func GetScopedClientForUser(adminClient *client.Client, clientConfig restclient.Config, username string, scopes []string) (*client.Client, *kclient.Client, *restclient.Config, error) {
// make sure the user exists
if _, _, _, err := GetClientForUser(clientConfig, username); err != nil {
return nil, nil, nil, err
}
user, err := adminClient.Users().Get(username)
if err != nil {
return nil, nil, nil, err
}
token := &oauthapi.OAuthAccessToken{
ObjectMeta: kapi.ObjectMeta{Name: fmt.Sprintf("%s-token-plus-some-padding-here-to-make-the-limit-%d", username, rand.Int())},
ClientName: origin.OpenShiftCLIClientID,
ExpiresIn: 86400,
Scopes: scopes,
RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit",
UserName: user.Name,
UserUID: string(user.UID),
}
if _, err := adminClient.OAuthAccessTokens().Create(token); err != nil {
return nil, nil, nil, err
}
scopedConfig := clientcmd.AnonymousClientConfig(&clientConfig)
scopedConfig.BearerToken = token.Name
kubeClient, err := kclient.New(&scopedConfig)
if err != nil {
return nil, nil, nil, err
}
osClient, err := client.New(&scopedConfig)
if err != nil {
return nil, nil, nil, err
}
return osClient, kubeClient, &scopedConfig, nil
}
func createProject(osClient *osclient.Client, clientConfig *restclient.Config, name string) (*sdnapi.NetNamespace, error) {
_, err := testserver.CreateNewProject(osClient, *clientConfig, name, name)
if err != nil {
return nil, fmt.Errorf("error creating project %q: %v", name, err)
}
backoff := utilwait.Backoff{
Duration: 100 * time.Millisecond,
Factor: 2,
Steps: 5,
}
var netns *sdnapi.NetNamespace
err = utilwait.ExponentialBackoff(backoff, func() (bool, error) {
netns, err = osClient.NetNamespaces().Get(name)
if kapierrors.IsNotFound(err) {
return false, nil
} else if err != nil {
return false, err
}
return true, nil
})
if err != nil {
return nil, fmt.Errorf("could not get NetNamepsace %q: %v", name, err)
}
return netns, nil
}
func describerMap(c *client.Client, kclient kclient.Interface, host string) map[string]kctl.Describer {
m := map[string]kctl.Describer{
"Build": &BuildDescriber{c, kclient},
"BuildConfig": &BuildConfigDescriber{c, host},
"BuildLog": &BuildLogDescriber{c},
"DeploymentConfig": NewDeploymentConfigDescriber(c, kclient),
"Identity": &IdentityDescriber{c},
"Image": &ImageDescriber{c},
"ImageStream": &ImageStreamDescriber{c},
"ImageStreamTag": &ImageStreamTagDescriber{c},
"ImageStreamImage": &ImageStreamImageDescriber{c},
"Route": &RouteDescriber{c},
"Project": &ProjectDescriber{c, kclient},
"Template": &TemplateDescriber{c, meta.NewAccessor(), kapi.Scheme, nil},
"Policy": &PolicyDescriber{c},
"PolicyBinding": &PolicyBindingDescriber{c},
"RoleBinding": &RoleBindingDescriber{c},
"Role": &RoleDescriber{c},
"ClusterPolicy": &ClusterPolicyDescriber{c},
"ClusterPolicyBinding": &ClusterPolicyBindingDescriber{c},
"ClusterRoleBinding": &ClusterRoleBindingDescriber{c},
"ClusterRole": &ClusterRoleDescriber{c},
"User": &UserDescriber{c},
"Group": &GroupDescriber{c.Groups()},
"UserIdentityMapping": &UserIdentityMappingDescriber{c},
}
return m
}
func getProjects(oClient *client.Client) ([]api.Project, error) {
projects, err := oClient.Projects().List(labels.Everything(), fields.Everything())
if err != nil {
return nil, err
}
return projects.Items, nil
}
func getTokenInfo(token string, osClient *osclient.Client) (string, *osintypes.InfoResponseData, error) {
