Squashed 'cmd/service-catalog/go/src/github.com/kubernetes-incubator/…

…service-catalog/' changes from 7e650e7e39..ef63307bdb ef63307bdb origin build: add origin tooling a876fe3 v0.0.17 (openshift#1178) c5237fe correct osbapi service definition (openshift#1177) 6036d4e Adding walkthrough instructions for 1.7 (openshift#1171) 5f111dd Specifying that you need Helm v2.5.0 for installation (openshift#1170) 08043bd Adding more small fixes to the walkthrough & install docs (openshift#1169) d65d4a1 rbac targets needed to be renamed as well (openshift#1161) 590f6f2 Write helm command to file for api aggregation (openshift#1141) 49ddcf6 clean before building a specific arch (openshift#1168) 43f7cfb Splitting up the Walkthrough for 1.6 and 1.7 instructions (openshift#1163) 02e0217 Updates to README (openshift#1166) 57f2aa5 Adding instructions for installing from Macs (openshift#1164) dfe620e fix rate-limiting for polling queue (openshift#1143) ca5f335 Use Generation instead of checksum for Broker (openshift#1145) 5364daa Merge branch 'pr/1158' f34c5db move Travis deployment script to directory in 'contrib/' 2a00d7f Update incorrect port (openshift#1156) b0ed60e improve the repository's layout (openshift#1154) f870baf Follow up file / renames from openshift#1142 (openshift#1152) 826b4f9 remove unnecessary json annotations (openshift#1153) 33cb345 Rename resources. closes openshift#1080 (openshift#1142) 70c2b9b Add ability to specify CA certs to use for TLS authentication. (openshift#1112) 2aa5039 v0.0.16 (openshift#1140) 65de49c Comments for unit test bullet proofing (openshift#1139) REVERT: 7e650e7e39 origin build: add origin tooling git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog git-subtree-split: ef63307bdbaa64efca204912f5361a4f3d3be2c8
jpeeler · Sep 5, 2017 · 03955cd · 03955cd
1 parent 1cd2988
commit 03955cd
Show file tree

Hide file tree

Showing 194 changed files with 8,723 additions and 7,640 deletions.
diff --git a/.gitignore b/.gitignore
@@ -20,5 +20,6 @@ contrib/build/*/tmp/*
 .pkg
 .kube
 .var
+docs/certs
 # this is for buildling service catalog with origin tooling
 _output
diff --git a/.travis.yml b/.travis.yml
@@ -9,7 +9,7 @@ script:
 - make verify build test images
 deploy:
   provider: script
-  script: scripts/deploy.sh
+  script: contrib/travis/deploy.sh
   on:
     repo: kubernetes-incubator/service-catalog
     all_branches: true
diff --git a/Makefile b/Makefile
@@ -326,6 +326,8 @@ images: user-broker-image controller-manager-image apiserver-image
 
 images-all: $(addprefix arch-image-,$(ALL_ARCH))
 arch-image-%:
+	$(MAKE) clean-bin
+	$(MAKE) ARCH=$* build
 	$(MAKE) ARCH=$* images
 
 define build-and-tag # (service, image, mutable_image, prefix)

diff --git a/ORIGIN-SYNC-README.txt b/ORIGIN-SYNC-README.txt
@@ -8,19 +8,45 @@ Prerequisite setup:
   put in the openshift/service-catalog:origin-patches branch (git log
   cmd/service-catalog)
 
+# syncs the openshift/service-catalog repo with the upstream tag
+# (in service-catalog repo)
+$ TAG=v0.0.10
+$ git pull origin (remote that points to service-catalog upstream)
+$ git push openshift $TAG
+
+(in service-catalog repo)
+# update master (not used, but looks weird if not updated)
+$ git checkout master
+$ git merge --ff-only $TAG
+$ git push
+
+(let's not worry about the -squashed branch here and remove this)
 If patches need bringing over from openshift/origin, put them in the
 service-catalog:origin-patches branch. Then squash all the changes into the
 service-catalog:origin-patches-squashed branch. The reason this is important
 to do is because once the subtree merge is performed, anything under
 cmd/service-catalog/... will be overwritten. Also, make sure to rebase the
 origin-patches branch as needed.
 
