expose the entire API through the aggregator

openshift · Jul 21, 2017 · b03a2c9 · b03a2c9
1 parent 9e1f03d
commit b03a2c9
Show file tree

Hide file tree

Showing 12 changed files with 1,430 additions and 520 deletions.
diff --git a/api/swagger-spec/openshift-openapi-spec.json b/api/swagger-spec/openshift-openapi-spec.json
diff --git a/pkg/cmd/server/api/group_coverage_test.go b/pkg/cmd/server/api/group_coverage_test.go
@@ -20,6 +20,9 @@ func TestKnownAPIGroups(t *testing.T) {
 		enabledGroups.Insert(enabledVersion.Group)
 	}
 
+	// TODO remove this and use a non-global registry.  These are in a wierd half-state right now
+	enabledGroups.Insert("apiextensions.k8s.io", "apiregistration.k8s.io")
+
 	knownGroups := sets.NewString(api.KnownKubeAPIGroups.List()...)
 	knownGroups.Insert(api.KnownOriginAPIGroups.List()...)
 
@@ -32,8 +35,15 @@ func TestKnownAPIGroups(t *testing.T) {
 }
 
 func TestAllowedAPIVersions(t *testing.T) {
+	// TODO remove this and use a non-global registry.  These are in a wierd half-state right now
+	skippedGroups := sets.NewString("apiextensions.k8s.io", "apiregistration.k8s.io")
+
 	// Make sure all versions we know about match registered versions
 	for group, versions := range api.KubeAPIGroupsToAllowedVersions {
+		if skippedGroups.Has(group) {
+			continue
+		}
+
 		enabled := sets.NewString()
 		for _, enabledVersion := range kapi.Registry.EnabledVersionsForGroup(group) {
 			enabled.Insert(enabledVersion.Version)

diff --git a/pkg/cmd/server/api/types.go b/pkg/cmd/server/api/types.go
@@ -47,6 +47,8 @@ var (
 	APIGroupExtensions            = "extensions"
 	APIGroupApps                  = "apps"
 	APIGroupAdmissionRegistration = "admissionregistration.k8s.io"
+	APIGroupAPIExtensions         = "apiextensions.k8s.io"
+	APIGroupAPIRegistration       = "apiregistration.k8s.io"
 	APIGroupAuthentication        = "authentication.k8s.io"
 	APIGroupAuthorization         = "authorization.k8s.io"
 	APIGroupImagePolicy           = "imagepolicy.k8s.io"
@@ -82,6 +84,8 @@ var (
 		APIGroupExtensions:            {"v1beta1"},
 		APIGroupApps:                  {"v1beta1"},
 		APIGroupAdmissionRegistration: {}, // alpha disabled by default
+		APIGroupAPIExtensions:         {"v1beta1"},
+		APIGroupAPIRegistration:       {"v1beta1"},
 		APIGroupAuthentication:        {"v1", "v1beta1"},
 		APIGroupAuthorization:         {"v1", "v1beta1"},
 		APIGroupAuthorizationRbac:     {"v1beta1"},

diff --git a/pkg/cmd/server/api/validation/master.go b/pkg/cmd/server/api/validation/master.go
@@ -229,6 +229,9 @@ func ValidateAggregatorConfig(config api.AggregatorConfig, fldPath *field.Path)
 	validationResults := ValidationResults{}
 
 	validationResults.AddErrors(ValidateCertInfo(config.ProxyClientInfo, false, fldPath.Child("proxyClientInfo"))...)
+	if len(config.ProxyClientInfo.CertFile) == 0 && len(config.ProxyClientInfo.KeyFile) == 0 {
+		validationResults.AddWarnings(field.Invalid(fldPath.Child("proxyClientInfo"), "", "if no client certificate is specified, the aggregator will be unable to proxy to remote servers"))
+	}
 
