make openshift start --write-config take a dir

README.md

@@ -60,7 +60,7 @@ Once the container is started, you can jump into a console inside the container
 
 If you just want to experiment with the API without worrying about security privileges, you can disable authorization checks by running this from the host system.  This command grants full access to anyone.
 
-    $ docker exec -it openshift-origin bash -c "openshift admin policy add-role-to-group cluster-admin system:authenticated system:unauthenticated --config=/var/lib/openshift/openshift.local.certificates/admin/.kubeconfig"
+    $ docker exec -it openshift-origin bash -c "openshift admin policy add-role-to-group cluster-admin system:authenticated system:unauthenticated --config=/var/lib/openshift/openshift.local.config/master/admin.kubeconfig"
 
 
 ### Start Developing
@@ -82,7 +82,7 @@ Once setup with a Go development environment and Docker, you can:
 3.  In another terminal window, switch to the directory and start an app:
 
         $ cd $GOPATH/src/github.com/openshift/origin
-        $ export OPENSHIFTCONFIG=`pwd`/openshift.local.certificates/admin/.kubeconfig 
+        $ export OPENSHIFTCONFIG=`pwd`/openshift.local.config/master/admin.kubeconfig 
         $ _output/local/go/bin/osc create -f examples/hello-openshift/hello-pod.json
 
 In your browser, go to [http://localhost:6061](http://localhost:6061) and you should see 'Welcome to OpenShift'.

docs/routing.md

@@ -32,10 +32,10 @@ Once it is pulled it will start and be visible in the `docker ps` list of contai
     [vagrant@openshiftdev origin]$ sudo /data/src/github.com/openshift/origin/_output/local/bin/linux/amd64/openshift start &
 
     If running in https mode, ensure osc can authenticate to the master
-    [vagrant@openshiftdev origin]$ export OPENSHIFTCONFIG=/data/src/github.com/openshift/origin/openshift.local.certificates/admin/.kubeconfig
+    [vagrant@openshiftdev origin]$ export OPENSHIFTCONFIG=/data/src/github.com/openshift/origin/openshift.local.config/master/admin.kubeconfig
     [vagrant@openshiftdev origin]$ sudo chmod a+r "$OPENSHIFTCONFIG"
-    [vagrant@openshiftdev origin]$ sudo chmod a+r openshift.local.certificates/openshift-router/.kubeconfig
-    [vagrant@openshiftdev origin]$ openshift ex router --create --credentials="openshift.local.certificates/openshift-router/.kubeconfig"
+    [vagrant@openshiftdev origin]$ sudo chmod a+r openshift.local.config/master/openshift-router.kubeconfig
+    [vagrant@openshiftdev origin]$ openshift ex router --create --credentials="openshift.local.config/master/openshift-router.kubeconfig"
     [vagrant@openshiftdev origin]$ osc get pods
 
 #### Clustered vagrant environment

examples/jenkins/README.md

@@ -35,7 +35,7 @@ Steps
 
     1. Go back to your browser, refresh and select the rubyJob build job.
     2. Choose `Configure`.
-    3. Locate the KUBECONFIG_CREDENTIALS parameter, and replace the default value with the contents of the `openshift.local.certificates/openshift-client/.kubeconfig` file.
+    3. Locate the KUBECONFIG_CREDENTIALS parameter, and replace the default value with the contents of the `openshift.local.config/master/openshift-client.kubeconfig` file.
     4. Click `Save`.
 
 6. Run the Jenkins build

examples/sample-app/README.md

@@ -129,13 +129,13 @@ This section covers how to perform all the steps of building, deploying, and upd
     installation, users would generate their own keys and not have access
     to the system keys.)
 
