Squashed 'cmd/service-catalog/go/src/github.com/kubernetes-incubator/…

…service-catalog/' changes from c91fecb..1bfff53

1bfff53 instance never provisioned should just delete (openshift#891)
1ae26db Adding a fake broker server (openshift#928)
6403076 docs: fix quoting issue, clarify naming in auth.md (openshift#931)
8ac0775 Merge branch 'pr/927'
02af952 Merge branch 'pr/876'
2aa84f9 add Jenkins badge to README
0c08788 Brokers must have at least one service (openshift#930)
cbfa39b Add PodPreset support (openshift#917)
0d9b810 refactor Jenkins GitHub status postback to work on non-PR commits (openshift#916)
066159d Converting the AuthSecret field to a union AuthInfo type (openshift#877)
203af5c Add leader election namespace configuration (openshift#920)
5831502 Add example JSON schema to controller unit tests (openshift#918)
b78ab99 Fix usage of finalizers (openshift#894)
d3d29f0 Enable pprof in controller-manager (openshift#896)
f4233a0 Correct parameter schema support (openshift#912)
05c6f00 bump image tags from v0.0.8 to v0.0.9 (openshift#910)
97d278a Add support for OSB parameter schemas (openshift#822)
3e4120e Fix nil dereference panic on request timeout (openshift#906)
d8c7494 Add feature gate for audit options in helm chart (openshift#904)
89ce1cd Decompose controller unit tests (openshift#899)
a1e83b2 Add e2e for walkthrough (openshift#832)
4679685 Add support for audit log options (openshift#897)
262a94f Do not allow updates to an object if asynchronous operation is in progress (openshift#853)
7295dad Validate that a ServiceClass must have at least one plan (openshift#879)
9db9fa4 Decompose controller.go (openshift#893)
c3ea9bd Nits in our types (openshift#854)
1d8280a bump tags from v0.0.7 to v0.0.8 (openshift#892)
5e6925d Clean up the OSB client (openshift#888)
fe6aee9 cleaning up logs and adding more log detail (openshift#874)
f41516f Detect if a TPR update represents a soft delete (openshift#836)
9ce99f3 Add functions on Makefile for build and tag
REVERT: c91fecb Merge pull request openshift#1 from jpeeler/origin-build
REVERT: 55ccf3d origin build: add _output to .gitignore
REVERT: 8352e14 origin build: make build-go and build-cross work
REVERT: d969641 origin build: modify hard coded path
REVERT: 30000cc origin build: add origin tooling

git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog
git-subtree-split: 1bfff53

.gitignore

@@ -20,5 +20,3 @@ contrib/build/*/tmp/*
 .pkg
 .kube
 .var
-# this is for buildling service catalog with origin tooling
-_output

Jenkinsfile

@@ -24,6 +24,8 @@ limitations under the License.
 // TEST_ZONE:      GCP Zone in which to create test GKE cluster
 // TEST_ACCOUNT:   GCP service account credentials (JSON file) to use for testing.
 
+def repo_url = params.REPO_URL
+
 def updatePullRequest(flow, success = false) {
   def state, message
   switch (flow) {
@@ -39,10 +41,14 @@ def updatePullRequest(flow, success = false) {
     default:
       error('flow can only be run or verify')
   }
-  setGitHubPullRequestStatus(
-      context: env.JOB_NAME,
-      message: message,
-      state: state)
+
+  step([
+      $class: "GitHubCommitStatusSetter",
+      reposSource: [$class: "ManuallyEnteredRepositorySource", url: "${repo_url}"],
+      contextSource: [$class: "ManuallyEnteredCommitContextSource", context: "${JOB_NAME}"],
+      errorHandlers: [[$class: "ChangingBuildStatusErrorHandler", result: "UNSTABLE"]],
+      statusResultSource: [ $class: "ConditionalStatusResultSource", results: [[$class: "AnyBuildResult", message: message, state: state]] ]
+  ]);
 }
 
 // Verify required parameters

Makefile

@@ -249,6 +249,9 @@ test-integration: .init $(scBuildImageTarget) build
 	# golang integration tests
 	$(DOCKER_CMD) test/integration.sh
 
