Merge pull request #20426 from soltysh/external_prune

Switch prune to externals

Author: openshift-merge-robot

hack/import-restrictions.json

@@ -514,7 +514,6 @@
       "github.com/openshift/origin/pkg/authorization/util",
       "github.com/openshift/origin/pkg/build/apis/build",
       "github.com/openshift/origin/pkg/build/apis/build/install",
-      "github.com/openshift/origin/pkg/build/apis/build/v1",
       "github.com/openshift/origin/pkg/build/buildapihelpers",
       "github.com/openshift/origin/pkg/build/client",
       "github.com/openshift/origin/pkg/build/client/internalversion",

pkg/oc/cli/admin/groups/sync/interfaces.go

@@ -1,8 +1,8 @@
 package sync
 
 import (
+	userv1client "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1"
 	"github.com/openshift/origin/pkg/oc/lib/groupsync/interfaces"
-	usertypedclient "github.com/openshift/origin/pkg/user/generated/internalclientset/typed/user/internalversion"
 )
 
 // SyncBuilder describes an object that can build all the schema-specific parts of an LDAPGroupSyncer
@@ -30,7 +30,7 @@ type GroupNameRestrictions interface {
 // a client that can retrieve OpenShift groups to satisfy those lists
 type OpenShiftGroupNameRestrictions interface {
 	GroupNameRestrictions
-	GetClient() usertypedclient.GroupInterface
+	GetClient() userv1client.GroupInterface
 }
 
 // MappedNameRestrictions describes an object that holds user name mappings for a group sync job

pkg/oc/cli/admin/groups/sync/prune.go

@@ -3,7 +3,6 @@ package sync
 import (
 	"errors"
 	"fmt"
-	"io"
 	"os"
 
 	"github.com/spf13/cobra"
@@ -14,13 +13,12 @@ import (
 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 	"k8s.io/kubernetes/pkg/kubectl/genericclioptions"
 
+	userv1client "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1"
 	"github.com/openshift/origin/pkg/cmd/server/apis/config"
 	"github.com/openshift/origin/pkg/cmd/server/apis/config/validation/ldap"
 	"github.com/openshift/origin/pkg/oauthserver/ldaputil"
 	"github.com/openshift/origin/pkg/oauthserver/ldaputil/ldapclient"
 	"github.com/openshift/origin/pkg/oc/lib/groupsync"
-	userclientinternal "github.com/openshift/origin/pkg/user/generated/internalclientset"
-	usertypedclient "github.com/openshift/origin/pkg/user/generated/internalclientset/typed/user/internalversion"
 )
 
 const PruneRecommendedName = "prune"
@@ -53,92 +51,73 @@ var (
 
 type PruneOptions struct {
 	// Config is the LDAP sync config read from file
-	Config *config.LDAPSyncConfig
+	Config     *config.LDAPSyncConfig
+	ConfigFile string
 
 	// Whitelist are the names of OpenShift group or LDAP group UIDs to use for syncing
-	Whitelist []string
+	Whitelist     []string
+	WhitelistFile string
 
 	// Blacklist are the names of OpenShift group or LDAP group UIDs to exclude
-	Blacklist []string
+	Blacklist     []string
+	BlacklistFile string
 
 	// Confirm determines whether or not to write to OpenShift
 	Confirm bool
 
 	// GroupInterface is the interface used to interact with OpenShift Group objects
-	GroupInterface usertypedclient.GroupInterface
+	GroupInterface userv1client.GroupInterface
 
-	// Stderr is the writer to write warnings and errors to
-	Stderr io.Writer
-
-	// Out is the writer to write output to
-	Out io.Writer
+	genericclioptions.IOStreams
 }
 
-func NewPruneOptions() *PruneOptions {
+func NewPruneOptions(streams genericclioptions.IOStreams) *PruneOptions {
 	return &PruneOptions{
-		Stderr:    os.Stderr,
 		Whitelist: []string{},
+		IOStreams: streams,
 	}
 }
 
