handle multiple names for docker registry

Author: deads2k

pkg/cmd/server/origin/run_components.go

@@ -155,16 +155,17 @@ func (c *MasterConfig) RunServiceAccountPullSecretsControllers() {
 	serviceaccountcontrollers.NewDockercfgDeletedController(c.KubeClient(), serviceaccountcontrollers.DockercfgDeletedControllerOptions{}).Run()
 	serviceaccountcontrollers.NewDockercfgTokenDeletedController(c.KubeClient(), serviceaccountcontrollers.DockercfgTokenDeletedControllerOptions{}).Run()
 
-	dockercfgController := serviceaccountcontrollers.NewDockercfgController(c.KubeClient(), serviceaccountcontrollers.DockercfgControllerOptions{DefaultDockerURL: serviceaccountcontrollers.DefaultOpenshiftDockerURL})
+	dockerURLsIntialized := make(chan struct{})
+	dockercfgController := serviceaccountcontrollers.NewDockercfgController(c.KubeClient(), serviceaccountcontrollers.DockercfgControllerOptions{DockerURLsIntialized: dockerURLsIntialized})
 	go dockercfgController.Run(5, utilwait.NeverStop)
 
 	dockerRegistryControllerOptions := serviceaccountcontrollers.DockerRegistryServiceControllerOptions{
-		RegistryNamespace:   "default",
-		RegistryServiceName: "docker-registry",
-		DockercfgController: dockercfgController,
-		DefaultDockerURL:    serviceaccountcontrollers.DefaultOpenshiftDockerURL,
+		RegistryNamespace:    "default",
+		RegistryServiceName:  "docker-registry",
+		DockercfgController:  dockercfgController,
+		DockerURLsIntialized: dockerURLsIntialized,
 	}
-	serviceaccountcontrollers.NewDockerRegistryServiceController(c.KubeClient(), dockerRegistryControllerOptions).Run()
+	go serviceaccountcontrollers.NewDockerRegistryServiceController(c.KubeClient(), dockerRegistryControllerOptions).Run(10, make(chan struct{}))
 }
 
 // RunPolicyCache starts the policy cache

pkg/serviceaccounts/controllers/create_dockercfg_secrets.go

@@ -29,6 +29,10 @@ import (
 const (
 	ServiceAccountTokenSecretNameKey = "openshift.io/token-secret.name"
 	MaxRetriesBeforeResync           = 5
+
+	// ServiceAccountTokenValueAnnotation stores the actual value of the token so that a dockercfg secret can be
+	// made without having a value dockerURL
+	ServiceAccountTokenValueAnnotation = "openshift.io/token-secret.value"
 )
 
 // DockercfgControllerOptions contains options for the DockercfgController
@@ -37,14 +41,16 @@ type DockercfgControllerOptions struct {
 	// If zero, re-list will be delayed as long as possible
 	Resync time.Duration
 
-	DefaultDockerURL string
+	// DockerURLsIntialized is used to send a signal to this controller that it has the correct set of docker urls
+	DockerURLsIntialized chan struct{}
 }
 
 // NewDockercfgController returns a new *DockercfgController.
 func NewDockercfgController(cl client.Interface, options DockercfgControllerOptions) *DockercfgController {
 	e := &DockercfgController{
-		client: cl,
-		queue:  workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+		client:               cl,
+		queue:                workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+		dockerURLsIntialized: options.DockerURLsIntialized,
 	}
 
 	var serviceAccountCache cache.Store
@@ -76,7 +82,6 @@ func NewDockercfgController(cl client.Interface, options DockercfgControllerOpti
 
 	e.serviceAccountCache = NewEtcdMutationCache(serviceAccountCache)
 	e.syncHandler = e.syncServiceAccount
-	e.dockerURL = options.DefaultDockerURL
 
 	return e
 }
@@ -85,8 +90,9 @@ func NewDockercfgController(cl client.Interface, options DockercfgControllerOpti
 type DockercfgController struct {
 	client client.Interface
 