+clean-e2e:
+	rm -f $(BINDIR)/e2e.test
+
 test-e2e: .generate_files $(BINDIR)/e2e.test
 	$(BINDIR)/e2e.test
 
@@ -292,26 +295,24 @@ clean-coverage:
 images: user-broker-image \
     controller-manager-image apiserver-image
 
+define build-and-tag # (service, image, mutable_image, prefix)
+	$(eval build_path := "$(4)build/$(1)")
+	$(eval tmp_build_path := "$(build_path)/tmp")
+	mkdir -p $(tmp_build_path)
+	cp $(BINDIR)/$(1) $(tmp_build_path)
+	docker build -t $(2) $(build_path)
+	docker tag $(2) $(3)
+	rm -rf $(tmp_build_path)
+endef
+
 user-broker-image: contrib/build/user-broker/Dockerfile $(BINDIR)/user-broker
-	mkdir -p contrib/build/user-broker/tmp
-	cp $(BINDIR)/user-broker contrib/build/user-broker/tmp
-	docker build -t $(USER_BROKER_IMAGE) contrib/build/user-broker
-	docker tag $(USER_BROKER_IMAGE) $(USER_BROKER_MUTABLE_IMAGE)
-	rm -rf contrib/build/user-broker/tmp
+	$(call build-and-tag,"user-broker",$(USER_BROKER_IMAGE),$(USER_BROKER_MUTABLE_IMAGE),"contrib/")
 
 apiserver-image: build/apiserver/Dockerfile $(BINDIR)/apiserver
-	mkdir -p build/apiserver/tmp
-	cp $(BINDIR)/apiserver build/apiserver/tmp
-	docker build -t $(APISERVER_IMAGE) build/apiserver
-	docker tag $(APISERVER_IMAGE) $(APISERVER_MUTABLE_IMAGE)
-	rm -rf build/apiserver/tmp
+	$(call build-and-tag,"apiserver",$(APISERVER_IMAGE),$(APISERVER_MUTABLE_IMAGE))
 
 controller-manager-image: build/controller-manager/Dockerfile $(BINDIR)/controller-manager
-	mkdir -p build/controller-manager/tmp
-	cp $(BINDIR)/controller-manager build/controller-manager/tmp
-	docker build -t $(CONTROLLER_MANAGER_IMAGE) build/controller-manager
-	docker tag $(CONTROLLER_MANAGER_IMAGE) $(CONTROLLER_MANAGER_MUTABLE_IMAGE)
-	rm -rf build/controller-manager/tmp
+	$(call build-and-tag,"controller-manager",$(CONTROLLER_MANAGER_IMAGE),$(CONTROLLER_MANAGER_MUTABLE_IMAGE))
 
 # Push our Docker Images to a registry
 ######################################

README.md

@@ -1,6 +1,7 @@
 ## `service-catalog`
 
-[![Build Status](https://travis-ci.org/kubernetes-incubator/service-catalog.svg?branch=master)](https://travis-ci.org/kubernetes-incubator/service-catalog)
+[![Build Status](https://travis-ci.org/kubernetes-incubator/service-catalog.svg?branch=master)](https://travis-ci.org/kubernetes-incubator/service-catalog "Travis")
+[![Build Status](https://service-catalog-jenkins.appspot.com/buildStatus/icon?job=service-catalog-master-testing)](https://service-catalog-jenkins.appspot.com/job/service-catalog-master-testing/ "Jenkins")
 