-# syncs the openshift/service-catalog repo with the upstream tag
-# (in service-catalog repo)
-$ TAG=v0.0.10
-$ git pull origin
-$ git push openshift $TAG
+# Update 9/1 - a better way for handling patches
+(catalog repo)
+$ git fetch openshift
+(origin repo)
+$ git pull
+$ cd cmd/service-catalog
+$ git log .
+if patches, go ahead and descend to the path that will match the non-vendored repo
+$ cd go/src/github.com/kubernetes-incubator/service-catalog
+$ find SHAs needing bringing over (this could be done in one command, but for now do for each one):
+$ git format-patch -1 ce7709e81b90e24aebfb5366001645a7e7d78fd8 --relative
+$ mv *.patch to catalog repo
+$ git am <patch file> (in origin-patches)
+#unchecked
+$ git rebase $TAG
+$ git squash all origin patches into one commit... (technically optional, but looks nicer)
+$ git push openshift
 
+(NO LONGER NEEDED, not going to use squashed branch)
 # updates code to latest tag and adds origin patches on top
 # (in service-catalog repo)
 $ git branch $TAG $TAG+origin

diff --git a/README.md b/README.md
@@ -7,13 +7,13 @@
 ### Introduction
 
 The service-catalog project is in incubation to bring integration with service
-brokers to the Kubernetes ecosystem via the [Open Service Broker
-API](https://github.com/openservicebrokerapi/servicebroker). A service broker
-is an endpoint that manages a set of services.  The end-goal of the service-
-catalog project is to provide a way for Kubernetes users to consume services
-from brokers and easily configure their applications to use those services,
-without needing detailed knowledge about how those services are created /
-managed.
+brokers to the Kubernetes ecosystem via the [Open Service Broker API](https://github.com/openservicebrokerapi/servicebroker).
+
+A _service broker_ is an endpoint that manages a set of software offerings
+called _services_. The end-goal of the service-catalog project is to provide
+a way for Kubernetes users to consume services from brokers and easily
+configure their applications to use those services, without needing detailed
+knowledge about how those services are created or managed.
 
 As an example:
 
@@ -32,13 +32,14 @@ _somewhere_ in a simple way:
     cluster as the consumer or a different cluster, or even creating a new
     tenant in a multi-tenant SaaS system.  The point is that the
     consumer doesn't have to be aware of or care at all about the details.
-3.  The user _binds_ that service to their application
+3.  The user requests a _credential_ to use the service instance in their application
+
+    Credentials are delivered to users in normal Kubernetes secrets and
+    contain information necessary to connect to and authenticate to the
+    service instance.
 
-    _Binding_ means that the application is injected with the information
-    necessary to use the service, such as coordinates, credentials, and
-    configuration items.  Applications are injected using the existing
-    application configuration primitives in Kubernetes: Services, Secrets, and
-    ConfigMaps.
+For more introduction, including installation and self-guided demo 
+instructions, please see the [introduction](./docs/introduction.md) doc.
 
 For more details about the design and features of this project see the
 [design](docs/design.md) doc.
@@ -54,11 +55,11 @@ For more details about the design and features of this project see the
 ### Overall Status
 
 We are currently working toward a beta-quality release to be used in conjunction with
-Kubernetes 1.6. See the
+Kubernetes 1.8. See the
 [milestones list](https://github.com/kubernetes-incubator/service-catalog/milestones?direction=desc&sort=due_date&state=open) 
 for information about the issues and PRs in current and future milestones.
 
