Fix OpenShift example

[derekwaynecarr]

Fixes #4997

This example requires OpenShift merges: openshift/origin#2015

I think an interesting use case driven from this example is the common need to take a set of files and bundle them into a secret. We have an experimental command that does this in OpenShift, but it is useful, and would be probably of general value to Kubernetes.

/cc @smarterclayton you should hopefully see this is much simpler now.

[derekwaynecarr]

/cc @deads2k

[smarterclayton]

Another use case brought up by this:

It's very difficult to use TLS on service accounts today. The signer cert has to be kept separate from the infrastructure, you have to generate the cert after the service is created (to get both the DNS name and the portalIP), and it's a lot of manual steps.

After seeing how we could do auto secret generation from the service account, I'm inclined to replicate that solution for service certificates.

A user in a namespace would create a secret with a name or annotation matching a service name and a secret.type "ServiceTLSCertificate". A controller (that has access to a signing cert for a CA that pods in the cluster can trust) would see that secret was created and fill out a cert for the service portalIP and DNS named by the secret's annotation. Any pods in that service could then mount that secret and have a cert automatically generated. The consumers of the service could get the CA for the service from DNS (which could automatically add the CA to DNSSEC via skydns).

[derekwaynecarr]

Any chance we can merge this now?

openshift/origin#2055 merged so the updated Docker images should have no more problems doing WATCH against Kubernetes resources.

[smarterclayton]

Stop breaking travis

[smarterclayton]

Boilerplate is wrong

[derekwaynecarr]

Just like @eparis to change boilerplate text and mess up my PRs, this should be all set now ;-)

[smarterclayton]

LGTM, will merge on green

[eparis]

I like stomping on people's PRs!

[smarterclayton]

All known flakes.