 func NewCmdPrune(name, fullName string, f kcmdutil.Factory, streams genericclioptions.IOStreams) *cobra.Command {
-	options := NewPruneOptions()
-	options.Out = streams.Out
-
-	whitelistFile := ""
-	blacklistFile := ""
-	configFile := ""
-
+	o := NewPruneOptions(streams)
 	cmd := &cobra.Command{
 		Use:     fmt.Sprintf("%s [WHITELIST] [--whitelist=WHITELIST-FILE] [--blacklist=BLACKLIST-FILE] --sync-config=CONFIG-SOURCE", name),
 		Short:   "Remove old OpenShift groups referencing missing records on an external provider",
 		Long:    pruneLong,
 		Example: fmt.Sprintf(pruneExamples, fullName),
-		Run: func(c *cobra.Command, args []string) {
-			kcmdutil.CheckErr(options.Complete(whitelistFile, blacklistFile, configFile, args, f))
-			kcmdutil.CheckErr(options.Validate())
-			err := options.Run(c, f)
-			if err != nil {
-				if aggregate, ok := err.(kerrs.Aggregate); ok {
-					for _, err := range aggregate.Errors() {
-						fmt.Printf("%s\n", err)
-					}
-					os.Exit(1)
-				}
-			}
-			kcmdutil.CheckErr(err)
+		Run: func(cmd *cobra.Command, args []string) {
+			kcmdutil.CheckErr(o.Complete(f, cmd, args))
+			kcmdutil.CheckErr(o.Validate())
+			kcmdutil.CheckErr(o.Run())
 		},
 	}
 
-	cmd.Flags().StringVar(&whitelistFile, "whitelist", whitelistFile, "path to the group whitelist file")
+	cmd.Flags().StringVar(&o.WhitelistFile, "whitelist", o.WhitelistFile, "path to the group whitelist file")
 	cmd.MarkFlagFilename("whitelist", "txt")
-	cmd.Flags().StringVar(&blacklistFile, "blacklist", whitelistFile, "path to the group blacklist file")
+	cmd.Flags().StringVar(&o.BlacklistFile, "blacklist", o.BlacklistFile, "path to the group blacklist file")
 	cmd.MarkFlagFilename("blacklist", "txt")
 	// TODO(deads): enable this once we're able to support string slice elements that have commas
-	// cmd.Flags().StringSliceVar(&options.Blacklist, "blacklist-group", options.Blacklist, "group to blacklist")
-
-	cmd.Flags().StringVar(&configFile, "sync-config", configFile, "path to the sync config")
+	// cmd.Flags().StringSliceVar(&o.Blacklist, "blacklist-group", o.Blacklist, "group to blacklist")
+	cmd.Flags().StringVar(&o.ConfigFile, "sync-config", o.ConfigFile, "path to the sync config")
 	cmd.MarkFlagFilename("sync-config", "yaml", "yml")
-
-	cmd.Flags().BoolVar(&options.Confirm, "confirm", false, "if true, modify OpenShift groups; if false, display groups")
+	cmd.Flags().BoolVar(&o.Confirm, "confirm", o.Confirm, "if true, modify OpenShift groups; if false, display groups")
 
 	return cmd
 }
 
-func (o *PruneOptions) Complete(whitelistFile, blacklistFile, configFile string, args []string, f kcmdutil.Factory) error {
+func (o *PruneOptions) Complete(f kcmdutil.Factory, cmd *cobra.Command, args []string) error {
 	var err error
-
-	o.Config, err = decodeSyncConfigFromFile(configFile)
+	o.Config, err = decodeSyncConfigFromFile(o.ConfigFile)
 	if err != nil {
 		return err
 	}
 
-	o.Whitelist, err = buildOpenShiftGroupNameList(args, whitelistFile, o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping)
+	o.Whitelist, err = buildOpenShiftGroupNameList(args, o.WhitelistFile, o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping)
 	if err != nil {
 		return err
 	}
 
-	o.Blacklist, err = buildOpenShiftGroupNameList([]string{}, blacklistFile, o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping)
+	o.Blacklist, err = buildOpenShiftGroupNameList([]string{}, o.BlacklistFile, o.Config.LDAPGroupUIDToOpenShiftGroupNameMapping)
 	if err != nil {
 		return err
 	}
@@ -147,11 +126,11 @@ func (o *PruneOptions) Complete(whitelistFile, blacklistFile, configFile string,
 	if err != nil {
 		return err
 	}
-	userClient, err := userclientinternal.NewForConfig(clientConfig)
+	userClient, err := userv1client.NewForConfig(clientConfig)
 	if err != nil {
 		return err
 	}
-	o.GroupInterface = userClient.User().Groups()
+	o.GroupInterface = userClient.Groups()
 
 	return nil
 }
@@ -170,7 +149,7 @@ func (o *PruneOptions) Validate() error {
 
 // Run creates the GroupSyncer specified and runs it to sync groups
 // the arguments are only here because its the only way to get the printer we need
-func (o *PruneOptions) Run(cmd *cobra.Command, f kcmdutil.Factory) error {
+func (o *PruneOptions) Run() error {
 	bindPassword, err := config.ResolveStringValue(o.Config.BindPassword)
 	if err != nil {
 		return err
@@ -236,7 +215,7 @@ func (o *PruneOptions) GetBlacklist() []string {
 	return o.Blacklist
 }
 