-**NOTE**: Some fields in our API will still be considered **ALPHA** after the
+**NOTE**: Some fields in our API may still be considered **ALPHA** after the
 API graduates to **BETA**.  These fields are prefixed with `alpha` in
 JSON/YAML.  Alpha fields are provided for use at your own risk, may not work
 correctly, may be subject to change or removal at any time, and will not have
@@ -76,7 +77,7 @@ for more information.
 
 Our goal is to have extensive use-case and functional documentation.
 
-See [here](./docs/v1) for [documentation](./docs/v1).
+See [here](./docs/v1) for detailed documentation.
 
 See [here](https://github.com/kubernetes-incubator/service-catalog/wiki/Examples) for examples and
 [here](https://github.com/openservicebrokerapi/servicebroker/blob/master/gettingStarted.md) for
@@ -85,13 +86,12 @@ broker servers that are compatible with this software.
 ### Terminology
 
 This project's problem domain contains a few inconvenient but unavoidable
-overloads with other Kubernetes terms.  Check out our [terminology
-page](./terminology.md) for definitions of terms as they are used in this
-project.
+overloads with other Kubernetes terms.  Check out our [terminology page](./terminology.md)
+for definitions of terms as they are used in this project.
 
 ### Contributing
 
-Interested in contributing?  Check out the [documentation](./CONTRIBUTING.md).
+Interested in contributing?  Check out the [contributing documentation](./CONTRIBUTING.md).
 
 Also see the [developer's guide](./docs/devguide.md) for information on how to
 build and test the code.

diff --git a/charts/catalog/README.md b/charts/catalog/README.md
@@ -39,7 +39,7 @@ chart and their default values.
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
-| `apiserver.image` | apiserver image to use | `quay.io/kubernetes-service-catalog/apiserver:v0.0.15` |
+| `apiserver.image` | apiserver image to use | `quay.io/kubernetes-service-catalog/apiserver:v0.0.17` |
 | `apiserver.imagePullPolicy` | `imagePullPolicy` for the apiserver | `Always` |
 | `apiserver.tls.cert` | Base64-encoded x509 certificate | A self-signed certificate |
 | `apiserver.tls.key` | Base64-encoded private key | The private key for the certificate above |
@@ -53,7 +53,7 @@ chart and their default values.
 | `apiserver.storage.tpr.globalNamespace` | If storage type is `tpr`: Some service catalog resources are not namespaced, but third party resources must be; setting this designates a namespace that will be treated as a container for such resources | `servicecatalog` |
 | `apiserver.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
 | `apiserver.auth.enabled` | Enable authentication and authorization | `false` |
-| `controllerManager.image` | controller-manager image to use | `quay.io/kubernetes-service-catalog/controller-manager:v0.0.15` |
+| `controllerManager.image` | controller-manager image to use | `quay.io/kubernetes-service-catalog/controller-manager:v0.0.17` |
 | `controllerManager.imagePullPolicy` | `imagePullPolicy` for the controller-manager | `Always` |
 | `controllerManager.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
 | `controllerManager.resyncInterval` | How often the controller should resync informers; duration format (`20m`, `1h`, etc) | `5m` |

diff --git a/charts/catalog/templates/rbac.yaml b/charts/catalog/templates/rbac.yaml
@@ -77,7 +77,7 @@ items:
   - apiGroups: [""]
     resources: ["events"]
     verbs:     ["create","patch","update"]
-  # TODO: do not grant global access, limit to particular secrets referenced from bindings
+  # TODO: do not grant global access, limit to particular secrets referenced from serviceinstancecredentials
   - apiGroups: [""]
     resources: ["secrets"]
     verbs:     ["get","create","delete"]
@@ -89,10 +89,10 @@ items:
     resources: ["serviceclasses"]
     verbs:     ["get","list","watch","create","patch","update","delete"]
   - apiGroups: ["servicecatalog.k8s.io"]
-    resources: ["bindings","brokers","instances"]
+    resources: ["servicebrokers","serviceinstances","serviceinstancecredentials"]
     verbs:     ["get","list","watch"]
   - apiGroups: ["servicecatalog.k8s.io"]
-    resources: ["bindings/status","brokers/status","instances/status"]
+    resources: ["servicebrokers/status","serviceinstances/status","serviceinstancecredentials/status"]
     verbs:     ["update"]
 # give the controller-manager service account access to whats defined in its role.
 - apiVersion: rbac.authorization.k8s.io/v1beta1

