templateservicebroker WIP #12953
templateservicebroker WIP #12953
Conversation
|
Also, I'm very interested in comment where there's // QUERY or // TODO in the codebase. |
|
Also any suggestions on name changes. I'm supposing something like:
|
jim-minter
force-pushed
the
template_service_broker
branch
2 times, most recently
from
75dae28 to
2c562cb
Compare
hack/update-generated-clientsets.sh
Outdated
| @@ -16,6 +16,7 @@ packages=( | |||
| github.com/openshift/origin/pkg/route | |||
| github.com/openshift/origin/pkg/sdn | |||
| github.com/openshift/origin/pkg/template | |||
| github.com/openshift/origin/pkg/templateservicebroker | |||
There was a problem hiding this comment.
I agree w/ your suggestion that these resources (mapping, provision request) should move under the /template api.
| } | ||
|
|
||
| type UUIDMapSpec struct { | ||
| TemplateProvisionRef kapi.ObjectReference |
There was a problem hiding this comment.
If, and it's probably a big if, we think that this is the only field we really need for UUIDMapping purposes, i think we should consider making UUIDMap a generic resource, rather than making it part of the template api. Then other brokers w/ a need for such mappings can also leverage it. (That would mean renaming the TemplateProvisionRef field to just Ref or something, of course).
Conversely, if we don't think that's a futureproof decision (we might later want to add template specific fields to the UUIDMap object) then I agree w/ your suggestion that we should name the resource object TemplateUUIDMap or something else more template specific, because otherwise oc get operations will be confusingly vague ("oc get uuidmaps").
There was a problem hiding this comment.
I think the hope is that the use of this object goes away if the underlying API supports "contexts" (i.e. complex co-ordinates rather than just UUIDs) in the future.
My understanding from the call we had with @smarterclayton was that the same non-namespaced object kind used by the templateservicebroker shouldn't be reused elsewhere because it would blur the security boundaries between components.
But it would potentially be neat to have a generic mapping object, e.g.
Spec:
From:
Kind: TemplateBrokerUUID
Value: <uuid>
To:
ObjectReference
There was a problem hiding this comment.
sounds like this should be a TemplateServiceUUIDMapSpec then. (TemplateService because what we are creating from a provision request is, ostensibly, a service instance of type template)
|
|
||
| func (c *MasterConfig) RunTemplateServiceBrokerControllers() { | ||
| go tsbcontroller.NewTemplateProvisionController(c.PrivilegedLoopbackKubernetesClientset, c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubeConfigPath).Run(utilwait.NeverStop) | ||
| go tsbcontroller.NewUUIDMapDeletionController(c.PrivilegedLoopbackOpenShiftClient).Run(utilwait.NeverStop) |
There was a problem hiding this comment.
probably just uuidmapcontroller as a name.
pkg/template/api/install/install.go
Outdated
| @@ -93,7 +93,7 @@ func newRESTMapper(externalVersions []unversioned.GroupVersion) meta.RESTMapper | |||
| worstToBestGroupVersions = append(worstToBestGroupVersions, externalVersions[i]) | |||
| } | |||
|
|
|||
| rootScoped := sets.NewString("SubjectAccessReview", "SelfSubjectAccessReview") | |||
| rootScoped := sets.NewString() | |||
There was a problem hiding this comment.
i don't understand the implications of this change (also not sure why something in here would need to be changing?)
There was a problem hiding this comment.
I think I'm just fixing an old copy/paste mistake!
| @@ -12,7 +12,7 @@ import ( | |||
| unversionedvalidation "k8s.io/kubernetes/pkg/api/unversioned/validation" | |||
| ) | |||
|
|
|||
| var parameterNameExp = regexp.MustCompile(`^[a-zA-Z0-9\_]+$`) | |||
| var parameterNameExp = regexp.MustCompile(`^[a-zA-Z0-9_]+$`) | |||
There was a problem hiding this comment.
was this broken before? what was the behavior? we need to be careful we're not making the parameter name field validation more restrictive. (I assume it's making it less restrictive by allowing _ when previously the escaping was doing who knows what)
There was a problem hiding this comment.
Both work identically, but I believe the \ is a syntax error which is being tolerated by the Golang regex parser.
| return &Broker{kc: kc, oc: oc} | ||
| } | ||
|
|
||
| // QUERY: does this need to be unique per cluster? |
There was a problem hiding this comment.
@bparees do you have any suggestions about where such a cluster-unique UUID should be generated and stashed?
There was a problem hiding this comment.
no, i'd ask @deads2k if there is already a uuid for the cluster that we can leverage.
