make templateinstance secret optional

openshift · Jun 27, 2017 · 073e82c · 073e82c
1 parent 3c328f7
commit 073e82c
Show file tree

Hide file tree

Showing 15 changed files with 198 additions and 125 deletions.
diff --git a/pkg/openapi/zz_generated.openapi.go b/pkg/openapi/zz_generated.openapi.go
@@ -9852,7 +9852,7 @@ func GetOpenAPIDefinitions(ref openapi.ReferenceCallback) map[string]openapi.Ope
 							},
 						},
 					},
-					Required: []string{"template", "secret", "requester"},
+					Required: []string{"template", "requester"},
 				},
 			},
 			Dependencies: []string{

diff --git a/pkg/template/apis/template/types.go b/pkg/template/apis/template/types.go
@@ -98,7 +98,7 @@ type TemplateInstanceSpec struct {
 
 	// Secret is a reference to a Secret object containing the necessary
 	// template parameters.
-	Secret kapi.LocalObjectReference
+	Secret *kapi.LocalObjectReference
 
 	// Requester holds the identity of the agent requesting the template
 	// instantiation.

diff --git a/pkg/template/apis/template/v1/generated.pb.go b/pkg/template/apis/template/v1/generated.pb.go
diff --git a/pkg/template/apis/template/v1/types.go b/pkg/template/apis/template/v1/types.go
@@ -117,7 +117,7 @@ type TemplateInstanceSpec struct {
 
 	// secret is a reference to a Secret object containing the necessary
 	// template parameters.
-	Secret kapiv1.LocalObjectReference `json:"secret" protobuf:"bytes,2,opt,name=secret"`
+	Secret *kapiv1.LocalObjectReference `json:"secret,omitempty" protobuf:"bytes,2,opt,name=secret"`
 
 	// requester holds the identity of the agent requesting the template
 	// instantiation.

diff --git a/pkg/template/apis/template/v1/zz_generated.conversion.go b/pkg/template/apis/template/v1/zz_generated.conversion.go
@@ -336,8 +336,14 @@ func autoConvert_v1_TemplateInstanceSpec_To_template_TemplateInstanceSpec(in *Te
 	if err := Convert_v1_Template_To_template_Template(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
-	if err := api_v1.Convert_v1_LocalObjectReference_To_api_LocalObjectReference(&in.Secret, &out.Secret, s); err != nil {
-		return err
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(api.LocalObjectReference)
+		if err := api_v1.Convert_v1_LocalObjectReference_To_api_LocalObjectReference(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Secret = nil
 	}
 	out.Requester = (*template.TemplateInstanceRequester)(unsafe.Pointer(in.Requester))
 	return nil
@@ -351,8 +357,14 @@ func autoConvert_template_TemplateInstanceSpec_To_v1_TemplateInstanceSpec(in *te
 	if err := Convert_template_Template_To_v1_Template(&in.Template, &out.Template, s); err != nil {
 		return err
 	}
-	if err := api_v1.Convert_api_LocalObjectReference_To_v1_LocalObjectReference(&in.Secret, &out.Secret, s); err != nil {
-		return err
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(api_v1.LocalObjectReference)
+		if err := api_v1.Convert_api_LocalObjectReference_To_v1_LocalObjectReference(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Secret = nil
 	}
 	out.Requester = (*TemplateInstanceRequester)(unsafe.Pointer(in.Requester))
 	return nil

diff --git a/pkg/template/apis/template/v1/zz_generated.deepcopy.go b/pkg/template/apis/template/v1/zz_generated.deepcopy.go
@@ -8,6 +8,7 @@ import (
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
+	api_v1 "k8s.io/kubernetes/pkg/api/v1"
 	reflect "reflect"
 )
 
@@ -194,6 +195,11 @@ func DeepCopy_v1_TemplateInstanceSpec(in interface{}, out interface{}, c *conver
 		if err := DeepCopy_v1_Template(&in.Template, &out.Template, c); err != nil {
 			return err
 		}
+		if in.Secret != nil {
+			in, out := &in.Secret, &out.Secret
+			*out = new(api_v1.LocalObjectReference)
+			**out = **in
+		}
 		if in.Requester != nil {
 			in, out := &in.Requester, &out.Requester
 			*out = new(TemplateInstanceRequester)

