add serializeable start config

hack/test-cmd.sh

@@ -75,7 +75,7 @@ OPENSHIFT_ON_PANIC=crash openshift start --master="${API_SCHEME}://${API_HOST}:$
 OS_PID=$!
 
 if [[ "${API_SCHEME}" == "https" ]]; then
-    export CURL_CA_BUNDLE="${CERT_DIR}/admin/root.crt"
+    export CURL_CA_BUNDLE="${CERT_DIR}/ca/cert.crt"
     export CURL_CERT="${CERT_DIR}/admin/cert.crt"
     export CURL_KEY="${CERT_DIR}/admin/key.key"
 fi
@@ -174,14 +174,18 @@ echo "templates: ok"
 [ "$(osc get --help 2>&1 | grep 'Display one or many resources')" ]
 [ "$(openshift cli get --help 2>&1 | grep 'Display one or many resources')" ]
 [ "$(openshift kubectl get --help 2>&1 | grep 'Display one or many resources')" ]
-[ "$(openshift start --help 2>&1 | grep 'Start an OpenShift server')" ]
+[ "$(openshift start --help 2>&1 | grep 'Start an OpenShift all-in-one server')" ]
+[ "$(openshift start master --help 2>&1 | grep 'Start an OpenShift master')" ]
+[ "$(openshift start node --help 2>&1 | grep 'Start an OpenShift node')" ]
 [ "$(osc get --help 2>&1 | grep 'osc')" ]
 
 # help for given command through help command must be consistent
 [ "$(osc help get 2>&1 | grep 'Display one or many resources')" ]
 [ "$(openshift cli help get 2>&1 | grep 'Display one or many resources')" ]
 [ "$(openshift kubectl help get 2>&1 | grep 'Display one or many resources')" ]
-[ "$(openshift help start 2>&1 | grep 'Start an OpenShift server')" ]
+[ "$(openshift help start 2>&1 | grep 'Start an OpenShift all-in-one server')" ]
+[ "$(openshift help start master 2>&1 | grep 'Start an OpenShift master')" ]
+[ "$(openshift help start node 2>&1 | grep 'Start an OpenShift node')" ]
 [ "$(openshift cli help update 2>&1 | grep 'openshift')" ]
 
 # runnable commands with required flags must error consistently

hack/test-end-to-end.sh

@@ -50,9 +50,12 @@ LOG_DIR="${LOG_DIR:-${BASETMPDIR}/logs}"
 ARTIFACT_DIR="${ARTIFACT_DIR:-${BASETMPDIR}/artifacts}"
 mkdir -p $LOG_DIR
 mkdir -p $ARTIFACT_DIR
+
+DEFAULT_SERVER_IP=`ifconfig | grep -Ev "(127.0.0.1|172.17.42.1)" | grep "inet " | head -n 1 | awk '{print $2}'`
+API_HOST="${API_HOST:-${DEFAULT_SERVER_IP}}"
 API_PORT="${API_PORT:-8443}"
 API_SCHEME="${API_SCHEME:-https}"
-API_HOST="${API_HOST:-localhost}"
+MASTER_ADDR="${API_SCHEME}://${API_HOST}:${API_PORT}"
 PUBLIC_MASTER_HOST="${PUBLIC_MASTER_HOST:-${API_HOST}}"
 KUBELET_SCHEME="${KUBELET_SCHEME:-http}"
 KUBELET_PORT="${KUBELET_PORT:-10250}"
@@ -168,25 +171,32 @@ echo "[INFO] Using images:              ${USE_IMAGES}"
 