There was a problem hiding this comment.
no, i'd ask @deads2k if there is already a uuid for the cluster that we can leverage.
@marun @derekwaynecarr What does kube federation use?
| @@ -0,0 +1,146 @@ | |||
| package brokerapi | |||
There was a problem hiding this comment.
this seems like it belongs under a more generic path than templateservicebroker (presumably ultimately it will be provided by the brokerSDK though)
| meta, _ := meta.Accessor(obj) | ||
| ref := meta.GetOwnerReferences() | ||
| ref = append(ref, metatypes.OwnerReference{ | ||
| APIVersion: "v1", |
There was a problem hiding this comment.
obviously this can't stay hardcoded, but i'm not sure how we know what the version should be.
There was a problem hiding this comment.
per the IRC discussion with @deads2k, this is supposed to be the apigroup value, not a version.
There was a problem hiding this comment.
My takeaway from that conversation was that whatever goes in, it is going to have to change. I could do APIVersion: v1.SchemeGroupVersion.String() where v1 refers to github.com/openshift/origin/pkg/template/api/v1, but fundamentally that's just a complicated way of saying "v1".
| return errs[0] | ||
| } | ||
|
|
||
| // TODO: rollback on error? |
There was a problem hiding this comment.
no, just mark the provision as failed and rely on the user(or service catalog?) to de-provision the failed service.
| } | ||
|
|
||
| // TODO: rollback on error? | ||
| // TODO: wait for the template to finish deploying? |
There was a problem hiding this comment.
what defines "finish"? if the template defines a buildconfig+deploymentconfig and we need the buildconfig to build, produce an image, and deploy that image, to be usable, are we going to try to codify that logic? presumably not, so unless we want to introduce a template-readiness-probe, i'm inclined to say "no".
|
Action items:
|
jim-minter
force-pushed
the
template_service_broker
branch
from
2c562cb to
70f211c
Compare
jim-minter
force-pushed
the
template_service_broker
branch
from
70f211c to
fa932dd
Compare
|
@bparees @pmorie @smarterclayton @openshift/api-review review and comments on this PR would be welcome. |
pkg/client/templatebrokeruuidmaps.go
Outdated
| } | ||
|
|
||
| // Delete deletes a templatebrokeruuidmap, returns error if one occurs. | ||
| // QUERY: the opts *kapi.DeleteOptions here seems non-standard, is that OK? |
There was a problem hiding this comment.
request for comment
There was a problem hiding this comment.
what's non-standard about it?
There was a problem hiding this comment.
the addition of opts *kapi.DeleteOptions to the arguments - didn't think that seemed to appear elsewhere in pkg/client
There was a problem hiding this comment.
probably just haven't needed to expose it before...seems fine.
| return allErrs | ||
| } | ||
|
|
||
| func validateTemplateInstanceImpersonation(oc *client.Client, ctx kapi.Context, ti *api.TemplateInstance) field.ErrorList { |
There was a problem hiding this comment.
@deads2k this is where I'm trying to confirm that the current user has the right to impersonate ti.Spec.ImpersonateUser.
There was a problem hiding this comment.
@deads2k this is where I'm trying to confirm that the current user has the right to impersonate ti.Spec.ImpersonateUser.
Validation should not rely on anything outside of the object itself. Otherwise you can get inconsistent results depends on when or where you run it.
| return &Broker{kc: kc, oc: oc, lister: informers.Templates().Lister(), templateNamespace: templateNamespace} | ||
| } | ||
|
|
||
| // TODO: UUID this should be unique per cluster |
There was a problem hiding this comment.
@smarterclayton @bparees @deads2k @marun @derekwaynecarr I'm stuck on what the strategy should be for generating and storing a UUID for this that is different per installed cluster.
| @@ -51,3 +55,116 @@ func validateTemplateBody(template *api.Template) (allErrs field.ErrorList) { | |||
| allErrs = append(allErrs, unversionedvalidation.ValidateLabels(template.ObjectLabels, field.NewPath("labels"))...) | |||
| return | |||
| } | |||
|
|
|||
| // ValidateTemplate tests if required fields in the Template are set. | |||
| func ValidateTemplateInstance(oc *client.Client, ctx kapi.Context, ti *api.TemplateInstance) (allErrs field.ErrorList) { | |||
There was a problem hiding this comment.
Maybe this is different than what I'm expecting, but I expect everything in this package to be related to static validation of an object.
Validation packages cannot rely on clients or context. This looks a lot like an admission plugin.
