create v1alpha1 aggregated api server

The aggregated API server serves the Hive v1alpha1 API as a proxy
to the Hive v1 API.

This code is based upon github.com/openshift/[email protected].

Author: staebler

Makefile

@@ -62,7 +62,7 @@ test-e2e-postinstall:
 
 # Builds all of hive's binaries (including utils).
 .PHONY: build
-build: manager hiveutil hiveadmission operator
+build: manager hiveutil hiveadmission operator hive-apiserver
 
 
 # Build manager binary
@@ -84,6 +84,11 @@ hiveutil: generate
 hiveadmission:
 	go build -o bin/hiveadmission github.com/openshift/hive/cmd/hiveadmission
 
+# Build v1alpha1 aggregated API server
+.PHONY: hive-apiserver
+hive-apiserver:
+	go build -o bin/hive-apiserver github.com/openshift/hive/cmd/hive-apiserver
+
 # Run against the configured Kubernetes cluster in ~/.kube/config
 .PHONY: run
 run: generate fmt vet
@@ -117,7 +122,8 @@ manifests: crd
 # Generate CRD yaml from our api types:
 .PHONY: crd
 crd:
-	go run vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go crd
+	# The apis-path is explicitly specified so that CRDs are not created for v1alpha1
+	go run tools/vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go crd --apis-path=pkg/apis/hive/v1
 
 # Run go fmt against code
 .PHONY: fmt
@@ -148,6 +154,10 @@ verify-lint:
 	@echo Verifying golint
 	@sh -c \
 	  'for file in $(GOFILES) ; do \
+	     if [[ $$file == "pkg/api/validation"* ]]; then continue; fi; \
+	     if [[ $$file == "pkg/hive/apis/hive/hiveconfig_types.go" ]]; then continue; fi; \
+	     if [[ $$file == "pkg/hive/apis/hive/hiveconversion/"* ]]; then continue; fi; \
+	     if [[ $$file == "pkg/hive/apiserver/registry/"* ]]; then continue; fi; \
 	     golint --set_exit_status $$file || exit 1 ; \
 	   done'
 

cmd/hive-apiserver/main.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	goflag "flag"
+	"fmt"
+	"math/rand"
+	"os"
+	"runtime"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
+	genericapiserver "k8s.io/apiserver/pkg/server"
+	utilflag "k8s.io/component-base/cli/flag"
+	"k8s.io/component-base/logs"
+
+	"github.com/openshift/hive/pkg/cmd/hive-apiserver"
+)
+
+func main() {
+	stopCh := genericapiserver.SetupSignalHandler()
+
+	rand.Seed(time.Now().UTC().UnixNano())
+
+	pflag.CommandLine.SetNormalizeFunc(utilflag.WordSepNormalizeFunc)
+	pflag.CommandLine.AddGoFlagSet(goflag.CommandLine)
+
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
+	if len(os.Getenv("GOMAXPROCS")) == 0 {
+		runtime.GOMAXPROCS(runtime.NumCPU())
+	}
+
+	command := NewHiveAPIServerCommand(stopCh)
+	if err := command.Execute(); err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
+		os.Exit(1)
+	}
+}
+
+func NewHiveAPIServerCommand(stopCh <-chan struct{}) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "hive-apiserver",
+		Short: "Command for the Hive v1alpha1 API Server",
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Help()
+			os.Exit(1)
+		},
+	}
+	start := hiveapiserver.NewHiveAPIServerCommand("start", os.Stdout, os.Stderr, stopCh)
+	cmd.AddCommand(start)
+
+	return cmd
+}

