Squashed 'cmd/service-catalog/go/src/github.com/kubernetes-incubator/…
…service-catalog/' changes from c3e3071633..231772fcc0

231772fcc0 origin build: add origin tooling
98af588 v0.1.11 release changes
01e2f90 v0.1.10 release changes
49af948 clear polling queue before starting new operation (openshift#1855)
252958e Refactor common serviceclass validations (openshift#1858)
68f55c6 Catalog Controller should listen on https and serve metrics over TLS secured channel (openshift#1851)
5d0f773 Refactor common broker validations (openshift#1865)
eeaf285 Add NamespacedServiceBroker switch to helm chart (openshift#1864)
d2c960c Add NamespacedServiceBroker Feature (openshift#1863)
ef15310 Fix NamespaceScoped doc text for ns types (openshift#1862)
8d0a637 fix async deprovision retry (openshift#1832)
a918a16 Update registry code from serviceclass to clusterserviceclass (openshift#1852)
4dfd13c Bump dependency on go-open-service-broker-client to 0.0.6 (openshift#1856)
958b7cd Rename SharedServicePlanSpec to CommonServicePlanSpec (openshift#1850)
426aec3 pick a better random port to listen on in integration tests (openshift#1844)
6a59ada OrphanMitigation condition and different handling of retry timeout (openshift#1789)
c9b8f60 Extracting common broker spec elements into embeddable struct (openshift#1841)
3f8fab6 Extract common service class spec fields (openshift#1834)
93dab13 Support for OSB [PR#452](openservicebrokerapi/servicebroker#452). (openshift#1849)
5e1e90d [WIP] Pass correct plan ID in deprovision request (for both deleting and orphan mitigation) (openshift#1847)
74f73c0 disable tests for deployment stage (openshift#1845)
82fc6e4 Revert "Pass correct plan ID in deprovision request (for both deleting and orphan mitigation) (openshift#1803)" (openshift#1843)
94b5795 gitignore integration.test binary (openshift#1840)
014c468 Extracting common plan spec into embeddable struct (openshift#1833)
5d7041b Use k8s NewUUID method exclusively  (openshift#1836)
eac3f96 A new test was added after prechecks happened for last pr. (openshift#1838)
4b5d159 Pass correct plan ID in deprovision request (for both deleting and orphan mitigation) (openshift#1803)
cc02f0e [svcat] Adding a filter to get plan. (openshift#1758)
70afb56 reset RemovedFromBroker flag on plans that are re-added by broker (openshift#1824)
712dd4a Add behavior to print deleted instance name (openshift#1806)
55505be Update catalog charts README configuration (openshift#1823)
6426c98 Controller reconciliation rework - part 2 (ServiceBinding) (openshift#1819)
c606560 Integrate svcat docs with Service Catalog's (openshift#1784)
e9aeeb0 Synchronize some generated code that was missed along the way (openshift#1801)
a63ebf7 Fix failing test: TestReconcileServiceInstanceWithFailedCondition (openshift#1813)
07ef743 Controller reconciliation rework - part 1 (ServiceInstance) (openshift#1779)
a7d602b Export the touch instance command (openshift#1809)
bddb9a7 Allow retries for instances with Failed condition after spec changes (openshift#1751)
a777af5 Add enhanced parameter options to provision (openshift#1785)
fd1a0b9 Print deleted bindings (openshift#1799)
36d437a Adding the ability to sync a service instance (openshift#1762)
1f60676 Remove Failed condition if there was no terminal failure (openshift#1788)
cd831de allow brokers to respond to getCatalog() with no services (openshift#1772) (openshift#1781)
e5c37ad Add ObservedGeneration and Provisioned into ServiceInstanceStatus (openshift#1748)
9021d8b Add carolynvs to OWNERS (openshift#1780)
b7643d6 Add all-namespaces flag to svcat (openshift#1782)
01e652f Use docker to interact with files made by docker (openshift#1777)
REVERT: c3e3071633 origin build: add origin tooling

git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog
git-subtree-split: 231772fcc00be08b6b2665a39c4a3bacb0b2271f
Jay Boyd committed Mar 23, 2018
1 parent fc02f43 commit 5727b08
Showing 114 changed files with 4,961 additions and 2,867 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -24,6 +24,7 @@ vendor/github.com/petar/GoLLRB/doc/*
contrib/examples/consumer/Gopkg.lock
contrib/examples/consumer
contrib/examples/vendor/*
integration.test*
# this is for buildling service catalog with origin tooling
_output
/go/src/github.com/kubernetes-incubator/service-catalog/_output
1 change: 1 addition & 0 deletions .travis.yml
Expand Up @@ -41,6 +41,7 @@ jobs:
# Test is implicit from the build matrix
# Deploy
- stage: deploy
script: skip
deploy:
skip_cleanup: true
provider: script
11 changes: 3 additions & 8 deletions Gopkg.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Gopkg.toml
Expand Up @@ -71,7 +71,7 @@ required = [

[[constraint]]
name = "github.com/pmorie/go-open-service-broker-client"
version = "0.0.4"
version = "0.0.6"

[prune]
non-go = true
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -399,7 +399,7 @@ $(BINDIR)/svcat/$(TAG_VERSION)/$(PLATFORM)/$(ARCH)/svcat$(FILE_EXT): .init .gene
svcat-publish: clean-bin svcat-all
# Download the latest client with https://download.svcat.sh/cli/latest/darwin/amd64/svcat
# Download an older client with https://download.svcat.sh/cli/VERSION/darwin/amd64/svcat
cp -R $(BINDIR)/svcat/$(TAG_VERSION) $(BINDIR)/svcat/$(MUTABLE_TAG)
$(DOCKER_CMD) cp -R $(BINDIR)/svcat/$(TAG_VERSION) $(BINDIR)/svcat/$(MUTABLE_TAG)
# AZURE_STORAGE_CONNECTION_STRING will be used for auth in the following command
$(DOCKER_CMD) az storage blob upload-batch -d cli -s $(BINDIR)/svcat

1 change: 1 addition & 0 deletions OWNERS
Expand Up @@ -7,3 +7,4 @@ approvers:
- deads2k
- pmorie
- smarterclayton

2 changes: 1 addition & 1 deletion charts/catalog/Chart.yaml
@@ -1,3 +1,3 @@
name: catalog
description: service-catalog API server and controller-manager helm chart
version: 0.1.9
version: 0.1.11
17 changes: 16 additions & 1 deletion charts/catalog/README.md
Expand Up @@ -40,8 +40,11 @@ chart and their default values.

| Parameter | Description | Default |
|-----------|-------------|---------|
| `image` | apiserver image to use | `quay.io/kubernetes-service-catalog/service-catalog:v0.1.9` |
| `image` | apiserver image to use | `quay.io/kubernetes-service-catalog/service-catalog:v0.1.11` |
| `imagePullPolicy` | `imagePullPolicy` for the service catalog | `Always` |
| `apiserver.aggregator.priority` | Priority of the APIService. | `100` |
| `apiserver.aggregator.groupPriorityMinimum` | The minimum priority the group should have. | `10000` |
| `apiserver.aggregator.versionPriority` | The ordering of this API inside of the group | `20` |
| `apiserver.tls.requestHeaderCA` | Base64-encoded CA used to validate request-header authentication, when receiving delegated authentication from an aggregator. If not set, the service catalog API server will inherit this CA from the `extension-apiserver-authentication` ConfigMap if available. | `nil` |
| `apiserver.service.type` | Type of service; valid values are `LoadBalancer` and `NodePort` | `NodePort` |
| `apiserver.service.nodePort.securePort` | If service type is `NodePort`, specifies a port in allowable range (e.g. 30000 - 32767 on minikube); The TLS-enabled endpoint will be exposed here | `30443` |
Expand All @@ -54,11 +57,23 @@ chart and their default values.
| `apiserver.storage.etcd.persistence.size` | PVC Storage Request | `4Gi` |
| `apiserver.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
| `apiserver.auth.enabled` | Enable authentication and authorization | `true` |
| `apiserver.audit.activated` | If true, enables the use of audit features via this chart. | `false` |
| `apiserver.audit.logPath` | If specified, audit log goes to specified path. | `"/tmp/service-catalog-apiserver-audit.log"` |
| `apiserver.serviceAccount` | Service account. | `service-catalog-apiserver` |
| `apiserver.serveOpenAPISpec` | If true, makes the API server serve the OpenAPI schema | `false` |
| `controllerManager.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
| `controllerManager.resyncInterval` | How often the controller should resync informers; duration format (`20m`, `1h`, etc) | `5m` |
| `controllerManager.brokerRelistInterval` | How often the controller should relist the catalogs of ready brokers; duration format (`20m`, `1h`, etc) | `24h` |
| `controllerManager.brokerRelistIntervalActivated` | Whether or not the controller supports a --broker-relist-interval flag. If this is set to true, brokerRelistInterval will be used as the value for that flag. | `true` |
| `controllerManager.profiling.disabled` | Disable profiling via web interface host:port/debug/pprof/ | `false` |
| `controllerManager.profiling.contentionProfiling` | Enables lock contention profiling, if profiling is enabled | `false` |
| `controllerManager.leaderElection.activated` | Whether the controller has leader election enabled | `false` |
| `controllerManager.serviceAccount` | Service account | `service-catalog-controller-manager` |
| `controllerManager.apiserverSkipVerify` | Controls whether the API server's TLS verification should be skipped | `true` |
| `controllerManager.enablePrometheusScrape` | Whether the controller will expose metrics on /metrics | `false` |
| `useAggregator` | whether or not to set up the controller-manager to go through the main Kubernetes API server's API aggregator | `true` |
| `rbacEnable` | If true, create & use RBAC resources | `true` |
| `originatingIdentityEnabled` | Whether the OriginatingIdentity alpha feature should be enabled | `false` |
| `asyncBindingOperationsEnabled` | Whether or not alpha support for async binding operations is enabled | `false` |

Specify each parameter using the `--set key=value[,key=value]` argument to
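Review bot: the parameter table ends at `asyncBindingOperationsEnabled` and has no row for `namespacedServiceBrokerEnabled`, which this same commit adds to `values.yaml` and to both deployment templates. Add a row such as `| namespacedServiceBrokerEnabled | Whether the NamespacedServiceBroker alpha feature should be enabled | false |`. The table also records `controllerManager.apiserverSkipVerify` with a default of `true`; a sentence telling operators to set it to `false` once the API server certificate can be verified would help, since the rest of this commit is about moving the controller manager onto TLS.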
4 changes: 4 additions & 0 deletions charts/catalog/templates/apiserver-deployment.yaml
Expand Up @@ -61,6 +61,10 @@ spec:
- --feature-gates
- OriginatingIdentity=true
{{- end }}
{{- if .Values.namespacedServiceBrokerEnabled }}
- --feature-gates
- NamespacedServiceBroker=true
{{- end }}
{{- if .Values.apiserver.serveOpenAPISpec }}
- --serve-openapi-spec
{{- end }}
24 changes: 18 additions & 6 deletions charts/catalog/templates/controller-manager-deployment.yaml
Expand Up @@ -41,8 +41,8 @@ spec:
fieldPath: metadata.namespace
args:
- controller-manager
- --port
- "8080"
- --secure-port
- "8444"
{{ if .Values.controllerManager.leaderElection.activated -}}
- "--leader-election-namespace={{ .Release.Namespace }}"
- "--leader-elect-resource-lock=configmaps"
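Review bot: `--secure-port` is hard-coded to `"8444"` in the args here, and the same literal is repeated in `containerPort` and in both probe `port` fields further down this template. Consider a single chart value (for example a hypothetical `controllerManager.securePort`) so the four places cannot drift apart, and document it in the chart README.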
Expand Down Expand Up @@ -78,25 +78,31 @@ spec:
- --feature-gates
- AsyncBindingOperations=true
{{- end }}
{{- if .Values.namespacedServiceBrokerEnabled }}
- --feature-gates
- NamespacedServiceBroker=true
{{- end }}
ports:
- containerPort: 8080
- containerPort: 8444
volumeMounts:
- name: service-catalog-cert
mountPath: /etc/service-catalog-ssl
mountPath: /var/run/kubernetes-service-catalog
readOnly: true
readinessProbe:
httpGet:
port: 8080
port: 8444
path: /healthz
scheme: HTTPS
failureThreshold: 1
initialDelaySeconds: 20
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
httpGet:
port: 8080
port: 8444
path: /healthz
scheme: HTTPS
failureThreshold: 3
initialDelaySeconds: 20
periodSeconds: 10
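Review bot: in `volumeMounts`, the certificate volume is mounted `readOnly: true` at `/var/run/kubernetes-service-catalog`, which is the same directory `options.go` sets as `certDirectory` for generated certificates. The self-signed fallback described in `controller_manager.go` therefore has nowhere to write in this deployment, and a missing or unreadable secret will surface as a startup failure rather than a generated certificate. Failing closed is a reasonable outcome, but a template comment saying the chart relies on the Helm-created secret and does not expect the fallback would save the next reader from working that out.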
Expand All @@ -109,3 +115,9 @@ spec:
items:
- key: tls.crt
path: apiserver.crt
- key: tls.key
path: apiserver.key
{{- if .Values.apiserver.tls.requestHeaderCA }}
- key: requestheader-ca.crt
path: requestheader-ca.crt
{{- end }}
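Review bot: the `tls.key` item added here places a private key in the controller-manager pod under the name `apiserver.key`, next to `apiserver.crt`. If this secret is the API server's serving pair, the two components now share one identity and a compromise of either pod exposes the key for both; a dedicated certificate and secret for the controller manager would keep them separate. The `requestheader-ca.crt` item is also mounted, but nothing in the controller-manager changes visible in this commit reads it, so it could be dropped from this template.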
4 changes: 3 additions & 1 deletion charts/catalog/values.yaml
@@ -1,6 +1,6 @@
# Default values for Service Catalog
# service-catalog image to use
image: quay.io/kubernetes-service-catalog/service-catalog:v0.1.9
image: quay.io/kubernetes-service-catalog/service-catalog:v0.1.11
# imagePullPolicy for the service-catalog; valid values are "IfNotPresent",
# "Never", and "Always"
imagePullPolicy: Always
Expand Down Expand Up @@ -111,3 +111,5 @@ controllerManager:
originatingIdentityEnabled: false
# Whether the AsyncBindingOperations alpha feature should be enabled
asyncBindingOperationsEnabled: false
# Whether the NamespacedServiceBroker alpha feature should be enabled
namespacedServiceBrokerEnabled: false
2 changes: 1 addition & 1 deletion charts/ups-broker/README.md
Expand Up @@ -34,7 +34,7 @@ Service Broker

| Parameter | Description | Default |
|-----------|-------------|---------|
| `image` | Image to use | `quay.io/kubernetes-service-catalog/user-broker:v0.1.9` |
| `image` | Image to use | `quay.io/kubernetes-service-catalog/user-broker:v0.1.11` |
| `imagePullPolicy` | `imagePullPolicy` for the ups-broker | `Always` |

Specify each parameter using the `--set key=value[,key=value]` argument to
2 changes: 1 addition & 1 deletion charts/ups-broker/values.yaml
@@ -1,6 +1,6 @@
# Default values for User-Provided Service Broker
# Image to use
image: quay.io/kubernetes-service-catalog/user-broker:v0.1.9
image: quay.io/kubernetes-service-catalog/user-broker:v0.1.11
# ImagePullPolicy; valid values are "IfNotPresent", "Never", and "Always"
imagePullPolicy: Always
# Certificate details to use for TLS. Leave blank to not use TLS
18 changes: 16 additions & 2 deletions cmd/controller-manager/app/controller_manager.go
Expand Up @@ -93,6 +93,10 @@ func Run(controllerManagerOptions *options.ControllerManagerServer) error {
// glog.Errorf("unable to register configz: %s", err)
// }

if controllerManagerOptions.Port > 0 {
glog.Warning("program option --port is obsolete and ignored, specify --secure-port instead")
}

// Build the K8s kubeconfig / client / clientBuilder
glog.V(4).Info("Building k8s kubeconfig")

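Review bot: the obsolete-option warning in `Run` covers `--port` only. `--address` is deprecated in the same commit and the listener now binds to `SecureServingOptions.BindAddress`, so a value passed with `--address` is ignored as well without this warning. Because `Address` still defaults to `defaultBindAddress`, a value comparison will not detect it; checking whether the flag was set (for example with pflag's `Changed("address")`) and logging the same kind of message would make both cases visible to operators.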
Expand Down Expand Up @@ -142,6 +146,14 @@ func Run(controllerManagerOptions *options.ControllerManagerServer) error {
}
serviceCatalogKubeconfig.Insecure = controllerManagerOptions.ServiceCatalogInsecureSkipVerify

// Initialize SSL/TLS configuration. Ensures we have a certificate and key to use.
// This is the same code as what is done in the API Server. By default, Helm created
// cert and key for us, this just ensures the files are found and are readable and
// creates self signed versions if not.
if err := controllerManagerOptions.SecureServingOptions.MaybeDefaultWithSelfSignedCerts("" /*AdvertiseAddress*/, nil /*alternateDNS*/, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
return fmt.Errorf("failed to establish SecureServingOptions %v", err)
}

glog.V(4).Info("Starting http server and mux")
// Start http server and handlers
go func() {
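Review bot: the `MaybeDefaultWithSelfSignedCerts` call passes `127.0.0.1` as the only alternate IP and `nil` for the alternate DNS names, so a self-signed certificate generated by this fallback is unlikely to match the pod IP or service name a remote client connects to, and such clients would have to skip verification. Pass the names and addresses the endpoint is actually reached by, or say in the comment that the fallback is for local use only. The error string also needs a separator before the verb: `"failed to establish SecureServingOptions: %v"`.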
Expand All @@ -165,10 +177,12 @@ func Run(controllerManagerOptions *options.ControllerManagerServer) error {
}
}
server := &http.Server{
Addr: net.JoinHostPort(controllerManagerOptions.Address, strconv.Itoa(int(controllerManagerOptions.Port))),
Addr: net.JoinHostPort(controllerManagerOptions.SecureServingOptions.BindAddress.String(),
strconv.Itoa(int(controllerManagerOptions.SecureServingOptions.BindPort))),
Handler: mux,
}
glog.Fatal(server.ListenAndServe())
glog.Fatal(server.ListenAndServeTLS(controllerManagerOptions.SecureServingOptions.ServerCert.CertKey.CertFile,
controllerManagerOptions.SecureServingOptions.ServerCert.CertKey.KeyFile))
}()

// Create event broadcaster
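Review bot: `http.Server` is built with only `Addr` and `Handler`, and the only `SecureServingOptions` fields consulted are `BindAddress`, `BindPort` and the certificate and key file paths. Since `options.go` registers the whole option set with `s.SecureServingOptions.AddFlags(fs)`, any other TLS flag that set exposes is accepted on the command line but has no effect on this listener. Either build a `tls.Config` from the options and assign it to `server.TLSConfig`, or register only the flags that are honoured.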
24 changes: 19 additions & 5 deletions cmd/controller-manager/app/options/options.go
Expand Up @@ -30,6 +30,14 @@ import (
k8scomponentconfig "github.com/kubernetes-incubator/service-catalog/pkg/kubernetes/pkg/apis/componentconfig"
"github.com/kubernetes-incubator/service-catalog/pkg/kubernetes/pkg/client/leaderelectionconfig"
osb "github.com/pmorie/go-open-service-broker-client/v2"
genericoptions "k8s.io/apiserver/pkg/server/options"
)

const (
// Use the same SSL configuration as we use in Catalog API Server.
// Store generated SSL certificates in a place that won't collide with the
// k8s core API server.
certDirectory = "/var/run/kubernetes-service-catalog"
)

// ControllerManagerServer is the main context object for the controller
Expand All @@ -43,7 +51,7 @@ const (
defaultServiceBrokerRelistInterval = 24 * time.Hour
defaultContentType = "application/json"
defaultBindAddress = "0.0.0.0"
defaultPort = 10000
defaultPort = 8444
defaultK8sKubeconfigPath = "./kubeconfig"
defaultServiceCatalogKubeconfigPath = "./service-catalog-kubeconfig"
defaultOSBAPIContextProfile = true
Expand All @@ -61,7 +69,7 @@ func NewControllerManagerServer() *ControllerManagerServer {
s := ControllerManagerServer{
ControllerManagerConfiguration: componentconfig.ControllerManagerConfiguration{
Address: defaultBindAddress,
Port: defaultPort,
Port: 0,
ContentType: defaultContentType,
K8sKubeconfigPath: defaultK8sKubeconfigPath,
ServiceCatalogKubeconfigPath: defaultServiceCatalogKubeconfigPath,
Expand All @@ -76,16 +84,22 @@ func NewControllerManagerServer() *ControllerManagerServer {
EnableContentionProfiling: false,
ReconciliationRetryDuration: defaultReconciliationRetryDuration,
OperationPollingMaximumBackoffDuration: defaultOperationPollingMaximumBackoffDuration,
SecureServingOptions: genericoptions.NewSecureServingOptions(),
},
}
// set defaults, these will be overriden by user specified flags
s.SecureServingOptions.BindPort = defaultPort
s.SecureServingOptions.ServerCert.CertDirectory = certDirectory
s.LeaderElection.LeaderElect = true
return &s
}

// AddFlags adds flags for a ControllerManagerServer to the specified FlagSet.
func (s *ControllerManagerServer) AddFlags(fs *pflag.FlagSet) {
fs.Var(k8scomponentconfig.IPVar{Val: &s.Address}, "address", "The IP address to serve on (set to 0.0.0.0 for all interfaces)")
fs.Int32Var(&s.Port, "port", s.Port, "The port that the controller-manager's http service runs on")
fs.Var(k8scomponentconfig.IPVar{Val: &s.Address}, "address", "DEPRECATED: see --bind-address instead")
fs.MarkDeprecated("address", "see --bind-address instead")
fs.Int32Var(&s.Port, "port", 0, "DEPRECATED: see --secure-port instead")
fs.MarkDeprecated("port", "see --secure-port instead")
fs.StringVar(&s.ContentType, "api-content-type", s.ContentType, "Content type of requests sent to API servers")
fs.StringVar(&s.K8sAPIServerURL, "k8s-api-server-url", "", "The URL for the k8s API server")
fs.StringVar(&s.K8sKubeconfigPath, "k8s-kubeconfig", "", "Path to k8s core kubeconfig")
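Review bot: the two `fs.MarkDeprecated` calls in `AddFlags` discard their error return, so a mistyped flag name there would go unnoticed; check the error, or assign it to `_` with a comment explaining why it cannot fail. In `NewControllerManagerServer`, the new comment has a typo: `overriden` should be `overridden`.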
Expand All @@ -103,6 +117,6 @@ func (s *ControllerManagerServer) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.LeaderElectionNamespace, "leader-election-namespace", s.LeaderElectionNamespace, "Namespace to use for leader election lock")
fs.DurationVar(&s.ReconciliationRetryDuration, "reconciliation-retry-duration", s.ReconciliationRetryDuration, "The maximum amount of time to retry reconciliations on a resource before failing")
fs.DurationVar(&s.OperationPollingMaximumBackoffDuration, "operation-polling-maximum-backoff-duration", s.OperationPollingMaximumBackoffDuration, "The maximum amount of time to back-off while polling an OSB API operation")

s.SecureServingOptions.AddFlags(fs)
utilfeature.DefaultFeatureGate.AddFlag(fs)
}