-	dockerURL     string
-	dockerURLLock sync.Mutex
+	dockerURLs           []string
+	dockerURLLock        sync.Mutex
+	dockerURLsIntialized chan struct{}
 
 	serviceAccountCache      MutationCache
 	serviceAccountController *framework.Controller
@@ -99,16 +105,30 @@ type DockercfgController struct {
 
 func (e *DockercfgController) Run(workers int, stopCh <-chan struct{}) {
 	defer utilruntime.HandleCrash()
-	go e.serviceAccountController.Run(stopCh)
-	for i := 0; i < workers; i++ {
-		go wait.Until(e.worker, time.Second, stopCh)
-	}
+	go e.waitForDockerURLs(workers, stopCh)
 
 	<-stopCh
 	glog.Infof("Shutting down dockercfg secret controller")
 	e.queue.ShutDown()
 }
 
+// waitForDockerURLs blocks until the dockerURLs are ready for use.  Otherwise, we'll create a bunch of useless dockercfg secrets
+func (e *DockercfgController) waitForDockerURLs(workers int, stopCh <-chan struct{}) {
+	defer utilruntime.HandleCrash()
+
+	// wait for the initialization to complete to be informed of a stop
+	select {
+	case <-e.dockerURLsIntialized:
+	case <-stopCh:
+		return
+	}
+
+	go e.serviceAccountController.Run(stopCh)
+	for i := 0; i < workers; i++ {
+		go wait.Until(e.worker, time.Second, stopCh)
+	}
+}
+
 func (e *DockercfgController) enqueueServiceAccount(serviceAccount *api.ServiceAccount) {
 	if !needsDockercfgSecret(serviceAccount) {
 		return
@@ -160,14 +180,15 @@ func (e *DockercfgController) worker_inner() bool {
 	return true
 }
 
-func (e *DockercfgController) SetDockerURL(newDockerURL string) {
+func (e *DockercfgController) SetDockerURLs(newDockerURLs ...string) {
 	e.dockerURLLock.Lock()
 	defer e.dockerURLLock.Unlock()
 
-	e.dockerURL = newDockerURL
+	e.dockerURLs = newDockerURLs
 }
 
 func needsDockercfgSecret(serviceAccount *api.ServiceAccount) bool {
+
 	mountableDockercfgSecrets, imageDockercfgPullSecrets := getGeneratedDockercfgSecretNames(serviceAccount)
 
 	// look for an ImagePullSecret in the form
@@ -328,9 +349,10 @@ func (e *DockercfgController) createDockerPullSecret(serviceAccount *api.Service
 			Name:      secret.Strategy.GenerateName(osautil.GetDockercfgSecretNamePrefix(serviceAccount)),
 			Namespace: tokenSecret.Namespace,
 			Annotations: map[string]string{
-				api.ServiceAccountNameKey:        serviceAccount.Name,
-				api.ServiceAccountUIDKey:         string(serviceAccount.UID),
-				ServiceAccountTokenSecretNameKey: string(tokenSecret.Name),
+				api.ServiceAccountNameKey:          serviceAccount.Name,
+				api.ServiceAccountUIDKey:           string(serviceAccount.UID),
+				ServiceAccountTokenSecretNameKey:   string(tokenSecret.Name),
+				ServiceAccountTokenValueAnnotation: string(tokenSecret.Data[api.ServiceAccountTokenKey]),
 			},
 		},
 		Type: api.SecretTypeDockercfg,
@@ -341,14 +363,15 @@ func (e *DockercfgController) createDockerPullSecret(serviceAccount *api.Service
 	e.dockerURLLock.Lock()
 	defer e.dockerURLLock.Unlock()
 
-	dockercfg := &credentialprovider.DockerConfig{
-		e.dockerURL: credentialprovider.DockerConfigEntry{
+	dockercfg := credentialprovider.DockerConfig{}
+	for _, dockerURL := range e.dockerURLs {
+		dockercfg[dockerURL] = credentialprovider.DockerConfigEntry{
 			Username: "serviceaccount",
 			Password: string(tokenSecret.Data[api.ServiceAccountTokenKey]),
 			Email:    "[email protected]",
-		},
+		}
 	}
-	dockercfgContent, err := json.Marshal(dockercfg)
+	dockercfgContent, err := json.Marshal(&dockercfg)
 	if err != nil {
 		return nil, err
 	}