Register OpenShift resources to API groups #12986
Conversation
| knet "k8s.io/kubernetes/pkg/util/net" | ||
|
|
||
| build "github.com/openshift/origin/pkg/build/api" | ||
| buildv1 "github.com/openshift/origin/pkg/build/api/v1" |
There was a problem hiding this comment.
buildapi and buildapiv1 may be more appropriate.
| @@ -12,7 +12,6 @@ import ( | |||
| "k8s.io/kubernetes/pkg/util/diff" | |||
| "k8s.io/kubernetes/pkg/util/intstr" | |||
|
|
|||
| v1 "github.com/openshift/origin/pkg/api/v1" | |||
| deployapi "github.com/openshift/origin/pkg/deploy/api" | |||
| _ "github.com/openshift/origin/pkg/deploy/api/install" | |||
| deployv1 "github.com/openshift/origin/pkg/deploy/api/v1" | |||
There was a problem hiding this comment.
deployapi and deployapiv1 may be more appropriate.
| found := false | ||
| for _, g := range groups.Groups { | ||
| if g.Name == buildv1.GroupName { | ||
| found = true |
| @@ -171,6 +175,124 @@ func TestWellKnownOAuthOff(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| func TestApiGroups(t *testing.T) { | |||
| testutil.RequireEtcd(t) | |||
There was a problem hiding this comment.
Split this test function into three function TestBuildApiGroup TestDeployApiGroup TestTemplateApiGroup maybe better, and add another common test config function. :)
There was a problem hiding this comment.
@guangxuli mind if all this refactoring will be a follow up? don't want to increase the diff size of already big change :-)
pkg/build/api/v1/register.go
Outdated
| @@ -7,7 +7,7 @@ import ( | |||
|
|
|||
| const GroupName = "" | |||
|
|
|||
| // SchemeGroupVersion is group version used to register these objects | |||
| // LegacySchemeGroupVersion is group version used to register these objects | |||
| var SchemeGroupVersion = unversioned.GroupVersion{Group: GroupName, Version: "v1"} | |||
There was a problem hiding this comment.
godoc misaligned w/ field name (i'm not sure which is correct....)
|
please make sure the extended builds tests get run on this PR before it merges. |
|
@bparees this is a long way to be testable :) |
mfojtik
force-pushed
the
apigroups
branch
4 times, most recently
from
ece8195 to
29c7713
Compare
|
@sttts @deads2k this should now include all api groups for all origin resources. Besides broken tests, there are couple things that are worrying me:
@smarterclayton @liggitt PTAL if you have any comments/concerns/etc. before I go on the journey of fixing all tests... |
| @@ -21,7 +21,20 @@ var OldestVersion = unversioned.GroupVersion{Group: "", Version: "v1"} | |||
| // may be assumed to be most preferred to least preferred, and clients may | |||
| // choose to prefer the earlier items in the list over the latter items when presented | |||
| // with a set of versions to choose. | |||
| var Versions = []unversioned.GroupVersion{{Group: "", Version: "v1"}} | |||
| var Versions = []unversioned.GroupVersion{ | |||
There was a problem hiding this comment.
@deads2k is there any less-uglier way to determine if a resource is "openshift"?
(or this will go away once we have client-go that includes k8s client as well?).
There was a problem hiding this comment.
I don't even remember what this is used for. I thought we used reflection to find out if it was an openshift type.
There was a problem hiding this comment.
i found this in our client that use this to distinguish between kube and origin resources...
|
@sttts ./pkg/api/... unit tests are working \o/ |
| @@ -133,7 +133,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole { | |||
| }, | |||
| }, | |||
| Rules: []authorizationapi.PolicyRule{ | |||
| authorizationapi.NewRule("impersonate").Groups(kapiGroup).Resources(authorizationapi.SystemUserResource).Names(SystemAdminUsername).RuleOrDie(), | |||
| authorizationapi.NewRule("impersonate").Groups(authzGroup, legacyAuthzGroup, userGroup).Resources(authorizationapi.SystemUserResource).Names(SystemAdminUsername).RuleOrDie(), | |||
There was a problem hiding this comment.
@deads2k PTAL (i think authzGroup is not required, what fixed this was addition of userGroup)
There was a problem hiding this comment.
@deads2k PTAL (i think authzGroup is not required, what fixed this was addition of userGroup)
Our system users kind should be grouped, so the new code is probably overly loose.
|
[test] |
pkg/deploy/api/test/ok.go
Outdated
| @@ -240,7 +240,7 @@ func OkHPAForDeploymentConfig(config *deployapi.DeploymentConfig, min, max int) | |||
| Spec: autoscaling.HorizontalPodAutoscalerSpec{ | |||
| ScaleTargetRef: autoscaling.CrossVersionObjectReference{ | |||
| Name: config.Name, | |||
| Kind: "DeploymentConfig", | |||
| Kind: "DeploymentConfig.deploy.openshift.io", | |||
There was a problem hiding this comment.