diff --git a/charts/catalog/values.yaml b/charts/catalog/values.yaml
@@ -3,7 +3,7 @@
 useAggregator: false
 apiserver:
   # apiserver image to use
-  image: quay.io/kubernetes-service-catalog/apiserver:v0.0.15
+  image: quay.io/kubernetes-service-catalog/apiserver:v0.0.17
   # imagePullPolicy for the apiserver; valid values are "IfNotPresent",
   # "Never", and "Always"
   imagePullPolicy: Always
@@ -72,7 +72,7 @@ apiserver:
   serviceAccount: service-catalog-apiserver
 controllerManager:
   # controller-manager image to use
-  image: quay.io/kubernetes-service-catalog/controller-manager:v0.0.15
+  image: quay.io/kubernetes-service-catalog/controller-manager:v0.0.17
   # imagePullPolicy for the controller-manager; valid values are
   # "IfNotPresent", "Never", and "Always"
   imagePullPolicy: Always

diff --git a/charts/ups-broker/README.md b/charts/ups-broker/README.md
@@ -34,7 +34,7 @@ Service Broker
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
-| `image` | Image to use | `quay.io/kubernetes-service-catalog/user-broker:v0.0.15` |
+| `image` | Image to use | `quay.io/kubernetes-service-catalog/user-broker:v0.0.17` |
 | `imagePullPolicy` | `imagePullPolicy` for the ups-broker | `Always` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to

diff --git a/charts/ups-broker/templates/broker-deployment.yaml b/charts/ups-broker/templates/broker-deployment.yaml
@@ -27,6 +27,14 @@ spec:
         args:
         - --port
         - "8080"
+        {{- if .Values.tls.cert}}
+        - --tlsCert
+        - "{{ .Values.tls.cert }}"
+        {{- end}}
+        {{- if .Values.tls.key}}
+        - --tlsKey
+        - "{{ .Values.tls.key }}"
+        {{- end}}
         ports:
         - containerPort: 8080
         readinessProbe:

diff --git a/charts/ups-broker/values.yaml b/charts/ups-broker/values.yaml
@@ -1,5 +1,11 @@
 # Default values for User-Provided Service Broker
 # Image to use
-image: quay.io/kubernetes-service-catalog/user-broker:v0.0.15
+image: quay.io/kubernetes-service-catalog/user-broker:v0.0.17
 # ImagePullPolicy; valid values are "IfNotPresent", "Never", and "Always"
 imagePullPolicy: Always
+# Certificate details to use for TLS. Leave blank to not use TLS
+tls:
+  # base-64 encoded PEM data for the TLS certificate
+  cert:
+  # base-64 encoded PEM data for the private key matching the certificate
+  key:
diff --git a/cmd/controller-manager/app/controller_manager.go b/cmd/controller-manager/app/controller_manager.go
@@ -84,7 +84,7 @@ the core control loops shipped with the service catalog.`,
 const controllerManagerAgentName = "service-catalog-controller-manager"
 const controllerDiscoveryAgentName = "service-catalog-controller-discovery"
 
-var catalogGVR = schema.GroupVersionResource{Group: "servicecatalog.k8s.io", Version: "v1alpha1", Resource: "brokers"}
+var catalogGVR = schema.GroupVersionResource{Group: "servicecatalog.k8s.io", Version: "v1alpha1", Resource: "servicebrokers"}
 
