Squashed 'cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog/' changes from 8f07b7b..7e650e7

7e650e7 origin build: add origin tooling
f32eec2 unit test for ./pkg/rest/core/fake rest client, addresses #860 Test ready to be reviewed (#1113)
e388aee explicitly always prefer latest OSBAPI Version (#1138)
962429e Merge branch 'pr/1135'
b6ee7ef fix rbac
cb1beb9 Merge branch 'pr/1131'
ecc5c01 Update Code of Conduct (#1137)
e7c5ab3 address one more PR comment
ddcbbad address PR comments
652a83b fix test expectation to match the new error message for missing service class
33417cc address PR comments
565fccf Use the chart name instead of the namespace (#1102)
bc61919 Add new terminal failure binding condition (#1057)
4e642d5 Added more detailed instructions on how to setup the repo (#1114)
bdaea23 update unit tests (#1123)
88a9642 validate the apiserver options (#1116)
b0af5fc fix whitespace in the copyright section
dee796a generated type changes
ef585c4 Rename the directory from default to defaultservicename to conform to go style guide. Wire admission controller into the apiserver
0b5d6c6 add firewall troubleshooting section (#1040)
fd9e6bc Fix Typo in Events Code of Conduct (#1126)
ebe6506 Fix Typo in Terminology (#1128)
0038b1e Merge branch 'pr/1122'
8411f31 make deprovisioning an instance asynchronously not fall-through to synchronous deprovision (#1067)
76c1d93 handle failures from list and test the not ready condition, cleanup
9241296 finish unit tests, passing
ed75774 Minor fixes based on go report card
9911e8d Add GoReport Widget (#1121)
dd24e5c clean up old cruft
08276c6 generated file changes
6489d90 Implement the default plan in admission controller
a6bb576 Code: Instance/Binding parameters from secret (#1079)
10bb148 Update generated files (#1115)
5291e6f v0.0.15 (#1118)
28a1ea6 Merge branch 'pr/1104'
bb4a2d2 Merge branch 'pr/1097'
1c14a90 push all arch images on release tags (#1108)
b587b2c Improve log output for deprovision
8887561 Remove PodPreset embedding from Binding (#1030)
1abdcc8 Adjust helm/tiller installation instructions (#1091)
f636f99 only skip tls verify if not behind the aggregator (#1101)
43b40ab controller_broker unit test bullet-proofing #1077 (#1099)
bb596b8 Use data store instead of database (#1100)
04fa477 Implementation: Support for Bearer token auth between Service Catalog and brokers (#1053)
9e46d3c refactor Jenkins e2e tests (#1082)
1f0a41e remove old/misleading comments about only doing soft delete if it's "our turn--" i.e. only if the finalizer we care about is at the head of the finalizers list.
5c1d9b8 Update OSB client (#1085)
a6e80ea Only do work for instances from a single queue (#1074)
2bd85d6 Merge branch 'pr/1076'
e324287 Tweaks to the walkthrough for local-up-cluster
d8b7899 Add a note to the walkthrough about getting bindings when using the aggregator (#1078)
ea44cf1 msg on Environment Variables to set for e2e (#1070)
d15554a Merge branch 'pr/1017'
faf966e Add comment re: async race condition in integration tests
ed2e096 v0.0.14 (#1071)
fc84ffd more PR feedback
283bed4 Add integration tests and some error checking; PR feedback
903a7a7 Add terminal condition for instance and do not retry failed provisions
REVERT: 8f07b7b origin: add required patches

git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog
git-subtree-split: 7e650e7e39c3fc79a8ecc061cce2a70e899406ff

Author: Jeff Peeler

Jenkinsfile

@@ -110,15 +110,15 @@ node {
 
       // Run through the walkthrough on the cluster, once with an etcd-backed API server and once
       // with a TPR-backed one.
-      sh """${env.ROOT}/contrib/hack/test_walkthrough.sh \
+      sh """${env.ROOT}/contrib/jenkins/test_walkthrough.sh \
             --registry gcr.io/${test_project}/catalog/ \
             --version ${version} \
             --cleanup \
             --fix-auth \
             --create-artifacts
       """
 