Um... this is wrong, Kind does not get group versions appended to it.
There was a problem hiding this comment.
CrossVersionObjectReference should have a Group field.
There was a problem hiding this comment.
yeah.. it only have APIVersion
There was a problem hiding this comment.
I will open upstream issue
There was a problem hiding this comment.
I'm pretty sure that's the API version field that has the group and version squashed together with a slash :-(
mfojtik
force-pushed
the
apigroups
branch
2 times, most recently
from
af5aadc to
e01344a
Compare
| SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, addConversionFuncs, addDefaultingFuncs) | ||
| AddToScheme = SchemeBuilder.AddToScheme | ||
| ) | ||
|
|
||
| // Adds the list of known types to api.Scheme. | ||
| // addKnownTypes adds types to API group |
There was a problem hiding this comment.
... adds the API group types to the scheme
pkg/image/api/install/apigroup.go
Outdated
| @@ -14,11 +17,17 @@ func init() { | |||
| GroupName: api.GroupName, | |||
| VersionPreferenceOrder: []string{v1.SchemeGroupVersion.Version}, | |||
pkg/image/api/install/apigroup.go
Outdated
| @@ -14,11 +17,17 @@ func init() { | |||
| GroupName: api.GroupName, | |||
| VersionPreferenceOrder: []string{v1.SchemeGroupVersion.Version}, | |||
| ImportPrefix: importPrefix, | |||
| //AddInternalObjectsToScheme: api.AddToScheme, | |||
| AddInternalObjectsToScheme: func(scheme *runtime.Scheme) error { | |||
| docker10.AddToScheme(scheme) | |||
There was a problem hiding this comment.
aggregate errors... ok for testing
mfojtik
force-pushed
the
apigroups
branch
3 times, most recently
from
baaba1a to
bf2e2c2
Compare
|
@deads2k @liggitt @sttts @smarterclayton squashed and prettified for easier reviewing. all unit tests should be green by now. |
|
(starting integration manually: https://ci.openshift.redhat.com/jenkins/view/Origin%20Test%20Jobs/job/test_pull_requests_origin_integration/11177/console) |
|
For admission, why don't we put something early in the chain that
collapses groups to core for now and slate a follow up?
|
Mutable admission attributes aren't tech debt I'm eager to take on |
|
And if we push to prod? I'll take a targeted protection for cohabitation
over a cluster compromise...
On Mar 16, 2017, at 9:08 PM, Jordan Liggitt <[email protected]> wrote:
For admission, why don't we put something early in the chain that collapses
groups to core for now and slate a follow up?
Mutable admission attributes aren't tech debt I'm eager to take on
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#12986 (comment)>,
or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABG_p2jWAtZH7jJ7Ctw95MIvtdfBtYv9ks5rmdztgaJpZM4MC0WX>
.
|
|
Alternative - transform at the begin lining of each, go through and
selectively audit until all transforms are removed.
|
|
continuous-integration/openshift-jenkins/merge SUCCESS (Image: devenv-rhel7_6074) |
…sionResources in namespace controller
|
re-[merge] (forgot to update bootstrap test fixture) |
|
Evaluated for origin test up to 3e9c0f0 |
|
continuous-integration/openshift-jenkins/test Running (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/283/) (Base Commit: bd446c7) |
|
Evaluated for origin testextended up to 3e9c0f0 |
|
Evaluated for origin merge up to 3e9c0f0 |
|
@smarterclayton @liggitt will mfojtik@9a9032f do? I looked at other admission controllers and it seems image policy is special as it takes list of resources to enforce the policy as part of configuration... I don't see any other admission plugin having the same problem (but maybe I'm wrong ;-) |
|
continuous-integration/openshift-jenkins/testextended FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended/46/) (Base Commit: bd446c7) (Extended Tests: core) |
|
continuous-integration/openshift-jenkins/test SUCCESS |
|
|
|
🎉 |
|
This did not fix the concern I had with image policy - that actually
exposes another hole. See my comments on the linked commit.
On Mar 17, 2017, at 8:32 AM, Dr. Stefan Schimanski <[email protected]> wrote:
🎉
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#12986 (comment)>,
or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABG_pyGtFTzDwhvsZyN8pTOB-P79J_tiks5rmn1CgaJpZM4MC0WX>
.
|
This is a work-in-progress PR that registers the OpenShift types into API groups.
authorization.openshift.iobuild.openshift.iodeploy.openshift.io=>apps.openshift.ioimage.openshift.iooauth.openshift.ioproject.openshift.ioroute.openshift.iooc exposegeneratornetworking.openshift.iosecurity.openshift.iotemplate.openshift.iouser.openshift.io