openshift
diff --git a/Diff for: ‎install/openshift-controller-manager/install-rbac.yaml
+119 b/Diff for: ‎install/openshift-controller-manager/install-rbac.yaml
+119
diff --git a/Diff for: ‎pkg/cmd/openshift-controller-manager/cmd.go
+13-4 b/Diff for: ‎pkg/cmd/openshift-controller-manager/cmd.go
+13-4
diff --git a/Diff for: ‎pkg/cmd/openshift-controller-manager/controller/apps.go
+51-15 b/Diff for: ‎pkg/cmd/openshift-controller-manager/controller/apps.go
+51-15
diff --git a/Diff for: ‎pkg/cmd/openshift-controller-manager/controller/autoscaling.go
+7-8 b/Diff for: ‎pkg/cmd/openshift-controller-manager/controller/autoscaling.go
+7-8
diff --git a/Diff for: ‎pkg/cmd/openshift-controller-manager/controller/build.go
+17-17 b/Diff for: ‎pkg/cmd/openshift-controller-manager/controller/build.go
+17-17
@@ -0,0 +1,119 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+parameters:
+- name: NAMESPACE
+  value: openshift-controller-manager
+- name: KUBE_SYSTEM
+  value: kube-system
+- name: OPENSHIFT_INFRA
+  value: openshift-infra
+objects:
+
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRole
+  metadata:
+    name: system:openshift:openshift-controller-manager
+  rules:
+  # we run cluster resource quota, so we have to be able to see all resources
+  - apiGroups:
+    - "*"
+    resources:
+    - "*"
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    - events.k8s.io
+    resources:
+    - events
+    verbs:
+    - create
+    - patch
+    - update
+
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRoleBinding
+  metadata:
+    name: system:openshift:openshift-controller-manager
+  roleRef:
+    kind: ClusterRole
+    name: system:openshift:openshift-controller-manager
+  subjects:
+  - kind: ServiceAccount
+    namespace: openshift-controller-manager
+    name: openshift-controller-manager
+
+# needed to get the legacy lock that we used to use
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: Role
+  metadata:
+    name: system:openshift:leader-locking-openshift-controller-manager
+    namespace: ${KUBE_SYSTEM}
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    verbs:
+    - create
+  - apiGroups:
+    - ""
+    resourceNames:
+    - openshift-master-controllers
+    resources:
+    - configmaps
+    verbs:
+    - get
+    - create
+    - update
+    - patch
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    namespace: ${KUBE_SYSTEM}
+    name: system:openshift:leader-locking-openshift-controller-manager
+  roleRef:
+    kind: Role
+    name: system:openshift:leader-locking-openshift-controller-manager
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: openshift-controller-manager
+
+# needed to support the "use separate service accounts" feature.
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: Role
+  metadata:
+    name: system:openshift:sa-creating-openshift-controller-manager
+    namespace: ${OPENSHIFT_INFRA}
+  rules:
+  - apiGroups:
+    - ""
+    resources:
+    - serviceaccounts
+    verbs:
+    - get
+    - create
+    - update
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - get
+    - list
+    - create
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: RoleBinding
+  metadata:
+    namespace: ${OPENSHIFT_INFRA}
+    name: system:openshift:sa-creating-openshift-controller-manager
+  roleRef:
+    kind: Role
+    name: system:openshift:sa-creating-openshift-controller-manager
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: openshift-controller-manager
@@ -23,8 +23,9 @@ import (
 const RecommendedStartControllerManagerName = "openshift-controller-manager"
 
 type OpenShiftControllerManager struct {
-	ConfigFile string
-	Output     io.Writer
+	ConfigFile     string
+	KubeConfigFile string
+	Output         io.Writer
 }
 
 var longDescription = templates.LongDesc(`
@@ -59,9 +60,11 @@ func NewOpenShiftControllerManagerCommand(name, basename string, out, errout io.
 