-        $ export CURL_CA_BUNDLE=`pwd`/openshift.local.certificates/ca/cert.crt
-        $ sudo chmod a+rwX `pwd`/openshift.local.certificates/admin/.kubeconfig
+        $ export CURL_CA_BUNDLE=`pwd`/openshift.local.config/master/ca.crt
+        $ sudo chmod a+rwX `pwd`/openshift.local.config/master/admin.kubeconfig
 
 
 4. Bind a user names `test-admin` to the `view` role in the default namespace so you can observe progress in the web console
 
-        $ osadm policy add-role-to-user view test-admin --config=openshift.local.certificates/admin/.kubeconfig
+        $ osadm policy add-role-to-user view test-admin --config=openshift.local.config/master/admin.kubeconfig
 
 5. Login as `test-admin` using any password
         $ osc login --certificate-authority=`pwd`/openshift.local.certificates/ca/cert.crt
@@ -154,8 +154,8 @@ This section covers how to perform all the steps of building, deploying, and upd
 
 7. Deploy a private docker registry within OpenShift with the certs necessary for access to master:
 
-        $ sudo chmod +r ./openshift.local.certificates/openshift-registry/.kubeconfig
-        $ openshift ex registry --create --credentials=./openshift.local.certificates/openshift-registry/.kubeconfig --config=openshift.local.certificates/admin/.kubeconfig
+        $ sudo chmod +r ./openshift.local.config/master/openshift-registry.kubeconfig
+        $ openshift ex registry --create --credentials=./openshift.local.config/master/openshift-registry.kubeconfig --config=openshift.local.config/master/admin.kubeconfig
           docker-registry # the service
           docker-registry # the deployment config
 
@@ -372,8 +372,8 @@ the ip address shown below with the correct one for your environment.
             # take some time.  Your pod will stay in Pending state while the pull is completed
             $ docker pull openshift/origin-haproxy-router
 
-            $ sudo chmod +r `pwd`/openshift.local.certificates/openshift-router/.kubeconfig
-            $ openshift ex router --create --credentials="`pwd`/openshift.local.certificates/openshift-router/.kubeconfig" --config=openshift.local.certificates/admin/.kubeconfig
+            $ sudo chmod +r `pwd`/openshift.local.config/master/openshift-router.kubeconfig
+            $ openshift ex router --create --credentials="`pwd`/openshift.local.config/master/openshift-router.kubeconfig" --config=openshift.local.config/master/admin.kubeconfig
               router # the service
               router # the deployment config
 

examples/sample-app/container-setup.md

@@ -60,7 +60,7 @@ bits that are used in the sample app.
 
 ## Configure client security
 
-    $ export CURL_CA_BUNDLE=`pwd`/openshift.local.certificates/ca/cert.crt
+    $ export CURL_CA_BUNDLE=`pwd`/openshift.local.config/master/ca.crt
 
 For more information on this step, see [Application Build, Deploy, and Update
 Flow](https://github.com/openshift/origin/blob/master/examples/sample-app/README.md#application-build-deploy-and-update-flow),

hack/export-certs.sh

@@ -3,7 +3,7 @@
 # This command attempts to export the correct arguments for a curl client.
 # Exports CURL_ARGS which should be used with curl:
 #
-#   $ source hack/export-certs.sh ./openshift.local.certificates/admin
+#   $ source hack/export-certs.sh ./openshift.local.config/master/admin
 #   $ curl $CURL_ARGS <a protected URL>
 
