Cleanup oadm router somewhat

[smarterclayton]

Still more work to do in the router command, it's gotten... opaque.

@liggitt

[smarterclayton]

@detiber starting with 1.2/3.2 we will want to pass --subdomain=ROUTER_SUBDOMAIN to oadm router in a single le. The default config should remain for back compat.

[smarterclayton]

[test]

[smarterclayton]

Ok, this now includes even more function - it:

• remove hostport support from oadm router - it's useless and someone can set that on their own
• store default certificate as a secret and plumb the path all the way down to the haproxy instance
• change the default from using ENV for secrets to using service account, and generate resources for each thing that needs to be set
  • default certificate is passed as bytes if this flag is set, otherwise is set as a path environment variable
• cleanup the SCC warning on the router
• the --ports mapping is now repurposed to the mapping on the router service (to make routers easier to remap)
• support --subdomain as a template

I've done local testing and everything seems to be ok, but needs a bit more look and love.

@detiber FYI this is changing router default to create a service account - all other flags are the same, but you can now omit --credentials, and we probably want to start setting --subdomain

@pweil- @ramr for review

[liggitt]

is this standard? if so, [citation needed] as a comment

[smarterclayton]

It's the RH standard, vs ubuntu which is using the older /etc/ssl

[smarterclayton]

@ramr review please

[smarterclayton]

moar eyes

[pweil-]

@Kargakis - would you mind giving this some eyeballs since I'm tied up still?

[0xmichalis]

https://github.com/kubernetes/kubernetes/blob/0866c377e9a84a73e0ff78efdd1def7f7e8b437a/pkg/api/types.go#L2311

[smarterclayton]

Not in our branch yet

On Wed, Feb 17, 2016 at 11:51 AM, Michail Kargakis <[email protected]

wrote:

In pkg/cmd/admin/router/router.go
#7251 (comment):

        Name:      secretsVolumeName,
        ReadOnly:  true,
        MountPath: secretsPath,
    }

•   mounts = append(mounts, mount)
  

• }

• if len(defaultCert) > 0 {

•   // TODO: extract the private key from the CRT and set it as its own key
  

•   // TODO: use upstream constants for this
  

•   secret := &kapi.Secret{
  

•       ObjectMeta: kapi.ObjectMeta{
  

•           Name: fmt.Sprintf("%s-certs", cfg.Name),
  

•       },
  

•       Type: "kubernetes.io/tls",
  

https://github.com/kubernetes/kubernetes/blob/0866c377e9a84a73e0ff78efdd1def7f7e8b437a/pkg/api/types.go#L2311

—
Reply to this email directly or view it on GitHub
https://github.com/openshift/origin/pull/7251/files#r53193982.

[smarterclayton]

@liggitt review last commit

[liggitt]

one question on newline in encoding PEM blocks

[smarterclayton]

Does add trailing newline.

[smarterclayton]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5028/) (Image: devenv-rhel7_3476)

[openshift-bot]

Evaluated for origin merge up to 241d02b

[smarterclayton]

[test]

[smarterclayton]

Well this is a nice flake:

ERROR: gave up waiting for https://127.0.0.1:38443/healthz

!!! Error in /data/src/github.com/openshift/origin/hack/../hack/util.sh:370
    'return 1' exited with status 1
Call stack:
    1: /data/src/github.com/openshift/origin/hack/../hack/util.sh:370 start_os_master(...)
    2: /data/src/github.com/openshift/origin/hack/update-generated-swagger-spec.sh:50 main(...)
Exiting with status 1
[INFO] Dumping container logs to /tmp/openshift/generate-swagger-spec//logs
[INFO] Dumping all resources to /tmp/openshift/generate-swagger-spec//logs/export_all.json
Authentication required for https://127.0.0.1:38443 (openshift)
Username: system:admin
Password: error: username system:admin is invalid for basic auth
error: failed to negotiate an api version; server supports: map[], client supports: map[v1:{} v1beta3:{} extensions/v1beta1:{} metrics/v1alpha1:{} componentconfig/v1alpha1:{} authorization.k8s.io/v1beta1:{}]

[smarterclayton]

[test]

[smarterclayton]

Error from server: buildconfigs "test" not found
W0219 00:44:52.316886    5128 cmd.go:212] -p POD is DEPRECATED and will be removed in a future version. Use exec POD instead.
!!! Error in hack/../hack/../test/end-to-end/core.sh:299
    'grep -q "unable to validate against any security context constraint"' exited with status 0 1
Call stack:
    1: hack/../hack/../test/end-to-end/core.sh:299 main(...)
Exiting with status 1
Error from server: User "e2e-default-admin" cannot list all buildconfigs in the cluster

[test]

[openshift-bot]

Evaluated for origin test up to 241d02b

[openshift-bot]

continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/1380/)