handle bootstrap openshift namespace roles

deads2k · deads2k · commit e0c3469832f8 · 2017-08-07T12:03:53.000-04:00
diff --git a/pkg/cmd/server/origin/ensure.go b/pkg/cmd/server/origin/ensure.go
@@ -17,6 +17,7 @@ import (
 	"github.com/openshift/origin/pkg/oc/admin/policy"
 
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
+	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 )
 
 // ensureComponentAuthorizationRules initializes the cluster policies
@@ -52,12 +53,18 @@ func (c *MasterConfig) ensureComponentAuthorizationRules(context genericapiserve
 				utilruntime.HandleError(fmt.Errorf("unable to convert role.%s/%s in %v: %v", rbac.GroupName, rbacRole.Name, namespace, err))
 				continue
 			}
-			if _, err := c.PrivilegedLoopbackOpenShiftClient.Roles(namespace).Create(role); err != nil {
+			if _, err := c.PrivilegedLoopbackOpenShiftClient.Roles(namespace).Create(role); err != nil && !kapierror.IsAlreadyExists(err) {
 				// don't fail on failures, try to create as many as you can
 				utilruntime.HandleError(fmt.Errorf("unable to reconcile role.%s/%s in %v: %v", rbac.GroupName, role.Name, namespace, err))
 			}
 		}
 	}
+	for _, role := range bootstrappolicy.GetBootstrapOpenshiftRoles(c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace){
+		if _, err := c.PrivilegedLoopbackOpenShiftClient.Roles(c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace).Create(&role); err != nil  && !kapierror.IsAlreadyExists(err){
+			// don't fail on failures, try to create as many as you can
+			utilruntime.HandleError(fmt.Errorf("unable to reconcile role.%s/%s in %v: %v", rbac.GroupName, role.Name, c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace, err))
+		}
+	}
 
 	// ensure bootstrap namespaced rolebindings are created or reconciled
 	for namespace, roleBindings := range kbootstrappolicy.NamespaceRoleBindings() {
@@ -67,12 +74,18 @@ func (c *MasterConfig) ensureComponentAuthorizationRules(context genericapiserve
 				utilruntime.HandleError(fmt.Errorf("unable to convert rolebinding.%s/%s in %v: %v", rbac.GroupName, rbacRoleBinding.Name, namespace, err))
 				continue
 			}
-			if _, err := c.PrivilegedLoopbackOpenShiftClient.RoleBindings(namespace).Create(roleBinding); err != nil {
+			if _, err := c.PrivilegedLoopbackOpenShiftClient.RoleBindings(namespace).Create(roleBinding); err != nil   && !kapierror.IsAlreadyExists(err){
 				// don't fail on failures, try to create as many as you can
 				utilruntime.HandleError(fmt.Errorf("unable to reconcile rolebinding.%s/%s in %v: %v", rbac.GroupName, roleBinding.Name, namespace, err))
 			}
 		}
 	}
+	for _, roleBinding := range bootstrappolicy.GetBootstrapOpenshiftRoleBindings(c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace){
+		if _, err := c.PrivilegedLoopbackOpenShiftClient.RoleBindings(c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace).Create(&roleBinding); err != nil  && !kapierror.IsAlreadyExists(err){
+			// don't fail on failures, try to create as many as you can
+			utilruntime.HandleError(fmt.Errorf("unable to reconcile rolebinding.%s/%s in %v: %v", rbac.GroupName, roleBinding.Name, c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace, err))
+		}
+	}
 
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ import (`
`17`	`17`	`"github.com/openshift/origin/pkg/oc/admin/policy"`
`18`	`18`
`19`	`19`	`authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"`
	`20`	`+ "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"`
`20`	`21`	`)`
`21`	`22`
`22`	`23`	`// ensureComponentAuthorizationRules initializes the cluster policies`
`@@ -52,12 +53,18 @@ func (c *MasterConfig) ensureComponentAuthorizationRules(context genericapiserve`
`52`	`53`	`utilruntime.HandleError(fmt.Errorf("unable to convert role.%s/%s in %v: %v", rbac.GroupName, rbacRole.Name, namespace, err))`
`53`	`54`	`continue`
`54`	`55`	`}`
`55`		`- if _, err := c.PrivilegedLoopbackOpenShiftClient.Roles(namespace).Create(role); err != nil {`
	`56`	`+ if _, err := c.PrivilegedLoopbackOpenShiftClient.Roles(namespace).Create(role); err != nil && !kapierror.IsAlreadyExists(err) {`
`56`	`57`	`// don't fail on failures, try to create as many as you can`
`57`	`58`	`utilruntime.HandleError(fmt.Errorf("unable to reconcile role.%s/%s in %v: %v", rbac.GroupName, role.Name, namespace, err))`
`58`	`59`	`}`
`59`	`60`	`}`
`60`	`61`	`}`
	`62`	`+ for _, role := range bootstrappolicy.GetBootstrapOpenshiftRoles(c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace){`
	`63`	`+ if _, err := c.PrivilegedLoopbackOpenShiftClient.Roles(c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace).Create(&role); err != nil && !kapierror.IsAlreadyExists(err){`
	`64`	`+ // don't fail on failures, try to create as many as you can`
	`65`	`+ utilruntime.HandleError(fmt.Errorf("unable to reconcile role.%s/%s in %v: %v", rbac.GroupName, role.Name, c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace, err))`
	`66`	`+ }`
	`67`	`+ }`
`61`	`68`
`62`	`69`	`// ensure bootstrap namespaced rolebindings are created or reconciled`
`63`	`70`	`for namespace, roleBindings := range kbootstrappolicy.NamespaceRoleBindings() {`
`@@ -67,12 +74,18 @@ func (c *MasterConfig) ensureComponentAuthorizationRules(context genericapiserve`
`67`	`74`	`utilruntime.HandleError(fmt.Errorf("unable to convert rolebinding.%s/%s in %v: %v", rbac.GroupName, rbacRoleBinding.Name, namespace, err))`
`68`	`75`	`continue`
`69`	`76`	`}`
`70`		`- if _, err := c.PrivilegedLoopbackOpenShiftClient.RoleBindings(namespace).Create(roleBinding); err != nil {`
	`77`	`+ if _, err := c.PrivilegedLoopbackOpenShiftClient.RoleBindings(namespace).Create(roleBinding); err != nil && !kapierror.IsAlreadyExists(err){`
`71`	`78`	`// don't fail on failures, try to create as many as you can`
`72`	`79`	`utilruntime.HandleError(fmt.Errorf("unable to reconcile rolebinding.%s/%s in %v: %v", rbac.GroupName, roleBinding.Name, namespace, err))`
`73`	`80`	`}`
`74`	`81`	`}`
`75`	`82`	`}`
	`83`	`+ for _, roleBinding := range bootstrappolicy.GetBootstrapOpenshiftRoleBindings(c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace){`
	`84`	`+ if _, err := c.PrivilegedLoopbackOpenShiftClient.RoleBindings(c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace).Create(&roleBinding); err != nil && !kapierror.IsAlreadyExists(err){`
	`85`	`+ // don't fail on failures, try to create as many as you can`
	`86`	`+ utilruntime.HandleError(fmt.Errorf("unable to reconcile rolebinding.%s/%s in %v: %v", rbac.GroupName, roleBinding.Name, c.Options.PolicyConfig.OpenShiftSharedResourcesNamespace, err))`
	`87`	`+ }`
	`88`	`+ }`
`76`	`89`
`77`	`90`	`return nil`
`78`	`91`	`}`