cluster up: improve compatibility with previous versions

Author: csrwng

pkg/oc/bootstrap/docker/openshift/admin.go

@@ -24,7 +24,6 @@ import (
 	configcmd "github.com/openshift/origin/pkg/config/cmd"
 	"github.com/openshift/origin/pkg/oc/admin/policy"
 	"github.com/openshift/origin/pkg/oc/bootstrap/docker/errors"
-	securitytypedclient "github.com/openshift/origin/pkg/security/generated/internalclientset/typed/security/internalversion"
 )
 
 const (
@@ -47,11 +46,7 @@ func (h *Helper) InstallRegistry(kubeClient kclientset.Interface, f *clientcmd.F
 		return errors.NewError("error retrieving docker registry service").WithCause(err).WithDetails(h.OriginLog())
 	}
 
-	securityClient, err := f.OpenshiftInternalSecurityClient()
-	if err != nil {
-		return err
-	}
-	err = AddSCCToServiceAccount(securityClient.Security(), "privileged", "registry", "default", out)
+	err = h.AddSCCToServiceAccount("privileged", "registry", "default", out)
 	if err != nil {
 		return errors.NewError("cannot add privileged SCC to registry service account").WithCause(err).WithDetails(h.OriginLog())
 	}
@@ -121,18 +116,9 @@ func (h *Helper) InstallRouter(kubeClient kclientset.Interface, f *clientcmd.Fac
 	}
 
 	// Add router SA to privileged SCC
-	securityClient, err := f.OpenshiftInternalSecurityClient()
-	if err != nil {
-		return err
-	}
-	privilegedSCC, err := securityClient.Security().SecurityContextConstraints().Get("privileged", metav1.GetOptions{})
-	if err != nil {
-		return errors.NewError("cannot retrieve privileged SCC").WithCause(err).WithDetails(h.OriginLog())
-	}
-	privilegedSCC.Users = append(privilegedSCC.Users, serviceaccount.MakeUsername("default", "router"))
-	_, err = securityClient.Security().SecurityContextConstraints().Update(privilegedSCC)
+	err = h.AddSCCToServiceAccount("privileged", "router", "default", out)
 	if err != nil {
-		return errors.NewError("cannot update privileged SCC").WithCause(err).WithDetails(h.OriginLog())
+		return errors.NewError("cannot add privileged SCC to router service account").WithCause(err).WithDetails(h.OriginLog())
 	}
 
 	routingSuffix := h.routingSuffix
@@ -197,14 +183,11 @@ func (h *Helper) InstallRouter(kubeClient kclientset.Interface, f *clientcmd.Fac
 	return nil
 }
 
-func AddClusterRole(authorizationClient authorizationtypedclient.ClusterRoleBindingsGetter, role, user string) error {
-	clusterRoleBindingAccessor := policy.NewClusterRoleBindingAccessor(authorizationClient)
-	addClusterReaderRole := policy.RoleModificationOptions{
-		RoleName:            role,
-		RoleBindingAccessor: clusterRoleBindingAccessor,
-		Users:               []string{user},
-	}
-	return addClusterReaderRole.AddRole()
+func (h *Helper) AddClusterRole(role, user string, out io.Writer) error {
+	command := []string{"oc", "adm", "policy", "add-cluster-role-to-user", role, user}
+	result, err := h.execHelper.Command(command...).CombinedOutput()
+	fmt.Fprintf(out, "%s", result)
+	return err
 }
 
 func AddRoleToServiceAccount(authorizationClient authorizationtypedclient.RoleBindingsGetter, role, sa, namespace string) error {
@@ -223,21 +206,12 @@ func AddRoleToServiceAccount(authorizationClient authorizationtypedclient.RoleBi
 	return addRole.AddRole()
 }
 
-func AddSCCToServiceAccount(securityClient securitytypedclient.SecurityContextConstraintsGetter, scc, sa, namespace string, out io.Writer) error {
-	modifySCC := policy.SCCModificationOptions{
-		SCCName:      scc,
-		SCCInterface: securityClient.SecurityContextConstraints(),
-		Subjects: []kapi.ObjectReference{
-			{
-				Namespace: namespace,
-				Name:      sa,
-				Kind:      "ServiceAccount",
-			},
-		},
-
-		Out: out,
-	}
-	return modifySCC.AddSCC()
+func (h *Helper) AddSCCToServiceAccount(scc, sa, namespace string, out io.Writer) error {
+	user := serviceaccount.MakeUsername(namespace, sa)
+	command := []string{"oc", "adm", "policy", "add-scc-to-user", scc, user}
+	result, err := h.execHelper.Command(command...).CombinedOutput()
+	fmt.Fprintf(out, "%s", result)
+	return err
 }
 