 	flags := cmd.Flags()
 	// This command only supports reading from config
-	flags.StringVar(&options.ConfigFile, "config", "", "Location of the master configuration file to run from.")
+	flags.StringVar(&options.ConfigFile, "config", options.ConfigFile, "Location of the master configuration file to run from.")
 	cmd.MarkFlagFilename("config", "yaml", "yml")
 	cmd.MarkFlagRequired("config")
+	flags.StringVar(&options.KubeConfigFile, "kubeconfig", options.KubeConfigFile, "Location of the master configuration file to run from.")
+	cmd.MarkFlagFilename("kubeconfig", "kubeconfig")
 
 	return cmd
 }
@@ -101,5 +104,11 @@ func (o *OpenShiftControllerManager) RunControllerManager() error {
 		return kerrors.NewInvalid(configapi.Kind("MasterConfig"), "master-config.yaml", validationResults.Errors)
 	}
 
-	return RunOpenShiftControllerManager(masterConfig)
+	config := ConvertMasterConfigToOpenshiftControllerConfig(masterConfig)
+	clientConfig, err := configapi.GetKubeConfigOrInClusterConfig(o.KubeConfigFile, config.ClientConnectionOverrides)
+	if err != nil {
+		return err
+	}
+
+	return RunOpenShiftControllerManager(config, clientConfig)
 }
@@ -1,58 +1,94 @@
 package controller
 
 import (
-	"k8s.io/apimachinery/pkg/runtime"
+	"path"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	kapi "k8s.io/kubernetes/pkg/apis/core"
+	serviceaccountadmission "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"
 
 	deployercontroller "github.com/openshift/origin/pkg/apps/controller/deployer"
 	deployconfigcontroller "github.com/openshift/origin/pkg/apps/controller/deploymentconfig"
 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
+	"github.com/openshift/origin/pkg/cmd/util/variable"
 )
 
-type DeployerControllerConfig struct {
-	ImageName     string
-	ClientEnvVars []kapi.EnvVar
+func envVars(host string, caData []byte, insecure bool, bearerTokenFile string) []kapi.EnvVar {
+	envvars := []kapi.EnvVar{
+		{Name: "KUBERNETES_MASTER", Value: host},
+		{Name: "OPENSHIFT_MASTER", Value: host},
+	}
 
-	Codec runtime.Codec
-}
+	if len(bearerTokenFile) > 0 {
+		envvars = append(envvars, kapi.EnvVar{Name: "BEARER_TOKEN_FILE", Value: bearerTokenFile})
+	}
 
-type DeploymentConfigControllerConfig struct {
-	Codec runtime.Codec
+	if len(caData) > 0 {
+		envvars = append(envvars, kapi.EnvVar{Name: "OPENSHIFT_CA_DATA", Value: string(caData)})
+	} else if insecure {
+		envvars = append(envvars, kapi.EnvVar{Name: "OPENSHIFT_INSECURE", Value: "true"})
+	}
+
+	return envvars
 }
 
-func (c *DeployerControllerConfig) RunController(ctx ControllerContext) (bool, error) {
-	kubeClient, err := ctx.ClientBuilder.Client(bootstrappolicy.InfraDeployerControllerServiceAccountName)
+func RunDeployerController(ctx ControllerContext) (bool, error) {
+	clientConfig, err := ctx.ClientBuilder.Config(bootstrappolicy.InfraDeployerControllerServiceAccountName)
+	if err != nil {
+		return true, err
+	}
+
+	kubeClient, err := kubernetes.NewForConfig(clientConfig)
 	if err != nil {
 		return true, err
 	}
 