 ### Introduction
 

charts/catalog/templates/apiserver-deployment.yaml

@@ -32,6 +32,10 @@ spec:
             cpu: 100m
             memory: 30Mi
         args:
+        {{ if .Values.apiserver.audit.activated -}}
+        - --audit-log-path
+        - {{ .Values.apiserver.audit.logPath }}
+        {{- end}}
         - --admission-control
         - "KubernetesNamespaceLifecycle"
         - --secure-port

charts/catalog/templates/controller-manager-deployment.yaml

@@ -31,9 +31,23 @@ spec:
           limits:
             cpu: 100m
             memory: 30Mi
+        env:
+        - name: K8S_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
         args:
         - --port
         - "8080"
+        {{ if .Values.controllerManager.leaderElectionNamespace.activated -}}
+        - "--leader-election-namespace=$(K8S_NAMESPACE)"
+        {{- end }}
+        {{ if .Values.controllerManager.profiling.disabled -}}
+        - "--profiling=false"
+        {{- end}}
+        {{ if .Values.controllerManager.profiling.contentionProfiling -}}
+        - "--contention-profiling=true"
+        {{- end}}
         {{- if not .Values.useAggregator }}
         - --service-catalog-api-server-url
         {{- if .Values.apiserver.insecure }}

charts/catalog/values.yaml

@@ -1,7 +1,7 @@
 # Default values for Service Catalog
 apiserver:
   # apiserver image to use
-  image: quay.io/kubernetes-service-catalog/apiserver:v0.0.7
+  image: quay.io/kubernetes-service-catalog/apiserver:v0.0.9
   # imagePullPolicy for the apiserver; valid values are "IfNotPresent",
   # "Never", and "Always"
   imagePullPolicy: Always
@@ -49,9 +49,14 @@ apiserver:
     # and authorization can be useful for quickly getting the walkthrough up and running,
     # but is not suitable for production.
     enabled: false
+  audit:
+    # If true, enables the use of audit features via this chart.
+    activated: false
+    # If specified, audit log goes to specified path.
+    logPath: "/tmp/service-catalog-apiserver-audit.log"
 controllerManager:
   # controller-manager image to use
-  image: quay.io/kubernetes-service-catalog/controller-manager:v0.0.7
+  image: quay.io/kubernetes-service-catalog/controller-manager:v0.0.9
   # imagePullPolicy for the controller-manager; valid values are
   # "IfNotPresent", "Never", and "Always"
   imagePullPolicy: Always
@@ -64,4 +69,13 @@ controllerManager:
   # Whether or not the controller supports a --broker-relist-interval flag. If this is 
   # set to true, brokerRelistInterval will be used as the value for that flag
   brokerRelistIntervalActivated: true
+  # enables profiling via web interface host:port/debug/pprof/
+  profiling:
+    # Disable profiling via web interface host:port/debug/pprof/
+    disabled: false
+    # Enables lock contention profiling, if profiling is enabled.
+    contentionProfiling: false
+  leaderElectionNamespace:
+    # Whether the controller has option to set leader election namespace.
+    activated: false
 useAggregator: false

charts/ups-broker/values.yaml

@@ -1,5 +1,5 @@
 # Default values for User-Provided Service Broker
 # Image to use
-image: quay.io/kubernetes-service-catalog/user-broker:v0.0.7
+image: quay.io/kubernetes-service-catalog/user-broker:v0.0.9
 # ImagePullPolicy; valid values are "IfNotPresent", "Never", and "Always"
 imagePullPolicy: Always

cmd/apiserver/app/server/options.go

@@ -39,6 +39,8 @@ type ServiceCatalogServerOptions struct {
 	AuthorizationOptions *genericserveroptions.DelegatingAuthorizationOptions
 	// InsecureOptions are options for serving insecurely.
 	InsecureServingOptions *genericserveroptions.ServingOptions
+	// audit options for api server
+	AuditOptions *genericserveroptions.AuditLogOptions
 	// EtcdOptions are options for serving with etcd as the backing store
 	EtcdOptions *EtcdOptions
 	// TPROptions are options for serving with TPR as the backing store
@@ -72,6 +74,7 @@ func (s *ServiceCatalogServerOptions) addFlags(flags *pflag.FlagSet) {
 	s.InsecureServingOptions.AddFlags(flags)
 	s.EtcdOptions.addFlags(flags)
 	s.TPROptions.addFlags(flags)
+	s.AuditOptions.AddFlags(flags)
 }
 
