wire in aggregator #14285
wire in aggregator #14285
Conversation
|
[test] |
|
Well, that's a problem. @liggitt got suggestions? |
|
Well, it can proxy certificate based users at the moment, so its a strict improvement. Let's get some reviews on this much. |
|
@bparees you were asking. |
... |
Yeah. Technically its never worked, so changing the name can work. |
|
jessica actually gave me a path to console SC usage that doesn't require the aggregator after all, so i'm going to try that first. I'm still bleeding from my experience as an api server guinea pig. |
|
@sdodson I'm guessing that @pmorie and @derekwaynecarr have already engaged you regarding how to wire up the service catalog for its beta installation, but the instructions I've included in the description show the particular fields used for wiring the API server to enable the aggregator to route traffic to the service catalog. |
|
@ewolinetz and @jpeeler are collaborating (or about to) on that work. |
|
|
| // TODO this is probably an indication that we need explicit and precise control over the discovery chain | ||
| // but for now its a special case | ||
| // apps has to come last for compatibility with 1.5 kubectl clients | ||
| if apiService.Spec.Group == "apps" { |
There was a problem hiding this comment.
just to confirm, this won't conflict with apps.openshift.io?
pkg/cmd/server/origin/master.go
Outdated
|
|
||
| aggregatorConfig, err := c.createAggregatorConfig(*kc.Master.GenericConfig) | ||
| if err != nil { | ||
| glog.Fatalf("Failed to launch master: %v", err) |
There was a problem hiding this comment.
Failed to create aggregator config
pkg/authorization/api/types.go
Outdated
| @@ -22,7 +22,7 @@ const ( | |||
| VerbAll = "*" | |||
| NonResourceAll = "*" | |||
|
|
|||
| ScopesKey = "authorization.openshift.io/scopes" | |||
| ScopesKey = "scopes.authorization.openshift.io" | |||
There was a problem hiding this comment.
do we need to update/migrate something after this change?
There was a problem hiding this comment.
do we need to update/migrate something after this change?
No. I reasoned through this with jordan. It's merging in a separate pull.
|
LGTM, but will prefer @enj to have second look before merging. |
|
@smarterclayton I seem to be failing on Any idea what's up? |
|
comments addressed [merge] |
| if err != nil { | ||
| t.Fatalf("error starting server: %#v", err) | ||
| } | ||
| kubeConfigFile := masterConfig.MasterClients.OpenShiftLoopbackKubeConfig |
There was a problem hiding this comment.
I assume you will drop this commit so the comment gets added.
pkg/authorization/api/types.go
Outdated
| @@ -22,7 +22,7 @@ const ( | |||
| VerbAll = "*" | |||
| NonResourceAll = "*" | |||
|
|
|||
| ScopesKey = "authorization.openshift.io/scopes" | |||
| ScopesKey = "scopes.authorization.openshift.io" | |||
There was a problem hiding this comment.
er... so based on comments this never worked? How did we not notice?
| go apiserver.Run(utilwait.NeverStop) | ||
|
|
||
| // Attempt to verify the server came up for 20 seconds (100 tries * 100ms, 100ms timeout per try) | ||
| cmdutil.WaitForSuccessfulDial(c.TLS, c.Options.ServingInfo.BindNetwork, c.Options.ServingInfo.BindAddress, 100*time.Millisecond, 100*time.Millisecond, 100) |
There was a problem hiding this comment.
Do we not care if we fail here?
There was a problem hiding this comment.
Do we not care if we fail here?
pre-existing. Not really sure what it does
There was a problem hiding this comment.
pre-existing. Not really sure what it does
Tries a bunch of times and returns and error on failure (which we ignore and just keep going).
| if err != nil { | ||
| glog.Fatalf("Failed to create aggregator config: %v", err) | ||
| } | ||
| aggregatorServer, err := createAggregatorServer(aggregatorConfig, apiserver.GenericAPIServer, kc.Informers.InternalKubernetesInformers(), stopCh) |
There was a problem hiding this comment.
Do you plan to use kc.Informers.InternalKubernetesInformers() later?
There was a problem hiding this comment.
Do you plan to use kc.Informers.InternalKubernetesInformers() later?
it gets started elsewhere to drive this.
There was a problem hiding this comment.
it gets started elsewhere to drive this.
I do not understand what you mean. All I was saying is that createAggregatorServer does not use the sharedInformers parameter, so why bother passing it?
|
Looks like I have some verifies to sort through. |
|
This is a blocker for the 3.6 release, I'm putting this at [severity:blocker]. Will review |
|
rebased and fixed up verifies I think |
|
@smarterclayton I seem to be unable to make protobuf verification happy. Can you try and see? |
|
Evaluated for origin test up to c57c9c8 |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/1808/) (Base Commit: 69de7d3) |
|
Flake from journalctl output. |
|
Evaluated for origin merge up to c57c9c8 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/832/) (Base Commit: 63fe34a) (Extended Tests: blocker) (Image: devenv-rhel7_6280) |
I think there are more picks that are going to be required and I'm sorting out some bad behavior around hangs, but this is the direction I'm going in.
@openshift/api-review for the the aggregator config commit.
Right now, I've only tested this manually (no test image is yet pushed and it requires custom master-config.yaml and active nodes).
and then deleting everything but the files I wanted.
2. Generated a fresh master-config.yaml.
3. Replace stanzas in master-config.yaml with
sudo $(which openshift) start --master-config openshift.local.config/master/master-config.yaml --node-config openshift.local.config/node-deads-dev-01/node-config.yamlnice make WHAT=vendor/k8s.io/sample-apiserver/ && vendor/k8s.io/sample-apiserver/hack/build-image.shoc new-project wardle- new project to start withoadm policy add-scc-to-user privileged -z apiserver- etcd doesn't like running as non-root and I didn't feel like trying to deal with itoc create policybinding kube-system -n kube-systemoc create -f test/extended/testdata/aggregator/- create the resourcesoc get flunders- proof!