From f2afa3a016f693b572b0a8f953db87d1af99e4c2 Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Wed, 25 Apr 2018 10:14:28 -0400
Subject: [PATCH 01/26] Remove node and origin images now that ansible is updated
---
 hack/lib/constants.sh | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/hack/lib/constants.sh b/hack/lib/constants.sh
index 6d1f834644e0..653775766e4e 100755
--- a/hack/lib/constants.sh
+++ b/hack/lib/constants.sh
@@ -362,9 +362,6 @@ function os::build::images() {
 ( os::build::image "${tag_prefix}-sti-builder" images/builder/docker/sti-builder ) &
 ( os::build::image "${tag_prefix}-f5-router" images/router/f5 ) &
 ( os::build::image "${tag_prefix}-node" images/node ) &
- # These images are deprecated and will be removed once ansible is updated to stop using them
- ( os::build::image "openshift/origin" images/origin ) &
- ( os::build::image "openshift/node" images/node ) &
 for i in `jobs -p`; do wait $i; done
 }
From 57e7c6c0d45fb7f7b2e4bb6dfc13ad5b4b46d0b9 Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Wed, 25 Apr 2018 10:51:45 -0400
Subject: [PATCH 02/26] Remove origin-sti-build image and use origin-docker-build for both

The controller now uses only the one image.
---
 hack/lib/constants.sh | 2 -
 .../docker/custom-docker-builder/.cccp.yml | 1 -
 .../docker/custom-docker-builder/Dockerfile | 28 --------
 .../docker/custom-docker-builder/build.sh | 70 -------------------
 images/builder/docker/sti-builder/.cccp.yml | 1 -
 images/builder/docker/sti-builder/Dockerfile | 18 -----
 .../builder/docker/sti-builder/bin/.gitignore | 1 -
 pkg/build/controller/strategy/docker.go | 2 +-
 pkg/build/controller/strategy/docker_test.go | 4 +-
 pkg/build/controller/strategy/sti.go | 2 +-
 pkg/build/controller/strategy/sti_test.go | 4 +-
 pkg/build/controller/strategy/util.go | 6 +-
 .../controller/build.go | 2 +-
 13 files changed, 10 insertions(+), 131 deletions(-)
 delete mode 100644 images/builder/docker/custom-docker-builder/.cccp.yml
 delete mode 100644 images/builder/docker/custom-docker-builder/Dockerfile
 delete mode 100755 images/builder/docker/custom-docker-builder/build.sh
 delete mode 100644 images/builder/docker/sti-builder/.cccp.yml
 delete mode 100644 images/builder/docker/sti-builder/Dockerfile
 delete mode 100644 images/builder/docker/sti-builder/bin/.gitignore
diff --git a/hack/lib/constants.sh b/hack/lib/constants.sh
index 653775766e4e..69f1803118dc 100755
--- a/hack/lib/constants.sh
+++ b/hack/lib/constants.sh
@@ -315,7 +315,6 @@ readonly OS_ALL_IMAGES=(
 origin-deployer
 origin-docker-builder
 origin-keepalived-ipfailover
- origin-sti-builder
 origin-haproxy-router
 origin-f5-router
 origin-egress-router
@@ -359,7 +358,6 @@ function os::build::images() {
 ( os::build::image "${tag_prefix}-deployer" images/deployer ) &
 ( os::build::image "${tag_prefix}-recycler" images/recycler ) &
 ( os::build::image "${tag_prefix}-docker-builder" images/builder/docker/docker-builder ) &
- ( os::build::image "${tag_prefix}-sti-builder" images/builder/docker/sti-builder ) &
 ( os::build::image "${tag_prefix}-f5-router" images/router/f5 ) &
 ( os::build::image "${tag_prefix}-node" images/node ) &
diff --git a/images/builder/docker/custom-docker-builder/.cccp.yml b/images/builder/docker/custom-docker-builder/.cccp.yml
deleted file mode 100644
index eba38fae795b..000000000000
--- a/images/builder/docker/custom-docker-builder/.cccp.yml
+++ /dev/null
@@ -1 +0,0 @@
-job-id: origin-custom-docker-builder
diff --git a/images/builder/docker/custom-docker-builder/Dockerfile b/images/builder/docker/custom-docker-builder/Dockerfile
deleted file mode 100644
index a43087da0c3e..000000000000
--- a/images/builder/docker/custom-docker-builder/Dockerfile
+++ /dev/null
@@ -1,28 +0,0 @@ -# This image is intended for testing purposes, it has the same behavior as -# the origin-docker-builder image, but does so as a custom image so it can -# be used with Custom build strategies. It expects a set of -# environment variables to parameterize the build: -# -# OUTPUT_REGISTRY - the Docker registry URL to push this image to -# OUTPUT_IMAGE - the name to tag the image with -# SOURCE_URI - a URI to fetch the build context from -# SOURCE_REF - a reference to pass to Git for which commit to use (optional) -# -# This image expects to have the Docker socket bind-mounted into the container. -# If "/root/.dockercfg" is bind mounted in, it will use that as authorization -# to a Docker registry. -# -# The standard name for this image is openshift/origin-custom-docker-builder -# -FROM openshift/origin-base - -RUN INSTALL_PKGS="gettext automake make docker" && \ - yum install -y $INSTALL_PKGS && \ - rpm -V $INSTALL_PKGS && \ - yum clean all - -LABEL io.k8s.display-name="OpenShift Origin Custom Builder Example" \ - io.k8s.description="This is an example of a custom builder for use with OpenShift Origin." -ENV HOME=/root -COPY build.sh /tmp/build.sh -CMD ["/tmp/build.sh"] diff --git a/images/builder/docker/custom-docker-builder/build.sh b/images/builder/docker/custom-docker-builder/build.sh deleted file mode 100755 index 8e9f5ae457b3..000000000000 --- a/images/builder/docker/custom-docker-builder/build.sh +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/bin/bash - -# See https://docs.openshift.org/latest/creating_images/custom.html#custom-builder-image -# for the list of environment variables set by OpenShift before the custom -# builder image is run. -# -# Although set as part of the API, the environment variables -# SOURCE_REPOSITORY/SOURCE_URI, SOURCE_CONTEXT_DIR and SOURCE_REF can also be -# derived from the BUILD environment variable using a tool such as `jq` -# (https://stedolan.github.io/jq/). (Note: you would need to include the `jq` -# binary in your custom builder image). If necessary, this technique can be -# used for extracting other values from the BUILD json from a shell script. -# -# SOURCE_REPOSITORY=$(jq -nr '(env.BUILD|fromjson).spec.source.git.uri') -# SOURCE_URI=$(jq -nr '(env.BUILD|fromjson).spec.source.git.uri') -# SOURCE_CONTEXT_DIR=$(jq -nr '(env.BUILD|fromjson).spec.source.contextDir') -# SOURCE_REF=$(jq -nr '(env.BUILD|fromjson).spec.source.git.ref') - -set -o pipefail -IFS=$'\n\t' - -DOCKER_SOCKET=/var/run/docker.sock - -if [ ! -e "${DOCKER_SOCKET}" ]; then - echo "Docker socket missing at ${DOCKER_SOCKET}" - exit 1 -fi - -if [ -n "${OUTPUT_IMAGE}" ]; then - TAG="${OUTPUT_REGISTRY}/${OUTPUT_IMAGE}" -fi - -if [[ "${SOURCE_REPOSITORY}" != "git://"* ]] && [[ "${SOURCE_REPOSITORY}" != "git@"* ]]; then - URL="${SOURCE_REPOSITORY}" - if [[ "${URL}" != "http://"* ]] && [[ "${URL}" != "https://"* ]]; then - URL="https://${URL}" - fi - curl --head --silent --fail --location --max-time 16 $URL > /dev/null - if [ $? != 0 ]; then - echo "Could not access source url: ${SOURCE_REPOSITORY}" - exit 1 - fi -fi - -if [ -n "${SOURCE_REF}" ]; then - BUILD_DIR=$(mktemp --directory) - git clone --recursive "${SOURCE_REPOSITORY}" "${BUILD_DIR}" - if [ $? != 0 ]; then - echo "Error trying to fetch git source: ${SOURCE_REPOSITORY}" - exit 1 - fi - pushd "${BUILD_DIR}" - git checkout "${SOURCE_REF}" - if [ $? 
!= 0 ]; then - echo "Error trying to checkout branch: ${SOURCE_REF}" - exit 1 - fi - popd - docker build --rm -t "${TAG}" "${BUILD_DIR}" -else - docker build --rm -t "${TAG}" "${SOURCE_REPOSITORY}" -fi - -if [[ -d /var/run/secrets/openshift.io/push ]] && [[ ! -e /root/.dockercfg ]]; then - cp /var/run/secrets/openshift.io/push/.dockercfg /root/.dockercfg -fi - -if [ -n "${OUTPUT_IMAGE}" ] || [ -s "/root/.dockercfg" ]; then - docker push "${TAG}" -fi diff --git a/images/builder/docker/sti-builder/.cccp.yml b/images/builder/docker/sti-builder/.cccp.yml deleted file mode 100644 index 6d570617fc4c..000000000000 --- a/images/builder/docker/sti-builder/.cccp.yml +++ /dev/null @@ -1 +0,0 @@ -job-id: origin-sti-builder diff --git a/images/builder/docker/sti-builder/Dockerfile b/images/builder/docker/sti-builder/Dockerfile deleted file mode 100644 index beb149c1fc31..000000000000 --- a/images/builder/docker/sti-builder/Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -# -# This is the image that executes a S2I build inside Origin. It expects the -# following environment variables: -# -# BUILD - JSON string containing the openshift build object -# -# This image expects to have the Docker socket bind-mounted into the container. -# If "/root/.dockercfg" is bind mounted in, it will use that as authorization to a -# Docker registry. -# -# The standard name for this image is openshift/origin-sti-builder -# -FROM openshift/origin-control-plane - -LABEL io.k8s.display-name="OpenShift Origin S2I Builder" \ - io.k8s.description="This is a component of OpenShift Origin and is responsible for executing source-to-image (s2i) image builds." \ - io.openshift.tags="openshift,sti,builder" -ENTRYPOINT ["/usr/bin/openshift-sti-build"] diff --git a/images/builder/docker/sti-builder/bin/.gitignore b/images/builder/docker/sti-builder/bin/.gitignore deleted file mode 100644 index 6457b7a1c1dd..000000000000 --- a/images/builder/docker/sti-builder/bin/.gitignore +++ /dev/null 
@@ -1 +0,0 @@
-openshift-sti-build
diff --git a/pkg/build/controller/strategy/docker.go b/pkg/build/controller/strategy/docker.go
index 03162276e1f6..3d2cb4ce50b8 100644
--- a/pkg/build/controller/strategy/docker.go
+++ b/pkg/build/controller/strategy/docker.go
@@ -57,7 +57,7 @@ func (bs *DockerBuildStrategy) CreateBuildPod(build *buildapi.Build) (*v1.Pod, e
 ServiceAccountName: serviceAccount,
 Containers: []v1.Container{
 {
- Name: dockerBuild,
+ Name: DockerBuild,
 Image: bs.Image,
 Command: []string{"openshift-docker-build"},
 Env: copyEnvVarSlice(containerEnv),
diff --git a/pkg/build/controller/strategy/docker_test.go b/pkg/build/controller/strategy/docker_test.go
index 48514d355a7f..8a940a5e0400 100644
--- a/pkg/build/controller/strategy/docker_test.go
+++ b/pkg/build/controller/strategy/docker_test.go
@@ -43,8 +43,8 @@ func TestDockerCreateBuildPod(t *testing.T) {
 }
 container := actual.Spec.Containers[0]
- if container.Name != dockerBuild {
- t.Errorf("Expected %s, but got %s!", dockerBuild, container.Name)
+ if container.Name != DockerBuild {
+ t.Errorf("Expected %s, but got %s!", DockerBuild, container.Name)
 }
 if container.Image != strategy.Image {
 t.Errorf("Expected %s image, got %s!", container.Image, strategy.Image)
diff --git a/pkg/build/controller/strategy/sti.go b/pkg/build/controller/strategy/sti.go
index f44437e7086f..7fe907347b80 100644
--- a/pkg/build/controller/strategy/sti.go
+++ b/pkg/build/controller/strategy/sti.go
@@ -80,7 +80,7 @@ func (bs *SourceBuildStrategy) CreateBuildPod(build *buildapi.Build) (*v1.Pod, e
 ServiceAccountName: serviceAccount,
 Containers: []v1.Container{
 {
- Name: stiBuild,
+ Name: StiBuild,
 Image: bs.Image,
 Command: []string{"openshift-sti-build"},
 Env: copyEnvVarSlice(containerEnv),
diff --git a/pkg/build/controller/strategy/sti_test.go b/pkg/build/controller/strategy/sti_test.go
index ef733cad264e..d11a5524f594 100644
--- a/pkg/build/controller/strategy/sti_test.go
+++ b/pkg/build/controller/strategy/sti_test.go
@@ -75,8 +75,8 @@ func testSTICreateBuildPod(t *testing.T, rootAllowed bool) {
 }
 container := actual.Spec.Containers[0]
- if container.Name != stiBuild {
- t.Errorf("Expected %s, but got %s!", stiBuild, container.Name)
+ if container.Name != StiBuild {
+ t.Errorf("Expected %s, but got %s!", StiBuild, container.Name)
 }
 if container.Image != strategy.Image {
 t.Errorf("Expected %s image, got %s!", container.Image, strategy.Image)
diff --git a/pkg/build/controller/strategy/util.go b/pkg/build/controller/strategy/util.go
index 995620ce1bdb..d40fc5d51fbb 100644
--- a/pkg/build/controller/strategy/util.go
+++ b/pkg/build/controller/strategy/util.go
@@ -42,11 +42,11 @@ const (
 const (
 CustomBuild = "custom-build"
- stiBuild = "sti-build"
- dockerBuild = "docker-build"
+ DockerBuild = "docker-build"
+ StiBuild = "sti-build"
 )
-var BuildContainerNames = []string{CustomBuild, stiBuild, dockerBuild}
+var BuildContainerNames = []string{CustomBuild, StiBuild, DockerBuild}
 var (
 // BuildControllerRefKind contains the schema.GroupVersionKind for builds.
diff --git a/pkg/cmd/openshift-controller-manager/controller/build.go b/pkg/cmd/openshift-controller-manager/controller/build.go
index c9dd8e3bb1bc..9b53a57b7174 100644
--- a/pkg/cmd/openshift-controller-manager/controller/build.go
+++ b/pkg/cmd/openshift-controller-manager/controller/build.go
@@ -57,7 +57,7 @@ func RunBuildController(ctx ControllerContext) (bool, error) {
 Codec: annotationCodec,
 },
 SourceBuildStrategy: &buildstrategy.SourceBuildStrategy{
- Image: imageTemplate.ExpandOrDie("sti-builder"),
+ Image: imageTemplate.ExpandOrDie("docker-builder"),
 // TODO: this will be set to --storage-version (the internal schema we use)
 Codec: annotationCodec,
 SecurityClient: securityClient.Security(),
From 4333db3960e1f134bbf606bd5a8ea7f4fd062c93 Mon Sep 17 00:00:00 2001
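Review bot: The newly exported `DockerBuild` and `StiBuild` constants in util.go carry no doc comments, and the neighbouring `CustomBuild` has none either; now that they are part of the package API each should say what it names, for example `// StiBuild is the name of the container that runs an S2I build in the build pod.` The same hunk feeds them into `BuildContainerNames`, an exported and mutable slice, so a one-line comment there telling callers to treat it as read-only would also help.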
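Review bot: In build.go, `SourceBuildStrategy.Image` now expands `"docker-builder"` with nothing on the line explaining why an S2I strategy points at the Docker builder image; a comment such as `// S2I and Docker builds share one builder image; the pod command selects the binary` would save the next reader a trip through history. The sti.go hunk in this patch keeps `Command: []string{"openshift-sti-build"}`, so the change relies on the shared image carrying that binary, which the diff does not show and is worth confirming. Any image allowlist or mirror configuration that still names the removed sti-builder image would need the same update. RunBuildController continues outside the hunk.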
From: Clayton Coleman
Date: Wed, 25 Apr 2018 10:55:55 -0400
Subject: [PATCH 03/26] Move dependencies out of the base image and into children

Reduces the size of the base image. RPMs explicitly list all their dependencies to prevent accidental removal.
---
 images/base/Dockerfile | 7 ++-----
 images/base/Dockerfile.centos7 | 7 ++-----
 images/base/Dockerfile.rhel7 | 5 ++---
 images/builder/docker/docker-builder/Dockerfile | 13 +++++++++++--
 images/node/Dockerfile | 13 ++++++++++---
 images/node/Dockerfile.centos7 | 13 ++++++++++---
 images/origin/Dockerfile | 1 -
 images/origin/Dockerfile.centos7 | 1 -
 test/extended/testdata/bindata.go | 2 +-
 test/extended/testdata/router-http-echo-server.yaml | 2 +-
 10 files changed, 39 insertions(+), 25 deletions(-)
diff --git a/images/base/Dockerfile b/images/base/Dockerfile
index 7f7fec3e6348..8eb089c7c343 100644
--- a/images/base/Dockerfile
+++ b/images/base/Dockerfile
@@ -8,12 +8,9 @@ FROM openshift/origin-source
 COPY *.repo /etc/yum.repos.d/
 RUN INSTALL_PKGS=" \
- which git tar wget hostname sysvinit-tools util-linux bsdtar \
- socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs \
- xfsprogs lsof device-mapper-persistent-data ceph-common \
+ which tar wget hostname sysvinit-tools util-linux \
+ socat tree findutils lsof bind-utils \
 " && \
- yum install -y centos-release-ceph-luminous && \
- rpm -V centos-release-ceph-luminous && \
 yum install -y ${INSTALL_PKGS} && \
 rpm -V ${INSTALL_PKGS} && \
 yum clean all && \
diff --git a/images/base/Dockerfile.centos7 b/images/base/Dockerfile.centos7
index ce0088ac8b0e..821d122e8b53 100644
--- a/images/base/Dockerfile.centos7
+++ b/images/base/Dockerfile.centos7
@@ -7,12 +7,9 @@ FROM openshift/origin-source
 RUN INSTALL_PKGS=" \
- which git tar wget hostname sysvinit-tools util-linux bsdtar \
- socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs \
- xfsprogs lsof device-mapper-persistent-data ceph-common \
+ which tar wget hostname sysvinit-tools util-linux \
+ socat tree findutils lsof bind-utils \
 " && \
- yum install -y centos-release-ceph-luminous && \
- rpm -V centos-release-ceph-luminous && \
 yum install -y ${INSTALL_PKGS} && \
 rpm -V ${INSTALL_PKGS} && \
 yum clean all && \
diff --git a/images/base/Dockerfile.rhel7 b/images/base/Dockerfile.rhel7
index 7422160370d7..59c2de56d59b 100644
--- a/images/base/Dockerfile.rhel7
+++ b/images/base/Dockerfile.rhel7
@@ -7,9 +7,8 @@ FROM rhel7
 RUN INSTALL_PKGS=" \
- which git tar wget hostname sysvinit-tools util-linux bsdtar \
- socat ethtool device-mapper iptables tree findutils nmap-ncat e2fsprogs \
- xfsprogs lsof device-mapper-persistent-data ceph-common \
+ which tar wget hostname sysvinit-tools util-linux \
+ socat tree findutils lsof bind-utils \
 " && \
 yum --disablerepo=origin-local-release install -y $INSTALL_PKGS && \
 rpm -V $INSTALL_PKGS && \
diff --git a/images/builder/docker/docker-builder/Dockerfile b/images/builder/docker/docker-builder/Dockerfile
index de2341849320..7215bf28e829 100644
--- a/images/builder/docker/docker-builder/Dockerfile
+++ b/images/builder/docker/docker-builder/Dockerfile
@@ -12,7 +12,16 @@
 #
 FROM openshift/origin-control-plane
-LABEL io.k8s.display-name="OpenShift Origin Docker Builder" \
- io.k8s.description="This is a component of OpenShift Origin and is responsible for executing Docker image builds." \
+RUN INSTALL_PKGS=" \
+ which tar wget hostname sysvinit-tools util-linux \
+ socat tree findutils lsof bind-utils \
+ git tar bsdtar \
+ " && \
+ yum install -y ${INSTALL_PKGS} && \
+ rpm -V ${INSTALL_PKGS} && \
+ yum clean all
+
+LABEL io.k8s.display-name="OpenShift Origin Builder" \
+ io.k8s.description="This is a component of OpenShift Origin and is responsible for executing image builds." \
 io.openshift.tags="openshift,builder"
 ENTRYPOINT ["/usr/bin/openshift-docker-build"]
diff --git a/images/node/Dockerfile b/images/node/Dockerfile
index df26538247be..7ba4a84a7222 100644
--- a/images/node/Dockerfile
+++ b/images/node/Dockerfile
@@ -13,10 +13,16 @@ COPY scripts/* /usr/local/bin/
 COPY system-container/system-container-wrapper.sh /usr/local/bin/
 COPY system-container/manifest.json system-container/config.json.template system-container/service.template system-container/tmpfiles.template /exports/
-RUN INSTALL_PKGS="origin-sdn-ovs libmnl libnetfilter_conntrack conntrack-tools \
+RUN INSTALL_PKGS=" \
+ socat ethtool device-mapper iptables nmap-ncat e2fsprogs \
+ xfsprogs device-mapper-persistent-data ceph-common \
+ origin-sdn-ovs libmnl libnetfilter_conntrack conntrack-tools \
 libnfnetlink iptables iproute bridge-utils procps-ng ethtool socat openssl \
 binutils xz kmod-libs kmod sysvinit-tools device-mapper-libs dbus \
- iscsi-initiator-utils bind-utils" && \
+ iscsi-initiator-utils bind-utils \
+ " && \
+ yum install -y centos-release-ceph-luminous && \
+ rpm -V centos-release-ceph-luminous && \
 yum --enablerepo=origin-local-release install -y $INSTALL_PKGS && \
 rpm -V $INSTALL_PKGS && \
 yum clean all
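Review bot: The new `INSTALL_PKGS` list in images/builder/docker/docker-builder/Dockerfile names `tar` twice and repeats the whole origin-base package set (`wget`, `socat`, `lsof`, `bind-utils` and the rest) in the builder image. The image descends from origin-control-plane, so if those packages are already inherited the list can shrink to what the builder itself adds, `git tar bsdtar \`; a builder that presumably runs with the Docker socket mounted is a good place to keep network tooling to a minimum. If the repetition is the deliberate "list every dependency" policy from the commit message, a one-line comment above the `RUN` saying so would stop a later cleanup from undoing it.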
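Review bot: `socat`, `ethtool` and `iptables` now appear twice in the node image's `INSTALL_PKGS`, once in the two lines moved in from the base image and once in the existing list; yum tolerates that, but the duplicates make it harder to audit what the image ships. The two added lines could read `device-mapper nmap-ncat e2fsprogs \` and `xfsprogs device-mapper-persistent-data ceph-common \`. The matching hunk in images/node/Dockerfile.centos7 has the same duplicates. The added `yum install -y centos-release-ceph-luminous` also enables an extra package repository for this image, presumably as the source of `ceph-common`, and a comment saying so would make that dependency explicit.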
@@ -25,6 +31,7 @@ LABEL io.k8s.display-name="OpenShift Origin Node" \
 io.k8s.description="This is a component of OpenShift Origin and contains the software for individual nodes when using SDN." \
 io.openshift.tags="openshift,node"
-ENV KUBECONFIG=/etc/origin/node/node.kubeconfig
+ENV OPENSHIFT_CONTAINERIZED=true \
+ KUBECONFIG=/etc/origin/node/node.kubeconfig
 ENTRYPOINT [ "/usr/local/bin/origin-node-run.sh" ]
diff --git a/images/node/Dockerfile.centos7 b/images/node/Dockerfile.centos7
index 5f21df6573e6..d44442b935cd 100644
--- a/images/node/Dockerfile.centos7
+++ b/images/node/Dockerfile.centos7
@@ -9,10 +9,16 @@ COPY scripts/* /usr/local/bin/
 COPY system-container/system-container-wrapper.sh /usr/local/bin/
 COPY system-container/manifest.json system-container/config.json.template system-container/service.template system-container/tmpfiles.template /exports/
-RUN INSTALL_PKGS="origin-sdn-ovs libmnl libnetfilter_conntrack conntrack-tools \
+RUN INSTALL_PKGS=" \
+ socat ethtool device-mapper iptables nmap-ncat e2fsprogs \
+ xfsprogs device-mapper-persistent-data ceph-common \
+ origin-sdn-ovs libmnl libnetfilter_conntrack conntrack-tools \
 libnfnetlink iptables iproute bridge-utils procps-ng ethtool socat openssl \
 binutils xz kmod-libs kmod sysvinit-tools device-mapper-libs dbus \
- iscsi-initiator-utils bind-utils" && \
+ iscsi-initiator-utils bind-utils \
+ " && \
+ yum install -y centos-release-ceph-luminous && \
+ rpm -V centos-release-ceph-luminous && \
 yum --enablerepo=origin-local-release install -y $INSTALL_PKGS && \
 rpm -V $INSTALL_PKGS && \
 yum clean all
@@ -21,6 +27,7 @@ LABEL io.k8s.display-name="OpenShift Origin Node" \ io.k8s.description="This is a component of OpenShift Origin and contains the software for individual nodes when using SDN." \ io.openshift.tags="openshift,node" -ENV KUBECONFIG=/etc/origin/node/node.kubeconfig +ENV OPENSHIFT_CONTAINERIZED=true \ + KUBECONFIG=/etc/origin/node/node.kubeconfig ENTRYPOINT [ "/usr/local/bin/origin-node-run.sh" ] diff --git a/images/origin/Dockerfile b/images/origin/Dockerfile index 8070bf2a7d62..1dd70d7c1c99 100644 --- a/images/origin/Dockerfile +++ b/images/origin/Dockerfile @@ -17,7 +17,6 @@ LABEL io.k8s.display-name="OpenShift Origin Application Platform" \ io.openshift.tags="openshift,core" ENV HOME=/root \ - OPENSHIFT_CONTAINERIZED=true \ KUBECONFIG=/var/lib/origin/openshift.local.config/master/admin.kubeconfig WORKDIR /var/lib/origin diff --git a/images/origin/Dockerfile.centos7 b/images/origin/Dockerfile.centos7 index 8070bf2a7d62..1dd70d7c1c99 100644 --- a/images/origin/Dockerfile.centos7 +++ b/images/origin/Dockerfile.centos7 @@ -17,7 +17,6 @@ LABEL io.k8s.display-name="OpenShift Origin Application Platform" \ io.openshift.tags="openshift,core" ENV HOME=/root \ - OPENSHIFT_CONTAINERIZED=true \ KUBECONFIG=/var/lib/origin/openshift.local.config/master/admin.kubeconfig WORKDIR /var/lib/origin diff --git a/test/extended/testdata/bindata.go b/test/extended/testdata/bindata.go index 307d8bc15733..2eedbfb4a2e5 100644 --- a/test/extended/testdata/bindata.go +++ b/test/extended/testdata/bindata.go @@ -9843,7 +9843,7 @@ items: deploymentconfig: router-http-echo spec: containers: - - image: openshift/origin-base + - image: openshift/origin-node name: router-http-echo command: - /usr/bin/socat diff --git a/test/extended/testdata/router-http-echo-server.yaml b/test/extended/testdata/router-http-echo-server.yaml index 4a17bbd91e54..240b052eab95 100644 --- a/test/extended/testdata/router-http-echo-server.yaml +++ b/test/extended/testdata/router-http-echo-server.yaml 
@@ -20,7 +20,7 @@ items:
 deploymentconfig: router-http-echo
 spec:
 containers:
- - image: openshift/origin-base
+ - image: openshift/origin-node
 name: router-http-echo
 command:
 - /usr/bin/socat
From 99e9405018b29de20ea3874bbbe8d62c1cc8278d Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Wed, 25 Apr 2018 11:02:43 -0400
Subject: [PATCH 04/26] Create a new origin-cli image and reparent control-plane
---
 hack/lib/constants.sh | 4 +++-
 images/cli/.cccp.yml | 1 +
 images/cli/Dockerfile | 16 ++++++++++++++++
 images/cli/OWNERS | 8 ++++++++
 images/cli/bin/.gitignore | 2 ++
 images/origin/Dockerfile | 8 ++++----
 images/origin/Dockerfile.centos7 | 25 -------------------------
 origin.spec | 1 -
 test/cmd/builds.sh | 2 +-
 9 files changed, 35 insertions(+), 32 deletions(-)
 create mode 100644 images/cli/.cccp.yml
 create mode 100644 images/cli/Dockerfile
 create mode 100644 images/cli/OWNERS
 create mode 100644 images/cli/bin/.gitignore
 delete mode 100644 images/origin/Dockerfile.centos7
diff --git a/hack/lib/constants.sh b/hack/lib/constants.sh
index 69f1803118dc..daa0a5d17f1b 100755
--- a/hack/lib/constants.sh
+++ b/hack/lib/constants.sh
@@ -310,6 +310,7 @@ readonly -f os::build::clean_windows_versioninfo
 readonly OS_ALL_IMAGES=(
 origin-pod
 origin-base
+ origin-cli
 origin-control-plane
 origin-node
 origin-deployer
@@ -343,8 +344,9 @@ function os::build::images() {
 # images that depend on "${tag_prefix}-source"
 ( os::build::image "${tag_prefix}-pod" images/pod ) &
 ( os::build::image "${tag_prefix}-template-service-broker" images/template-service-broker ) &
+ ( os::build::image "${tag_prefix}-cli" images/cli ) &
- # images that depend on "${tag_prefix}-base"
+ # images that depend on "${tag_prefix}-base" or "${tag_prefix}-cli"
 ( os::build::image "${tag_prefix}-control-plane" images/origin ) &
 ( os::build::image "${tag_prefix}-egress-router" images/egress/router ) &
 ( os::build::image "${tag_prefix}-egress-http-proxy" images/egress/http-proxy ) &
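Review bot: The echo server in router-http-echo-server.yaml only runs `/usr/bin/socat`, and `socat` is still in the slimmed origin-base package list in this same patch, so moving the test pod to `openshift/origin-node` does not look necessary. The node image is much larger and carries SDN, storage and iSCSI tooling; a throwaway test container is better left on the smallest image that has the binary, i.e. keeping `- image: openshift/origin-base`. If base no longer works here for a reason the diff does not show, a comment in the YAML would record it. The generated copy in bindata.go would follow whichever image is chosen.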
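Review bot: In the second constants.sh hunk, `${tag_prefix}-cli` is started in the background next to the pod and template-service-broker builds, and `${tag_prefix}-control-plane`, which this patch reparents onto origin-cli, is started right after with no `wait` between the two groups in the visible lines. As of this commit the control-plane build can begin before the local origin-cli image exists, so it may build on a stale or pulled `openshift/origin-cli` instead of the one just built. Adding ``for i in `jobs -p`; do wait $i; done`` after the cli line would keep this commit buildable on its own. The comment over the first group should also mention base, since the cli image is built `FROM openshift/origin-base`. os::build::images continues outside the hunk.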
diff --git a/images/cli/.cccp.yml b/images/cli/.cccp.yml
new file mode 100644
index 000000000000..e64764f3c7b0
--- /dev/null
+++ b/images/cli/.cccp.yml
@@ -0,0 +1 @@
+job-id: origin-cli
diff --git a/images/cli/Dockerfile b/images/cli/Dockerfile
new file mode 100644
index 000000000000..24e4a86bc959
--- /dev/null
+++ b/images/cli/Dockerfile
@@ -0,0 +1,16 @@
+#
+# This is the official OpenShift CLI image. It can be used to get a CLI environment
+# for OpenShift.
+#
+# The standard name for this image is openshift/origin-cli
+#
+FROM openshift/origin-base
+
+RUN INSTALL_PKGS="origin-clients" && \
+ yum --enablerepo=origin-local-release install -y ${INSTALL_PKGS} && \
+ rpm -V ${INSTALL_PKGS} && \
+ yum clean all
+
+LABEL io.k8s.display-name="OpenShift Client" \
+ io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \
+ io.openshift.tags="openshift,cli"
diff --git a/images/cli/OWNERS b/images/cli/OWNERS
new file mode 100644
index 000000000000..ef253fe96db0
--- /dev/null
+++ b/images/cli/OWNERS
@@ -0,0 +1,8 @@
+reviewers:
+ - smarterclayton
+ - stevekuznetsov
+ - sdodson
+approvers:
+ - smarterclayton
+ - kargakis
+ - stevekuznetsov
diff --git a/images/cli/bin/.gitignore b/images/cli/bin/.gitignore
new file mode 100644
index 000000000000..d6b7ef32c847
--- /dev/null
+++ b/images/cli/bin/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/images/origin/Dockerfile b/images/origin/Dockerfile
index 1dd70d7c1c99..61690100aa05 100644
--- a/images/origin/Dockerfile
+++ b/images/origin/Dockerfile
@@ -1,10 +1,10 @@
 #
-# This is the official OpenShift Origin image. It has as its entrypoint the OpenShift
+# This is the official OpenShift image. It has as its entrypoint the OpenShift
 # all-in-one binary.
 #
 # The standard name for this image is openshift/origin-control-plane
 #
-FROM openshift/origin-base
+FROM openshift/origin-cli
 RUN INSTALL_PKGS="origin" && \
 yum --enablerepo=origin-local-release install -y ${INSTALL_PKGS} && \
@@ -12,8 +12,8 @@ RUN INSTALL_PKGS="origin" && \
 yum clean all && \
 setcap 'cap_net_bind_service=ep' /usr/bin/openshift
-LABEL io.k8s.display-name="OpenShift Origin Application Platform" \
- io.k8s.description="OpenShift Origin is a platform for developing, building, and deploying containerized applications." \
+LABEL io.k8s.display-name="OpenShift Application Platform" \
+ io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \
 io.openshift.tags="openshift,core"
 ENV HOME=/root \
diff --git a/images/origin/Dockerfile.centos7 b/images/origin/Dockerfile.centos7
deleted file mode 100644
index 1dd70d7c1c99..000000000000
--- a/images/origin/Dockerfile.centos7
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-# This is the official OpenShift Origin image. It has as its entrypoint the OpenShift
-# all-in-one binary.
-#
-# The standard name for this image is openshift/origin-control-plane
-#
-FROM openshift/origin-base
-
-RUN INSTALL_PKGS="origin" && \
- yum --enablerepo=origin-local-release install -y ${INSTALL_PKGS} && \
- rpm -V ${INSTALL_PKGS} && \
- yum clean all && \
- setcap 'cap_net_bind_service=ep' /usr/bin/openshift
-
-LABEL io.k8s.display-name="OpenShift Origin Application Platform" \
- io.k8s.description="OpenShift Origin is a platform for developing, building, and deploying containerized applications." \
- io.openshift.tags="openshift,core"
-
-ENV HOME=/root \
- KUBECONFIG=/var/lib/origin/openshift.local.config/master/admin.kubeconfig
-
-WORKDIR /var/lib/origin
-EXPOSE 8443 53
-
-ENTRYPOINT ["/usr/bin/openshift"]
diff --git a/origin.spec b/origin.spec
index 609f497e5d72..ae21840a3d6b 100644
--- a/origin.spec
+++ b/origin.spec
@@ -148,7 +148,6 @@ Provides: tuned-profiles-%{name}-node
 %package clients
 Summary: %{product_name} Client binaries for Linux
 Obsoletes: openshift-clients < %{package_refector_version}
-Requires: git
 Requires: bash-completion
 %description clients
diff --git a/test/cmd/builds.sh b/test/cmd/builds.sh
index ff919affa8a5..5a15261f5a34 100755
--- a/test/cmd/builds.sh
+++ b/test/cmd/builds.sh
@@ -19,7 +19,7 @@ os::test::junit::declare_suite_start "cmd/builds"
 os::cmd::expect_success 'oc new-build centos/ruby-22-centos7 https://github.com/openshift/ruby-hello-world.git'
 os::cmd::expect_success 'oc get bc/ruby-hello-world'
-os::cmd::expect_success "cat '${OS_ROOT}/images/origin/Dockerfile' | oc new-build -D - --name=test"
+os::cmd::expect_success "cat '${OS_ROOT}/images/cli/Dockerfile' | oc new-build -D - --name=test"
 os::cmd::expect_success 'oc get bc/test'
 template='{{with .spec.output.to}}{{.kind}} {{.name}}{{end}}'
From b1b238aebedf2d634a8c8362e6e0320e192cfb2e Mon Sep 17 00:00:00 2001
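Review bot: Dropping `Requires: git` from the clients subpackage in origin.spec means a host or image that installs only origin-clients has no `git` binary, and that includes the new origin-cli image, whose base stops installing git earlier in this series. `oc new-build` and `oc new-app` against a source repository appear to rely on a local git (the suite's own `oc new-build ... ruby-hello-world.git` call is visible in test/cmd/builds.sh), so it is worth confirming they fail with a clear message when git is absent rather than silently skipping source inspection. If git is now optional by design, a comment next to `Requires: bash-completion` noting that git is an optional runtime dependency would record the decision.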
From: Clayton Coleman
Date: Wed, 25 Apr 2018 11:35:23 -0400
Subject: [PATCH 05/26] Create a hyperkube and hypershift image and RPMs

Remove both binaries from the origin binary. Future images will depend on these instead of openshift-control-plane.
---
 hack/build-local-images.py | 35 +++++++++++-----------
 hack/lib/constants.sh | 22 +++++++++-----
 images/hyperkube/.cccp.yml | 1 +
 images/hyperkube/Dockerfile | 16 ++++++++++
 images/hyperkube/OWNERS | 8 +++++
 images/hyperkube/bin/.gitignore | 2 ++
 images/hypershift/.cccp.yml | 1 +
 images/hypershift/Dockerfile | 16 ++++++++++
 images/hypershift/OWNERS | 8 +++++
 images/hypershift/bin/.gitignore | 2 ++
 images/ipfailover/keepalived/Dockerfile | 8 ++---
 images/node/Dockerfile | 9 +++---
 images/node/Dockerfile.centos7 | 33 --------------------
 origin.spec | 40 +++++++++++++++++--------
 14 files changed, 123 insertions(+), 78 deletions(-)
 create mode 100644 images/hyperkube/.cccp.yml
 create mode 100644 images/hyperkube/Dockerfile
 create mode 100644 images/hyperkube/OWNERS
 create mode 100644 images/hyperkube/bin/.gitignore
 create mode 100644 images/hypershift/.cccp.yml
 create mode 100644 images/hypershift/Dockerfile
 create mode 100644 images/hypershift/OWNERS
 create mode 100644 images/hypershift/bin/.gitignore
 delete mode 100644 images/node/Dockerfile.centos7
diff --git a/hack/build-local-images.py b/hack/build-local-images.py
index 9d3f0c12612b..48cec00632fd 100755
--- a/hack/build-local-images.py
+++ b/hack/build-local-images.py
@@ -56,13 +56,10 @@
 # "enable_default: True" can be added to skip the image build
 # with no arguments
 image_config = {
- "control-plane": {
- "directory": "origin",
+ "cli": {
+ "directory": "cli",
 "binaries": {
- "openshift": "/usr/bin/openshift",
 "oc": "/usr/bin/oc",
- "hypershift": "/usr/bin/hypershift",
- "hyperkube": "/usr/bin/hyperkube"
 },
 "files": {}
 },
@@ -71,8 +68,20 @@ "binaries": { "openshift": "/usr/bin/openshift", "oc": "/usr/bin/oc", + }, + "files": {} + }, + "hyperkube": { + "directory": "hyperkube", + "binaries": { + "hyperkube": "/usr/bin/hyperkube", + }, + "files": {} + }, + "hypershift": { + "directory": "hypershift", + "binaries": { "hypershift": "/usr/bin/hypershift", - "hyperkube": "/usr/bin/hyperkube" }, "files": {} }, @@ -97,13 +106,6 @@ }, "files": {} }, - "sti-builder": { - "directory": "builder/docker/sti-builder", - "binaries": { - "openshift": "/usr/bin/openshift" - }, - "files": {} - }, "f5-router": { "directory": "router/f5", "binaries": { @@ -141,7 +143,9 @@ "node": { "directory": "node", "binaries": { - "openshift": "/usr/bin/openshift" + "openshift": "/usr/bin/openshift", + "openshift-node-config": "/usr/bin/openshift-node-config", + "hyperkube": "/usr/bin/hyperkube" }, "files": {} }, @@ -173,9 +177,6 @@ def full_name(image): the image namespace as well as the pre- fix, if applicable. """ - if image in ["node", "openvswitch", image_prefix]: - return "{}/{}".format(image_namespace, image) - return "{}/{}-{}".format(image_namespace, image_prefix, image) diff --git a/hack/lib/constants.sh b/hack/lib/constants.sh index daa0a5d17f1b..028eb20a31ad 100755 --- a/hack/lib/constants.sh +++ b/hack/lib/constants.sh @@ -311,6 +311,8 @@ readonly OS_ALL_IMAGES=( origin-pod origin-base origin-cli + origin-hypershift + origin-hyperkube origin-control-plane origin-node origin-deployer 
@@ -341,22 +343,26 @@ function os::build::images() { # determine the correct tag prefix tag_prefix="${OS_IMAGE_PREFIX:-"openshift/origin"}" - # images that depend on "${tag_prefix}-source" + # images that depend on "${tag_prefix}-source" or "${tag_prefix}-base" ( os::build::image "${tag_prefix}-pod" images/pod ) & ( os::build::image "${tag_prefix}-template-service-broker" images/template-service-broker ) & ( os::build::image "${tag_prefix}-cli" images/cli ) & + ( os::build::image "${tag_prefix}-hyperkube" images/hyperkube ) & + ( os::build::image "${tag_prefix}-hypershift" images/hypershift ) & + ( os::build::image "${tag_prefix}-egress-router" images/egress/router ) & + ( os::build::image "${tag_prefix}-egress-http-proxy" images/egress/http-proxy ) & + ( os::build::image "${tag_prefix}-egress-dns-proxy" images/egress/dns-proxy ) & + ( os::build::image "${tag_prefix}-keepalived-ipfailover" images/ipfailover/keepalived ) & - # images that depend on "${tag_prefix}-base" or "${tag_prefix}-cli" - ( os::build::image "${tag_prefix}-control-plane" images/origin ) & - ( os::build::image "${tag_prefix}-egress-router" images/egress/router ) & - ( os::build::image "${tag_prefix}-egress-http-proxy" images/egress/http-proxy ) & - ( os::build::image "${tag_prefix}-egress-dns-proxy" images/egress/dns-proxy ) & + for i in `jobs -p`; do wait $i; done + + # images that depend on "${tag_prefix}-cli" + ( os::build::image "${tag_prefix}-control-plane" images/origin ) & for i in `jobs -p`; do wait $i; done - # images that depend on "${tag_prefix}-control-plane + # images that depend on "${tag_prefix}-control-plane" ( os::build::image "${tag_prefix}-haproxy-router" images/router/haproxy ) & - ( os::build::image "${tag_prefix}-keepalived-ipfailover" images/ipfailover/keepalived ) & ( os::build::image "${tag_prefix}-deployer" images/deployer ) & ( os::build::image "${tag_prefix}-recycler" images/recycler ) & ( os::build::image "${tag_prefix}-docker-builder" 
images/builder/docker/docker-builder ) & diff --git a/images/hyperkube/.cccp.yml b/images/hyperkube/.cccp.yml new file mode 100644 index 000000000000..61bf2c5f5f99 --- /dev/null +++ b/images/hyperkube/.cccp.yml @@ -0,0 +1 @@ +job-id: origin-hyperkube diff --git a/images/hyperkube/Dockerfile b/images/hyperkube/Dockerfile new file mode 100644 index 000000000000..4f8067bd3ae7 --- /dev/null +++ b/images/hyperkube/Dockerfile @@ -0,0 +1,16 @@ +# +# This is the official OpenShift CLI image. It can be used to get a CLI environment +# for OpenShift. +# +# The standard name for this image is openshift/origin-hyperkube +# +FROM openshift/origin-base + +RUN INSTALL_PKGS="origin-hyperkube" && \ + yum --enablerepo=origin-local-release install -y ${INSTALL_PKGS} && \ + rpm -V ${INSTALL_PKGS} && \ + yum clean all + +LABEL io.k8s.display-name="OpenShift Kubernetes Server Commands" \ + io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \ + io.openshift.tags="openshift,hyperkube" diff --git a/images/hyperkube/OWNERS b/images/hyperkube/OWNERS new file mode 100644 index 000000000000..ef253fe96db0 --- /dev/null +++ b/images/hyperkube/OWNERS @@ -0,0 +1,8 @@ +reviewers: + - smarterclayton + - stevekuznetsov + - sdodson +approvers: + - smarterclayton + - kargakis + - stevekuznetsov diff --git a/images/hyperkube/bin/.gitignore b/images/hyperkube/bin/.gitignore new file mode 100644 index 000000000000..d6b7ef32c847 --- /dev/null +++ b/images/hyperkube/bin/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore diff --git a/images/hypershift/.cccp.yml b/images/hypershift/.cccp.yml new file mode 100644 index 000000000000..61bf2c5f5f99 --- /dev/null +++ b/images/hypershift/.cccp.yml @@ -0,0 +1 @@ +job-id: origin-hyperkube diff --git a/images/hypershift/Dockerfile b/images/hypershift/Dockerfile new file mode 100644 index 000000000000..0dc4e185d1c0 --- /dev/null +++ b/images/hypershift/Dockerfile 
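Review bot: The header comment in images/hyperkube/Dockerfile calls this "the official OpenShift CLI image", which looks copied from the CLI image and does not match the `origin-hyperkube` package that the RUN step installs. The images/hypershift/Dockerfile added in the same patch carries the same header. I would replace it with a sentence that matches the LABEL, for example `# This image contains the hyperkube binary (Kubernetes server commands) for OpenShift.`, and the equivalent for hypershift. The commit message says future images will build on these two, so the header should state what is actually inside them.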
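Review bot: images/hypershift/.cccp.yml sets `job-id: origin-hyperkube`, the same value as images/hyperkube/.cccp.yml, and both files share blob id 61bf2c5f5f99, which looks like a copy-paste slip. If the job id is meant to follow the image name, as it does for hyperkube, this should be `job-id: origin-hypershift`. How the build pipeline consumes this id is not visible here, so confirm that two image directories sharing one id cannot make one build replace or hide the other.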
@@ -0,0 +1,16 @@ +# +# This is the official OpenShift CLI image. It can be used to get a CLI environment +# for OpenShift. +# +# The standard name for this image is openshift/origin-hypershift +# +FROM openshift/origin-base + +RUN INSTALL_PKGS="origin-hypershift" && \ + yum --enablerepo=origin-local-release install -y ${INSTALL_PKGS} && \ + rpm -V ${INSTALL_PKGS} && \ + yum clean all + +LABEL io.k8s.display-name="OpenShift Server Commands" \ + io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \ + io.openshift.tags="openshift,hypershift" diff --git a/images/hypershift/OWNERS b/images/hypershift/OWNERS new file mode 100644 index 000000000000..ef253fe96db0 --- /dev/null +++ b/images/hypershift/OWNERS @@ -0,0 +1,8 @@ +reviewers: + - smarterclayton + - stevekuznetsov + - sdodson +approvers: + - smarterclayton + - kargakis + - stevekuznetsov diff --git a/images/hypershift/bin/.gitignore b/images/hypershift/bin/.gitignore new file mode 100644 index 000000000000..d6b7ef32c847 --- /dev/null +++ b/images/hypershift/bin/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore diff --git a/images/ipfailover/keepalived/Dockerfile b/images/ipfailover/keepalived/Dockerfile index f963bac18fc7..f19b3fb2c77d 100644 --- a/images/ipfailover/keepalived/Dockerfile +++ b/images/ipfailover/keepalived/Dockerfile @@ -1,9 +1,9 @@ # -# VIP failover monitoring container for OpenShift Origin. +# VIP failover monitoring container for OpenShift. # # ImageName: openshift/origin-keepalived-ipfailover # -FROM openshift/origin-control-plane +FROM openshift/origin-base RUN INSTALL_PKGS="kmod keepalived iproute psmisc nmap-ncat net-tools ipset ipset-libs" && \ yum install -y $INSTALL_PKGS && \ 
@@ -11,8 +11,8 @@ RUN INSTALL_PKGS="kmod keepalived iproute psmisc nmap-ncat net-tools ipset ipset yum clean all COPY . /var/lib/ipfailover/keepalived/ -LABEL io.k8s.display-name="OpenShift Origin IP Failover" \ - io.k8s.description="This is a component of OpenShift Origin and runs a clustered keepalived instance across multiple hosts to allow highly available IP addresses." \ +LABEL io.k8s.display-name="OpenShift IP Failover" \ + io.k8s.description="This is a component of OpenShift and runs a clustered keepalived instance across multiple hosts to allow highly available IP addresses." \ io.openshift.tags="openshift,ha,ip,failover" EXPOSE 1985 WORKDIR /var/lib/ipfailover diff --git a/images/node/Dockerfile b/images/node/Dockerfile index 7ba4a84a7222..967dafb2137f 100644 --- a/images/node/Dockerfile +++ b/images/node/Dockerfile @@ -1,5 +1,5 @@ # -# This is an OpenShift Origin node image with integrated OpenvSwitch SDN. +# This is an OpenShift node image with integrated OpenvSwitch SDN. # # This image expects to have a volume mounted at /etc/origin/node that contains # a KUBECONFIG file giving the node permission to talk to the master and a @@ -14,9 +14,10 @@ COPY system-container/system-container-wrapper.sh /usr/local/bin/ COPY system-container/manifest.json system-container/config.json.template system-container/service.template system-container/tmpfiles.template /exports/ RUN INSTALL_PKGS=" \ + origin-hyperkube origin-node origin-sdn-ovs \ socat ethtool device-mapper iptables nmap-ncat e2fsprogs \ xfsprogs device-mapper-persistent-data ceph-common \ - origin-sdn-ovs libmnl libnetfilter_conntrack conntrack-tools \ + libmnl libnetfilter_conntrack conntrack-tools \ libnfnetlink iptables iproute bridge-utils procps-ng ethtool socat openssl \ binutils xz kmod-libs kmod sysvinit-tools device-mapper-libs dbus \ iscsi-initiator-utils bind-utils \ 
@@ -27,8 +28,8 @@ RUN INSTALL_PKGS=" \ rpm -V $INSTALL_PKGS && \ yum clean all -LABEL io.k8s.display-name="OpenShift Origin Node" \ - io.k8s.description="This is a component of OpenShift Origin and contains the software for individual nodes when using SDN." \ +LABEL io.k8s.display-name="OpenShift Node" \ + io.k8s.description="This is a component of OpenShift and contains the software for individual nodes when using SDN." \ io.openshift.tags="openshift,node" ENV OPENSHIFT_CONTAINERIZED=true \ diff --git a/images/node/Dockerfile.centos7 b/images/node/Dockerfile.centos7 deleted file mode 100644 index d44442b935cd..000000000000 --- a/images/node/Dockerfile.centos7 +++ /dev/null 
@@ -1,33 +0,0 @@ -# -# This is an OpenShift Origin node image with integrated OpenvSwitch SDN -# -# The standard name for this image is openshift/origin-node -# -FROM openshift/origin-control-plane - -COPY scripts/* /usr/local/bin/ -COPY system-container/system-container-wrapper.sh /usr/local/bin/ -COPY system-container/manifest.json system-container/config.json.template system-container/service.template system-container/tmpfiles.template /exports/ - -RUN INSTALL_PKGS=" \ - socat ethtool device-mapper iptables nmap-ncat e2fsprogs \ - xfsprogs device-mapper-persistent-data ceph-common \ - origin-sdn-ovs libmnl libnetfilter_conntrack conntrack-tools \ - libnfnetlink iptables iproute bridge-utils procps-ng ethtool socat openssl \ - binutils xz kmod-libs kmod sysvinit-tools device-mapper-libs dbus \ - iscsi-initiator-utils bind-utils \ - " && \ - yum install -y centos-release-ceph-luminous && \ - rpm -V centos-release-ceph-luminous && \ - yum --enablerepo=origin-local-release install -y $INSTALL_PKGS && \ - rpm -V $INSTALL_PKGS && \ - yum clean all - -LABEL io.k8s.display-name="OpenShift Origin Node" \ - io.k8s.description="This is a component of OpenShift Origin and contains the software for individual nodes when using SDN." \ - io.openshift.tags="openshift,node" - -ENV OPENSHIFT_CONTAINERIZED=true \ - KUBECONFIG=/etc/origin/node/node.kubeconfig - -ENTRYPOINT [ "/usr/local/bin/origin-node-run.sh" ] diff --git a/origin.spec b/origin.spec index ae21840a3d6b..f6327a4a81ce 100644 --- a/origin.spec +++ b/origin.spec 
@@ -12,7 +12,7 @@ %global openvswitch_version 2.6.1 # this is the version we obsolete up to. The packaging changed for Origin # 1.0.6 and OSE 3.1 such that 'openshift' package names were no longer used. -%global package_refector_version 3.0.2.900 +%global package_refactor_version 3.0.2.900 %global golang_version 1.9.1 # %commit and %os_git_vars are intended to be set by tito custom builders provided # in the .tito/lib directory. The values in this spec file will not be kept up to date. @@ -86,7 +86,7 @@ BuildRequires: krb5-devel BuildRequires: rsync Requires: %{name}-clients = %{version}-%{release} Requires: iptables -Obsoletes: openshift < %{package_refector_version} +Obsoletes: openshift < %{package_refactor_version} # # The following Bundled Provides entries are populated automatically by the @@ -107,13 +107,22 @@ teams and applications. It provides a secure and multi-tenant configuration for Kubernetes allowing you to safely host many different applications and workloads on a unified cluster. +%package hypershift +Summary: %{product_name} server commands + +%description hypershift +%{summary} + +%package hyperkube +Summary: %{product_name} Kubernetes server commands + +%description hyperkube +%{summary} + %package master Summary: %{product_name} Master Requires: %{name} = %{version}-%{release} -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd -Obsoletes: openshift-master < %{package_refector_version} +Obsoletes: openshift-master < %{package_refactor_version} %description master %{summary} @@ -127,6 +136,7 @@ Summary: %{product_name} Test Suite %package node Summary: %{product_name} Node Requires: %{name} = %{version}-%{release} +Requires: %{name}-hyperkube = %{version}-%{release} Requires: docker >= %{docker_version} Requires: util-linux Requires: socat 
@@ -138,7 +148,7 @@ Requires: conntrack-tools Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -Obsoletes: openshift-node < %{package_refector_version} +Obsoletes: openshift-node < %{package_refactor_version} Obsoletes: tuned-profiles-%{name}-node Provides: tuned-profiles-%{name}-node @@ -147,7 +157,7 @@ Provides: tuned-profiles-%{name}-node %package clients Summary: %{product_name} Client binaries for Linux -Obsoletes: openshift-clients < %{package_refector_version} +Obsoletes: openshift-clients < %{package_refactor_version} Requires: bash-completion %description clients @@ -156,7 +166,7 @@ Requires: bash-completion %if 0%{?make_redistributable} %package clients-redistributable Summary: %{product_name} Client binaries for Linux, Mac OSX, and Windows -Obsoletes: openshift-clients-redistributable < %{package_refector_version} +Obsoletes: openshift-clients-redistributable < %{package_refactor_version} BuildRequires: goversioninfo %description clients-redistributable @@ -178,7 +188,7 @@ Requires: bind-utils Requires: ethtool Requires: procps-ng Requires: iproute -Obsoletes: openshift-sdn-ovs < %{package_refector_version} +Obsoletes: openshift-sdn-ovs < %{package_refactor_version} %description sdn-ovs %{summary} @@ -355,8 +365,6 @@ chmod 0744 $RPM_BUILD_ROOT/usr/sbin/%{name}-docker-excluder %doc README.md %license LICENSE %{_bindir}/openshift -%{_bindir}/hyperkube -%{_bindir}/hypershift %{_bindir}/openshift-deploy %{_bindir}/openshift-f5-router %{_bindir}/openshift-recycle @@ -378,6 +386,14 @@ chmod 0744 $RPM_BUILD_ROOT/usr/sbin/%{name}-docker-excluder %{_libexecdir}/%{name} %{_libexecdir}/%{name}/extended.test +%files hypershift +%{_bindir}/hypershift +%defattr(-,root,root,0700) + +%files hyperkube +%{_bindir}/hyperkube +%defattr(-,root,root,0700) + %files master %defattr(-,root,root,0700) %config(noreplace) %{_sysconfdir}/origin/master From c2a53499e6451ae70467bddcb6e9abcdea1be6f6 Mon Sep 17 00:00:00 2001 
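Review bot: In the new `%files hypershift` and `%files hyperkube` sections, `%defattr(-,root,root,0700)` is placed after the `%{_bindir}/...` entry. `%defattr` only applies to entries listed after it, so it has no effect on the single binary each section packages. `%files master` just below puts the directive first, and I would do the same here: `%defattr(-,root,root,0700)` followed by `%{_bindir}/hypershift`, and likewise for hyperkube. As written, the ownership recorded for these server binaries depends on rpm's defaults rather than on the spec.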
From: Clayton Coleman Date: Wed, 25 Apr 2018 20:40:50 -0400 Subject: [PATCH 06/26] Move a route helper into its own package Clips a dependency. --- pkg/cmd/util/{ => route}/route.go | 2 +- pkg/oc/cli/cmd/create/route.go | 7 ++++--- pkg/oc/cli/cmd/expose.go | 3 ++- 3 files changed, 7 insertions(+), 5 deletions(-) rename pkg/cmd/util/{ => route}/route.go (99%) diff --git a/pkg/cmd/util/route.go b/pkg/cmd/util/route/route.go similarity index 99% rename from pkg/cmd/util/route.go rename to pkg/cmd/util/route/route.go index a0c8062797a2..04581dcfe5a7 100644 --- a/pkg/cmd/util/route.go +++ b/pkg/cmd/util/route/route.go @@ -1,4 +1,4 @@ -package util +package route import ( "fmt" diff --git a/pkg/oc/cli/cmd/create/route.go b/pkg/oc/cli/cmd/create/route.go index ccc11ccd465e..dc03c550a88b 100644 --- a/pkg/oc/cli/cmd/create/route.go +++ b/pkg/oc/cli/cmd/create/route.go @@ -11,6 +11,7 @@ import ( kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" cmdutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/route" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" routeapi "github.com/openshift/origin/pkg/route/apis/route" routeclientinternal "github.com/openshift/origin/pkg/route/generated/internalclientset" @@ -116,7 +117,7 @@ func CreateEdgeRoute(f *clientcmd.Factory, out io.Writer, cmd *cobra.Command, ar if err != nil { return err } - route, err := cmdutil.UnsecuredRoute(kc, ns, routeName, serviceName, kcmdutil.GetFlagString(cmd, "port"), false) + route, err := route.UnsecuredRoute(kc, ns, routeName, serviceName, kcmdutil.GetFlagString(cmd, "port"), false) if err != nil { return err } 
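Review bot: In `CreateEdgeRoute`, the local variable `route` shadows the newly imported package `route` from the line `route, err := route.UnsecuredRoute(...)` onward, so nothing later in the function can refer to the package. The same pattern appears in `CreatePassthroughRoute`, `CreateReencryptRoute` and in `validate` in pkg/oc/cli/cmd/expose.go. It compiles because the right-hand side is resolved before the new variable comes into scope, but it is easy to trip over in a later edit. I would import the package under an alias, e.g. `routeutil "github.com/openshift/origin/pkg/cmd/util/route"`, or rename the variable. The function bodies continue outside these hunks.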
@@ -235,7 +236,7 @@ func CreatePassthroughRoute(f *clientcmd.Factory, out io.Writer, cmd *cobra.Comm if err != nil { return err } - route, err := cmdutil.UnsecuredRoute(kc, ns, routeName, serviceName, kcmdutil.GetFlagString(cmd, "port"), false) + route, err := route.UnsecuredRoute(kc, ns, routeName, serviceName, kcmdutil.GetFlagString(cmd, "port"), false) if err != nil { return err } @@ -348,7 +349,7 @@ func CreateReencryptRoute(f *clientcmd.Factory, out io.Writer, cmd *cobra.Comman if err != nil { return err } - route, err := cmdutil.UnsecuredRoute(kc, ns, routeName, serviceName, kcmdutil.GetFlagString(cmd, "port"), false) + route, err := route.UnsecuredRoute(kc, ns, routeName, serviceName, kcmdutil.GetFlagString(cmd, "port"), false) if err != nil { return err } diff --git a/pkg/oc/cli/cmd/expose.go b/pkg/oc/cli/cmd/expose.go index f8beaebc4428..b4ed565d56f6 100644 --- a/pkg/oc/cli/cmd/expose.go +++ b/pkg/oc/cli/cmd/expose.go @@ -12,6 +12,7 @@ import ( "k8s.io/kubernetes/pkg/kubectl/resource" cmdutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/route" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" ) @@ -135,7 +136,7 @@ func validate(cmd *cobra.Command, f *clientcmd.Factory, args []string) error { // The upstream generator will incorrectly chose service.Port instead of service.TargetPort // for the route TargetPort when no port is present. Passing forcePort=true // causes UnsecuredRoute to always set a Port so the upstream default is not used. - route, err := cmdutil.UnsecuredRoute(kc, namespace, info.Name, info.Name, kcmdutil.GetFlagString(cmd, "port"), true) + route, err := route.UnsecuredRoute(kc, namespace, info.Name, info.Name, kcmdutil.GetFlagString(cmd, "port"), true) if err != nil { return err } From f992a141e5f6af1193157717e082f2d2cbbf6654 Mon Sep 17 00:00:00 2001 
From: Clayton Coleman Date: Wed, 25 Apr 2018 20:41:05 -0400 Subject: [PATCH 07/26] UPSTREAM: 63169: Remove unnecessary dependencies on api/core/v1 --- .../kubernetes/staging/src/k8s.io/client-go/rest/config.go | 5 ++--- .../src/k8s.io/client-go/tools/clientcmd/client_config.go | 3 +-- .../client-go/tools/clientcmd/merged_client_builder.go | 3 +-- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/rest/config.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/rest/config.go index 72a78bc0a008..af2cbb99a9e9 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/rest/config.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/rest/config.go @@ -29,7 +29,6 @@ import ( "github.com/golang/glog" - "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" @@ -316,12 +315,12 @@ func InClusterConfig() (*Config, error) { return nil, fmt.Errorf("unable to load in-cluster configuration, KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be defined") } - token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/" + v1.ServiceAccountTokenKey) + token, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token") if err != nil { return nil, err } tlsClientConfig := TLSClientConfig{} - rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/" + v1.ServiceAccountRootCAKey + rootCAFile := "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" if _, err := certutil.NewPool(rootCAFile); err != nil { glog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err) } else { diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go index edbf1005e3a7..c15560521a2f 100644 
--- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go @@ -27,7 +27,6 @@ import ( "github.com/golang/glog" "github.com/imdario/mergo" - "k8s.io/api/core/v1" restclient "k8s.io/client-go/rest" clientauth "k8s.io/client-go/tools/auth" clientcmdapi "k8s.io/client-go/tools/clientcmd/api" @@ -329,7 +328,7 @@ func (config *DirectClientConfig) Namespace() (string, bool, error) { } if len(configContext.Namespace) == 0 { - return v1.NamespaceDefault, false, nil + return "default", false, nil } return configContext.Namespace, false, nil diff --git a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/tools/clientcmd/merged_client_builder.go b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/tools/clientcmd/merged_client_builder.go index 3f02111bd567..05038133b6b8 100644 --- a/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/tools/clientcmd/merged_client_builder.go +++ b/vendor/k8s.io/kubernetes/staging/src/k8s.io/client-go/tools/clientcmd/merged_client_builder.go @@ -22,7 +22,6 @@ import ( "github.com/golang/glog" - "k8s.io/api/core/v1" restclient "k8s.io/client-go/rest" clientcmdapi "k8s.io/client-go/tools/clientcmd/api" ) @@ -145,7 +144,7 @@ func (config *DeferredLoadingClientConfig) Namespace() (string, bool, error) { if len(ns) > 0 { // if we got a non-default namespace from the kubeconfig, use it - if ns != v1.NamespaceDefault { + if ns != "default" { return ns, false, nil } From fe56488c614e2fe85a7ff51d2568e013f3ef2edb Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Wed, 25 Apr 2018 20:41:49 -0400 Subject: [PATCH 08/26] hack/deps was missing some dependencies in the chain --- hack/lib/constants.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hack/lib/constants.sh b/hack/lib/constants.sh index 028eb20a31ad..1912b18eed54 100755 --- a/hack/lib/constants.sh +++ b/hack/lib/constants.sh 
@@ -194,9 +194,9 @@ readonly -f os::util::list_go_src_dirs # os::util::list_go_deps outputs the list of dependencies for the project. function os::util::list_go_deps() { - go list -f '{{.ImportPath}}{{.Imports}}' ./pkg/... ./cmd/... | tr '[]' ' ' | + go list -f '{{.ImportPath}}{{.Imports}}' ./pkg/... ./cmd/... ./vendor/k8s.io/... | tr '[]' ' ' | sed -e 's|github.com/openshift/origin/vendor/||g' | - sed -e 's|github.com/openshift/origin/pkg/build/vendor/||g' + sed -e 's|k8s.io/kubernetes/staging/src/||g' } # os::util::list_test_packages_under lists all packages containing Golang test files that we From bec58855d70b3d113289dfc62e4fc9c9382ba907 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Wed, 25 Apr 2018 20:43:15 -0400 Subject: [PATCH 09/26] Shared utility should not take a dependency on legacyscheme cmd/util is used by more than kubectl/oc --- hack/import-restrictions.json | 2 + pkg/cmd/util/cmd.go | 138 ---------------- pkg/cmd/util/print/print.go | 152 ++++++++++++++++++ pkg/oc/admin/groups/sync/cli/sync.go | 5 +- .../policy/reconcile_clusterrolebindings.go | 4 +- pkg/oc/admin/policy/reconcile_clusterroles.go | 5 +- pkg/oc/admin/policy/reconcile_sccs.go | 5 +- pkg/oc/admin/registry/registry.go | 4 +- pkg/oc/admin/router/router.go | 11 +- pkg/oc/cli/cmd/expose.go | 1 - pkg/oc/cli/cmd/importer/appjson.go | 4 +- pkg/oc/cli/cmd/newapp.go | 4 +- pkg/oc/experimental/ipfailover/ipfailover.go | 5 +- 13 files changed, 183 insertions(+), 157 deletions(-) create mode 100644 pkg/cmd/util/print/print.go diff --git a/hack/import-restrictions.json b/hack/import-restrictions.json index cef2a1ed528f..343debb1cc9b 100644 --- a/hack/import-restrictions.json +++ b/hack/import-restrictions.json 
@@ -477,6 +477,8 @@ "github.com/openshift/origin/pkg/cmd/server/etcd", "github.com/openshift/origin/pkg/cmd/templates", "github.com/openshift/origin/pkg/cmd/util", + "github.com/openshift/origin/pkg/cmd/util/print", + "github.com/openshift/origin/pkg/cmd/util/route", "github.com/openshift/origin/pkg/cmd/util/term", "github.com/openshift/origin/pkg/cmd/util/variable", "github.com/openshift/origin/pkg/git", diff --git a/pkg/cmd/util/cmd.go b/pkg/cmd/util/cmd.go index 0bad56439d99..53dd6386ec97 100644 --- a/pkg/cmd/util/cmd.go +++ b/pkg/cmd/util/cmd.go @@ -11,12 +11,7 @@ import ( "github.com/spf13/cobra" "k8s.io/apimachinery/pkg/api/meta" - "k8s.io/apimachinery/pkg/apimachinery" - "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/kubernetes/pkg/api/legacyscheme" - kapi "k8s.io/kubernetes/pkg/apis/core" - kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" ) var commaSepVarsPattern = regexp.MustCompile(".*=.*,.*=.*") 
@@ -72,139 +67,6 @@ func ResolveResource(defaultResource schema.GroupResource, resourceString string return defaultResource, name, nil } -// convertItemsForDisplay returns a new list that contains parallel elements that have been converted to the most preferred external version -func convertItemsForDisplay(objs []runtime.Object, preferredVersions ...schema.GroupVersion) ([]runtime.Object, error) { - ret := []runtime.Object{} - - for i := range objs { - obj := objs[i] - kinds, _, err := legacyscheme.Scheme.ObjectKinds(obj) - if err != nil { - return nil, err - } - - // Gather all groups where the object kind is known. - groups := []*apimachinery.GroupMeta{} - for _, kind := range kinds { - groupMeta, err := legacyscheme.Registry.Group(kind.Group) - if err != nil { - return nil, err - } - groups = append(groups, groupMeta) - } - - // if no preferred versions given, pass all group versions found. - if len(preferredVersions) == 0 { - defaultGroupVersions := []runtime.GroupVersioner{} - for _, group := range groups { - defaultGroupVersions = append(defaultGroupVersions, group.GroupVersion) - } - - defaultGroupVersioners := runtime.GroupVersioners(defaultGroupVersions) - convertedObject, err := legacyscheme.Scheme.ConvertToVersion(obj, defaultGroupVersioners) - if err != nil { - return nil, err - } - ret = append(ret, convertedObject) - continue - } - - actualOutputVersion := schema.GroupVersion{} - // Find the first preferred version that contains the object kind group. - // If there are more groups for the given resource, prefer those that are first in the - // list of preferred versions. 
- for _, version := range preferredVersions { - for _, group := range groups { - if version.Group == group.GroupVersion.Group { - for _, externalVersion := range group.GroupVersions { - if version == externalVersion { - actualOutputVersion = externalVersion - break - } - if actualOutputVersion.Empty() { - actualOutputVersion = externalVersion - } - } - } - if !actualOutputVersion.Empty() { - break - } - } - if !actualOutputVersion.Empty() { - break - } - } - - // if no preferred version found in the list of given GroupVersions, - // attempt to convert to first GroupVersion that satisfies a preferred version - if len(actualOutputVersion.Version) == 0 { - preferredVersioners := []runtime.GroupVersioner{} - for _, gv := range preferredVersions { - preferredVersions = append(preferredVersions, gv) - } - preferredVersioner := runtime.GroupVersioners(preferredVersioners) - convertedObject, err := legacyscheme.Scheme.ConvertToVersion(obj, preferredVersioner) - if err != nil { - return nil, err - } - - ret = append(ret, convertedObject) - continue - } - - convertedObject, err := legacyscheme.Scheme.ConvertToVersion(obj, actualOutputVersion) - if err != nil { - return nil, err - } - - ret = append(ret, convertedObject) - } - - return ret, nil -} - -// convertItemsForDisplayFromDefaultCommand returns a new list that contains parallel elements that have been converted to the most preferred external version -// TODO: move this function into the core factory PrintObjects method -// TODO: print-objects should have preferred output versions -func convertItemsForDisplayFromDefaultCommand(cmd *cobra.Command, objs []runtime.Object) ([]runtime.Object, error) { - requested := kcmdutil.GetFlagString(cmd, "output-version") - versions := []schema.GroupVersion{} - if len(requested) == 0 { - return convertItemsForDisplay(objs, versions...) 
- } - - for _, v := range strings.Split(requested, ",") { - version, err := schema.ParseGroupVersion(v) - if err != nil { - return nil, err - } - versions = append(versions, version) - } - - return convertItemsForDisplay(objs, versions...) -} - -// VersionedPrintObject handles printing an object in the appropriate version by looking at 'output-version' -// on the command -func VersionedPrintObject(fn func(*cobra.Command, runtime.Object, io.Writer) error, c *cobra.Command, out io.Writer) func(runtime.Object) error { - return func(obj runtime.Object) error { - // TODO: fold into the core printer functionality (preferred output version) - if list, ok := obj.(*kapi.List); ok { - var err error - if list.Items, err = convertItemsForDisplayFromDefaultCommand(c, list.Items); err != nil { - return err - } - } else { - result, err := convertItemsForDisplayFromDefaultCommand(c, []runtime.Object{obj}) - if err != nil { - return err - } - obj = result[0] - } - return fn(c, obj, out) - } -} - func WarnAboutCommaSeparation(errout io.Writer, values []string, flag string) { if errout == nil { return diff --git a/pkg/cmd/util/print/print.go b/pkg/cmd/util/print/print.go new file mode 100644 index 000000000000..e8004b222fab --- /dev/null +++ b/pkg/cmd/util/print/print.go 
@@ -0,0 +1,152 @@ +package print + +import ( + "io" + "strings" + + "github.com/spf13/cobra" + + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/apimachinery" + "k8s.io/apimachinery/pkg/apimachinery/registered" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" +) + +// convertItemsForDisplay returns a new list that contains parallel elements that have been converted to the most preferred external version +func convertItemsForDisplay(scheme *runtime.Scheme, registry *registered.APIRegistrationManager, objs []runtime.Object, preferredVersions ...schema.GroupVersion) ([]runtime.Object, error) { + ret := []runtime.Object{} + + for i := range objs { + obj := objs[i] + kinds, _, err := scheme.ObjectKinds(obj) + if err != nil { + return nil, err + } + + // Gather all groups where the object kind is known. + groups := []*apimachinery.GroupMeta{} + for _, kind := range kinds { + groupMeta, err := registry.Group(kind.Group) + if err != nil { + return nil, err + } + groups = append(groups, groupMeta) + } + + // if no preferred versions given, pass all group versions found. + if len(preferredVersions) == 0 { + defaultGroupVersions := []runtime.GroupVersioner{} + for _, group := range groups { + defaultGroupVersions = append(defaultGroupVersions, group.GroupVersion) + } + + defaultGroupVersioners := runtime.GroupVersioners(defaultGroupVersions) + convertedObject, err := scheme.ConvertToVersion(obj, defaultGroupVersioners) + if err != nil { + return nil, err + } + ret = append(ret, convertedObject) + continue + } + + actualOutputVersion := schema.GroupVersion{} + // Find the first preferred version that contains the object kind group. + // If there are more groups for the given resource, prefer those that are first in the + // list of preferred versions. 
+ for _, version := range preferredVersions { + for _, group := range groups { + if version.Group == group.GroupVersion.Group { + for _, externalVersion := range group.GroupVersions { + if version == externalVersion { + actualOutputVersion = externalVersion + break + } + if actualOutputVersion.Empty() { + actualOutputVersion = externalVersion + } + } + } + if !actualOutputVersion.Empty() { + break + } + } + if !actualOutputVersion.Empty() { + break + } + } + + // if no preferred version found in the list of given GroupVersions, + // attempt to convert to first GroupVersion that satisfies a preferred version + if len(actualOutputVersion.Version) == 0 { + preferredVersioners := []runtime.GroupVersioner{} + for _, gv := range preferredVersions { + preferredVersions = append(preferredVersions, gv) + } + preferredVersioner := runtime.GroupVersioners(preferredVersioners) + convertedObject, err := scheme.ConvertToVersion(obj, preferredVersioner) + if err != nil { + return nil, err + } + + ret = append(ret, convertedObject) + continue + } + + convertedObject, err := scheme.ConvertToVersion(obj, actualOutputVersion) + if err != nil { + return nil, err + } + + ret = append(ret, convertedObject) + } + + return ret, nil +} + +// convertItemsForDisplayFromDefaultCommand returns a new list that contains parallel elements that have been converted to the most preferred external version +// TODO: move this function into the core factory PrintObjects method +// TODO: print-objects should have preferred output versions +func convertItemsForDisplayFromDefaultCommand(scheme *runtime.Scheme, registry *registered.APIRegistrationManager, cmd *cobra.Command, objs []runtime.Object) ([]runtime.Object, error) { + requested := kcmdutil.GetFlagString(cmd, "output-version") + versions := []schema.GroupVersion{} + if len(requested) == 0 { + return convertItemsForDisplay(scheme, registry, objs, versions...) 
+ } + + for _, v := range strings.Split(requested, ",") { + version, err := schema.ParseGroupVersion(v) + if err != nil { + return nil, err + } + versions = append(versions, version) + } + + return convertItemsForDisplay(scheme, registry, objs, versions...) +} + +// VersionedPrintObject handles printing an object in the appropriate version by looking at 'output-version' +// on the command +func VersionedPrintObject(scheme *runtime.Scheme, registry *registered.APIRegistrationManager, fn func(*cobra.Command, runtime.Object, io.Writer) error, c *cobra.Command, out io.Writer) func(runtime.Object) error { + return func(obj runtime.Object) error { + // TODO: fold into the core printer functionality (preferred output version) + + if items, err := meta.ExtractList(obj); err == nil { + items, err = convertItemsForDisplayFromDefaultCommand(scheme, registry, c, items) + if err != nil { + return err + } + if err := meta.SetList(obj, items); err != nil { + return err + } + } else { + result, err := convertItemsForDisplayFromDefaultCommand(scheme, registry, c, []runtime.Object{obj}) + if err != nil { + return err + } + obj = result[0] + } + return fn(c, obj, out) + } +} diff --git a/pkg/oc/admin/groups/sync/cli/sync.go b/pkg/oc/admin/groups/sync/cli/sync.go index 2ee3952b0c54..9902909c5c96 100644 --- a/pkg/oc/admin/groups/sync/cli/sync.go +++ b/pkg/oc/admin/groups/sync/cli/sync.go @@ -15,6 +15,7 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" kyaml "k8s.io/apimachinery/pkg/util/yaml" + "k8s.io/kubernetes/pkg/api/legacyscheme" kapi "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/kubectl/cmd/templates" kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" 
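Review bot: In `convertItemsForDisplay` in the new pkg/cmd/util/print/print.go, the fallback branch for `len(actualOutputVersion.Version) == 0` appends to the wrong slice. `preferredVersions = append(preferredVersions, gv)` grows the input while `preferredVersioners` stays empty, so `scheme.ConvertToVersion` is handed an empty `runtime.GroupVersioners`. The line was carried over unchanged from pkg/cmd/util/cmd.go, and this move is a good place to correct it to `preferredVersioners = append(preferredVersioners, gv)`. Because `preferredVersions` is reassigned inside the per-object loop, the current code also lengthens the list seen by every later object.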
@@ -22,7 +23,7 @@ import ( "github.com/openshift/origin/pkg/cmd/server/apis/config" configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" "github.com/openshift/origin/pkg/cmd/server/apis/config/validation" - cmdutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/oauthserver/ldaputil" "github.com/openshift/origin/pkg/oauthserver/ldaputil/ldapclient" "github.com/openshift/origin/pkg/oc/admin/groups/sync" @@ -430,7 +431,7 @@ func (o *SyncOptions) Run(cmd *cobra.Command, f *clientcmd.Factory) error { for _, item := range openshiftGroups { list.Items = append(list.Items, item) } - fn := cmdutil.VersionedPrintObject(kcmdutil.PrintObject, cmd, o.Out) + fn := print.VersionedPrintObject(legacyscheme.Scheme, legacyscheme.Registry, kcmdutil.PrintObject, cmd, o.Out) if err := fn(list); err != nil { return err } diff --git a/pkg/oc/admin/policy/reconcile_clusterrolebindings.go b/pkg/oc/admin/policy/reconcile_clusterrolebindings.go index 524d908b9778..5a0dbabab884 100644 --- a/pkg/oc/admin/policy/reconcile_clusterrolebindings.go +++ b/pkg/oc/admin/policy/reconcile_clusterrolebindings.go @@ -12,6 +12,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" kutilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/kubernetes/pkg/api/legacyscheme" kapi "k8s.io/kubernetes/pkg/apis/core" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" "k8s.io/kubernetes/pkg/apis/rbac" @@ -25,6 +26,7 @@ import ( authorizationutil "github.com/openshift/origin/pkg/authorization/util" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" cmdutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" ) 
@@ -188,7 +190,7 @@ func (o *ReconcileClusterRoleBindingsOptions) RunReconcileClusterRoleBindings(cm for _, item := range changedClusterRoleBindings { list.Items = append(list.Items, item) } - fn := cmdutil.VersionedPrintObject(kcmdutil.PrintObject, cmd, o.Out) + fn := print.VersionedPrintObject(legacyscheme.Scheme, legacyscheme.Registry, kcmdutil.PrintObject, cmd, o.Out) if err := fn(list); err != nil { errs = append(errs, err) return kutilerrors.NewAggregate(errs) diff --git a/pkg/oc/admin/policy/reconcile_clusterroles.go b/pkg/oc/admin/policy/reconcile_clusterroles.go index 4768006d75ac..ea0d850a3812 100644 --- a/pkg/oc/admin/policy/reconcile_clusterroles.go +++ b/pkg/oc/admin/policy/reconcile_clusterroles.go @@ -11,6 +11,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" kerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/kubernetes/pkg/api/legacyscheme" kapi "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/apis/rbac" "k8s.io/kubernetes/pkg/kubectl/cmd/templates" @@ -22,8 +23,8 @@ import ( authorizationtypedclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset/typed/authorization/internalversion" "github.com/openshift/origin/pkg/authorization/registry/util" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" - cmdutil "github.com/openshift/origin/pkg/cmd/util" osutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" ) @@ -175,7 +176,7 @@ func (o *ReconcileClusterRolesOptions) RunReconcileClusterRoles(cmd *cobra.Comma for _, item := range changedClusterRoles { list.Items = append(list.Items, item) } - fn := cmdutil.VersionedPrintObject(kcmdutil.PrintObject, cmd, o.Out) + fn := print.VersionedPrintObject(legacyscheme.Scheme, legacyscheme.Registry, kcmdutil.PrintObject, cmd, o.Out) if err := fn(list); err != nil { return err } 
diff --git a/pkg/oc/admin/policy/reconcile_sccs.go b/pkg/oc/admin/policy/reconcile_sccs.go index 903f46ee8788..4445ea87316d 100644 --- a/pkg/oc/admin/policy/reconcile_sccs.go +++ b/pkg/oc/admin/policy/reconcile_sccs.go @@ -12,6 +12,7 @@ import ( kapierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/kubernetes/pkg/api/legacyscheme" kapi "k8s.io/kubernetes/pkg/apis/core" kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" kcoreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion" @@ -19,7 +20,7 @@ import ( kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" - cmdutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" securityapi "github.com/openshift/origin/pkg/security/apis/security" securityclientinternal "github.com/openshift/origin/pkg/security/generated/internalclientset" @@ -164,7 +165,7 @@ func (o *ReconcileSCCOptions) RunReconcileSCCs(cmd *cobra.Command, f *clientcmd. for _, item := range changedSCCs { list.Items = append(list.Items, item) } - fn := cmdutil.VersionedPrintObject(kcmdutil.PrintObject, cmd, o.Out) + fn := print.VersionedPrintObject(legacyscheme.Scheme, legacyscheme.Registry, kcmdutil.PrintObject, cmd, o.Out) if err := fn(list); err != nil { return err } diff --git a/pkg/oc/admin/registry/registry.go b/pkg/oc/admin/registry/registry.go index ce82854f599a..124f80fb5cf2 100644 --- a/pkg/oc/admin/registry/registry.go +++ b/pkg/oc/admin/registry/registry.go 
@@ -17,6 +17,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/kubernetes/pkg/api/legacyscheme" kapi "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/apis/extensions" kcoreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion" @@ -25,6 +26,7 @@ import ( authapi "github.com/openshift/origin/pkg/authorization/apis/authorization" cmdutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/cmd/util/variable" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" @@ -474,7 +476,7 @@ func (opts *RegistryOptions) RunCmdRegistry() error { if opts.Config.Action.ShouldPrint() { opts.cmd.Flag("output-version").Value.Set("extensions/v1beta1,v1") - fn := cmdutil.VersionedPrintObject(kcmdutil.PrintObject, opts.cmd, opts.out) + fn := print.VersionedPrintObject(legacyscheme.Scheme, legacyscheme.Registry, kcmdutil.PrintObject, opts.cmd, opts.out) if err := fn(list); err != nil { return fmt.Errorf("unable to print object: %v", err) } diff --git a/pkg/oc/admin/router/router.go b/pkg/oc/admin/router/router.go index 47241e6e3fe2..be86c2a109b5 100644 --- a/pkg/oc/admin/router/router.go +++ b/pkg/oc/admin/router/router.go 
@@ -19,19 +19,20 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/validation" + "k8s.io/kubernetes/pkg/api/legacyscheme" kapi "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/kubectl/cmd/templates" kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" "k8s.io/kubernetes/pkg/serviceaccount" + appsapi "github.com/openshift/origin/pkg/apps/apis/apps" authapi "github.com/openshift/origin/pkg/authorization/apis/authorization" + configcmd "github.com/openshift/origin/pkg/bulk" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" cmdutil "github.com/openshift/origin/pkg/cmd/util" - "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" - - appsapi "github.com/openshift/origin/pkg/apps/apis/apps" - configcmd "github.com/openshift/origin/pkg/bulk" + "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/cmd/util/variable" + "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" "github.com/openshift/origin/pkg/oc/generate/app" securityclientinternal "github.com/openshift/origin/pkg/security/generated/internalclientset" oscc "github.com/openshift/origin/pkg/security/securitycontextconstraints" @@ -826,7 +827,7 @@ func RunCmdRouter(f *clientcmd.Factory, cmd *cobra.Command, out, errout io.Write list := &kapi.List{Items: objects} if cfg.Action.ShouldPrint() { - fn := cmdutil.VersionedPrintObject(kcmdutil.PrintObject, cmd, out) + fn := print.VersionedPrintObject(legacyscheme.Scheme, legacyscheme.Registry, kcmdutil.PrintObject, cmd, out) if err := fn(list); err != nil { return fmt.Errorf("unable to print object: %v", err) } diff --git a/pkg/oc/cli/cmd/expose.go b/pkg/oc/cli/cmd/expose.go index b4ed565d56f6..40244843cf4d 100644 --- a/pkg/oc/cli/cmd/expose.go +++ b/pkg/oc/cli/cmd/expose.go 
@@ -11,7 +11,6 @@ import ( kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" "k8s.io/kubernetes/pkg/kubectl/resource" - cmdutil "github.com/openshift/origin/pkg/cmd/util" "github.com/openshift/origin/pkg/cmd/util/route" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" ) diff --git a/pkg/oc/cli/cmd/importer/appjson.go b/pkg/oc/cli/cmd/importer/appjson.go index 90aaca5212bf..4c68d8f262ef 100644 --- a/pkg/oc/cli/cmd/importer/appjson.go +++ b/pkg/oc/cli/cmd/importer/appjson.go @@ -22,7 +22,7 @@ import ( kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" configcmd "github.com/openshift/origin/pkg/bulk" - cmdutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" "github.com/openshift/origin/pkg/oc/generate/app" "github.com/openshift/origin/pkg/oc/generate/appjson" @@ -128,7 +128,7 @@ func (o *AppJSONOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command, args o.Action.Bulk.Mapper = clientcmd.ResourceMapper(f) o.Action.Bulk.Op = configcmd.Create - o.PrintObject = cmdutil.VersionedPrintObject(kcmdutil.PrintObject, cmd, o.Action.Out) + o.PrintObject = print.VersionedPrintObject(legacyscheme.Scheme, legacyscheme.Registry, kcmdutil.PrintObject, cmd, o.Action.Out) o.Generator, _ = cmd.Flags().GetString("generator") diff --git a/pkg/oc/cli/cmd/newapp.go b/pkg/oc/cli/cmd/newapp.go index 74118ec08bc8..508c7629d93e 100644 --- a/pkg/oc/cli/cmd/newapp.go +++ b/pkg/oc/cli/cmd/newapp.go @@ -22,6 +22,7 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" restclient "k8s.io/client-go/rest" + "k8s.io/kubernetes/pkg/api/legacyscheme" kapi "k8s.io/kubernetes/pkg/apis/core" kcoreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion" ctl "k8s.io/kubernetes/pkg/kubectl" 
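Review bot: No `legacyscheme` import is added for appjson.go, although the changed line in Complete now passes `legacyscheme.Scheme` and `legacyscheme.Registry`. The import hunk for this file only swaps `cmdutil` for `print`, unlike the other files in this patch. Unless the package is already imported above the visible context, the file will not compile; in that case add `"k8s.io/kubernetes/pkg/api/legacyscheme"` next to the other k8s.io imports. Complete's body continues outside the hunk.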
@@ -33,6 +34,7 @@ import ( buildapi "github.com/openshift/origin/pkg/build/apis/build" configcmd "github.com/openshift/origin/pkg/bulk" cmdutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/git" imageapi "github.com/openshift/origin/pkg/image/apis/image" imageclientinternal "github.com/openshift/origin/pkg/image/generated/internalclientset" @@ -198,7 +200,7 @@ func (o *ObjectGeneratorOptions) Complete(baseName, commandName string, f *clien o.BaseName = baseName o.CommandName = commandName - o.PrintObject = cmdutil.VersionedPrintObject(kcmdutil.PrintObject, c, out) + o.PrintObject = print.VersionedPrintObject(legacyscheme.Scheme, legacyscheme.Registry, kcmdutil.PrintObject, c, out) o.LogsForObject = f.LogsForObject if err := CompleteAppConfig(o.Config, f, c, args); err != nil { return err diff --git a/pkg/oc/experimental/ipfailover/ipfailover.go b/pkg/oc/experimental/ipfailover/ipfailover.go index c0ae06332021..56a1d3adf94e 100644 --- a/pkg/oc/experimental/ipfailover/ipfailover.go +++ b/pkg/oc/experimental/ipfailover/ipfailover.go @@ -17,12 +17,13 @@ import ( configcmd "github.com/openshift/origin/pkg/bulk" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" - cmdutil "github.com/openshift/origin/pkg/cmd/util" + "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/cmd/util/variable" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" "github.com/openshift/origin/pkg/oc/experimental/ipfailover/ipfailover" "github.com/openshift/origin/pkg/oc/experimental/ipfailover/keepalived" securityclientinternal "github.com/openshift/origin/pkg/security/generated/internalclientset" + "k8s.io/kubernetes/pkg/api/legacyscheme" ) var ( 
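Review bot: In ipfailover.go the new `"k8s.io/kubernetes/pkg/api/legacyscheme"` import is appended to the end of the github.com/openshift group, while every other file in this patch puts it with the k8s.io imports. Moving it up to the k8s.io group (presumably just above the visible context, where `kcmdutil` must come from) keeps the grouping consistent and avoids churn the next time goimports runs over the file.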
@@ -205,7 +206,7 @@ func Run(f *clientcmd.Factory, options *ipfailover.IPFailoverConfigCmdOptions, c list.Items = append(configList, list.Items...) if options.Action.ShouldPrint() { - return cmdutil.VersionedPrintObject(kcmdutil.PrintObject, cmd, options.Action.Out)(list) + return print.VersionedPrintObject(legacyscheme.Scheme, legacyscheme.Registry, kcmdutil.PrintObject, cmd, options.Action.Out)(list) } if errs := options.Action.WithMessage(fmt.Sprintf("Creating IP failover %s", name), "created").Run(list, namespace); len(errs) > 0 { From e2c02429870935a5ce465f31355148825561360b Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Wed, 25 Apr 2018 20:44:32 -0400 Subject: [PATCH 10/26] Move kubeletclient reference out of an api package --- pkg/cmd/server/apis/config/helpers.go | 26 ---------------- .../server/kubernetes/master/master_config.go | 3 +- .../server/kubernetes/node/client/client.go | 31 +++++++++++++++++++ 3 files changed, 33 insertions(+), 27 deletions(-) create mode 100644 pkg/cmd/server/kubernetes/node/client/client.go diff --git a/pkg/cmd/server/apis/config/helpers.go b/pkg/cmd/server/apis/config/helpers.go index 8a4382805a69..b684bda474e3 100644 --- a/pkg/cmd/server/apis/config/helpers.go +++ b/pkg/cmd/server/apis/config/helpers.go @@ -16,8 +16,6 @@ import ( "k8s.io/apimachinery/pkg/util/sets" restclient "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" - api "k8s.io/kubernetes/pkg/apis/core" - kubeletclient "k8s.io/kubernetes/pkg/kubelet/client" cmdutil "github.com/openshift/origin/pkg/cmd/util" ) 
@@ -361,30 +359,6 @@ func GetOAuthClientCertCAs(options MasterConfig) ([]*x509.Certificate, error) { return allCerts, nil } -func GetKubeletClientConfig(options MasterConfig) *kubeletclient.KubeletClientConfig { - config := &kubeletclient.KubeletClientConfig{ - Port: options.KubeletClientInfo.Port, - PreferredAddressTypes: []string{ - string(api.NodeHostName), - string(api.NodeInternalIP), - string(api.NodeExternalIP), - }, - } - - if len(options.KubeletClientInfo.CA) > 0 { - config.EnableHttps = true - config.CAFile = options.KubeletClientInfo.CA - } - - if len(options.KubeletClientInfo.ClientCert.CertFile) > 0 { - config.EnableHttps = true - config.CertFile = options.KubeletClientInfo.ClientCert.CertFile - config.KeyFile = options.KubeletClientInfo.ClientCert.KeyFile - } - - return config -} - func IsPasswordAuthenticator(provider IdentityProvider) bool { switch provider.Provider.(type) { case diff --git a/pkg/cmd/server/kubernetes/master/master_config.go b/pkg/cmd/server/kubernetes/master/master_config.go index 5210c88231ff..db9aa15b0249 100644 --- a/pkg/cmd/server/kubernetes/master/master_config.go +++ b/pkg/cmd/server/kubernetes/master/master_config.go @@ -77,6 +77,7 @@ import ( configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" "github.com/openshift/origin/pkg/cmd/server/crypto" "github.com/openshift/origin/pkg/cmd/server/election" + nodeclient "github.com/openshift/origin/pkg/cmd/server/kubernetes/node/client" cmdutil "github.com/openshift/origin/pkg/cmd/util" cmdflags "github.com/openshift/origin/pkg/cmd/util/flags" oauthutil "github.com/openshift/origin/pkg/oauth/util" @@ -504,7 +505,7 @@ func buildKubeApiserverConfig( EventTTL: apiserverOptions.EventTTL, - KubeletClientConfig: *configapi.GetKubeletClientConfig(masterConfig), + KubeletClientConfig: *nodeclient.GetKubeletClientConfig(masterConfig), EnableLogsSupport: false, // don't expose server logs EnableCoreControllers: true, 
diff --git a/pkg/cmd/server/kubernetes/node/client/client.go b/pkg/cmd/server/kubernetes/node/client/client.go
new file mode 100644
index 000000000000..8e72d67a1d57
--- /dev/null
+++ b/pkg/cmd/server/kubernetes/node/client/client.go
@@ -0,0 +1,31 @@
+package client
+
+import (
+ kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
+
+ configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
+)
+
+func GetKubeletClientConfig(options configapi.MasterConfig) *kubeletclient.KubeletClientConfig {
+ config := &kubeletclient.KubeletClientConfig{
+ Port: options.KubeletClientInfo.Port,
+ PreferredAddressTypes: []string{
+ string("Hostname"),
+ string("InternalIP"),
+ string("ExternalIP"),
+ },
+ }
+
+ if len(options.KubeletClientInfo.CA) > 0 {
+ config.EnableHttps = true
+ config.CAFile = options.KubeletClientInfo.CA
+ }
+
+ if len(options.KubeletClientInfo.ClientCert.CertFile) > 0 {
+ config.EnableHttps = true
+ config.CertFile = options.KubeletClientInfo.ClientCert.CertFile
+ config.KeyFile = options.KubeletClientInfo.ClientCert.KeyFile
+ }
+
+ return config
+}
From f451bc0e25f541dbcecbd365d730150530388f4e Mon Sep 17 00:00:00 2001
From: Clayton Coleman
Date: Wed, 25 Apr 2018 20:45:36 -0400
Subject: [PATCH 11/26] Move admission config util to point of use package
---
pkg/cmd/server/apis/config/latest/helpers.go | 29 -----------------
.../server/origin/admission/chain_builder.go | 31 ++++++++++++++++++-
2 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/pkg/cmd/server/apis/config/latest/helpers.go b/pkg/cmd/server/apis/config/latest/helpers.go
index b321c591db65..2b1fd32b4f17 100644
--- a/pkg/cmd/server/apis/config/latest/helpers.go
+++ b/pkg/cmd/server/apis/config/latest/helpers.go
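Review bot: GetKubeletClientConfig sets `EnableHttps` only inside the two `if` blocks, so when neither `KubeletClientInfo.CA` nor `ClientCert.CertFile` is configured the returned config leaves it false. The master would then presumably talk to kubelets without TLS, and nothing here reports it. This is carried over from the removed helper in apis/config, but the new exported function has no doc comment stating it; I would add `// GetKubeletClientConfig builds the kubelet client config from the master config; HTTPS is enabled only when a CA or a client certificate is set.` The address types are also now written as `string("Hostname")` literals where the removed code used `string(api.NodeHostName)`. The conversion is redundant on a literal and the values can drift from the upstream constants, so a short comment naming the constants they mirror would help.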
@@ -11,9 +11,7 @@ import ( "github.com/ghodss/yaml" "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/util/sets" kyaml "k8s.io/apimachinery/pkg/util/yaml" - "k8s.io/apiserver/pkg/apis/apiserver" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" ) @@ -160,30 +158,3 @@ func IsAdmissionPluginActivated(reader io.Reader, defaultValue bool) (bool, erro return !activationConfig.Disable, nil } - -func ConvertOpenshiftAdmissionConfigToKubeAdmissionConfig(in map[string]configapi.AdmissionPluginConfig) (*apiserver.AdmissionConfiguration, error) { - ret := &apiserver.AdmissionConfiguration{} - - for _, pluginName := range sets.StringKeySet(in).List() { - openshiftConfig := in[pluginName] - - kubeConfig := apiserver.AdmissionPluginConfiguration{ - Name: pluginName, - Path: openshiftConfig.Location, - } - - if openshiftConfig.Configuration != nil { - configBytes, err := runtime.Encode(Codec, openshiftConfig.Configuration) - if err != nil { - return nil, err - } - kubeConfig.Configuration = &runtime.Unknown{ - Raw: configBytes, - } - } - - ret.Plugins = append(ret.Plugins, kubeConfig) - } - - return ret, nil -} diff --git a/pkg/cmd/server/origin/admission/chain_builder.go b/pkg/cmd/server/origin/admission/chain_builder.go index 9f3a9e2177aa..add076c8247e 100644 --- a/pkg/cmd/server/origin/admission/chain_builder.go +++ b/pkg/cmd/server/origin/admission/chain_builder.go @@ -8,9 +8,11 @@ import ( "os" "reflect" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle" + "k8s.io/apiserver/pkg/apis/apiserver" noderestriction "k8s.io/kubernetes/plugin/pkg/admission/noderestriction" expandpvcadmission "k8s.io/kubernetes/plugin/pkg/admission/persistentvolume/resize" saadmit "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount" 
@@ -190,7 +192,7 @@ func NewAdmissionChains( for pluginName, config := range options.AdmissionConfig.PluginConfig { pluginConfig[pluginName] = *config } - upstreamAdmissionConfig, err := configapilatest.ConvertOpenshiftAdmissionConfigToKubeAdmissionConfig(pluginConfig) + upstreamAdmissionConfig, err := convertOpenshiftAdmissionConfigToKubeAdmissionConfig(pluginConfig) if err != nil { return nil, err } @@ -375,3 +377,30 @@ func splitStream(config io.Reader) (io.Reader, io.Reader, error) { return bytes.NewBuffer(configBytes), bytes.NewBuffer(configBytes), nil } + +func convertOpenshiftAdmissionConfigToKubeAdmissionConfig(in map[string]configapi.AdmissionPluginConfig) (*apiserver.AdmissionConfiguration, error) { + ret := &apiserver.AdmissionConfiguration{} + + for _, pluginName := range sets.StringKeySet(in).List() { + openshiftConfig := in[pluginName] + + kubeConfig := apiserver.AdmissionPluginConfiguration{ + Name: pluginName, + Path: openshiftConfig.Location, + } + + if openshiftConfig.Configuration != nil { + configBytes, err := runtime.Encode(configapilatest.Codec, openshiftConfig.Configuration) + if err != nil { + return nil, err + } + kubeConfig.Configuration = &runtime.Unknown{ + Raw: configBytes, + } + } + + ret.Plugins = append(ret.Plugins, kubeConfig) + } + + return ret, nil +} From 74bb02b6f036f33f7bfc1eee82290e8a6d9cc0e7 Mon Sep 17 00:00:00 2001 
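Review bot: The encode failure in convertOpenshiftAdmissionConfigToKubeAdmissionConfig is returned bare (`return nil, err`), so a bad embedded plugin configuration gives no hint which admission plugin it belongs to. Wrapping it with the plugin name would make a misconfigured admission chain easier to diagnose, e.g. `return nil, fmt.Errorf("admission plugin %q: %v", pluginName, err)`, assuming `fmt` is already imported in chain_builder.go, which the hunks do not show. The function also has no comment; `// convertOpenshiftAdmissionConfigToKubeAdmissionConfig translates the per-plugin config into the upstream AdmissionConfiguration, in sorted plugin-name order.` would record that the output order is deterministic.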
From: Clayton Coleman Date: Wed, 25 Apr 2018 20:47:15 -0400 Subject: [PATCH 12/26] Move references to kube-proxy out of interface packages --- .../kubernetes/network/network_config.go | 15 ++- .../server/kubernetes/network/sdn_linux.go | 3 +- .../kubernetes/network/sdn_unsupported.go | 3 +- .../server/kubernetes/node/options/options.go | 99 ------------------- pkg/network/apis/network/annotations.go | 65 ++++++++++++ pkg/network/master/vnids.go | 16 +-- pkg/network/master/vnids_test.go | 19 ++-- pkg/network/netid.go | 63 +----------- pkg/network/node/node.go | 2 +- pkg/network/plugin.go | 12 --- pkg/network/proxy/proxy.go | 2 +- .../diagnostics/cluster/network/setup.go | 4 +- pkg/oc/admin/network/isolate_projects.go | 3 +- pkg/oc/admin/network/join_projects.go | 6 +- pkg/oc/admin/network/make_projects_global.go | 6 +- pkg/oc/admin/network/project_options.go | 6 +- test/integration/sdn_test.go | 12 +-- 17 files changed, 120 insertions(+), 216 deletions(-) create mode 100644 pkg/network/apis/network/annotations.go diff --git a/pkg/cmd/server/kubernetes/network/network_config.go b/pkg/cmd/server/kubernetes/network/network_config.go index 384451d65c01..0ca3c8c6edee 100644 --- a/pkg/cmd/server/kubernetes/network/network_config.go +++ b/pkg/cmd/server/kubernetes/network/network_config.go @@ -16,6 +16,7 @@ import ( kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" "k8s.io/kubernetes/pkg/proxy/apis/kubeproxyconfig" + proxyconfig "k8s.io/kubernetes/pkg/proxy/config" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" "github.com/openshift/origin/pkg/cmd/server/kubernetes/network/transport" 
@@ -46,9 +47,19 @@ type NetworkConfig struct { DNSServer *dns.Server // SDNNode is an optional SDN node interface - SDNNode network.NodeInterface + SDNNode NodeInterface // SDNProxy is an optional service endpoints filterer - SDNProxy network.ProxyInterface + SDNProxy ProxyInterface +} + +type ProxyInterface interface { + proxyconfig.EndpointsHandler + + Start(proxyconfig.EndpointsHandler) error +} + +type NodeInterface interface { + Start() error } // configureKubeConfigForClientCertRotation attempts to watch for client certificate rotation on the kubelet's cert diff --git a/pkg/cmd/server/kubernetes/network/sdn_linux.go b/pkg/cmd/server/kubernetes/network/sdn_linux.go index 0467fd1cadb9..dd62f3d03b4c 100644 --- a/pkg/cmd/server/kubernetes/network/sdn_linux.go +++ b/pkg/cmd/server/kubernetes/network/sdn_linux.go @@ -14,7 +14,6 @@ import ( "k8s.io/kubernetes/pkg/proxy/apis/kubeproxyconfig" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" - "github.com/openshift/origin/pkg/network" networkinformers "github.com/openshift/origin/pkg/network/generated/informers/internalversion" networkclient "github.com/openshift/origin/pkg/network/generated/internalclientset" sdnnode "github.com/openshift/origin/pkg/network/node" @@ -25,7 +24,7 @@ func NewSDNInterfaces(options configapi.NodeConfig, networkClient networkclient. kubeClientset kclientset.Interface, kubeClient kinternalclientset.Interface, internalKubeInformers kinternalinformers.SharedInformerFactory, internalNetworkInformers networkinformers.SharedInformerFactory, - proxyconfig *kubeproxyconfig.KubeProxyConfiguration) (network.NodeInterface, network.ProxyInterface, error) { + proxyconfig *kubeproxyconfig.KubeProxyConfiguration) (NodeInterface, ProxyInterface, error) { runtimeEndpoint := options.DockerConfig.DockerShimSocket runtime, ok := options.KubeletArguments["container-runtime"] 
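Review bot: The two interfaces added after NetworkConfig in network_config.go are exported but undocumented, and `ProxyInterface.Start` takes an `EndpointsHandler` whose role is not clear from the signature alone. I would add comments along the lines of `// NodeInterface is the SDN node component; Start begins running it.` and `// ProxyInterface filters service endpoints; Start is given the handler that filtered events are passed on to.` The second is my reading of the `SDNProxy` field comment rather than something the hunk shows, so please confirm before committing the wording.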
diff --git a/pkg/cmd/server/kubernetes/network/sdn_unsupported.go b/pkg/cmd/server/kubernetes/network/sdn_unsupported.go index 0868b88d106f..e3f573db1f50 100644 --- a/pkg/cmd/server/kubernetes/network/sdn_unsupported.go +++ b/pkg/cmd/server/kubernetes/network/sdn_unsupported.go @@ -11,7 +11,6 @@ import ( "k8s.io/kubernetes/pkg/proxy/apis/kubeproxyconfig" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" - "github.com/openshift/origin/pkg/network" networkinformers "github.com/openshift/origin/pkg/network/generated/informers/internalversion" networkclient "github.com/openshift/origin/pkg/network/generated/internalclientset" ) @@ -20,7 +19,7 @@ func NewSDNInterfaces(options configapi.NodeConfig, networkClient networkclient. kubeClientset kclientset.Interface, kubeClient kinternalclientset.Interface, internalKubeInformers kinternalinformers.SharedInformerFactory, internalNetworkInformers networkinformers.SharedInformerFactory, - proxyconfig *kubeproxyconfig.KubeProxyConfiguration) (network.NodeInterface, network.ProxyInterface, error) { + proxyconfig *kubeproxyconfig.KubeProxyConfiguration) (NodeInterface, ProxyInterface, error) { return nil, nil, fmt.Errorf("SDN not supported on this platform") } diff --git a/pkg/cmd/server/kubernetes/node/options/options.go b/pkg/cmd/server/kubernetes/node/options/options.go index 7c5fc6bfe15b..e69bb5afaa0e 100644 --- a/pkg/cmd/server/kubernetes/node/options/options.go +++ b/pkg/cmd/server/kubernetes/node/options/options.go @@ -20,7 +20,6 @@ import ( configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" cmdutil "github.com/openshift/origin/pkg/cmd/util" "github.com/openshift/origin/pkg/cmd/util/variable" - "github.com/openshift/origin/pkg/network" ) // ComputeKubeletFlags returns the flags to use when starting the kubelet. 
@@ -117,18 +116,6 @@ func ComputeKubeletFlags(startingArgs map[string][]string, options configapi.Nod } } - // default cluster-dns to the master's DNS if possible, but only if we can reach the master - // TODO: this exists to support legacy cases where the node defaulted to the master's DNS. - // we can remove this when we drop support for master DNS when CoreDNS is in use everywhere. - if len(args["cluster-dns"]) == 0 { - if clientConfig, err := configapi.GetClientConfig(options.MasterKubeConfig, options.MasterClientConnectionOverrides); err == nil { - if externalKubeClient, err := kclientsetexternal.NewForConfig(clientConfig); err == nil { - args["cluster-dns"] = getClusterDNS(externalKubeClient, args["cluster-dns"]) - } - } - - } - // there is a special case. If you set `--cgroups-per-qos=false` and `--enforce-node-allocatable` is // an empty string, `--enforce-node-allocatable=""` needs to be explicitly set // cgroups-per-qos defaults to true 
@@ -189,89 +176,3 @@ func hasArgPrefix(needle string, haystack []string) bool { return false } - -func getClusterDNS(dnsClient kclientsetexternal.Interface, currClusterDNS []string) []string { - var clusterDNS net.IP - if len(currClusterDNS) == 0 { - if service, err := dnsClient.Core().Services(metav1.NamespaceDefault).Get("kubernetes", metav1.GetOptions{}); err == nil { - if includesServicePort(service.Spec.Ports, 53, "dns") { - // Use master service if service includes "dns" port 53. - clusterDNS = net.ParseIP(service.Spec.ClusterIP) - } - } - } - if clusterDNS == nil { - if endpoint, err := dnsClient.Core().Endpoints(metav1.NamespaceDefault).Get("kubernetes", metav1.GetOptions{}); err == nil { - if endpointIP, ok := firstEndpointIPWithNamedPort(endpoint, 53, "dns"); ok { - // Use first endpoint if endpoint includes "dns" port 53. - clusterDNS = net.ParseIP(endpointIP) - } else if endpointIP, ok := firstEndpointIP(endpoint, 53); ok { - // Test and use first endpoint if endpoint includes any port 53. 
- if err := cmdutil.WaitForSuccessfulDial(false, "tcp", fmt.Sprintf("%s:%d", endpointIP, 53), 50*time.Millisecond, 0, 2); err == nil { - clusterDNS = net.ParseIP(endpointIP) - } - } - } - } - if clusterDNS != nil && !clusterDNS.IsUnspecified() { - return []string{clusterDNS.String()} - } - - return currClusterDNS -} - -// TODO: more generic location -func includesEndpointPort(ports []kapiv1.EndpointPort, port int) bool { - for _, p := range ports { - if p.Port == int32(port) { - return true - } - } - return false -} - -// TODO: more generic location -func includesServicePort(ports []kapiv1.ServicePort, port int, portName string) bool { - for _, p := range ports { - if p.Port == int32(port) && p.Name == portName { - return true - } - } - return false -} - -// TODO: more generic location -func firstEndpointIP(endpoints *kapiv1.Endpoints, port int) (string, bool) { - for _, s := range endpoints.Subsets { - if !includesEndpointPort(s.Ports, port) { - continue - } - for _, a := range s.Addresses { - return a.IP, true - } - } - return "", false -} - -// TODO: more generic location -func firstEndpointIPWithNamedPort(endpoints *kapiv1.Endpoints, port int, portName string) (string, bool) { - for _, s := range endpoints.Subsets { - if !includesNamedEndpointPort(s.Ports, port, portName) { - continue - } - for _, a := range s.Addresses { - return a.IP, true - } - } - return "", false -} - -// TODO: more generic location -func includesNamedEndpointPort(ports []kapiv1.EndpointPort, port int, portName string) bool { - for _, p := range ports { - if p.Port == int32(port) && p.Name == portName { - return true - } - } - return false -} diff --git a/pkg/network/apis/network/annotations.go b/pkg/network/apis/network/annotations.go new file mode 100644 index 000000000000..395793d8dce1 --- /dev/null +++ b/pkg/network/apis/network/annotations.go 
@@ -0,0 +1,65 @@ +package network + +import ( + "fmt" + "strings" +) + +type PodNetworkAction string + +const ( + + // ChangePodNetworkAnnotation is an annotation on NetNamespace to request change of pod network + ChangePodNetworkAnnotation string = "pod.network.openshift.io/multitenant.change-network" + + // Acceptable values for ChangePodNetworkAnnotation + GlobalPodNetwork PodNetworkAction = "global" + JoinPodNetwork PodNetworkAction = "join" + IsolatePodNetwork PodNetworkAction = "isolate" +) + +var ( + ErrorPodNetworkAnnotationNotFound = fmt.Errorf("ChangePodNetworkAnnotation not found") +) + +// GetChangePodNetworkAnnotation fetches network change intent from NetNamespace +func GetChangePodNetworkAnnotation(netns *NetNamespace) (PodNetworkAction, string, error) { + value, ok := netns.Annotations[ChangePodNetworkAnnotation] + if !ok { + return PodNetworkAction(""), "", ErrorPodNetworkAnnotationNotFound + } + + args := strings.Split(value, ":") + switch PodNetworkAction(args[0]) { + case GlobalPodNetwork: + return GlobalPodNetwork, "", nil + case JoinPodNetwork: + if len(args) != 2 { + return PodNetworkAction(""), "", fmt.Errorf("invalid namespace for join pod network: %s", value) + } + namespace := args[1] + return JoinPodNetwork, namespace, nil + case IsolatePodNetwork: + return IsolatePodNetwork, "", nil + } + + return PodNetworkAction(""), "", fmt.Errorf("invalid ChangePodNetworkAnnotation: %s", value) +} + +// SetChangePodNetworkAnnotation sets network change intent on NetNamespace +func SetChangePodNetworkAnnotation(netns *NetNamespace, action PodNetworkAction, params string) { + if netns.Annotations == nil { + netns.Annotations = make(map[string]string) + } + + value := string(action) + if len(params) != 0 { + value = fmt.Sprintf("%s:%s", value, params) + } + netns.Annotations[ChangePodNetworkAnnotation] = value +} + +// DeleteChangePodNetworkAnnotation removes network change intent from NetNamespace +func DeleteChangePodNetworkAnnotation(netns 
*NetNamespace) { + delete(netns.Annotations, ChangePodNetworkAnnotation) +} diff --git a/pkg/network/master/vnids.go b/pkg/network/master/vnids.go index 58772f99e8a0..719cf1f8bbb7 100644 --- a/pkg/network/master/vnids.go +++ b/pkg/network/master/vnids.go @@ -140,7 +140,7 @@ func (vmap *masterVNIDMap) releaseNetID(nsName string) error { return nil } -func (vmap *masterVNIDMap) updateNetID(nsName string, action network.PodNetworkAction, args string) (uint32, error) { +func (vmap *masterVNIDMap) updateNetID(nsName string, action networkapi.PodNetworkAction, args string) (uint32, error) { var netid uint32 allocated := false @@ -152,15 +152,15 @@ func (vmap *masterVNIDMap) updateNetID(nsName string, action network.PodNetworkA // Determine new network ID switch action { - case network.GlobalPodNetwork: + case networkapi.GlobalPodNetwork: netid = network.GlobalVNID - case network.JoinPodNetwork: + case networkapi.JoinPodNetwork: joinNsName := args var found bool if netid, found = vmap.getVNID(joinNsName); !found { return 0, fmt.Errorf("netid not found for namespace %q", joinNsName) } - case network.IsolatePodNetwork: + case networkapi.IsolatePodNetwork: if nsName == kapi.NamespaceDefault { return 0, fmt.Errorf("network isolation for namespace %q is not allowed", nsName) } 
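Review bot: In pkg/network/apis/network/annotations.go, `GetChangePodNetworkAnnotation` accepts annotation values it should reject. `join:` splits into two elements and passes the `len(args) != 2` check with an empty namespace, and `global:anything` or `isolate:anything` returns success with the trailing part silently dropped. Because this annotation requests a change to a project's network isolation, the parser should be strict: use `if len(args) != 2 || len(args[1]) == 0 {` in the join case and return the "invalid ChangePodNetworkAnnotation" error when `len(args) != 1` for the global and isolate cases. The logic is moved unchanged from pkg/network/netid.go, so this is pre-existing behaviour; an empty join target is presumably caught later by the VNID lookup, but that is outside this file.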
@@ -240,12 +240,12 @@ func (vmap *masterVNIDMap) updateVNID(networkClient networkclient.Interface, ori // Informer cache should not be mutated, so get a copy of the object netns := origNetns.DeepCopy() - action, args, err := network.GetChangePodNetworkAnnotation(netns) - if err == network.ErrorPodNetworkAnnotationNotFound { + action, args, err := networkapi.GetChangePodNetworkAnnotation(netns) + if err == networkapi.ErrorPodNetworkAnnotationNotFound { // Nothing to update return nil } else if !vmap.allowRenumbering { - network.DeleteChangePodNetworkAnnotation(netns) + networkapi.DeleteChangePodNetworkAnnotation(netns) _, _ = networkClient.Network().NetNamespaces().Update(netns) return fmt.Errorf("network plugin does not allow NetNamespace renumbering") } @@ -258,7 +258,7 @@ func (vmap *masterVNIDMap) updateVNID(networkClient networkclient.Interface, ori return err } netns.NetID = netid - network.DeleteChangePodNetworkAnnotation(netns) + networkapi.DeleteChangePodNetworkAnnotation(netns) if _, err := networkClient.Network().NetNamespaces().Update(netns); err != nil { return err diff --git a/pkg/network/master/vnids_test.go b/pkg/network/master/vnids_test.go index 1698a155ac7d..1ffc5153272e 100644 --- a/pkg/network/master/vnids_test.go +++ b/pkg/network/master/vnids_test.go @@ -6,6 +6,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/openshift/origin/pkg/network" + networkapi "github.com/openshift/origin/pkg/network/apis/network" ) func TestMasterVNIDMap(t *testing.T) { 
@@ -34,27 +35,27 @@ func TestMasterVNIDMap(t *testing.T) { checkCurrentVNIDs(t, vmap, 4, 3) // update vnids - _, err = vmap.updateNetID("alpha", network.JoinPodNetwork, "bravo") + _, err = vmap.updateNetID("alpha", networkapi.JoinPodNetwork, "bravo") checkNoErr(t, err) - _, err = vmap.updateNetID("alpha", network.JoinPodNetwork, "bogus") + _, err = vmap.updateNetID("alpha", networkapi.JoinPodNetwork, "bogus") checkErr(t, err) - _, err = vmap.updateNetID("bogus", network.JoinPodNetwork, "alpha") + _, err = vmap.updateNetID("bogus", networkapi.JoinPodNetwork, "alpha") checkErr(t, err) checkCurrentVNIDs(t, vmap, 4, 2) - _, err = vmap.updateNetID("alpha", network.GlobalPodNetwork, "") + _, err = vmap.updateNetID("alpha", networkapi.GlobalPodNetwork, "") checkNoErr(t, err) - _, err = vmap.updateNetID("charlie", network.GlobalPodNetwork, "") + _, err = vmap.updateNetID("charlie", networkapi.GlobalPodNetwork, "") checkNoErr(t, err) - _, err = vmap.updateNetID("bogus", network.GlobalPodNetwork, "") + _, err = vmap.updateNetID("bogus", networkapi.GlobalPodNetwork, "") checkErr(t, err) checkCurrentVNIDs(t, vmap, 4, 1) - _, err = vmap.updateNetID("alpha", network.IsolatePodNetwork, "") + _, err = vmap.updateNetID("alpha", networkapi.IsolatePodNetwork, "") checkNoErr(t, err) - _, err = vmap.updateNetID("bravo", network.IsolatePodNetwork, "") + _, err = vmap.updateNetID("bravo", networkapi.IsolatePodNetwork, "") checkNoErr(t, err) - _, err = vmap.updateNetID("bogus", network.IsolatePodNetwork, "") + _, err = vmap.updateNetID("bogus", networkapi.IsolatePodNetwork, "") checkErr(t, err) checkCurrentVNIDs(t, vmap, 4, 2) diff --git a/pkg/network/netid.go b/pkg/network/netid.go index 0d19615bb14d..1cc159c8d9d6 100644 --- a/pkg/network/netid.go +++ b/pkg/network/netid.go 
@@ -1,14 +1,7 @@ package network // Accessor methods to annotate NetNamespace for multitenant support -import ( - "fmt" - "strings" - - networkapi "github.com/openshift/origin/pkg/network/apis/network" -) - -type PodNetworkAction string +import "fmt" const ( // Maximum VXLAN Virtual Network Identifier(VNID) as per RFC#7348 @@ -17,18 +10,6 @@ const ( MinVNID = uint32(10) // VNID: 0 reserved for default namespace and can reach any network in the cluster GlobalVNID = uint32(0) - - // ChangePodNetworkAnnotation is an annotation on NetNamespace to request change of pod network - ChangePodNetworkAnnotation string = "pod.network.openshift.io/multitenant.change-network" - - // Acceptable values for ChangePodNetworkAnnotation - GlobalPodNetwork PodNetworkAction = "global" - JoinPodNetwork PodNetworkAction = "join" - IsolatePodNetwork PodNetworkAction = "isolate" -) - -var ( - ErrorPodNetworkAnnotationNotFound = fmt.Errorf("ChangePodNetworkAnnotation not found") ) // Check if the given vnid is valid or not 
@@ -44,45 +25,3 @@ func ValidVNID(vnid uint32) error { } return nil } - -// GetChangePodNetworkAnnotation fetches network change intent from NetNamespace -func GetChangePodNetworkAnnotation(netns *networkapi.NetNamespace) (PodNetworkAction, string, error) { - value, ok := netns.Annotations[ChangePodNetworkAnnotation] - if !ok { - return PodNetworkAction(""), "", ErrorPodNetworkAnnotationNotFound - } - - args := strings.Split(value, ":") - switch PodNetworkAction(args[0]) { - case GlobalPodNetwork: - return GlobalPodNetwork, "", nil - case JoinPodNetwork: - if len(args) != 2 { - return PodNetworkAction(""), "", fmt.Errorf("invalid namespace for join pod network: %s", value) - } - namespace := args[1] - return JoinPodNetwork, namespace, nil - case IsolatePodNetwork: - return IsolatePodNetwork, "", nil - } - - return PodNetworkAction(""), "", fmt.Errorf("invalid ChangePodNetworkAnnotation: %s", value) -} - -// SetChangePodNetworkAnnotation sets network change intent on NetNamespace -func SetChangePodNetworkAnnotation(netns *networkapi.NetNamespace, action PodNetworkAction, params string) { - if netns.Annotations == nil { - netns.Annotations = make(map[string]string) - } - - value := string(action) - if len(params) != 0 { - value = fmt.Sprintf("%s:%s", value, params) - } - netns.Annotations[ChangePodNetworkAnnotation] = value -} - -// DeleteChangePodNetworkAnnotation removes network change intent from NetNamespace -func DeleteChangePodNetworkAnnotation(netns *networkapi.NetNamespace) { - delete(netns.Annotations, ChangePodNetworkAnnotation) -} diff --git a/pkg/network/node/node.go b/pkg/network/node/node.go index 34cda5f3f157..fb7aac89828b 100644 --- a/pkg/network/node/node.go +++ b/pkg/network/node/node.go 
@@ -126,7 +126,7 @@ type OsdnNode struct { } // Called by higher layers to create the plugin SDN node instance -func New(c *OsdnNodeConfig) (network.NodeInterface, error) { +func New(c *OsdnNodeConfig) (*OsdnNode, error) { var policy osdnPolicy var pluginId int var minOvsVersion string diff --git a/pkg/network/plugin.go b/pkg/network/plugin.go index 1a40d44959a6..559d6de6eadc 100644 --- a/pkg/network/plugin.go +++ b/pkg/network/plugin.go @@ -3,8 +3,6 @@ package network import ( "strings" "time" - - proxyconfig "k8s.io/kubernetes/pkg/proxy/config" ) const ( @@ -29,13 +27,3 @@ func IsOpenShiftMultitenantNetworkPlugin(pluginName string) bool { } return false } - -type NodeInterface interface { - Start() error -} - -type ProxyInterface interface { - proxyconfig.EndpointsHandler - - Start(proxyconfig.EndpointsHandler) error -} diff --git a/pkg/network/proxy/proxy.go b/pkg/network/proxy/proxy.go index caad860105b0..2e90f53e25c4 100644 --- a/pkg/network/proxy/proxy.go +++ b/pkg/network/proxy/proxy.go @@ -66,7 +66,7 @@ type OsdnProxy struct { // Called by higher layers to create the proxy plugin instance; only used by nodes func New(pluginName string, networkClient networkclient.Interface, kClient kclientset.Interface, - networkInformers networkinformers.SharedInformerFactory) (network.ProxyInterface, error) { + networkInformers networkinformers.SharedInformerFactory) (*OsdnProxy, error) { return &OsdnProxy{ kClient: kClient, networkClient: networkClient, diff --git a/pkg/oc/admin/diagnostics/diagnostics/cluster/network/setup.go b/pkg/oc/admin/diagnostics/diagnostics/cluster/network/setup.go index 83ecf03f5e02..8b0d2e64fb99 100644 --- a/pkg/oc/admin/diagnostics/diagnostics/cluster/network/setup.go +++ b/pkg/oc/admin/diagnostics/diagnostics/cluster/network/setup.go 
@@ -250,7 +250,7 @@ func (d *NetworkDiagnostic) makeNamespaceGlobal(nsName string) error { return err } - network.SetChangePodNetworkAnnotation(netns, network.GlobalPodNetwork, "") + networkapi.SetChangePodNetworkAnnotation(netns, networkapi.GlobalPodNetwork, "") if _, err = d.NetNamespacesClient.NetNamespaces().Update(netns); err != nil { return err @@ -262,7 +262,7 @@ func (d *NetworkDiagnostic) makeNamespaceGlobal(nsName string) error { return false, err } - if _, _, err = network.GetChangePodNetworkAnnotation(updatedNetNs); err == network.ErrorPodNetworkAnnotationNotFound { + if _, _, err = networkapi.GetChangePodNetworkAnnotation(updatedNetNs); err == networkapi.ErrorPodNetworkAnnotationNotFound { return true, nil } // Pod network change not applied yet diff --git a/pkg/oc/admin/network/isolate_projects.go b/pkg/oc/admin/network/isolate_projects.go index e9926920da3c..1b4753317b32 100644 --- a/pkg/oc/admin/network/isolate_projects.go +++ b/pkg/oc/admin/network/isolate_projects.go @@ -12,6 +12,7 @@ import ( kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" "github.com/openshift/origin/pkg/network" + networkapi "github.com/openshift/origin/pkg/network/apis/network" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" ) @@ -77,7 +78,7 @@ func (i *IsolateOptions) Run() error { errList = append(errList, fmt.Errorf("network isolation for project %q is forbidden", project.Name)) continue } - if err = i.Options.UpdatePodNetwork(project.Name, network.IsolatePodNetwork, ""); err != nil { + if err = i.Options.UpdatePodNetwork(project.Name, networkapi.IsolatePodNetwork, ""); err != nil { errList = append(errList, fmt.Errorf("network isolation for project %q failed, error: %v", project.Name, err)) } } diff --git a/pkg/oc/admin/network/join_projects.go b/pkg/oc/admin/network/join_projects.go index ec56bac0ac10..12cfaf4b5dbf 100644 --- a/pkg/oc/admin/network/join_projects.go +++ b/pkg/oc/admin/network/join_projects.go 
@@ -11,9 +11,9 @@ import ( "k8s.io/kubernetes/pkg/kubectl/cmd/templates" kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" - "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" - "github.com/openshift/origin/pkg/network" + networkapi "github.com/openshift/origin/pkg/network/apis/network" + "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" ) const JoinProjectsNetworkCommandName = "join-projects" @@ -91,7 +91,7 @@ func (j *JoinOptions) Run() error { errList := []error{} for _, project := range projects { if project.Name != j.joinProjectName { - if err = j.Options.UpdatePodNetwork(project.Name, network.JoinPodNetwork, j.joinProjectName); err != nil { + if err = j.Options.UpdatePodNetwork(project.Name, networkapi.JoinPodNetwork, j.joinProjectName); err != nil { errList = append(errList, fmt.Errorf("project %q failed to join %q, error: %v", project.Name, j.joinProjectName, err)) } } diff --git a/pkg/oc/admin/network/make_projects_global.go b/pkg/oc/admin/network/make_projects_global.go index ea2a46134b8f..43f01bc76799 100644 --- a/pkg/oc/admin/network/make_projects_global.go +++ b/pkg/oc/admin/network/make_projects_global.go @@ -10,9 +10,9 @@ import ( "k8s.io/kubernetes/pkg/kubectl/cmd/templates" kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" - "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" - "github.com/openshift/origin/pkg/network" + networkapi "github.com/openshift/origin/pkg/network/apis/network" + "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" ) const MakeGlobalProjectsNetworkCommandName = "make-projects-global" 
@@ -73,7 +73,7 @@ func (m *MakeGlobalOptions) Run() error { errList := []error{} for _, project := range projects { - if err = m.Options.UpdatePodNetwork(project.Name, network.GlobalPodNetwork, ""); err != nil { + if err = m.Options.UpdatePodNetwork(project.Name, networkapi.GlobalPodNetwork, ""); err != nil { errList = append(errList, fmt.Errorf("removing network isolation for project %q failed, error: %v", project.Name, err)) } } diff --git a/pkg/oc/admin/network/project_options.go b/pkg/oc/admin/network/project_options.go index 35c2412282b7..b6de641556df 100644 --- a/pkg/oc/admin/network/project_options.go +++ b/pkg/oc/admin/network/project_options.go @@ -159,7 +159,7 @@ func (p *ProjectOptions) GetProjects() ([]*projectapi.Project, error) { return projectList, nil } -func (p *ProjectOptions) UpdatePodNetwork(nsName string, action network.PodNetworkAction, args string) error { +func (p *ProjectOptions) UpdatePodNetwork(nsName string, action networkapi.PodNetworkAction, args string) error { // Get corresponding NetNamespace for given namespace netns, err := p.Oclient.Network().NetNamespaces().Get(nsName, metav1.GetOptions{}) if err != nil { @@ -167,7 +167,7 @@ func (p *ProjectOptions) UpdatePodNetwork(nsName string, action network.PodNetwo } // Apply pod network change intent - network.SetChangePodNetworkAnnotation(netns, action, args) + networkapi.SetChangePodNetworkAnnotation(netns, action, args) // Update NetNamespace object _, err = p.Oclient.Network().NetNamespaces().Update(netns) @@ -187,7 +187,7 @@ func (p *ProjectOptions) UpdatePodNetwork(nsName string, action network.PodNetwo return false, err } - if _, _, err = network.GetChangePodNetworkAnnotation(updatedNetNs); err == network.ErrorPodNetworkAnnotationNotFound { + if _, _, err = networkapi.GetChangePodNetworkAnnotation(updatedNetNs); err == networkapi.ErrorPodNetworkAnnotationNotFound { return true, nil } // Pod network change not applied yet 
diff --git a/test/integration/sdn_test.go b/test/integration/sdn_test.go index 23e5b87ab55d..3cf820061b23 100644 --- a/test/integration/sdn_test.go +++ b/test/integration/sdn_test.go @@ -39,8 +39,8 @@ func createProject(clientConfig *restclient.Config, name string) (*networkapi.Ne return netns, nil } -func updateNetNamespace(osClient networkclient.NetworkInterface, netns *networkapi.NetNamespace, action network.PodNetworkAction, args string) (*networkapi.NetNamespace, error) { - network.SetChangePodNetworkAnnotation(netns, action, args) +func updateNetNamespace(osClient networkclient.NetworkInterface, netns *networkapi.NetNamespace, action networkapi.PodNetworkAction, args string) (*networkapi.NetNamespace, error) { + networkapi.SetChangePodNetworkAnnotation(netns, action, args) _, err := osClient.NetNamespaces().Update(netns) if err != nil { return nil, err @@ -53,7 +53,7 @@ func updateNetNamespace(osClient networkclient.NetworkInterface, netns *networka return false, err } - if _, _, err := network.GetChangePodNetworkAnnotation(netns); err == network.ErrorPodNetworkAnnotationNotFound { + if _, _, err := networkapi.GetChangePodNetworkAnnotation(netns); err == networkapi.ErrorPodNetworkAnnotationNotFound { return true, nil } else { return false, nil @@ -102,7 +102,7 @@ func TestOadmPodNetwork(t *testing.T) { t.Fatalf("expected unique NetIDs, got %d, %d, %d", origNetns1.NetID, origNetns2.NetID, origNetns3.NetID) } - newNetns2, err := updateNetNamespace(clusterAdminNetworkClient, origNetns2, network.JoinPodNetwork, "one") + newNetns2, err := updateNetNamespace(clusterAdminNetworkClient, origNetns2, networkapi.JoinPodNetwork, "one") if err != nil { t.Fatalf("error updating namespace: %v", err) } 
@@ -117,7 +117,7 @@ func TestOadmPodNetwork(t *testing.T) { t.Fatalf("expected netns1 (%d) to be unchanged (%d)", newNetns1.NetID, origNetns1.NetID) } - newNetns1, err = updateNetNamespace(clusterAdminNetworkClient, origNetns1, network.GlobalPodNetwork, "") + newNetns1, err = updateNetNamespace(clusterAdminNetworkClient, origNetns1, networkapi.GlobalPodNetwork, "") if err != nil { t.Fatalf("error updating namespace: %v", err) } @@ -132,7 +132,7 @@ func TestOadmPodNetwork(t *testing.T) { t.Fatalf("expected netns2 (%d) to be unchanged (%d)", newNetns2.NetID, origNetns1.NetID) } - newNetns1, err = updateNetNamespace(clusterAdminNetworkClient, newNetns1, network.IsolatePodNetwork, "") + newNetns1, err = updateNetNamespace(clusterAdminNetworkClient, newNetns1, networkapi.IsolatePodNetwork, "") if err != nil { t.Fatalf("error updating namespace: %v", err) } From 709bc6c046b85bdbf3f6a8057e55d2283703e35a Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Wed, 25 Apr 2018 20:47:50 -0400 Subject: [PATCH 13/26] Simplify some node defaulting and remove call to master We use local node DNS everywhere and no longer need to default to the cluster DNS --- pkg/cmd/server/kubernetes/node/options/options.go | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/pkg/cmd/server/kubernetes/node/options/options.go b/pkg/cmd/server/kubernetes/node/options/options.go index e69bb5afaa0e..2c8f85978e06 100644 --- a/pkg/cmd/server/kubernetes/node/options/options.go +++ b/pkg/cmd/server/kubernetes/node/options/options.go 
@@ -5,21 +5,16 @@ import ( "net" "sort" "strings" - "time" "github.com/openshift/origin/pkg/cmd/server/crypto" - kapiv1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" utilfeature "k8s.io/apiserver/pkg/util/feature" - kclientsetexternal "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/pkg/features" - kubeletcni "k8s.io/kubernetes/pkg/kubelet/network/cni" - kubelettypes "k8s.io/kubernetes/pkg/kubelet/types" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" cmdutil "github.com/openshift/origin/pkg/cmd/util" "github.com/openshift/origin/pkg/cmd/util/variable" + "github.com/openshift/origin/pkg/network" ) // ComputeKubeletFlags returns the flags to use when starting the kubelet. @@ -62,9 +57,9 @@ func ComputeKubeletFlags(startingArgs map[string][]string, options configapi.Nod setIfUnset(args, "fail-swap-on", "false") setIfUnset(args, "cluster-dns", options.DNSIP) setIfUnset(args, "cluster-domain", options.DNSDomain) - setIfUnset(args, "host-network-sources", kubelettypes.ApiserverSource, kubelettypes.FileSource) - setIfUnset(args, "host-pid-sources", kubelettypes.ApiserverSource, kubelettypes.FileSource) - setIfUnset(args, "host-ipc-sources", kubelettypes.ApiserverSource, kubelettypes.FileSource) + setIfUnset(args, "host-network-sources", "api", "file") + setIfUnset(args, "host-pid-sources", "api", "file") + setIfUnset(args, "host-ipc-sources", "api", "file") setIfUnset(args, "http-check-frequency", "0s") // no remote HTTP pod creation access setIfUnset(args, "file-check-frequency", fmt.Sprintf("%ds", fileCheckInterval)) setIfUnset(args, "pod-infra-container-image", imageTemplate.ExpandOrDie("pod")) 
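Review bot: The bare literals `"api"` and `"file"` passed for `host-network-sources`, `host-pid-sources` and `host-ipc-sources` (and `"cni"` in the following hunk at -91,7 +86,7) replace the kubelet's own constants, so a typo or an upstream rename is no longer caught at compile time. These three flags decide which pod sources may request host network, PID and IPC namespaces, so the values deserve a visible anchor. Either declare local constants for them or add a comment above the three calls such as `// "api" and "file" mirror kubelettypes.ApiserverSource / kubelettypes.FileSource; keep in sync with the vendored kubelet`. ComputeKubeletFlags starts and ends outside this hunk.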
@@ -91,7 +86,7 @@ func ComputeKubeletFlags(startingArgs map[string][]string, options configapi.Nod if network.IsOpenShiftNetworkPlugin(options.NetworkConfig.NetworkPluginName) { // SDN plugin pod setup/teardown is implemented as a CNI plugin - setIfUnset(args, "network-plugin", kubeletcni.CNIPluginName) + setIfUnset(args, "network-plugin", "cni") } else { setIfUnset(args, "network-plugin", options.NetworkConfig.NetworkPluginName) } From 6bdd01c9b7a488317539ed82c905a06125d5bf7e Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Wed, 25 Apr 2018 20:50:52 -0400 Subject: [PATCH 14/26] Build a shim binary that converts node-config.yaml to kubelet args Will remove the need to have the kubelet start from openshift master --- .../openshift-node-config.go | 64 +++++++++++++++++++ hack/lib/constants.sh | 1 + pkg/cmd/server/origin/node/node.go | 43 +++++++++++++ pkg/cmd/server/start/start_node.go | 37 +---------- 4 files changed, 110 insertions(+), 35 deletions(-) create mode 100644 cmd/openshift-node-config/openshift-node-config.go create mode 100644 pkg/cmd/server/origin/node/node.go diff --git a/cmd/openshift-node-config/openshift-node-config.go b/cmd/openshift-node-config/openshift-node-config.go new file mode 100644 index 000000000000..abbf6a7a3171 --- /dev/null +++ b/cmd/openshift-node-config/openshift-node-config.go 
@@ -0,0 +1,64 @@ +package main + +import ( + "fmt" + "math/rand" + "os" + "time" + + "github.com/MakeNowJust/heredoc" + "github.com/ghodss/yaml" + "github.com/golang/glog" + "github.com/spf13/cobra" + + "k8s.io/apiserver/pkg/util/logs" + + "github.com/openshift/origin/pkg/cmd/flagtypes" + configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" + configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" + configapiv1 "github.com/openshift/origin/pkg/cmd/server/apis/config/v1" + "github.com/openshift/origin/pkg/cmd/server/origin/node" +) + +func main() { + logs.InitLogs() + defer logs.FlushLogs() + + rand.Seed(time.Now().UTC().UnixNano()) + + var configFile string + + cmd := &cobra.Command{ + Use: "openshift-node-config", + Long: heredoc.Doc(` + Generate Kubelet configuration from node-config.yaml + + This command converts an existing OpenShift node configuration into the appropriate + Kubelet command-line flags. + `), + RunE: func(cmd *cobra.Command, args []string) error { + configapi.AddToScheme(configapi.Scheme) + configapiv1.AddToScheme(configapi.Scheme) + + if len(configFile) == 0 { + return fmt.Errorf("you must specify a --config file to read") + } + nodeConfig, err := configapilatest.ReadAndResolveNodeConfig(configFile) + if err != nil { + return fmt.Errorf("unable to read node config: %v", err) + } + if glog.V(2) { + out, _ := yaml.Marshal(nodeConfig) + glog.V(2).Infof("Node config:\n%s", out) + } + return node.WriteKubeletFlags(*nodeConfig) + }, + SilenceUsage: true, + } + cmd.Flags().StringVar(&configFile, "config", "", "The config file to convert to Kubelet arguments.") + flagtypes.GLog(cmd.PersistentFlags()) + + if err := cmd.Execute(); err != nil { + os.Exit(1) + } +} diff --git a/hack/lib/constants.sh b/hack/lib/constants.sh index 1912b18eed54..d2bbfbcd4083 100755 --- a/hack/lib/constants.sh +++ b/hack/lib/constants.sh 
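Review bot: In cmd/openshift-node-config/openshift-node-config.go, the failure path `if err := cmd.Execute(); err != nil { os.Exit(1) }` never runs the `defer logs.FlushLogs()` registered at the top of `main`, because `os.Exit` does not run deferred calls. Buffered glog output from a failed conversion can therefore be lost, which is exactly when it is needed. Call `logs.FlushLogs()` immediately before `os.Exit(1)`. Separately, `out, _ := yaml.Marshal(nodeConfig)` discards the marshal error inside the V(2) block; logging that error instead of printing an empty config would make the debug output trustworthy.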
@@ -46,6 +46,7 @@ readonly OS_CROSS_COMPILE_TARGETS=( cmd/oc cmd/oadm cmd/template-service-broker + cmd/openshift-node-config vendor/k8s.io/kubernetes/cmd/hyperkube ) readonly OS_CROSS_COMPILE_BINARIES=("${OS_CROSS_COMPILE_TARGETS[@]##*/}") diff --git a/pkg/cmd/server/origin/node/node.go b/pkg/cmd/server/origin/node/node.go new file mode 100644 index 000000000000..6e110365181f --- /dev/null +++ b/pkg/cmd/server/origin/node/node.go @@ -0,0 +1,43 @@ +package node + +import ( + "fmt" + "regexp" + "strconv" + "strings" + + configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" + nodeoptions "github.com/openshift/origin/pkg/cmd/server/kubernetes/node/options" +) + +// safeArgRegexp matches only characters that are known safe. DO NOT add to this list +// without fully considering whether that new character can be used to break shell escaping +// rules. +var safeArgRegexp = regexp.MustCompile(`^[\da-zA-Z\-=_\.,/\:]+$`) + +// shellEscapeArg quotes an argument if it contains characters that my cause a shell +// interpreter to split the single argument into multiple. +func shellEscapeArg(s string) string { + if safeArgRegexp.MatchString(s) { + return s + } + return strconv.Quote(s) +} + +// WriteKubeletFlags writes the correct set of flags to start a Kubelet from the provided node config to +// stdout, instead of launching anything. +func WriteKubeletFlags(nodeConfig configapi.NodeConfig) error { + kubeletArgs, err := nodeoptions.ComputeKubeletFlags(nodeConfig.KubeletArguments, nodeConfig) + if err != nil { + return fmt.Errorf("cannot create kubelet args: %v", err) + } + if err := nodeoptions.CheckFlags(kubeletArgs); err != nil { + return err + } + var outputArgs []string + for _, s := range kubeletArgs { + outputArgs = append(outputArgs, shellEscapeArg(s)) + } + fmt.Println(strings.Join(outputArgs, " ")) + return nil +} diff --git a/pkg/cmd/server/start/start_node.go b/pkg/cmd/server/start/start_node.go index f56a46c1aa6e..d9d1a9af769f 100644 
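Review bot: In pkg/cmd/server/origin/node/node.go, `shellEscapeArg` falls back to `strconv.Quote`, which emits a Go double-quoted literal rather than a shell-quoted word. Inside double quotes a POSIX shell still expands `$` and backquotes, and Go escapes such as `\u00e9` are not shell escapes, so a kubelet argument containing those characters is not passed through literally if the printed line is evaluated by a shell, which the function's own comment suggests is the intended consumer. Single-quoting is the conservative form: `return "'" + strings.Replace(s, "'", "'\\''", -1) + "'"`. The code is moved unchanged from start_node.go, so this is a pre-existing weakness now exposed through a standalone binary; the comment typo "my cause" should read "may cause".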
--- a/pkg/cmd/server/start/start_node.go +++ b/pkg/cmd/server/start/start_node.go @@ -7,8 +7,6 @@ import ( "os" "os/exec" "path/filepath" - "regexp" - "strconv" "strings" "syscall" @@ -35,6 +33,7 @@ import ( networkoptions "github.com/openshift/origin/pkg/cmd/server/kubernetes/network/options" "github.com/openshift/origin/pkg/cmd/server/kubernetes/node" nodeoptions "github.com/openshift/origin/pkg/cmd/server/kubernetes/node/options" + originnode "github.com/openshift/origin/pkg/cmd/server/origin/node" cmdutil "github.com/openshift/origin/pkg/cmd/util" utilflags "github.com/openshift/origin/pkg/cmd/util/flags" "github.com/openshift/origin/pkg/version" @@ -281,7 +280,7 @@ func (o NodeOptions) RunNode() error { } if o.NodeArgs.WriteFlagsOnly { - return WriteKubeletFlags(*nodeConfig) + return originnode.WriteKubeletFlags(*nodeConfig) } return StartNode(*nodeConfig, o.NodeArgs.Components) 
@@ -427,38 +426,6 @@ func execKubelet(kubeletArgs []string) error { return syscall.Exec(kubeletPath, args, os.Environ()) } -// safeArgRegexp matches only characters that are known safe. DO NOT add to this list -// without fully considering whether that new character can be used to break shell escaping -// rules. -var safeArgRegexp = regexp.MustCompile(`^[\da-zA-Z\-=_\.,/\:]+$`) - -// shellEscapeArg quotes an argument if it contains characters that my cause a shell -// interpreter to split the single argument into multiple. -func shellEscapeArg(s string) string { - if safeArgRegexp.MatchString(s) { - return s - } - return strconv.Quote(s) -} - -// WriteKubeletFlags writes the correct set of flags to start a Kubelet from the provided node config to -// stdout, instead of launching anything. -func WriteKubeletFlags(nodeConfig configapi.NodeConfig) error { - kubeletArgs, err := nodeoptions.ComputeKubeletFlags(nodeConfig.KubeletArguments, nodeConfig) - if err != nil { - return fmt.Errorf("cannot create kubelet args: %v", err) - } - if err := nodeoptions.CheckFlags(kubeletArgs); err != nil { - return err - } - var outputArgs []string - for _, s := range kubeletArgs { - outputArgs = append(outputArgs, shellEscapeArg(s)) - } - fmt.Println(strings.Join(outputArgs, " ")) - return nil -} - // StartNode launches the node processes. func StartNode(nodeConfig configapi.NodeConfig, components *utilflags.ComponentFlag) error { kubeletArgs, err := nodeoptions.ComputeKubeletFlags(nodeConfig.KubeletArguments, nodeConfig) From 94e032a6b5bbd12cedf4543c3cb82c58923c2143 Mon Sep 17 00:00:00 2001 
From: Clayton Coleman Date: Wed, 25 Apr 2018 22:17:18 -0400 Subject: [PATCH 15/26] Use the openshift/origin-cli|node images where appropriate --- examples/service-catalog/service-catalog.yaml | 2 +- install/etcd/etcd.yaml | 2 +- install/kube-apiserver/apiserver.yaml | 2 +- .../kube-controller-manager.yaml | 2 +- install/kube-dns/install.yaml | 6 +- install/kube-proxy/install.yaml | 6 +- install/kube-scheduler/kube-scheduler.yaml | 2 +- install/openshift-apiserver/install.yaml | 4 +- .../openshift-controller-manager/install.yaml | 4 +- .../install.yaml | 4 +- pkg/oc/bootstrap/bindata.go | 34 ++--- pkg/oc/bootstrap/clusteradd/cmd.go | 6 +- .../componentinstall/apply_template.go | 14 +- .../template_service_broker.go | 2 +- pkg/oc/bootstrap/clusterup/kubelet/config.go | 4 +- pkg/oc/bootstrap/clusterup/kubelet/flags.go | 2 +- pkg/oc/bootstrap/docker/run_self_hosted.go | 141 ++++++++++++------ pkg/oc/bootstrap/docker/up.go | 27 +++- test/extended/testdata/bindata.go | 32 ++-- 19 files changed, 187 insertions(+), 109 deletions(-) diff --git a/examples/service-catalog/service-catalog.yaml b/examples/service-catalog/service-catalog.yaml index bc5836bef407..57649344b26a 100644 --- a/examples/service-catalog/service-catalog.yaml +++ b/examples/service-catalog/service-catalog.yaml @@ -70,7 +70,7 @@ objects: - env: - name: ETCD_DATA_DIR value: /data-dir - image: quay.io/coreos/etcd + image: quay.io/coreos/etcd:v3.3 imagePullPolicy: IfNotPresent name: etcd resources: {} diff --git a/install/etcd/etcd.yaml b/install/etcd/etcd.yaml index b6f0e0b18bef..0e7c8ce915ad 100644 --- a/install/etcd/etcd.yaml +++ b/install/etcd/etcd.yaml @@ -11,7 +11,7 @@ spec: hostNetwork: true containers: - name: etcd - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY workingDir: /var/lib/etcd command: ["/bin/bash", "-c"] diff --git a/install/kube-apiserver/apiserver.yaml b/install/kube-apiserver/apiserver.yaml index b0dbc2542d82..6bb0109e0aa4 100644 
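Review bot: In examples/service-catalog/service-catalog.yaml, `image: quay.io/coreos/etcd:v3.3` is still a mutable reference: the tag can be repointed upstream, and with `imagePullPolicy: IfNotPresent` each node keeps whatever it first pulled under that name. If the example is meant to be reproducible, pin by digest, e.g. `image: quay.io/coreos/etcd@sha256:<digest-of-the-tested-v3.3-image>` (placeholder, to be filled from the image actually tested). The same line is embedded in the generated pkg/oc/bootstrap/bindata.go and would need regenerating.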
--- a/install/kube-apiserver/apiserver.yaml +++ b/install/kube-apiserver/apiserver.yaml @@ -11,7 +11,7 @@ spec: hostNetwork: true containers: - name: api - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY command: ["/bin/bash", "-c"] args: diff --git a/install/kube-controller-manager/kube-controller-manager.yaml b/install/kube-controller-manager/kube-controller-manager.yaml index a316e6583ce4..5bd1f769191f 100644 --- a/install/kube-controller-manager/kube-controller-manager.yaml +++ b/install/kube-controller-manager/kube-controller-manager.yaml @@ -11,7 +11,7 @@ spec: hostNetwork: true containers: - name: controllers - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY command: ["hyperkube", "kube-controller-manager"] args: diff --git a/install/kube-dns/install.yaml b/install/kube-dns/install.yaml index f4be63b80db7..fc70f828119e 100644 --- a/install/kube-dns/install.yaml +++ b/install/kube-dns/install.yaml @@ -5,7 +5,7 @@ metadata: parameters: - name: NAMESPACE value: kube-dns -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always @@ -43,9 +43,9 @@ objects: serviceAccountName: kube-dns containers: - name: kube-proxy - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} - command: ["openshift", "start", "node"] + command: ["openshift", "start", "network"] args: - "--enable=dns" - "--config=/etc/origin/node/node-config.yaml" diff --git a/install/kube-proxy/install.yaml b/install/kube-proxy/install.yaml index 1cd435a0ee5e..a74c01c70bd3 100644 --- a/install/kube-proxy/install.yaml +++ b/install/kube-proxy/install.yaml @@ -3,7 +3,7 @@ kind: Template metadata: name: kube-proxy parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane - name: OPENSHIFT_PULL_POLICY value: Always 
@@ -55,9 +55,9 @@ objects: hostNetwork: true containers: - name: kube-proxy - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} - command: ["openshift", "start", "node"] + command: ["openshift", "start", "network"] args: - "--enable=proxy" - "--listen=https://0.0.0.0:8444" diff --git a/install/kube-scheduler/kube-scheduler.yaml b/install/kube-scheduler/kube-scheduler.yaml index 87471e5684d3..aa05ab8a3834 100644 --- a/install/kube-scheduler/kube-scheduler.yaml +++ b/install/kube-scheduler/kube-scheduler.yaml @@ -11,7 +11,7 @@ spec: hostNetwork: true containers: - name: scheduler - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY command: ["hyperkube", "kube-scheduler"] args: diff --git a/install/openshift-apiserver/install.yaml b/install/openshift-apiserver/install.yaml index b975dcff6471..144a18664397 100644 --- a/install/openshift-apiserver/install.yaml +++ b/install/openshift-apiserver/install.yaml @@ -3,7 +3,7 @@ kind: Template metadata: name: openshift-apiserver parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always @@ -41,7 +41,7 @@ objects: hostNetwork: true containers: - name: apiserver - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} env: - name: ADDITIONAL_ALLOWED_REGISTRIES diff --git a/install/openshift-controller-manager/install.yaml b/install/openshift-controller-manager/install.yaml index e51dd9b0e0c0..fd8ca0493d10 100644 --- a/install/openshift-controller-manager/install.yaml +++ b/install/openshift-controller-manager/install.yaml @@ -3,7 +3,7 @@ kind: Template metadata: name: openshift-controller-manager parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always 
@@ -42,7 +42,7 @@ objects: hostNetwork: true containers: - name: c - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} command: ["hypershift", "openshift-controller-manager"] args: diff --git a/install/openshift-web-console-operator/install.yaml b/install/openshift-web-console-operator/install.yaml index 70e0cf8efeae..7345f8d12a2d 100644 --- a/install/openshift-web-console-operator/install.yaml +++ b/install/openshift-web-console-operator/install.yaml @@ -1,7 +1,7 @@ apiVersion: template.openshift.io/v1 kind: Template parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always @@ -52,7 +52,7 @@ objects: serviceAccountName: openshift-web-console-operator containers: - name: operator - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} command: ["hypershift", "experimental", "openshift-webconsole-operator"] args: diff --git a/pkg/oc/bootstrap/bindata.go b/pkg/oc/bootstrap/bindata.go index a9e5bb1ad34a..285217732d77 100644 --- a/pkg/oc/bootstrap/bindata.go +++ b/pkg/oc/bootstrap/bindata.go @@ -16086,7 +16086,7 @@ objects: - env: - name: ETCD_DATA_DIR value: /data-dir - image: quay.io/coreos/etcd + image: quay.io/coreos/etcd:v3.3 imagePullPolicy: IfNotPresent name: etcd resources: {} @@ -16272,7 +16272,7 @@ spec: hostNetwork: true containers: - name: etcd - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY workingDir: /var/lib/etcd command: ["/bin/bash", "-c"] @@ -16325,7 +16325,7 @@ spec: hostNetwork: true containers: - name: api - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY command: ["/bin/bash", "-c"] args: @@ -16391,7 +16391,7 @@ spec: hostNetwork: true containers: - name: controllers - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY command: ["hyperkube", "kube-controller-manager"] args: 
@@ -16456,7 +16456,7 @@ metadata: parameters: - name: NAMESPACE value: kube-dns -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always @@ -16494,9 +16494,9 @@ objects: serviceAccountName: kube-dns containers: - name: kube-proxy - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} - command: ["openshift", "start", "node"] + command: ["openshift", "start", "network"] args: - "--enable=dns" - "--config=/etc/origin/node/node-config.yaml" @@ -16556,7 +16556,7 @@ kind: Template metadata: name: kube-proxy parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane - name: OPENSHIFT_PULL_POLICY value: Always @@ -16608,9 +16608,9 @@ objects: hostNetwork: true containers: - name: kube-proxy - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} - command: ["openshift", "start", "node"] + command: ["openshift", "start", "network"] args: - "--enable=proxy" - "--listen=https://0.0.0.0:8444" @@ -16656,7 +16656,7 @@ spec: hostNetwork: true containers: - name: scheduler - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY command: ["hyperkube", "kube-scheduler"] args: @@ -16705,7 +16705,7 @@ kind: Template metadata: name: openshift-apiserver parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always @@ -16743,7 +16743,7 @@ objects: hostNetwork: true containers: - name: apiserver - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} env: - name: ADDITIONAL_ALLOWED_REGISTRIES @@ -17124,7 +17124,7 @@ kind: Template metadata: name: openshift-controller-manager parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always 
@@ -17163,7 +17163,7 @@ objects: hostNetwork: true containers: - name: c - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} command: ["hypershift", "openshift-controller-manager"] args: @@ -17257,7 +17257,7 @@ func installOpenshiftWebConsoleOperatorInstallRbacYaml() (*asset, error) { var _installOpenshiftWebConsoleOperatorInstallYaml = []byte(`apiVersion: template.openshift.io/v1 kind: Template parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always @@ -17308,7 +17308,7 @@ objects: serviceAccountName: openshift-web-console-operator containers: - name: operator - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} command: ["hypershift", "experimental", "openshift-webconsole-operator"] args: diff --git a/pkg/oc/bootstrap/clusteradd/cmd.go b/pkg/oc/bootstrap/clusteradd/cmd.go index 58ccbd35e8b1..43274cc959d3 100644 --- a/pkg/oc/bootstrap/clusteradd/cmd.go +++ b/pkg/oc/bootstrap/clusteradd/cmd.go @@ -116,7 +116,7 @@ func NewCmdAdd(name, fullName string, out, errout io.Writer) *cobra.Command { // Start runs the start tasks ensuring that they are executed in sequence func (c *ClusterAddConfig) Run() error { componentsToInstall := []componentinstall.Component{} - installContext, err := componentinstall.NewComponentInstallContext(c.openshiftImage(), c.imageFormat(), c.BaseDir, + installContext, err := componentinstall.NewComponentInstallContext(c.cliImage(), c.imageFormat(), c.BaseDir, c.ServerLogLevel) if err != nil { return err @@ -214,6 +214,10 @@ func (c *ClusterAddConfig) openshiftImage() string { return c.ImageTemplate.ExpandOrDie("control-plane") } +func (c *ClusterAddConfig) cliImage() string { + return c.ImageTemplate.ExpandOrDie("cli") +} + func (c *ClusterAddConfig) GetLogDir() string { return path.Join(c.BaseDir, "logs") } 
diff --git a/pkg/oc/bootstrap/clusteradd/componentinstall/apply_template.go b/pkg/oc/bootstrap/clusteradd/componentinstall/apply_template.go index 7ee650672ea8..9b5a8870a9a9 100644 --- a/pkg/oc/bootstrap/clusteradd/componentinstall/apply_template.go +++ b/pkg/oc/bootstrap/clusteradd/componentinstall/apply_template.go @@ -28,10 +28,10 @@ type Template struct { WaitCondition func() (bool, error) } -func (t Template) MakeReady(image, baseDir string, params map[string]string) Component { +func (t Template) MakeReady(cliImage, baseDir string, params map[string]string) Component { return installReadyTemplate{ template: t, - image: image, + image: cliImage, baseDir: baseDir, params: params, } @@ -152,13 +152,3 @@ func toPrivilegedSAFile(namespace string, privilegedSANames []string) []byte { } return []byte(output) } - -func InstallTemplates(templates []Template, image, baseDir string, params map[string]string, dockerClient dockerhelper.Interface, - logdir string) error { - components := []Component{} - for _, template := range templates { - components = append(components, template.MakeReady(image, baseDir, params)) - } - - return InstallComponents(components, dockerClient, logdir) -} diff --git a/pkg/oc/bootstrap/clusteradd/components/template-service-broker/template_service_broker.go b/pkg/oc/bootstrap/clusteradd/components/template-service-broker/template_service_broker.go index 6ae40a128480..9875f3825791 100644 --- a/pkg/oc/bootstrap/clusteradd/components/template-service-broker/template_service_broker.go +++ b/pkg/oc/bootstrap/clusteradd/components/template-service-broker/template_service_broker.go @@ -81,7 +81,7 @@ func (c *TemplateServiceBrokerComponentOptions) Install(dockerClient dockerhelpe // the service catalog may not be here, but as a best effort try to register register_template_service_broker.RegisterTemplateServiceBroker( dockerClient, - c.InstallContext.ClientImage(), + c.InstallContext.ImageFormat(), c.InstallContext.BaseDir(), masterConfigDir, logdir, 
diff --git a/pkg/oc/bootstrap/clusterup/kubelet/config.go b/pkg/oc/bootstrap/clusterup/kubelet/config.go index 51e2aed69000..e270c600879b 100644 --- a/pkg/oc/bootstrap/clusterup/kubelet/config.go +++ b/pkg/oc/bootstrap/clusterup/kubelet/config.go @@ -22,6 +22,8 @@ const ( type NodeStartConfig struct { // ContainerBinds is a list of local/path:image/path pairs ContainerBinds []string + // NodeImage is the docker image for the openshift cli + CLIImage string // NodeImage is the docker image for openshift start node NodeImage string @@ -49,7 +51,7 @@ func (opt NodeStartConfig) MakeNodeConfig(dockerClient dockerhelper.Interface, b } createConfigCmd = append(createConfigCmd, opt.Args...) - containerId, rc, err := imageRunHelper.Image(opt.NodeImage). + containerId, rc, err := imageRunHelper.Image(opt.CLIImage). Privileged(). HostNetwork(). HostPid(). diff --git a/pkg/oc/bootstrap/clusterup/kubelet/flags.go b/pkg/oc/bootstrap/clusterup/kubelet/flags.go index fd58ef8ee9d3..f21b2e349611 100644 --- a/pkg/oc/bootstrap/clusterup/kubelet/flags.go +++ b/pkg/oc/bootstrap/clusterup/kubelet/flags.go @@ -13,7 +13,7 @@ import ( type KubeletStartFlags struct { // ContainerBinds is a list of local/path:image/path pairs ContainerBinds []string - // NodeImage is the docker image for openshift start node + // NodeImage is the docker image for openshift start node and the kubelet NodeImage string Environment []string UseSharedVolume bool diff --git a/pkg/oc/bootstrap/docker/run_self_hosted.go b/pkg/oc/bootstrap/docker/run_self_hosted.go index acf20279ff3a..2495e32e7f72 100644 --- a/pkg/oc/bootstrap/docker/run_self_hosted.go +++ b/pkg/oc/bootstrap/docker/run_self_hosted.go 
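Review bot: The doc comment on the new `CLIImage` field of `NodeStartConfig` reads `// NodeImage is the docker image for the openshift cli`, so two fields in the struct are now documented under the name `NodeImage`. It should read `// CLIImage is the docker image for the openshift cli, used to generate the node config`. The struct continues outside the hunk.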
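Review bot: `MakeNodeConfig` now starts `opt.CLIImage` with `Privileged()`, `HostNetwork()` and `HostPid()`, so a second image, resolved separately from the node image, gets full host privileges just to run the create-config command. Whether config generation needs any of the three is not visible here, because the builder chain and the function body continue outside the hunk. If it does not, dropping them from this chain would narrow what a tampered or mis-resolved CLI image could do on the host. At minimum I would record the reason next to the call, e.g. `// privileged + host network/pid: TODO confirm these are required to write the node config`.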
@@ -11,12 +11,10 @@ import ( "time" "github.com/golang/glog" - "github.com/openshift/origin/pkg/oc/bootstrap/docker/host" - kruntime "k8s.io/apimachinery/pkg/runtime" - "k8s.io/kubernetes/pkg/api/legacyscheme" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + kruntime "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer/json" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" 
@@ -24,47 +22,81 @@ import ( "k8s.io/client-go/rest" kclientcmd "k8s.io/client-go/tools/clientcmd" aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset" + "k8s.io/kubernetes/pkg/api/legacyscheme" "github.com/openshift/origin/pkg/oc/bootstrap" "github.com/openshift/origin/pkg/oc/bootstrap/clusteradd/componentinstall" "github.com/openshift/origin/pkg/oc/bootstrap/clusterup/kubeapiserver" "github.com/openshift/origin/pkg/oc/bootstrap/clusterup/kubelet" "github.com/openshift/origin/pkg/oc/bootstrap/clusterup/staticpods" + "github.com/openshift/origin/pkg/oc/bootstrap/docker/dockerhelper" + "github.com/openshift/origin/pkg/oc/bootstrap/docker/host" // install our apis into the legacy scheme _ "github.com/openshift/origin/pkg/api/install" ) +type staticInstall struct { + Location string + ComponentImage string +} + +type componentInstallTemplate struct { + ComponentImage string + Template componentinstall.Template +} + var ( - // staticPodLocations should only include those pods that *must* be run statically because they + // staticPodInstalls should only include those pods that *must* be run statically because they // bring up the services required to run the workload controllers. 
// etcd, kube-apiserver, kube-controller-manager, kube-scheduler (this is because sig-scheduling is expanding the scheduler responsibilities) - staticPodLocations = []string{ - "install/etcd/etcd.yaml", - "install/kube-apiserver/apiserver.yaml", - "install/kube-controller-manager/kube-controller-manager.yaml", - "install/kube-scheduler/kube-scheduler.yaml", + staticPodInstalls = []staticInstall{ + { + Location: "install/etcd/etcd.yaml", + ComponentImage: "control-plane", + }, + { + Location: "install/kube-apiserver/apiserver.yaml", + ComponentImage: "hypershift", + }, + { + Location: "install/kube-controller-manager/kube-controller-manager.yaml", + ComponentImage: "hyperkube", + }, + { + Location: "install/kube-scheduler/kube-scheduler.yaml", + ComponentImage: "hyperkube", + }, } runlevelOneLabel = map[string]string{"openshift.io/run-level": "1"} - runLevelOneComponents = []componentinstall.Template{ + runLevelOneComponents = []componentInstallTemplate{ { - Name: "kube-proxy", - Namespace: "kube-proxy", - NamespaceObj: newNamespaceBytes("kube-proxy", runlevelOneLabel), - InstallTemplate: bootstrap.MustAsset("install/kube-proxy/install.yaml"), + ComponentImage: "control-plane", + Template: componentinstall.Template{ + Name: "kube-proxy", + Namespace: "kube-proxy", + NamespaceObj: newNamespaceBytes("kube-proxy", runlevelOneLabel), + InstallTemplate: bootstrap.MustAsset("install/kube-proxy/install.yaml"), + }, }, { - Name: "kube-dns", - Namespace: "kube-dns", - NamespaceObj: newNamespaceBytes("kube-dns", runlevelOneLabel), - InstallTemplate: bootstrap.MustAsset("install/kube-dns/install.yaml"), + ComponentImage: "control-plane", + Template: componentinstall.Template{ + Name: "kube-dns", + Namespace: "kube-dns", + NamespaceObj: newNamespaceBytes("kube-dns", runlevelOneLabel), + InstallTemplate: bootstrap.MustAsset("install/kube-dns/install.yaml"), + }, }, { - Name: "openshift-apiserver", - Namespace: "openshift-apiserver", - NamespaceObj: 
newNamespaceBytes("openshift-apiserver", runlevelOneLabel), - InstallTemplate: bootstrap.MustAsset("install/openshift-apiserver/install.yaml"), + ComponentImage: "hypershift", + Template: componentinstall.Template{ + Name: "openshift-apiserver", + Namespace: "openshift-apiserver", + NamespaceObj: newNamespaceBytes("openshift-apiserver", runlevelOneLabel), + InstallTemplate: bootstrap.MustAsset("install/openshift-apiserver/install.yaml"), + }, }, } @@ -74,14 +106,17 @@ var ( // in cluster up. // TODO we can take a guess at readiness by making sure that pods in the namespace exist and all pods are healthy // TODO it's not perfect, but its fairly good as a starting point. - componentsToInstall = []componentinstall.Template{ + componentsToInstall = []componentInstallTemplate{ { - Name: "openshift-controller-manager", - Namespace: "openshift-controller-manager", - NamespaceObj: newNamespaceBytes("openshift-controller-manager", nil), - PrivilegedSANames: []string{"openshift-controller-manager"}, - RBACTemplate: bootstrap.MustAsset("install/openshift-controller-manager/install-rbac.yaml"), - InstallTemplate: bootstrap.MustAsset("install/openshift-controller-manager/install.yaml"), + ComponentImage: "hypershift", + Template: componentinstall.Template{ + Name: "openshift-controller-manager", + Namespace: "openshift-controller-manager", + NamespaceObj: newNamespaceBytes("openshift-controller-manager", nil), + PrivilegedSANames: []string{"openshift-controller-manager"}, + RBACTemplate: bootstrap.MustAsset("install/openshift-controller-manager/install-rbac.yaml"), + InstallTemplate: bootstrap.MustAsset("install/openshift-controller-manager/install.yaml"), + }, }, } ) 
@@ -116,9 +151,7 @@ func (c *ClusterUpConfig) StartSelfHosted(out io.Writer) error { "NODE_CONFIG_HOST_PATH": configDirs.nodeConfigDir, "KUBEDNS_CONFIG_HOST_PATH": configDirs.kubeDNSConfigDir, "OPENSHIFT_PULL_POLICY": c.defaultPullPolicy, - "OPENSHIFT_IMAGE": c.openshiftImage(), "LOGLEVEL": fmt.Sprintf("%d", c.ServerLogLevel), - "IMAGE": c.openshiftImage(), } clientConfigBuilder, err := kclientcmd.LoadFromFile(filepath.Join(c.LocalDirFor(kubeapiserver.KubeAPIServerDirName), "admin.kubeconfig")) @@ -139,9 +172,9 @@ func (c *ClusterUpConfig) StartSelfHosted(out io.Writer) error { return err } - err = componentinstall.InstallTemplates( + err = installComponentTemplates( runLevelOneComponents, - c.openshiftImage(), + c.ImageTemplate.Format, c.BaseDir, templateSubstitutionValues, c.GetDockerClient(), @@ -182,9 +215,9 @@ func (c *ClusterUpConfig) StartSelfHosted(out io.Writer) error { go watchAPIServices(aggregatorClient) - err = componentinstall.InstallTemplates( + err = installComponentTemplates( componentsToInstall, - c.openshiftImage(), + c.ImageTemplate.Format, c.BaseDir, templateSubstitutionValues, c.GetDockerClient(), @@ -316,7 +349,6 @@ func (c *ClusterUpConfig) BuildConfig() (*configDirs, error) { "/path/to/master/config-dir": configs.masterConfigDir, "/path/to/openshift-apiserver/config-dir": configs.openshiftAPIServerConfigDir, "ETCD_VOLUME": "emptyDir:\n", - "OPENSHIFT_IMAGE": c.openshiftImage(), "OPENSHIFT_PULL_POLICY": c.defaultPullPolicy, } 
@@ -326,9 +358,14 @@ func (c *ClusterUpConfig) BuildConfig() (*configDirs, error) { } glog.V(2).Infof("Creating static pod definitions in %q", configs.podManifestDir) - glog.V(3).Infof("Substitutions: %#v", substitutions) - for _, staticPodLocation := range staticPodLocations { - if err := staticpods.UpsertStaticPod(staticPodLocation, substitutions, configs.podManifestDir); err != nil { + for _, staticPod := range staticPodInstalls { + if len(staticPod.ComponentImage) > 0 { + substitutions["IMAGE"] = c.ImageTemplate.ExpandOrDie(staticPod.ComponentImage) + } else { + delete(substitutions, "IMAGE") + } + glog.V(3).Infof("Substitutions: %#v", substitutions) + if err := staticpods.UpsertStaticPod(staticPod.Location, substitutions, configs.podManifestDir); err != nil { return nil, err } } @@ -373,7 +410,8 @@ func (c *ClusterUpConfig) makeNodeConfig(masterConfigDir string) (string, error) container := kubelet.NewNodeStartConfig() container.ContainerBinds = append(container.ContainerBinds, masterConfigDir+":/var/lib/origin/openshift.local.masterconfig:z") - container.NodeImage = c.openshiftImage() + container.CLIImage = c.cliImage() + container.NodeImage = c.nodeImage() container.Args = []string{ fmt.Sprintf("--certificate-authority=%s", "/var/lib/origin/openshift.local.masterconfig/ca.crt"), fmt.Sprintf("--dns-bind-address=0.0.0.0:%d", c.DNSPort), @@ -400,7 +438,7 @@ func (c *ClusterUpConfig) makeNodeConfig(masterConfigDir string) (string, error) func (c *ClusterUpConfig) makeKubeletFlags(out io.Writer, nodeConfigDir string) ([]string, error) { container := kubelet.NewKubeletStartFlags() container.ContainerBinds = append(container.ContainerBinds, nodeConfigDir+":/var/lib/origin/openshift.local.config/node:z") - container.NodeImage = c.openshiftImage() + container.NodeImage = c.nodeImage() container.UseSharedVolume = !c.UseNsenterMount kubeletFlags, err := container.MakeKubeletFlags(c.GetDockerClient(), c.BaseDir) 
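Review bot: In the `staticPodInstalls` loop of `BuildConfig`, the `else` branch does `delete(substitutions, "IMAGE")` and still calls `UpsertStaticPod`, so an entry without `ComponentImage` would presumably be written with the literal `image: IMAGE` placeholder from the manifest and fail only later, when the kubelet tries to resolve it. Failing at generation time is easier to diagnose: `return nil, fmt.Errorf("static pod %q has no component image", staticPod.Location)`. The loop also mutates the shared `substitutions` map on every pass, so each manifest's inputs depend on the previous iteration; copying the map per pod would avoid that. `BuildConfig` starts and ends outside the hunk.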
@@ -480,7 +518,7 @@ func (c *ClusterUpConfig) startKubelet(out io.Writer, masterConfigDir, nodeConfi // /sys/devices/virtual/net/vethXXX/brport/hairpin_mode, so make this rw, not ro. container.ContainerBinds = append(container.ContainerBinds, "/sys/devices/virtual/net:/sys/devices/virtual/net:rw") - container.NodeImage = c.openshiftImage() + container.NodeImage = c.nodeImage() container.HTTPProxy = c.HTTPProxy container.HTTPSProxy = c.HTTPSProxy container.NoProxy = c.NoProxy @@ -583,3 +621,22 @@ func newNamespaceBytes(namespace string, labels map[string]string) []byte { } return output } + +func installComponentTemplates(templates []componentInstallTemplate, imageFormat, baseDir string, params map[string]string, dockerClient dockerhelper.Interface, + logdir string) error { + components := []componentinstall.Component{} + cliImage := strings.Replace(imageFormat, "${component}", "cli", -1) + for _, template := range templates { + paramsWithImage := make(map[string]string) + for k, v := range params { + paramsWithImage[k] = v + } + if len(template.ComponentImage) > 0 { + paramsWithImage["IMAGE"] = strings.Replace(imageFormat, "${component}", template.ComponentImage, -1) + } + + components = append(components, template.Template.MakeReady(cliImage, baseDir, paramsWithImage)) + } + + return componentinstall.InstallComponents(components, dockerClient, logdir) +} diff --git a/pkg/oc/bootstrap/docker/up.go b/pkg/oc/bootstrap/docker/up.go index b96501227f79..313a92840f8b 100644 --- a/pkg/oc/bootstrap/docker/up.go +++ b/pkg/oc/bootstrap/docker/up.go 
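Review bot: `installComponentTemplates` expands the image format by hand with `strings.Replace(imageFormat, "${component}", …, -1)`, while every other image in this patch is resolved through `c.ImageTemplate.ExpandOrDie(...)`. If the template's expansion handles anything besides `${component}` (not visible in this diff), the `IMAGE` parameter and the `cliImage` passed to `MakeReady` would resolve differently from the images that `checkOpenShiftImage` pulls and verifies. Passing the expander instead of the raw format keeps a single resolution path: accept `expand func(component string) string` in place of `imageFormat`, use `paramsWithImage["IMAGE"] = expand(template.ComponentImage)`, and have callers pass `c.ImageTemplate.ExpandOrDie`. When `ComponentImage` is empty the template's own floating default is used silently, which deserves a comment on that branch.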
@@ -675,7 +675,16 @@ func checkExistingOpenShiftContainer(dockerHelper *dockerhelper.Helper) error { // checkOpenShiftImage checks whether the OpenShift image exists. // If not it tells the Docker daemon to pull it. func (c *ClusterUpConfig) checkOpenShiftImage() error { - return c.DockerHelper().CheckAndPull(c.openshiftImage(), c.Out) + if err := c.DockerHelper().CheckAndPull(c.openshiftImage(), c.Out); err != nil { + return err + } + if err := c.DockerHelper().CheckAndPull(c.cliImage(), c.Out); err != nil { + return err + } + if err := c.DockerHelper().CheckAndPull(c.nodeImage(), c.Out); err != nil { + return err + } + return nil } // checkDockerInsecureRegistry checks to see if the Docker daemon has an appropriate insecure registry argument set so that our services can access the registry @@ -935,6 +944,22 @@ func (c *ClusterUpConfig) openshiftImage() string { return c.ImageTemplate.ExpandOrDie("control-plane") } +func (c *ClusterUpConfig) hypershiftImage() string { + return c.ImageTemplate.ExpandOrDie("hypershift") +} + +func (c *ClusterUpConfig) hyperkubeImage() string { + return c.ImageTemplate.ExpandOrDie("hyperkube") +} + +func (c *ClusterUpConfig) cliImage() string { + return c.ImageTemplate.ExpandOrDie("cli") +} + +func (c *ClusterUpConfig) nodeImage() string { + return c.ImageTemplate.ExpandOrDie("node") +} + func (c *ClusterUpConfig) determineAdditionalIPs(ip string) ([]string, error) { additionalIPs := sets.NewString() serverIPs, err := c.OpenShiftHelper().OtherIPs(ip) diff --git a/test/extended/testdata/bindata.go b/test/extended/testdata/bindata.go index 2eedbfb4a2e5..7be8bcaddec1 100644 --- a/test/extended/testdata/bindata.go +++ b/test/extended/testdata/bindata.go @@ -31188,7 +31188,7 @@ spec: hostNetwork: true containers: - name: etcd - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY workingDir: /var/lib/etcd command: ["/bin/bash", "-c"] 
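Review bot: The doc comment on `checkOpenShiftImage` still says it checks "whether the OpenShift image exists", but the new body checks and pulls three images (control-plane, cli, node). I would update it to `// checkOpenShiftImage checks that the control-plane, cli and node images exist locally and tells the Docker daemon to pull any that are missing.` The following hunk adds `hypershiftImage()` and `hyperkubeImage()`, which are not called in any hunk shown here and are not part of this pre-pull, although the static pods and templates now reference the `hypershift` and `hyperkube` components. If those images are meant to be fetched by the kubelet instead, a one-line comment on the two helpers would make that explicit.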
@@ -31241,7 +31241,7 @@ spec: hostNetwork: true containers: - name: api - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY command: ["/bin/bash", "-c"] args: @@ -31307,7 +31307,7 @@ spec: hostNetwork: true containers: - name: controllers - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY command: ["hyperkube", "kube-controller-manager"] args: @@ -31372,7 +31372,7 @@ metadata: parameters: - name: NAMESPACE value: kube-dns -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always @@ -31410,9 +31410,9 @@ objects: serviceAccountName: kube-dns containers: - name: kube-proxy - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} - command: ["openshift", "start", "node"] + command: ["openshift", "start", "network"] args: - "--enable=dns" - "--config=/etc/origin/node/node-config.yaml" @@ -31472,7 +31472,7 @@ kind: Template metadata: name: kube-proxy parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane - name: OPENSHIFT_PULL_POLICY value: Always @@ -31524,9 +31524,9 @@ objects: hostNetwork: true containers: - name: kube-proxy - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} - command: ["openshift", "start", "node"] + command: ["openshift", "start", "network"] args: - "--enable=proxy" - "--listen=https://0.0.0.0:8444" @@ -31572,7 +31572,7 @@ spec: hostNetwork: true containers: - name: scheduler - image: OPENSHIFT_IMAGE + image: IMAGE imagePullPolicy: OPENSHIFT_PULL_POLICY command: ["hyperkube", "kube-scheduler"] args: @@ -31621,7 +31621,7 @@ kind: Template metadata: name: openshift-apiserver parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always 
@@ -31659,7 +31659,7 @@ objects: hostNetwork: true containers: - name: apiserver - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} env: - name: ADDITIONAL_ALLOWED_REGISTRIES @@ -32040,7 +32040,7 @@ kind: Template metadata: name: openshift-controller-manager parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always @@ -32079,7 +32079,7 @@ objects: hostNetwork: true containers: - name: c - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} command: ["hypershift", "openshift-controller-manager"] args: @@ -32173,7 +32173,7 @@ func installOpenshiftWebConsoleOperatorInstallRbacYaml() (*asset, error) { var _installOpenshiftWebConsoleOperatorInstallYaml = []byte(`apiVersion: template.openshift.io/v1 kind: Template parameters: -- name: OPENSHIFT_IMAGE +- name: IMAGE value: openshift/origin-control-plane:latest - name: OPENSHIFT_PULL_POLICY value: Always @@ -32224,7 +32224,7 @@ objects: serviceAccountName: openshift-web-console-operator containers: - name: operator - image: ${OPENSHIFT_IMAGE} + image: ${IMAGE} imagePullPolicy: ${OPENSHIFT_PULL_POLICY} command: ["hypershift", "experimental", "openshift-webconsole-operator"] args: From 544e2bf9e6a9237dbfc4a5b05ed91a720f83ef33 Mon Sep 17 00:00:00 2001 
From: Clayton Coleman Date: Wed, 25 Apr 2018 23:42:13 -0400 Subject: [PATCH 16/26] LDAP sync commands should only import LDAP validation --- .../server/apis/config/validation/allinone.go | 9 +- .../apis/config/validation/common/common.go | 172 ++++++++++++++++++ pkg/cmd/server/apis/config/validation/etcd.go | 12 +- .../apis/config/validation/{ => ldap}/ldap.go | 33 ++-- .../server/apis/config/validation/master.go | 90 ++++----- pkg/cmd/server/apis/config/validation/node.go | 13 +- .../server/apis/config/validation/oauth.go | 64 +++---- .../apis/config/validation/validation.go | 163 ++--------------- pkg/cmd/server/start/start_node.go | 3 +- pkg/oc/admin/groups/examples/examples_test.go | 4 +- pkg/oc/admin/groups/sync/cli/prune.go | 4 +- pkg/oc/admin/groups/sync/cli/sync.go | 4 +- 12 files changed, 297 insertions(+), 274 deletions(-) create mode 100644 pkg/cmd/server/apis/config/validation/common/common.go rename pkg/cmd/server/apis/config/validation/{ => ldap}/ldap.go (88%) diff --git a/pkg/cmd/server/apis/config/validation/allinone.go b/pkg/cmd/server/apis/config/validation/allinone.go index 032dc029a4cd..4f05bbe4afad 100644 --- a/pkg/cmd/server/apis/config/validation/allinone.go +++ b/pkg/cmd/server/apis/config/validation/allinone.go @@ -1,9 +1,12 @@ package validation -import "github.com/openshift/origin/pkg/cmd/server/apis/config" +import ( + "github.com/openshift/origin/pkg/cmd/server/apis/config" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common" +) -func ValidateAllInOneConfig(master *config.MasterConfig, node *config.NodeConfig) ValidationResults { - validationResults := ValidationResults{} +func ValidateAllInOneConfig(master *config.MasterConfig, node *config.NodeConfig) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.Append(ValidateMasterConfig(master, nil)) 
diff --git a/pkg/cmd/server/apis/config/validation/common/common.go b/pkg/cmd/server/apis/config/validation/common/common.go new file mode 100644 index 000000000000..bab718b60f02 --- /dev/null +++ b/pkg/cmd/server/apis/config/validation/common/common.go 
@@ -0,0 +1,172 @@ +package common + +import ( + "fmt" + "io/ioutil" + "net" + "net/url" + "os" + "strconv" + "unicode" + "unicode/utf8" + + utilvalidation "k8s.io/apimachinery/pkg/util/validation" + "k8s.io/apimachinery/pkg/util/validation/field" + + "github.com/openshift/origin/pkg/cmd/server/apis/config" +) + +func ValidateStringSource(s config.StringSource, fieldPath *field.Path) ValidationResults { + validationResults := ValidationResults{} + methods := 0 + if len(s.Value) > 0 { + methods++ + } + if len(s.File) > 0 { + methods++ + fileErrors := ValidateFile(s.File, fieldPath.Child("file")) + validationResults.AddErrors(fileErrors...) + + // If the file was otherwise ok, and its value will be used verbatim, warn about trailing whitespace + if len(fileErrors) == 0 && len(s.KeyFile) == 0 { + if data, err := ioutil.ReadFile(s.File); err != nil { + validationResults.AddErrors(field.Invalid(fieldPath.Child("file"), s.File, fmt.Sprintf("could not read file: %v", err))) + } else if len(data) > 0 { + r, _ := utf8.DecodeLastRune(data) + if unicode.IsSpace(r) { + validationResults.AddWarnings(field.Invalid(fieldPath.Child("file"), s.File, "contains trailing whitespace which will be included in the value")) + } + } + } + } + if len(s.Env) > 0 { + methods++ + } + if methods > 1 { + validationResults.AddErrors(field.Invalid(fieldPath, "", "only one of value, file, and env can be specified")) + } + + if len(s.KeyFile) > 0 { + validationResults.AddErrors(ValidateFile(s.KeyFile, fieldPath.Child("keyFile"))...) 
+ } + + return validationResults +} + +func ValidateSpecifiedIP(ipString string, fldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + + ip := net.ParseIP(ipString) + if ip == nil { + allErrs = append(allErrs, field.Invalid(fldPath, ipString, "must be a valid IP")) + } else if ip.IsUnspecified() { + allErrs = append(allErrs, field.Invalid(fldPath, ipString, "cannot be an unspecified IP")) + } + + return allErrs +} + +func ValidateSpecifiedIPPort(ipPortString string, fldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + + ipString, portString, err := net.SplitHostPort(ipPortString) + if err != nil { + allErrs = append(allErrs, field.Invalid(fldPath, ipPortString, "must be a valid IP:PORT")) + return allErrs + } + + ip := net.ParseIP(ipString) + if ip == nil { + allErrs = append(allErrs, field.Invalid(fldPath, ipString, "must be a valid IP")) + } else if ip.IsUnspecified() { + allErrs = append(allErrs, field.Invalid(fldPath, ipString, "cannot be an unspecified IP")) + } + port, err := strconv.Atoi(portString) + if err != nil { + allErrs = append(allErrs, field.Invalid(fldPath, portString, "must be a valid port")) + } else { + for _, msg := range utilvalidation.IsValidPortNum(port) { + allErrs = append(allErrs, field.Invalid(fldPath, port, msg)) + } + } + + return allErrs +} + +func ValidateSecureURL(urlString string, fldPath *field.Path) (*url.URL, field.ErrorList) { + url, urlErrs := ValidateURL(urlString, fldPath) + if len(urlErrs) == 0 && url.Scheme != "https" { + urlErrs = append(urlErrs, field.Invalid(fldPath, urlString, "must use https scheme")) + } + return url, urlErrs +} + +func ValidateURL(urlString string, fldPath *field.Path) (*url.URL, field.ErrorList) { + allErrs := field.ErrorList{} + + urlObj, err := url.Parse(urlString) + if err != nil { + allErrs = append(allErrs, field.Invalid(fldPath, urlString, "must be a valid URL")) + return nil, allErrs + } + if len(urlObj.Scheme) == 0 { + allErrs = append(allErrs, 
field.Invalid(fldPath, urlString, "must contain a scheme (e.g. https://)")) + } + if len(urlObj.Host) == 0 { + allErrs = append(allErrs, field.Invalid(fldPath, urlString, "must contain a host")) + } + return urlObj, allErrs +} + +func ValidateFile(path string, fldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + + if len(path) == 0 { + allErrs = append(allErrs, field.Required(fldPath, "")) + } else if _, err := os.Stat(path); err != nil { + allErrs = append(allErrs, field.Invalid(fldPath, path, fmt.Sprintf("could not read file: %v", err))) + } + + return allErrs +} + +func ValidateDir(path string, fldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + if len(path) == 0 { + allErrs = append(allErrs, field.Required(fldPath, "")) + } else { + fileInfo, err := os.Stat(path) + if err != nil { + allErrs = append(allErrs, field.Invalid(fldPath, path, fmt.Sprintf("could not read info: %v", err))) + } else if !fileInfo.IsDir() { + allErrs = append(allErrs, field.Invalid(fldPath, path, "not a directory")) + } + } + + return allErrs +} + +// TODO: this should just be two return arrays, no need to be clever +type ValidationResults struct { + Warnings field.ErrorList + Errors field.ErrorList +} + +func (r *ValidationResults) Append(additionalResults ValidationResults) { + r.AddErrors(additionalResults.Errors...) + r.AddWarnings(additionalResults.Warnings...) +} + +func (r *ValidationResults) AddErrors(errors ...*field.Error) { + if len(errors) == 0 { + return + } + r.Errors = append(r.Errors, errors...) +} + +func (r *ValidationResults) AddWarnings(warnings ...*field.Error) { + if len(warnings) == 0 { + return + } + r.Warnings = append(r.Warnings, warnings...) +} diff --git a/pkg/cmd/server/apis/config/validation/etcd.go b/pkg/cmd/server/apis/config/validation/etcd.go index b714bf89b168..e85d5d3a221c 100644 --- a/pkg/cmd/server/apis/config/validation/etcd.go +++ b/pkg/cmd/server/apis/config/validation/etcd.go 
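Review bot: `ValidateFile` in the new `common` package only calls `os.Stat`, so a directory, or a file the process cannot open, passes validation for fields such as `ca` and `keyFile`, and the error text `could not read file` describes a read that never happened. `ValidateDir` already inspects `IsDir()`, and unless some caller relies on passing a directory the file check can mirror it: bind the result with `} else if info, err := os.Stat(path); err != nil {` and add `} else if info.IsDir() { allErrs = append(allErrs, field.Invalid(fldPath, path, "is a directory, not a file")) }`. The exported functions and `ValidationResults` in this file also have no doc comments. A short one on each (what is validated, what is reported as an error versus a warning) would help callers of the new package.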
@@ -4,9 +4,11 @@ import ( "fmt" "strings" - "github.com/openshift/origin/pkg/cmd/server/apis/config" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" + + "github.com/openshift/origin/pkg/cmd/server/apis/config" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common" ) // ValidateEtcdConnectionInfo validates the connection info. If a server EtcdConfig is provided, @@ -19,14 +21,14 @@ func ValidateEtcdConnectionInfo(config config.EtcdConnectionInfo, server *config allErrs = append(allErrs, field.Required(fldPath.Child("urls"), "")) } for i, u := range config.URLs { - _, urlErrs := ValidateURL(u, fldPath.Child("urls").Index(i)) + _, urlErrs := common.ValidateURL(u, fldPath.Child("urls").Index(i)) if len(urlErrs) > 0 { allErrs = append(allErrs, urlErrs...) } } if len(config.CA) > 0 { - allErrs = append(allErrs, ValidateFile(config.CA, fldPath.Child("ca"))...) + allErrs = append(allErrs, common.ValidateFile(config.CA, fldPath.Child("ca"))...) } allErrs = append(allErrs, ValidateCertInfo(config.ClientCert, false, fldPath)...) @@ -51,8 +53,8 @@ func ValidateEtcdConnectionInfo(config config.EtcdConnectionInfo, server *config return allErrs } -func ValidateEtcdConfig(config *config.EtcdConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateEtcdConfig(config *config.EtcdConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} servingInfoPath := fldPath.Child("servingInfo") validationResults.Append(ValidateServingInfo(config.ServingInfo, true, servingInfoPath)) diff --git a/pkg/cmd/server/apis/config/validation/ldap.go b/pkg/cmd/server/apis/config/validation/ldap/ldap.go similarity index 88% rename from pkg/cmd/server/apis/config/validation/ldap.go rename to pkg/cmd/server/apis/config/validation/ldap/ldap.go index 169607617b30..da42798ea719 100644 --- a/pkg/cmd/server/apis/config/validation/ldap.go 
+++ b/pkg/cmd/server/apis/config/validation/ldap/ldap.go @@ -1,4 +1,4 @@ -package validation +package ldap import ( "fmt" @@ -9,13 +9,14 @@ import ( "k8s.io/apimachinery/pkg/util/validation/field" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common" "github.com/openshift/origin/pkg/oauthserver/ldaputil" ) -func ValidateLDAPSyncConfig(config *configapi.LDAPSyncConfig) ValidationResults { - validationResults := ValidationResults{} +func ValidateLDAPSyncConfig(config *configapi.LDAPSyncConfig) common.ValidationResults { + validationResults := common.ValidationResults{} - validationResults.Append(ValidateStringSource(config.BindPassword, field.NewPath("bindPassword"))) + validationResults.Append(common.ValidateStringSource(config.BindPassword, field.NewPath("bindPassword"))) bindPassword, _ := configapi.ResolveStringValue(config.BindPassword) validationResults.Append(ValidateLDAPClientConfig(config.URL, config.BindDN, bindPassword, config.CA, config.Insecure, nil)) @@ -56,8 +57,8 @@ func ValidateLDAPSyncConfig(config *configapi.LDAPSyncConfig) ValidationResults return validationResults } -func ValidateLDAPClientConfig(url, bindDN, bindPassword, CA string, insecure bool, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateLDAPClientConfig(url, bindDN, bindPassword, CA string, insecure bool, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if len(url) == 0 { validationResults.AddErrors(field.Required(fldPath.Child("url"), "")) @@ -91,7 +92,7 @@ func ValidateLDAPClientConfig(url, bindDN, bindPassword, CA string, insecure boo } } else { if len(CA) > 0 { - validationResults.AddErrors(ValidateFile(CA, fldPath.Child("ca"))...) + validationResults.AddErrors(common.ValidateFile(CA, fldPath.Child("ca"))...) } } 
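Review bot: In ValidateLDAPSyncConfig (hunk -9,13) the error from `configapi.ResolveStringValue(config.BindPassword)` is discarded, so a bind password that passes `common.ValidateStringSource` but cannot be resolved reaches ValidateLDAPClientConfig as an empty string. ValidateOAuthIdentityProvider in oauth.go keeps the error from the same call, and the same discard appears in ValidateLDAPIdentityProvider (oauth.go hunk -211,12). I would keep the error and report it with an empty value so the secret is never echoed: `bindPassword, err := configapi.ResolveStringValue(config.BindPassword)` followed by `if err != nil { validationResults.AddErrors(field.Invalid(field.NewPath("bindPassword"), "", "could not be resolved")) }`. How ValidateLDAPClientConfig treats an empty password is outside this hunk, so the impact is presumably a missing or misleading validation error rather than anything confirmed; the function body also continues past the hunk.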
@@ -104,8 +105,8 @@ func ValidateLDAPClientConfig(url, bindDN, bindPassword, CA string, insecure boo return validationResults } -func ValidateRFC2307Config(config *configapi.RFC2307Config) ValidationResults { - validationResults := ValidationResults{} +func ValidateRFC2307Config(config *configapi.RFC2307Config) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.Append(ValidateLDAPQuery(config.AllGroupsQuery, field.NewPath("groupsQuery"))) if len(config.GroupUIDAttribute) == 0 { @@ -130,8 +131,8 @@ func ValidateRFC2307Config(config *configapi.RFC2307Config) ValidationResults { return validationResults } -func ValidateActiveDirectoryConfig(config *configapi.ActiveDirectoryConfig) ValidationResults { - validationResults := ValidationResults{} +func ValidateActiveDirectoryConfig(config *configapi.ActiveDirectoryConfig) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.Append(ValidateLDAPQuery(config.AllUsersQuery, field.NewPath("usersQuery"))) if len(config.UserNameAttributes) == 0 { @@ -144,8 +145,8 @@ func ValidateActiveDirectoryConfig(config *configapi.ActiveDirectoryConfig) Vali return validationResults } -func ValidateAugmentedActiveDirectoryConfig(config *configapi.AugmentedActiveDirectoryConfig) ValidationResults { - validationResults := ValidationResults{} +func ValidateAugmentedActiveDirectoryConfig(config *configapi.AugmentedActiveDirectoryConfig) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.Append(ValidateLDAPQuery(config.AllUsersQuery, field.NewPath("usersQuery"))) if len(config.UserNameAttributes) == 0 { 
@@ -167,11 +168,11 @@ func ValidateAugmentedActiveDirectoryConfig(config *configapi.AugmentedActiveDir return validationResults } -func ValidateLDAPQuery(query configapi.LDAPQuery, fldPath *field.Path) ValidationResults { +func ValidateLDAPQuery(query configapi.LDAPQuery, fldPath *field.Path) common.ValidationResults { return validateLDAPQuery(query, fldPath, false) } -func validateLDAPQuery(query configapi.LDAPQuery, fldPath *field.Path, isDNOnly bool) ValidationResults { - validationResults := ValidationResults{} +func validateLDAPQuery(query configapi.LDAPQuery, fldPath *field.Path, isDNOnly bool) common.ValidationResults { + validationResults := common.ValidationResults{} if _, err := ldap.ParseDN(query.BaseDN); err != nil { validationResults.AddErrors(field.Invalid(fldPath.Child("baseDN"), query.BaseDN, diff --git a/pkg/cmd/server/apis/config/validation/master.go b/pkg/cmd/server/apis/config/validation/master.go index c351e75f0c4d..098bcb003998 100644 --- a/pkg/cmd/server/apis/config/validation/master.go +++ b/pkg/cmd/server/apis/config/validation/master.go @@ -23,6 +23,7 @@ import ( kvalidation "k8s.io/kubernetes/pkg/apis/core/validation" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" "github.com/openshift/origin/pkg/cmd/server/cm" oauthutil "github.com/openshift/origin/pkg/oauth/util" 
@@ -31,35 +32,10 @@ import ( "github.com/openshift/origin/pkg/util/labelselector" ) -// TODO: this should just be two return arrays, no need to be clever -type ValidationResults struct { - Warnings field.ErrorList - Errors field.ErrorList -} - -func (r *ValidationResults) Append(additionalResults ValidationResults) { - r.AddErrors(additionalResults.Errors...) - r.AddWarnings(additionalResults.Warnings...) -} - -func (r *ValidationResults) AddErrors(errors ...*field.Error) { - if len(errors) == 0 { - return - } - r.Errors = append(r.Errors, errors...) -} - -func (r *ValidationResults) AddWarnings(warnings ...*field.Error) { - if len(warnings) == 0 { - return - } - r.Warnings = append(r.Warnings, warnings...) -} - -func ValidateMasterConfig(config *configapi.MasterConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateMasterConfig(config *configapi.MasterConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} - if _, urlErrs := ValidateURL(config.MasterPublicURL, fldPath.Child("masterPublicURL")); len(urlErrs) > 0 { + if _, urlErrs := common.ValidateURL(config.MasterPublicURL, fldPath.Child("masterPublicURL")); len(urlErrs) > 0 { validationResults.AddErrors(urlErrs...) } @@ -152,8 +128,8 @@ func ValidateMasterConfig(config *configapi.MasterConfig, fldPath *field.Path) V return validationResults } -func ValidateMasterAuthConfig(config configapi.MasterAuthConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateMasterAuthConfig(config configapi.MasterAuthConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if len(config.OAuthMetadataFile) > 0 { if _, _, err := oauthutil.LoadOAuthMetadataFile(config.OAuthMetadataFile); err != nil { 
@@ -166,7 +142,7 @@ func ValidateMasterAuthConfig(config configapi.MasterAuthConfig, fldPath *field. if len(wta.ConfigFile) == 0 { validationResults.AddErrors(field.Required(configFile, "")) } else { - validationResults.AddErrors(ValidateFile(wta.ConfigFile, configFile)...) + validationResults.AddErrors(common.ValidateFile(wta.ConfigFile, configFile)...) } cacheTTL := fldPath.Child("webhookTokenAuthenticators", "cacheTTL") @@ -202,8 +178,8 @@ func ValidateMasterAuthConfig(config configapi.MasterAuthConfig, fldPath *field. return validationResults } -func ValidateAggregatorConfig(config configapi.AggregatorConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateAggregatorConfig(config configapi.AggregatorConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.AddErrors(ValidateCertInfo(config.ProxyClientInfo, false, fldPath.Child("proxyClientInfo"))...) if len(config.ProxyClientInfo.CertFile) == 0 && len(config.ProxyClientInfo.KeyFile) == 0 { @@ -213,8 +189,8 @@ func ValidateAggregatorConfig(config configapi.AggregatorConfig, fldPath *field. return validationResults } -func ValidateAuditConfig(config configapi.AuditConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateAuditConfig(config configapi.AuditConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if !config.Enabled { return validationResults } 
@@ -295,8 +271,8 @@ func ValidateAuditConfig(config configapi.AuditConfig, fldPath *field.Path) Vali return validationResults } -func ValidateControllerConfig(config configapi.ControllerConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateControllerConfig(config configapi.ControllerConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if election := config.Election; election != nil { if len(election.LockName) == 0 { @@ -324,8 +300,8 @@ func ValidateControllerConfig(config configapi.ControllerConfig, fldPath *field. return validationResults } -func ValidateAPILevels(apiLevels []string, knownAPILevels, deadAPILevels []string, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateAPILevels(apiLevels []string, knownAPILevels, deadAPILevels []string, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if len(apiLevels) == 0 { validationResults.AddErrors(field.Required(fldPath, "")) @@ -386,8 +362,8 @@ func ValidateStorageVersionLevel(level string, knownAPILevels, deadAPILevels []s return allErrs } -func ValidateServiceAccountConfig(config configapi.ServiceAccountConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateServiceAccountConfig(config configapi.ServiceAccountConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} managedNames := sets.NewString(config.ManagedNames...) managedNamesPath := fldPath.Child("managedNames") 
@@ -409,7 +385,7 @@ func ValidateServiceAccountConfig(config configapi.ServiceAccountConfig, fldPath if len(config.PrivateKeyFile) > 0 { privateKeyFilePath := fldPath.Child("privateKeyFile") - if fileErrs := ValidateFile(config.PrivateKeyFile, privateKeyFilePath); len(fileErrs) > 0 { + if fileErrs := common.ValidateFile(config.PrivateKeyFile, privateKeyFilePath); len(fileErrs) > 0 { validationResults.AddErrors(fileErrs...) } else if _, err := cert.PrivateKeyFromFile(config.PrivateKeyFile); err != nil { validationResults.AddErrors(field.Invalid(privateKeyFilePath, config.PrivateKeyFile, err.Error())) @@ -423,7 +399,7 @@ func ValidateServiceAccountConfig(config configapi.ServiceAccountConfig, fldPath } for i, publicKeyFile := range config.PublicKeyFiles { idxPath := fldPath.Child("publicKeyFiles").Index(i) - if fileErrs := ValidateFile(publicKeyFile, idxPath); len(fileErrs) > 0 { + if fileErrs := common.ValidateFile(publicKeyFile, idxPath); len(fileErrs) > 0 { validationResults.AddErrors(fileErrs...) } else if _, err := cert.PublicKeysFromFile(publicKeyFile); err != nil { validationResults.AddErrors(field.Invalid(idxPath, publicKeyFile, err.Error())) @@ -431,7 +407,7 @@ func ValidateServiceAccountConfig(config configapi.ServiceAccountConfig, fldPath } if len(config.MasterCA) > 0 { - validationResults.AddErrors(ValidateFile(config.MasterCA, fldPath.Child("masterCA"))...) + validationResults.AddErrors(common.ValidateFile(config.MasterCA, fldPath.Child("masterCA"))...) } else { validationResults.AddWarnings(field.Invalid(fldPath.Child("masterCA"), "", "master CA information will not be automatically injected into pods, which will prevent verification of the API server from inside a pod")) } 
@@ -494,18 +470,18 @@ func ValidateKubeletConnectionInfo(config configapi.KubeletConnectionInfo, fldPa } if len(config.CA) > 0 { - allErrs = append(allErrs, ValidateFile(config.CA, fldPath.Child("ca"))...) + allErrs = append(allErrs, common.ValidateFile(config.CA, fldPath.Child("ca"))...) } allErrs = append(allErrs, ValidateCertInfo(config.ClientCert, false, fldPath)...) return allErrs } -func ValidateKubernetesMasterConfig(config configapi.KubernetesMasterConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateKubernetesMasterConfig(config configapi.KubernetesMasterConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if len(config.MasterIP) > 0 { - validationResults.AddErrors(ValidateSpecifiedIP(config.MasterIP, fldPath.Child("masterIP"))...) + validationResults.AddErrors(common.ValidateSpecifiedIP(config.MasterIP, fldPath.Child("masterIP"))...) } validationResults.AddErrors(ValidateCertInfo(config.ProxyClientInfo, false, fldPath.Child("proxyClientInfo"))...) @@ -526,7 +502,7 @@ func ValidateKubernetesMasterConfig(config configapi.KubernetesMasterConfig, fld } if len(config.SchedulerConfigFile) > 0 { - validationResults.AddErrors(ValidateFile(config.SchedulerConfigFile, fldPath.Child("schedulerConfigFile"))...) + validationResults.AddErrors(common.ValidateFile(config.SchedulerConfigFile, fldPath.Child("schedulerConfigFile"))...) } if len(config.PodEvictionTimeout) > 0 { 
@@ -579,8 +555,8 @@ func ValidatePolicyConfig(config configapi.PolicyConfig, fldPath *field.Path) fi return allErrs } -func ValidateProjectConfig(config configapi.ProjectConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateProjectConfig(config configapi.ProjectConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if _, _, err := configapi.ParseNamespaceAndName(config.ProjectRequestTemplate); err != nil { validationResults.AddErrors(field.Invalid(fldPath.Child("projectRequestTemplate"), config.ProjectRequestTemplate, "must be in the form: namespace/templateName")) @@ -625,8 +601,8 @@ func ValidateRoutingConfig(config configapi.RoutingConfig, fldPath *field.Path) return allErrs } -func ValidateAPIServerExtendedArguments(config configapi.ExtendedArguments, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateAPIServerExtendedArguments(config configapi.ExtendedArguments, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.AddErrors(ValidateExtendedArguments(config, apiserveroptions.NewServerRunOptions().AddFlags, fldPath)...) @@ -655,8 +631,8 @@ func deprecatedAdmissionPluginNames() sets.String { return sets.NewString("openshift.io/OriginResourceQuota") } -func ValidateAdmissionPluginConfig(pluginConfig map[string]*configapi.AdmissionPluginConfig, fieldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateAdmissionPluginConfig(pluginConfig map[string]*configapi.AdmissionPluginConfig, fieldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} deprecatedPlugins := deprecatedAdmissionPluginNames() 
@@ -711,8 +687,8 @@ func ValidateIngressIPNetworkCIDR(config *configapi.MasterConfig, fldPath *field return } -func ValidateDeprecatedClusterNetworkConfig(config *configapi.MasterConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateDeprecatedClusterNetworkConfig(config *configapi.MasterConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if len(config.NetworkConfig.ClusterNetworks) > 1 { if config.NetworkConfig.DeprecatedHostSubnetLength != 0 { diff --git a/pkg/cmd/server/apis/config/validation/node.go b/pkg/cmd/server/apis/config/validation/node.go index 1eeed66f2293..5f95628880bf 100644 --- a/pkg/cmd/server/apis/config/validation/node.go +++ b/pkg/cmd/server/apis/config/validation/node.go @@ -9,9 +9,10 @@ import ( kubeletoptions "k8s.io/kubernetes/cmd/kubelet/app/options" configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common" ) -func ValidateNodeConfig(config *configapi.NodeConfig, fldPath *field.Path) ValidationResults { +func ValidateNodeConfig(config *configapi.NodeConfig, fldPath *field.Path) common.ValidationResults { validationResults := ValidateInClusterNodeConfig(config, fldPath) if bootstrap := config.KubeletArguments["bootstrap-kubeconfig"]; len(bootstrap) > 0 { validationResults.AddErrors(ValidateKubeConfig(bootstrap[0], fldPath.Child("kubeletArguments", "bootstrap-kubeconfig"))...) 
@@ -21,15 +22,15 @@ func ValidateNodeConfig(config *configapi.NodeConfig, fldPath *field.Path) Valid return validationResults } -func ValidateInClusterNodeConfig(config *configapi.NodeConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateInClusterNodeConfig(config *configapi.NodeConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} hasBootstrapConfig := len(config.KubeletArguments["bootstrap-kubeconfig"]) > 0 if len(config.NodeName) == 0 && !hasBootstrapConfig { validationResults.AddErrors(field.Required(fldPath.Child("nodeName"), "")) } if len(config.NodeIP) > 0 { - validationResults.AddErrors(ValidateSpecifiedIP(config.NodeIP, fldPath.Child("nodeIP"))...) + validationResults.AddErrors(common.ValidateSpecifiedIP(config.NodeIP, fldPath.Child("nodeIP"))...) } servingInfoPath := fldPath.Child("servingInfo") @@ -44,11 +45,11 @@ func ValidateInClusterNodeConfig(config *configapi.NodeConfig, fldPath *field.Pa } if len(config.DNSIP) > 0 { if !hasBootstrapConfig || config.DNSIP != "0.0.0.0" { - validationResults.AddErrors(ValidateSpecifiedIP(config.DNSIP, fldPath.Child("dnsIP"))...) + validationResults.AddErrors(common.ValidateSpecifiedIP(config.DNSIP, fldPath.Child("dnsIP"))...) } } for i, nameserver := range config.DNSNameservers { - validationResults.AddErrors(ValidateSpecifiedIPPort(nameserver, fldPath.Child("dnsNameservers").Index(i))...) + validationResults.AddErrors(common.ValidateSpecifiedIPPort(nameserver, fldPath.Child("dnsNameservers").Index(i))...) } validationResults.AddErrors(ValidateImageConfig(config.ImageConfig, fldPath.Child("imageConfig"))...) diff --git a/pkg/cmd/server/apis/config/validation/oauth.go b/pkg/cmd/server/apis/config/validation/oauth.go index ef08c264d994..4d6131fc167a 100644 --- a/pkg/cmd/server/apis/config/validation/oauth.go +++ b/pkg/cmd/server/apis/config/validation/oauth.go 
@@ -12,6 +12,8 @@ import ( configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/ldap" oauthvalidation "github.com/openshift/origin/pkg/oauth/apis/oauth/validation" "github.com/openshift/origin/pkg/oauthserver/authenticator/tokens" "github.com/openshift/origin/pkg/oauthserver/server/errorpage" @@ -21,22 +23,22 @@ import ( "github.com/openshift/origin/pkg/user/apis/user/validation" ) -func ValidateOAuthConfig(config *configapi.OAuthConfig, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateOAuthConfig(config *configapi.OAuthConfig, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if config.MasterCA == nil { validationResults.AddErrors(field.Invalid(fldPath.Child("masterCA"), config.MasterCA, "a filename or empty string is required")) } else if len(*config.MasterCA) > 0 { - validationResults.AddErrors(ValidateFile(*config.MasterCA, fldPath.Child("masterCA"))...) + validationResults.AddErrors(common.ValidateFile(*config.MasterCA, fldPath.Child("masterCA"))...) } if len(config.MasterURL) == 0 { validationResults.AddErrors(field.Required(fldPath.Child("masterURL"), "")) - } else if _, urlErrs := ValidateURL(config.MasterURL, fldPath.Child("masterURL")); len(urlErrs) > 0 { + } else if _, urlErrs := common.ValidateURL(config.MasterURL, fldPath.Child("masterURL")); len(urlErrs) > 0 { validationResults.AddErrors(urlErrs...) } - if _, urlErrs := ValidateURL(config.MasterPublicURL, fldPath.Child("masterPublicURL")); len(urlErrs) > 0 { + if _, urlErrs := common.ValidateURL(config.MasterPublicURL, fldPath.Child("masterPublicURL")); len(urlErrs) > 0 { validationResults.AddErrors(urlErrs...) } 
@@ -157,8 +159,8 @@ var validMappingMethods = sets.NewString( string(identitymapper.MappingMethodGenerate), ) -func ValidateIdentityProvider(identityProvider configapi.IdentityProvider, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateIdentityProvider(identityProvider configapi.IdentityProvider, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if len(identityProvider.Name) == 0 { validationResults.AddErrors(field.Required(fldPath.Child("name"), "")) @@ -185,7 +187,7 @@ func ValidateIdentityProvider(identityProvider configapi.IdentityProvider, fldPa validationResults.AddErrors(ValidateRemoteConnectionInfo(provider.RemoteConnectionInfo, providerPath)...) case (*configapi.HTPasswdPasswordIdentityProvider): - validationResults.AddErrors(ValidateFile(provider.File, providerPath.Child("file"))...) + validationResults.AddErrors(common.ValidateFile(provider.File, providerPath.Child("file"))...) case (*configapi.LDAPPasswordIdentityProvider): validationResults.Append(ValidateLDAPIdentityProvider(provider, providerPath)) 
@@ -211,12 +213,12 @@ func ValidateIdentityProvider(identityProvider configapi.IdentityProvider, fldPa return validationResults } -func ValidateLDAPIdentityProvider(provider *configapi.LDAPPasswordIdentityProvider, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateLDAPIdentityProvider(provider *configapi.LDAPPasswordIdentityProvider, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} - validationResults.Append(ValidateStringSource(provider.BindPassword, fldPath.Child("bindPassword"))) + validationResults.Append(common.ValidateStringSource(provider.BindPassword, fldPath.Child("bindPassword"))) bindPassword, _ := configapi.ResolveStringValue(provider.BindPassword) - validationResults.Append(ValidateLDAPClientConfig(provider.URL, provider.BindDN, bindPassword, provider.CA, provider.Insecure, fldPath)) + validationResults.Append(ldap.ValidateLDAPClientConfig(provider.URL, provider.BindDN, bindPassword, provider.CA, provider.Insecure, fldPath)) // At least one attribute to use as the user id is required if len(provider.Attributes.ID) == 0 { @@ -227,8 +229,8 @@ func ValidateLDAPIdentityProvider(provider *configapi.LDAPPasswordIdentityProvid } // RemoteConnection fields validated separately -- this is for keystone-specific validation -func ValidateKeystoneIdentityProvider(provider *configapi.KeystonePasswordIdentityProvider, identityProvider configapi.IdentityProvider, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateKeystoneIdentityProvider(provider *configapi.KeystonePasswordIdentityProvider, identityProvider configapi.IdentityProvider, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.AddErrors(ValidateRemoteConnectionInfo(provider.RemoteConnectionInfo, fldPath)...) providerURL, err := url.Parse(provider.RemoteConnectionInfo.URL) 
@@ -244,11 +246,11 @@ func ValidateKeystoneIdentityProvider(provider *configapi.KeystonePasswordIdenti return validationResults } -func ValidateRequestHeaderIdentityProvider(provider *configapi.RequestHeaderIdentityProvider, identityProvider configapi.IdentityProvider, fieldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateRequestHeaderIdentityProvider(provider *configapi.RequestHeaderIdentityProvider, identityProvider configapi.IdentityProvider, fieldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} if len(provider.ClientCA) > 0 { - validationResults.AddErrors(ValidateFile(provider.ClientCA, fieldPath.Child("provider", "clientCA"))...) + validationResults.AddErrors(common.ValidateFile(provider.ClientCA, fieldPath.Child("provider", "clientCA"))...) } else if len(provider.ClientCommonNames) > 0 { validationResults.AddErrors(field.Invalid(fieldPath.Child("provider", "clientCommonNames"), provider.ClientCommonNames, "clientCA must be specified in order to use clientCommonNames")) } @@ -266,7 +268,7 @@ func ValidateRequestHeaderIdentityProvider(provider *configapi.RequestHeaderIden } if len(provider.ChallengeURL) > 0 { - url, urlErrs := ValidateURL(provider.ChallengeURL, fieldPath.Child("provider", "challengeURL")) + url, urlErrs := common.ValidateURL(provider.ChallengeURL, fieldPath.Child("provider", "challengeURL")) validationResults.AddErrors(urlErrs...) if len(urlErrs) == 0 && !strings.Contains(url.RawQuery, tokens.URLToken) && !strings.Contains(url.RawQuery, tokens.QueryToken) { validationResults.AddWarnings( 
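Review bot: `provider.ChallengeURL` in hunk -266,7, and `provider.LoginURL` in the following hunk -279,7, are checked with `common.ValidateURL`, which only requires a scheme and a host, so an `http://` target for the authentication redirect passes without comment. The GitLab and OpenID providers in this same file use `common.ValidateSecureURL` for their endpoints. If plain http has to stay loadable for compatibility, a warning would at least surface it: `if len(urlErrs) == 0 && url.Scheme != "https" { validationResults.AddWarnings(field.Invalid(fieldPath.Child("provider", "challengeURL"), provider.ChallengeURL, "should use https scheme")) }`, and the same for `loginURL`. ValidateRequestHeaderIdentityProvider continues outside both hunks, so a scheme check further down cannot be ruled out from here.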
@@ -279,7 +281,7 @@ func ValidateRequestHeaderIdentityProvider(provider *configapi.RequestHeaderIden } } if len(provider.LoginURL) > 0 { - url, urlErrs := ValidateURL(provider.LoginURL, fieldPath.Child("provider", "loginURL")) + url, urlErrs := common.ValidateURL(provider.LoginURL, fieldPath.Child("provider", "loginURL")) validationResults.AddErrors(urlErrs...) if len(urlErrs) == 0 { if !strings.Contains(url.RawQuery, tokens.URLToken) && !strings.Contains(url.RawQuery, tokens.QueryToken) { @@ -318,7 +320,7 @@ func ValidateOAuthIdentityProvider(clientID string, clientSecret configapi.Strin if len(clientID) == 0 { allErrs = append(allErrs, field.Required(fieldPath.Child("provider", "clientID"), "")) } - clientSecretResults := ValidateStringSource(clientSecret, fieldPath.Child("provider", "clientSecret")) + clientSecretResults := common.ValidateStringSource(clientSecret, fieldPath.Child("provider", "clientSecret")) allErrs = append(allErrs, clientSecretResults.Errors...) if len(clientSecretResults.Errors) == 0 { clientSecret, err := configapi.ResolveStringValue(clientSecret) @@ -332,8 +334,8 @@ func ValidateOAuthIdentityProvider(clientID string, clientSecret configapi.Strin return allErrs } -func ValidateGitHubIdentityProvider(provider *configapi.GitHubIdentityProvider, challenge bool, mappingMethod string, fieldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateGitHubIdentityProvider(provider *configapi.GitHubIdentityProvider, challenge bool, mappingMethod string, fieldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.AddErrors(ValidateOAuthIdentityProvider(provider.ClientID, provider.ClientSecret, fieldPath)...) 
@@ -357,8 +359,8 @@ func ValidateGitHubIdentityProvider(provider *configapi.GitHubIdentityProvider, return validationResults } -func ValidateGoogleIdentityProvider(provider *configapi.GoogleIdentityProvider, challenge bool, mappingMethod string, fieldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateGoogleIdentityProvider(provider *configapi.GoogleIdentityProvider, challenge bool, mappingMethod string, fieldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.AddErrors(ValidateOAuthIdentityProvider(provider.ClientID, provider.ClientSecret, fieldPath)...) @@ -378,11 +380,11 @@ func ValidateGitLabIdentityProvider(provider *configapi.GitLabIdentityProvider, allErrs = append(allErrs, ValidateOAuthIdentityProvider(provider.ClientID, provider.ClientSecret, fieldPath)...) - _, urlErrs := ValidateSecureURL(provider.URL, fieldPath.Child("provider", "url")) + _, urlErrs := common.ValidateSecureURL(provider.URL, fieldPath.Child("provider", "url")) allErrs = append(allErrs, urlErrs...) if len(provider.CA) != 0 { - allErrs = append(allErrs, ValidateFile(provider.CA, fieldPath.Child("provider", "ca"))...) + allErrs = append(allErrs, common.ValidateFile(provider.CA, fieldPath.Child("provider", "ca"))...) } return allErrs 
@@ -397,18 +399,18 @@ func ValidateOpenIDIdentityProvider(provider *configapi.OpenIDIdentityProvider, // http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint providerPath := fieldPath.Child("provider") urlsPath := providerPath.Child("urls") - _, urlErrs := ValidateSecureURL(provider.URLs.Authorize, urlsPath.Child("authorize")) + _, urlErrs := common.ValidateSecureURL(provider.URLs.Authorize, urlsPath.Child("authorize")) allErrs = append(allErrs, urlErrs...) // Communication with the Token Endpoint MUST utilize TLS // http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint - _, urlErrs = ValidateSecureURL(provider.URLs.Token, urlsPath.Child("token")) + _, urlErrs = common.ValidateSecureURL(provider.URLs.Token, urlsPath.Child("token")) allErrs = append(allErrs, urlErrs...) if len(provider.URLs.UserInfo) != 0 { // Communication with the UserInfo Endpoint MUST utilize TLS // http://openid.net/specs/openid-connect-core-1_0.html#UserInfo - _, urlErrs = ValidateSecureURL(provider.URLs.UserInfo, urlsPath.Child("userInfo")) + _, urlErrs = common.ValidateSecureURL(provider.URLs.UserInfo, urlsPath.Child("userInfo")) allErrs = append(allErrs, urlErrs...) } @@ -418,7 +420,7 @@ func ValidateOpenIDIdentityProvider(provider *configapi.OpenIDIdentityProvider, } if len(provider.CA) != 0 { - allErrs = append(allErrs, ValidateFile(provider.CA, providerPath.Child("ca"))...) + allErrs = append(allErrs, common.ValidateFile(provider.CA, providerPath.Child("ca"))...) } return allErrs 
@@ -443,7 +445,7 @@ func validateSessionConfig(config *configapi.SessionConfig, fldPath *field.Path) // Validate session secrets file, if specified sessionSecretsFilePath := fldPath.Child("sessionSecretsFile") if len(config.SessionSecretsFile) > 0 { - fileErrs := ValidateFile(config.SessionSecretsFile, sessionSecretsFilePath) + fileErrs := common.ValidateFile(config.SessionSecretsFile, sessionSecretsFilePath) if len(fileErrs) != 0 { // Missing file allErrs = append(allErrs, fileErrs...) diff --git a/pkg/cmd/server/apis/config/validation/validation.go b/pkg/cmd/server/apis/config/validation/validation.go index c3966c78bb72..8647f9709f3f 100644 --- a/pkg/cmd/server/apis/config/validation/validation.go +++ b/pkg/cmd/server/apis/config/validation/validation.go @@ -4,14 +4,8 @@ import ( "crypto/tls" "crypto/x509" "fmt" - "io/ioutil" "net" - "net/url" - "os" - "strconv" "strings" - "unicode" - "unicode/utf8" "github.com/spf13/pflag" 
@@ -20,48 +14,12 @@ import ( "k8s.io/apimachinery/pkg/util/validation/field" "github.com/openshift/origin/pkg/cmd/server/apis/config" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common" "github.com/openshift/origin/pkg/cmd/server/crypto" cmdutil "github.com/openshift/origin/pkg/cmd/util" cmdflags "github.com/openshift/origin/pkg/cmd/util/flags" ) -func ValidateStringSource(s config.StringSource, fieldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} - methods := 0 - if len(s.Value) > 0 { - methods++ - } - if len(s.File) > 0 { - methods++ - fileErrors := ValidateFile(s.File, fieldPath.Child("file")) - validationResults.AddErrors(fileErrors...) - - // If the file was otherwise ok, and its value will be used verbatim, warn about trailing whitespace - if len(fileErrors) == 0 && len(s.KeyFile) == 0 { - if data, err := ioutil.ReadFile(s.File); err != nil { - validationResults.AddErrors(field.Invalid(fieldPath.Child("file"), s.File, fmt.Sprintf("could not read file: %v", err))) - } else if len(data) > 0 { - r, _ := utf8.DecodeLastRune(data) - if unicode.IsSpace(r) { - validationResults.AddWarnings(field.Invalid(fieldPath.Child("file"), s.File, "contains trailing whitespace which will be included in the value")) - } - } - } - } - if len(s.Env) > 0 { - methods++ - } - if methods > 1 { - validationResults.AddErrors(field.Invalid(fieldPath, "", "only one of value, file, and env can be specified")) - } - - if len(s.KeyFile) > 0 { - validationResults.AddErrors(ValidateFile(s.KeyFile, fieldPath.Child("keyFile"))...) - } - - return validationResults -} - func ValidateHostPort(value string, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} 
@@ -92,11 +50,11 @@ func ValidateCertInfo(certInfo config.CertInfo, required bool, fldPath *field.Pa } if len(certInfo.CertFile) > 0 { - allErrs = append(allErrs, ValidateFile(certInfo.CertFile, fldPath.Child("certFile"))...) + allErrs = append(allErrs, common.ValidateFile(certInfo.CertFile, fldPath.Child("certFile"))...) } if len(certInfo.KeyFile) > 0 { - allErrs = append(allErrs, ValidateFile(certInfo.KeyFile, fldPath.Child("keyFile"))...) + allErrs = append(allErrs, common.ValidateFile(certInfo.KeyFile, fldPath.Child("keyFile"))...) } // validate certfile/keyfile load/parse? @@ -104,8 +62,8 @@ func ValidateCertInfo(certInfo config.CertInfo, required bool, fldPath *field.Pa return allErrs } -func ValidateServingInfo(info config.ServingInfo, certificatesRequired bool, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateServingInfo(info config.ServingInfo, certificatesRequired bool, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.AddErrors(ValidateHostPort(info.BindAddress, fldPath.Child("bindAddress"))...) validationResults.AddErrors(ValidateCertInfo(info.ServerCert, certificatesRequired, fldPath)...) @@ -124,7 +82,7 @@ func ValidateServingInfo(info config.ServingInfo, certificatesRequired bool, fld if len(info.ServerCert.CertFile) > 0 { if len(info.ClientCA) > 0 { - validationResults.AddErrors(ValidateFile(info.ClientCA, fldPath.Child("clientCA"))...) + validationResults.AddErrors(common.ValidateFile(info.ClientCA, fldPath.Child("clientCA"))...) } } else { if certificatesRequired && len(info.ClientCA) > 0 { 
@@ -144,8 +102,8 @@ func ValidateServingInfo(info config.ServingInfo, certificatesRequired bool, fld return validationResults } -func ValidateNamedCertificates(fldPath *field.Path, namedCertificates []config.NamedCertificate) ValidationResults { - validationResults := ValidationResults{} +func ValidateNamedCertificates(fldPath *field.Path, namedCertificates []config.NamedCertificate) common.ValidationResults { + validationResults := common.ValidationResults{} takenNames := sets.NewString() for i, namedCertificate := range namedCertificates { @@ -217,8 +175,8 @@ func ValidateNamedCertificates(fldPath *field.Path, namedCertificates []config.N return validationResults } -func ValidateHTTPServingInfo(info config.HTTPServingInfo, fldPath *field.Path) ValidationResults { - validationResults := ValidationResults{} +func ValidateHTTPServingInfo(info config.HTTPServingInfo, fldPath *field.Path) common.ValidationResults { + validationResults := common.ValidationResults{} validationResults.Append(ValidateServingInfo(info.ServingInfo, true, fldPath)) @@ -236,7 +194,7 @@ func ValidateHTTPServingInfo(info config.HTTPServingInfo, fldPath *field.Path) V func ValidateKubeConfig(path string, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} - allErrs = append(allErrs, ValidateFile(path, fldPath)...) + allErrs = append(allErrs, common.ValidateFile(path, fldPath)...) // TODO: load and parse return allErrs 
@@ -248,12 +206,12 @@ func ValidateRemoteConnectionInfo(remoteConnectionInfo config.RemoteConnectionIn if len(remoteConnectionInfo.URL) == 0 { allErrs = append(allErrs, field.Required(fldPath.Child("url"), "")) } else { - _, urlErrs := ValidateURL(remoteConnectionInfo.URL, fldPath.Child("url")) + _, urlErrs := common.ValidateURL(remoteConnectionInfo.URL, fldPath.Child("url")) allErrs = append(allErrs, urlErrs...) } if len(remoteConnectionInfo.CA) > 0 { - allErrs = append(allErrs, ValidateFile(remoteConnectionInfo.CA, fldPath.Child("ca"))...) + allErrs = append(allErrs, common.ValidateFile(remoteConnectionInfo.CA, fldPath.Child("ca"))...) } allErrs = append(allErrs, ValidateCertInfo(remoteConnectionInfo.ClientCert, false, fldPath)...) @@ -265,7 +223,7 @@ func ValidatePodManifestConfig(podManifestConfig *config.PodManifestConfig, fldP allErrs := field.ErrorList{} // the Path can be a file or a directory - allErrs = append(allErrs, ValidateFile(podManifestConfig.Path, fldPath.Child("path"))...) + allErrs = append(allErrs, common.ValidateFile(podManifestConfig.Path, fldPath.Child("path"))...) if podManifestConfig.FileCheckIntervalSeconds < 1 { allErrs = append(allErrs, field.Invalid(fldPath.Child("fileCheckIntervalSeconds"), podManifestConfig.FileCheckIntervalSeconds, "interval has to be positive")) } 
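Review bot: `common.ValidateURL` is used for `remoteConnectionInfo.URL` and its parsed result is discarded, so an `http://` URL validates cleanly even when `ca` or a client certificate is configured. Judging by the body this patch removes from validation.go, that helper only requires a scheme and a host; in that case the TLS settings would presumably go unused and the remote endpoint would not be authenticated. Keeping the parsed value would allow a cross-check: `u, urlErrs := common.ValidateURL(remoteConnectionInfo.URL, fldPath.Child("url"))`, then `if len(urlErrs) == 0 && u.Scheme != "https" && len(remoteConnectionInfo.CA) > 0 { allErrs = append(allErrs, field.Invalid(fldPath.Child("ca"), remoteConnectionInfo.CA, "requires an https url")) }`. Whether plain http is intentionally allowed for some callers is not visible in this hunk; if it is, a comment saying so next to the `ValidateURL` call would help. The function's signature and opening lines are outside the hunk.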
@@ -273,99 +231,6 @@ func ValidatePodManifestConfig(podManifestConfig *config.PodManifestConfig, fldP return allErrs } -func ValidateSpecifiedIP(ipString string, fldPath *field.Path) field.ErrorList { - allErrs := field.ErrorList{} - - ip := net.ParseIP(ipString) - if ip == nil { - allErrs = append(allErrs, field.Invalid(fldPath, ipString, "must be a valid IP")) - } else if ip.IsUnspecified() { - allErrs = append(allErrs, field.Invalid(fldPath, ipString, "cannot be an unspecified IP")) - } - - return allErrs -} - -func ValidateSpecifiedIPPort(ipPortString string, fldPath *field.Path) field.ErrorList { - allErrs := field.ErrorList{} - - ipString, portString, err := net.SplitHostPort(ipPortString) - if err != nil { - allErrs = append(allErrs, field.Invalid(fldPath, ipPortString, "must be a valid IP:PORT")) - return allErrs - } - - ip := net.ParseIP(ipString) - if ip == nil { - allErrs = append(allErrs, field.Invalid(fldPath, ipString, "must be a valid IP")) - } else if ip.IsUnspecified() { - allErrs = append(allErrs, field.Invalid(fldPath, ipString, "cannot be an unspecified IP")) - } - port, err := strconv.Atoi(portString) - if err != nil { - allErrs = append(allErrs, field.Invalid(fldPath, portString, "must be a valid port")) - } else { - for _, msg := range utilvalidation.IsValidPortNum(port) { - allErrs = append(allErrs, field.Invalid(fldPath, port, msg)) - } - } - - return allErrs -} - -func ValidateSecureURL(urlString string, fldPath *field.Path) (*url.URL, field.ErrorList) { - url, urlErrs := ValidateURL(urlString, fldPath) - if len(urlErrs) == 0 && url.Scheme != "https" { - urlErrs = append(urlErrs, field.Invalid(fldPath, urlString, "must use https scheme")) - } - return url, urlErrs -} - -func ValidateURL(urlString string, fldPath *field.Path) (*url.URL, field.ErrorList) { - allErrs := field.ErrorList{} - - urlObj, err := url.Parse(urlString) - if err != nil { - allErrs = append(allErrs, field.Invalid(fldPath, urlString, "must be a valid URL")) - return nil, 
allErrs - } - if len(urlObj.Scheme) == 0 { - allErrs = append(allErrs, field.Invalid(fldPath, urlString, "must contain a scheme (e.g. https://)")) - } - if len(urlObj.Host) == 0 { - allErrs = append(allErrs, field.Invalid(fldPath, urlString, "must contain a host")) - } - return urlObj, allErrs -} - -func ValidateFile(path string, fldPath *field.Path) field.ErrorList { - allErrs := field.ErrorList{} - - if len(path) == 0 { - allErrs = append(allErrs, field.Required(fldPath, "")) - } else if _, err := os.Stat(path); err != nil { - allErrs = append(allErrs, field.Invalid(fldPath, path, fmt.Sprintf("could not read file: %v", err))) - } - - return allErrs -} - -func ValidateDir(path string, fldPath *field.Path) field.ErrorList { - allErrs := field.ErrorList{} - if len(path) == 0 { - allErrs = append(allErrs, field.Required(fldPath, "")) - } else { - fileInfo, err := os.Stat(path) - if err != nil { - allErrs = append(allErrs, field.Invalid(fldPath, path, fmt.Sprintf("could not read info: %v", err))) - } else if !fileInfo.IsDir() { - allErrs = append(allErrs, field.Invalid(fldPath, path, "not a directory")) - } - } - - return allErrs -} - func ValidateExtendedArguments(config config.ExtendedArguments, flagFunc func(*pflag.FlagSet), fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} diff --git a/pkg/cmd/server/start/start_node.go b/pkg/cmd/server/start/start_node.go index d9d1a9af769f..68aa10e7e1b8 100644 --- a/pkg/cmd/server/start/start_node.go +++ b/pkg/cmd/server/start/start_node.go 
@@ -28,6 +28,7 @@ import ( configapi "github.com/openshift/origin/pkg/cmd/server/apis/config" configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" "github.com/openshift/origin/pkg/cmd/server/apis/config/validation" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/common" "github.com/openshift/origin/pkg/cmd/server/crypto" "github.com/openshift/origin/pkg/cmd/server/kubernetes/network" networkoptions "github.com/openshift/origin/pkg/cmd/server/kubernetes/network/options" @@ -248,7 +249,7 @@ func (o NodeOptions) RunNode() error { } } - var validationResults validation.ValidationResults + var validationResults common.ValidationResults switch { case o.NodeArgs.Components.Calculated().Equal(NewNetworkComponentFlag().Calculated()): if len(nodeConfig.NodeName) == 0 { diff --git a/pkg/oc/admin/groups/examples/examples_test.go b/pkg/oc/admin/groups/examples/examples_test.go index 8315c3630c46..1dd2ff31c124 100644 --- a/pkg/oc/admin/groups/examples/examples_test.go +++ b/pkg/oc/admin/groups/examples/examples_test.go @@ -10,7 +10,7 @@ import ( "github.com/openshift/origin/pkg/cmd/server/apis/config" _ "github.com/openshift/origin/pkg/cmd/server/apis/config/install" configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" - "github.com/openshift/origin/pkg/cmd/server/apis/config/validation" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/ldap" ) func TestLDAPSyncConfigFixtures(t *testing.T) { @@ -47,7 +47,7 @@ func TestLDAPSyncConfigFixtures(t *testing.T) { continue } - if results := validation.ValidateLDAPSyncConfig(&config); len(results.Errors) > 0 { + if results := ldap.ValidateLDAPSyncConfig(&config); len(results.Errors) > 0 { t.Errorf("validation of fixture at %q failed with %d errors:", fixture, len(results.Errors)) for _, err := range results.Errors { t.Error(err) 
diff --git a/pkg/oc/admin/groups/sync/cli/prune.go b/pkg/oc/admin/groups/sync/cli/prune.go index 5a139e2162b9..fa73a21cd150 100644 --- a/pkg/oc/admin/groups/sync/cli/prune.go +++ b/pkg/oc/admin/groups/sync/cli/prune.go @@ -14,7 +14,7 @@ import ( cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" "github.com/openshift/origin/pkg/cmd/server/apis/config" - "github.com/openshift/origin/pkg/cmd/server/apis/config/validation" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/ldap" "github.com/openshift/origin/pkg/oauthserver/ldaputil" "github.com/openshift/origin/pkg/oauthserver/ldaputil/ldapclient" "github.com/openshift/origin/pkg/oc/admin/groups/sync" @@ -163,7 +163,7 @@ func (o *PruneOptions) Complete(whitelistFile, blacklistFile, configFile string, } func (o *PruneOptions) Validate() error { - results := validation.ValidateLDAPSyncConfig(o.Config) + results := ldap.ValidateLDAPSyncConfig(o.Config) if o.GroupInterface == nil { results.Errors = append(results.Errors, field.Required(field.NewPath("groupInterface"), "")) } diff --git a/pkg/oc/admin/groups/sync/cli/sync.go b/pkg/oc/admin/groups/sync/cli/sync.go index 9902909c5c96..438af1721dbf 100644 --- a/pkg/oc/admin/groups/sync/cli/sync.go +++ b/pkg/oc/admin/groups/sync/cli/sync.go @@ -22,7 +22,7 @@ import ( "github.com/openshift/origin/pkg/cmd/server/apis/config" configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" - "github.com/openshift/origin/pkg/cmd/server/apis/config/validation" + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/ldap" "github.com/openshift/origin/pkg/cmd/util/print" "github.com/openshift/origin/pkg/oauthserver/ldaputil" "github.com/openshift/origin/pkg/oauthserver/ldaputil/ldapclient" 
@@ -346,7 +346,7 @@ func (o *SyncOptions) Validate() error { return fmt.Errorf("sync source must be one of the following: %v", strings.Join(AllowedSourceTypes, ",")) } - results := validation.ValidateLDAPSyncConfig(o.Config) + results := ldap.ValidateLDAPSyncConfig(o.Config) if o.GroupInterface == nil { results.Errors = append(results.Errors, field.Required(field.NewPath("groupInterface"), "")) } From 2583c1505e6f7eb748b0431d3a142e11fd5376c0 Mon Sep 17 00:00:00 2001 
From: Clayton Coleman Date: Wed, 25 Apr 2018 23:43:00 -0400 Subject: [PATCH 17/26] Remove commands that require master and node validation Breaks dependencies on the entire controller manager and apiserver stack in oc. Config diagnostics were of questionable value, validation was deprecated and experimental. --- contrib/completions/bash/oc | 177 +----------------- contrib/completions/zsh/oc | 177 +----------------- docs/man/man1/.files_generated_oc | 7 - .../oc-adm-diagnostics-masterconfigcheck.1 | 3 - .../man1/oc-adm-diagnostics-nodeconfigcheck.1 | 3 - .../oc-ex-diagnostics-masterconfigcheck.1 | 3 - .../man1/oc-ex-diagnostics-nodeconfigcheck.1 | 3 - docs/man/man1/oc-ex-validate-master-config.1 | 3 - docs/man/man1/oc-ex-validate-node-config.1 | 3 - docs/man/man1/oc-ex-validate.1 | 3 - .../diagnostics/host/check_master_config.go | 69 ------- .../diagnostics/host/check_node_config.go | 66 ------- pkg/oc/admin/diagnostics/host.go | 6 - pkg/oc/admin/validate/master.go | 167 ----------------- pkg/oc/admin/validate/node.go | 98 ---------- pkg/oc/admin/validate/validate.go | 38 ---- pkg/oc/cli/cli.go | 2 - test/cmd/diagnostics.sh | 15 -- 18 files changed, 4 insertions(+), 839 deletions(-) delete mode 100644 docs/man/man1/oc-adm-diagnostics-masterconfigcheck.1 delete mode 100644 docs/man/man1/oc-adm-diagnostics-nodeconfigcheck.1 delete mode 100644 docs/man/man1/oc-ex-diagnostics-masterconfigcheck.1 delete mode 100644 docs/man/man1/oc-ex-diagnostics-nodeconfigcheck.1 delete mode 100644 docs/man/man1/oc-ex-validate-master-config.1 delete mode 100644 docs/man/man1/oc-ex-validate-node-config.1 delete mode 100644 docs/man/man1/oc-ex-validate.1 delete mode 100644 pkg/oc/admin/diagnostics/diagnostics/host/check_master_config.go delete mode 100644 pkg/oc/admin/diagnostics/diagnostics/host/check_node_config.go delete mode 100644 pkg/oc/admin/validate/master.go delete mode 100644 pkg/oc/admin/validate/node.go delete mode 100644 pkg/oc/admin/validate/validate.go 
diff --git a/contrib/completions/bash/oc b/contrib/completions/bash/oc index 4bcfd23f9ce1..157aa7a28b2c 100644 --- a/contrib/completions/bash/oc +++ b/contrib/completions/bash/oc @@ -2694,54 +2694,6 @@ _oc_adm_diagnostics_etcdwritevolume() noun_aliases=() } -_oc_adm_diagnostics_masterconfigcheck() -{ - last_command="oc_adm_diagnostics_masterconfigcheck" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--diaglevel=") - two_word_flags+=("-l") - local_nonpersistent_flags+=("--diaglevel=") - flags+=("--host") - local_nonpersistent_flags+=("--host") - flags+=("--master-config=") - local_nonpersistent_flags+=("--master-config=") - flags+=("--node-config=") - local_nonpersistent_flags+=("--node-config=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags+=("--client-certificate=") - flags+=("--client-key=") - flags+=("--cluster=") - flags+=("--config=") - flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - two_word_flags+=("-n") - flags+=("--password=") - flags+=("--request-timeout=") - flags+=("--server=") - two_word_flags+=("-s") - flags+=("--token=") - flags+=("--user=") - flags+=("--username=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_adm_diagnostics_masternode() { last_command="oc_adm_diagnostics_masternode" 
@@ -2896,54 +2848,6 @@ _oc_adm_diagnostics_networkcheck() noun_aliases=() } -_oc_adm_diagnostics_nodeconfigcheck() -{ - last_command="oc_adm_diagnostics_nodeconfigcheck" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--diaglevel=") - two_word_flags+=("-l") - local_nonpersistent_flags+=("--diaglevel=") - flags+=("--host") - local_nonpersistent_flags+=("--host") - flags+=("--master-config=") - local_nonpersistent_flags+=("--master-config=") - flags+=("--node-config=") - local_nonpersistent_flags+=("--node-config=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags+=("--client-certificate=") - flags+=("--client-key=") - flags+=("--cluster=") - flags+=("--config=") - flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - two_word_flags+=("-n") - flags+=("--password=") - flags+=("--request-timeout=") - flags+=("--server=") - two_word_flags+=("-s") - flags+=("--token=") - flags+=("--user=") - flags+=("--username=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_adm_diagnostics_nodedefinitions() { last_command="oc_adm_diagnostics_nodedefinitions" @@ -3151,11 +3055,9 @@ _oc_adm_diagnostics() commands+=("configcontexts") commands+=("diagnosticpod") commands+=("etcdwritevolume") - commands+=("masterconfigcheck") commands+=("masternode") commands+=("metricsapiproxy") commands+=("networkcheck") - commands+=("nodeconfigcheck") commands+=("nodedefinitions") commands+=("routecertificatevalidation") commands+=("serviceexternalips") 
@@ -12220,82 +12122,6 @@ _oc_explain() noun_aliases=() } -_oc_export() -{ - last_command="oc_export" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--all-namespaces") - local_nonpersistent_flags+=("--all-namespaces") - flags+=("--allow-missing-template-keys") - local_nonpersistent_flags+=("--allow-missing-template-keys") - flags+=("--as-template=") - local_nonpersistent_flags+=("--as-template=") - flags+=("--exact") - local_nonpersistent_flags+=("--exact") - flags+=("--filename=") - flags_with_completion+=("--filename") - flags_completion+=("_filedir") - two_word_flags+=("-f") - flags_with_completion+=("-f") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--filename=") - flags+=("--no-headers") - local_nonpersistent_flags+=("--no-headers") - flags+=("--output=") - two_word_flags+=("-o") - local_nonpersistent_flags+=("--output=") - flags+=("--raw") - local_nonpersistent_flags+=("--raw") - flags+=("--selector=") - two_word_flags+=("-l") - local_nonpersistent_flags+=("--selector=") - flags+=("--show-labels") - local_nonpersistent_flags+=("--show-labels") - flags+=("--sort-by=") - local_nonpersistent_flags+=("--sort-by=") - flags+=("--template=") - flags_with_completion+=("--template") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--template=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags+=("--client-certificate=") - flags+=("--client-key=") - flags+=("--cluster=") - flags+=("--config=") - flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - flags_with_completion+=("--namespace") - flags_completion+=("__oc_get_namespaces") - two_word_flags+=("-n") - flags_with_completion+=("-n") - flags_completion+=("__oc_get_namespaces") - flags+=("--password=") - 
flags+=("--request-timeout=") - flags+=("--server=") - two_word_flags+=("-s") - flags+=("--token=") - flags+=("--user=") - flags+=("--username=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_expose() { last_command="oc_expose" @@ -13459,6 +13285,8 @@ _oc_logs() local_nonpersistent_flags+=("--tail=") flags+=("--timestamps") local_nonpersistent_flags+=("--timestamps") + flags+=("--version=") + local_nonpersistent_flags+=("--version=") flags+=("--as=") flags+=("--as-group=") flags+=("--cache-dir=") @@ -18111,7 +17939,6 @@ _oc_root_command() commands+=("ex") commands+=("exec") commands+=("explain") - commands+=("export") commands+=("expose") commands+=("extract") commands+=("get") diff --git a/contrib/completions/zsh/oc b/contrib/completions/zsh/oc index afeb7862747d..5781de90fa7c 100644 --- a/contrib/completions/zsh/oc +++ b/contrib/completions/zsh/oc 
@@ -2836,54 +2836,6 @@ _oc_adm_diagnostics_etcdwritevolume() noun_aliases=() } -_oc_adm_diagnostics_masterconfigcheck() -{ - last_command="oc_adm_diagnostics_masterconfigcheck" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--diaglevel=") - two_word_flags+=("-l") - local_nonpersistent_flags+=("--diaglevel=") - flags+=("--host") - local_nonpersistent_flags+=("--host") - flags+=("--master-config=") - local_nonpersistent_flags+=("--master-config=") - flags+=("--node-config=") - local_nonpersistent_flags+=("--node-config=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags+=("--client-certificate=") - flags+=("--client-key=") - flags+=("--cluster=") - flags+=("--config=") - flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - two_word_flags+=("-n") - flags+=("--password=") - flags+=("--request-timeout=") - flags+=("--server=") - two_word_flags+=("-s") - flags+=("--token=") - flags+=("--user=") - flags+=("--username=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_adm_diagnostics_masternode() { last_command="oc_adm_diagnostics_masternode" 
@@ -3038,54 +2990,6 @@ _oc_adm_diagnostics_networkcheck() noun_aliases=() } -_oc_adm_diagnostics_nodeconfigcheck() -{ - last_command="oc_adm_diagnostics_nodeconfigcheck" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--diaglevel=") - two_word_flags+=("-l") - local_nonpersistent_flags+=("--diaglevel=") - flags+=("--host") - local_nonpersistent_flags+=("--host") - flags+=("--master-config=") - local_nonpersistent_flags+=("--master-config=") - flags+=("--node-config=") - local_nonpersistent_flags+=("--node-config=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags+=("--client-certificate=") - flags+=("--client-key=") - flags+=("--cluster=") - flags+=("--config=") - flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - two_word_flags+=("-n") - flags+=("--password=") - flags+=("--request-timeout=") - flags+=("--server=") - two_word_flags+=("-s") - flags+=("--token=") - flags+=("--user=") - flags+=("--username=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_adm_diagnostics_nodedefinitions() { last_command="oc_adm_diagnostics_nodedefinitions" @@ -3293,11 +3197,9 @@ _oc_adm_diagnostics() commands+=("configcontexts") commands+=("diagnosticpod") commands+=("etcdwritevolume") - commands+=("masterconfigcheck") commands+=("masternode") commands+=("metricsapiproxy") commands+=("networkcheck") - commands+=("nodeconfigcheck") commands+=("nodedefinitions") commands+=("routecertificatevalidation") commands+=("serviceexternalips") 
@@ -12362,82 +12264,6 @@ _oc_explain() noun_aliases=() } -_oc_export() -{ - last_command="oc_export" - commands=() - - flags=() - two_word_flags=() - local_nonpersistent_flags=() - flags_with_completion=() - flags_completion=() - - flags+=("--all-namespaces") - local_nonpersistent_flags+=("--all-namespaces") - flags+=("--allow-missing-template-keys") - local_nonpersistent_flags+=("--allow-missing-template-keys") - flags+=("--as-template=") - local_nonpersistent_flags+=("--as-template=") - flags+=("--exact") - local_nonpersistent_flags+=("--exact") - flags+=("--filename=") - flags_with_completion+=("--filename") - flags_completion+=("_filedir") - two_word_flags+=("-f") - flags_with_completion+=("-f") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--filename=") - flags+=("--no-headers") - local_nonpersistent_flags+=("--no-headers") - flags+=("--output=") - two_word_flags+=("-o") - local_nonpersistent_flags+=("--output=") - flags+=("--raw") - local_nonpersistent_flags+=("--raw") - flags+=("--selector=") - two_word_flags+=("-l") - local_nonpersistent_flags+=("--selector=") - flags+=("--show-labels") - local_nonpersistent_flags+=("--show-labels") - flags+=("--sort-by=") - local_nonpersistent_flags+=("--sort-by=") - flags+=("--template=") - flags_with_completion+=("--template") - flags_completion+=("_filedir") - local_nonpersistent_flags+=("--template=") - flags+=("--as=") - flags+=("--as-group=") - flags+=("--cache-dir=") - flags+=("--certificate-authority=") - flags+=("--client-certificate=") - flags+=("--client-key=") - flags+=("--cluster=") - flags+=("--config=") - flags+=("--context=") - flags+=("--insecure-skip-tls-verify") - flags+=("--loglevel=") - flags+=("--logspec=") - flags+=("--match-server-version") - flags+=("--namespace=") - flags_with_completion+=("--namespace") - flags_completion+=("__oc_get_namespaces") - two_word_flags+=("-n") - flags_with_completion+=("-n") - flags_completion+=("__oc_get_namespaces") - flags+=("--password=") - 
flags+=("--request-timeout=") - flags+=("--server=") - two_word_flags+=("-s") - flags+=("--token=") - flags+=("--user=") - flags+=("--username=") - - must_have_one_flag=() - must_have_one_noun=() - noun_aliases=() -} - _oc_expose() { last_command="oc_expose" @@ -13601,6 +13427,8 @@ _oc_logs() local_nonpersistent_flags+=("--tail=") flags+=("--timestamps") local_nonpersistent_flags+=("--timestamps") + flags+=("--version=") + local_nonpersistent_flags+=("--version=") flags+=("--as=") flags+=("--as-group=") flags+=("--cache-dir=") @@ -18253,7 +18081,6 @@ _oc_root_command() commands+=("ex") commands+=("exec") commands+=("explain") - commands+=("export") commands+=("expose") commands+=("extract") commands+=("get") diff --git a/docs/man/man1/.files_generated_oc b/docs/man/man1/.files_generated_oc index 8bc3ca494ba2..5bd9dfafd21f 100644 --- a/docs/man/man1/.files_generated_oc +++ b/docs/man/man1/.files_generated_oc @@ -50,11 +50,9 @@ oc-adm-diagnostics-diagnosticpod.1 oc-adm-diagnostics-etcdwritevolume.1 oc-adm-diagnostics-inpod-networkcheck.1 oc-adm-diagnostics-inpod-poddiagnostic.1 -oc-adm-diagnostics-masterconfigcheck.1 oc-adm-diagnostics-masternode.1 oc-adm-diagnostics-metricsapiproxy.1 oc-adm-diagnostics-networkcheck.1 -oc-adm-diagnostics-nodeconfigcheck.1 oc-adm-diagnostics-nodedefinitions.1 oc-adm-diagnostics-routecertificatevalidation.1 oc-adm-diagnostics-serviceexternalips.1 @@ -206,11 +204,9 @@ oc-ex-diagnostics-diagnosticpod.1 oc-ex-diagnostics-etcdwritevolume.1 oc-ex-diagnostics-inpod-networkcheck.1 oc-ex-diagnostics-inpod-poddiagnostic.1 -oc-ex-diagnostics-masterconfigcheck.1 oc-ex-diagnostics-masternode.1 oc-ex-diagnostics-metricsapiproxy.1 oc-ex-diagnostics-networkcheck.1 -oc-ex-diagnostics-nodeconfigcheck.1 oc-ex-diagnostics-nodedefinitions.1 oc-ex-diagnostics-routecertificatevalidation.1 oc-ex-diagnostics-serviceexternalips.1 
@@ -221,9 +217,6 @@ oc-ex-ipfailover.1 oc-ex-options.1 oc-ex-prune-groups.1 oc-ex-sync-groups.1 -oc-ex-validate-master-config.1 -oc-ex-validate-node-config.1 -oc-ex-validate.1 oc-ex.1 oc-exec.1 oc-explain.1 diff --git a/docs/man/man1/oc-adm-diagnostics-masterconfigcheck.1 b/docs/man/man1/oc-adm-diagnostics-masterconfigcheck.1 deleted file mode 100644 index b6fd7a0f9896..000000000000 --- a/docs/man/man1/oc-adm-diagnostics-masterconfigcheck.1 +++ /dev/null @@ -1,3 +0,0 @@ -This file is autogenerated, but we've stopped checking such files into the -repository to reduce the need for rebases. Please run hack/generate-docs.sh to -populate this file. diff --git a/docs/man/man1/oc-adm-diagnostics-nodeconfigcheck.1 b/docs/man/man1/oc-adm-diagnostics-nodeconfigcheck.1 deleted file mode 100644 index b6fd7a0f9896..000000000000 --- a/docs/man/man1/oc-adm-diagnostics-nodeconfigcheck.1 +++ /dev/null @@ -1,3 +0,0 @@ -This file is autogenerated, but we've stopped checking such files into the -repository to reduce the need for rebases. Please run hack/generate-docs.sh to -populate this file. diff --git a/docs/man/man1/oc-ex-diagnostics-masterconfigcheck.1 b/docs/man/man1/oc-ex-diagnostics-masterconfigcheck.1 deleted file mode 100644 index b6fd7a0f9896..000000000000 --- a/docs/man/man1/oc-ex-diagnostics-masterconfigcheck.1 +++ /dev/null @@ -1,3 +0,0 @@ -This file is autogenerated, but we've stopped checking such files into the -repository to reduce the need for rebases. Please run hack/generate-docs.sh to -populate this file. diff --git a/docs/man/man1/oc-ex-diagnostics-nodeconfigcheck.1 b/docs/man/man1/oc-ex-diagnostics-nodeconfigcheck.1 deleted file mode 100644 index b6fd7a0f9896..000000000000 --- a/docs/man/man1/oc-ex-diagnostics-nodeconfigcheck.1 +++ /dev/null @@ -1,3 +0,0 @@ -This file is autogenerated, but we've stopped checking such files into the -repository to reduce the need for rebases. Please run hack/generate-docs.sh to -populate this file. 
diff --git a/docs/man/man1/oc-ex-validate-master-config.1 b/docs/man/man1/oc-ex-validate-master-config.1 deleted file mode 100644 index b6fd7a0f9896..000000000000 --- a/docs/man/man1/oc-ex-validate-master-config.1 +++ /dev/null @@ -1,3 +0,0 @@ -This file is autogenerated, but we've stopped checking such files into the -repository to reduce the need for rebases. Please run hack/generate-docs.sh to -populate this file. diff --git a/docs/man/man1/oc-ex-validate-node-config.1 b/docs/man/man1/oc-ex-validate-node-config.1 deleted file mode 100644 index b6fd7a0f9896..000000000000 --- a/docs/man/man1/oc-ex-validate-node-config.1 +++ /dev/null @@ -1,3 +0,0 @@ -This file is autogenerated, but we've stopped checking such files into the -repository to reduce the need for rebases. Please run hack/generate-docs.sh to -populate this file. diff --git a/docs/man/man1/oc-ex-validate.1 b/docs/man/man1/oc-ex-validate.1 deleted file mode 100644 index b6fd7a0f9896..000000000000 --- a/docs/man/man1/oc-ex-validate.1 +++ /dev/null @@ -1,3 +0,0 @@ -This file is autogenerated, but we've stopped checking such files into the -repository to reduce the need for rebases. Please run hack/generate-docs.sh to -populate this file. diff --git a/pkg/oc/admin/diagnostics/diagnostics/host/check_master_config.go b/pkg/oc/admin/diagnostics/diagnostics/host/check_master_config.go deleted file mode 100644 index 35bca7a0ce6b..000000000000 --- a/pkg/oc/admin/diagnostics/diagnostics/host/check_master_config.go +++ /dev/null 
@@ -1,69 +0,0 @@
-package host
-
-import (
- "errors"
- "fmt"
-
- master "github.com/openshift/origin/pkg/cmd/server/apis/config"
- configvalidation "github.com/openshift/origin/pkg/cmd/server/apis/config/validation"
- "github.com/openshift/origin/pkg/oc/admin/diagnostics/diagnostics/log"
- "github.com/openshift/origin/pkg/oc/admin/diagnostics/diagnostics/types"
-)
-
-// MasterConfigCheck is a Diagnostic to check that the master config file is valid
-type MasterConfigCheck struct {
- MasterConfigFile string
- masterConfig *master.MasterConfig
-}
-
-const MasterConfigCheckName = "MasterConfigCheck"
-
-func (d *MasterConfigCheck) Name() string {
- return MasterConfigCheckName
-}
-
-func (d *MasterConfigCheck) Description() string {
- return "Check the master config file"
-}
-
-func (d *MasterConfigCheck) Requirements() (client bool, host bool) {
- return false, true
-}
-
-func (d *MasterConfigCheck) Complete(logger *log.Logger) error {
- masterConfig, err := GetMasterConfig(d.MasterConfigFile, logger)
- if err != nil {
- return err
- }
- d.masterConfig = masterConfig
- return nil
-}
-
-func (d *MasterConfigCheck) CanRun() (bool, error) {
- if len(d.MasterConfigFile) == 0 {
- return false, errors.New("No master config file was detected")
- }
-
- return true, nil
-}
-
-func (d *MasterConfigCheck) Check() types.DiagnosticResult {
- r := types.NewDiagnosticResult(MasterConfigCheckName)
-
- results := configvalidation.ValidateMasterConfig(masterConfig, nil)
- if len(results.Errors) > 0 {
- errText := fmt.Sprintf("Validation of master config file '%s' failed:\n", d.MasterConfigFile)
- for _, err := range results.Errors {
- errText += fmt.Sprintf("%v\n", err)
- }
- r.Error("DH0004", nil, errText)
- }
- if len(results.Warnings) > 0 {
- warnText := fmt.Sprintf("Validation of master config file '%s' warned:\n", d.MasterConfigFile)
- for _, warn := range results.Warnings {
- warnText += fmt.Sprintf("%v\n", warn)
- }
- r.Warn("DH0005", nil, warnText)
- }
- return r
-}
diff --git a/pkg/oc/admin/diagnostics/diagnostics/host/check_node_config.go b/pkg/oc/admin/diagnostics/diagnostics/host/check_node_config.go
deleted file mode 100644
index 6ae5711cf00c..000000000000
--- a/pkg/oc/admin/diagnostics/diagnostics/host/check_node_config.go
+++ /dev/null
@@ -1,66 +0,0 @@ -package host - -import ( - "errors" - "fmt" - - configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" - configvalidation "github.com/openshift/origin/pkg/cmd/server/apis/config/validation" - "github.com/openshift/origin/pkg/oc/admin/diagnostics/diagnostics/types" -) - -// NodeConfigCheck is a Diagnostic to check that the node config file is valid -type NodeConfigCheck struct { - NodeConfigFile string -} - -const NodeConfigCheckName = "NodeConfigCheck" - -func (d NodeConfigCheck) Name() string { - return NodeConfigCheckName -} - -func (d NodeConfigCheck) Description() string { - return "Check the node config file" -} - -func (d NodeConfigCheck) Requirements() (client bool, host bool) { - return false, true -} - -func (d NodeConfigCheck) CanRun() (bool, error) { - if len(d.NodeConfigFile) == 0 { - return false, errors.New("No node config file was detected") - } - - return true, nil -} - -func (d NodeConfigCheck) Check() types.DiagnosticResult { - r := types.NewDiagnosticResult(NodeConfigCheckName) - r.Debug("DH1001", fmt.Sprintf("Looking for node config file at '%s'", d.NodeConfigFile)) - nodeConfig, err := configapilatest.ReadAndResolveNodeConfig(d.NodeConfigFile) - if err != nil { - r.Error("DH1002", err, fmt.Sprintf("Could not read node config file '%s':\n(%T) %[2]v", d.NodeConfigFile, err)) - return r - } - - r.Info("DH1003", fmt.Sprintf("Found a node config file: %[1]s", d.NodeConfigFile)) - - results := configvalidation.ValidateNodeConfig(nodeConfig, nil) - if len(results.Errors) > 0 { - errText := fmt.Sprintf("Validation of node config file '%s' failed:\n", d.NodeConfigFile) - for _, err := range results.Errors { - errText += fmt.Sprintf("%v\n", err) - } - r.Error("DH1004", nil, errText) - } - if len(results.Warnings) > 0 { - warnText := fmt.Sprintf("Validation of node config file '%s' warned:\n", d.NodeConfigFile) - for _, warn := range results.Warnings { - warnText += fmt.Sprintf("%v\n", warn) - } - 
r.Warn("DH1005", nil, warnText) - } - return r -} diff --git a/pkg/oc/admin/diagnostics/host.go b/pkg/oc/admin/diagnostics/host.go index 962961168f12..774b7d9ca407 100644 --- a/pkg/oc/admin/diagnostics/host.go +++ b/pkg/oc/admin/diagnostics/host.go @@ -23,8 +23,6 @@ func availableHostDiagnostics() types.DiagnosticList { return types.DiagnosticList{ &systemddiags.AnalyzeLogs{}, &systemddiags.UnitStatus{}, - &hostdiags.MasterConfigCheck{}, - &hostdiags.NodeConfigCheck{}, &hostdiags.EtcdWriteVolume{}, } } @@ -55,10 +53,6 @@ func (o DiagnosticsOptions) buildHostDiagnostics() ([]types.Diagnostic, error) { d = &systemddiags.AnalyzeLogs{SystemdUnits: systemdUnits} case systemddiags.UnitStatusName: d = &systemddiags.UnitStatus{SystemdUnits: systemdUnits} - case hostdiags.MasterConfigCheckName: - d = &hostdiags.MasterConfigCheck{MasterConfigFile: o.MasterConfigLocation} - case hostdiags.NodeConfigCheckName: - d = &hostdiags.NodeConfigCheck{NodeConfigFile: o.NodeConfigLocation} case hostdiags.EtcdWriteName: etcd := o.ParameterizedDiagnostics[hostdiags.EtcdWriteName].(*hostdiags.EtcdWriteVolume) etcd.MasterConfigLocation = o.MasterConfigLocation diff --git a/pkg/oc/admin/validate/master.go b/pkg/oc/admin/validate/master.go deleted file mode 100644 index d92db693904f..000000000000 --- a/pkg/oc/admin/validate/master.go +++ /dev/null 
@@ -1,167 +0,0 @@ -package validate - -import ( - "errors" - "fmt" - "io" - "os" - "text/tabwriter" - - "github.com/spf13/cobra" - - "k8s.io/apimachinery/pkg/util/validation/field" - "k8s.io/kubernetes/pkg/kubectl/cmd/templates" - cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" - - configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" - - "github.com/openshift/origin/pkg/cmd/server/apis/config/validation" -) - -const ( - ValidateMasterConfigRecommendedName = "master-config" - validateMasterConfigDeprecationMessage = `This command is deprecated and will be removed. Use 'oc adm diagnostics MasterConfigCheck --master-config=path/to/config.yaml' instead.` -) - -var ( - validateMasterConfigLong = templates.LongDesc(` - Validate the configuration file for a master server. - - This command validates that a configuration file intended to be used for a master server is valid.`) - - validateMasterConfigExample = templates.Examples(` - # Validate master server configuration file - %s openshift.local.config/master/master-config.yaml`) -) - -type ValidateMasterConfigOptions struct { - // MasterConfigFile is the location of the config file to be validated - MasterConfigFile string - - // Out is the writer to write output to - Out io.Writer -} - -// NewCommandValidateMasterConfig provides a CLI handler for the `validate all-in-one` command -func NewCommandValidateMasterConfig(name, fullName string, out io.Writer) *cobra.Command { - options := &ValidateMasterConfigOptions{ - Out: out, - } - - cmd := &cobra.Command{ - Use: fmt.Sprintf("%s SOURCE", name), - Short: "Validate the configuration file for a master server", - Long: validateMasterConfigLong, - Example: fmt.Sprintf(validateMasterConfigExample, fullName), - Deprecated: validateMasterConfigDeprecationMessage, - Run: func(c *cobra.Command, args []string) { - if err := options.Complete(args); err != nil { - cmdutil.CheckErr(cmdutil.UsageErrorf(c, err.Error())) - } - - ok, err := options.Run() - 
cmdutil.CheckErr(err) - if !ok { - fmt.Fprintf(options.Out, "FAILURE: Validation failed for file: %s\n", options.MasterConfigFile) - os.Exit(1) - } - - fmt.Fprintf(options.Out, "SUCCESS: Validation succeeded for file: %s\n", options.MasterConfigFile) - }, - } - - return cmd -} - -func (o *ValidateMasterConfigOptions) Complete(args []string) error { - if len(args) != 1 { - return errors.New("exactly one source file is required") - } - o.MasterConfigFile = args[0] - return nil -} - -// Run runs the master config validation and returns the result of the validation as a boolean as well as any errors -// that occurred trying to validate the file -func (o *ValidateMasterConfigOptions) Run() (bool, error) { - masterConfig, err := configapilatest.ReadAndResolveMasterConfig(o.MasterConfigFile) - if err != nil { - return true, err - } - - results := validation.ValidateMasterConfig(masterConfig, nil) - writer := tabwriter.NewWriter(o.Out, minColumnWidth, tabWidth, padding, padchar, flags) - err = prettyPrintValidationResults(results, writer) - if err != nil { - return len(results.Errors) == 0, fmt.Errorf("could not print results: %v", err) - } - writer.Flush() - return len(results.Errors) == 0, nil -} - -const ( - minColumnWidth = 4 - tabWidth = 4 - padding = 2 - padchar = byte(' ') - flags = 0 - validationErrorHeadings = "ERROR\tFIELD\tVALUE\tDETAILS\n" - validationWarningHeadings = "WARNING\tFIELD\tVALUE\tDETAILS\n" -) - -// prettyPrintValidationResults prints the contents of the ValidationResults into the buffer of a tabwriter.Writer. -// The writer must be Flush()ed after calling this to write the buffered data. 
-func prettyPrintValidationResults(results validation.ValidationResults, writer *tabwriter.Writer) error { - if len(results.Errors) > 0 { - fmt.Fprintf(writer, "VALIDATION ERRORS:\t\t\t\n") - err := prettyPrintValidationErrorList(validationErrorHeadings, results.Errors, writer) - if err != nil { - return err - } - } - if len(results.Warnings) > 0 { - fmt.Fprintf(writer, "VALIDATION WARNINGS:\t\t\t\n") - err := prettyPrintValidationErrorList(validationWarningHeadings, results.Warnings, writer) - if err != nil { - return err - } - } - return nil -} - -// prettyPrintValidationErrorList prints the contents of the ValidationErrorList into the buffer of a tabwriter.Writer. -// The writer must be Flush()ed after calling this to write the buffered data. -func prettyPrintValidationErrorList(headings string, validationErrors field.ErrorList, writer *tabwriter.Writer) error { - if len(validationErrors) > 0 { - fmt.Fprintf(writer, headings) - for _, err := range validationErrors { - err := prettyPrintValidationError(err, writer) - if err != nil { - return err - } - } - } - return nil -} - -// prettyPrintValidationError prints the contents of the ValidationError into the buffer of a tabwriter.Writer. -// The writer must be Flush()ed after calling this to write the buffered data. -func prettyPrintValidationError(validationError *field.Error, writer *tabwriter.Writer) error { - _, printError := fmt.Fprintf(writer, "%s\t%s\t%s\t%s\n", - toString(validationError.Type), - validationError.Field, - toString(validationError.BadValue), - validationError.Detail) - - return printError -} - -const missingValue = "" - -func toString(v interface{}) string { - value := fmt.Sprintf("%v", v) - if len(value) == 0 { - value = missingValue - } - return value -} diff --git a/pkg/oc/admin/validate/node.go b/pkg/oc/admin/validate/node.go deleted file mode 100644 index c9784c7fb1ac..000000000000 --- a/pkg/oc/admin/validate/node.go +++ /dev/null 
@@ -1,98 +0,0 @@ -package validate - -import ( - "errors" - "fmt" - "io" - "os" - "text/tabwriter" - - "github.com/spf13/cobra" - - "k8s.io/kubernetes/pkg/kubectl/cmd/templates" - cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" - - configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" - "github.com/openshift/origin/pkg/cmd/server/apis/config/validation" -) - -const ( - ValidateNodeConfigRecommendedName = "node-config" - validateNodeConfigDeprecationMessage = `This command is deprecated and will be removed. Use 'oc adm diagnostics NodeConfigCheck --node-config=path/to/config.yaml' instead.` -) - -var ( - validateNodeConfigLong = templates.LongDesc(` - Validate the configuration file for a node. - - This command validates that a configuration file intended to be used for a node is valid.`) - - validateNodeConfigExample = templates.Examples(` - # Validate node configuration file - %s openshift.local.config/master/node-config.yaml`) -) - -type ValidateNodeConfigOptions struct { - // NodeConfigFile is the location of the config file to be validated - NodeConfigFile string - - // Out is the writer to write output to - Out io.Writer -} - -// NewCommandValidateMasterConfig provides a CLI handler for the `validate all-in-one` command -func NewCommandValidateNodeConfig(name, fullName string, out io.Writer) *cobra.Command { - options := &ValidateNodeConfigOptions{ - Out: out, - } - - cmd := &cobra.Command{ - Use: fmt.Sprintf("%s SOURCE", name), - Short: "Validate the configuration file for a node", - Long: validateNodeConfigLong, - Example: fmt.Sprintf(validateNodeConfigExample, fullName), - Deprecated: validateNodeConfigDeprecationMessage, - Run: func(c *cobra.Command, args []string) { - if err := options.Complete(args); err != nil { - cmdutil.CheckErr(cmdutil.UsageErrorf(c, err.Error())) - } - - ok, err := options.Run() - cmdutil.CheckErr(err) - if !ok { - fmt.Fprintf(options.Out, "FAILURE: Validation failed for file: %s\n", 
options.NodeConfigFile) - os.Exit(1) - } - - fmt.Fprintf(options.Out, "SUCCESS: Validation succeeded for file: %s\n", options.NodeConfigFile) - }, - } - - return cmd -} - -func (o *ValidateNodeConfigOptions) Complete(args []string) error { - if len(args) != 1 { - return errors.New("exactly one source file is required") - } - o.NodeConfigFile = args[0] - return nil -} - -// Run runs the node config validation and returns the result of the validation as a boolean as well as any errors -// that occurred trying to validate the file -func (o *ValidateNodeConfigOptions) Run() (ok bool, err error) { - nodeConfig, err := configapilatest.ReadAndResolveNodeConfig(o.NodeConfigFile) - if err != nil { - return true, err - } - - results := validation.ValidateNodeConfig(nodeConfig, nil) - writer := tabwriter.NewWriter(o.Out, minColumnWidth, tabWidth, padding, padchar, flags) - err = prettyPrintValidationResults(results, writer) - if err != nil { - return len(results.Errors) == 0, fmt.Errorf("could not print results: %v", err) - } - writer.Flush() - return len(results.Errors) == 0, nil -} diff --git a/pkg/oc/admin/validate/validate.go b/pkg/oc/admin/validate/validate.go deleted file mode 100644 index d009ba2d0b47..000000000000 --- a/pkg/oc/admin/validate/validate.go +++ /dev/null 
@@ -1,38 +0,0 @@ -package validate - -import ( - "io" - - "github.com/spf13/cobra" - "k8s.io/kubernetes/pkg/kubectl/cmd/templates" - cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" -) - -const ( - ValidateRecommendedName = "validate" - - validateDeprecationMessage = `and will be removed. Use "oc adm diagnostics" to run configuration validations instead. -See sub-command help text for specific instructions with "oc adm diagnostics".` -) - -var validateLong = templates.LongDesc(` - Validate configuration file integrity - - The commands here allow administrators to validate the integrity of configuration files.`) - -func NewCommandValidate(name, fullName string, out, errOut io.Writer) *cobra.Command { - // Parent command to which all subcommands are added. - cmds := &cobra.Command{ - Use: name, - Short: "Validate configuration file integrity", - Long: validateLong, - Deprecated: validateDeprecationMessage, - Run: cmdutil.DefaultSubCommandRun(errOut), - } - - cmds.AddCommand(NewCommandValidateMasterConfig(ValidateMasterConfigRecommendedName, - fullName+" "+ValidateMasterConfigRecommendedName, out)) - cmds.AddCommand(NewCommandValidateNodeConfig(ValidateNodeConfigRecommendedName, - fullName+" "+ValidateNodeConfigRecommendedName, out)) - return cmds -} diff --git a/pkg/oc/cli/cli.go b/pkg/oc/cli/cli.go index fbd1c1697c2a..f10a2adb09e2 100644 --- a/pkg/oc/cli/cli.go +++ b/pkg/oc/cli/cli.go @@ -21,7 +21,6 @@ import ( "github.com/openshift/origin/pkg/oc/admin" diagnostics "github.com/openshift/origin/pkg/oc/admin/diagnostics" sync "github.com/openshift/origin/pkg/oc/admin/groups/sync/cli" - "github.com/openshift/origin/pkg/oc/admin/validate" "github.com/openshift/origin/pkg/oc/cli/cmd" "github.com/openshift/origin/pkg/oc/cli/cmd/cluster" "github.com/openshift/origin/pkg/oc/cli/cmd/image" 
@@ -284,7 +283,6 @@ func newExperimentalCommand(name, fullName string) *cobra.Command { f := clientcmd.New(experimental.PersistentFlags()) - experimental.AddCommand(validate.NewCommandValidate(validate.ValidateRecommendedName, fullName+" "+validate.ValidateRecommendedName, out, errout)) experimental.AddCommand(exipfailover.NewCmdIPFailoverConfig(f, fullName, "ipfailover", out, errout)) experimental.AddCommand(dockergc.NewCmdDockerGCConfig(f, fullName, "dockergc", out, errout)) experimental.AddCommand(buildchain.NewCmdBuildChain(name, fullName+" "+buildchain.BuildChainRecommendedCommandName, f, out)) diff --git a/test/cmd/diagnostics.sh b/test/cmd/diagnostics.sh index 928c831fe96d..1a29069014c3 100755 --- a/test/cmd/diagnostics.sh +++ b/test/cmd/diagnostics.sh @@ -11,18 +11,6 @@ trap os::test::junit::reconcile_output EXIT os::test::junit::declare_suite_start "cmd/diagnostics" -# validate config that was generated -os::cmd::expect_success "oc adm diagnostics MasterConfigCheck --master-config='${MASTER_CONFIG_DIR}/master-config.yaml'" -os::cmd::expect_success "oc adm diagnostics NodeConfigCheck --node-config='${NODE_CONFIG_DIR}/node-config.yaml'" -# breaking the config fails the validation check -cp "${MASTER_CONFIG_DIR}/master-config.yaml" "${BASETMPDIR}/master-config-broken.yaml" -os::util::sed '7,12d' "${BASETMPDIR}/master-config-broken.yaml" -os::cmd::expect_failure_and_text "oc adm diagnostics MasterConfigCheck --master-config='${BASETMPDIR}/master-config-broken.yaml'" 'ERROR' - -cp "${NODE_CONFIG_DIR}/node-config.yaml" "${BASETMPDIR}/node-config-broken.yaml" -os::util::sed '5,10d' "${BASETMPDIR}/node-config-broken.yaml" -os::cmd::expect_failure_and_text "oc adm diagnostics NodeConfigCheck --node-config='${BASETMPDIR}/node-config-broken.yaml'" 'ERROR' - os::cmd::expect_success 'oc adm policy reconcile-cluster-roles --additive-only=false --confirm' os::cmd::expect_success 'oc adm diagnostics ClusterRoleBindings ' 
@@ -32,9 +20,6 @@ os::cmd::expect_success 'oc adm diagnostics ConfigContexts ' os::cmd::expect_failure_and_text "oc adm diagnostics DiagnosticPod --prevent-modification --images=foo" 'prevented because the --prevent-modification flag was specified' # EtcdWriteVolume can't run without etcd. Just exercise flags. os::cmd::expect_success "oc adm diagnostics EtcdWriteVolume --duration=10s --help" -os::cmd::expect_success "oc adm diagnostics MasterConfigCheck --master-config=${MASTER_CONFIG_DIR}/master-config.yaml" -os::cmd::expect_success "oc adm diagnostics masterconfigcheck --master-config=${MASTER_CONFIG_DIR}/master-config.yaml" -os::cmd::expect_success "oc adm diagnostics NodeConfigCheck --node-config=${NODE_CONFIG_DIR}/node-config.yaml" os::cmd::expect_success "oc adm diagnostics serviceexternalips --master-config=${MASTER_CONFIG_DIR}/master-config.yaml" os::cmd::expect_failure_and_text 'oc adm diagnostics ClusterRegistry' "DClu1006 from diagnostic ClusterRegistry" # MasterNode fails in test, possibly because the hostname doesn't resolve? Disabled From 2b73820caeddd47ceb538393af0da32692e725a6 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Wed, 25 Apr 2018 23:44:08 -0400 Subject: [PATCH 18/26] Remove systemd units that are no longer referenced --- pkg/oc/admin/diagnostics/diagnostics/systemd/locate_units.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/oc/admin/diagnostics/diagnostics/systemd/locate_units.go b/pkg/oc/admin/diagnostics/diagnostics/systemd/locate_units.go index ccd8731e2c04..d74f2dbd451d 100644 --- a/pkg/oc/admin/diagnostics/diagnostics/systemd/locate_units.go +++ b/pkg/oc/admin/diagnostics/diagnostics/systemd/locate_units.go 
@@ -30,7 +30,7 @@ func GetSystemdUnits(logger *log.Logger) map[string]types.SystemdUnit { } logger.Notice("DS1001", "Performing systemd discovery") - for _, name := range []string{"origin-master-controllers", "origin-master-api", "origin-node", "atomic-openshift-master-controllers", "atomic-openshift-master-api", "atomic-openshift-node", "docker", "openvswitch", "iptables", "etcd", "kubernetes"} { + for _, name := range []string{"origin-node", "atomic-openshift-node", "docker", "iptables"} { systemdUnits[name] = discoverSystemdUnit(logger, name) if systemdUnits[name].Exists { From 1d1cc66b6be755d9b9ccfbfd4b57479997c924e8 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Thu, 26 Apr 2018 00:26:54 -0400 Subject: [PATCH 19/26] Move group coverage test after dependency orders changed Move it closer to where we need to test it (config package doesn't bring those dependencies into scope anymore). --- .../server/apis/config/group_coverage_test.go | 57 ------------------- pkg/cmd/server/apis/config/types.go | 5 ++ pkg/cmd/server/origin/legacy_test.go | 47 +++++++++++++++ 3 files changed, 52 insertions(+), 57 deletions(-) delete mode 100644 pkg/cmd/server/apis/config/group_coverage_test.go diff --git a/pkg/cmd/server/apis/config/group_coverage_test.go b/pkg/cmd/server/apis/config/group_coverage_test.go deleted file mode 100644 index 37b6e77d1c0b..000000000000 --- a/pkg/cmd/server/apis/config/group_coverage_test.go +++ /dev/null 
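Review bot: The shortened list in the `for _, name := range []string{...}` loop of GetSystemdUnits drops `openvswitch`, `etcd` and the master units, and nothing in this hunk shows whether the diagnostics that receive the resulting map (host.go passes it to `AnalyzeLogs` and `UnitStatus` as `SystemdUnits`) still look those names up. If any of them does, indexing the map with a removed name yields a zero-value `types.SystemdUnit`, whose `Exists` field reads as "unit not present" rather than "unit not checked", so a host problem could be reported as absent; this is worth confirming against the consumers before merge. A comment on the list would record the contract, e.g. `// only the units the UnitStatus/AnalyzeLogs diagnostics still inspect; keep in sync with their lookups`. The body of GetSystemdUnits starts and ends outside the hunk.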
@@ -1,57 +0,0 @@ -package config_test - -import ( - "reflect" - "testing" - - "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/kubernetes/pkg/api/legacyscheme" - - "github.com/openshift/origin/pkg/cmd/server/apis/config" - - _ "github.com/openshift/origin/pkg/api/install" -) - -func TestKnownAPIGroups(t *testing.T) { - unexposedGroups := sets.NewString("componentconfig", "metrics", "policy", "federation", "scheduling.k8s.io") - - enabledGroups := sets.NewString() - for _, enabledVersion := range legacyscheme.Registry.EnabledVersions() { - enabledGroups.Insert(enabledVersion.Group) - } - - // TODO remove this and use a non-global registry. These are in a wierd half-state right now - enabledGroups.Insert("apiextensions.k8s.io", "apiregistration.k8s.io") - - knownGroups := sets.NewString(config.KnownKubeAPIGroups.List()...) - knownGroups.Insert(config.KnownOriginAPIGroups.List()...) - - if missingKnownGroups := knownGroups.Difference(enabledGroups); len(missingKnownGroups) > 0 { - t.Errorf("KnownKubeAPIGroups or KnownOriginAPIGroups are missing from registered.EnabledVersions: %v", missingKnownGroups.List()) - } - if unknownEnabledGroups := enabledGroups.Difference(knownGroups).Difference(unexposedGroups); len(unknownEnabledGroups) > 0 { - t.Errorf("KnownKubeAPIGroups or KnownOriginAPIGroups is missing groups from registered.EnabledVersions: %v", unknownEnabledGroups.List()) - } -} - -func TestAllowedAPIVersions(t *testing.T) { - // TODO remove this and use a non-global registry. 
These are in a wierd half-state right now - skippedGroups := sets.NewString("apiextensions.k8s.io", "apiregistration.k8s.io") - - // Make sure all versions we know about match registered versions - for group, versions := range config.KubeAPIGroupsToAllowedVersions { - if skippedGroups.Has(group) { - continue - } - - enabled := sets.NewString() - for _, enabledVersion := range legacyscheme.Registry.EnabledVersionsForGroup(group) { - enabled.Insert(enabledVersion.Version) - } - expected := sets.NewString(versions...) - actual := enabled.Difference(sets.NewString(config.KubeDefaultDisabledVersions[group]...)) - if e, a := expected.List(), actual.List(); !reflect.DeepEqual(e, a) { - t.Errorf("For group %s, expected versions %#v, got %#v", group, e, a) - } - } -} diff --git a/pkg/cmd/server/apis/config/types.go b/pkg/cmd/server/apis/config/types.go index 0f4a558dde0a..f95e402c0a06 100644 --- a/pkg/cmd/server/apis/config/types.go +++ b/pkg/cmd/server/apis/config/types.go @@ -41,6 +41,7 @@ var ( APIGroupKube = "" APIGroupApps = "apps" + APIGroupAdmission = "admission.k8s.io" APIGroupAdmissionRegistration = "admissionregistration.k8s.io" APIGroupAPIExtensions = "apiextensions.k8s.io" APIGroupAPIRegistration = "apiregistration.k8s.io" @@ -81,6 +82,7 @@ var ( APIGroupExtensions: {"v1beta1"}, APIGroupEvents: {"v1beta1"}, APIGroupApps: {"v1", "v1beta1", "v1beta2"}, + APIGroupAdmission: {}, APIGroupAdmissionRegistration: {"v1beta1"}, APIGroupAPIExtensions: {"v1beta1"}, APIGroupAPIRegistration: {"v1", "v1beta1"}, @@ -90,6 +92,7 @@ var ( APIGroupAutoscaling: {"v1", "v2beta1"}, APIGroupBatch: {"v1", "v1beta1", "v2alpha1"}, // v2alpha1 has to stay on to keep cronjobs on for backwards compatibility APIGroupCertificates: {"v1beta1"}, + APIGroupImagePolicy: {}, APIGroupNetworking: {"v1"}, APIGroupPolicy: {"v1beta1"}, APIGroupStorage: {"v1", "v1beta1"}, 
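Review bot: `APIGroupAdmission: {}` and `APIGroupImagePolicy: {}` are added with empty version lists and no explanation, while the neighbouring `APIGroupBatch` entry carries a why-comment. A reader has to cross-reference the later hunk (`@@ -120,8 +123,10 @@`, which lists `v1beta1` and `v1alpha1` for these groups) to learn that the empty list is deliberate and not an omission. Suggest a trailing comment on each, such as `APIGroupAdmission: {}, // registered in the scheme, but its only version (v1beta1) is disabled by default`. The enclosing var block starts outside these hunks, so which maps are being edited is inferred from the test in this commit that reads `KubeAPIGroupsToAllowedVersions` and `KubeDefaultDisabledVersions`.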
@@ -120,8 +123,10 @@ var ( APIGroupExtensions: {}, APIGroupAutoscaling: {"v2alpha1"}, APIGroupBatch: {}, + APIGroupImagePolicy: {"v1alpha1"}, APIGroupPolicy: {}, APIGroupApps: {}, + APIGroupAdmission: {"v1beta1"}, APIGroupAdmissionRegistration: {"v1alpha1"}, APIGroupAuthorizationRbac: {"v1alpha1"}, APIGroupSettings: {"v1alpha1"}, diff --git a/pkg/cmd/server/origin/legacy_test.go b/pkg/cmd/server/origin/legacy_test.go index a852ffe1898d..e46e4c3a5c0b 100644 --- a/pkg/cmd/server/origin/legacy_test.go +++ b/pkg/cmd/server/origin/legacy_test.go @@ -1,12 +1,15 @@ package origin import ( + "reflect" "strings" "testing" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/kubernetes/pkg/api/legacyscheme" "github.com/openshift/origin/pkg/api/latest" + "github.com/openshift/origin/pkg/cmd/server/apis/config" ) func TestLegacyKinds(t *testing.T) { 
@@ -17,3 +20,47 @@ func TestLegacyKinds(t *testing.T) { } } } + +func TestKnownAPIGroups(t *testing.T) { + unexposedGroups := sets.NewString("componentconfig", "metrics", "policy", "federation", "scheduling.k8s.io") + + enabledGroups := sets.NewString() + for _, enabledVersion := range legacyscheme.Registry.EnabledVersions() { + enabledGroups.Insert(enabledVersion.Group) + } + + // TODO remove this and use a non-global registry. These are in a wierd half-state right now + enabledGroups.Insert("apiextensions.k8s.io", "apiregistration.k8s.io") + + knownGroups := sets.NewString(config.KnownKubeAPIGroups.List()...) + knownGroups.Insert(config.KnownOriginAPIGroups.List()...) + + if missingKnownGroups := knownGroups.Difference(enabledGroups); len(missingKnownGroups) > 0 { + t.Errorf("KnownKubeAPIGroups or KnownOriginAPIGroups are missing from registered.EnabledVersions: %v", missingKnownGroups.List()) + } + if unknownEnabledGroups := enabledGroups.Difference(knownGroups).Difference(unexposedGroups); len(unknownEnabledGroups) > 0 { + t.Errorf("KnownKubeAPIGroups or KnownOriginAPIGroups is missing groups from registered.EnabledVersions: %v", unknownEnabledGroups.List()) + } +} + +func TestAllowedAPIVersions(t *testing.T) { + // TODO remove this and use a non-global registry. These are in a wierd half-state right now + skippedGroups := sets.NewString("apiextensions.k8s.io", "apiregistration.k8s.io") + + // Make sure all versions we know about match registered versions + for group, versions := range config.KubeAPIGroupsToAllowedVersions { + if skippedGroups.Has(group) { + continue + } + + enabled := sets.NewString() + for _, enabledVersion := range legacyscheme.Registry.EnabledVersionsForGroup(group) { + enabled.Insert(enabledVersion.Version) + } + expected := sets.NewString(versions...) 
+ actual := enabled.Difference(sets.NewString(config.KubeDefaultDisabledVersions[group]...)) + if e, a := expected.List(), actual.List(); !reflect.DeepEqual(e, a) { + t.Errorf("For group %s, expected versions %#v, got %#v", group, e, a) + } + } +} From 55f0162044dd84c0d6d30211b3fd8dfbf14789c0 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Thu, 26 Apr 2018 00:29:10 -0400 Subject: [PATCH 20/26] UPSTREAM: 63177: kubectl takes a dependency on the controllers --- .../k8s.io/kubernetes/pkg/kubectl/rollback.go | 97 +++++++++++++++++-- 1 file changed, 91 insertions(+), 6 deletions(-) diff --git a/vendor/k8s.io/kubernetes/pkg/kubectl/rollback.go b/vendor/k8s.io/kubernetes/pkg/kubectl/rollback.go index 10ede4b53d3c..10ac083bebb2 100644 --- a/vendor/k8s.io/kubernetes/pkg/kubectl/rollback.go +++ b/vendor/k8s.io/kubernetes/pkg/kubectl/rollback.go @@ -32,18 +32,19 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/json" + "k8s.io/apimachinery/pkg/util/strategicpatch" "k8s.io/apimachinery/pkg/watch" "k8s.io/client-go/kubernetes" "k8s.io/kubernetes/pkg/api/legacyscheme" api "k8s.io/kubernetes/pkg/apis/core" apiv1 "k8s.io/kubernetes/pkg/apis/core/v1" "k8s.io/kubernetes/pkg/apis/extensions" - "k8s.io/kubernetes/pkg/controller/daemon" - deploymentutil "k8s.io/kubernetes/pkg/controller/deployment/util" - "k8s.io/kubernetes/pkg/controller/statefulset" kapps "k8s.io/kubernetes/pkg/kubectl/apps" sliceutil "k8s.io/kubernetes/pkg/kubectl/util/slice" printersinternal "k8s.io/kubernetes/pkg/printers/internalversion" + // kubectl should not be taking dependencies on logic in the controllers + deploymentutil "k8s.io/kubernetes/pkg/controller/deployment/util" ) const ( 
@@ -278,7 +279,7 @@ func (r *DaemonSetRollbacker) Rollback(obj runtime.Object, updatedAnnotations ma } // Skip if the revision already matches current DaemonSet - done, err := daemon.Match(ds, toHistory) + done, err := daemonSetMatch(ds, toHistory) if err != nil { return "", err } @@ -294,6 +295,42 @@ func (r *DaemonSetRollbacker) Rollback(obj runtime.Object, updatedAnnotations ma return rollbackSuccess, nil } +// daemonMatch check if the given DaemonSet's template matches the template stored in the given history. +func daemonSetMatch(ds *appsv1.DaemonSet, history *appsv1.ControllerRevision) (bool, error) { + patch, err := getDaemonSetPatch(ds) + if err != nil { + return false, err + } + return bytes.Equal(patch, history.Data.Raw), nil +} + +// getPatch returns a strategic merge patch that can be applied to restore a Daemonset to a +// previous version. If the returned error is nil the patch is valid. The current state that we save is just the +// PodSpecTemplate. We can modify this later to encompass more state (or less) and remain compatible with previously +// recorded patches. +func getDaemonSetPatch(ds *appsv1.DaemonSet) ([]byte, error) { + dsBytes, err := json.Marshal(ds) + if err != nil { + return nil, err + } + var raw map[string]interface{} + err = json.Unmarshal(dsBytes, &raw) + if err != nil { + return nil, err + } + objCopy := make(map[string]interface{}) + specCopy := make(map[string]interface{}) + + // Create a patch of the DaemonSet that replaces spec.template + spec := raw["spec"].(map[string]interface{}) + template := spec["template"].(map[string]interface{}) + specCopy["template"] = template + template["$patch"] = "replace" + objCopy["spec"] = specCopy + patch, err := json.Marshal(objCopy) + return patch, err +} + type StatefulSetRollbacker struct { c kubernetes.Interface } 
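Review bot: In `getDaemonSetPatch`, `raw["spec"].(map[string]interface{})` and `spec["template"].(map[string]interface{})` are single-value type assertions, so a missing or differently typed key panics the client instead of returning the `error` the signature provides; the same two lines recur in `getStatefulSetPatch` in the later `@@ -382,6 +382,54 @@` hunk. For a freshly marshalled `appsv1.DaemonSet` both keys are presumably always present, but the comma-ok form costs little: `spec, ok := raw["spec"].(map[string]interface{})` followed by `if !ok { return nil, fmt.Errorf("daemonset has no spec") }` (assuming `fmt` is already imported in this file, which the hunk does not show). Separately, the doc comments name functions that do not exist here: `// daemonMatch check if` and `// getPatch returns` should read `// daemonSetMatch checks whether` and `// getDaemonSetPatch returns`.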
@@ -321,7 +358,7 @@ func (r *StatefulSetRollbacker) Rollback(obj runtime.Object, updatedAnnotations } if dryRun { - appliedSS, err := statefulset.ApplyRevision(sts, toHistory) + appliedSS, err := applyRevision(sts, toHistory) if err != nil { return "", err } @@ -329,7 +366,7 @@ func (r *StatefulSetRollbacker) Rollback(obj runtime.Object, updatedAnnotations } // Skip if the revision already matches current StatefulSet - done, err := statefulset.Match(sts, toHistory) + done, err := statefulsetMatch(sts, toHistory) if err != nil { return "", err } 
@@ -345,6 +382,54 @@ func (r *StatefulSetRollbacker) Rollback(obj runtime.Object, updatedAnnotations return rollbackSuccess, nil } +var appsCodec = legacyscheme.Codecs.LegacyCodec(appsv1.SchemeGroupVersion) + +// applyRevision returns a new StatefulSet constructed by restoring the state in revision to set. If the returned error +// is nil, the returned StatefulSet is valid. +func applyRevision(set *appsv1.StatefulSet, revision *appsv1.ControllerRevision) (*appsv1.StatefulSet, error) { + clone := set.DeepCopy() + patched, err := strategicpatch.StrategicMergePatch([]byte(runtime.EncodeOrDie(appsCodec, clone)), revision.Data.Raw, clone) + if err != nil { + return nil, err + } + err = json.Unmarshal(patched, clone) + if err != nil { + return nil, err + } + return clone, nil +} + +// statefulsetMatch check if the given StatefulSet's template matches the template stored in the given history. +func statefulsetMatch(ss *appsv1.StatefulSet, history *appsv1.ControllerRevision) (bool, error) { + patch, err := getStatefulSetPatch(ss) + if err != nil { + return false, err + } + return bytes.Equal(patch, history.Data.Raw), nil +} + +// getStatefulSetPatch returns a strategic merge patch that can be applied to restore a StatefulSet to a +// previous version. If the returned error is nil the patch is valid. The current state that we save is just the +// PodSpecTemplate. We can modify this later to encompass more state (or less) and remain compatible with previously +// recorded patches. 
+func getStatefulSetPatch(set *appsv1.StatefulSet) ([]byte, error) { + str, err := runtime.Encode(appsCodec, set) + if err != nil { + return nil, err + } + var raw map[string]interface{} + json.Unmarshal([]byte(str), &raw) + objCopy := make(map[string]interface{}) + specCopy := make(map[string]interface{}) + spec := raw["spec"].(map[string]interface{}) + template := spec["template"].(map[string]interface{}) + specCopy["template"] = template + template["$patch"] = "replace" + objCopy["spec"] = specCopy + patch, err := json.Marshal(objCopy) + return patch, err +} + // findHistory returns a controllerrevision of a specific revision from the given controllerrevisions. // It returns nil if no such controllerrevision exists. // If toRevision is 0, the last previously used history is returned. From 47228f7b94702bf6bbbfa7b6908eaa6af53a9451 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Thu, 26 Apr 2018 00:48:13 -0400 Subject: [PATCH 21/26] Remove an oc dependency on the RBAC server Move the dependency into the master startup flow. --- pkg/cmd/server/bootstrappolicy/all.go | 15 ++++++++++++--- pkg/cmd/server/origin/master.go | 17 +++++++++++++++-- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/pkg/cmd/server/bootstrappolicy/all.go b/pkg/cmd/server/bootstrappolicy/all.go index 714d0d5f9c21..52878abf8cc3 100644 --- a/pkg/cmd/server/bootstrappolicy/all.go +++ b/pkg/cmd/server/bootstrappolicy/all.go 
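Review bot: `getStatefulSetPatch` discards the error from `json.Unmarshal([]byte(str), &raw)`, so a decode failure leaves `raw` nil and the unchecked `raw["spec"].(map[string]interface{})` two lines later panics. `getDaemonSetPatch`, added earlier in this same patch, does check that error. Return it here as well: `if err := json.Unmarshal([]byte(str), &raw); err != nil { return nil, err }`. In `applyRevision`, `runtime.EncodeOrDie` likewise panics on an encode failure although the function has an error return; `runtime.Encode`, which `getStatefulSetPatch` already uses, would let the caller see it.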
@@ -1,11 +1,20 @@ package bootstrappolicy import ( - rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest" + "k8s.io/kubernetes/pkg/apis/rbac" ) -func Policy() *rbacrest.PolicyData { - return &rbacrest.PolicyData{ +type PolicyData struct { + ClusterRoles []rbac.ClusterRole + ClusterRoleBindings []rbac.ClusterRoleBinding + Roles map[string][]rbac.Role + RoleBindings map[string][]rbac.RoleBinding + // ClusterRolesToAggregate maps from previous clusterrole name to the new clusterrole name + ClusterRolesToAggregate map[string]string +} + +func Policy() *PolicyData { + return &PolicyData{ ClusterRoles: GetBootstrapClusterRoles(), ClusterRoleBindings: GetBootstrapClusterRoleBindings(), Roles: GetBootstrapNamespaceRoles(), diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go index 7d5fb50ab792..4dd92c39255a 100644 --- a/pkg/cmd/server/origin/master.go +++ b/pkg/cmd/server/origin/master.go @@ -16,6 +16,7 @@ import ( aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver" kubeapiserver "k8s.io/kubernetes/pkg/master" kcorestorage "k8s.io/kubernetes/pkg/registry/core/rest" + rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest" "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy" kubernetes "github.com/openshift/origin/pkg/cmd/server/kubernetes/master" 
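Review bot: The exported `PolicyData` type is a hand-copied mirror of `rbacrest.PolicyData`, and `bootstrapData` in `pkg/cmd/server/origin/master.go` (last master.go hunk of this patch) copies it field by field, so a field later added to one struct and not to the copy is dropped without a compile error; for data that defines the bootstrap cluster roles and bindings that is worth guarding. If the two structs keep identical fields in the same order, a direct conversion, `return (*rbacrest.PolicyData)(data)`, would stop compiling as soon as they drift; only this side of the definition is visible here, so confirm the layouts match. `bootstrapData` is also described as a cast although it builds a new struct, and it dereferences `data` without a nil check. At minimum add a doc comment on the type: `// PolicyData mirrors rbacrest.PolicyData so that this package does not depend on the RBAC registry; keep it in sync with bootstrapData in pkg/cmd/server/origin/master.go.`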
@@ -264,7 +265,7 @@ func (c *MasterConfig) Run(stopCh <-chan struct{}) error { } // add post-start hooks - aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("authorization.openshift.io-bootstrapclusterroles", bootstrappolicy.Policy().EnsureRBACPolicy()) + aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("authorization.openshift.io-bootstrapclusterroles", bootstrapData(bootstrappolicy.Policy()).EnsureRBACPolicy()) aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("authorization.openshift.io-ensureopenshift-infra", ensureOpenShiftInfraNamespace) aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("quota.openshift.io-clusterquotamapping", c.startClusterQuotaMapping) for name, fn := range c.additionalPostStartHooks { @@ -322,7 +323,7 @@ func (c *MasterConfig) RunKubeAPIServer(stopCh <-chan struct{}) error { } } - aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("authorization.openshift.io-bootstrapclusterroles", bootstrappolicy.Policy().EnsureRBACPolicy()) + aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("authorization.openshift.io-bootstrapclusterroles", bootstrapData(bootstrappolicy.Policy()).EnsureRBACPolicy()) aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("authorization.openshift.io-ensureopenshift-infra", ensureOpenShiftInfraNamespace) aggregatedAPIServer.GenericAPIServer.AddPostStartHookOrDie("quota.openshift.io-clusterquotamapping", c.startClusterQuotaMapping) // add post-start hooks 
@@ -470,3 +471,15 @@ func (c *MasterConfig) startClusterQuotaMapping(context apiserver.PostStartHookC go c.ClusterQuotaMappingController.Run(5, context.StopCh) return nil } + +// bootstrapData casts our policy data to the rbacrest helper that can +// materialize the policy. +func bootstrapData(data *bootstrappolicy.PolicyData) *rbacrest.PolicyData { + return &rbacrest.PolicyData{ + ClusterRoles: data.ClusterRoles, + ClusterRoleBindings: data.ClusterRoleBindings, + Roles: data.Roles, + RoleBindings: data.RoleBindings, + ClusterRolesToAggregate: data.ClusterRolesToAggregate, + } +} From 7aac93a9cefafb1e4eff1008a3e15a4bcddbf78d Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Thu, 26 Apr 2018 00:48:38 -0400 Subject: [PATCH 22/26] Mark `oc export` deprecated and simplify what it does Instead of calling the apiserver code, clear status. Mark deprecated in favor of oc get --export (which itself is now of questionable value). A future release should provide better logic for stripping out unnecessary fields. --- hack/import-restrictions.json | 18 ++++----------- pkg/oc/cli/cmd/export.go | 2 ++ pkg/oc/cli/cmd/exporter.go | 40 ++++++--------------------------- pkg/oc/cli/cmd/exporter_test.go | 5 +++-- 4 files changed, 16 insertions(+), 49 deletions(-) diff --git a/hack/import-restrictions.json b/hack/import-restrictions.json index 343debb1cc9b..1029ebc54386 100644 --- a/hack/import-restrictions.json +++ b/hack/import-restrictions.json @@ -386,6 +386,9 @@ "checkedPackageRoots": [ "github.com/openshift/origin/pkg/oc" ], + "ignoredSubTrees": [ + "github.com/openshift/origin/pkg/oc/admin/groups/examples" + ], "allowedImportPackageRoots": [ "vendor/github.com/aws/aws-sdk-go", "vendor/github.com/containers/image", 
@@ -452,7 +455,6 @@ "github.com/openshift/origin/pkg/apps/apis/apps/test", "github.com/openshift/origin/pkg/apps/client/internalversion", "github.com/openshift/origin/pkg/apps/client/v1", - "github.com/openshift/origin/pkg/apps/registry/deployconfig", "github.com/openshift/origin/pkg/apps/util", "github.com/openshift/origin/pkg/authorization/apis/authorization", "github.com/openshift/origin/pkg/authorization/reaper", @@ -462,8 +464,6 @@ "github.com/openshift/origin/pkg/build/apis/build/install", "github.com/openshift/origin/pkg/build/client", "github.com/openshift/origin/pkg/build/client/internalversion", - "github.com/openshift/origin/pkg/build/registry/build", - "github.com/openshift/origin/pkg/build/registry/buildconfig", "github.com/openshift/origin/pkg/build/util", "github.com/openshift/origin/pkg/bulk", "github.com/openshift/origin/pkg/client/config", @@ -472,7 +472,7 @@ "github.com/openshift/origin/pkg/cmd/server/apis/config", "github.com/openshift/origin/pkg/cmd/server/apis/config/install", "github.com/openshift/origin/pkg/cmd/server/apis/config/latest", - "github.com/openshift/origin/pkg/cmd/server/apis/config/validation", + "github.com/openshift/origin/pkg/cmd/server/apis/config/validation/ldap", "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy", "github.com/openshift/origin/pkg/cmd/server/etcd", "github.com/openshift/origin/pkg/cmd/templates", 
@@ -550,16 +550,6 @@ "vendor/k8s.io/kubernetes/pkg/serviceaccount", "vendor/k8s.io/kubernetes/pkg/version", - "vendor/k8s.io/kubernetes/pkg/registry/core/endpoint", - "vendor/k8s.io/kubernetes/pkg/registry/core/namespace", - "vendor/k8s.io/kubernetes/pkg/registry/core/node", - "vendor/k8s.io/kubernetes/pkg/registry/core/persistentvolume", - "vendor/k8s.io/kubernetes/pkg/registry/core/persistentvolumeclaim", - "vendor/k8s.io/kubernetes/pkg/registry/core/pod", - "vendor/k8s.io/kubernetes/pkg/registry/core/replicationcontroller", - "vendor/k8s.io/kubernetes/pkg/registry/core/resourcequota", - "vendor/k8s.io/kubernetes/pkg/registry/core/secret", - "vendor/k8s.io/kubernetes/pkg/registry/core/serviceaccount", "vendor/k8s.io/kubernetes/pkg/registry/rbac/reconciliation", "vendor/k8s.io/kubernetes/pkg/registry/rbac/validation" ] diff --git a/pkg/oc/cli/cmd/export.go b/pkg/oc/cli/cmd/export.go index 024a33c04fd4..4583c9153af9 100644 --- a/pkg/oc/cli/cmd/export.go +++ b/pkg/oc/cli/cmd/export.go @@ -66,6 +66,8 @@ func NewCmdExport(fullName string, f *clientcmd.Factory, in io.Reader, out io.Wr kcmdutil.CheckErr(err) }, } + cmd.Deprecated = "Use the `get --export` command instead." + cmd.Flags().String("as-template", "", "Output a Template object with specified name instead of a List or single object.") cmd.Flags().Bool("exact", false, "If true, preserve fields that may be cluster specific, such as service clusterIPs or generated names") cmd.Flags().Bool("raw", false, "If true, do not alter the resources in any way after they are loaded.") diff --git a/pkg/oc/cli/cmd/exporter.go b/pkg/oc/cli/cmd/exporter.go index f88d5ff0bdbc..5758536dbe90 100644 --- a/pkg/oc/cli/cmd/exporter.go +++ b/pkg/oc/cli/cmd/exporter.go 
@@ -11,24 +11,10 @@ import ( "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" - apirequest "k8s.io/apiserver/pkg/endpoints/request" kapi "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/registry/core/endpoint" - "k8s.io/kubernetes/pkg/registry/core/namespace" - "k8s.io/kubernetes/pkg/registry/core/node" - "k8s.io/kubernetes/pkg/registry/core/persistentvolume" - "k8s.io/kubernetes/pkg/registry/core/persistentvolumeclaim" - "k8s.io/kubernetes/pkg/registry/core/pod" - "k8s.io/kubernetes/pkg/registry/core/replicationcontroller" - "k8s.io/kubernetes/pkg/registry/core/resourcequota" - "k8s.io/kubernetes/pkg/registry/core/secret" - "k8s.io/kubernetes/pkg/registry/core/serviceaccount" appsapi "github.com/openshift/origin/pkg/apps/apis/apps" - deployrest "github.com/openshift/origin/pkg/apps/registry/deployconfig" buildapi "github.com/openshift/origin/pkg/build/apis/build" - buildrest "github.com/openshift/origin/pkg/build/registry/build" - buildconfigrest "github.com/openshift/origin/pkg/build/registry/buildconfig" imageapi "github.com/openshift/origin/pkg/image/apis/image" routeapi "github.com/openshift/origin/pkg/route/apis/route" osautil "github.com/openshift/origin/pkg/serviceaccounts/util" @@ -66,18 +52,15 @@ func (e *DefaultExporter) Export(obj runtime.Object, exact bool) error { } else { glog.V(4).Infof("Object of type %v does not have ObjectMeta: %v", reflect.TypeOf(obj), err) } - ctx := apirequest.NewContext() switch t := obj.(type) { case *kapi.Endpoints: - endpoint.Strategy.PrepareForCreate(ctx, obj) case *kapi.ResourceQuota: - resourcequota.Strategy.PrepareForCreate(ctx, obj) + t.Status = kapi.ResourceQuotaStatus{} case *kapi.LimitRange: // TODO: this needs to be fixed // limitrange.Strategy.PrepareForCreate(obj) case *kapi.Node: - node.Strategy.PrepareForCreate(ctx, obj) if exact { return nil } 
@@ -85,15 +68,13 @@ func (e *DefaultExporter) Export(obj runtime.Object, exact bool) error { // we clear that without exact so that the node value can be reused. t.Status = kapi.NodeStatus{} case *kapi.Namespace: - namespace.Strategy.PrepareForCreate(ctx, obj) case *kapi.PersistentVolumeClaim: - persistentvolumeclaim.Strategy.PrepareForCreate(ctx, obj) + t.Status = kapi.PersistentVolumeClaimStatus{} case *kapi.PersistentVolume: - persistentvolume.Strategy.PrepareForCreate(ctx, obj) case *kapi.ReplicationController: - replicationcontroller.Strategy.PrepareForCreate(ctx, obj) + t.Status = kapi.ReplicationControllerStatus{} case *kapi.Pod: - pod.Strategy.PrepareForCreate(ctx, obj) + t.Status = kapi.PodStatus{} case *kapi.PodTemplate: case *kapi.Service: // TODO: service does not yet have a strategy @@ -110,7 +91,6 @@ func (e *DefaultExporter) Export(obj runtime.Object, exact bool) error { } } case *kapi.Secret: - secret.Strategy.PrepareForCreate(ctx, obj) if exact { return nil } @@ -119,7 +99,6 @@ func (e *DefaultExporter) Export(obj runtime.Object, exact bool) error { return ErrExportOmit } case *kapi.ServiceAccount: - serviceaccount.Strategy.PrepareForCreate(ctx, obj) if exact { return nil } 
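Review bot: The `*kapi.PersistentVolume` and `*kapi.Namespace` cases are left with empty bodies once their `PrepareForCreate` calls are removed, while the neighbouring `PersistentVolumeClaim`, `ReplicationController` and `Pod` cases now reset `t.Status`. If the removed strategies were what cleared status for those two kinds (not visible here), exported volumes and namespaces will now carry cluster-specific status such as the current phase. To match the approach stated in the commit message, add `t.Status = kapi.PersistentVolumeStatus{}` and `t.Status = kapi.NamespaceStatus{}`, or put a comment in each empty case saying the status is kept on purpose. `Export` starts and ends outside this hunk.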
@@ -146,22 +125,17 @@ func (e *DefaultExporter) Export(obj runtime.Object, exact bool) error { t.Secrets = newMountableSecrets case *appsapi.DeploymentConfig: - return deployrest.CommonStrategy.Export(ctx, obj, exact) + t.Status = appsapi.DeploymentConfigStatus{} case *buildapi.BuildConfig: - // Use the legacy strategy to avoid setting prune defaults if - // the object wasn't created with them in the first place. - // TODO: use the exportstrategy pattern instead. - buildconfigrest.LegacyStrategy.PrepareForCreate(ctx, obj) - // TODO: should be handled by prepare for create - t.Status.LastVersion = 0 + t.Status = buildapi.BuildConfigStatus{} + for i := range t.Spec.Triggers { if p := t.Spec.Triggers[i].ImageChange; p != nil { p.LastTriggeredImageID = "" } } case *buildapi.Build: - buildrest.Strategy.PrepareForCreate(ctx, obj) // TODO: should be handled by prepare for create t.Status.Duration = 0 t.Status.Phase = buildapi.BuildPhaseNew diff --git a/pkg/oc/cli/cmd/exporter_test.go b/pkg/oc/cli/cmd/exporter_test.go index dbd2f9a3b303..3072e47cf113 100644 --- a/pkg/oc/cli/cmd/exporter_test.go +++ b/pkg/oc/cli/cmd/exporter_test.go @@ -6,6 +6,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/diff" kapi "k8s.io/kubernetes/pkg/apis/core" appsapi "github.com/openshift/origin/pkg/apps/apis/apps" @@ -33,7 +34,7 @@ func TestExport(t *testing.T) { expectedObj: &appsapi.DeploymentConfig{ ObjectMeta: metav1.ObjectMeta{ Name: "config", - Generation: 1, + Generation: 0, }, Spec: appstest.OkDeploymentConfigSpec(), Status: appsapi.DeploymentConfigStatus{}, @@ -157,7 +158,7 @@ func TestExport(t *testing.T) { } if !reflect.DeepEqual(test.object, test.expectedObj) { - t.Errorf("%s: object mismatch: expected \n%#v\ngot \n%#v\n", test.name, test.expectedObj, test.object) + t.Errorf("%s: object mismatch: %s", test.name, diff.ObjectReflectDiff(test.expectedObj, test.object)) } } } 
From 267b5341be8209359174d48142521c8f8c832f74 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Thu, 26 Apr 2018 01:37:57 -0400 Subject: [PATCH 23/26] Add an openshift/origin-tests image with the e2e suite --- hack/lib/constants.sh | 4 +++- images/hypershift/.cccp.yml | 2 +- images/tests/.cccp.yml | 1 + images/tests/Dockerfile | 16 ++++++++++++++++ images/tests/OWNERS | 8 ++++++++ images/tests/bin/.gitignore | 2 ++ 6 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 images/tests/.cccp.yml create mode 100644 images/tests/Dockerfile create mode 100644 images/tests/OWNERS create mode 100644 images/tests/bin/.gitignore diff --git a/hack/lib/constants.sh b/hack/lib/constants.sh index d2bbfbcd4083..122a426899d4 100755 --- a/hack/lib/constants.sh +++ b/hack/lib/constants.sh @@ -326,6 +326,7 @@ readonly OS_ALL_IMAGES=( origin-egress-dns-proxy origin-recycler origin-template-service-broker + origin-tests ) # os::build::images builds all images in this repo. @@ -358,7 +359,8 @@ function os::build::images() { for i in `jobs -p`; do wait $i; done # images that depend on "${tag_prefix}-cli" - ( os::build::image "${tag_prefix}-control-plane" images/origin ) & + ( os::build::image "${tag_prefix}-tests" images/tests ) & + ( os::build::image "${tag_prefix}-control-plane" images/origin ) & for i in `jobs -p`; do wait $i; done diff --git a/images/hypershift/.cccp.yml b/images/hypershift/.cccp.yml index 61bf2c5f5f99..a997f43ee14e 100644 --- a/images/hypershift/.cccp.yml +++ b/images/hypershift/.cccp.yml @@ -1 +1 @@ -job-id: origin-hyperkube +job-id: origin-hypershift diff --git a/images/tests/.cccp.yml b/images/tests/.cccp.yml new file mode 100644 index 000000000000..48ad8d0658d2 --- /dev/null +++ b/images/tests/.cccp.yml @@ -0,0 +1 @@ +job-id: origin-tests diff --git a/images/tests/Dockerfile b/images/tests/Dockerfile new file mode 100644 index 000000000000..df40dd5115e2 --- /dev/null +++ b/images/tests/Dockerfile 
@@ -0,0 +1,16 @@ +# +# This is the official OpenShift test image. It can be used to verify +# an installation of OpenShift completed successfully. +# +# The standard name for this image is openshift/origin-tests +# +FROM openshift/origin-cli + +RUN INSTALL_PKGS="origin-tests" && \ + yum --enablerepo=origin-local-release install -y ${INSTALL_PKGS} && \ + rpm -V ${INSTALL_PKGS} && \ + yum clean all + +LABEL io.k8s.display-name="OpenShift End-to-End Tests" \ + io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \ + io.openshift.tags="openshift,tests,e2e" diff --git a/images/tests/OWNERS b/images/tests/OWNERS new file mode 100644 index 000000000000..ef253fe96db0 --- /dev/null +++ b/images/tests/OWNERS @@ -0,0 +1,8 @@ +reviewers: + - smarterclayton + - stevekuznetsov + - sdodson +approvers: + - smarterclayton + - kargakis + - stevekuznetsov diff --git a/images/tests/bin/.gitignore b/images/tests/bin/.gitignore new file mode 100644 index 000000000000..d6b7ef32c847 --- /dev/null +++ b/images/tests/bin/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore From cef740ec421fefa8f67bd786e0469794ba1f53d7 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Thu, 26 Apr 2018 13:59:14 -0400 Subject: [PATCH 24/26] Move openshift-node-config into the node image Do not remove openshift binary from the node image quite yet. --- images/node/scripts/openshift-node | 2 +- origin.spec | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/images/node/scripts/openshift-node b/images/node/scripts/openshift-node index bf81e942a63c..3f27ccde5d11 100755 --- a/images/node/scripts/openshift-node +++ b/images/node/scripts/openshift-node 
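Review bot: `FROM openshift/origin-cli` carries no tag or digest, so the base resolves to whatever `openshift/origin-cli:latest` is in the local daemon or the registry at build time. `hack/lib/constants.sh` builds this image after `${tag_prefix}-cli`, so with a tag prefix other than `openshift/origin` the test image would presumably not be layered on the CLI image that was just built. The `rpm -V` step verifies the installed package, not the base layer. If the unpinned, hard-coded base is deliberate, say so in the header comment, e.g. `# Built on the locally built openshift/origin-cli image; see os::build::images in hack/lib/constants.sh.`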
@@ -14,5 +14,5 @@ config=/etc/origin/node/bootstrap-node-config.yaml if [[ -f /etc/origin/node/node-config.yaml ]]; then config=/etc/origin/node/node-config.yaml fi -flags=$( /usr/bin/openshift start node --write-flags "--config=${config}" --loglevel=${DEBUG_LOGLEVEL:-2} ) +flags=$( /usr/bin/openshift-node-config "--config=${config}" ) exec /usr/bin/hyperkube kubelet --v=${DEBUG_LOGLEVEL:-2} ${flags} \ No newline at end of file diff --git a/origin.spec b/origin.spec index f6327a4a81ce..d43f9b0af410 100644 --- a/origin.spec +++ b/origin.spec @@ -262,7 +262,7 @@ PLATFORM="$(go env GOHOSTOS)/$(go env GOHOSTARCH)" install -d %{buildroot}%{_bindir} # Install linux components -for bin in oc oadm openshift hypershift hyperkube template-service-broker +for bin in oc oadm openshift hypershift hyperkube template-service-broker openshift-node-config do echo "+++ INSTALLING ${bin}" install -p -m 755 _output/local/bin/${PLATFORM}/${bin} %{buildroot}%{_bindir}/${bin} @@ -399,6 +399,7 @@ chmod 0744 $RPM_BUILD_ROOT/usr/sbin/%{name}-docker-excluder %config(noreplace) %{_sysconfdir}/origin/master %files node +%{_bindir}/openshift-node-config %{_sysconfdir}/systemd/system.conf.d/origin-accounting.conf %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-node %defattr(-,root,root,0700) From cdaa6f8d92c58a5df23e03c8c285ed139eed6128 Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Sat, 28 Apr 2018 18:44:55 -0400 Subject: [PATCH 25/26] Remove parts of oc status that depend on oc in node container Will restore in the future. Also reduce logging level on tests below the unintelligible threshold. --- pkg/oc/bootstrap/docker/status.go | 34 ------------------------------- pkg/oc/bootstrap/docker/up.go | 2 +- test/extended/clusterup.sh | 14 ++++++------- 3 files changed, 8 insertions(+), 42 deletions(-) diff --git a/pkg/oc/bootstrap/docker/status.go b/pkg/oc/bootstrap/docker/status.go index 9c0ac0c32af9..f659643e1501 100644 --- a/pkg/oc/bootstrap/docker/status.go 
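Review bot: If `/usr/bin/openshift-node-config` fails or prints nothing, `flags` is empty and the following `exec /usr/bin/hyperkube kubelet` line starts the kubelet without any configuration-derived flags, unless `errexit` is set earlier in the script (the hunk starts at line 14, so that part is not visible). Making the failure explicit costs one line: `flags=$( /usr/bin/openshift-node-config "--config=${config}" ) || exit 1`. The new call also drops the `--loglevel=${DEBUG_LOGLEVEL:-2}` argument that the old command passed; if that is intended, a short comment would save the next reader from wondering.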
+++ b/pkg/oc/bootstrap/docker/status.go @@ -17,7 +17,6 @@ import ( configapilatest "github.com/openshift/origin/pkg/cmd/server/apis/config/latest" "github.com/openshift/origin/pkg/oc/bootstrap/docker/dockerhelper" "github.com/openshift/origin/pkg/oc/bootstrap/docker/errors" - "github.com/openshift/origin/pkg/oc/bootstrap/docker/exec" "github.com/openshift/origin/pkg/oc/bootstrap/docker/openshift" "github.com/openshift/origin/pkg/oc/cli/util/clientcmd" ) @@ -112,39 +111,6 @@ func (c *ClientStatusConfig) Status(f *clientcmd.Factory, out io.Writer) error { fmt.Fprint(out, status(container, masterConfig)) - notReady := 0 - - eh := exec.NewExecHelper(dockerClient, openshift.ContainerName) - - stdout, _, _ := eh.Command("oc", "get", "dc", "docker-registry", "-n", "default", "-o", "template", "--template", "{{.status.availableReplicas}}").Output() - if stdout != "1" { - fmt.Fprintln(out, "Notice: Docker registry is not yet ready") - notReady++ - } - - stdout, _, _ = eh.Command("oc", "get", "dc", "router", "-n", "default", "-o", "template", "--template", "{{.status.availableReplicas}}").Output() - if stdout != "1" { - fmt.Fprintln(out, "Notice: Router is not yet ready") - notReady++ - } - - stdout, _, _ = eh.Command("oc", "get", "job", "persistent-volume-setup", "-n", "default", "-o", "template", "--template", "{{.status.succeeded}}").Output() - if stdout != "1" { - fmt.Fprintln(out, "Notice: Persistent volumes are not yet ready") - notReady++ - } - - stdout, _, _ = eh.Command("oc", "get", "is", "-n", "openshift", "-o", "template", "--template", `{{range .items}}{{if not .status.tags}}notready{{end}}{{end}}`).Output() - if len(stdout) > 0 { - fmt.Fprintln(out, "Notice: Imagestreams are not yet ready") - notReady++ - } - - if notReady > 0 { - fmt.Fprintf(out, "\nNotice: %d OpenShift component(s) are not yet ready (see above)\n", notReady) - return fmt.Errorf("") - } - return nil } 
diff --git a/pkg/oc/bootstrap/docker/up.go b/pkg/oc/bootstrap/docker/up.go index 313a92840f8b..9e6fde285da0 100644 --- a/pkg/oc/bootstrap/docker/up.go +++ b/pkg/oc/bootstrap/docker/up.go @@ -231,7 +231,7 @@ func (c *ClusterUpConfig) Complete(cmd *cobra.Command) error { // Set the ImagePullPolicy field in static pods and components based in whether users specified // the --tag flag or not. c.defaultPullPolicy = "Always" - if cmd.Flag("tag").Changed { + if cmd.Flag("image").Changed || cmd.Flag("tag").Changed { c.defaultPullPolicy = "IfNotPresent" } diff --git a/test/extended/clusterup.sh b/test/extended/clusterup.sh index 5093979b88c6..aa2ffdf7f942 100755 --- a/test/extended/clusterup.sh +++ b/test/extended/clusterup.sh @@ -169,7 +169,7 @@ function os::test::extended::clusterup::noargs () { os::test::extended::clusterup::standard_test \ --base-dir=${base_dir} \ --tag="$ORIGIN_COMMIT" \ - --loglevel=5 \ + --loglevel=4 \ ${@} } @@ -177,8 +177,8 @@ function os::test::extended::clusterup::noargs () { function os::test::extended::clusterup::enable () { local base_dir base_dir=$(os::test::extended::clusterup::make_base_dir "enable") - os::cmd::expect_success "oc cluster up --loglevel=5 --base-dir=${base_dir} --tag=${ORIGIN_COMMIT} --enable=* --write-config" - os::cmd::expect_failure_and_text "oc cluster up --loglevel=5 --base-dir=${base_dir} --tag=${ORIGIN_COMMIT} --enable=foo" 'use cluster add instead' + os::cmd::expect_success "oc cluster up --loglevel=4 --base-dir=${base_dir} --tag=${ORIGIN_COMMIT} --enable=* --write-config" + os::cmd::expect_failure_and_text "oc cluster up --loglevel=4 --base-dir=${base_dir} --tag=${ORIGIN_COMMIT} --enable=foo" 'use cluster add instead' } # Tests creating a cluster with specific host directories 
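Review bot: The comment just above the changed condition still says the pull policy depends on "whether users specified the --tag flag or not", but `--image` now switches it to `IfNotPresent` as well. Update it, e.g. `// the --image or --tag flag or not.`, and note the consequence: with `IfNotPresent` an image of that name already present on the host is used without contacting the registry. `cmd.Flag("image")` returns nil for a flag that is not registered on the command, so `.Changed` would panic; the registration is outside this hunk, so confirm `image` is defined wherever `Complete` is called. `Complete` begins and ends outside the hunk.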
@@ -349,19 +349,19 @@ readonly extra_args=( # Test the previous OCP release # TODO - enable this once v3.9 ships, v3.7 didn't have a TSB image so it's # annoying to test. - #"--loglevel=5 --image=registry.access.redhat.com/openshift3/ose --tag=v3.7" + #"--loglevel=4 --image=registry.access.redhat.com/openshift3/ose --tag=v3.7" # Test the previous origin release # TODO - enable this once oc cluster up v3.9 supports modifiying cluster # roles on a 3.7 cluster image (https://github.com/openshift/origin/issues/17867) - # "--loglevel=5 --image=docker.io/openshift/origin --tag=v3.7.0" + # "--loglevel=4 --image=docker.io/openshift/origin --tag=v3.7.0" # Test the current published release # disabling this based on irc with clayton. This is more strict than openshift-ansible. - #"--loglevel=5" # can't be empty, so pass something benign + #"--loglevel=4" # can't be empty, so pass something benign # Test the code being delivered - "--loglevel=5 --server-loglevel=5 --tag=${ORIGIN_COMMIT}" + "--loglevel=4 --server-loglevel=4 --tag=${ORIGIN_COMMIT}" ) tests=("${1:-"${default_tests[@]}"}") From 7b613e480708e1c1352db04e00cf3e481e1ec4fe Mon Sep 17 00:00:00 2001 From: Clayton Coleman Date: Wed, 2 May 2018 11:32:41 -0400 Subject: [PATCH 26/26] React to service catalog changes --- examples/service-catalog/service-catalog.yaml | 4 +++- pkg/oc/bootstrap/bindata.go | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/examples/service-catalog/service-catalog.yaml b/examples/service-catalog/service-catalog.yaml index 57649344b26a..3caabb386772 100644 --- a/examples/service-catalog/service-catalog.yaml +++ b/examples/service-catalog/service-catalog.yaml @@ -41,7 +41,7 @@ objects: - service-catalog args: - apiserver - - --admission-control + - --enable-admission-plugins - KubernetesNamespaceLifecycle,DefaultServicePlan,ServiceBindingsLifecycle,ServicePlanChangeValidator,BrokerAuthSarCheck - --storage-type - etcd 
@@ -146,6 +146,8 @@ objects: - "3" - --leader-election-namespace - kube-service-catalog + - --leader-elect-resource-lock + - configmaps - --broker-relist-interval - "5m" - --feature-gates diff --git a/pkg/oc/bootstrap/bindata.go b/pkg/oc/bootstrap/bindata.go index 285217732d77..e5371b5369ee 100644 --- a/pkg/oc/bootstrap/bindata.go +++ b/pkg/oc/bootstrap/bindata.go @@ -16057,7 +16057,7 @@ objects: - service-catalog args: - apiserver - - --admission-control + - --enable-admission-plugins - KubernetesNamespaceLifecycle,DefaultServicePlan,ServiceBindingsLifecycle,ServicePlanChangeValidator,BrokerAuthSarCheck - --storage-type - etcd @@ -16162,6 +16162,8 @@ objects: - "3" - --leader-election-namespace - kube-service-catalog + - --leader-elect-resource-lock + - configmaps - --broker-relist-interval - "5m" - --feature-gates