-func (o *PruneOptions) GetClient() usertypedclient.GroupInterface {
+func (o *PruneOptions) GetClient() userv1client.GroupInterface {
 	return o.GroupInterface
 }
 

pkg/oc/cli/admin/groups/sync/sync.go

@@ -20,6 +20,7 @@ import (
 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 	"k8s.io/kubernetes/pkg/kubectl/genericclioptions"
 
+	userv1client "github.com/openshift/client-go/user/clientset/versioned/typed/user/v1"
 	"github.com/openshift/origin/pkg/cmd/server/apis/config"
 	configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest"
 	"github.com/openshift/origin/pkg/cmd/server/apis/config/validation/ldap"
@@ -29,8 +30,6 @@ import (
 	"github.com/openshift/origin/pkg/oc/lib/groupsync"
 	"github.com/openshift/origin/pkg/oc/lib/groupsync/interfaces"
 	"github.com/openshift/origin/pkg/oc/lib/groupsync/syncerror"
-	userclientinternal "github.com/openshift/origin/pkg/user/generated/internalclientset"
-	usertypedclient "github.com/openshift/origin/pkg/user/generated/internalclientset/typed/user/internalversion"
 )
 
 const SyncRecommendedName = "sync"
@@ -97,7 +96,7 @@ type SyncOptions struct {
 	Confirm bool
 
 	// GroupInterface is the interface used to interact with OpenShift Group objects
-	GroupInterface usertypedclient.GroupInterface
+	GroupInterface userv1client.GroupInterface
 
 	// Stderr is the writer to write warnings and errors to
 	Stderr io.Writer
@@ -226,11 +225,11 @@ func (o *SyncOptions) Complete(typeArg, whitelistFile, blacklistFile, configFile
 	if err != nil {
 		return err
 	}
-	userClient, err := userclientinternal.NewForConfig(clientConfig)
+	userClient, err := userv1client.NewForConfig(clientConfig)
 	if err != nil {
 		return err
 	}
-	o.GroupInterface = userClient.User().Groups()
+	o.GroupInterface = userClient.Groups()
 
 	return nil
 }
@@ -506,7 +505,7 @@ func (o *SyncOptions) GetBlacklist() []string {
 	return o.Blacklist
 }
 
-func (o *SyncOptions) GetClient() usertypedclient.GroupInterface {
+func (o *SyncOptions) GetClient() userv1client.GroupInterface {
 	return o.GroupInterface
 }
 

pkg/oc/cli/admin/prune/auth/bindings.go

@@ -4,23 +4,26 @@ import (
 	"fmt"
 	"io"
 
+	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	kapi "k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/apis/core"
+	corev1conversions "k8s.io/kubernetes/pkg/apis/core/v1"
 
-	authclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset"
+	authv1client "github.com/openshift/client-go/authorization/clientset/versioned/typed/authorization/v1"
+	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 )
 
 // reapClusterBindings removes the subject from cluster-level role bindings
-func reapClusterBindings(removedSubject kapi.ObjectReference, c authclient.Interface, out io.Writer) []error {
+func reapClusterBindings(removedSubject corev1.ObjectReference, c authv1client.AuthorizationV1Interface, out io.Writer) []error {
 	errors := []error{}
 
-	clusterBindings, err := c.Authorization().ClusterRoleBindings().List(metav1.ListOptions{})
+	clusterBindings, err := c.ClusterRoleBindings().List(metav1.ListOptions{})
 	if err != nil {
 		return []error{err}
 	}
 	for _, binding := range clusterBindings.Items {
-		retainedSubjects := []kapi.ObjectReference{}
+		retainedSubjects := []corev1.ObjectReference{}
 		for _, subject := range binding.Subjects {
 			if subject != removedSubject {
 				retainedSubjects = append(retainedSubjects, subject)
@@ -29,7 +32,13 @@ func reapClusterBindings(removedSubject kapi.ObjectReference, c authclient.Inter
 		if len(retainedSubjects) != len(binding.Subjects) {
 			updatedBinding := binding
 			updatedBinding.Subjects = retainedSubjects
-			if _, err := c.Authorization().ClusterRoleBindings().Update(&updatedBinding); err != nil && !kerrors.IsNotFound(err) {
+			coreSubjects, err := convertObjectReference(retainedSubjects)
+			if err != nil {
+				errors = append(errors, err)
+				continue
+			}
+			updatedBinding.UserNames, updatedBinding.GroupNames = authorizationapi.StringSubjectsFor(binding.Namespace, coreSubjects)
+			if _, err := c.ClusterRoleBindings().Update(&updatedBinding); err != nil && !kerrors.IsNotFound(err) {
 				errors = append(errors, err)
 			} else {
 				fmt.Fprintf(out, "clusterrolebinding.rbac.authorization.k8s.io/"+updatedBinding.Name+" updated\n")
@@ -40,15 +49,15 @@ func reapClusterBindings(removedSubject kapi.ObjectReference, c authclient.Inter
 }
 
