Merge pull request #15993 from deads2k/tsb-22-install

Automatic merge from submit-queue

move the TSB templates to an install location

@ewolinetz @sdodson this separates the templates into
 1. apiserver config yaml for substitution by ansible
 2. rbac-template to be reconciled
 3. apiserver-template to accept the substituted apiserver config.yaml and be oc applied

@bparees @jim-minter This is splitting up pieces for ansible to consume

@stevekuznetsov Let's say I had this new requirement to synchronize the `install` folder from origin into a directory of @sdodson's choosing in openshift-ansible on every origin merge that changed a file in `install`?  This would let ownership of the file be clearly in origin by the developer working on it and @sdodson mentioned a way to actually use these origin files to drive the ansible install in CI, so that we get a matched set.

Author: openshift-merge-robot

hack/update-generated-bindata.sh

@@ -32,7 +32,7 @@ pushd "${OS_ROOT}" > /dev/null
     examples/heapster/... \
     examples/prometheus/... \
     examples/service-catalog/... \
-    examples/templateservicebroker/... \
+    install/... \
     pkg/image/admission/imagepolicy/api/v1/...
 
 "$(os::util::find::gopath_binary go-bindata)" \
@@ -54,12 +54,12 @@ pushd "${OS_ROOT}" > /dev/null
     examples/hello-openshift \
     examples/jenkins/... \
     examples/quickstarts/cakephp-mysql.json \
-    examples/templateservicebroker/...
+    install/...
 
 popd > /dev/null
 
 # If you hit this, please reduce other tests instead of importing more
-if [[ "$( cat "${OUTPUT_PARENT}/test/extended/testdata/bindata.go" | wc -c )" -gt 950000 ]]; then
+if [[ "$( cat "${OUTPUT_PARENT}/test/extended/testdata/bindata.go" | wc -c )" -gt 1500000 ]]; then
     echo "error: extended bindata is $( cat "${OUTPUT_PARENT}/test/extended/testdata/bindata.go" | wc -c ) bytes, reduce the size of the import" 1>&2
     exit 1
 fi

examples/templateservicebroker/apiserver-config.yaml renamed to install/templateservicebroker/apiserver-config.yaml

@@ -1,14 +1,12 @@
 apiVersion: template.openshift.io/v1
 kind: Template
 metadata:
-  name: template-service-broker
+  name: template-service-broker-apiserver
 parameters:
 - name: IMAGE
   value: openshift/origin:latest
 - name: NAMESPACE
   value: openshift-template-service-broker
-- name: KUBE_SYSTEM
-  value: kube-system
 - name: LOGLEVEL
   value: "0"
 - name: API_SERVER_CONFIG
@@ -100,41 +98,3 @@ objects:
     ports:
     - port: 443
       targetPort: 8443
-
-# to delegate authentication and authorization
-- apiVersion: authorization.openshift.io/v1
-  kind: ClusterRoleBinding
-  metadata:
-    name: auth-delegator-${NAMESPACE}
-  roleRef:
-    name: system:auth-delegator
-  subjects:
-  - kind: ServiceAccount
-    namespace: ${NAMESPACE}
-    name: apiserver
-
-# to have the template service broker powers
-- apiVersion: authorization.openshift.io/v1
-  kind: ClusterRoleBinding
-  metadata:
-    name: tsb-${NAMESPACE}
-  roleRef:
-    name: system:openshift:controller:template-service-broker
-  subjects:
-  - kind: ServiceAccount
-    namespace: ${NAMESPACE}
-    name: apiserver
-
-# to read the config for terminating authentication
-- apiVersion: authorization.openshift.io/v1
-  kind: RoleBinding
-  metadata:
-    namespace: ${KUBE_SYSTEM}
-    name: extension-apiserver-authentication-reader-${NAMESPACE}
-  roleRef:
-    namespace: kube-system
-    name: extension-apiserver-authentication-reader
-  subjects:
-  - kind: ServiceAccount
-    namespace: ${NAMESPACE}
-    name: apiserver

examples/templateservicebroker/templateservicebroker-template.yaml renamed to install/templateservicebroker/apiserver-template.yaml

