatorInput.Token != nil && !c.AllowSecretUse || c.SecretAccessor == nil {
return nil, "", ErrRequiresExplicitAccess{*input.ResolvedMatch}
}
pod, secret, err := imageRef.InstallablePod(generatorInput, c.SecretAccessor)
if err != nil {
return nil, "", err
}
objects := []runtime.Object{pod}
if secret != nil {
objects = append(objects, secret)
}
for i := range objects {
outil.AddObjectAnnotations(objects[i], map[string]string{
GeneratedForJob: "true",
GeneratedForJobFor: input.String(),
})
}
return objects, name, nil
}
// installComponents attempts to create pods to run installable images identified by the user. If an image
// is installable, we check whether it requires access to the user token. If so, the caller must have
// explicitly granted that access (because the token may be the user's).
func (c *AppConfig) installComponents(components app.ComponentReferences, env app.Environment) ([]runtime.Object, string, error) {
if c.SkipGeneration {
return nil, "", nil
}
jobs := components.InstallableComponentRefs()
switch {
case len(jobs) > 1:
return nil, "", fmt.Errorf("only one installable component may be provided: %s", jobs.HumanString(", "))
case len(jobs) == 0:
return nil, "", nil
}
job := jobs[0]
if len(components) > 1 {
return nil, "", fmt.Errorf("%q is installable and may not be specified with other components", job.Input().Value)
}
input := job.Input()
imageRef, err := app.InputImageFromMatch(input.ResolvedMatch)
if err != nil {
return nil, "", fmt.Errorf("can't include %q: %v", input, err)
}
glog.V(4).Infof("Resolved match for installer %#v", input.ResolvedMatch)
imageRef.AsImageStream = false
imageRef.AsResolvedImage = true
imageRef.Env = env
name := c.Name
if len(name) == 0 {
var ok bool
name, ok = imageRef.SuggestName()
if !ok {
return nil, "", fmt.Errorf("can't suggest a valid name, please specify a name with --name")
}
}
imageRef.ObjectName = name
glog.V(4).Infof("Proposed installable image %#v", imageRef)
secretAccessor := c.SecretAccessor
generatorInput := input.ResolvedMatch.GeneratorInput
token := generatorInput.Token
if token != nil && !c.AllowSecretUse || secretAccessor == nil {
if !c.DryRun {
return nil, "", ErrRequiresExplicitAccess{Match: *input.ResolvedMatch, Input: generatorInput}
}
secretAccessor = &fakeSecretAccessor{token: "FAKE_TOKEN"}
}
objects := []runtime.Object{}
serviceAccountName := "installer"
if token != nil && token.ServiceAccount {
if _, err := c.KubeClient.ServiceAccounts(c.originNamespace).Get(serviceAccountName); err != nil {
if kerrors.IsNotFound(err) {
objects = append(objects,
// create a new service account
&kapi.ServiceAccount{ObjectMeta: kapi.ObjectMeta{Name: serviceAccountName}},
// grant the service account the edit role on the project (TODO: installer)
&authapi.RoleBinding{
ObjectMeta: kapi.ObjectMeta{Name: "installer-role-binding"},
Subjects: []kapi.ObjectReference{{Kind: "ServiceAccount", Name: serviceAccountName}},
RoleRef: kapi.ObjectReference{Name: "edit"},
},
)
}
}
}
pod, secret, err := imageRef.InstallablePod(generatorInput, secretAccessor, serviceAccountName)
if err != nil {
return nil, "", err
}
objects = append(objects, pod)
if secret != nil {
objects = append(objects, secret)
}
for i := range objects {
outil.AddObjectAnnotations(objects[i], map[string]string{
GeneratedForJob: "true",
GeneratedForJobFor: input.String(),
})
}
describeGeneratedJob(c.Out, job, pod, secret, c.originNamespace)
return objects, name, nil
}