diff --git a/pkg/template/apis/template/validation/validation.go b/pkg/template/apis/template/validation/validation.go
@@ -61,9 +61,13 @@ func ValidateTemplateInstance(templateInstance *templateapi.TemplateInstance) (a
 		err.Field = "spec.template." + err.Field
 		allErrs = append(allErrs, err)
 	}
-	if templateInstance.Spec.Secret.Name != "" {
-		for _, msg := range oapi.GetNameValidationFunc(validation.ValidateSecretName)(templateInstance.Spec.Secret.Name, false) {
-			allErrs = append(allErrs, field.Invalid(field.NewPath("spec.secret.name"), templateInstance.Spec.Secret.Name, msg))
+	if templateInstance.Spec.Secret != nil {
+		if templateInstance.Spec.Secret.Name != "" {
+			for _, msg := range oapi.GetNameValidationFunc(validation.ValidateSecretName)(templateInstance.Spec.Secret.Name, false) {
+				allErrs = append(allErrs, field.Invalid(field.NewPath("spec.secret.name"), templateInstance.Spec.Secret.Name, msg))
+			}
+		} else {
+			allErrs = append(allErrs, field.Required(field.NewPath("spec.secret.name"), ""))
 		}
 	}
 	if templateInstance.Spec.Requester == nil {

diff --git a/pkg/template/apis/template/validation/validation_test.go b/pkg/template/apis/template/validation/validation_test.go
@@ -294,7 +294,7 @@ func TestValidateTemplateInstance(t *testing.T) {
 							Namespace: "test",
 						},
 					},
-					Secret: kapi.LocalObjectReference{
+					Secret: &kapi.LocalObjectReference{
 						Name: "b@d",
 					},
 					Requester: &templateapi.TemplateInstanceRequester{
@@ -317,7 +317,47 @@ func TestValidateTemplateInstance(t *testing.T) {
 							Namespace: "test",
 						},
 					},
-					Secret: kapi.LocalObjectReference{
+					Secret: &kapi.LocalObjectReference{},
+					Requester: &templateapi.TemplateInstanceRequester{
+						Username: "test",
+					},
+				},
+			},
+			expectedErrorType: field.ErrorTypeRequired,
+		},
+		{
+			templateInstance: templateapi.TemplateInstance{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "test",
+				},
+				Spec: templateapi.TemplateInstanceSpec{
+					Template: templateapi.Template{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "test",
+							Namespace: "test",
+						},
+					},
+					Requester: &templateapi.TemplateInstanceRequester{
+						Username: "test",
+					},
+				},
+			},
+		},
+		{
+			templateInstance: templateapi.TemplateInstance{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test",
+					Namespace: "test",
+				},
+				Spec: templateapi.TemplateInstanceSpec{
+					Template: templateapi.Template{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "test",
+							Namespace: "test",
+						},
+					},
+					Secret: &kapi.LocalObjectReference{
 						Name: "test",
 					},
 					Requester: &templateapi.TemplateInstanceRequester{
@@ -367,7 +407,7 @@ func TestValidateTemplateInstanceUpdate(t *testing.T) {
 					},
 				},
 			},
-			Secret: kapi.LocalObjectReference{
+			Secret: &kapi.LocalObjectReference{
 				Name: "test",
 			},
 			Requester: &templateapi.TemplateInstanceRequester{

diff --git a/pkg/template/apis/template/zz_generated.deepcopy.go b/pkg/template/apis/template/zz_generated.deepcopy.go
@@ -8,6 +8,7 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	conversion "k8s.io/apimachinery/pkg/conversion"
 	runtime "k8s.io/apimachinery/pkg/runtime"
+	api "k8s.io/kubernetes/pkg/api"
 	reflect "reflect"
 )
 
@@ -194,6 +195,11 @@ func DeepCopy_template_TemplateInstanceSpec(in interface{}, out interface{}, c *
 		if err := DeepCopy_template_Template(&in.Template, &out.Template, c); err != nil {
 			return err
 		}
+		if in.Secret != nil {
+			in, out := &in.Secret, &out.Secret
+			*out = new(api.LocalObjectReference)
+			**out = **in
+		}
 		if in.Requester != nil {
 			in, out := &in.Requester, &out.Requester
 			*out = new(TemplateInstanceRequester)

diff --git a/pkg/template/controller/templateinstance_controller.go b/pkg/template/controller/templateinstance_controller.go
@@ -235,19 +235,23 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T
 
 	u := &user.DefaultInfo{Name: templateInstance.Spec.Requester.Username}
 
-	if err := util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{
-		Namespace: templateInstance.Namespace,
-		Verb:      "get",
-		Group:     kapi.GroupName,
-		Resource:  "secrets",
-		Name:      templateInstance.Spec.Secret.Name,
-	}); err != nil {
-		return err
-	}
+	var secret *kapi.Secret
+	if templateInstance.Spec.Secret != nil {
+		if err := util.Authorize(c.kc.Authorization().SubjectAccessReviews(), u, &authorization.ResourceAttributes{
+			Namespace: templateInstance.Namespace,
+			Verb:      "get",
+			Group:     kapi.GroupName,
+			Resource:  "secrets",
+			Name:      templateInstance.Spec.Secret.Name,
+		}); err != nil {
+			return err
+		}
 
