diff --git a/docs/man/man1/oadm-ipfailover.1 b/docs/man/man1/oadm-ipfailover.1
index 3529eed59487..aef3ab898f2d 100644
--- a/docs/man/man1/oadm-ipfailover.1
+++ b/docs/man/man1/oadm-ipfailover.1
@@ -35,10 +35,6 @@ If an IP failover configuration does not exist with the given name, the \-\-crea
 \fB\-\-create\fP=false
 If true, create the configuration if it does not exist.
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.
-
 .PP
 \fB\-\-dry\-run\fP=false
 If true, show the result of the operation without performing it.
diff --git a/docs/man/man1/oadm-registry.1 b/docs/man/man1/oadm-registry.1
index 37c690caad9f..ec758143acc4 100644
--- a/docs/man/man1/oadm-registry.1
+++ b/docs/man/man1/oadm-registry.1
@@ -33,10 +33,6 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-create\fP=false
 deprecated; this is now the default behavior
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the registry should use to contact the master.
-
 .PP
 \fB\-\-daemonset\fP=false
 If true, use a daemonset instead of a deployment config.
diff --git a/docs/man/man1/oadm-router.1 b/docs/man/man1/oadm-router.1
index 2347259a37f4..a31cbde61530 100644
--- a/docs/man/man1/oadm-router.1
+++ b/docs/man/man1/oadm-router.1
@@ -27,10 +27,6 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-create\fP=false
 deprecated; this is now the default behavior
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.
-
 .PP
 \fB\-\-default\-cert\fP=""
 Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.
diff --git a/docs/man/man1/oc-adm-ipfailover.1 b/docs/man/man1/oc-adm-ipfailover.1
index 7fa6009d3fc0..569fb0a59b51 100644
--- a/docs/man/man1/oc-adm-ipfailover.1
+++ b/docs/man/man1/oc-adm-ipfailover.1
@@ -35,10 +35,6 @@ If an IP failover configuration does not exist with the given name, the \-\-crea
 \fB\-\-create\fP=false
 If true, create the configuration if it does not exist.
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.
-
 .PP
 \fB\-\-dry\-run\fP=false
 If true, show the result of the operation without performing it.
diff --git a/docs/man/man1/oc-adm-registry.1 b/docs/man/man1/oc-adm-registry.1
index b038bf7f26ab..e727b140ba26 100644
--- a/docs/man/man1/oc-adm-registry.1
+++ b/docs/man/man1/oc-adm-registry.1
@@ -33,10 +33,6 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-create\fP=false
 deprecated; this is now the default behavior
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the registry should use to contact the master.
-
 .PP
 \fB\-\-daemonset\fP=false
 If true, use a daemonset instead of a deployment config.
diff --git a/docs/man/man1/oc-adm-router.1 b/docs/man/man1/oc-adm-router.1
index ccfa5cad1d25..0157e990b9c0 100644
--- a/docs/man/man1/oc-adm-router.1
+++ b/docs/man/man1/oc-adm-router.1
@@ -27,10 +27,6 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-create\fP=false
 deprecated; this is now the default behavior
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.
-
 .PP
 \fB\-\-default\-cert\fP=""
 Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.
diff --git a/docs/man/man1/openshift-admin-ipfailover.1 b/docs/man/man1/openshift-admin-ipfailover.1
index 9583d5eba78a..166499233e34 100644
--- a/docs/man/man1/openshift-admin-ipfailover.1
+++ b/docs/man/man1/openshift-admin-ipfailover.1
@@ -35,10 +35,6 @@ If an IP failover configuration does not exist with the given name, the \-\-crea
 \fB\-\-create\fP=false
 If true, create the configuration if it does not exist.
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.
-
 .PP
 \fB\-\-dry\-run\fP=false
 If true, show the result of the operation without performing it.
diff --git a/docs/man/man1/openshift-admin-registry.1 b/docs/man/man1/openshift-admin-registry.1
index 061ee92fe622..59a188a7751e 100644
--- a/docs/man/man1/openshift-admin-registry.1
+++ b/docs/man/man1/openshift-admin-registry.1
@@ -33,10 +33,6 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-create\fP=false
 deprecated; this is now the default behavior
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the registry should use to contact the master.
-
 .PP
 \fB\-\-daemonset\fP=false
 If true, use a daemonset instead of a deployment config.
diff --git a/docs/man/man1/openshift-admin-router.1 b/docs/man/man1/openshift-admin-router.1
index 3b9417014e18..15a1911b436f 100644
--- a/docs/man/man1/openshift-admin-router.1
+++ b/docs/man/man1/openshift-admin-router.1
@@ -27,10 +27,6 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-create\fP=false
 deprecated; this is now the default behavior
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.
-
 .PP
 \fB\-\-default\-cert\fP=""
 Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.
diff --git a/docs/man/man1/openshift-cli-adm-ipfailover.1 b/docs/man/man1/openshift-cli-adm-ipfailover.1
index 82d0636e0a35..1eb0a912125d 100644
--- a/docs/man/man1/openshift-cli-adm-ipfailover.1
+++ b/docs/man/man1/openshift-cli-adm-ipfailover.1
@@ -35,10 +35,6 @@ If an IP failover configuration does not exist with the given name, the \-\-crea
 \fB\-\-create\fP=false
 If true, create the configuration if it does not exist.
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.
-
 .PP
 \fB\-\-dry\-run\fP=false
 If true, show the result of the operation without performing it.
diff --git a/docs/man/man1/openshift-cli-adm-registry.1 b/docs/man/man1/openshift-cli-adm-registry.1
index 32a9ce6fc60c..44e273f1cb68 100644
--- a/docs/man/man1/openshift-cli-adm-registry.1
+++ b/docs/man/man1/openshift-cli-adm-registry.1
@@ -33,10 +33,6 @@ NOTE: This command is intended to simplify the tasks of setting up a Docker regi
 \fB\-\-create\fP=false
 deprecated; this is now the default behavior
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the registry should use to contact the master.
-
 .PP
 \fB\-\-daemonset\fP=false
 If true, use a daemonset instead of a deployment config.
diff --git a/docs/man/man1/openshift-cli-adm-router.1 b/docs/man/man1/openshift-cli-adm-router.1
index 634c99db5f7e..275b891b0c4f 100644
--- a/docs/man/man1/openshift-cli-adm-router.1
+++ b/docs/man/man1/openshift-cli-adm-router.1
@@ -27,10 +27,6 @@ If a router does not exist with the given name, this command will create a deplo
 \fB\-\-create\fP=false
 deprecated; this is now the default behavior
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.
-
 .PP
 \fB\-\-default\-cert\fP=""
 Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.
diff --git a/docs/man/man1/openshift-ex-ipfailover.1 b/docs/man/man1/openshift-ex-ipfailover.1
index 9f4bca49438b..a2cdf8d3a89e 100644
--- a/docs/man/man1/openshift-ex-ipfailover.1
+++ b/docs/man/man1/openshift-ex-ipfailover.1
@@ -35,10 +35,6 @@ If an IP failover configuration does not exist with the given name, the \-\-crea
 \fB\-\-create\fP=false
 If true, create the configuration if it does not exist.
-.PP
-\fB\-\-credentials\fP=""
- Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.
-
 .PP
 \fB\-\-dry\-run\fP=false
 If true, show the result of the operation without performing it.
diff --git a/docs/proposals/ha-configuration.md b/docs/proposals/ha-configuration.md
index 2ea8bcc126a5..a899ba0bd072 100644
--- a/docs/proposals/ha-configuration.md
+++ b/docs/proposals/ha-configuration.md
@@ -57,7 +57,6 @@ ability to setup a high availability configuration on a selection of nodes.
 = One or more of:
 --type=keepalived # For now, always keepalived.
 --create
- --credentials=
 --no-headers=
 -o|--output=
 --output-version=
@@ -69,9 +68,6 @@ ability to setup a high availability configuration on a selection of nodes.
 -i|--interface=
 -w|--watch-port=
 -u|--unicast # optional for now - add support later.
- = - Path to .kubeconfig file containing
- the credentials to use to contact
- the master.
 = true|false - When using default output, whether or not to print headers.
 = Output format.
@@ -169,14 +165,12 @@ example shown below.
 $ # Note: This step can also be performed after starting the
 $ # target or monitored service (in this example the
 $ # HAProxy router below).
- $ openshift admin ha-config --credentials="${KUBECONFIG}" \
- --virtual-ips=10.1.1.100-104 \
+ $ openshift admin ha-config --virtual-ips=10.1.1.100-104 \
 --selector="hac=router-west" \
 --watch-port=80 --create
 $ # Finally, start up the router using the same selector.
- openshift admin router --credentials="${KUBECONFIG}" \
- --selector="hac=router-west" --create
+ openshift admin router --selector="hac=router-west" --create
 ## Exclusions
diff --git a/pkg/bootstrap/docker/openshift/admin.go b/pkg/bootstrap/docker/openshift/admin.go
index 449311a48d70..b25a76aeeb98 100644
--- a/pkg/bootstrap/docker/openshift/admin.go
+++ b/pkg/bootstrap/docker/openshift/admin.go
@@ -9,7 +9,6 @@ import (
 "path/filepath"
 "github.com/golang/glog"
- "github.com/openshift/origin/pkg/cmd/util/clientcmd"
 kapi "k8s.io/kubernetes/pkg/api"
 apierrors "k8s.io/kubernetes/pkg/api/errors"
 kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
@@ -21,6 +20,7 @@ import (
 "github.com/openshift/origin/pkg/cmd/admin/registry"
 "github.com/openshift/origin/pkg/cmd/admin/router"
 "github.com/openshift/origin/pkg/cmd/server/admin"
+ "github.com/openshift/origin/pkg/cmd/util/clientcmd"
 "github.com/openshift/origin/pkg/cmd/util/variable"
 )
@@ -151,7 +151,6 @@ func (h *Helper) InstallRouter(kubeClient kclientset.Interface, f *clientcmd.Fac
 Ports: "80:80,443:443",
 Replicas: 1,
 Labels: "router=",
- Credentials: filepath.Join(masterDir, "admin.kubeconfig"),
 DefaultCertificate: filepath.Join(masterDir, "router.pem"),
 StatsPort: 1936,
 StatsUsername: "admin",
diff --git a/pkg/cmd/admin/registry/registry.go b/pkg/cmd/admin/registry/registry.go
index 889e68bc5793..ab0bd309e8ab 100644
--- a/pkg/cmd/admin/registry/registry.go
+++ b/pkg/cmd/admin/registry/registry.go
@@ -17,8 +17,6 @@ import (
 "k8s.io/kubernetes/pkg/api/resource"
 "k8s.io/kubernetes/pkg/apis/extensions"
 kcoreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
- "k8s.io/kubernetes/pkg/client/restclient"
- kclientcmd "k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
 kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 "k8s.io/kubernetes/pkg/runtime"
 "k8s.io/kubernetes/pkg/util/intstr"
@@ -105,7 +103,6 @@ type RegistryConfig struct {
 Volume string
 HostMount string
 DryRun bool
- Credentials string
 Selector string
 ServiceAccount string
 DaemonSet bool
@@ -180,7 +177,6 @@ func NewCmdRegistry(f *clientcmd.Factory, parentName, name string, out, errout i
 cmd.Flags().StringVar(&cfg.Volume, "volume", cfg.Volume, "The volume path to use for registry storage; defaults to /registry which is the default for origin-docker-registry.")
 cmd.Flags().StringVar(&cfg.HostMount, "mount-host", cfg.HostMount, "If set, the registry volume will be created as a host-mount at this path.")
 cmd.Flags().Bool("create", false, "deprecated; this is now the default behavior")
- cmd.Flags().StringVar(&cfg.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the registry should use to contact the master.")
 cmd.Flags().StringVar(&cfg.ServiceAccount, "service-account", cfg.ServiceAccount, "Name of the service account to use to run the registry pod.")
 cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run registries on a specific set of nodes.")
 cmd.Flags().StringVar(&cfg.ServingCertPath, "tls-certificate", cfg.ServingCertPath, "An optional path to a PEM encoded certificate (which may contain the private key) for serving over TLS")
@@ -188,12 +184,6 @@ func NewCmdRegistry(f *clientcmd.Factory, parentName, name string, out, errout i
 cmd.Flags().BoolVar(&cfg.DaemonSet, "daemonset", cfg.DaemonSet, "If true, use a daemonset instead of a deployment config.")
 cmd.Flags().BoolVar(&cfg.EnforceQuota, "enforce-quota", cfg.EnforceQuota, "If true, the registry will refuse to write blobs if they exceed quota limits")
- // autocompletion hints
- cmd.MarkFlagFilename("credentials", "kubeconfig")
-
- // Deprecate credentials
- cmd.Flags().MarkDeprecated("credentials", "use --service-account to specify the service account the registry will use to make API calls")
-
 cfg.Action.BindForOutput(cmd.Flags())
 cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
@@ -294,37 +284,10 @@ func (opts *RegistryOptions) RunCmdRegistry() error {
 // create new registry
 secretEnv := app.Environment{}
- switch {
- case len(opts.Config.ServiceAccount) == 0 && len(opts.Config.Credentials) == 0:
- return fmt.Errorf("registry could not be created; a service account or the path to a .kubeconfig file must be provided")
- case len(opts.Config.Credentials) > 0:
- clientConfigLoadingRules := &kclientcmd.ClientConfigLoadingRules{ExplicitPath: opts.Config.Credentials}
- credentials, err := clientConfigLoadingRules.Load()
- if err != nil {
- return fmt.Errorf("registry does not exist; the provided credentials %q could not be loaded: %v", opts.Config.Credentials, err)
- }
- config, err := kclientcmd.NewDefaultClientConfig(*credentials, &kclientcmd.ConfigOverrides{}).ClientConfig()
- if err != nil {
- return fmt.Errorf("registry does not exist; the provided credentials %q could not be used: %v", opts.Config.Credentials, err)
- }
- if err := restclient.LoadTLSFiles(config); err != nil {
- return fmt.Errorf("registry does not exist; the provided credentials %q could not load certificate info: %v", opts.Config.Credentials, err)
- }
- if !config.Insecure && (len(config.KeyData) == 0 || len(config.CertData) == 0) {
- return fmt.Errorf("registry does not exist; the provided credentials %q are missing the client certificate and/or key", opts.Config.Credentials)
- }
-
- secretEnv = app.Environment{
- "OPENSHIFT_MASTER": config.Host,
- "OPENSHIFT_CA_DATA": string(config.CAData),
- "OPENSHIFT_KEY_DATA": string(config.KeyData),
- "OPENSHIFT_CERT_DATA": string(config.CertData),
- "OPENSHIFT_INSECURE": fmt.Sprintf("%t", config.Insecure),
- }
+ if len(opts.Config.ServiceAccount) == 0 {
+ return fmt.Errorf("registry could not be created; a service account must be provided")
 }
- needServiceAccountRole := len(opts.Config.ServiceAccount) > 0 && len(opts.Config.Credentials) == 0
-
 var servingCert, servingKey []byte
 if len(opts.Config.ServingCertPath) > 0 {
 data, err
:= ioutil.ReadFile(opts.Config.ServingCertPath)
@@ -405,25 +368,24 @@ func (opts *RegistryOptions) RunCmdRegistry() error {
 for _, s := range secrets {
 objects = append(objects, s)
 }
- if needServiceAccountRole {
- objects = append(objects,
- &kapi.ServiceAccount{ObjectMeta: kapi.ObjectMeta{Name: opts.Config.ServiceAccount}},
- &authapi.ClusterRoleBinding{
- ObjectMeta: kapi.ObjectMeta{Name: fmt.Sprintf("registry-%s-role", opts.Config.Name)},
- Subjects: []kapi.ObjectReference{
- {
- Kind: "ServiceAccount",
- Name: opts.Config.ServiceAccount,
- Namespace: opts.namespace,
- },
- },
- RoleRef: kapi.ObjectReference{
- Kind: "ClusterRole",
- Name: "system:registry",
+
+ objects = append(objects,
+ &kapi.ServiceAccount{ObjectMeta: kapi.ObjectMeta{Name: opts.Config.ServiceAccount}},
+ &authapi.ClusterRoleBinding{
+ ObjectMeta: kapi.ObjectMeta{Name: fmt.Sprintf("registry-%s-role", opts.Config.Name)},
+ Subjects: []kapi.ObjectReference{
+ {
+ Kind: "ServiceAccount",
+ Name: opts.Config.ServiceAccount,
+ Namespace: opts.namespace,
 },
 },
- )
- }
+ RoleRef: kapi.ObjectReference{
+ Kind: "ClusterRole",
+ Name: "system:registry",
+ },
+ },
+ )
 if opts.Config.DaemonSet {
 objects = append(objects, &extensions.DaemonSet{
diff --git a/pkg/cmd/admin/router/router.go b/pkg/cmd/admin/router/router.go
index f025f364c2fc..6eaae1af46d8 100644
--- a/pkg/cmd/admin/router/router.go
+++ b/pkg/cmd/admin/router/router.go
@@ -17,8 +17,6 @@ import (
 "k8s.io/kubernetes/pkg/api/errors"
 "k8s.io/kubernetes/pkg/api/resource"
 kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
- "k8s.io/kubernetes/pkg/client/restclient"
- kclientcmd "k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
 kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 "k8s.io/kubernetes/pkg/runtime"
 "k8s.io/kubernetes/pkg/serviceaccount"
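Review bot: `secretEnv := app.Environment{}` at the top of the hunk is left without a writer in view: the removed `case len(opts.Config.Credentials) > 0` branch was the only code that assigned it, so unless something after the hunk still populates it, the variable and whatever secret or env entries are derived from it are now dead and should either go or get a comment naming what still feeds it. The same leftover appears in the `RunCmdRouter` hunk of pkg/cmd/admin/router/router.go, where the `secretEnv.Add(...)` call was removed. The new guard is correct, but since `--service-account` is now the only way to satisfy it the message could name the flag as the router version does: `return fmt.Errorf("registry could not be created; a service account must be provided with --service-account")`. RunCmdRegistry continues outside the hunk.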
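Review bot: With `needServiceAccountRole` gone, the ServiceAccount and the `system:registry` ClusterRoleBinding are appended on every run, so a re-run against a namespace where they already exist (or where an admin created the SA by hand, as the old test did) now always attempts to create them; the router side of this commit downgrades such errors through `levelPrefixFilter`/`ignoreError`, but no equivalent is visible in the registry hunks, so it is worth confirming that a pre-existing SA/RB is tolerated here rather than failing the command. The blank `+` line before `objects = append(objects,` would carry more as a short comment, e.g. `// the registry always runs as a service account bound to the system:registry cluster role`. RunCmdRegistry continues outside the hunk.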
@@ -131,10 +129,6 @@ type RouterConfig struct {
 // SecretsAsEnv sets the credentials as env vars, instead of secrets.
 SecretsAsEnv bool
- // Credentials specifies the path to a .kubeconfig file with the credentials
- // with which the router may contact the master.
- Credentials string
-
 // DefaultCertificate holds the certificate that will be used if no more
 // specific certificate is found. This is typically a wildcard certificate.
 DefaultCertificate string
@@ -284,7 +278,6 @@ func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out, errout io.
 cmd.Flags().StringVar(&cfg.Labels, "labels", cfg.Labels, "A set of labels to uniquely identify the router and its components.")
 cmd.Flags().BoolVar(&cfg.SecretsAsEnv, "secrets-as-env", cfg.SecretsAsEnv, "If true, use environment variables for master secrets.")
 cmd.Flags().Bool("create", false, "deprecated; this is now the default behavior")
- cmd.Flags().StringVar(&cfg.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.")
 cmd.Flags().StringVar(&cfg.DefaultCertificate, "default-cert", cfg.DefaultCertificate, "Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate.")
 cmd.Flags().StringVar(&cfg.Selector, "selector", cfg.Selector, "Selector used to filter nodes on deployment. Used to run routers on a specific set of nodes.")
 cmd.Flags().StringVar(&cfg.ServiceAccount, "service-account", cfg.ServiceAccount, "Name of the service account to use to run the router pod.")
@@ -307,12 +300,6 @@ func NewCmdRouter(f *clientcmd.Factory, parentName, name string, out, errout io.
 cmd.Flags().StringVar(&cfg.ExternalHostPartitionPath, "external-host-partition-path", cfg.ExternalHostPartitionPath, "If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.")
 cmd.Flags().BoolVar(&cfg.DisableNamespaceOwnershipCheck, "disable-namespace-ownership-check", cfg.DisableNamespaceOwnershipCheck, "Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.")
- cmd.MarkFlagFilename("credentials", "kubeconfig")
- cmd.Flags().MarkDeprecated("credentials", "use --service-account to specify the service account the router will use to make API calls")
-
- // Deprecate credentials
- cmd.Flags().MarkDeprecated("credentials", "use --service-account to specify the service account the router will use to make API calls")
-
 cfg.Action.BindForOutput(cmd.Flags())
 cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
@@ -619,35 +606,9 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 // create new router
 secretEnv := app.Environment{}
- switch {
- case len(cfg.Credentials) == 0 && len(cfg.ServiceAccount) == 0:
- return fmt.Errorf("router could not be created; you must specify a service account with --service-account, or a .kubeconfig file path containing credentials for connecting the router to the master with --credentials")
- case len(cfg.Credentials) > 0:
- clientConfigLoadingRules := &kclientcmd.ClientConfigLoadingRules{ExplicitPath: cfg.Credentials, Precedence: []string{}}
- credentials, err := clientConfigLoadingRules.Load()
- if err != nil {
- return fmt.Errorf("router could not be created; the provided credentials %q could not be loaded: %v", cfg.Credentials, err)
- }
- config, err := kclientcmd.NewDefaultClientConfig(*credentials, &kclientcmd.ConfigOverrides{}).ClientConfig()
- if err != nil {
- return fmt.Errorf("router could not be created; the provided credentials %q could not be used: %v", cfg.Credentials, err)
- }
- if err := restclient.LoadTLSFiles(config); err != nil {
- return fmt.Errorf("router could not be created; the provided credentials %q could not load certificate info: %v", cfg.Credentials, err)
- }
- insecure := "false"
- if config.Insecure {
- insecure = "true"
- }
- secretEnv.Add(app.Environment{
- "OPENSHIFT_MASTER": config.Host,
- "OPENSHIFT_CA_DATA": string(config.CAData),
- "OPENSHIFT_KEY_DATA": string(config.KeyData),
- "OPENSHIFT_CERT_DATA": string(config.CertData),
- "OPENSHIFT_INSECURE": insecure,
- })
+ if len(cfg.ServiceAccount) == 0 {
+ return fmt.Errorf("router could not be created; you must specify a service account with --service-account")
 }
- createServiceAccount := len(cfg.ServiceAccount) > 0 && len(cfg.Credentials) == 0
 defaultCert, err := fileutil.LoadData(cfg.DefaultCertificate)
 if err != nil {
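Review bot: The new guard `if len(cfg.ServiceAccount) == 0` makes a service account mandatory for every caller of RunCmdRouter, not only the CLI; the `InstallRouter` literal in pkg/bootstrap/docker/openshift/admin.go earlier in this diff only drops `Credentials`, and whether it sets `ServiceAccount` lies outside its hunk, so that bootstrap path should be checked or it will now fail at this line. If a default service-account name is meant to apply there, it belongs in the config defaults rather than in a relaxed guard. RunCmdRouter starts and ends outside the hunk.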
@@ -752,25 +713,25 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 for _, s := range secrets {
 objects = append(objects, s)
 }
- if createServiceAccount {
- objects = append(objects,
- &kapi.ServiceAccount{ObjectMeta: kapi.ObjectMeta{Name: cfg.ServiceAccount}},
- &authapi.ClusterRoleBinding{
- ObjectMeta: kapi.ObjectMeta{Name: generateRoleBindingName(cfg.Name)},
- Subjects: []kapi.ObjectReference{
- {
- Kind: "ServiceAccount",
- Name: cfg.ServiceAccount,
- Namespace: namespace,
- },
- },
- RoleRef: kapi.ObjectReference{
- Kind: "ClusterRole",
- Name: "system:router",
+
+ objects = append(objects,
+ &kapi.ServiceAccount{ObjectMeta: kapi.ObjectMeta{Name: cfg.ServiceAccount}},
+ &authapi.ClusterRoleBinding{
+ ObjectMeta: kapi.ObjectMeta{Name: generateRoleBindingName(cfg.Name)},
+ Subjects: []kapi.ObjectReference{
+ {
+ Kind: "ServiceAccount",
+ Name: cfg.ServiceAccount,
+ Namespace: namespace,
 },
 },
- )
- }
+ RoleRef: kapi.ObjectReference{
+ Kind: "ClusterRole",
+ Name: "system:router",
+ },
+ },
+ )
+
 objects = append(objects, &deployapi.DeploymentConfig{
 ObjectMeta: kapi.ObjectMeta{
 Name: name,
@@ -835,8 +796,8 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write
 }
 levelPrefixFilter := func(e error) string {
- // only ignore SA/RB errors if we were creating the service account
- if createServiceAccount && ignoreError(e, cfg.ServiceAccount, generateRoleBindingName(cfg.Name)) {
+ // ignore SA/RB errors if we were creating the service account
+ if ign

oreError(e, cfg.ServiceAccount, generateRoleBindingName(cfg.Name)) {
 return "warning"
 }
 return "error"
diff --git a/pkg/cmd/experimental/ipfailover/ipfailover.go b/pkg/cmd/experimental/ipfailover/ipfailover.go
index bc5dcd2c7f33..5d29cd10ab67 100644
--- a/pkg/cmd/experimental/ipfailover/ipfailover.go
+++ b/pkg/cmd/experimental/ipfailover/ipfailover.go
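Review bot: The rewritten comment `// ignore SA/RB errors if we were creating the service account` keeps the old conditional wording although the condition was removed and the SA/RB are now created on every run; reword it to `// the service account and role binding are always created above; the errors ignoreError accepts for them are downgraded to warnings`. Because the ClusterRoleBinding to `system:router` is now unconditional and its failures become warnings, a caller without permission to create that binding would end up with a router whose service account never received its role, reported only as a warning — acceptable only if `ignoreError` (outside the hunk) matches nothing beyond already-exists errors, which is worth confirming. The same unconditional append appears in the `RunCmdRegistry` objects hunk of pkg/cmd/admin/registry/registry.go.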
@@ -92,7 +92,6 @@ func NewCmdIPFailoverConfig(f *clientcmd.Factory, parentName, name string, out,
 cmd.Flags().StringVar(&options.ImageTemplate.Format, "images", options.ImageTemplate.Format, "The image to base this IP failover configurator on - ${component} will be replaced based on --type.")
 cmd.Flags().BoolVar(&options.ImageTemplate.Latest, "latest-images", options.ImageTemplate.Latest, "If true, attempt to use the latest images instead of the current release")
 cmd.Flags().StringVarP(&options.Selector, "selector", "l", options.Selector, "Selector (label query) to filter nodes on.")
- cmd.Flags().StringVar(&options.Credentials, "credentials", "", "Path to a .kubeconfig file that will contain the credentials the router should use to contact the master.")
 cmd.Flags().StringVar(&options.ServiceAccount, "service-account", options.ServiceAccount, "Name of the service account to use to run the ipfailover pod.")
 cmd.Flags().BoolVar(&options.Create, "create", options.Create, "If true, create the configuration if it does not exist.")
@@ -108,10 +107,6 @@ func NewCmdIPFailoverConfig(f *clientcmd.Factory, parentName, name string, out,
 cmd.Flags().IntVar(&options.VRRPIDOffset, "vrrp-id-offset", options.VRRPIDOffset, "Offset to use for setting ids of VRRP instances (default offset is 0). This allows multiple ipfailover instances to run within the same cluster.")
 cmd.Flags().Int32VarP(&options.Replicas, "replicas", "r", options.Replicas, "The replication factor of this IP failover configuration; commonly 2 when high availability is desired. Please ensure this matches the number of nodes that satisfy the selector (or default selector) specified.")
- // autocompletion hints
- cmd.MarkFlagFilename("credentials", "kubeconfig")
- cmd.Flags().MarkDeprecated("credentials", "use --service-account to specify the service account the ipfailover pod will use to make API calls")
-
 options.Action.BindForOutput(cmd.Flags())
 cmd.Flags().String("output-version", "", "The preferred API versions of the output objects")
diff --git a/pkg/ipfailover/keepalived/generator.go b/pkg/ipfailover/keepalived/generator.go
index 1d88beaea306..adb91459a579 100644
--- a/pkg/ipfailover/keepalived/generator.go
+++ b/pkg/ipfailover/keepalived/generator.go
@@ -5,8 +5,6 @@ import (
 "strconv"
 kapi "k8s.io/kubernetes/pkg/api"
- "k8s.io/kubernetes/pkg/client/restclient"
- kclientcmd "k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
 dapi "github.com/openshift/origin/pkg/deploy/api"
 "github.com/openshift/origin/pkg/generate/app"
@@ -17,50 +15,14 @@ const defaultInterface = "eth0"
 const libModulesVolumeName = "lib-modules"
 const libModulesPath = "/lib/modules"
-// Get kube client configuration from a file containing credentials for
-// connecting to the master.
-func getClientConfig(path string) (*restclient.Config, error) {
- if 0 == len(path) {
- return nil, nil
- }
-
- rules := &kclientcmd.ClientConfigLoadingRules{ExplicitPath: path, Precedence: []string{}}
- credentials, err := rules.Load()
- if err != nil {
- return nil, fmt.Errorf("Could not load credentials from %q: %v", path, err)
- }
-
- config, err := kclientcmd.NewDefaultClientConfig(*credentials, &kclientcmd.ConfigOverrides{}).ClientConfig()
- if err != nil {
- return nil, fmt.Errorf("Credentials %q error: %v", path, err)
- }
-
- if err = restclient.LoadTLSFiles(config); err != nil {
- return nil, fmt.Errorf("Unable to load certificate info using credentials from %q: %v", path, err)
- }
-
- return config, nil
-}
-
 // Generate the IP failover monitor (keepalived) container environment entries.
-func generateEnvEntries(name string, options *ipfailover.IPFailoverConfigCmdOptions, kconfig *restclient.Config) app.Environment {
+func generateEnvEntries(name string, options *ipfailover.IPFailoverConfigCmdOptions) app.Environment {
 watchPort := strconv.Itoa(options.WatchPort)
 replicas := strconv.FormatInt(int64(options.Replicas), 10)
 interval := strconv.Itoa(options.CheckInterval)
 VRRPIDOffset := strconv.Itoa(options.VRRPIDOffset)
 env := app.Environment{}
- if kconfig != nil {
- insecureStr := strconv.FormatBool(kconfig.Insecure)
- env.Add(app.Environment{
- "OPENSHIFT_MASTER": kconfig.Host,
- "OPENSHIFT_CA_DATA": string(kconfig.CAData),
- "OPENSHIFT_KEY_DATA": string(kconfig.KeyData),
- "OPENSHIFT_CERT_DATA": string(kconfig.CertData),
- "OPENSHIFT_INSECURE": insecureStr,
- })
-
- }
 env.Add(app.Environment{
 "OPENSHIFT_HA_CONFIG_NAME": name,
@@ -133,12 +95,7 @@ func generateContainerConfig(name string, options *ipfailover.IPFailoverConfigCm
 return containers, nil
 }
- config, err := getClientConfig(options.Credentials)
- if err != nil {
- return containers, err
- }
-
- env := generateEnvEntries(name, options, config)
+ env := generateEnvEntries(name, options)
 c := generateFailoverMonitorContainerConfig(name, options, env)
 if c != nil {
diff --git a/pkg/ipfailover/types.go b/pkg/ipfailover/types.go
index 59a81a1c5dfd..501e9606c606 100644
--- a/pkg/ipfailover/types.go
+++ b/pkg/ipfailover/types.go
@@ -39,7 +39,6 @@ type IPFailoverConfigCmdOptions struct {
 Type string
 ImageTemplate variable.ImageTemplate
- Credentials string
 ServicePort int
 Selector string
 Create bool
diff --git a/test/cmd/admin.sh b/test/cmd/admin.sh
index 95e6b7246081..a4e905bb965d 100755
--- a/test/cmd/admin.sh
+++ b/test/cmd/admin.sh
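Review bot: Removing the `getClientConfig` call drops the only error path in view that checked how the keepalived pod would reach the master, and nothing in the ipfailover hunks replaces it: the registry and router commands in this same commit add an explicit empty-`ServiceAccount` guard, but `NewCmdIPFailoverConfig` still accepts an empty `--service-account` as far as these hunks show, so the generated pod could end up with neither a kubeconfig nor a service account and fail only at runtime. If the same requirement holds for ipfailover, add the guard where the options are validated (outside this hunk), e.g. `if len(options.ServiceAccount) == 0 { return fmt.Errorf("ipfailover could not be created; a service account must be provided with --service-account") }`. generateContainerConfig starts outside the hunk.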
@@ -307,11 +307,9 @@ os::test::junit::declare_suite_end
 os::test::junit::declare_suite_start "cmd/admin/router"
 # Test running a router
 os::cmd::expect_failure_and_text 'oadm router --dry-run' 'does not exist'
-encoded_json='{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"router"}}'
-os::cmd::expect_success "echo '${encoded_json}' | oc create -f - -n default"
 os::cmd::expect_success "oadm policy add-scc-to-user privileged system:serviceaccount:default:router"
-os::cmd::expect_success_and_text "oadm router -o yaml --credentials=${KUBECONFIG} --service-account=router -n default" 'image:.*\-haproxy\-router:'
-os::cmd::expect_success "oadm router --credentials=${KUBECONFIG} --images='${USE_IMAGES}' --service-account=router -n default"
+os::cmd::expect_success_and_text "oadm router -o yaml --service-account=router -n default" 'image:.*\-haproxy\-router:'
+os::cmd::expect_success "oadm router --images='${USE_IMAGES}' --service-account=router -n default"
 os::cmd::expect_success_and_text 'oadm router -n default' 'service exists'
 os::cmd::expect_success_and_text 'oc get dc/router -o yaml -n default' 'readinessProbe'
 echo "router: ok"
@@ -326,7 +324,7 @@ os::cmd::expect_success "oadm registry --daemonset --images='${USE_IMAGES}'"
 os::cmd::expect_success_and_text 'oadm registry --daemonset' 'service exists'
 os::cmd::try_until_text 'oc get ds/docker-registry --template="{{.status.desiredNumberScheduled}}"' '1'
 # clean up so we can test non-daemonset
-os::cmd::expect_success "oc delete ds/docker-registry svc/docker-registry sa/registry clusterrolebinding/registry-registry-role"
+os::cmd::expect_success "oadm registry --daemonset -o yaml | oc delete -f -"
 echo "registry daemonset: ok"
 # Test running a registry
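Review bot: Dropping the `oc create` of the router ServiceAccount makes the test depend on `oadm router` creating the SA and its ClusterRoleBinding itself, yet nothing in the hunk asserts that it did, so a regression there would surface only indirectly through a later step. Add an explicit check after the create, e.g. `os::cmd::expect_success 'oc get sa/router -n default'`, and in the registry hunk of this file `os::cmd::expect_success 'oc get clusterrolebinding/registry-registry-role'`, so the objects that the new pipe-to-`oc delete` cleanup relies on are known to exist. The `add-scc-to-user` line now runs before the SA exists; that presumably works because the SCC records the user name rather than the object, but a comment saying so would spare the next reader the question.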
@@ -342,7 +340,7 @@ os::test::junit::declare_suite_end
 os::test::junit::declare_suite_start "cmd/admin/apply"
 workingdir=$(mktemp -d)
-os::cmd::expect_success "oadm registry --credentials=${KUBECONFIG} -o yaml > ${workingdir}/oadm_registry.yaml"
+os::cmd::expect_success "oadm registry -o yaml > ${workingdir}/oadm_registry.yaml"
 os::util::sed "s/5000/6000/g" ${workingdir}/oadm_registry.yaml
 os::cmd::expect_success "oc apply -f ${workingdir}/oadm_registry.yaml"
 os::cmd::expect_success_and_text 'oc get dc/docker-registry -o yaml' '6000'
diff --git a/test/cmd/router.sh b/test/cmd/router.sh
index 1276d99b7c6f..01723adde824 100755
--- a/test/cmd/router.sh
+++ b/test/cmd/router.sh
@@ -24,7 +24,6 @@ os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false -o
 os::cmd::expect_success_and_not_text 'oadm router --dry-run --host-network=false --host-ports=false -o yaml' 'hostPort: 1936'
 os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false --stats-port=1937 -o yaml' 'hostPort: 1937'
 os::cmd::expect_failure_and_text 'oadm router --dry-run --service-account=other -o yaml' 'service account "other" is not allowed to access the host network on nodes'
-os::cmd::expect_failure_and_not_text 'oadm router --dry-run --host-network=false -o yaml --credentials=${KUBECONFIG}' 'ServiceAccount'
 # set ports internally
 os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false -o yaml' 'containerPort: 80'
 os::cmd::expect_failure_and_text 'oadm router --dry-run --host-network=false --ports=80:8080 -o yaml' 'port: 8080'
@@ -36,7 +35,6 @@ os::cmd::expect_success_and_not_text "oadm router --dry-run --host-network=false
 # client env vars are optional
 os::cmd::expect_success_and_not_text 'oadm router --dry-run --host-network=false --host-ports=false -o yaml' 'OPENSHIFT_MASTER'
 os::cmd::expect_success_and_not_text 'oadm router --dry-run --host-network=false --host-ports=false --secrets-as-env -o yaml' 'OPENSHIFT_MASTER'
-os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --secrets-as-env --credentials=${KUBECONFIG} -o yaml' 'OPENSHIFT_MASTER'
 # canonical hostname
 os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --router-canonical-hostname=a.b.c.d -o yaml' 'a.b.c.d'
 os::cmd::expect_success_and_text 'oadm router --dry-run --host-network=false --host-ports=false --router-canonical-hostname=1a.b.c.d -o yaml' '1a.b.c.d'
@@ -57,15 +55,14 @@ os::cmd::expect_success_and_text "oadm router --dry-run -o yaml" 'host: localhos
 os::cmd::expect_success_and_text "oadm router --dry-run --host-network=false -o yaml" 'hostPort'
 os::cmd::expect_failure_and_text "oadm router --ports=80,8443:443" 'container port 8443 and host port 443 must be equal'
-os::cmd::expect_success_and_text "oadm router -o yaml --credentials=${KUBECONFIG}" 'image:.*-haproxy-router:'
-os::cmd::expect_success "oadm router --credentials=${KUBECONFIG} --images='${USE_IMAGES}'"
+os::cmd::expect_success_and_text "oadm router -o yaml" 'image:.*-haproxy-router:'
+os::cmd::expect_success "oadm router --images='${USE_IMAGES}'"
 os::cmd::expect_success_and_text 'oadm router' 'service exists'
 os::cmd::expect_success_and_text 'oc get dc/router -o yaml' 'readinessProbe'
 # only when using hostnetwork should we force the probes to use localhost
-os::cmd::expect_success_and_not_text "oadm router -o yaml --credentials=${KUBECONFIG} --host-network=false" 'host: localhost'
-os::cmd::expect_success "oc delete dc/router"
-os::cmd::expect_success "oc delete service router"
+os::cmd::expect_success_and_not_text "oadm router -o yaml --host-network=false" 'host: localhost'
+os::cmd::expect_success "oadm router -o yaml | oc delete -f -"
 echo "router: ok"
 # test ipfailover
diff --git a/test/old-start-configs/v1.0.0/test-end-to-end.sh b/test/old-start-configs/v1.0.0/test-end-to-end.sh
index dd0283ee4e3c..c63b43eb543c 100755
--- a/test/old-start-configs/v1.0.0/test-end-to-end.sh
+++ b/test/old-start-configs/v1.0.0/test-end-to-end.sh
@@ -296,12 +296,13 @@ echo "Log in as 'e2e-user' to see the 'test' project."
 # install the router
 echo "[INFO] Installing the router"
-# COMPATIBILITY add --service-account parameter
-openshift admin router --create --credentials="${MASTER_CONFIG_DIR}/openshift-router.kubeconfig" --images="${USE_IMAGES}" --service-account=router
+# COMPATIBILITY remove --credentials parameter
+openshift admin router --create --images="${USE_IMAGES}"
 # install the registry. The --mount-host option is provided to reuse local storage.
 echo "[INFO] Installing the registry"
-openshift admin registry --create --credentials="${MASTER_CONFIG_DIR}/openshift-registry.kubeconfig" --images="${USE_IMAGES}"
+# COMPATIBILITY remove --credentials parameter
+openshift admin registry --create --images="${USE_IMAGES}"
 echo "[INFO] Pre-pulling and pushing ruby-22-centos7"
 docker pull centos/ruby-22-centos7:latest
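Review bot: The replacement line `openshift admin router --create --images="${USE_IMAGES}"` also drops `--service-account=router`, but the new comment above it says only `remove --credentials parameter`, and the comment it replaces existed precisely to record that flag being added. If the current `admin router` default is the `router` account, the comment should say so, e.g. `# COMPATIBILITY remove --credentials parameter; --service-account now defaults to router`; otherwise the flag should stay, since the cmd/admin/router hunk above still passes `--service-account=router` explicitly. Which account the router runs as decides what it can read from the master, so the intent is worth stating in the script rather than leaving the reader to infer it.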