+	vars := envVars(
+		clientConfig.Host,
+		clientConfig.CAData,
+		clientConfig.Insecure,
+		path.Join(serviceaccountadmission.DefaultAPITokenMountPath, kapi.ServiceAccountTokenKey),
+	)
+
+	groupVersion := schema.GroupVersion{Group: "", Version: "v1"}
+	annotationCodec := legacyscheme.Codecs.LegacyCodec(groupVersion)
+
+	imageTemplate := variable.NewDefaultImageTemplate()
+	imageTemplate.Format = ctx.OpenshiftControllerConfig.Deployer.ImageTemplateFormat.Format
+	imageTemplate.Latest = ctx.OpenshiftControllerConfig.Deployer.ImageTemplateFormat.Latest
+
 	go deployercontroller.NewDeployerController(
 		ctx.ExternalKubeInformers.Core().V1().ReplicationControllers(),
 		ctx.ExternalKubeInformers.Core().V1().Pods(),
 		kubeClient,
 		bootstrappolicy.DeployerServiceAccountName,
-		c.ImageName,
-		c.ClientEnvVars,
-		c.Codec,
+		imageTemplate.ExpandOrDie("deployer"),
+		vars,
+		annotationCodec,
 	).Run(5, ctx.Stop)
 
 	return true, nil
 }
 
-func (c *DeploymentConfigControllerConfig) RunController(ctx ControllerContext) (bool, error) {
+func RunDeploymentConfigController(ctx ControllerContext) (bool, error) {
 	saName := bootstrappolicy.InfraDeploymentConfigControllerServiceAccountName
 
 	kubeClient, err := ctx.ClientBuilder.Client(saName)
 	if err != nil {
 		return true, err
 	}
 
+	groupVersion := schema.GroupVersion{Group: "", Version: "v1"}
+	annotationCodec := legacyscheme.Codecs.LegacyCodec(groupVersion)
+
 	go deployconfigcontroller.NewDeploymentConfigController(
 		ctx.AppInformers.Apps().InternalVersion().DeploymentConfigs(),
 		ctx.ExternalKubeInformers.Core().V1().ReplicationControllers(),
 		ctx.ClientBuilder.OpenshiftInternalAppsClientOrDie(saName),
 		kubeClient,
-		c.Codec,
+		annotationCodec,
 	).Run(5, ctx.Stop)
 
 	return true, nil
 
@@ -16,11 +16,10 @@ import (
 // NB: this is funky -- it's actually a Kubernetes controller, but we run it as an OpenShift controller in order
 // to get a handle on OpenShift clients, so that our delegating scales getter can work.
 
-type HorizontalPodAutoscalerControllerConfig struct {
-	HeapsterNamespace string
-}
+// TODO this goes away with a truly generic autoscaler
+func RunHorizontalPodAutoscalerController(originCtx ControllerContext) (bool, error) {
+	heapsterNamespace := bootstrappolicy.DefaultOpenShiftInfraNamespace
 
-func (c *HorizontalPodAutoscalerControllerConfig) RunController(originCtx ControllerContext) (bool, error) {
 	hpaClientConfig, err := originCtx.ClientBuilder.Config(bootstrappolicy.InfraHorizontalPodAutoscalerControllerServiceAccountName)
 	if err != nil {
 		return true, err
@@ -33,7 +32,7 @@ func (c *HorizontalPodAutoscalerControllerConfig) RunController(originCtx Contro
 
 	metricsClient := hpametrics.NewHeapsterMetricsClient(
 		hpaClient,
-		c.HeapsterNamespace,
+		heapsterNamespace,
 		"https",
 		"heapster",
 		"",
@@ -64,9 +63,9 @@ func (c *HorizontalPodAutoscalerControllerConfig) RunController(originCtx Contro
 		restMapper,
 		replicaCalc,
 		originCtx.ExternalKubeInformers.Autoscaling().V1().HorizontalPodAutoscalers(),
-		originCtx.OpenshiftControllerOptions.HPAControllerOptions.SyncPeriod.Duration,
-		originCtx.OpenshiftControllerOptions.HPAControllerOptions.UpscaleForbiddenWindow.Duration,
-		originCtx.OpenshiftControllerOptions.HPAControllerOptions.DownscaleForbiddenWindow.Duration,
+		originCtx.OpenshiftControllerConfig.HPA.SyncPeriod.Duration,
+		originCtx.OpenshiftControllerConfig.HPA.UpscaleForbiddenWindow.Duration,
+		originCtx.OpenshiftControllerConfig.HPA.DownscaleForbiddenWindow.Duration,
 	).Run(originCtx.Stop)
 