osResult := osClient.Get().AbsPath("oauth", "info").Param("code", token).Do()
if osResult.Error() != nil {
return "", nil, fmt.Errorf("Error making info request: %v", osResult.Error())
}
body, err := osResult.Raw()
if err != nil {
return "", nil, fmt.Errorf("Error reading info response: %v\n", err)
}
glog.V(1).Infof("Raw JSON: %v\n", string(body))
var accessData osintypes.InfoResponseData
err = json.Unmarshal(body, &accessData)
if err != nil {
return "", nil, fmt.Errorf("Error while unmarshalling info response: %v %v", err, string(body))
}
if accessData.Error == "invalid_request" {
return "", nil, fmt.Errorf("\"%v\" is not a valid token.\n", token)
}
if len(accessData.ErrorDescription) != 0 {
return "", nil, fmt.Errorf("%v\n", accessData.ErrorDescription)
}
return string(body), &accessData, nil
}
// assignVNID, revokeVNID and updateVNID methods updates in-memory structs and persists etcd objects
func (vmap *masterVNIDMap) assignVNID(osClient *osclient.Client, nsName string) error {
vmap.lock.Lock()
defer vmap.lock.Unlock()
netid, exists, err := vmap.allocateNetID(nsName)
if err != nil {
return err
}
if !exists {
// Create NetNamespace Object and update vnid map
netns := &osapi.NetNamespace{
TypeMeta: unversioned.TypeMeta{Kind: "NetNamespace"},
ObjectMeta: kapi.ObjectMeta{Name: nsName},
NetName: nsName,
NetID: netid,
}
_, err := osClient.NetNamespaces().Create(netns)
if err != nil {
vmap.releaseNetID(nsName)
return err
}
}
return nil
}
func updateNetNamespace(osClient *osclient.Client, netns *sdnapi.NetNamespace, action sdnapi.PodNetworkAction, args string) (*sdnapi.NetNamespace, error) {
sdnapi.SetChangePodNetworkAnnotation(netns, action, args)
_, err := osClient.NetNamespaces().Update(netns)
if err != nil {
return nil, err
}
backoff := utilwait.Backoff{
Duration: 100 * time.Millisecond,
Factor: 2,
Steps: 5,
}
name := netns.Name
err = utilwait.ExponentialBackoff(backoff, func() (bool, error) {
netns, err = osClient.NetNamespaces().Get(name)
if err != nil {
return false, err
}
if _, _, err := sdnapi.GetChangePodNetworkAnnotation(netns); err == sdnapi.ErrorPodNetworkAnnotationNotFound {
return true, nil
} else {
return false, nil
}
})
if err != nil {
return nil, err
}
return netns, nil
}
func getProjects(oClient *client.Client) ([]api.Project, error) {
projects, err := oClient.Projects().List(kapi.ListOptions{})
if err != nil {
return nil, err
}
return projects.Items, nil
}
func runTemplate(c *k8sclient.Client, oc *oclient.Client, appToRun string, ns string, domain string, apiserver string, pv bool) {
util.Info("\n\nInstalling: ")
util.Successf("%s\n\n", appToRun)
typeOfMaster := util.TypeOfMaster(c)
if typeOfMaster == util.Kubernetes {
jsonData, format, err := loadTemplateData(ns, appToRun, c, oc)
if err != nil {
printError("Failed to load app "+appToRun, err)
}
createTemplate(jsonData, format, appToRun, ns, domain, apiserver, c, oc, pv)
} else {
tmpl, err := oc.Templates(ns).Get(appToRun)
if err != nil {
printError("Failed to load template "+appToRun, err)
}
util.Infof("Loaded template with %d objects", len(tmpl.Objects))
processTemplate(tmpl, ns, domain, apiserver)
objectCount := len(tmpl.Objects)
util.Infof("Creating "+appToRun+" template resources from %d objects\n", objectCount)
for _, o := range tmpl.Objects {
err = processItem(c, oc, &o, ns, pv)
}
}
}
// RunGarbageCollectorController starts generic garbage collection for the cluster.