 # Start All-in-one server and wait for health
 # Specify the scheme and port for the listen address, but let the IP auto-discover.	Set --public-master to localhost, for a stable link to the console.
+echo "[INFO] Create certificates for the OpenShift server"
+# find the same IP that openshift start will bind to.  This allows access from pods that have to talk back to master
+ALL_IP_ADDRESSES=`ifconfig | grep "inet " | awk '{print $2}'`
+SERVER_HOSTNAME_LIST="${PUBLIC_MASTER_HOST},localhost"
+while read -r IP_ADDRESS
+do
+	SERVER_HOSTNAME_LIST="${SERVER_HOSTNAME_LIST},${IP_ADDRESS}"
+done <<< "${ALL_IP_ADDRESSES}"
+
+openshift admin create-all-certs --overwrite=false --cert-dir="${CERT_DIR}" --hostnames="${SERVER_HOSTNAME_LIST}" --nodes="127.0.0.1" --master="${MASTER_ADDR}" --public-master="${API_SCHEME}://${PUBLIC_MASTER_HOST}"
+
+
 echo "[INFO] Starting OpenShift server"
 sudo env "PATH=${PATH}" OPENSHIFT_ON_PANIC=crash openshift start \
-     --listen="${API_SCHEME}://0.0.0.0:${API_PORT}" --public-master="${API_SCHEME}://${PUBLIC_MASTER_HOST}" \
+     --listen="${API_SCHEME}://0.0.0.0:${API_PORT}"  --master="${MASTER_ADDR}" --public-master="${API_SCHEME}://${PUBLIC_MASTER_HOST}" \
      --hostname="127.0.0.1" --volume-dir="${VOLUME_DIR}" \
      --etcd-dir="${ETCD_DATA_DIR}" --cert-dir="${CERT_DIR}" --loglevel=4 \
-     --images="${USE_IMAGES}" \
+     --images="${USE_IMAGES}" --create-certs=false\
      &> "${LOG_DIR}/openshift.log" &
 OS_PID=$!
 
 if [[ "${API_SCHEME}" == "https" ]]; then
-	export CURL_CA_BUNDLE="${CERT_DIR}/master/root.crt"
+	export CURL_CA_BUNDLE="${CERT_DIR}/ca/cert.crt"
 	export CURL_CERT="${CERT_DIR}/admin/cert.crt"
 	export CURL_KEY="${CERT_DIR}/admin/key.key"
 
-	# Generate the certs first
-	wait_for_file "${CERT_DIR}/openshift-client/key.key" 0.5 80
-	wait_for_file "${CERT_DIR}/admin/key.key" 0.5 80
-	wait_for_file "${CURL_CA_BUNDLE}" 0.5 80
-
 	# Read client cert data in to send to containerized components
 	sudo chmod -R a+rX "${CERT_DIR}/openshift-client/"
 
@@ -204,6 +214,9 @@ wait_for_url "${API_SCHEME}://${API_HOST}:${API_PORT}/api/v1beta1/minions/127.0.
 # Set KUBERNETES_MASTER for osc
 export KUBERNETES_MASTER="${API_SCHEME}://${API_HOST}:${API_PORT}"
 
+# add e2e-user as a viewer for the default namespace so we can see infrastructure pieces appear
+openshift ex policy add-user view anypassword:e2e-user --namespace=default
+
 # create test project so that this shows up in the console
 openshift ex new-project test --description="This is an example project to demonstrate OpenShift v3" --admin="anypassword:e2e-user"
 

hack/test-integration.sh

@@ -44,12 +44,23 @@ start_etcd
 trap cleanup EXIT SIGINT
 
 function exectest() {
+  echo "running $1..."
+
   out=$("${testexec}" -test.run="^$1$" "${@:2}" 2>&1)
+
+  tput cuu 1 # Move up one line
+  tput el    # Clear "running" line
+
   res=$?
   if [[ ${res} -eq 0 ]]; then
-    echo ok $1
+    tput setaf 2 # green
+    echo "ok      $1"
+    tput sgr0    # reset
     exit 0
   else
+    tput setaf 1 # red
+    echo "failed  $1"
+    tput sgr0    # reset
     echo "${out}"
     exit 1
   fi