 // StorageType returns the storage type configured on s, or a non-nil error if s holds an

cmd/apiserver/app/server/server.go

@@ -70,6 +70,7 @@ func NewCommandServer(
 		AuthenticationOptions:   genericserveroptions.NewDelegatingAuthenticationOptions(),
 		AuthorizationOptions:    genericserveroptions.NewDelegatingAuthorizationOptions(),
 		InsecureServingOptions:  genericserveroptions.NewInsecureServingOptions(),
+		AuditOptions:            genericserveroptions.NewAuditLogOptions(),
 		EtcdOptions:             NewEtcdOptions(),
 		TPROptions:              NewTPROptions(),
 		StopCh:                  stopCh,

cmd/apiserver/app/server/util.go

@@ -86,8 +86,10 @@ func buildGenericConfig(s *ServiceCatalogServerOptions) (*genericapiserver.Confi
 		glog.Infof("Authentication and authorization disabled for testing purposes")
 	}
 
-	// TODO: add support for audit log options
-	// see https://github.com/kubernetes-incubator/service-catalog/issues/678
+	if err := s.AuditOptions.ApplyTo(genericConfig); err != nil {
+		return nil, nil, err
+	}
+
 	// TODO: add support for OpenAPI config
 	// see https://github.com/kubernetes-incubator/service-catalog/issues/721
 	genericConfig.SwaggerConfig = genericapiserver.DefaultSwaggerConfig()

cmd/controller-manager/app/controller_manager.go

@@ -21,7 +21,9 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/http/pprof"
 	"os"
+	goruntime "runtime"
 	"strconv"
 	"time"
 
@@ -149,6 +151,15 @@ func Run(controllerManagerOptions *options.ControllerManagerServer) error {
 		healthz.InstallHandler(mux)
 		configz.InstallHandler(mux)
 
+		if controllerManagerOptions.EnableProfiling {
+			mux.HandleFunc("/debug/pprof/", pprof.Index)
+			mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
+			mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+			mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
+			if controllerManagerOptions.EnableContentionProfiling {
+				goruntime.SetBlockProfileRate(1)
+			}
+		}
 		server := &http.Server{
 			Addr:    net.JoinHostPort(controllerManagerOptions.Address, strconv.Itoa(int(controllerManagerOptions.Port))),
 			Handler: mux,
@@ -197,10 +208,12 @@ func Run(controllerManagerOptions *options.ControllerManagerServer) error {
 		return err
 	}
 
+	glog.V(5).Infof("Using namespace %v for leader election lock", controllerManagerOptions.LeaderElectionNamespace)
+
 	// Lock required for leader election
 	rl := resourcelock.EndpointsLock{
 		EndpointsMeta: metav1.ObjectMeta{
-			Namespace: "kube-system",
+			Namespace: controllerManagerOptions.LeaderElectionNamespace,
 			Name:      "service-catalog-controller-manager",
 		},
 		Client: leaderElectionClient,

cmd/controller-manager/app/options/options.go

@@ -36,15 +36,18 @@ type ControllerManagerServer struct {
 	componentconfig.ControllerManagerConfiguration
 }
 
-const defaultResyncInterval = 5 * time.Minute
-const defaultBrokerRelistInterval = 24 * time.Hour
-const defaultContentType = "application/json"
-const defaultBindAddress = "0.0.0.0"
-const defaultPort = 10000
-const defaultK8sKubeconfigPath = "./kubeconfig"
-const defaultServiceCatalogKubeconfigPath = "./service-catalog-kubeconfig"
-const defaultOSBAPIContextProfile = true
-const defaultConcurrentSyncs = 5
+const (
+	defaultResyncInterval               = 5 * time.Minute
+	defaultBrokerRelistInterval         = 24 * time.Hour
+	defaultContentType                  = "application/json"
+	defaultBindAddress                  = "0.0.0.0"
+	defaultPort                         = 10000
+	defaultK8sKubeconfigPath            = "./kubeconfig"
+	defaultServiceCatalogKubeconfigPath = "./service-catalog-kubeconfig"
+	defaultOSBAPIContextProfile         = true
+	defaultConcurrentSyncs              = 5
+	defaultLeaderElectionNamespace      = "kube-system"
+)
 