 	return validationResults
 }

diff --git a/pkg/cmd/server/api/validation/master_test.go b/pkg/cmd/server/api/validation/master_test.go
@@ -400,7 +400,7 @@ func TestValidateAdmissionPluginConfigConflicts(t *testing.T) {
 	// these fields have warnings in the empty case
 	defaultWarningFields := sets.NewString(
 		"serviceAccountConfig.managedNames", "serviceAccountConfig.publicKeyFiles", "serviceAccountConfig.privateKeyFile", "serviceAccountConfig.masterCA",
-		"projectConfig.securityAllocator", "kubernetesMasterConfig.proxyClientInfo", "auditConfig.auditFilePath")
+		"projectConfig.securityAllocator", "kubernetesMasterConfig.proxyClientInfo", "auditConfig.auditFilePath", "aggregatorConfig.proxyClientInfo")
 
 	for _, tc := range testCases {
 		results := ValidateMasterConfig(&tc.options, nil)

diff --git a/pkg/cmd/server/bootstrappolicy/policy.go b/pkg/cmd/server/bootstrappolicy/policy.go
@@ -46,19 +46,21 @@ var (
 	readWrite = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}
 	read      = []string{"get", "list", "watch"}
 
-	kapiGroup           = kapi.GroupName
-	appsGroup           = apps.GroupName
-	autoscalingGroup    = autoscaling.GroupName
-	batchGroup          = batch.GroupName
-	certificatesGroup   = certificates.GroupName
-	extensionsGroup     = extensions.GroupName
-	networkingGroup     = "networking.k8s.io"
-	policyGroup         = policy.GroupName
-	rbacGroup           = rbac.GroupName
-	securityGroup       = securityapi.GroupName
-	legacySecurityGroup = securityapi.LegacyGroupName
-	storageGroup        = storage.GroupName
-	settingsGroup       = settings.GroupName
+	kapiGroup            = kapi.GroupName
+	appsGroup            = apps.GroupName
+	autoscalingGroup     = autoscaling.GroupName
+	apiExtensionsGroup   = "apiextensions.k8s.io"
+	apiRegistrationGroup = "apiregistration.k8s.io"
+	batchGroup           = batch.GroupName
+	certificatesGroup    = certificates.GroupName
+	extensionsGroup      = extensions.GroupName
+	networkingGroup      = "networking.k8s.io"
+	policyGroup          = policy.GroupName
+	rbacGroup            = rbac.GroupName
+	securityGroup        = securityapi.GroupName
+	legacySecurityGroup  = securityapi.LegacyGroupName
+	storageGroup         = storage.GroupName
+	settingsGroup        = settings.GroupName
 
 	authzGroup          = authorizationapi.GroupName
 	kAuthzGroup         = kauthorizationapi.GroupName
@@ -162,6 +164,10 @@ func GetOpenshiftBootstrapClusterRoles() []authorizationapi.ClusterRole {
 
 				authorizationapi.NewRule(read...).Groups(appsGroup).Resources("statefulsets", "statefulsets/status", "deployments", "deployments/scale", "deployments/status", "controllerrevisions").RuleOrDie(),
 
+				authorizationapi.NewRule(read...).Groups(apiExtensionsGroup).Resources("customresourcedefinitions", "customresourcedefinitions/status").RuleOrDie(),
+
+				authorizationapi.NewRule(read...).Groups(apiRegistrationGroup).Resources("apiservices", "apiservices/status").RuleOrDie(),
+
 				authorizationapi.NewRule(read...).Groups(autoscalingGroup).Resources("horizontalpodautoscalers", "horizontalpodautoscalers/status").RuleOrDie(),
 
 				// TODO do we still need scheduledjobs?

diff --git a/pkg/cmd/server/origin/aggregator.go b/pkg/cmd/server/origin/aggregator.go
@@ -41,11 +41,8 @@ import (
 	"k8s.io/kubernetes/pkg/master/thirdparty"
 )
 