hack/verify-gofmt.sh

@@ -25,6 +25,7 @@ find_files() {
       \( \
         -wholename './output' \
         -o -wholename './_output' \
+        -o -wholename './.git' \
         -o -wholename './release' \
         -o -wholename './pkg/assets/bindata.go' \
         -o -wholename './target' \

pkg/authorization/authorizer/subjects_test.go

@@ -33,7 +33,7 @@ func TestSubjects(t *testing.T) {
 			Resource: "pods",
 		},
 		expectedUsers:  util.NewStringSet("Anna", "ClusterAdmin", "Ellen", "Valerie", "system:kube-client", "system:openshift-client", "system:openshift-deployer"),
-		expectedGroups: util.NewStringSet("RootUsers", "system:cluster-admins"),
+		expectedGroups: util.NewStringSet("RootUsers", "system:cluster-admins", "system:nodes"),
 	}
 	test.policies = newDefaultGlobalPolicies()
 	test.policies = append(test.policies, newAdzePolicies()...)

pkg/cmd/openshift/openshift.go

@@ -18,7 +18,8 @@ import (
 	"github.com/openshift/origin/pkg/cmd/infra/builder"
 	"github.com/openshift/origin/pkg/cmd/infra/deployer"
 	"github.com/openshift/origin/pkg/cmd/infra/router"
-	"github.com/openshift/origin/pkg/cmd/server"
+	"github.com/openshift/origin/pkg/cmd/server/certs"
+	"github.com/openshift/origin/pkg/cmd/server/start"
 	"github.com/openshift/origin/pkg/cmd/templates"
 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"
 	"github.com/openshift/origin/pkg/version"
@@ -78,8 +79,9 @@ func NewCommandOpenShift() *cobra.Command {
 	root.SetUsageTemplate(templates.MainUsageTemplate())
 	root.SetHelpTemplate(templates.MainHelpTemplate())
 
-	openshiftStartCommand, _ := server.NewCommandStartServer("start")
-	root.AddCommand(openshiftStartCommand)
+	startAllInOne, _ := start.NewCommandStartAllInOne()
+	root.AddCommand(startAllInOne)
+	root.AddCommand(certs.NewCommandAdmin())
 	root.AddCommand(cli.NewCommandCLI("cli", "openshift cli"))
 	root.AddCommand(cli.NewCmdKubectl("kube"))
 	root.AddCommand(newExperimentalCommand("openshift", "ex"))