 // NewControllerManagerServer creates a new ControllerManagerServer with a
 // default config.
@@ -61,6 +64,9 @@ func NewControllerManagerServer() *ControllerManagerServer {
 			OSBAPIContextProfile:         defaultOSBAPIContextProfile,
 			ConcurrentSyncs:              defaultConcurrentSyncs,
 			LeaderElection:               leaderelection.DefaultLeaderElectionConfiguration(),
+			LeaderElectionNamespace:      defaultLeaderElectionNamespace,
+			EnableProfiling:              true,
+			EnableContentionProfiling:    false,
 		},
 	}
 	s.LeaderElection.LeaderElect = true
@@ -79,5 +85,8 @@ func (s *ControllerManagerServer) AddFlags(fs *pflag.FlagSet) {
 	fs.DurationVar(&s.ResyncInterval, "resync-interval", s.ResyncInterval, "The interval on which the controller will resync its informers")
 	fs.DurationVar(&s.BrokerRelistInterval, "broker-relist-interval", s.BrokerRelistInterval, "The interval on which a broker's catalog is relisted after the broker becomes ready")
 	fs.BoolVar(&s.OSBAPIContextProfile, "enable-osb-api-context-profile", s.OSBAPIContextProfile, "Whether or not to send the proposed optional OpenServiceBroker API Context Profile field")
+	fs.BoolVar(&s.EnableProfiling, "profiling", s.EnableProfiling, "Enable profiling via web interface host:port/debug/pprof/")
+	fs.BoolVar(&s.EnableContentionProfiling, "contention-profiling", s.EnableContentionProfiling, "Enable lock contention profiling, if profiling is enabled")
 	leaderelection.BindFlags(&s.LeaderElection, fs)
+	fs.StringVar(&s.LeaderElectionNamespace, "leader-election-namespace", s.LeaderElectionNamespace, "Namespace to use for leader election lock")
 }

contrib/examples/apiserver/broker.yaml

@@ -7,6 +7,7 @@ spec:
   # put the basic auth for the broker in a secret, and reference the secret here.
   # service-catalog will use the contents of the secret. The secret should have "username"
   # and "password" keys
-  authSecret:
-    namespace: some-namespace
-    name: secret-name
+  authInfo:
+    basicAuthSecret:
+      namespace: some-namespace
+      name: secret-name

contrib/examples/walkthrough/ups-binding-pp.yaml

@@ -0,0 +1,14 @@
+apiVersion: servicecatalog.k8s.io/v1alpha1
+kind: Binding
+metadata:
+  name: ups-binding
+  namespace: test-ns
+spec:
+  instanceRef:
+    name: ups-instance
+  secretName: my-secret
+  alphaPodPresetTemplate:
+    name: my-pod-preset
+    selector:
+      matchLabels:
+        app: my-app

docs/auth.md

@@ -136,13 +136,19 @@ use the following commands:
 
 ```shell
 export SERVICE_NAME=<service>
-export ALT_NAMES="<service>.<namespace>,<service>.<namespace>.svc"
+export ALT_NAMES='"<service>.<namespace>","<service>.<namespace>.svc"'
 echo '{"CN":"'${SERVICE_NAME}'","hosts":['${ALT_NAMES}'],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=server-ca.crt -ca-key=server-ca.key -config=server-ca-config.json - | cfssljson -bare apiserver
 ```
 
 `<service>` should be the name of the Service for service
 catalog API server (e.g. `<release>-<chart>` when using Helm).
 
+This will create a pair of files named `apiserver-key.pem` and
+`apiserver.pem`.  These are the private key and public certificate,
+respectively.  The private key and certificate are commonly referred to
+with `.key ` and `.crt` extensions, respectively: `apiserver.key` and
+`apiserver.crt`.
+
 To base64 encode these files for passing to the Helm charts, run `base64
 --wrap=0 <file>`.  The resulting output may be passed to the Helm charts
 for the `apiserver.tls.*` series of options.