config/apiserver/apiserver.template.yaml

@@ -0,0 +1,146 @@
+apiVersion: v1
+kind: Template
+metadata:
+  name: apiserver-template
+
+parameters:
+- name: SVC_NAME
+  displayName: Service Name
+  description: The name of the hive v1alpha1 aggregated API server service.
+  value: hiveapi
+- name: SVC_NAMESPACE
+  displayName: Service Namespace
+  description: The namespace in which the hivev1alpha1 aggregated API server runs.
+  value: hive
+- name: HIVEAPI_IMAGE
+  displayName: Hive v1alpha1 API Server Image
+  description: Image of the Hive v1alpha1 aggregated API Server
+  value: 172.17.0.1:5000/hive:latest
+- name: CA_CRT
+  displayName: Hive v1alpha1 CA CRT
+  description: base64-encoded CA CRT for the hive v1alpha1 aggregated API Server
+  required: true
+- name: TLS_CRT
+  displayName: Hive v1alpha1 TLS CRT
+  description: base-64 encoded TLS CRT for the hive v1alpha1 aggregated API Server
+  required: true
+- name: TLS_KEY
+  displayName: Hive v1alpha1 TLS KEY
+  description: base-64 encoded TLS key for the hive v1alpha1 aggregated API Server
+  required: true
+
+objects:
+- apiVersion: v1
+  kind: Namespace
+  metadata:
+    name: ${SVC_NAMESPACE}
+
+- apiVersion: apiregistration.k8s.io/v1
+  kind: APIService
+  metadata:
+    name: v1alpha1.hive.openshift.io
+    labels:
+      api: hiveapi
+      apiserver: "true"
+  spec:
+    version: v1alpha1
+    group: hive.openshift.io
+    groupPriorityMinimum: 2000
+    service:
+      name: ${SVC_NAME}
+      namespace: ${SVC_NAMESPACE}
+    versionPriority: 10
+    caBundle: ${CA_CRT}
+
+- apiVersion: v1
+  kind: Service
+  metadata:
+    name: ${SVC_NAME}
+    namespace: ${SVC_NAMESPACE}
+    labels:
+      api: ${SVC_NAME}
+      apiserver: "true"
+  spec:
+    ports:
+    - port: 443
+      protocol: TCP
+      targetPort: 443
+    selector:
+      api: ${SVC_NAME}
+      apiserver: "true"
+
+- apiVersion: apps/v1beta1
+  kind: Deployment
+  metadata:
+    name: ${SVC_NAME}
+    namespace: ${SVC_NAMESPACE}
+    labels:
+      api: ${SVC_NAME}
+      apiserver: "true"
+  spec:
+    replicas: 1
+    template:
+      metadata:
+        labels:
+          api: ${SVC_NAME}
+          apiserver: "true"
+          etcd: ${SVC_NAME}
+      spec:
+        containers:
+        - name: apiserver
+          image: ${HIVEAPI_IMAGE}
+          volumeMounts:
+          - name: apiserver-certs
+            mountPath: /apiserver.local.config/certificates
+            readOnly: true
+          command:
+          - "hive-apiserver"
+          args:
+          - "start"
+          - "--tls-cert-file=/apiserver.local.config/certificates/tls.crt"
+          - "--tls-private-key-file=/apiserver.local.config/certificates/tls.key"
+          resources:
+            requests:
+              cpu: 100m
+              memory: 20Mi
+            limits:
+              cpu: 100m
+              memory: 30Mi
+        serviceAccountName: ${SVC_NAME}-sa
+        volumes:
+        - name: apiserver-certs
+          secret:
+            secretName: ${SVC_NAME}
+
+- apiVersion: v1
+  kind: Secret
+  type: kubernetes.io/tls
+  metadata:
+    name: ${SVC_NAME}
+    namespace: ${SVC_NAMESPACE}
+    labels:
+      api: ${SVC_NAME}
+      apiserver: "true"
+  data:
+    tls.crt: ${TLS_CRT}
+    tls.key: ${TLS_KEY}
+
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: ${SVC_NAME}-sa
+    namespace: ${SVC_NAMESPACE}
+
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: ${SVC_NAME}-cluster-admin
+    namespace: ${SVC_NAMESPACE}
+  subjects:
+    - kind: ServiceAccount
+      name: ${SVC_NAME}-sa
+      namespace: ${SVC_NAMESPACE}
+  roleRef:
+    kind: ClusterRole
+    name: cluster-admin
+    apiGroup: rbac.authorization.k8s.io

golangci.yml

@@ -1,5 +1,8 @@
 run:
   deadline: 30m
+  skip-files:
+    - pkg/hive/apis/hive/hiveconfig_types.go
+    - pkg/hive/apis/hive/hiveconversion/conversion.go
 