-      sh """${env.ROOT}/contrib/hack/test_walkthrough.sh \
+      sh """${env.ROOT}/contrib/jenkins/test_walkthrough.sh \
             --registry gcr.io/${test_project}/catalog/ \
             --version ${version} \
             --with-tpr \

Makefile

@@ -214,7 +214,7 @@ $(BINDIR)/e2e.test: .init
 .PHONY: verify verify-client-gen
 verify: .init .generate_files verify-client-gen
 	@echo Running gofmt:
-	@$(DOCKER_CMD) gofmt -l -s $(TOP_SRC_DIRS) > .out 2>&1 || true
+	@$(DOCKER_CMD) gofmt -l -s $(TOP_TEST_DIRS) $(TOP_SRC_DIRS) &> .out || true
 	@bash -c '[ "`cat .out`" == "" ] || \
 	  (echo -e "\n*** Please 'gofmt' the following:" ; cat .out ; echo ; false)'
 	@rm .out

ORIGIN-SYNC-README.txt

@@ -0,0 +1,34 @@
+This is a how-to for syncing the latest code from service-catalog and merging
+it into the openshift/origin repository.
+
+Prerequisite setup:
+- git clone of service-catalog repo from https://github.com/kubernetes-incubator/service-catalog.git
+- $ git remote add openshift [email protected]:openshift/service-catalog.git
+- ensure there aren't any patches in the openshift/origin repo that need to be
+  put in the openshift/service-catalog:origin-patches branch (git log
+  cmd/service-catalog)
+
+If patches need bringing over from openshift/origin, put them in the
+service-catalog:origin-patches branch. Then squash all the changes into the
+service-catalog:origin-patches-squashed branch. The reason this is important
+to do is because once the subtree merge is performed, anything under
+cmd/service-catalog/... will be overwritten. Also, make sure to rebase the
+origin-patches branch as needed.
+
+# syncs the openshift/service-catalog repo with the upstream tag
+# (in service-catalog repo)
+$ TAG=v0.0.10
+$ git pull origin
+$ git push openshift $TAG
+
+# updates code to latest tag and adds origin patches on top
+# (in service-catalog repo)
+$ git branch $TAG $TAG+origin
+$ git checkout $TAG+origin
+$ git cherry-pick <sha of origin-patches-squashed>
+$ git push openshift
+
+# pulls in code from openshift/service-catalog repo into OpenShift
+# (in origin repo)
+$ git pull
+$ git subtree pull --prefix cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog https://github.com/openshift/service-catalog $TAG+origin --squash -m "Merge version $TAG of Service Catalog from https://github.com/openshift/service-catalog:$TAG+origin"

README.md

@@ -2,6 +2,7 @@
 
 [![Build Status](https://travis-ci.org/kubernetes-incubator/service-catalog.svg?branch=master)](https://travis-ci.org/kubernetes-incubator/service-catalog "Travis")
 [![Build Status](https://service-catalog-jenkins.appspot.com/buildStatus/icon?job=service-catalog-master-testing)](https://service-catalog-jenkins.appspot.com/job/service-catalog-master-testing/ "Jenkins")
+[![Go Report Card](https://goreportcard.com/badge/github.com/kubernetes-incubator/service-catalog)](https://goreportcard.com/report/github.com/kubernetes-incubator/service-catalog)
 
 ### Introduction
 

charts/catalog/README.md

@@ -39,7 +39,7 @@ chart and their default values.
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
-| `apiserver.image` | apiserver image to use | `quay.io/kubernetes-service-catalog/apiserver:v0.0.13` |
+| `apiserver.image` | apiserver image to use | `quay.io/kubernetes-service-catalog/apiserver:v0.0.15` |
 | `apiserver.imagePullPolicy` | `imagePullPolicy` for the apiserver | `Always` |
 | `apiserver.tls.cert` | Base64-encoded x509 certificate | A self-signed certificate |
 | `apiserver.tls.key` | Base64-encoded private key | The private key for the certificate above |
@@ -53,7 +53,7 @@ chart and their default values.
 | `apiserver.storage.tpr.globalNamespace` | If storage type is `tpr`: Some service catalog resources are not namespaced, but third party resources must be; setting this designates a namespace that will be treated as a container for such resources | `servicecatalog` |
 | `apiserver.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
 | `apiserver.auth.enabled` | Enable authentication and authorization | `false` |
-| `controllerManager.image` | controller-manager image to use | `quay.io/kubernetes-service-catalog/controller-manager:v0.0.13` |
+| `controllerManager.image` | controller-manager image to use | `quay.io/kubernetes-service-catalog/controller-manager:v0.0.15` |
 | `controllerManager.imagePullPolicy` | `imagePullPolicy` for the controller-manager | `Always` |
 | `controllerManager.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
 | `controllerManager.resyncInterval` | How often the controller should resync informers; duration format (`20m`, `1h`, etc) | `5m` |

