patch kubeconfig if token cannot be deleted via api

[juanvallejo]

Fixes #7011
Related bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1422252

Deletes a token in a kubeconfig user stanza even if the token could not be deleted via the API.

cc @openshift/cli-review @stevekuznetsov @deads2k

[juanvallejo]

[test]

[stevekuznetsov]

Not sure the logic makes sense to me -- oc logout should always remove the token from your .kube/config but should delete it using the API as a best-effort attempt.

If this does end up being the accepted logic, you should break this out into a separate method at the very least, four levels of nested logic smells and and doesn't read well for someone trying to glance over RunLogout().

[juanvallejo]

@stevekuznetsov thanks for the feedback, I extracted out existing code to patch config into a separate function, which is now being called before attempting to delete using api. PTAL

[stevekuznetsov]

Is the ordering here important? Not sure we want to be in a situation where we have deleted the token from config but failed before trying to delete it using the API.

[stevekuznetsov]

Doesn't this just mean we modified the in-memory copy of the config? Whereas the kclientcmd.ModifyConfig call later is what actually modifies the config on disk?

[juanvallejo]

re[test]

[stevekuznetsov]

NewAggregate does this for you

[juanvallejo]

I need to not append nil to the errs slice at the end in order to print a successful message or not by checking if len(errs) == 0 ...

[stevekuznetsov]

Just check if the output of Flatten is nil or not

[stevekuznetsov]

Flatten does this for you

[juanvallejo]

Although this also applies to cases outside of being logged in with a serviceaccount token, I am not sure how I feel about returning an error message everytime a user tries to log out when using a serviceaccount token. cc @fabianofranz

[fabianofranz]

I would make it a log with low level, but not print it by default.

[juanvallejo]

@fabianofranz Thanks, updated this line to glog instead. It will still print the server error (if any) however, just in case it is unrelated to the token not being found:

$ oc logout --loglevel=1
I0216 09:42:03.042611   13554 logout.go:137] An error ocurred deleting the token on the server. The token has been removed from your local configuration.

Error from server (NotFound): oauthaccesstokens "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tNjU3bjQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjVmMzk0Y2I0LWYzYWYtMTFlNi1iNDUxLTUwN2I5ZGFjOTZlMSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.c7TiHikwCsobsMTIYhB6O-FjRca6TJmccpN4jem4oKWh9UTE8SxjqnCtrjZe_-zJ0eZ-GovMgiaa5L0xcilcvnj7htKeT3XeycKcUzxYCGJj884UL-Ouu4dh0-vJElvEMu6AlpwxmaES99-aJbghaTOssIIVFQdP9-AsYA2iVS1BBbeCWLw7yrE1gRXVhSjRhntpUwr-OBGO7fV8_ky96FjmUltADw0cynZr6P_NN_DWZYrEhaK7TuAbc-14K9uzLqcAiG_RLJfR7fOUvjPBp9kQDfQ13PczYhvMhXxluMma7WyXOrsB9ia2D2dXJ2SIA4a6tuL_8K_7UPaiO-an9Q" not found

[smarterclayton]

Flake was

12:14:21 TASK [openshift-registry : Deploy latest configuration of registry DC] *********
12:14:21 Wednesday 15 February 2017  17:14:21 +0000 (0:00:00.565)       0:14:48.331 **** 
12:14:21 fatal: [ci-prtest590-ig-m-2w6c]: FAILED! => {"changed": true, "cmd": ["oc", "deploy", "docker-registry", "--latest"], "delta": "0:00:00.199192", "end": "2017-02-15 12:14:21.602776", "failed": true, "rc": 1, "start": "2017-02-15 12:14:21.403584", "stderr": "Flag --latest has been deprecated, use 'oc rollout latest' instead\nerror: #2 is already in progress (Running).\nOptionally, you can cancel this deployment using 'oc rollout cancel dc/docker-registry-2'.", "stdout": "", "stdout_lines": [], "warnings": []}

@Kargakis @mfojtik failed when deploying, looks familiar but has never happened in gce before

[fabianofranz]

@juanvallejo legit failure in https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/281/

[juanvallejo]

@fabianofranz thanks!

[juanvallejo]

re[test]

[fabianofranz]

@stevekuznetsov anything else here?

[stevekuznetsov]

You're doing a glog.V(1).Infof with the flattened error below, so you'll always get a log about the delete failure. You should just do this here:

if configErr := deleteTokenFromConfig(*o.StartingKubeConfig, o.PathOptions, token); configErr == nil {
    glog.V(1).Info("Removed token from your local configuration.\n\n")
}
errs = append(errs, configErr)

[stevekuznetsov]

The logic now is -- we fail to delete from API server, and we fail to delete from config, but we print the logout message and return nil so we exit successfully. Are both of these operations meant to be best-effort?

[stevekuznetsov]

Don't do

if err != nil {
    return err
}
return nil

just do

return err

[stevekuznetsov]

This is outstanding @juanvallejo

[juanvallejo]

@stevekuznetsov

The logic now is -- we fail to delete from API server, and we fail to delete from config, but we print the logout message and return nil so we exit successfully. Are both of these operations meant to be best-effort?

Updated this to print Logged out user ... as long as there is no configError. Also, I return configError if there is one, since the server error gets logged regardless. PTAL

[juanvallejo]

re[test]

[stevekuznetsov]

You don't need to leak serverErr out of this scope anymore

[juanvallejo]

Thanks, fixed

[juanvallejo]

@stevekuznetsov thanks for the feedback, review comments addressed

[stevekuznetsov]

Don't \n in glog

[stevekuznetsov]

One small nit, otherwise LGTM

[openshift-bot]

Evaluated for origin test up to 3c0eb53

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/365/) (Base Commit: 3f36d2e)

[fabianofranz]

glog line breaks addressed, [merge].

[openshift-bot]

Evaluated for origin merge up to 3c0eb53

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/365/) (Base Commit: 3ef5377) (Image: devenv-rhel7_5945)