func (c *MasterConfig) RunGarbageCollectorController(client *osclient.Client, config *restclient.Config) {
if !c.ControllerManager.EnableGarbageCollector {
return
}
groupVersionResources, err := client.Discovery().ServerPreferredResources()
if err != nil {
glog.Fatalf("Failed to get supported resources from server: %v", err)
}
config = restclient.AddUserAgent(config, "generic-garbage-collector")
config.ContentConfig.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: metaonly.NewMetadataCodecFactory()}
// TODO: needs to take GVR
metaOnlyClientPool := dynamic.NewClientPool(config, dynamic.LegacyAPIPathResolverFunc)
config.ContentConfig.NegotiatedSerializer = nil
// TODO: needs to take GVR
clientPool := dynamic.NewClientPool(config, dynamic.LegacyAPIPathResolverFunc)
garbageCollector, err := garbagecollector.NewGarbageCollector(metaOnlyClientPool, clientPool, groupVersionResources)
if err != nil {
glog.Fatalf("Failed to start the garbage collector: %v", err)
}
workers := int(c.ControllerManager.ConcurrentGCSyncs)
go garbageCollector.Run(workers, utilwait.NeverStop)
}
func validateAndGetNetworkPluginName(originClient *osclient.Client, pluginName string) (string, error) {
if sdnplugin.IsOpenShiftNetworkPlugin(pluginName) {
// Detect any plugin mismatches between node and master
clusterNetwork, err := originClient.ClusterNetwork().Get(sdnapi.ClusterNetworkDefault)
if kerrs.IsNotFound(err) {
return "", fmt.Errorf("master has not created a default cluster network, network plugin %q can not start", pluginName)
} else if err != nil {
return "", fmt.Errorf("cannot fetch %q cluster network: %v", sdnapi.ClusterNetworkDefault, err)
}
if clusterNetwork.PluginName != strings.ToLower(pluginName) {
if len(clusterNetwork.PluginName) != 0 {
return "", fmt.Errorf("detected network plugin mismatch between OpenShift node(%q) and master(%q)", pluginName, clusterNetwork.PluginName)
} else {
// Do not return error in this case
glog.Warningf(`either there is network plugin mismatch between OpenShift node(%q) and master or OpenShift master is running an older version where we did not persist plugin name`, pluginName)
}
}
} else if pluginName == "" {
// Auto detect network plugin configured by master
clusterNetwork, err := originClient.ClusterNetwork().Get(sdnapi.ClusterNetworkDefault)
if err == nil {
return clusterNetwork.PluginName, nil
}
}
return pluginName, nil
}
func describerMap(c *client.Client, kclient kclient.Interface, host string) map[unversioned.GroupKind]kctl.Describer {
m := map[unversioned.GroupKind]kctl.Describer{
buildapi.Kind("Build"): &BuildDescriber{c, kclient},
buildapi.Kind("BuildConfig"): &BuildConfigDescriber{c, host},
deployapi.Kind("DeploymentConfig"): &DeploymentConfigDescriber{c, kclient, nil},
authorizationapi.Kind("Identity"): &IdentityDescriber{c},
imageapi.Kind("Image"): &ImageDescriber{c},
imageapi.Kind("ImageStream"): &ImageStreamDescriber{c},
imageapi.Kind("ImageStreamTag"): &ImageStreamTagDescriber{c},
imageapi.Kind("ImageStreamImage"): &ImageStreamImageDescriber{c},
routeapi.Kind("Route"): &RouteDescriber{c, kclient},
projectapi.Kind("Project"): &ProjectDescriber{c, kclient},
templateapi.Kind("Template"): &TemplateDescriber{c, meta.NewAccessor(), kapi.Scheme, nil},
authorizationapi.Kind("Policy"): &PolicyDescriber{c},
authorizationapi.Kind("PolicyBinding"): &PolicyBindingDescriber{c},
authorizationapi.Kind("RoleBinding"): &RoleBindingDescriber{c},
authorizationapi.Kind("Role"): &RoleDescriber{c},
authorizationapi.Kind("ClusterPolicy"): &ClusterPolicyDescriber{c},