-	secret, err := c.kc.Core().Secrets(templateInstance.Namespace).Get(templateInstance.Spec.Secret.Name, metav1.GetOptions{})
-	if err != nil {
-		return err
+		s, err := c.kc.Core().Secrets(templateInstance.Namespace).Get(templateInstance.Spec.Secret.Name, metav1.GetOptions{})
+		secret = s
+		if err != nil {
+			return err
+		}
 	}
 
 	template, err := c.copyTemplate(&templateInstance.Spec.Template)
@@ -262,10 +266,12 @@ func (c *TemplateInstanceController) instantiate(templateInstance *templateapi.T
 	}
 	template.ObjectLabels[templateapi.TemplateInstanceLabel] = templateInstance.Name
 
-	for i, param := range template.Parameters {
-		if value, ok := secret.Data[param.Name]; ok {
-			template.Parameters[i].Value = string(value)
-			template.Parameters[i].Generate = ""
+	if secret != nil {
+		for i, param := range template.Parameters {
+			if value, ok := secret.Data[param.Name]; ok {
+				template.Parameters[i].Value = string(value)
+				template.Parameters[i].Generate = ""
+			}
 		}
 	}
 

diff --git a/pkg/template/servicebroker/provision.go b/pkg/template/servicebroker/provision.go
@@ -84,7 +84,7 @@ func (b *Broker) ensureTemplateInstance(u user.Info, namespace string, instanceI
 		ObjectMeta: metav1.ObjectMeta{Name: instanceID},
 		Spec: templateapi.TemplateInstanceSpec{
 			Template: *template,
-			Secret:   kapi.LocalObjectReference{Name: secret.Name},
+			Secret:   &kapi.LocalObjectReference{Name: secret.Name},
 			Requester: &templateapi.TemplateInstanceRequester{
 				Username: u.GetName(),
 			},

diff --git a/test/extended/templates/templateinstance_cross_namespace.go b/test/extended/templates/templateinstance_cross_namespace.go
@@ -58,7 +58,7 @@ var _ = g.Describe("[templates] templateinstance cross-namespace test", func() {
 						},
 					},
 				},
-				Secret: kapi.LocalObjectReference{
+				Secret: &kapi.LocalObjectReference{
 					Name: "secret",
 				},
 			},

diff --git a/test/extended/templates/templateinstance_impersonation.go b/test/extended/templates/templateinstance_impersonation.go
@@ -67,15 +67,6 @@ var _ = g.Describe("[templates] templateinstance impersonation tests", func() {
 					Username: edituser1.Name,
 				},
 			},
-			// post the status to avoid kicking off the controller
-			Status: templateapi.TemplateInstanceStatus{
-				Conditions: []templateapi.TemplateInstanceCondition{
-					{
-						Type:   templateapi.TemplateInstanceReady,
-						Status: kapi.ConditionTrue,
-					},
-				},
-			},
 		}
 
 		tests = []struct {

diff --git a/test/extended/templates/templateinstance_security.go b/test/extended/templates/templateinstance_security.go
@@ -176,7 +176,7 @@ var _ = g.Describe("[templates] templateinstance security tests", func() {
 							},
 						},
 					},
-					Secret: kapi.LocalObjectReference{
+					Secret: &kapi.LocalObjectReference{
 						Name: "secret",
 					},
 				},

diff --git a/test/extended/templates/templateservicebroker_e2e.go b/test/extended/templates/templateservicebroker_e2e.go
@@ -160,7 +160,7 @@ var _ = g.Describe("[templates] templateservicebroker end-to-end test", func() {
 
 		o.Expect(templateInstance.Spec).To(o.Equal(templateapi.TemplateInstanceSpec{
 			Template: *template,
-			Secret: kapi.LocalObjectReference{
+			Secret: &kapi.LocalObjectReference{
 				Name: secret.Name,
 			},
 			Requester: &templateapi.TemplateInstanceRequester{