 set -o errexit

hack/test-cmd.sh

@@ -50,9 +50,12 @@ KUBELET_PORT=${KUBELET_PORT:-10250}
 TEMP_DIR=${USE_TEMP:-$(mktemp -d /tmp/openshift-cmd.XXXX)}
 ETCD_DATA_DIR="${TEMP_DIR}/etcd"
 VOLUME_DIR="${TEMP_DIR}/volumes"
-CERT_DIR="${TEMP_DIR}/certs"
+FAKE_HOME_DIR="${TEMP_DIR}/openshift.local.home"
+SERVER_CONFIG_DIR="${TEMP_DIR}/openshift.local.config"
+MASTER_CONFIG_DIR="${SERVER_CONFIG_DIR}/master"
+NODE_CONFIG_DIR="${SERVER_CONFIG_DIR}/node-${KUBELET_HOST}"
 CONFIG_DIR="${TEMP_DIR}/configs"
-mkdir -p "${ETCD_DATA_DIR}" "${VOLUME_DIR}" "${CERT_DIR}" "${CONFIG_DIR}"
+mkdir -p "${ETCD_DATA_DIR}" "${VOLUME_DIR}" "${FAKE_HOME_DIR}" "${MASTER_CONFIG_DIR}" "${NODE_CONFIG_DIR}" "${CONFIG_DIR}"
 
 # handle profiling defaults
 profile="${OPENSHIFT_PROFILE-}"
@@ -77,7 +80,7 @@ echo openshift: $out
 export OPENSHIFT_PROFILE="${WEB_PROFILE-}"
 
 # Specify the scheme and port for the listen address, but let the IP auto-discover. Set --public-master to localhost, for a stable link to the console.
-echo "[INFO] Create certificates for the OpenShift server to ${CERT_DIR}"
+echo "[INFO] Create certificates for the OpenShift server to ${MASTER_CONFIG_DIR}"
 # find the same IP that openshift start will bind to.  This allows access from pods that have to talk back to master
 ALL_IP_ADDRESSES=`ifconfig | grep "inet " | sed 's/adr://' | awk '{print $2}'`
 SERVER_HOSTNAME_LIST="${PUBLIC_MASTER_HOST},localhost"
@@ -88,42 +91,51 @@ done <<< "${ALL_IP_ADDRESSES}"
 
 openshift admin create-master-certs \
   --overwrite=false \
-  --cert-dir="${CERT_DIR}" \
+  --cert-dir="${MASTER_CONFIG_DIR}" \
   --hostnames="${SERVER_HOSTNAME_LIST}" \
   --master="${MASTER_ADDR}" \
   --public-master="${API_SCHEME}://${PUBLIC_MASTER_HOST}"
 
 openshift admin create-node-config \
   --listen="${KUBELET_SCHEME}://0.0.0.0:${KUBELET_PORT}" \
-  --node-dir="${CERT_DIR}/node-${KUBELET_HOST}" \
+  --node-dir="${NODE_CONFIG_DIR}" \
   --node="${KUBELET_HOST}" \
   --hostnames="${KUBELET_HOST}" \
   --master="${MASTER_ADDR}" \
-  --node-client-certificate-authority="${CERT_DIR}/ca/cert.crt" \
-  --certificate-authority="${CERT_DIR}/ca/cert.crt" \
-  --signer-cert="${CERT_DIR}/ca/cert.crt" \
-  --signer-key="${CERT_DIR}/ca/key.key" \
-  --signer-serial="${CERT_DIR}/ca/serial.txt"
-
-# Start openshift
-OPENSHIFT_ON_PANIC=crash openshift start \
+  --node-client-certificate-authority="${MASTER_CONFIG_DIR}/ca.crt" \
+  --certificate-authority="${MASTER_CONFIG_DIR}/ca.crt" \
+  --signer-cert="${MASTER_CONFIG_DIR}/ca.crt" \
+  --signer-key="${MASTER_CONFIG_DIR}/ca.key" \
+  --signer-serial="${MASTER_CONFIG_DIR}/ca.serial.txt"
+
+osadm create-bootstrap-policy-file --filename="${MASTER_CONFIG_DIR}/policy.json"
+
+# create openshift config
+openshift start \
+  --write-config=${SERVER_CONFIG_DIR} \
+  --create-certs=false \
   --master="${API_SCHEME}://${API_HOST}:${API_PORT}" \
   --listen="${API_SCHEME}://${API_HOST}:${API_PORT}" \
   --hostname="${KUBELET_HOST}" \
   --volume-dir="${VOLUME_DIR}" \
-  --cert-dir="${CERT_DIR}" \
-  --etcd-dir="${ETCD_DATA_DIR}" \
-  --create-certs=false 1>&2 &
+  --etcd-dir="${ETCD_DATA_DIR}" 
+
+
+# Start openshift
+OPENSHIFT_ON_PANIC=crash openshift start \
+  --master-config=${MASTER_CONFIG_DIR}/master-config.yaml \
+  --node-config=${NODE_CONFIG_DIR}/node-config.yaml \
+  1>&2 &
 OS_PID=$!
 