authorizationapi.Kind("ClusterPolicyBinding"): &ClusterPolicyBindingDescriber{c},
authorizationapi.Kind("ClusterRoleBinding"): &ClusterRoleBindingDescriber{c},
authorizationapi.Kind("ClusterRole"): &ClusterRoleDescriber{c},
oauthapi.Kind("OAuthAccessToken"): &OAuthAccessTokenDescriber{c},
userapi.Kind("User"): &UserDescriber{c},
userapi.Kind("Group"): &GroupDescriber{c.Groups()},
userapi.Kind("UserIdentityMapping"): &UserIdentityMappingDescriber{c},
quotaapi.Kind("ClusterResourceQuota"): &ClusterQuotaDescriber{c},
quotaapi.Kind("AppliedClusterResourceQuota"): &AppliedClusterQuotaDescriber{c},
}
return m
}
func getTemplates(c *oclient.Client, ns string) *tapi.TemplateList {
templates, err := c.Templates(ns).List(api.ListOptions{})
if err != nil {
util.Fatalf("No Templates found in namespace %s\n", ns)
}
return templates
}
func ensureNamespaceExists(c *k8sclient.Client, oc *oclient.Client, ns string) error {
typeOfMaster := util.TypeOfMaster(c)
if typeOfMaster == util.Kubernetes {
nss := c.Namespaces()
_, err := nss.Get(ns)
if err != nil {
// lets assume it doesn't exist!
util.Infof("Creating new Namespace: %s\n", ns)
entity := kapi.Namespace{
ObjectMeta: kapi.ObjectMeta{Name: ns},
}
_, err := nss.Create(&entity)
return err
}
} else {
_, err := oc.Projects().Get(ns)
if err != nil {
// lets assume it doesn't exist!
request := projectapi.ProjectRequest{
ObjectMeta: kapi.ObjectMeta{Name: ns},
}
util.Infof("Creating new Project: %s\n", ns)
_, err := oc.ProjectRequests().Create(&request)
return err
}
}
return nil
}
func createRoutesForDomain(ns string, domain string, c *k8sclient.Client, oc *oclient.Client, fac *cmdutil.Factory) error {
rc, err := c.Services(ns).List(labels.Everything())
if err != nil {
util.Errorf("Failed to load services in namespace %s with error %v", ns, err)
return err
}
items := rc.Items
for _, service := range items {
// TODO use the external load balancer as a way to know if we should create a route?
name := service.ObjectMeta.Name
if name != "kubernetes" {
routes := oc.Routes(ns)
_, err = routes.Get(name)
if err != nil {
hostName := name + "." + domain
route := rapi.Route{
ObjectMeta: kapi.ObjectMeta{
Name: name,
},
Host: hostName,
ServiceName: name,
}
// lets create the route
_, err = routes.Create(&route)
if err != nil {
util.Errorf("Failed to create the route %s with error %v", name, err)
return err
}
}
}
}
return nil
}
func getTemplates(c *oclient.Client, ns string) *tapi.TemplateList {
rc, err := c.Templates(ns).List(labels.Everything(), fields.Everything())
if err != nil {
util.Fatalf("No Templates found in namespace %s\n", ns)
}
return rc
}
func adminCan(client *osclient.Client, action authorizationapi.AuthorizationAttributes) (bool, error) {
if resp, err := client.SubjectAccessReviews().Create(&authorizationapi.SubjectAccessReview{Action: action}); err != nil {
return false, err
} else if resp.Allowed {
return true, nil
}
return false, nil
}
func getNetworkInfo(osClient *osclient.Client) (*NetworkInfo, error) {
cn, err := osClient.ClusterNetwork().Get(osapi.ClusterNetworkDefault)
if err != nil {
return nil, err
}
return parseNetworkInfo(cn.Network, cn.ServiceNetwork)
}
//checkKibana verifies the various integration points between Kibana and logging
func checkKibana(r types.DiagnosticResult, osClient *client.Client, kClient *kclient.Client, project string) {
oauthclient, err := osClient.OAuthClients().Get(kibanaProxyOauthClientName)
if err != nil {