 // catFiles concatenates multiple source files into a single destination file

pkg/oc/bootstrap/docker/openshift/ansible.go

@@ -198,7 +198,7 @@ func (r *ansibleRunner) createServiceAccount(namespace string) error {
 		return errors.NewError(fmt.Sprintf("cannot create %s service account", serviceAccount.Name)).WithCause(err).WithDetails(r.Helper.OriginLog())
 	}
 	// Add privileged SCC to serviceAccount
-	if err = AddSCCToServiceAccount(r.SecurityClient.Security(), "privileged", serviceAccount.Name, namespace, &bytes.Buffer{}); err != nil {
+	if err = r.AddSCCToServiceAccount("privileged", serviceAccount.Name, namespace, &bytes.Buffer{}); err != nil {
 		return errors.NewError("cannot add privileged security context constraint to service account").WithCause(err).WithDetails(r.Helper.OriginLog())
 	}
 	return nil

pkg/oc/bootstrap/docker/openshift/helper.go

@@ -90,6 +90,7 @@ var (
 	}
 	version15 = semver.MustParse("1.5.0")
 	version35 = semver.MustParse("3.5.0")
+	version36 = semver.MustParse("3.6.0")
 	version37 = semver.MustParse("3.7.0")
 )
 
@@ -696,6 +697,10 @@ func useAggregator(version semver.Version) bool {
 	return version.GTE(version37)
 }
 
+func enableAdmissionRegistrationAPI(version semver.Version) bool {
+	return version.GT(version36)
+}
+
 func (h *Helper) updateConfig(configDir string, opt *StartOptions) error {
 	cfg, configPath, err := h.GetConfigFromLocalDir(configDir)
 	if err != nil {
@@ -710,11 +715,6 @@ func (h *Helper) updateConfig(configDir string, opt *StartOptions) error {
 		Configuration: &configapi.DefaultAdmissionConfig{},
 	}
 
-	if cfg.KubernetesMasterConfig.APIServerArguments == nil {
-		cfg.KubernetesMasterConfig.APIServerArguments = configapi.ExtendedArguments{}
-	}
-	cfg.KubernetesMasterConfig.APIServerArguments["runtime-config"] = append(cfg.KubernetesMasterConfig.APIServerArguments["runtime-config"], "apis/admissionregistration.k8s.io/v1alpha1=true")
-
 	if len(opt.RoutingSuffix) > 0 {
 		cfg.RoutingConfig.Subdomain = opt.RoutingSuffix
 	} else {
@@ -767,6 +767,14 @@ func (h *Helper) updateConfig(configDir string, opt *StartOptions) error {
 	if err != nil {
 		return err
 	}
+
+	if enableAdmissionRegistrationAPI(version) {
+		if cfg.KubernetesMasterConfig.APIServerArguments == nil {
+			cfg.KubernetesMasterConfig.APIServerArguments = configapi.ExtendedArguments{}
+		}
+		cfg.KubernetesMasterConfig.APIServerArguments["runtime-config"] = append(cfg.KubernetesMasterConfig.APIServerArguments["runtime-config"], "apis/admissionregistration.k8s.io/v1alpha1=true")
+	}
+
 	if useAggregator(version) || opt.ServiceCatalog {
 		// setup the api aggegrator
 		cfg.AggregatorConfig = configapi.AggregatorConfig{

pkg/oc/bootstrap/docker/openshift/logging.go

@@ -38,7 +38,7 @@ func (h *Helper) InstallLoggingViaAnsible(f *clientcmd.Factory, serverIP, public
 
 	// Create logging namespace
 	out := &bytes.Buffer{}
-	err = CreateProject(f, loggingNamespace, "", "", "oc", out)
+	err = h.CreateProject(f, loggingNamespace, "", "", "", out)
 	if err != nil {
 		return errors.NewError("cannot create logging project").WithCause(err).WithDetails(out.String())
 	}
@@ -65,18 +65,10 @@ func (h *Helper) InstallLogging(f *clientcmd.Factory, publicHostname, loggerHost
 	if err != nil {
 		return errors.NewError("cannot obtain API clients").WithCause(err).WithDetails(h.OriginLog())
 	}
-	authorizationClient, err := f.OpenshiftInternalAuthorizationClient()
-	if err != nil {
-		return errors.NewError("cannot obtain API clients").WithCause(err).WithDetails(h.OriginLog())
-	}
 	templateClient, err := f.OpenshiftInternalTemplateClient()
 	if err != nil {
 		return errors.NewError("cannot obtain API clients").WithCause(err).WithDetails(h.OriginLog())
 	}
-	securityClient, err := f.OpenshiftInternalSecurityClient()
-	if err != nil {
-		return errors.NewError("cannot obtain API clients").WithCause(err).WithDetails(h.OriginLog())
-	}
 