 	return true, nil
 
@@ -1,32 +1,32 @@
 package controller
 
 import (
-	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kubernetes/pkg/api/legacyscheme"
 
 	buildcontroller "github.com/openshift/origin/pkg/build/controller/build"
 	builddefaults "github.com/openshift/origin/pkg/build/controller/build/defaults"
 	buildoverrides "github.com/openshift/origin/pkg/build/controller/build/overrides"
 	buildconfigcontroller "github.com/openshift/origin/pkg/build/controller/buildconfig"
 	buildstrategy "github.com/openshift/origin/pkg/build/controller/strategy"
-	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
+	"github.com/openshift/origin/pkg/cmd/util/variable"
 )
 
-type BuildControllerConfig struct {
-	DockerImage           string
-	S2IImage              string
-	AdmissionPluginConfig map[string]*configapi.AdmissionPluginConfig
+// RunController starts the build sync loop for builds and buildConfig processing.
+func RunBuildController(ctx ControllerContext) (bool, error) {
+	groupVersion := schema.GroupVersion{Group: "", Version: "v1"}
+	annotationCodec := legacyscheme.Codecs.LegacyCodec(groupVersion)
 
-	Codec runtime.Codec
-}
+	imageTemplate := variable.NewDefaultImageTemplate()
+	imageTemplate.Format = ctx.OpenshiftControllerConfig.Build.ImageTemplateFormat.Format
+	imageTemplate.Latest = ctx.OpenshiftControllerConfig.Build.ImageTemplateFormat.Latest
 
-// RunController starts the build sync loop for builds and buildConfig processing.
-func (c *BuildControllerConfig) RunController(ctx ControllerContext) (bool, error) {
-	buildDefaults, err := builddefaults.NewBuildDefaults(c.AdmissionPluginConfig)
+	buildDefaults, err := builddefaults.NewBuildDefaults(ctx.OpenshiftControllerConfig.Build.AdmissionPluginConfig)
 	if err != nil {
 		return true, err
 	}
-	buildOverrides, err := buildoverrides.NewBuildOverrides(c.AdmissionPluginConfig)
+	buildOverrides, err := buildoverrides.NewBuildOverrides(ctx.OpenshiftControllerConfig.Build.AdmissionPluginConfig)
 	if err != nil {
 		return true, err
 	}
@@ -52,19 +52,19 @@ func (c *BuildControllerConfig) RunController(ctx ControllerContext) (bool, erro
 		KubeClientExternal:  externalKubeClient,
 		BuildClientInternal: buildClient,
 		DockerBuildStrategy: &buildstrategy.DockerBuildStrategy{
-			Image: c.DockerImage,
+			Image: imageTemplate.ExpandOrDie("docker-builder"),
 			// TODO: this will be set to --storage-version (the internal schema we use)
-			Codec: c.Codec,
+			Codec: annotationCodec,
 		},
 		SourceBuildStrategy: &buildstrategy.SourceBuildStrategy{
-			Image: c.S2IImage,
+			Image: imageTemplate.ExpandOrDie("sti-builder"),
 			// TODO: this will be set to --storage-version (the internal schema we use)
-			Codec:          c.Codec,
+			Codec:          annotationCodec,
 			SecurityClient: securityClient.Security(),
 		},
 		CustomBuildStrategy: &buildstrategy.CustomBuildStrategy{
 			// TODO: this will be set to --storage-version (the internal schema we use)
-			Codec: c.Codec,
+			Codec: annotationCodec,
 		},
 		BuildDefaults:  buildDefaults,
 		BuildOverrides: buildOverrides,