r.Error("AGL0115", err, fmt.Sprintf("Error retrieving the OauthClient '%s': %s. Unable to check Kibana", kibanaProxyOauthClientName, err))
return
}
checkKibanaSecret(r, osClient, kClient, project, oauthclient)
checkKibanaRoutesInOauthClient(r, osClient, project, oauthclient)
}
func GetOpenShiftNetworkPlugin(osClient *osclient.Client) (string, bool, error) {
cn, err := osClient.ClusterNetwork().Get(api.ClusterNetworkDefault)
if err != nil {
if kerrors.IsNotFound(err) {
return "", false, nil
}
return "", false, err
}
return cn.PluginName, sdnapi.IsOpenShiftNetworkPlugin(cn.PluginName), nil
}
func validateTemplates(c *oclient.Client, f *cmdutil.Factory) (Result, error) {
ns, _, err := f.DefaultNamespace()
if err != nil {
return Failure, err
}
rc, err := c.Templates(ns).Get("management")
if rc != nil {
return Success, err
}
return Failure, err
}
// WaitForPolicyUpdate checks if the given client can perform the named verb and action.
// If PolicyCachePollTimeout is reached without the expected condition matching, an error is returned
func WaitForPolicyUpdate(c *client.Client, namespace, verb string, resource unversioned.GroupResource, allowed bool) error {
review := &authorizationapi.LocalSubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{Verb: verb, Group: resource.Group, Resource: resource.Resource}}
err := wait.Poll(PolicyCachePollInterval, PolicyCachePollTimeout, func() (bool, error) {
response, err := c.LocalSubjectAccessReviews(namespace).Create(review)
if err != nil {
return false, err
}
return response.Allowed == allowed, nil
})
return err
}
func (vmap *nodeVNIDMap) populateVNIDs(osClient *osclient.Client) error {
nets, err := osClient.NetNamespaces().List(kapi.ListOptions{})
if err != nil {
return err
}
for _, net := range nets.Items {
vmap.setVNID(net.Name, net.NetID)
}
return nil
}
func validateConsoleDeploymentConfig(c *oclient.Client, f *cmdutil.Factory) (Result, error) {
ns, _, err := f.DefaultNamespace()
if err != nil {
return Failure, err
}
rc, err := c.DeploymentConfigs(ns).Get("fabric8")
if rc != nil {
return Success, err
}
return Failure, err
}
func removeBuildStrategyRoleResources(t *testing.T, clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) {
// remove resources from role so that certain build strategies are forbidden
removeBuildStrategyPrivileges(t, clusterAdminClient.ClusterRoles(), bootstrappolicy.EditRoleName)
if err := testutil.WaitForPolicyUpdate(projectEditorClient, testutil.Namespace(), "create", authorizationapi.DockerBuildResource, false); err != nil {
t.Error(err)
}
removeBuildStrategyPrivileges(t, clusterAdminClient.ClusterRoles(), bootstrappolicy.AdminRoleName)
if err := testutil.WaitForPolicyUpdate(projectAdminClient, testutil.Namespace(), "create", authorizationapi.DockerBuildResource, false); err != nil {
t.Error(err)
}
}
func isDeploymentConfigAvailable(c *oclient.Client, ns string, name string) bool {
deployment, err := c.DeploymentConfigs(ns).Get(name)
if err != nil {
return false
}
if deployment.Status.Replicas == 0 {
return false
}
replicas := deployment.Status.Replicas
available := deployment.Status.AvailableReplicas
unavailable := deployment.Status.UnavailableReplicas
return unavailable == 0 && available > 0 && replicas > 0
}
func runBuildRunningPodDeleteTest(t *testing.T, clusterAdminClient *client.Client, clusterAdminKubeClient *kclient.Client) {
buildWatch, err := clusterAdminClient.Builds(testutil.Namespace()).Watch(labels.Everything(), fields.Everything(), "0")
if err != nil {
t.Fatalf("Couldn't subscribe to Builds %v", err)
}
defer buildWatch.Stop()