 	_, err = kubeClient.Core().Namespaces().Get(loggingNamespace, metav1.GetOptions{})
 	if err == nil {
@@ -86,7 +78,7 @@ func (h *Helper) InstallLogging(f *clientcmd.Factory, publicHostname, loggerHost
 
 	// Create logging namespace
 	out := &bytes.Buffer{}
-	err = CreateProject(f, loggingNamespace, "", "", "oc", out)
+	err = h.CreateProject(f, loggingNamespace, "", "", "", out)
 	if err != nil {
 		return errors.NewError("cannot create logging project").WithCause(err).WithDetails(out.String())
 	}
@@ -98,17 +90,17 @@ func (h *Helper) InstallLogging(f *clientcmd.Factory, publicHostname, loggerHost
 	}
 
 	// Add oauth-editor cluster role to logging-deployer sa
-	if err = AddClusterRole(authorizationClient.Authorization(), "oauth-editor", "system:serviceaccount:logging:logging-deployer"); err != nil {
+	if err = h.AddClusterRole("oauth-editor", "system:serviceaccount:logging:logging-deployer", out); err != nil {
 		return errors.NewError("cannot add oauth editor role to logging deployer service account").WithCause(err).WithDetails(h.OriginLog())
 	}
 
 	// Add cluster-reader cluster role to aggregated-logging-fluentd sa
-	if err = AddClusterRole(authorizationClient.Authorization(), "cluster-reader", "system:serviceaccount:logging:aggregated-logging-fluentd"); err != nil {
+	if err = h.AddClusterRole("cluster-reader", "system:serviceaccount:logging:aggregated-logging-fluentd", out); err != nil {
 		return errors.NewError("cannot cluster reader role to logging fluentd service account").WithCause(err).WithDetails(h.OriginLog())
 	}
 
 	// Add privileged SCC to aggregated-logging-fluentd sa
-	if err = AddSCCToServiceAccount(securityClient.Security(), "privileged", "aggregated-logging-fluentd", loggingNamespace, out); err != nil {
+	if err = h.AddSCCToServiceAccount("privileged", "aggregated-logging-fluentd", loggingNamespace, out); err != nil {
 		return errors.NewError("cannot add privileged security context constraint to logging fluentd service account").WithCause(err).WithDetails(h.OriginLog())
 	}
 

pkg/oc/bootstrap/docker/openshift/metrics.go

@@ -1,6 +1,7 @@
 package openshift
 
 import (
+	"bytes"
 	"fmt"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -96,8 +97,9 @@ func (h *Helper) InstallMetrics(f *clientcmd.Factory, hostName, imagePrefix, ima
 	}
 
 	// Add cluster reader role to heapster service account
-	if err = AddClusterRole(authorizationClient.Authorization(), "cluster-reader", "system:serviceaccount:openshift-infra:heapster"); err != nil {
-		return errors.NewError("cannot add cluster reader role to heapster service account").WithCause(err).WithDetails(h.OriginLog())
+	cmdOutput := &bytes.Buffer{}
+	if err = h.AddClusterRole("cluster-reader", "system:serviceaccount:openshift-infra:heapster", cmdOutput); err != nil {
+		return errors.NewError("cannot add cluster reader role to heapster service account").WithCause(err).WithDetails(cmdOutput.String())
 	}
 
 	// Create metrics deployer secret

pkg/oc/bootstrap/docker/openshift/project.go

@@ -2,9 +2,8 @@ package openshift
 
 import (
 	"io"
-	"io/ioutil"
+	"strings"
 
-	"k8s.io/apimachinery/pkg/api/errors"
 	kclientcmd "k8s.io/client-go/tools/clientcmd"
 
 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"
@@ -13,36 +12,16 @@ import (
 )
 
 // CreateProject creates a project
-func CreateProject(f *clientcmd.Factory, name, display, desc, basecmd string, out io.Writer) error {
-	projectClient, err := f.OpenshiftInternalProjectClient()
-	if err != nil {
-		return err
-	}
-	pathOptions := config.NewPathOptionsWithConfig("")
-	opt := &cmd.NewProjectOptions{
-		ProjectName: name,
-		DisplayName: display,
-		Description: desc,
-
-		Name: basecmd,
-
-		Client: projectClient.Project(),
-
-		ProjectOptions: &cmd.ProjectOptions{PathOptions: pathOptions},
-		Out:            ioutil.Discard,
+func (h *Helper) CreateProject(f *clientcmd.Factory, name, display, desc, token string, out io.Writer) error {
+	command := []string{"oc", "new-project", name, "--display-name", display, "--description", desc}
+	if len(token) > 0 {
+		command = append(command, "--token", token)
 	}
-	err = opt.ProjectOptions.Complete(f, []string{}, ioutil.Discard)
-	if err != nil {
-		return err
-	}
-	err = opt.Run()
-	if err != nil {
-		if errors.IsAlreadyExists(err) {
-			return setCurrentProject(f, name, out)
-		}
-		return err
+	result, err := h.execHelper.Command(command...).CombinedOutput()
+	if err == nil || (err != nil && strings.Contains(result, "AlreadyExists")) {
+		return setCurrentProject(f, name, out)
 	}
-	return nil
+	return err
 }
 