There was a problem hiding this comment.
yeah i think your concern is valid, this validation logic should just make sure the username is a valid value (fits whatever regex we enforce on usernames).
After that, if it turns out the user doesn't have the requisite permissions (or doesn't exist), we should find that out when we actually go to instantiate the template as the user, and when it fails, mark the provision request as failed.
There was a problem hiding this comment.
@bparees this isn't checking if the impersonated user can instantiate arbitrary objects from the template (indeed, that is already done as you state). This is checking if the user creating the TemplateInstance object with a given ImpersonteUser has permissions to impersonate that user. I can move this to an admission plugin.
| return field.ErrorList{field.InternalError(field.NewPath("spec.impersonateUser"), errors.New("no user context available"))} | ||
| } | ||
|
|
||
| if ti.Spec.ImpersonateUser != user.GetName() { |
There was a problem hiding this comment.
I haven't seen the types, but you're going to need the full subject. user, groups, extra (we store scopes here). Otherwise your impersonation may fail to create objects they only have permission to access via group bindings.
There was a problem hiding this comment.
I'd understood that I'd only receive a principal name (a username) from the servicebroker API caller (for example, it would be hard for the caller to enumerate group memberships to send them, and also hard for me to trust on receipt).
When I make API calls later impersonating that username, I understood that the ImpersonationFilter backend would look up the group memberships for the passed username dynamically at that point? Thus it is not necessary/appropriate to persist any group information at this stage?
Are you saying that a design whereby I only receive a username will not fly? If so, what things must I receive and is there a pre-existing type which encompasses them?
| if ti.Spec.ImpersonateUser != user.GetName() { | ||
| sar := authorizationapi.AddUserToSAR(user, | ||
| &authorizationapi.SubjectAccessReview{ | ||
| Action: authorizationapi.Action{ |
There was a problem hiding this comment.
Clever, reasonable, deserving of a comment and worthy of refactoring the API server filter to ensure consistency.
pkg/client/client.go
Outdated
| @@ -193,6 +195,16 @@ func (c *Client) Templates(namespace string) TemplateInterface { | |||
| return newTemplates(c, namespace) | |||
| } | |||
|
|
|||
| // Templates provides a REST client for Templates | |||
pkg/openservicebroker/route.go
Outdated
| ws.Route(ws.DELETE("/service_instances/{instance_id}").To(shim(deprovision))) | ||
| ws.Route(ws.GET("/service_instances/{instance_id}/last_operation").To(shim(lastOperation))) | ||
| ws.Route(ws.PUT("/service_instances/{instance_id}/service_bindings/{binding_id}").To(shim(bind))) | ||
| ws.Route(ws.DELETE("/service_instances/{instance_id}/service_bindings/{binding_id}").To(shim(unbind))) |
There was a problem hiding this comment.
are these routes protected by auth or not? we will ultimately need them to be protected by auth (and then the SC will need to have openshift credentials to invoke the broker). At least that is my understanding from @smarterclayton. Probably worth confirming with @pmorie.
There was a problem hiding this comment.
Yes, these are protected by authn/authz, although I haven't currently defined a bootstrap ClusterRole or ClusterRoleBinding so currently OOTB only system:admin can call them. Should this be done?
There was a problem hiding this comment.
yes i think we're going to want a specific set of SC credentials used to call this, and not give the SC system:admin credentials.
There was a problem hiding this comment.
ClusterRole defined. I think setting up the user and binding is an install time activity.
There was a problem hiding this comment.
Agree that we want auth on these routes. Unfortunately the API only supports basic auth at this point :(
There was a problem hiding this comment.
You guys need David and Jordan to review how this is going to fit into the authz and authn stuff. I'm ok delaying slightly, but i really don't want two different ways to authorize service broker and regular APIs.
pkg/openservicebroker/validation.go
Outdated
| key != templateapi.ImpersonateUserParameterKey { | ||
| errors = append(errors, field.Invalid(field.NewPath("parameters."+key), key, fmt.Sprintf("does not match %v", validation.ParameterNameRegexp))) | ||
| } | ||
| } |
There was a problem hiding this comment.
consider making it an error if the impersonate or namespace keys are not present since we can't doing anything safe or sensible without them.
There was a problem hiding this comment.
This is already done in the next layer down - I was trying to keep pkg/openservicebroker more generic.
pkg/openservicebroker/validation.go
Outdated
| for key := range breq.Parameters { | ||
| if !validation.ParameterNameRegexp.MatchString(key) { | ||
| errors = append(errors, field.Invalid(field.NewPath("parameters."+key), key, fmt.Sprintf("does not match %v", validation.ParameterNameRegexp))) | ||
| } |
There was a problem hiding this comment.
what parameters do we expect on a bind? what would we do with them?
perhaps it's an error if we get any parameters? either that or we should just ignore any parameters that are provided.