 if [[ "${API_SCHEME}" == "https" ]]; then
-    export CURL_CA_BUNDLE="${CERT_DIR}/ca/cert.crt"
-    export CURL_CERT="${CERT_DIR}/admin/cert.crt"
-    export CURL_KEY="${CERT_DIR}/admin/key.key"
+    export CURL_CA_BUNDLE="${MASTER_CONFIG_DIR}/ca.crt"
+    export CURL_CERT="${MASTER_CONFIG_DIR}/admin.crt"
+    export CURL_KEY="${MASTER_CONFIG_DIR}/admin.key"
 fi
 
 # set the home directory so we don't pick up the users .config
-export HOME="${TEMP_DIR}/home"
+export HOME="${FAKE_HOME_DIR}"
 
 wait_for_url "${KUBELET_SCHEME}://${KUBELET_HOST}:${KUBELET_PORT}/healthz" "kubelet: " 0.25 80
 wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/healthz" "apiserver: " 0.25 80
@@ -149,20 +161,20 @@ if [[ "${API_SCHEME}" == "https" ]]; then
 fi
 
 
-osc login --server=${KUBERNETES_MASTER} --certificate-authority="${CERT_DIR}/ca/cert.crt" -u test-user -p anything
+osc login --server=${KUBERNETES_MASTER} --certificate-authority="${MASTER_CONFIG_DIR}/ca.crt" -u test-user -p anything
 osc new-project project-foo --display-name="my project" --description="boring project description"
 [ "$(osc project | grep 'Using project "project-foo"')" ]
 
 
 # test config files from the --config flag
-osc get services --config="${CERT_DIR}/admin/.kubeconfig"
+osc get services --config="${MASTER_CONFIG_DIR}/admin.kubeconfig"
 
 # test config files from env vars
-OPENSHIFTCONFIG="${CERT_DIR}/admin/.kubeconfig" osc get services
+OPENSHIFTCONFIG="${MASTER_CONFIG_DIR}/admin.kubeconfig" osc get services
 
 # test config files in the home directory
 mkdir -p ${HOME}/.config/openshift
-mv ${CERT_DIR}/admin/.kubeconfig ${HOME}/.config/openshift/config
+cp ${MASTER_CONFIG_DIR}/admin.kubeconfig ${HOME}/.config/openshift/config
 osc get services
 mv ${HOME}/.config/openshift/config ${HOME}/.config/openshift/non-default-config
 echo "config files: ok"

hack/test-end-to-end.sh

@@ -45,7 +45,7 @@ if [[ -z "${BASETMPDIR-}" ]]; then
 fi
 ETCD_DATA_DIR="${BASETMPDIR}/etcd"
 VOLUME_DIR="${BASETMPDIR}/volumes"
-CERT_DIR="${BASETMPDIR}/certs"
+FAKE_HOME_DIR="${BASETMPDIR}/openshift.local.home"
 LOG_DIR="${LOG_DIR:-${BASETMPDIR}/logs}"
 ARTIFACT_DIR="${ARTIFACT_DIR:-${BASETMPDIR}/artifacts}"
 mkdir -p $LOG_DIR
@@ -61,6 +61,10 @@ KUBELET_SCHEME="${KUBELET_SCHEME:-https}"
 KUBELET_HOST="${KUBELET_HOST:-127.0.0.1}"
 KUBELET_PORT="${KUBELET_PORT:-10250}"
 