created, err := clusterAdminClient.Builds(testutil.Namespace()).Create(mockBuild())
if err != nil {
t.Fatalf("Couldn't create Build: %v", err)
}
podWatch, err := clusterAdminKubeClient.Pods(testutil.Namespace()).Watch(labels.Everything(), fields.Everything(), created.ResourceVersion)
if err != nil {
t.Fatalf("Couldn't subscribe to Pods %v", err)
}
defer podWatch.Stop()
// wait for initial build event from the creation of the imagerepo with tag latest
event := waitForWatch(t, "initial build added", buildWatch)
if e, a := watchapi.Added, event.Type; e != a {
t.Fatalf("expected watch event type %s, got %s", e, a)
}
newBuild := event.Object.(*buildapi.Build)
// initial pod creation for build
event = waitForWatch(t, "build pod created", podWatch)
if e, a := watchapi.Added, event.Type; e != a {
t.Fatalf("expected watch event type %s, got %s", e, a)
}
event = waitForWatch(t, "build updated to pending", buildWatch)
if e, a := watchapi.Modified, event.Type; e != a {
t.Fatalf("expected watch event type %s, got %s", e, a)
}
newBuild = event.Object.(*buildapi.Build)
if newBuild.Status.Phase != buildapi.BuildPhasePending {
t.Fatalf("expected build status to be marked pending, but was marked %s", newBuild.Status.Phase)
}
clusterAdminKubeClient.Pods(testutil.Namespace()).Delete(buildutil.GetBuildPodName(newBuild), kapi.NewDeleteOptions(0))
event = waitForWatch(t, "build updated to error", buildWatch)
if e, a := watchapi.Modified, event.Type; e != a {
t.Fatalf("expected watch event type %s, got %s", e, a)
}
newBuild = event.Object.(*buildapi.Build)
if newBuild.Status.Phase != buildapi.BuildPhaseError {
t.Fatalf("expected build status to be marked error, but was marked %s", newBuild.Status.Phase)
}
}
// WaitForPolicyUpdate checks if the given client can perform the named verb and action.
// If PolicyCachePollTimeout is reached without the expected condition matching, an error is returned
func WaitForPolicyUpdate(c *client.Client, namespace, verb, resource string, allowed bool) error {
review := &authorizationapi.SubjectAccessReview{Verb: verb, Resource: resource}
err := wait.Poll(PolicyCachePollInterval, PolicyCachePollTimeout, func() (bool, error) {
response, err := c.SubjectAccessReviews(namespace).Create(review)
if err != nil {
return false, err
}
if response.Allowed != allowed {
return false, nil
}
return true, nil
})
return err
}
func (vmap *masterVNIDMap) revokeVNID(osClient *osclient.Client, nsName string) error {
vmap.lock.Lock()
defer vmap.lock.Unlock()
// Delete NetNamespace object
if err := osClient.NetNamespaces().Delete(nsName); err != nil {
return err
}
if err := vmap.releaseNetID(nsName); err != nil {
return err
}
return nil
}
func loadTemplateData(ns string, templateName string, c *k8sclient.Client, oc *oclient.Client) ([]byte, string, error) {
typeOfMaster := util.TypeOfMaster(c)
if typeOfMaster == util.Kubernetes {
catalogName := "catalog-" + templateName
configMap, err := c.ConfigMaps(ns).Get(catalogName)
if err != nil {
return nil, "", err
}
for k, v := range configMap.Data {
if strings.LastIndex(k, ".json") >= 0 {
return []byte(v), "json", nil
}
if strings.LastIndex(k, ".yml") >= 0 || strings.LastIndex(k, ".yaml") >= 0 {
return []byte(v), "yaml", nil
}
}
return nil, "", fmt.Errorf("Could not find a key for the catalog %s which ends with `.json` or `.yml`", catalogName)
} else {
template, err := oc.Templates(ns).Get(templateName)
if err != nil {
return nil, "", err
}
data, err := json.Marshal(template)
return data, "json", err
}
return nil, "", nil
}