There was a problem hiding this comment.
The next layer down currently rejects all binds with any parameters set.
pkg/template/api/v1/types.go
Outdated
| // status is ... | ||
| Status kapi.ConditionStatus `json:"status" protobuf:"bytes,2,opt,name=status"` | ||
| // lasttransitiontime is ... | ||
| LastTransitionTime unversioned.Time `json:"lastTransitionTime" protobuf:"bytes,3,opt,name=lastTransitionTime"` |
There was a problem hiding this comment.
"last" transition time? would this just be the time at which this condition was added?
There was a problem hiding this comment.
The field isn't necessary for our purposes, I was following https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md#typical-status-properties ...
There was a problem hiding this comment.
We want transitionTime for conditions if a client would need to show "created 2 minutes ago" or similar.
pkg/template/api/v1/types.go
Outdated
| // TemplateInstanceCreated is ... | ||
| TemplateInstanceCreated TemplateInstanceConditionType = "Created" | ||
| // TemplateInstanceFailed is ... | ||
| TemplateInstanceFailed TemplateInstanceConditionType = "Failed" |
There was a problem hiding this comment.
I don't believe these are conventional according to https://github.com/kubernetes/community/blob/master/contributors/devel/api-conventions.md ...
There was a problem hiding this comment.
So "New" will be implied by the absence of any condition?
There was a problem hiding this comment.
Effectively, yes.
There was a problem hiding this comment.
I find that strange since these conditions are going to be what users see when they are trying to understand the state of their provision request. Seems like we can be more helpful by providing more descriptive/specific conditions.
| @@ -51,3 +55,116 @@ func validateTemplateBody(template *api.Template) (allErrs field.ErrorList) { | |||
| allErrs = append(allErrs, unversionedvalidation.ValidateLabels(template.ObjectLabels, field.NewPath("labels"))...) | |||
| return | |||
| } | |||
|
|
|||
| // ValidateTemplate tests if required fields in the Template are set. | |||
| func ValidateTemplateInstance(oc *client.Client, ctx kapi.Context, ti *api.TemplateInstance) (allErrs field.ErrorList) { | |||
There was a problem hiding this comment.
yeah i think your concern is valid, this validation logic should just make sure the username is a valid value (fits whatever regex we enforce on usernames).
After that, if it turns out the user doesn't have the requisite permissions (or doesn't exist), we should find that out when we actually go to instantiate the template as the user, and when it fails, mark the provision request as failed.
pkg/template/servicebroker/bind.go
Outdated
|
|
||
| namespace := uuidmap.Spec.TemplateInstanceRef.Namespace | ||
|
|
||
| services, resp := b.getServices(namespace, instance_id) |
There was a problem hiding this comment.
need to discuss with @pmorie and @smarterclayton but i suspect binding is also going to need to do impersonation... impersonating the user requesting the binding (which can be different from the user who requested the provisioning).
so at a minimum: should use the provision impersonate user to do this
better: bind call should provide a user name to impersonate when doing this
otherwise i can theoretically bind to something i can't otherwise access and exfiltrate the credentials. (or we can make the argument that the SC should not have allowed that bind call to be made, and we don't need to do anything. again @pmorie and @smarterclayton)
There was a problem hiding this comment.
OK - as a starting point I will have the bind call read the impersonation user from its parameters.
| return nil, openservicebroker.NewResponse(http.StatusInternalServerError, nil, err) | ||
| } | ||
|
|
||
| func (b *Broker) ensureTP(namespace string, instance_id string, template *api.Template, secret *kapi.Secret, impersonate string, didWork *bool) (*api.TemplateInstance, *openservicebroker.Response) { |
There was a problem hiding this comment.
nit: naming on ensureTP isn't obvious.
| ) | ||
|
|
||
| // This controller watches for TemplateBrokerUUIDMap objects which are set to gracefully | ||
| // delete, and deletes them when their time is up. |
There was a problem hiding this comment.
we have to do this? i assumed k8s would handle the graceful deletion itself.
There was a problem hiding this comment.
That was my understanding - @smarterclayton ?
There was a problem hiding this comment.