 // reapNamespacedBindings removes the subject from namespaced role bindings
-func reapNamespacedBindings(removedSubject kapi.ObjectReference, c authclient.Interface, out io.Writer) []error {
+func reapNamespacedBindings(removedSubject corev1.ObjectReference, c authv1client.AuthorizationV1Interface, out io.Writer) []error {
 	errors := []error{}
 
-	namespacedBindings, err := c.Authorization().RoleBindings(metav1.NamespaceAll).List(metav1.ListOptions{})
+	namespacedBindings, err := c.RoleBindings(metav1.NamespaceAll).List(metav1.ListOptions{})
 	if err != nil {
 		return []error{err}
 	}
 	for _, binding := range namespacedBindings.Items {
-		retainedSubjects := []kapi.ObjectReference{}
+		retainedSubjects := []corev1.ObjectReference{}
 		for _, subject := range binding.Subjects {
 			if subject != removedSubject {
 				retainedSubjects = append(retainedSubjects, subject)
@@ -57,7 +66,13 @@ func reapNamespacedBindings(removedSubject kapi.ObjectReference, c authclient.In
 		if len(retainedSubjects) != len(binding.Subjects) {
 			updatedBinding := binding
 			updatedBinding.Subjects = retainedSubjects
-			if _, err := c.Authorization().RoleBindings(binding.Namespace).Update(&updatedBinding); err != nil && !kerrors.IsNotFound(err) {
+			coreSubjects, err := convertObjectReference(retainedSubjects)
+			if err != nil {
+				errors = append(errors, err)
+				continue
+			}
+			updatedBinding.UserNames, updatedBinding.GroupNames = authorizationapi.StringSubjectsFor(binding.Namespace, coreSubjects)
+			if _, err := c.RoleBindings(binding.Namespace).Update(&updatedBinding); err != nil && !kerrors.IsNotFound(err) {
 				errors = append(errors, err)
 			} else {
 				fmt.Fprintf(out, "rolebinding.rbac.authorization.k8s.io/"+updatedBinding.Name+" updated\n")
@@ -66,3 +81,15 @@ func reapNamespacedBindings(removedSubject kapi.ObjectReference, c authclient.In
 	}
 	return errors
 }
+
+func convertObjectReference(ins []corev1.ObjectReference) ([]core.ObjectReference, error) {
+	result := []core.ObjectReference{}
+	for _, subject := range ins {
+		ref := &core.ObjectReference{}
+		if err := corev1conversions.Convert_v1_ObjectReference_To_core_ObjectReference(&subject, ref, nil); err != nil {
+			return nil, err
+		}
+		result = append(result, *ref)
+	}
+	return result, nil
+}

pkg/oc/cli/admin/prune/auth/group.go

@@ -4,24 +4,24 @@ import (
 	"fmt"
 	"io"
 
+	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
-	kapi "k8s.io/kubernetes/pkg/apis/core"
 
-	authclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset"
-	securitytypedclient "github.com/openshift/origin/pkg/security/generated/internalclientset/typed/security/internalversion"
+	authv1client "github.com/openshift/client-go/authorization/clientset/versioned/typed/authorization/v1"
+	securityv1client "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1"
 )
 
 func reapForGroup(
-	authorizationClient authclient.Interface,
-	securityClient securitytypedclient.SecurityContextConstraintsInterface,
+	authorizationClient authv1client.AuthorizationV1Interface,
+	securityClient securityv1client.SecurityContextConstraintsInterface,
 	name string,
 	out io.Writer) error {
 
 	errors := []error{}
 
-	removedSubject := kapi.ObjectReference{Kind: "Group", Name: name}
+	removedSubject := corev1.ObjectReference{Kind: "Group", Name: name}
 	errors = append(errors, reapClusterBindings(removedSubject, authorizationClient, out)...)
 	errors = append(errors, reapNamespacedBindings(removedSubject, authorizationClient, out)...)