-func (c *MasterConfig) createAggregatorConfig(kubeAPIServerConfig genericapiserver.Config) (*aggregatorapiserver.Config, error) {
-	// make a shallow copy to let us twiddle a few things
-	// most of the config actually remains the same.  We only need to mess with a couple items related to the particulars of the aggregator
-	genericConfig := kubeAPIServerConfig
-
+func (c *MasterConfig) createAggregatorConfig(genericConfig genericapiserver.Config) (*aggregatorapiserver.Config, error) {
+	// this is a shallow copy so let's twiddle a few things
 	// the aggregator doesn't wire these up.  It just delegates them to the kubeapiserver
 	genericConfig.EnableSwaggerUI = false
 	genericConfig.SwaggerConfig = nil
@@ -58,13 +55,18 @@ func (c *MasterConfig) createAggregatorConfig(kubeAPIServerConfig genericapiserv
 		c.ClientGoKubeInformers.Core().V1().Services().Lister(),
 	)
 
-	certBytes, err := ioutil.ReadFile(c.Options.AggregatorConfig.ProxyClientInfo.CertFile)
-	if err != nil {
-		return nil, err
-	}
-	keyBytes, err := ioutil.ReadFile(c.Options.AggregatorConfig.ProxyClientInfo.KeyFile)
-	if err != nil {
-		return nil, err
+	var certBytes []byte
+	var keyBytes []byte
+	var err error
+	if len(c.Options.AggregatorConfig.ProxyClientInfo.CertFile) > 0 {
+		certBytes, err = ioutil.ReadFile(c.Options.AggregatorConfig.ProxyClientInfo.CertFile)
+		if err != nil {
+			return nil, err
+		}
+		keyBytes, err = ioutil.ReadFile(c.Options.AggregatorConfig.ProxyClientInfo.KeyFile)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	aggregatorConfig := &aggregatorapiserver.Config{

diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go
@@ -168,15 +168,6 @@ func (c *MasterConfig) Run(kubeAPIServerConfig *kubeapiserver.Config, assetConfi
 	// this sets up the openapi endpoints
 	preparedKubeAPIServer := kubeAPIServer.GenericAPIServer.PrepareRun()
 
-	// presence of the key indicates whether or not to enable the aggregator
-	if len(c.Options.AggregatorConfig.ProxyClientInfo.KeyFile) == 0 {
-		go preparedKubeAPIServer.Run(utilwait.NeverStop)
-
-		// Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try)
-		cmdutil.WaitForSuccessfulDial(c.TLS, c.Options.ServingInfo.BindNetwork, c.Options.ServingInfo.BindAddress, 100*time.Millisecond, 100*time.Millisecond, 100)
-		return
-	}
-
 	aggregatorConfig, err := c.createAggregatorConfig(*kubeAPIServerConfig.GenericConfig)
 	if err != nil {
 		glog.Fatalf("Failed to create aggregator config: %v", err)

diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go
@@ -403,12 +403,10 @@ func (m *Master) Start() error {
 		return fmt.Errorf("KubernetesMasterConfig is required to start this server - use of external Kubernetes is no longer supported.")
 	}
 
-	if len(m.config.AggregatorConfig.ProxyClientInfo.KeyFile) > 0 {
-		// install aggregator types into the scheme so that "normal" RESTOptionsGetters can work for us.
-		// done in Start() prior to doing any other initialization so we don't mutate the scheme after it is being used by clients in other goroutines.
-		// TODO: make scheme threadsafe and do this as part of aggregator config building
-		aggregatorinstall.Install(kapi.GroupFactoryRegistry, kapi.Registry, kapi.Scheme)
-	}
+	// install aggregator types into the scheme so that "normal" RESTOptionsGetters can work for us.
+	// done in Start() prior to doing any other initialization so we don't mutate the scheme after it is being used by clients in other goroutines.
+	// TODO: make scheme threadsafe and do this as part of aggregator config building
+	aggregatorinstall.Install(kapi.GroupFactoryRegistry, kapi.Registry, kapi.Scheme)
 