 // Run runs the service-catalog controller-manager; should never exit.
 func Run(controllerManagerOptions *options.ControllerManagerServer) error {
@@ -323,16 +323,16 @@ func StartControllers(s *options.ControllerManagerServer,
 		// All shared informers are v1alpha1 API level
 		serviceCatalogSharedInformers := informerFactory.Servicecatalog().V1alpha1()
 
-		glog.V(5).Infof("Creating controller; broker relist interval: %v", s.BrokerRelistInterval)
+		glog.V(5).Infof("Creating controller; broker relist interval: %v", s.ServiceBrokerRelistInterval)
 		serviceCatalogController, err := controller.NewController(
 			coreClient,
 			serviceCatalogClientBuilder.ClientOrDie(controllerManagerAgentName).ServicecatalogV1alpha1(),
-			serviceCatalogSharedInformers.Brokers(),
+			serviceCatalogSharedInformers.ServiceBrokers(),
 			serviceCatalogSharedInformers.ServiceClasses(),
-			serviceCatalogSharedInformers.Instances(),
-			serviceCatalogSharedInformers.Bindings(),
+			serviceCatalogSharedInformers.ServiceInstances(),
+			serviceCatalogSharedInformers.ServiceInstanceCredentials(),
 			osb.NewClient,
-			s.BrokerRelistInterval,
+			s.ServiceBrokerRelistInterval,
 			s.OSBAPIPreferredVersion,
 			recorder,
 		)

diff --git a/cmd/controller-manager/app/options/options.go b/cmd/controller-manager/app/options/options.go
@@ -16,7 +16,7 @@ limitations under the License.
 
 // The controller is responsible for running control loops that reconcile
 // the state of service catalog API resources with service brokers, service
-// classes, service instances, and service bindings.
+// classes, service instances, and service instance credentials.
 
 package options
 
@@ -39,7 +39,7 @@ type ControllerManagerServer struct {
 
 const (
 	defaultResyncInterval               = 5 * time.Minute
-	defaultBrokerRelistInterval         = 24 * time.Hour
+	defaultServiceBrokerRelistInterval  = 24 * time.Hour
 	defaultContentType                  = "application/json"
 	defaultBindAddress                  = "0.0.0.0"
 	defaultPort                         = 10000
@@ -63,7 +63,7 @@ func NewControllerManagerServer() *ControllerManagerServer {
 			K8sKubeconfigPath:            defaultK8sKubeconfigPath,
 			ServiceCatalogKubeconfigPath: defaultServiceCatalogKubeconfigPath,
 			ResyncInterval:               defaultResyncInterval,
-			BrokerRelistInterval:         defaultBrokerRelistInterval,
+			ServiceBrokerRelistInterval:  defaultServiceBrokerRelistInterval,
 			OSBAPIContextProfile:         defaultOSBAPIContextProfile,
 			OSBAPIPreferredVersion:       defaultOSBAPIPreferredVersion,
 			ConcurrentSyncs:              defaultConcurrentSyncs,
@@ -88,7 +88,7 @@ func (s *ControllerManagerServer) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.ServiceCatalogKubeconfigPath, "service-catalog-kubeconfig", "", "Path to service-catalog kubeconfig")
 	fs.BoolVar(&s.ServiceCatalogInsecureSkipVerify, "service-catalog-insecure-skip-verify", s.ServiceCatalogInsecureSkipVerify, "Skip verification of the TLS certificate for the service-catalog API server")
 	fs.DurationVar(&s.ResyncInterval, "resync-interval", s.ResyncInterval, "The interval on which the controller will resync its informers")
-	fs.DurationVar(&s.BrokerRelistInterval, "broker-relist-interval", s.BrokerRelistInterval, "The interval on which a broker's catalog is relisted after the broker becomes ready")
+	fs.DurationVar(&s.ServiceBrokerRelistInterval, "broker-relist-interval", s.ServiceBrokerRelistInterval, "The interval on which a broker's catalog is relisted after the broker becomes ready")
 	fs.BoolVar(&s.OSBAPIContextProfile, "enable-osb-api-context-profile", s.OSBAPIContextProfile, "This does nothing.")
 	fs.MarkHidden("enable-osb-api-context-profile")
 	fs.StringVar(&s.OSBAPIPreferredVersion, "osb-api-preferred-version", s.OSBAPIPreferredVersion, "The string to send as the version header.")