charts/catalog/templates/apiserver-deployment.yaml

@@ -38,7 +38,7 @@ spec:
         - {{ .Values.apiserver.audit.logPath }}
         {{- end}}
         - --admission-control
-        - "KubernetesNamespaceLifecycle"
+        - "KubernetesNamespaceLifecycle,DefaultServicePlan"
         - --secure-port
         - "8443"
         - --storage-type

charts/catalog/templates/controller-manager-deployment.yaml

@@ -55,7 +55,9 @@ spec:
         - --service-catalog-api-server-url
         - https://{{ template "fullname" . }}-apiserver
         {{- end }}
+        {{ if and (.Values.controllerManager.apiserverSkipVerify) (not .Values.useAggregator) -}}
         - "--service-catalog-insecure-skip-verify=true"
+        {{- end }}
         - -v
         - "{{ .Values.controllerManager.verbosity }}"
         - --resync-interval

charts/catalog/templates/rbac.yaml

@@ -114,7 +114,7 @@ items:
 - apiVersion: rbac.authorization.k8s.io/v1beta1
   kind: Role
   metadata:
-    name: "servicecatalog.k8s.io::leader-locking-controller-manager"
+    name: "servicecatalog.k8s.io:leader-locking-controller-manager"
     namespace: kube-system
   rules:
   - apiGroups: [""]
@@ -132,7 +132,7 @@ items:
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
-    name: service-catalog-controller-manager
+    name: "servicecatalog.k8s.io:leader-locking-controller-manager"
   subjects:
   - apiGroup: ""
     kind: ServiceAccount

charts/catalog/values.yaml

@@ -1,7 +1,9 @@
 # Default values for Service Catalog
+# determines whether the API server should be registered with the kube-aggregator
+useAggregator: false
 apiserver:
   # apiserver image to use
-  image: quay.io/kubernetes-service-catalog/apiserver:v0.0.13
+  image: quay.io/kubernetes-service-catalog/apiserver:v0.0.15
   # imagePullPolicy for the apiserver; valid values are "IfNotPresent",
   # "Never", and "Always"
   imagePullPolicy: Always
@@ -70,7 +72,7 @@ apiserver:
   serviceAccount: service-catalog-apiserver
 controllerManager:
   # controller-manager image to use
-  image: quay.io/kubernetes-service-catalog/controller-manager:v0.0.13
+  image: quay.io/kubernetes-service-catalog/controller-manager:v0.0.15
   # imagePullPolicy for the controller-manager; valid values are
   # "IfNotPresent", "Never", and "Always"
   imagePullPolicy: Always
@@ -93,4 +95,5 @@ controllerManager:
     # Whether the controller has option to set leader election namespace.
     activated: false
   serviceAccount: service-catalog-controller-manager
-useAggregator: false
+  # Controls whether the API server's TLS verification should be skipped.
+  apiserverSkipVerify: true

charts/ups-broker/README.md

@@ -34,7 +34,7 @@ Service Broker
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
-| `image` | Image to use | `quay.io/kubernetes-service-catalog/user-broker:v0.0.13` |
+| `image` | Image to use | `quay.io/kubernetes-service-catalog/user-broker:v0.0.15` |
 | `imagePullPolicy` | `imagePullPolicy` for the ups-broker | `Always` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to