pkg/cmd/server/api/helpers.go

@@ -0,0 +1,125 @@
+package api
+
+import (
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+
+	kclient "github.com/GoogleCloudPlatform/kubernetes/pkg/client"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/clientcmd"
+
+	"github.com/openshift/origin/pkg/client"
+	"github.com/openshift/origin/pkg/cmd/server/crypto"
+)
+
+func GetKubeClient(kubeConfigFile string) (*kclient.Client, *kclient.Config, error) {
+	loadingRules := &clientcmd.ClientConfigLoadingRules{CommandLinePath: kubeConfigFile}
+	loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
+
+	kubeConfig, err := loader.ClientConfig()
+	if err != nil {
+		return nil, nil, err
+	}
+	kubeClient, err := kclient.New(kubeConfig)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return kubeClient, kubeConfig, nil
+}
+
+func GetOpenShiftClient(kubeConfigFile string) (*client.Client, *kclient.Config, error) {
+	loadingRules := &clientcmd.ClientConfigLoadingRules{CommandLinePath: kubeConfigFile}
+	loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
+
+	kubeConfig, err := loader.ClientConfig()
+	if err != nil {
+		return nil, nil, err
+	}
+	openshiftClient, err := client.New(kubeConfig)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return openshiftClient, kubeConfig, nil
+}
+
+func UseTLS(servingInfo ServingInfo) bool {
+	return len(servingInfo.ServerCert.CertFile) > 0
+}
+
+// GetAPIClientCertCAPool returns the cert pool used to validate client certificates to the API server
+func GetAPIClientCertCAPool(options MasterConfig) (*x509.CertPool, error) {
+	certs, err := getAPIClientCertCAs(options)
+	if err != nil {
+		return nil, err
+	}
+	roots := x509.NewCertPool()
+	for _, root := range certs {
+		roots.AddCert(root)
+	}
+	return roots, nil
+}
+
+// GetClientCertCAPool returns a cert pool containing all client CAs that could be presented (union of API and OAuth)
+func GetClientCertCAPool(options MasterConfig) (*x509.CertPool, error) {
+	roots := x509.NewCertPool()
+
+	// Add CAs for OAuth
+	certs, err := getOAuthClientCertCAs(options)
+	if err != nil {
+		return nil, err
+	}
+	for _, root := range certs {
+		roots.AddCert(root)
+	}
+
+	// Add CAs for API
+	certs, err = getAPIClientCertCAs(options)
+	if err != nil {
+		return nil, err
+	}
+	for _, root := range certs {
+		roots.AddCert(root)
+	}
+
+	return roots, nil
+}
+
+// GetAPIServerCertCAPool returns the cert pool containing the roots for the API server cert
+func GetAPIServerCertCAPool(options MasterConfig) (*x509.CertPool, error) {
+	caRoots, err := crypto.GetTLSCARoots(options.ServingInfo.ClientCA)
+	if err != nil {
+		return nil, err
+	}
+	roots := x509.NewCertPool()
+	for _, root := range caRoots.Roots {
+		roots.AddCert(root)
+	}
+	return roots, nil
+}
+
+func getOAuthClientCertCAs(options MasterConfig) ([]*x509.Certificate, error) {
+	caFile := options.OAuthConfig.ProxyCA
+	if len(caFile) == 0 {
+		return nil, nil
+	}
+	caPEMBlock, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return nil, err
+	}
+	certs, err := crypto.CertsFromPEM(caPEMBlock)
+	if err != nil {
+		return nil, fmt.Errorf("Error reading %s: %s", caFile, err)
+	}
+	return certs, nil
+}
+
+func getAPIClientCertCAs(options MasterConfig) ([]*x509.Certificate, error) {
+	apiClientCertCAs, err := crypto.GetTLSCARoots(options.ServingInfo.ClientCA)
+	if err != nil {
+		return nil, err
+	}
+
+	return apiClientCertCAs.Roots, nil
+}

pkg/cmd/server/api/latest/latest.go

@@ -0,0 +1,24 @@
+package latest
+
+import (
+	"github.com/openshift/origin/pkg/cmd/server/api/v1"
+)
+
+// Version is the string that represents the current external default version.
+const Version = "v1"
+
+// OldestVersion is the string that represents the oldest server version supported,
+// for client code that wants to hardcode the lowest common denominator.
+const OldestVersion = "v1"
+
+// Versions is the list of versions that are recognized in code. The order provided
+// may be assumed to be least feature rich to most feature rich, and clients may
+// choose to prefer the latter items in the list over the former items when presented
+// with a set of versions to choose.
+var Versions = []string{"v1"}
+
+// Codec is the default codec for serializing output that should use
+// the latest supported version.  Use this Codec when writing to
+// disk, a data store that is not dynamically versioned, or in tests.
+// This codec can decode any object that Kubernetes is aware of.
+var Codec = v1.Codec

pkg/cmd/server/api/register.go

@@ -0,0 +1,17 @@
+package api
+
+import (
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"
+)
+
+var Scheme = runtime.NewScheme()
+
+func init() {
+	Scheme.AddKnownTypes("",
+		&MasterConfig{},
+		&NodeConfig{},
+	)
+}
+
+func (*MasterConfig) IsAnAPIObject() {}
+func (*NodeConfig) IsAnAPIObject()   {}