@@ -0,0 +1,48 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: template-service-broker-rbac
+parameters:
+- name: NAMESPACE
+  value: openshift-template-service-broker
+- name: KUBE_SYSTEM
+  value: kube-system
+objects:
+
+# to delegate authentication and authorization
+- apiVersion: authorization.openshift.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: auth-delegator-${NAMESPACE}
+  roleRef:
+    name: system:auth-delegator
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# to have the template service broker powers
+- apiVersion: authorization.openshift.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: tsb-${NAMESPACE}
+  roleRef:
+    name: system:openshift:controller:template-service-broker
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# to read the config for terminating authentication
+- apiVersion: authorization.openshift.io/v1
+  kind: RoleBinding
+  metadata:
+    namespace: ${KUBE_SYSTEM}
+    name: extension-apiserver-authentication-reader-${NAMESPACE}
+  roleRef:
+    namespace: kube-system
+    name: extension-apiserver-authentication-reader
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: apiserver

install/templateservicebroker/rbac-template.yaml

@@ -17,9 +17,11 @@ import (
 )
 
 const (
-	tsbNamespace        = "openshift-template-service-broker"
-	tsbTemplateName     = "template-service-broker"
-	tsbTemplateLocation = "examples/templateservicebroker/templateservicebroker-template.yaml"
+	tsbNamespace                 = "openshift-template-service-broker"
+	tsbRBACTemplateName          = "template-service-broker-rbac"
+	tsbAPIServerTemplateName     = "template-service-broker-apiserver"
+	tsbRBACTemplateLocation      = "install/templateservicebroker/rbac-template.yaml"
+	tsbAPIServerTemplateLocation = "install/templateservicebroker/apiserver-template.yaml"
 )
 
 // InstallServiceCatalog checks whether the template service broker is installed and installs it if not already installed
@@ -35,20 +37,27 @@ func (h *Helper) InstallTemplateServiceBroker(f *clientcmd.Factory, imageFormat
 	}
 
 	// create the template in the tsbNamespace to make it easy to instantiate
-	if err := ImportObjects(f, tsbNamespace, tsbTemplateLocation); err != nil {
+	if err := ImportObjects(f, tsbNamespace, tsbRBACTemplateLocation); err != nil {
+		return errors.NewError("cannot create template service broker permissions template").WithCause(err)
+	}
+	if err := ImportObjects(f, tsbNamespace, tsbAPIServerTemplateLocation); err != nil {
 		return errors.NewError("cannot create template service broker template").WithCause(err)
 	}
 
+	if err = instantiateTemplate(osClient, clientcmd.ResourceMapper(f), tsbNamespace, tsbRBACTemplateName, tsbNamespace, map[string]string{}, true); err != nil {
+		return errors.NewError("cannot instantiate template service broker permissions").WithCause(err)
+	}
+
 	// create the actual resources required
 	imageTemplate := variable.NewDefaultImageTemplate()
 	imageTemplate.Format = imageFormat
 	imageTemplate.Latest = false
 
-	if err = instantiateTemplate(osClient, clientcmd.ResourceMapper(f), tsbNamespace, tsbTemplateName, tsbNamespace, map[string]string{
+	if err = instantiateTemplate(osClient, clientcmd.ResourceMapper(f), tsbNamespace, tsbAPIServerTemplateName, tsbNamespace, map[string]string{
 		"IMAGE":    imageTemplate.ExpandOrDie(""),
 		"LOGLEVEL": fmt.Sprint(serverLogLevel),
 	}, true); err != nil {
-		return errors.NewError("cannot instantiate logger accounts").WithCause(err)
+		return errors.NewError("cannot instantiate template service broker resources").WithCause(err)
 	}
 
 	// Wait for the apiserver endpoint to become available

pkg/oc/bootstrap/bindata.go

@@ -124,7 +124,20 @@ func setUser(cli *exutil.CLI, user *userapi.User) {
 // speak to it and a close method which provides the proxy.  The caller must
 // call the close method, usually done in AfterEach
 func EnsureTSB(tsbOC *exutil.CLI) (osbclient.Client, func() error) {
-	configPath := exutil.FixturePath("..", "..", "examples", "templateservicebroker", "templateservicebroker-template.yaml")
+	{
+		configPath := exutil.FixturePath("..", "..", "install", "templateservicebroker", "rbac-template.yaml")
+		stdout, _, err := tsbOC.WithoutNamespace().Run("process").Args("-f", configPath, "-p", "NAMESPACE="+tsbOC.Namespace()).Outputs()
+		if err != nil {
+			e2e.Logf("Error processing TSB template at %s: %v \n", configPath, err)
+		}
+		err = tsbOC.WithoutNamespace().AsAdmin().Run("create").Args("-f", "-").InputString(stdout).Execute()
+		if err != nil {
+			// If template tests run in parallel this could be created twice, we don't really care.
+			e2e.Logf("Error creating TSB resources: %v \n", err)
+		}
+	}
+
+	configPath := exutil.FixturePath("..", "..", "install", "templateservicebroker", "apiserver-template.yaml")
 
 	err := tsbOC.AsAdmin().Run("new-app").Args(configPath, "-p", "LOGLEVEL=4", "-p", "NAMESPACE="+tsbOC.Namespace()).Execute()
 	o.Expect(err).NotTo(o.HaveOccurred())