charts/ups-broker/values.yaml

@@ -1,5 +1,5 @@
 # Default values for User-Provided Service Broker
 # Image to use
-image: quay.io/kubernetes-service-catalog/user-broker:v0.0.13
+image: quay.io/kubernetes-service-catalog/user-broker:v0.0.15
 # ImagePullPolicy; valid values are "IfNotPresent", "Never", and "Always"
 imagePullPolicy: Always

cmd/apiserver/app/plugins.go

@@ -22,4 +22,5 @@ package app
 import (
 	// Admission policies
 	_ "github.com/kubernetes-incubator/service-catalog/plugin/pkg/admission/namespace/lifecycle"
+	_ "github.com/kubernetes-incubator/service-catalog/plugin/pkg/admission/serviceplan/defaultserviceplan"
 )

cmd/apiserver/app/server/options.go

@@ -19,8 +19,10 @@ package server
 import (
 	"os"
 
+	"github.com/golang/glog"
 	"github.com/kubernetes-incubator/service-catalog/pkg/registry/servicecatalog/server"
 	"github.com/spf13/pflag"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	genericserveroptions "k8s.io/apiserver/pkg/server/options"
 )
 
@@ -52,6 +54,21 @@ type ServiceCatalogServerOptions struct {
 	StandaloneMode bool
 }
 
+// NewServiceCatalogServerOptions creates a new instances of
+// ServiceCatalogServerOptions with all sub-options filled in.
+func NewServiceCatalogServerOptions() *ServiceCatalogServerOptions {
+	return &ServiceCatalogServerOptions{
+		GenericServerRunOptions: genericserveroptions.NewServerRunOptions(),
+		AdmissionOptions:        genericserveroptions.NewAdmissionOptions(),
+		SecureServingOptions:    genericserveroptions.NewSecureServingOptions(),
+		AuthenticationOptions:   genericserveroptions.NewDelegatingAuthenticationOptions(),
+		AuthorizationOptions:    genericserveroptions.NewDelegatingAuthorizationOptions(),
+		AuditOptions:            genericserveroptions.NewAuditOptions(),
+		EtcdOptions:             NewEtcdOptions(),
+		TPROptions:              NewTPROptions(),
+	}
+}
+
 func (s *ServiceCatalogServerOptions) addFlags(flags *pflag.FlagSet) {
 	flags.StringVar(
 		&s.StorageTypeString,
@@ -83,6 +100,32 @@ func (s *ServiceCatalogServerOptions) StorageType() (server.StorageType, error)
 	return server.StorageTypeFromString(s.StorageTypeString)
 }
 
+// Validate checks all subOptions flags have been set and that they
+// have not been set in a conflictory manner.
+func (s *ServiceCatalogServerOptions) Validate() error {
+	errors := []error{}
+	// TODO uncomment after 1.8 rebase expecting
+	// https://github.com/kubernetes/kubernetes/pull/50308/files
+	// errors = append(errors, s.AdmissionOptions.Validate()...)
+	errors = append(errors, s.SecureServingOptions.Validate()...)
+	errors = append(errors, s.AuthenticationOptions.Validate()...)
+	errors = append(errors, s.AuthorizationOptions.Validate()...)
+	// etcd options
+	if "etcd" == s.StorageTypeString {
+		etcdErrs := s.EtcdOptions.Validate()
+		if len(etcdErrs) > 0 {
+			glog.Errorln("Error validating etcd options, do you have `--etcd-servers localhost` set?")
+		}
+		errors = append(errors, etcdErrs...)
+	}
+	// TODO add alternative storage validation
+	// errors = append(errors, s.TPROptions.Validate()...)
+	// TODO uncomment after 1.8 rebase expecting
+	// https://github.com/kubernetes/kubernetes/pull/47043
+	// errors = append(errors, s.AuditOptions.Validate()...)
+	return utilerrors.NewAggregate(errors)
+}
+
 // standaloneMode returns true if the env var SERVICE_CATALOG_STANALONE=true
 // If enabled, we will assume no integration with Kubernetes API server is performed.
 // It is intended for testing purposes only.