 linters:
   disable-all: true

pkg/api/doc.go

@@ -0,0 +1,2 @@
+// Package api should not be used.
+package api

pkg/api/install/install.go

@@ -0,0 +1,12 @@
+package install
+
+import (
+	"k8s.io/apimachinery/pkg/runtime"
+
+	hivev1alpha1 "github.com/openshift/hive/pkg/hive/apis/hive/install"
+)
+
+// InternalHive install the Hive API for internal consumption
+func InternalHive(scheme *runtime.Scheme) {
+	hivev1alpha1.Install(scheme)
+}

pkg/api/serialization_test.go

@@ -0,0 +1,63 @@
+package api_test
+
+import (
+	_ "k8s.io/kubernetes/pkg/apis/core/install"
+	// install all APIs
+	_ "github.com/openshift/hive/pkg/api/install"
+)
+
+// TODO (staebler): Determine if these round-trip serialization tests offer value for Hive's use-case.
+/*
+func v1alpha1Fuzzer(t *testing.T, seed int64) *fuzz.Fuzzer {
+	f := fuzzer.FuzzerFor(kapitesting.FuzzerFuncs, rand.NewSource(seed), legacyscheme.Codecs)
+	f.Funcs(
+		func(j *hiveapi.ClusterImageSet, c fuzz.Continue) {
+			c.FuzzNoCustom(j)
+		},
+
+		func(j *runtime.Object, c fuzz.Continue) {
+			// runtime.EmbeddedObject causes a panic inside of fuzz because runtime.Object isn't handled.
+		},
+		func(t *time.Time, c fuzz.Continue) {
+			// This is necessary because the standard fuzzed time.Time object is
+			// completely nil, but when JSON unmarshals dates it fills in the
+			// unexported loc field with the time.UTC object, resulting in
+			// reflect.DeepEqual returning false in the round trip tests. We solve it
+			// by using a date that will be identical to the one JSON unmarshals.
+			*t = time.Date(2000, 1, 1, 1, 1, 1, 0, time.UTC)
+		},
+		func(u64 *uint64, c fuzz.Continue) {
+			// TODO: uint64's are NOT handled right.
+			*u64 = c.RandUint64() >> 8
+		},
+	)
+	return f
+}
+
+const fuzzIters = 20
+
+// For debugging problems
+func TestSpecificKind(t *testing.T) {
+	seed := int64(2703387474910584091)
+	fuzzer := v1alpha1Fuzzer(t, seed)
+
+	legacyscheme.Scheme.Log(t)
+	defer legacyscheme.Scheme.Log(nil)
+
+	gvk := hiveapi.SchemeGroupVersion.WithKind("ClusterImageSet")
+	// TODO: make upstream CodecFactory customizable
+	codecs := serializer.NewCodecFactory(legacyscheme.Scheme)
+	for i := 0; i < fuzzIters; i++ {
+		roundtrip.RoundTripSpecificKindWithoutProtobuf(t, gvk, legacyscheme.Scheme, codecs, fuzzer, nil)
+	}
+}
+
+// TestRoundTripTypes applies the round-trip test to all round-trippable Kinds
+// in all of the API groups registered for test in the testapi package.
+func TestRoundTripTypes(t *testing.T) {
+	seed := rand.Int63()
+	fuzzer := v1alpha1Fuzzer(t, seed)
+
+	roundtrip.RoundTripTypes(t, legacyscheme.Scheme, legacyscheme.Codecs, fuzzer, nil)
+}
+*/

pkg/api/validation/register.go

@@ -0,0 +1,16 @@
+package validation
+
+import (
+	hivevalidation "github.com/openshift/hive/pkg/hive/apis/hive/validation"
+	// required to be loaded before we register
+	_ "github.com/openshift/hive/pkg/api/install"
+	hiveapi "github.com/openshift/hive/pkg/hive/apis/hive"
+)
+
+func init() {
+	registerAll()
+}
+
+func registerAll() {
+	Validator.MustRegister(&hiveapi.ClusterImageSet{}, false, hivevalidation.ValidateClusterImageSet, hivevalidation.ValidateClusterImageSetUpdate)
+}