 	// we have a strange, optional linkage from controllers to the API server regarding the plug.  In the end, this should be structured
 	// as a separate API server which can be chained as a delegate

diff --git a/test/integration/etcd_storage_path_test.go b/test/integration/etcd_storage_path_test.go
@@ -437,6 +437,13 @@ var etcdStorageData = map[schema.GroupVersionResource]struct {
 	},
 	// --
 
+	// k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1
+	gvr("apiregistration.k8s.io", "v1beta1", "apiservices"): {
+		stub:             `{"metadata": {"name": "as1.foo.com"}, "spec": {"group": "foo.com", "version": "as1", "groupPriorityMinimum":100, "versionPriority":10}}`,
+		expectedEtcdPath: "kubernetes.io/apiservices/as1.foo.com",
+	},
+	// --
+
 	// k8s.io/kubernetes/pkg/apis/apps/v1beta1
 	gvr("apps", "v1beta1", "deployments"): {
 		stub:             `{"metadata": {"name": "deployment2"}, "spec": {"selector": {"matchLabels": {"f": "z"}}, "template": {"metadata": {"labels": {"f": "z"}}, "spec": {"containers": [{"image": "fedora:latest", "name": "container6"}]}}}}`,

diff --git a/test/integration/master_routes_test.go b/test/integration/master_routes_test.go
@@ -32,6 +32,8 @@ var expectedIndex = []string{
 	"/apis/",
 	"/apis/apiextensions.k8s.io",
 	"/apis/apiextensions.k8s.io/v1beta1",
+	"/apis/apiregistration.k8s.io",
+	"/apis/apiregistration.k8s.io/v1beta1",
 	"/apis/apps",
 	"/apis/apps.openshift.io",
 	"/apis/apps.openshift.io/v1",
@@ -84,13 +86,18 @@ var expectedIndex = []string{
 	"/apis/user.openshift.io/v1",
 	"/controllers",
 	"/healthz",
+	"/healthz/autoregister-completion",
 	"/healthz/ping",
+	"/healthz/poststarthook/apiservice-registration-controller",
+	"/healthz/poststarthook/apiservice-status-available-controller",
 	"/healthz/poststarthook/bootstrap-controller",
 	"/healthz/poststarthook/ca-registration",
 	// "/healthz/poststarthook/extensions/third-party-resources",  // Do not enable this controller, we do not support it
 	"/healthz/poststarthook/generic-apiserver-start-informers",
+	"/healthz/poststarthook/kube-apiserver-autoregistration",
 	"/healthz/poststarthook/start-apiextensions-controllers",
 	"/healthz/poststarthook/start-apiextensions-informers",
+	"/healthz/poststarthook/start-kube-aggregator-informers",
 	"/healthz/ready",
 	"/metrics",
 	"/oapi",
@@ -223,6 +230,8 @@ func TestWellKnownOAuthOff(t *testing.T) {
 var preferredVersions = map[string]string{
 	"":                          "v1",
 	"apps":                      "v1beta1",
+	"apiextensions.k8s.io":      "v1beta1",
+	"apiregistration.k8s.io":    "v1beta1",
 	"authentication.k8s.io":     "v1",
 	"authorization.k8s.io":      "v1",
 	"autoscaling":               "v1",

diff --git a/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml b/test/testdata/bootstrappolicy/bootstrap_cluster_roles.yaml
@@ -102,6 +102,26 @@ items:
     - get
     - list
     - watch
+  - apiGroups:
+    - apiextensions.k8s.io
+    attributeRestrictions: null
+    resources:
+    - customresourcedefinitions
+    - customresourcedefinitions/status
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - apiregistration.k8s.io
+    attributeRestrictions: null
+    resources:
+    - apiservices
+    - apiservices/status
+    verbs:
+    - get
+    - list
+    - watch
   - apiGroups:
     - autoscaling
     attributeRestrictions: null