cmd/apiserver/app/server/run_server.go

@@ -43,6 +43,12 @@ func RunServer(opts *ServiceCatalogServerOptions) error {
 		if there is a need to stop the API server */
 		opts.StopCh = make(chan struct{})
 	}
+
+	err = opts.Validate()
+	if nil != err {
+		return err
+	}
+
 	if storageType == server.StorageTypeTPR {
 		return runTPRServer(opts)
 	}
@@ -102,12 +108,6 @@ func runEtcdServer(opts *ServiceCatalogServerOptions) error {
 		return err
 	}
 
-	// etcd options
-	if errs := etcdOpts.Validate(); len(errs) > 0 {
-		glog.Errorln("Error validating etcd options, do you have `--etcd-servers localhost` set?")
-		return errs[0]
-	}
-
 	glog.V(4).Infoln("Creating storage factory")
 
 	// The API server stores objects using a particular API version for each

cmd/apiserver/app/server/run_server_test.go

@@ -29,7 +29,7 @@ import (
 
 // make sure RunServer returns with an error when TPR fails to install
 func TestRunServerInstallTPRFails(t *testing.T) {
-	options := &ServiceCatalogServerOptions{}
+	options := NewServiceCatalogServerOptions()
 
 	fakeClientset := &kubeclientfake.Clientset{}
 	fakeClientset.AddReactor("get", "thirdpartyresources", func(core.Action) (bool, runtime.Object, error) {

cmd/apiserver/app/server/server.go

@@ -25,6 +25,7 @@ import (
 	"github.com/kubernetes-incubator/service-catalog/pkg"
 	"github.com/kubernetes-incubator/service-catalog/pkg/registry/servicecatalog/server"
 	"github.com/kubernetes-incubator/service-catalog/plugin/pkg/admission/namespace/lifecycle"
+	"github.com/kubernetes-incubator/service-catalog/plugin/pkg/admission/serviceplan/defaultserviceplan"
 	"github.com/spf13/cobra"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/admission"
@@ -135,4 +136,5 @@ func NewCommandServer(
 // registerAllAdmissionPlugins registers all admission plugins
 func registerAllAdmissionPlugins(plugins *admission.Plugins) {
 	lifecycle.Register(plugins)
+	defaultserviceplan.Register(plugins)
 }

cmd/controller-manager/app/options/options.go

@@ -50,7 +50,7 @@ const (
 	defaultLeaderElectionNamespace      = "kube-system"
 )
 
-var defaultOSBAPIPreferredVersion = osb.Version2_12().HeaderValue()
+var defaultOSBAPIPreferredVersion = osb.LatestAPIVersion().HeaderValue()
 
 // NewControllerManagerServer creates a new ControllerManagerServer with a
 // default config.

code-of-conduct.md

@@ -52,7 +52,7 @@ The Kubernetes team does not condone any statements by speakers contrary to thes
 team reserves the right to deny entrance and/or eject from an event (without refund) any individual found to
 be engaging in discriminatory or offensive speech or actions.
 
-Please bring any concerns to to the immediate attention of Kubernetes event staff
+Please bring any concerns to the immediate attention of Kubernetes event staff.
 
 
 [![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/code-of-conduct.md?pixel)]()

contrib/examples/apiserver/broker.yaml

@@ -4,10 +4,13 @@ metadata:
   name: test-broker
 spec:
   url: http://beefco.de
-  # put the basic auth for the broker in a secret, and reference the secret here.
-  # service-catalog will use the contents of the secret. The secret should have "username"
-  # and "password" keys
+  # Put the basic auth for the broker in a secret, and reference the secret here.
+  # Service Catalog will use the contents of the secret. The secret should have "username"
+  # and "password" keys.
+  # Alternatively you can use bearer token auth for which the secret should have a
+  # "token" key with bearer token.
   authInfo:
-    basicAuthSecret:
-      namespace: some-namespace
-      name: secret-name
+    basic:
+      secretRef:
+        namespace: some-namespace
+        name: secret-name

contrib/examples/walkthrough/ups-binding-pp.yaml

@@ -0,0 +1,11 @@
+apiVersion: servicecatalog.k8s.io/v1alpha1
+kind: Instance
+metadata:
+  name: ups-instance-default
+  namespace: test-ns
+spec:
+  serviceClassName: user-provided-service
+  parameters:
+    credentials:
+      name: root
+      password: letmein