 func setCurrentProject(f *clientcmd.Factory, name string, out io.Writer) error {
@@ -52,11 +31,18 @@ func setCurrentProject(f *clientcmd.Factory, name string, out io.Writer) error {
 	return opt.RunProject()
 }
 
-func LoggedInUserFactory() (*clientcmd.Factory, error) {
+// LoggedInUserFactory returns a factory for the currently logged in
+// user as well as a token.
+func LoggedInUserFactory() (*clientcmd.Factory, string, error) {
 	cfg, err := config.NewOpenShiftClientConfigLoadingRules().Load()
 	if err != nil {
-		return nil, err
+		return nil, "", err
 	}
 	defaultCfg := kclientcmd.NewDefaultClientConfig(*cfg, &kclientcmd.ConfigOverrides{})
-	return clientcmd.NewFactory(defaultCfg), nil
+	clientCfg, err := defaultCfg.ClientConfig()
+	if err != nil {
+		return nil, "", err
+	}
+
+	return clientcmd.NewFactory(defaultCfg), clientCfg.BearerToken, nil
 }

pkg/oc/bootstrap/docker/openshift/pvsetup.go

@@ -124,15 +124,17 @@ func (h *Helper) ensurePVInstallerSA(authorizationClient authorizationtypedclien
 		}
 	}
 
-	err = AddSCCToServiceAccount(securityClient.Security(), "privileged", "pvinstaller", "default", &bytes.Buffer{})
+	cmdOut := &bytes.Buffer{}
+	err = h.AddSCCToServiceAccount("privileged", "pvinstaller", "default", cmdOut)
 	if err != nil {
-		return errors.NewError("cannot add privileged SCC to pvinstaller service account").WithCause(err).WithDetails(h.OriginLog())
+		return errors.NewError("cannot add privileged SCC to pvinstaller service account").WithCause(err).WithDetails(cmdOut.String())
 	}
 
 	saUser := serviceaccount.MakeUsername(pvSetupNamespace, pvInstallerSA)
-	err = AddClusterRole(authorizationClient, "cluster-admin", saUser)
+	cmdOut = &bytes.Buffer{}
+	err = h.AddClusterRole("cluster-admin", saUser, cmdOut)
 	if err != nil {
-		return errors.NewError("cannot add cluster role to service account (%s/%s)", pvSetupNamespace, pvInstallerSA).WithCause(err).WithDetails(h.OriginLog())
+		return errors.NewError("cannot add cluster role to service account (%s/%s)", pvSetupNamespace, pvInstallerSA).WithCause(err).WithDetails(cmdOut.String())
 	}
 
 	return nil

pkg/oc/bootstrap/docker/up.go

@@ -1117,11 +1117,11 @@ func (c *ClientStartConfig) Login(out io.Writer) error {
 
 // CreateProject creates a new project for the current user
 func (c *ClientStartConfig) CreateProject(out io.Writer) error {
-	f, err := openshift.LoggedInUserFactory()
+	f, token, err := openshift.LoggedInUserFactory()
 	if err != nil {
 		return errors.NewError("cannot get logged in user client").WithCause(err)
 	}
-	return openshift.CreateProject(f, initialProjectName, initialProjectDisplay, initialProjectDesc, "oc", out)
+	return c.OpenShiftHelper().CreateProject(f, initialProjectName, initialProjectDisplay, initialProjectDesc, token, out)
 }
 
 // RemoveTemporaryDirectory removes the local configuration directory

test/extended/clusterup.sh

@@ -277,16 +277,10 @@ readonly default_tests=(
     "numerichostname"
     "portinuse"
     "svcaccess"
-
-# enable once https://github.com/openshift/origin/issues/16995 is fixed
-#    "default"
-# enable once https://github.com/openshift/origin/issues/16995 is fixed
-#    "image::ose3.3"
-# enable once https://github.com/openshift/origin/issues/16995 is fixed
-#    "image::ose3.4"
-# enable once https://github.com/openshift/origin/issues/16995 is fixed
-#    "image::ose3.5"
-
+    "default"
+    "image::ose3.3"
+    "image::ose3.4"
+    "image::ose3.5"
     "image::ose3.6"
 
 # logging+metrics team needs to fix/enable these tests.