Need to have a discussion about this specifically - graceful can be used to signal deletion in this fashion (synchronous GC will use it), but I'm not clear the intent yet.
jim-minter
force-pushed
the
template_service_broker
branch
from
fa932dd to
637db06
Compare
openshift-bot
added
the
needs-rebase
jim-minter
force-pushed
the
template_service_broker
branch
from
637db06 to
9ca3f6c
Compare
jim-minter
removed
the
needs-rebase
| @@ -1,3 +0,0 @@ | |||
| This file is autogenerated, but we've stopped checking such files into the | |||
There was a problem hiding this comment.
You need to update to latest master, these should stay
There was a problem hiding this comment.
@Kargakis I'm confused - on latest master, if I do a make update, these files are removed?
There was a problem hiding this comment.
ah, I see - some issue with my local build environment - using hack/env seems to have fixed this, thanks
|
[test] |
jim-minter
force-pushed
the
template_service_broker
branch
6 times, most recently
from
a196973 to
188e0a3
Compare
jim-minter
force-pushed
the
template_service_broker
branch
from
9743ad1 to
c8c17b7
Compare
|
(pushed latest codebase) @smarterclayton all your changes made, ptal. |
|
API approved. May have some iteration prerelease but this is fine for now. |
jim-minter
force-pushed
the
template_service_broker
branch
6 times, most recently
from
d5fe55c to
bc7f714
Compare
jim-minter
force-pushed
the
template_service_broker
branch
2 times, most recently
from
874f5cd to
c02902f
Compare
|
[testextended][extended:core(templates)] |
test/extended/templates/helpers.go
Outdated
| } | ||
| } | ||
|
|
||
| func loopWithTimeout(d time.Duration, f func() bool) { |
There was a problem hiding this comment.
couldn't use kubernetes/pkg/util/wait.Poll?
| @@ -147,6 +150,9 @@ function os::test::extended::setup () { | |||
|
|
|||
| os::log::info "Creating image streams" | |||
| oc create -n openshift -f "${OS_ROOT}/examples/image-streams/image-streams-centos7.json" --config="${ADMIN_KUBECONFIG}" | |||
|
|
|||
| os::log::info "Creating sample app" | |||
| oc create -n openshift -f "${OS_ROOT}/examples/sample-app/application-template-stibuild.json" --config="${ADMIN_KUBECONFIG}" | |||
There was a problem hiding this comment.
why did this need to be added?
There was a problem hiding this comment.
discussed on IRC, it's needed by the broker (to have a valid template to instantiate) and creating it in the TC risks flakes due to tests running in parallel.
There was a problem hiding this comment.
That's not a great reason....
There was a problem hiding this comment.
This won't work on GCE
There was a problem hiding this comment.
why's that? it doesn't seem to assume anything the line directly above it doesn't also assume.
There was a problem hiding this comment.
@jim-minter evidently this script isn't run on GCE environments. let's chat tomorrow about how to rework this requirement, but for now i'm going to merge this since this test isn't being run on GCE today anyway.
jim-minter
force-pushed
the
template_service_broker
branch
from
c02902f to
0ae2afe
Compare
|
Evaluated for origin testextended up to 0ae2afe |
|
Evaluated for origin test up to 0ae2afe |
|
continuous-integration/openshift-jenkins/testextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended/75/) (Base Commit: 04d74e0) (Extended Tests: core(templates)) |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/412/) (Base Commit: 04d74e0) |
|
[merge] |
|
Evaluated for origin merge up to 0ae2afe |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/184/) (Base Commit: 15e3269) |
| @@ -121,6 +121,9 @@ function os::test::extended::setup () { | |||
| cp "${SERVER_CONFIG_DIR}/master/master-config.yaml" "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" | |||
| openshift ex config patch "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" --patch="{\"auditConfig\": {\"enabled\": true}}" > "${SERVER_CONFIG_DIR}/master/master-config.yaml" | |||
|
|
|||
| cp "${SERVER_CONFIG_DIR}/master/master-config.yaml" "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" | |||
| openshift ex config patch "${SERVER_CONFIG_DIR}/master/master-config.orig2.yaml" --patch="{\"enableTemplateServiceBroker\": true}" > "${SERVER_CONFIG_DIR}/master/master-config.yaml" | |||
There was a problem hiding this comment.
This should just string the patches together like we do in hack/lib/start.sh
@bparees @pmorie @smarterclayton initial review and comments on this would be welcome.
Currently the code is in a separate directory pkg/templateservicebroker, simply because that's how I started off. I now suppose that the vast majority of the code would be better off under pkg/template. I don't know if it's easier to start looking through this as it stands, or whether it'd be easier (less repeated boilerplate) if I did the merge before your initial review. LMK.