+SERVER_CONFIG_DIR="${BASETMPDIR}/openshift.local.config"
+MASTER_CONFIG_DIR="${SERVER_CONFIG_DIR}/master"
+NODE_CONFIG_DIR="${SERVER_CONFIG_DIR}/node-${KUBELET_HOST}"
+
 # use the docker bridge ip address until there is a good way to get the auto-selected address from master
 # this address is considered stable
 # used as a resolve IP to test routing
@@ -177,7 +181,7 @@ echo "[INFO] `openshift version`"
 echo "[INFO] Server logs will be at:    ${LOG_DIR}/openshift.log"
 echo "[INFO] Test artifacts will be in: ${ARTIFACT_DIR}"
 echo "[INFO] Volumes dir is:            ${VOLUME_DIR}"
-echo "[INFO] Certs dir is:              ${CERT_DIR}"
+echo "[INFO] Config dir is:             ${SERVER_CONFIG_DIR}"
 echo "[INFO] Using images:              ${USE_IMAGES}"
 
 # Start All-in-one server and wait for health
@@ -191,48 +195,57 @@ do
 done <<< "${ALL_IP_ADDRESSES}"
 
 openshift admin create-master-certs \
-  --overwrite=false \
-  --cert-dir="${CERT_DIR}" \
-  --hostnames="${SERVER_HOSTNAME_LIST}" \
-  --master="${MASTER_ADDR}" \
-  --public-master="${API_SCHEME}://${PUBLIC_MASTER_HOST}"
+	--overwrite=false \
+	--cert-dir="${MASTER_CONFIG_DIR}" \
+	--hostnames="${SERVER_HOSTNAME_LIST}" \
+	--master="${MASTER_ADDR}" \
+	--public-master="${API_SCHEME}://${PUBLIC_MASTER_HOST}"
 
 openshift admin create-node-config \
-  --listen="${KUBELET_SCHEME}://0.0.0.0:${KUBELET_PORT}" \
-  --node-dir="${CERT_DIR}/node-${KUBELET_HOST}" \
-  --node="${KUBELET_HOST}" \
-  --hostnames="${KUBELET_HOST}" \
-  --master="${MASTER_ADDR}" \
-  --node-client-certificate-authority="${CERT_DIR}/ca/cert.crt" \
-  --certificate-authority="${CERT_DIR}/ca/cert.crt" \
-  --signer-cert="${CERT_DIR}/ca/cert.crt" \
-  --signer-key="${CERT_DIR}/ca/key.key" \
-  --signer-serial="${CERT_DIR}/ca/serial.txt"
+	--listen="${KUBELET_SCHEME}://0.0.0.0:${KUBELET_PORT}" \
+	--node-dir="${NODE_CONFIG_DIR}" \
+	--node="${KUBELET_HOST}" \
+	--hostnames="${KUBELET_HOST}" \
+	--master="${MASTER_ADDR}" \
+	--node-client-certificate-authority="${MASTER_CONFIG_DIR}/ca.crt" \
+	--certificate-authority="${MASTER_CONFIG_DIR}/ca.crt" \
+	--signer-cert="${MASTER_CONFIG_DIR}/ca.crt" \
+	--signer-key="${MASTER_CONFIG_DIR}/ca.key" \
+	--signer-serial="${MASTER_CONFIG_DIR}/ca.serial.txt"
+
+osadm create-bootstrap-policy-file --filename="${MASTER_CONFIG_DIR}/policy.json"
+
+# create openshift config
+openshift start \
+	--write-config=${SERVER_CONFIG_DIR} \
+	--create-certs=false \
+    --listen="${API_SCHEME}://0.0.0.0:${API_PORT}" \
+    --master="${MASTER_ADDR}" \
+    --public-master="${API_SCHEME}://${PUBLIC_MASTER_HOST}" \
+    --hostname="${KUBELET_HOST}" \
+    --volume-dir="${VOLUME_DIR}" \
+    --etcd-dir="${ETCD_DATA_DIR}" \
+    --images="${USE_IMAGES}"
+
 