diff --git a/contrib/cmd/user-broker/user-broker.go b/contrib/cmd/user-broker/user-broker.go
@@ -33,11 +33,15 @@ import (
 )
 
 var options struct {
-	Port int
+	Port    int
+	TLSCert string
+	TLSKey  string
 }
 
 func init() {
 	flag.IntVar(&options.Port, "port", 8005, "use '--port' option to specify the port for broker to listen on")
+	flag.StringVar(&options.TLSCert, "tlsCert", "", "base-64 encoded PEM block to use as the certificate for TLS. If '--tlsCert' is used, then '--tlsKey' must also be used. If '--tlsCert' is not used, then TLS will not be used.")
+	flag.StringVar(&options.TLSKey, "tlsKey", "", "base-64 encoded PEM block to use as the private key matching the TLS certificate. If '--tlsKey' is used, then '--tlsCert' must also be used")
 	flag.Parse()
 }
 
@@ -60,9 +64,22 @@ func runWithContext(ctx context.Context) error {
 		fmt.Printf("%s/%s\n", path.Base(os.Args[0]), pkg.VERSION)
 		return nil
 	}
+	if (options.TLSCert != "" || options.TLSKey != "") &&
+		(options.TLSCert == "" || options.TLSKey == "") {
+		fmt.Println("To use TLS, both --tlsCert and --tlsKey must be used")
+		return nil
+	}
 
 	addr := ":" + strconv.Itoa(options.Port)
-	return server.Run(ctx, addr, controller.CreateController())
+	ctrlr := controller.CreateController()
+
+	var err error
+	if options.TLSCert == "" && options.TLSKey == "" {
+		err = server.Run(ctx, addr, ctrlr)
+	} else {
+		err = server.RunTLS(ctx, addr, options.TLSCert, options.TLSKey, ctrlr)
+	}
+	return err
 }
 
 // cancelOnInterrupt calls f when os.Interrupt or SIGTERM is received.

diff --git a/contrib/examples/apiserver/binding.yaml b/contrib/examples/apiserver/binding.yaml
@@ -1,5 +1,5 @@
 apiVersion: servicecatalog.k8s.io/v1alpha1
-kind: Binding
+kind: ServiceInstanceCredential
 metadata:
   name: test-binding
   namespace: test-ns

diff --git a/contrib/examples/apiserver/broker.yaml b/contrib/examples/apiserver/broker.yaml
@@ -1,5 +1,5 @@
 apiVersion: servicecatalog.k8s.io/v1alpha1
-kind: Broker
+kind: ServiceBroker
 metadata:
   name: test-broker
 spec:

diff --git a/contrib/examples/apiserver/instance.yaml b/contrib/examples/apiserver/instance.yaml
@@ -1,5 +1,5 @@
 apiVersion: servicecatalog.k8s.io/v1alpha1
-kind: Instance
+kind: ServiceInstance
 metadata:
   name: test-instance
   namespace: test-ns

diff --git a/contrib/examples/walkthrough/README.md b/contrib/examples/walkthrough/README.md
@@ -1,4 +1,6 @@
 ## Walkthrough Resources
 
-This directory contains API resources for use with the [demo
-walkthrough](../../../docs/walkthrough.md).
+This directory contains API resources for use with the demo walkthrough.
+
+Please see [the introduction document](../../../docs/introduction.md) for 
+instructions.