Separating storage #16170

merged 5 commits into from
Sep 6, 2017
6 changes: 1 addition & 5 deletions hack/import-restrictions.json
Expand Up @@ -42,11 +42,7 @@
],
"ignoredSubTrees": [
"github.com/openshift/origin/pkg/dockerregistry",
"github.com/openshift/origin/pkg/cmd/dockerregistry",
"github.com/openshift/origin/pkg/cmd/server/origin",
"github.com/openshift/origin/pkg/generate/app",
"github.com/openshift/origin/pkg/image/importer",
"github.com/openshift/origin/pkg/image/registry/imagestreamimport"
"github.com/openshift/origin/pkg/cmd/dockerregistry"
],
"forbiddenImportPackageRoots": [
"github.com/openshift/origin/pkg/dockerregistry"
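--- a/pkg/authorization/apiserver/apiserver.go
+++ b/pkg/authorization/apiserver/apiserver.go
@@ -0,0 +1,137 @@
+package apiserver
+
+import (
+"fmt"
+"sync"
+
+"k8s.io/apimachinery/pkg/apimachinery/registered"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/runtime"
+"k8s.io/apimachinery/pkg/runtime/serializer"
+"k8s.io/apiserver/pkg/registry/rest"
+genericapiserver "k8s.io/apiserver/pkg/server"
+restclient "k8s.io/client-go/rest"
+rbacclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/rbac/internalversion"
+kinternalinformers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
+rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
+
+authorizationapiv1 "github.com/openshift/origin/pkg/authorization/apis/authorization/v1"
+"github.com/openshift/origin/pkg/authorization/authorizer"
+"github.com/openshift/origin/pkg/authorization/registry/clusterrole"
+"github.com/openshift/origin/pkg/authorization/registry/clusterrolebinding"
+"github.com/openshift/origin/pkg/authorization/registry/localresourceaccessreview"
+"github.com/openshift/origin/pkg/authorization/registry/localsubjectaccessreview"
+"github.com/openshift/origin/pkg/authorization/registry/resourceaccessreview"
+"github.com/openshift/origin/pkg/authorization/registry/role"
+"github.com/openshift/origin/pkg/authorization/registry/rolebinding"
+rolebindingrestrictionetcd "github.com/openshift/origin/pkg/authorization/registry/rolebindingrestriction/etcd"
+"github.com/openshift/origin/pkg/authorization/registry/selfsubjectrulesreview"
+"github.com/openshift/origin/pkg/authorization/registry/subjectaccessreview"
+"github.com/openshift/origin/pkg/authorization/registry/subjectrulesreview"
+)
+
+type AuthorizationAPIServerConfig struct {
+GenericConfig *genericapiserver.Config
+
+CoreAPIServerClientConfig *restclient.Config
+KubeInternalInformers kinternalinformers.SharedInformerFactory
+RuleResolver rbacregistryvalidation.AuthorizationRuleResolver
+SubjectLocator authorizer.SubjectLocator
+
+// TODO these should all become local eventually
+Scheme *runtime.Scheme
+Registry *registered.APIRegistrationManager
+Codecs serializer.CodecFactory
+
+makeV1Storage sync.Once
+v1Storage map[string]rest.Storage
+v1StorageErr error
+}
+
+type AuthorizationAPIServer struct {
+GenericAPIServer *genericapiserver.GenericAPIServer
+}
+
+type completedConfig struct {
+*AuthorizationAPIServerConfig
+}
+
+// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
+func (c *AuthorizationAPIServerConfig) Complete() completedConfig {
+c.GenericConfig.Complete()
+
+return completedConfig{c}
+}
+
+// SkipComplete provides a way to construct a server instance without config completion.
+func (c *AuthorizationAPIServerConfig) SkipComplete() completedConfig {
+return completedConfig{c}
+}
+
+// New returns a new instance of AuthorizationAPIServer from the given config.
+func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) (*AuthorizationAPIServer, error) {
+genericServer, err := c.AuthorizationAPIServerConfig.GenericConfig.SkipComplete().New("authorization.openshift.io-apiserver", delegationTarget) // completion is done in Complete, no need for a second time
+if err != nil {
+return nil, err
+}
+
+s := &AuthorizationAPIServer{
+GenericAPIServer: genericServer,
+}
+
+v1Storage, err := c.V1RESTStorage()
+if err != nil {
+return nil, err
+}
+
+apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(authorizationapiv1.GroupName, c.Registry, c.Scheme, metav1.ParameterCodec, c.Codecs)
+apiGroupInfo.GroupMeta.GroupVersion = authorizationapiv1.SchemeGroupVersion
+apiGroupInfo.VersionedResourcesStorageMap[authorizationapiv1.SchemeGroupVersion.Version] = v1Storage
+if err := s.GenericAPIServer.InstallAPIGroup(&apiGroupInfo); err != nil {
+return nil, err
+}
+
+return s, nil
+}
+
+func (c *AuthorizationAPIServerConfig) V1RESTStorage() (map[string]rest.Storage, error) {
+c.makeV1Storage.Do(func() {
+c.v1Storage, c.v1StorageErr = c.newV1RESTStorage()
+})
+
+return c.v1Storage, c.v1StorageErr
+}
+
+func (c *AuthorizationAPIServerConfig) newV1RESTStorage() (map[string]rest.Storage, error) {
+rbacClient, err := rbacclient.NewForConfig(c.GenericConfig.LoopbackClientConfig)
+if err != nil {
+return nil, err
+}
+
+selfSubjectRulesReviewStorage := selfsubjectrulesreview.NewREST(c.RuleResolver, c.KubeInternalInformers.Rbac().InternalVersion().ClusterRoles().Lister())
+subjectRulesReviewStorage := subjectrulesreview.NewREST(c.RuleResolver, c.KubeInternalInformers.Rbac().InternalVersion().ClusterRoles().Lister())
+subjectAccessReviewStorage := subjectaccessreview.NewREST(c.GenericConfig.Authorizer)
+subjectAccessReviewRegistry := subjectaccessreview.NewRegistry(subjectAccessReviewStorage)
+localSubjectAccessReviewStorage := localsubjectaccessreview.NewREST(subjectAccessReviewRegistry)
+resourceAccessReviewStorage := resourceaccessreview.NewREST(c.GenericConfig.Authorizer, c.SubjectLocator)
+resourceAccessReviewRegistry := resourceaccessreview.NewRegistry(resourceAccessReviewStorage)
+localResourceAccessReviewStorage := localresourceaccessreview.NewREST(resourceAccessReviewRegistry)
+roleBindingRestrictionStorage, err := rolebindingrestrictionetcd.NewREST(c.GenericConfig.RESTOptionsGetter)
+if err != nil {
+return nil, fmt.Errorf("error building REST storage: %v", err)
+}
+
+v1Storage := map[string]rest.Storage{}
+v1Storage["resourceAccessReviews"] = resourceAccessReviewStorage
+v1Storage["subjectAccessReviews"] = subjectAccessReviewStorage
+v1Storage["localSubjectAccessReviews"] = localSubjectAccessReviewStorage
+v1Storage["localResourceAccessReviews"] = localResourceAccessReviewStorage
+v1Storage["selfSubjectRulesReviews"] = selfSubjectRulesReviewStorage
+v1Storage["subjectRulesReviews"] = subjectRulesReviewStorage
+v1Storage["roles"] = role.NewREST(rbacClient.RESTClient())
+v1Storage["roleBindings"] = rolebinding.NewREST(rbacClient.RESTClient())
+v1Storage["clusterRoles"] = clusterrole.NewREST(rbacClient.RESTClient())
+v1Storage["clusterRoleBindings"] = clusterrolebinding.NewREST(rbacClient.RESTClient())
+v1Storage["roleBindingRestrictions"] = roleBindingRestrictionStorage
+return v1Storage, nil
+}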
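Review bot: `CoreAPIServerClientConfig` on AuthorizationAPIServerConfig is populated by the caller but never read in this file; newV1RESTStorage builds its rbac client from `c.GenericConfig.LoopbackClientConfig` directly, so either that line should become `rbacClient, err := rbacclient.NewForConfig(c.CoreAPIServerClientConfig)` or the field should be dropped before anything starts relying on it (the withAuthorizationAPIServer hunk in openshift_apiserver.go sets it to the same loopback config). Since the loopback config presumably carries the apiserver's own privileged credentials, a short comment stating that the roles/roleBindings/clusterRoles/clusterRoleBindings storages are intentionally served through it would help later reviewers judge any change to that line. Error handling in newV1RESTStorage is inconsistent: the rbac client failure is returned bare while the rolebindingrestriction failure is wrapped as `fmt.Errorf("error building REST storage: %v", err)`; the first should get the same context. The exported AuthorizationAPIServerConfig, AuthorizationAPIServer and V1RESTStorage have no doc comments; for the last one, `// V1RESTStorage builds the v1 storage map on first call and returns the cached map and error on every later call.` would make the sync.Once semantics explicit.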
87 changes: 82 additions & 5 deletions pkg/cmd/server/origin/openshift_apiserver.go
Expand Up @@ -29,6 +29,7 @@ import (

"github.com/openshift/origin/pkg/api"
"github.com/openshift/origin/pkg/api/v1"
authorizationapiserver "github.com/openshift/origin/pkg/authorization/apiserver"
"github.com/openshift/origin/pkg/authorization/authorizer"
authorizationinformer "github.com/openshift/origin/pkg/authorization/generated/informers/internalversion"
buildapiserver "github.com/openshift/origin/pkg/build/apiserver"
Expand All @@ -39,7 +40,9 @@ import (
oappsapiserver "github.com/openshift/origin/pkg/deploy/apiserver"
imageadmission "github.com/openshift/origin/pkg/image/admission"
imageapi "github.com/openshift/origin/pkg/image/apis/image"
imageapiserver "github.com/openshift/origin/pkg/image/apiserver"
networkapiserver "github.com/openshift/origin/pkg/network/apiserver"
oauthapiserver "github.com/openshift/origin/pkg/oauth/apiserver"
"github.com/openshift/origin/pkg/oc/admin/policy"
projectauth "github.com/openshift/origin/pkg/project/auth"
projectcache "github.com/openshift/origin/pkg/project/cache"
Expand All @@ -53,7 +56,7 @@ import (
userapiserver "github.com/openshift/origin/pkg/user/apiserver"
"github.com/openshift/origin/pkg/version"

authzapiv1 "github.com/openshift/origin/pkg/authorization/apis/authorization/v1"
authorizationapiv1 "github.com/openshift/origin/pkg/authorization/apis/authorization/v1"
buildapiv1 "github.com/openshift/origin/pkg/build/apis/build/v1"
imageapiv1 "github.com/openshift/origin/pkg/image/apis/image/v1"
networkapiv1 "github.com/openshift/origin/pkg/network/apis/network/v1"
Expand Down Expand Up @@ -84,7 +87,9 @@ type OpenshiftAPIConfig struct {
// these are all required to build our storage
RuleResolver rbacregistryvalidation.AuthorizationRuleResolver
SubjectLocator authorizer.SubjectLocator
LimitVerifier imageadmission.LimitVerifier

// for Images
LimitVerifier imageadmission.LimitVerifier
// RegistryHostnameRetriever retrieves the internal and external hostname of
// the integrated registry, or false if no such registry is available.
RegistryHostnameRetriever imageapi.RegistryHostnameRetriever
Expand All @@ -100,6 +105,7 @@ type OpenshiftAPIConfig struct {

EnableBuilds bool

// oauth API server
ServiceAccountMethod configapi.GrantHandlerType

ClusterQuotaMappingController *clusterquotamapping.ClusterQuotaMappingController
Expand Down Expand Up @@ -242,6 +248,30 @@ func (c *completedConfig) withAppsAPIServer(delegateAPIServer genericapiserver.D
return server.GenericAPIServer, legacyStorageMutators{legacyStorageMutatorFunc(legacyDCRollbackMutator.Mutate), &legacyStorageVersionMutator{version: oappsapiv1.SchemeGroupVersion, storage: storage}}, nil
}

func (c *completedConfig) withAuthorizationAPIServer(delegateAPIServer genericapiserver.DelegationTarget) (genericapiserver.DelegationTarget, legacyStorageMutator, error) {
config := &authorizationapiserver.AuthorizationAPIServerConfig{
GenericConfig: c.GenericConfig,
CoreAPIServerClientConfig: c.GenericConfig.LoopbackClientConfig,
KubeInternalInformers: c.KubeInternalInformers,
RuleResolver: c.RuleResolver,
SubjectLocator: c.SubjectLocator,
Codecs: kapi.Codecs,
Registry: kapi.Registry,
Scheme: kapi.Scheme,
}
server, err := config.Complete().New(delegateAPIServer)
if err != nil {
return nil, nil, err
}
storage, err := config.V1RESTStorage()
if err != nil {
return nil, nil, err
}
server.GenericAPIServer.PrepareRun() // this triggers openapi construction

return server.GenericAPIServer, &legacyStorageVersionMutator{version: authorizationapiv1.SchemeGroupVersion, storage: storage}, nil
}

func (c *completedConfig) withBuildAPIServer(delegateAPIServer genericapiserver.DelegationTarget) (genericapiserver.DelegationTarget, legacyStorageMutator, error) {
if !c.EnableBuilds {
return delegateAPIServer, legacyStorageMutatorFunc(func(map[schema.GroupVersion]map[string]rest.Storage) {}), nil
Expand All @@ -268,6 +298,31 @@ func (c *completedConfig) withBuildAPIServer(delegateAPIServer genericapiserver.
return server.GenericAPIServer, &legacyStorageVersionMutator{version: buildapiv1.SchemeGroupVersion, storage: storage}, nil
}

func (c *completedConfig) withImageAPIServer(delegateAPIServer genericapiserver.DelegationTarget) (genericapiserver.DelegationTarget, legacyStorageMutator, error) {
config := &imageapiserver.ImageAPIServerConfig{
GenericConfig: c.GenericConfig,
CoreAPIServerClientConfig: c.GenericConfig.LoopbackClientConfig,
LimitVerifier: c.LimitVerifier,
RegistryHostnameRetriever: c.RegistryHostnameRetriever,
AllowedRegistriesForImport: c.AllowedRegistriesForImport,
MaxImagesBulkImportedPerRepository: c.MaxImagesBulkImportedPerRepository,
Codecs: kapi.Codecs,
Registry: kapi.Registry,
Scheme: kapi.Scheme,
}
server, err := config.Complete().New(delegateAPIServer)
if err != nil {
return nil, nil, err
}
storage, err := config.V1RESTStorage()
if err != nil {
return nil, nil, err
}
server.GenericAPIServer.PrepareRun() // this triggers openapi construction

return server.GenericAPIServer, &legacyStorageVersionMutator{version: imageapiv1.SchemeGroupVersion, storage: storage}, nil
}

func (c *completedConfig) withNetworkAPIServer(delegateAPIServer genericapiserver.DelegationTarget) (genericapiserver.DelegationTarget, legacyStorageMutator, error) {
config := &networkapiserver.NetworkAPIServerConfig{
GenericConfig: c.GenericConfig,
Expand All @@ -288,6 +343,28 @@ func (c *completedConfig) withNetworkAPIServer(delegateAPIServer genericapiserve
return server.GenericAPIServer, &legacyStorageVersionMutator{version: networkapiv1.SchemeGroupVersion, storage: storage}, nil
}

func (c *completedConfig) withOAuthAPIServer(delegateAPIServer genericapiserver.DelegationTarget) (genericapiserver.DelegationTarget, legacyStorageMutator, error) {
config := &oauthapiserver.OAuthAPIServerConfig{
GenericConfig: c.GenericConfig,
CoreAPIServerClientConfig: c.GenericConfig.LoopbackClientConfig,
ServiceAccountMethod: c.ServiceAccountMethod,
Codecs: kapi.Codecs,
Registry: kapi.Registry,
Scheme: kapi.Scheme,
}
server, err := config.Complete().New(delegateAPIServer)
if err != nil {
return nil, nil, err
}
storage, err := config.V1RESTStorage()
if err != nil {
return nil, nil, err
}
server.GenericAPIServer.PrepareRun() // this triggers openapi construction

return server.GenericAPIServer, &legacyStorageVersionMutator{version: oauthapiv1.SchemeGroupVersion, storage: storage}, nil
}

func (c *completedConfig) withTemplateAPIServer(delegateAPIServer genericapiserver.DelegationTarget) (genericapiserver.DelegationTarget, legacyStorageMutator, error) {
config := &templateapiserver.TemplateConfig{
GenericConfig: c.GenericConfig,
Expand Down Expand Up @@ -346,8 +423,11 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
legacyStorageModifier := legacyStorageMutators{}

delegateAPIServer, legacyStorageModifier = addAPIServerOrDie(delegateAPIServer, legacyStorageModifier, c.withAppsAPIServer)
delegateAPIServer, legacyStorageModifier = addAPIServerOrDie(delegateAPIServer, legacyStorageModifier, c.withAuthorizationAPIServer)
delegateAPIServer, legacyStorageModifier = addAPIServerOrDie(delegateAPIServer, legacyStorageModifier, c.withBuildAPIServer)
delegateAPIServer, legacyStorageModifier = addAPIServerOrDie(delegateAPIServer, legacyStorageModifier, c.withImageAPIServer)
delegateAPIServer, legacyStorageModifier = addAPIServerOrDie(delegateAPIServer, legacyStorageModifier, c.withNetworkAPIServer)
delegateAPIServer, legacyStorageModifier = addAPIServerOrDie(delegateAPIServer, legacyStorageModifier, c.withOAuthAPIServer)
delegateAPIServer, legacyStorageModifier = addAPIServerOrDie(delegateAPIServer, legacyStorageModifier, c.withTemplateAPIServer)
delegateAPIServer, legacyStorageModifier = addAPIServerOrDie(delegateAPIServer, legacyStorageModifier, c.withUserAPIServer)

Expand Down Expand Up @@ -518,9 +598,6 @@ var apiGroupsVersions = []apiGroupInfo{
{PreferredVersion: "v1", Versions: []schema.GroupVersion{projectapiv1.SchemeGroupVersion}},
{PreferredVersion: "v1", Versions: []schema.GroupVersion{quotaapiv1.SchemeGroupVersion}},
{PreferredVersion: "v1", Versions: []schema.GroupVersion{routeapiv1.SchemeGroupVersion}},
{PreferredVersion: "v1", Versions: []schema.GroupVersion{imageapiv1.SchemeGroupVersion}},
{PreferredVersion: "v1", Versions: []schema.GroupVersion{authzapiv1.SchemeGroupVersion}},
{PreferredVersion: "v1", Versions: []schema.GroupVersion{oauthapiv1.SchemeGroupVersion}},
}

// isPreferredGroupVersion returns true if the given GroupVersion is preferred version in
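Review bot: The three new helpers withAuthorizationAPIServer, withImageAPIServer and withOAuthAPIServer repeat the same tail verbatim after building their config struct: Complete().New, an error check, V1RESTStorage, another error check, PrepareRun and the legacyStorageVersionMutator return; the existing withBuildAPIServer and withNetworkAPIServer hunks carry the same tail. Pulling that tail into one helper keeps the per-group functions down to their config literal and makes the "PrepareRun triggers openapi construction" detail live in one place; the sketch below shows the helper and its use in withOAuthAPIServer, the other four call sites would change the same way. The second V1RESTStorage call in each helper returns the cached result of the call New already made, so its error check only matters if New ever stops calling it; the helper keeps it for that reason. The bodies of withBuildAPIServer and withNetworkAPIServer extend outside the hunks shown here.
```go
// installDelegate runs the tail shared by every with*APIServer helper: build the
// server, fetch its (cached) v1 storage and prepare it so openapi construction
// happens here rather than at serve time.
func installDelegate(gv schema.GroupVersion, newServer func() (*genericapiserver.GenericAPIServer, error), v1Storage func() (map[string]rest.Storage, error)) (genericapiserver.DelegationTarget, legacyStorageMutator, error) {
	server, err := newServer()
	if err != nil {
		return nil, nil, err
	}
	storage, err := v1Storage()
	if err != nil {
		return nil, nil, err
	}
	server.PrepareRun() // this triggers openapi construction
	return server, &legacyStorageVersionMutator{version: gv, storage: storage}, nil
}

func (c *completedConfig) withOAuthAPIServer(delegateAPIServer genericapiserver.DelegationTarget) (genericapiserver.DelegationTarget, legacyStorageMutator, error) {
	// … unchanged: config literal for oauthapiserver.OAuthAPIServerConfig …
	return installDelegate(oauthapiv1.SchemeGroupVersion,
		func() (*genericapiserver.GenericAPIServer, error) {
			s, err := config.Complete().New(delegateAPIServer)
			if err != nil {
				return nil, err
			}
			return s.GenericAPIServer, nil
		},
		config.V1RESTStorage)
}
```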