 echo "[INFO] Starting OpenShift server"
 sudo env "PATH=${PATH}" OPENSHIFT_PROFILE=web OPENSHIFT_ON_PANIC=crash openshift start \
-     --listen="${API_SCHEME}://0.0.0.0:${API_PORT}" \
-     --master="${MASTER_ADDR}" \
-     --public-master="${API_SCHEME}://${PUBLIC_MASTER_HOST}" \
-     --hostname="${KUBELET_HOST}" \
-     --volume-dir="${VOLUME_DIR}" \
-     --etcd-dir="${ETCD_DATA_DIR}" \
-     --cert-dir="${CERT_DIR}" \
-     --loglevel=4 \
-     --images="${USE_IMAGES}" \
-     --create-certs=false \
-     &> "${LOG_DIR}/openshift.log" &
+	--master-config=${MASTER_CONFIG_DIR}/master-config.yaml \
+	--node-config=${NODE_CONFIG_DIR}/node-config.yaml \
+    --loglevel=4 \
+    &> "${LOG_DIR}/openshift.log" &
 OS_PID=$!
+
+export HOME="${FAKE_HOME_DIR}"
 
 if [[ "${API_SCHEME}" == "https" ]]; then
-	export CURL_CA_BUNDLE="${CERT_DIR}/ca/cert.crt"
-	export CURL_CERT="${CERT_DIR}/admin/cert.crt"
-	export CURL_KEY="${CERT_DIR}/admin/key.key"
-
-	# Make osc use ${CERT_DIR}/admin/.kubeconfig, and ignore anything in the running user's $HOME dir
-	export HOME="${CERT_DIR}/admin"
-	sudo chmod -R a+rwX "${HOME}"
-	export OPENSHIFTCONFIG="${CERT_DIR}/admin/.kubeconfig"
+	export CURL_CA_BUNDLE="${MASTER_CONFIG_DIR}/ca.crt"
+	export CURL_CERT="${MASTER_CONFIG_DIR}/admin.crt"
+	export CURL_KEY="${MASTER_CONFIG_DIR}/admin.key"
+
+	# Make osc use ${MASTER_CONFIG_DIR}/admin.kubeconfig, and ignore anything in the running user's $HOME dir
+	export OPENSHIFTCONFIG="${MASTER_CONFIG_DIR}/admin.kubeconfig"
+	sudo chmod -R a+rwX "${OPENSHIFTCONFIG}"
 	echo "[INFO] To debug: export OPENSHIFTCONFIG=$OPENSHIFTCONFIG"
 fi
 
@@ -253,12 +266,12 @@ echo "Log in as 'e2e-user' to see the 'test' project."
 
 # install the router
 echo "[INFO] Installing the router"
-openshift admin router --create --credentials="${CERT_DIR}/openshift-router/.kubeconfig" --images="${USE_IMAGES}"
+openshift admin router --create --credentials="${MASTER_CONFIG_DIR}/openshift-router.kubeconfig" --images="${USE_IMAGES}"
 
 # install the registry. The --mount-host option is provided to reuse local storage.
 echo "[INFO] Installing the registry"
 # TODO: add --images="${USE_IMAGES}" when the Docker registry is built alongside OpenShift
-openshift admin registry --create --credentials="${CERT_DIR}/openshift-registry/.kubeconfig" --mount-host="/tmp/openshift.local.registry" --images='openshift/origin-${component}:latest'
+openshift admin registry --create --credentials="${MASTER_CONFIG_DIR}/openshift-registry.kubeconfig" --mount-host="/tmp/openshift.local.registry" --images='openshift/origin-${component}:latest'
 
 echo "[INFO] Pre-pulling and pushing ruby-20-centos7"
 docker pull openshift/ruby-20-centos7:latest