Merge pull request #15226 from liggitt/aggregator-registration

OpenShift Bot · web-flow · commit 9ae8fcea8f12 · 2017-07-17T17:34:28.000-04:00
Merged by openshift-bot
diff --git a/pkg/cmd/server/origin/aggregator.go b/pkg/cmd/server/origin/aggregator.go
@@ -34,11 +34,9 @@ import (
 	"k8s.io/apiserver/pkg/server/healthz"
 	kubeclientset "k8s.io/client-go/kubernetes"
 	"k8s.io/kube-aggregator/pkg/apis/apiregistration"
-	"k8s.io/kube-aggregator/pkg/apis/apiregistration/install"
 	aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver"
 	apiregistrationclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/internalclientset/typed/apiregistration/internalversion"
 	"k8s.io/kube-aggregator/pkg/controllers/autoregister"
-	kapi "k8s.io/kubernetes/pkg/api"
 	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
 )
 
@@ -52,8 +50,10 @@ func (c *MasterConfig) createAggregatorConfig(kubeAPIServerConfig genericapiserv
 	genericConfig.OpenAPIConfig = nil
 	genericConfig.SwaggerConfig = nil
 
+	// This depends on aggregator types being registered into the kapi.Scheme, which is currently done in Start() to avoid concurrent scheme modification
+	//
 	// install our types into the scheme so that "normal" RESTOptionsGetters can work for us
-	install.Install(kapi.GroupFactoryRegistry, kapi.Registry, kapi.Scheme)
+	// install.Install(kapi.GroupFactoryRegistry, kapi.Registry, kapi.Scheme)
 
 	client, err := kubeclientset.NewForConfig(genericConfig.LoopbackClientConfig)
 	if err != nil {
diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go
@@ -23,6 +23,8 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	utilwait "k8s.io/apimachinery/pkg/util/wait"
+	aggregatorinstall "k8s.io/kube-aggregator/pkg/apis/apiregistration/install"
+	kapi "k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/capabilities"
 	kinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/externalversions"
 	"k8s.io/kubernetes/pkg/cloudprovider"
@@ -402,6 +404,13 @@ func (m *Master) Start() error {
 		return fmt.Errorf("KubernetesMasterConfig is required to start this server - use of external Kubernetes is no longer supported.")
 	}
 
+	if len(m.config.AggregatorConfig.ProxyClientInfo.KeyFile) > 0 {
+		// install aggregator types into the scheme so that "normal" RESTOptionsGetters can work for us.
+		// done in Start() prior to doing any other initialization so we don't mutate the scheme after it is being used by clients in other goroutines.
+		// TODO: make scheme threadsafe and do this as part of aggregator config building
+		aggregatorinstall.Install(kapi.GroupFactoryRegistry, kapi.Registry, kapi.Scheme)
+	}
+
 	// we have a strange, optional linkage from controllers to the API server regarding the plug.  In the end, this should be structured
 	// as a separate API server which can be chained as a delegate
 	var controllerPlug plug.Plug
diff --git a/test/integration/aggregator_test.go b/test/integration/aggregator_test.go
@@ -0,0 +1,124 @@
+package integration
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apiregistrationclientset "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"
+
+	"github.com/openshift/origin/pkg/cmd/server/admin"
+	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	projectclientset "github.com/openshift/origin/pkg/project/generated/clientset"
+	testutil "github.com/openshift/origin/test/util"
+	testserver "github.com/openshift/origin/test/util/server"
+)
+
+func TestAggregator(t *testing.T) {
+	testutil.RequireEtcd(t)
+	defer testutil.DumpEtcdOnFailure(t)
+
+	masterConfig, err := testserver.DefaultMasterOptions()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Set up the aggregator ca and proxy cert
+	caDir, err := ioutil.TempDir("", "aggregator-ca")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		os.Remove(caDir)
+	}()
+	signerOptions := &admin.CreateSignerCertOptions{
+		Name:       "aggregator-proxy-ca",
+		CertFile:   filepath.Join(caDir, "aggregator-proxy-ca.crt"),
+		KeyFile:    filepath.Join(caDir, "aggregator-proxy-ca.key"),
+		SerialFile: filepath.Join(caDir, "aggregator-proxy-ca.serial"),
+		Output:     ioutil.Discard,
+	}
+	if _, err := signerOptions.CreateSignerCert(); err != nil {
+		t.Fatal(err)
+	}
+	proxyClientOptions := &admin.CreateClientCertOptions{
+		SignerCertOptions: &admin.SignerCertOptions{
+			CertFile:   signerOptions.CertFile,
+			KeyFile:    signerOptions.KeyFile,
+			SerialFile: signerOptions.SerialFile,
+		},
+		CertFile: filepath.Join(caDir, "aggregator-proxy.crt"),
+		KeyFile:  filepath.Join(caDir, "aggregator-proxy.key"),
+		User:     "aggregator-proxy",
+	}
+	if _, err := proxyClientOptions.CreateClientCert(); err != nil {
+		t.Fatal(err)
+	}
+
+	// Configure the aggregator and auth config
+	masterConfig.AggregatorConfig.ProxyClientInfo.CertFile = proxyClientOptions.CertFile
+	masterConfig.AggregatorConfig.ProxyClientInfo.KeyFile = proxyClientOptions.KeyFile
+	masterConfig.AuthConfig.RequestHeader = &configapi.RequestHeaderAuthenticationOptions{
+		ClientCA:            signerOptions.CertFile,
+		ClientCommonNames:   []string{proxyClientOptions.User},
+		UsernameHeaders:     []string{"X-Remote-User"},
+		GroupHeaders:        []string{"X-Remote-Group"},
+		ExtraHeaderPrefixes: []string{"X-Remote-Extra-"},
+	}
+
+	// Get clients
+	clusterAdminKubeConfig, err := testserver.StartConfiguredMaster(masterConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+	clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+	openshiftClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+	openshiftProjectClient, err := projectclientset.NewForConfig(clusterAdminClientConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+	kubeClient, err := testutil.GetClusterAdminKubeClient(clusterAdminKubeConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+	apiregistrationClient, err := apiregistrationclientset.NewForConfig(clusterAdminClientConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Get resources
+	// Kube resource
+	if _, err := kubeClient.Core().Namespaces().Get("default", metav1.GetOptions{}); err != nil {
+		t.Fatal(err)
+	}
+	// Legacy openshift resource
+	if _, err := openshiftClient.Projects().Get("default", metav1.GetOptions{}); err != nil {
+		t.Fatal(err)
+	}
+	// Groupified openshift resource
+	if _, err := openshiftProjectClient.Projects().Get("default", metav1.GetOptions{}); err != nil {
+		t.Fatal(err)
+	}
+
+	// Get aggregator resources
+	// Legacy group
+	if _, err := apiregistrationClient.ApiregistrationV1beta1().APIServices().Get("v1.", metav1.GetOptions{}); err != nil {
+		t.Fatal(err)
+	}
+	// Openshift group
+	if _, err := apiregistrationClient.ApiregistrationV1beta1().APIServices().Get("v1.project.openshift.io", metav1.GetOptions{}); err != nil {
+		t.Fatal(err)
+	}
+	// Kube group
+	if _, err := apiregistrationClient.ApiregistrationV1beta1().APIServices().Get("v1beta1.rbac.authorization.k8s.io", metav1.GetOptions{}); err != nil {
+		t.Fatal(err)
+	}
+}
