allow template instance controller to create CRDs

bparees · bparees · commit eed81f1551f3 · 2018-04-18T09:18:10.000-04:00
diff --git a/pkg/cmd/server/bootstrappolicy/controller_policy.go b/pkg/cmd/server/bootstrappolicy/controller_policy.go
@@ -163,6 +163,11 @@ func init() {
 			rbac.NewRule("create").Groups(kAuthzGroup).Resources("subjectaccessreviews").RuleOrDie(),
 			rbac.NewRule("update").Groups(templateGroup).Resources("templateinstances/status").RuleOrDie(),
 			rbac.NewRule("update").Groups(templateGroup).Resources("templateinstances/finalizers").RuleOrDie(),
+			// template instance controller needs to be able to create and get any resource the user is allowed to create.
+			rbac.NewRule("create").Groups(rbac.APIGroupAll).Resources(rbac.ResourceAll).RuleOrDie(),
+			rbac.NewRule("get").Groups(rbac.APIGroupAll).Resources(rbac.ResourceAll).RuleOrDie(),
+			// delete needed to be able to set ownerrefs on objects
+			rbac.NewRule("delete").Groups(rbac.APIGroupAll).Resources(rbac.ResourceAll).RuleOrDie(),
 		},
 	})
 
diff --git a/pkg/template/controller/templateinstance_controller.go b/pkg/template/controller/templateinstance_controller.go
@@ -11,13 +11,17 @@ import (
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	kerrs "k8s.io/apimachinery/pkg/util/errors"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/client-go/discovery"
+	cacheddiscovery "k8s.io/client-go/discovery/cached"
+	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
@@ -51,9 +55,11 @@ const readinessTimeout = time.Hour
 // using its own service account, first verifying that the requester also has
 // permissions to instantiate.
 type TemplateInstanceController struct {
-	restmapper     meta.RESTMapper
-	config         *rest.Config
-	templateClient templateclient.Interface
+	restmapper        meta.RESTMapper
+	dynamicRestMapper *discovery.DeferredDiscoveryRESTMapper
+	config            *rest.Config
+	jsonConfig        *rest.Config
+	templateClient    templateclient.Interface
 
 	// FIXME: Remove then cient when the build configs are able to report the
 	//				status of the last build.
@@ -97,6 +103,13 @@ func NewTemplateInstanceController(config *rest.Config, kc kclientsetinternal.In
 		},
 	})
 
+	discoveryClient := cacheddiscovery.NewMemCacheClient(c.kc.Discovery())
+	c.dynamicRestMapper = discovery.NewDeferredDiscoveryRESTMapper(discoveryClient, meta.InterfacesForUnstructured)
+	c.dynamicRestMapper.Reset()
+
+	c.jsonConfig = rest.CopyConfig(c.config)
+	c.jsonConfig.ContentConfig = dynamic.ContentConfig()
+
 	prometheus.MustRegister(c)
 
 	return c
@@ -284,6 +297,8 @@ func (c *TemplateInstanceController) Run(workers int, stopCh <-chan struct{}) {
 		go wait.Until(c.runWorker, time.Second, stopCh)
 	}
 
+	go wait.Until(c.dynamicRestMapper.Reset, 30*time.Second, stopCh)
+
 	<-stopCh
 }
 
@@ -407,7 +422,7 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T
 		return err
 	}
 
-	errs := runtime.DecodeList(template.Objects, legacyscheme.Codecs.UniversalDecoder())
+	errs := runtime.DecodeList(template.Objects, legacyscheme.Codecs.LegacyCodec(schema.GroupVersion{Group: "", Version: "v1"}), unstructured.UnstructuredJSONScheme)
 	if len(errs) > 0 {
 		return kerrs.NewAggregate(errs)
 	}
@@ -424,7 +439,10 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T
 	}
 
 	for _, obj := range template.Objects {
-		meta, _ := meta.Accessor(obj)
+		meta, err := meta.Accessor(obj)
+		if err != nil {
+			return err
+		}
 		ref := meta.GetOwnerReferences()
 		ref = append(ref, templateInstanceOwnerRef)
 		meta.SetOwnerReferences(ref)
@@ -436,7 +454,14 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T
 			ObjectTyper:  legacyscheme.Scheme,
 			ClientMapper: bulk.ClientMapperFromConfig(c.config),
 		},
+		DynamicMapper: &resource.Mapper{
+			RESTMapper:   c.dynamicRestMapper,
+			ObjectTyper:  legacyscheme.Scheme,
+			ClientMapper: bulk.ClientMapperFromConfig(c.jsonConfig),
+		},
+
 		Op: func(info *resource.Info, namespace string, obj runtime.Object) (runtime.Object, error) {
+
 			if len(info.Namespace) > 0 {
 				namespace = info.Namespace
 			}
diff --git a/test/extended/testdata/bindata.go b/test/extended/testdata/bindata.go
diff --git a/test/extended/testdata/templates/templateservicebroker_bind.yaml b/test/extended/testdata/templates/templateservicebroker_bind.yaml
@@ -1,5 +1,7 @@
 apiVersion: v1
 kind: Template
+metadata:
+  name: tsbtemplate
 objects:
 - apiVersion: v1
   kind: Secret
@@ -47,7 +49,7 @@ objects:
           ports:
           - name: port
             port: 1234
-      - apiVersion: v1
+      - apiVersion: route.openshift.io/v1
         kind: Route
         metadata:
           annotations:
@@ -59,6 +61,31 @@ objects:
           to:
             kind: Service
             name: service
+      - apiVersion: apiextensions.k8s.io/v1beta1
+        kind: CustomResourceDefinition
+        metadata:
+          name: testcrds.testcrdgroup.io
+        spec:
+          group: testcrdgroup.io
+          version: v1
+          scope: Namespaced
+          names:
+            plural: testcrds
+            singular: testcrd
+            kind: TestCRD
+          validation:
+            openAPIV3Schema:
+              properties:
+                state:
+                  type: string
+                podName:
+                  type: string
+                method:
+                  type: string
+                error:
+                  type: string
+                description:
+                  type: string
 
 - apiVersion: template.openshift.io/v1
   kind: BrokerTemplateInstance
