add oc adm prune role command to replace the existing reapear

Author: deads2k

pkg/authorization/reaper/role.go

@@ -1,4 +1,4 @@
-package reaper
+package authorizationreaper
 
 import (
 	"time"

pkg/authorization/reaper/cluster_role.go pkg/oc/admin/prune/authorizationreaper/cluster_role.go

@@ -1,4 +1,4 @@
-package reaper
+package authorizationreaper
 
 import (
 	"reflect"

pkg/authorization/reaper/cluster_role_test.go pkg/oc/admin/prune/authorizationreaper/cluster_role_test.go

@@ -0,0 +1,68 @@
+package authorizationreaper
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"time"
+
+	"github.com/golang/glog"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
+	"k8s.io/kubernetes/pkg/kubectl"
+
+	authclient "github.com/openshift/origin/pkg/authorization/generated/internalclientset/typed/authorization/internalversion"
+)
+
+func NewRoleReaper(roleClient authclient.RolesGetter, bindingClient rbacv1client.RoleBindingsGetter) kubectl.Reaper {
+	return &RoleReaper{
+		roleClient:    roleClient,
+		bindingClient: bindingClient,
+	}
+}
+
+type RoleReaper struct {
+	roleClient    authclient.RolesGetter
+	bindingClient rbacv1client.RoleBindingsGetter
+}
+
+// Stop on a reaper is actually used for deletion.  In this case, we'll delete referencing rolebindings
+// then delete the role.
+func (r *RoleReaper) Stop(namespace, name string, timeout time.Duration, gracePeriod *metav1.DeleteOptions) error {
+	err := reapForRole(r.bindingClient, namespace, name, ioutil.Discard)
+
+	if err != nil {
+		glog.Infof("Cannot prune for role/%s: %v", name, err)
+	}
+
+	if err := r.roleClient.Roles(namespace).Delete(name, &metav1.DeleteOptions{}); err != nil && !kerrors.IsNotFound(err) {
+		return err
+	}
+
+	return nil
+}
+
+// Stop on a reaper is actually used for deletion.  In this case, we'll delete referencing rolebindings
+// then delete the role.
+func reapForRole(bindingClient rbacv1client.RoleBindingsGetter, namespace, name string, out io.Writer) error {
+	bindings, err := bindingClient.RoleBindings(namespace).List(metav1.ListOptions{})
+	if err != nil {
+		return err
+	}
+
+	errors := []error{}
+	for _, binding := range bindings.Items {
+		if binding.RoleRef.Name == name {
+			foreground := metav1.DeletePropagationForeground
+			if err := bindingClient.RoleBindings(namespace).Delete(binding.Name, &metav1.DeleteOptions{PropagationPolicy: &foreground}); err != nil && !kerrors.IsNotFound(err) {
+				errors = append(errors, err)
+			} else {
+				fmt.Fprintf(out, "rolebinding.rbac.authorization.k8s.io/"+binding.Name+" deleted\n")
+			}
+		}
+	}
+
+	return utilerrors.NewAggregate(errors)
+}

pkg/oc/admin/prune/authorizationreaper/role.go

@@ -0,0 +1,106 @@
+package authorizationreaper
+
+import (
+	"io"
+
+	"github.com/spf13/cobra"
+
+	rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1"
+	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
+	"k8s.io/kubernetes/pkg/kubectl/resource"
+)
+
+// PruneRolesOptions holds all the required options for pruning roles.
+type PruneRolesOptions struct {
+	FilenameOptions resource.FilenameOptions
+	Selector        string
+	All             bool
+
+	Builder           *resource.Builder
+	RoleBindingClient rbacv1client.RoleBindingsGetter
+
+	Out io.Writer
+}
+
+// NewCmdPruneRoles implements the OpenShift cli prune roles command.
+func NewCmdPruneRoles(f kcmdutil.Factory, name string, out io.Writer) *cobra.Command {
+	o := &PruneRolesOptions{
+		Out: out,
+	}
+
+	cmd := &cobra.Command{
+		Use:   name,
+		Short: "Deletes all rolebindings references the specified roles.",
+		Long:  "Deletes all rolebindings references the specified roles.",
+
+		Run: func(cmd *cobra.Command, args []string) {
+			kcmdutil.CheckErr(o.Complete(f, cmd, args))
+			kcmdutil.CheckErr(o.RunPrune())
+		},
+	}
+
+	kcmdutil.AddFilenameOptionFlags(cmd, &o.FilenameOptions, "containing the resource to delete.")
+
+	cmd.Flags().StringVarP(&o.Selector, "selector", "l", "", "Selector (label query) to filter on.")
+	cmd.Flags().BoolVar(&o.All, "all", o.All, "Prune all roles in the namespace.")
+
+	return cmd
+}
+
+func (o *PruneRolesOptions) Complete(f kcmdutil.Factory, cmd *cobra.Command, args []string) error {
+	var err error
+
+	clientConfig, err := f.ClientConfig()
+	if err != nil {
+		return nil
+	}
+	o.RoleBindingClient, err = rbacv1client.NewForConfig(clientConfig)
+	if err != nil {
+		return nil
+	}
+
+	cmdNamespace, enforceNamespace, err := f.DefaultNamespace()
+	if err != nil {
+		return err
+	}
+
+	o.Builder = f.NewBuilder().
+		Unstructured().
+		ContinueOnError().
+		NamespaceParam(cmdNamespace).DefaultNamespace().
+		FilenameParam(enforceNamespace, &o.FilenameOptions).
+		LabelSelectorParam(o.Selector).
+		SelectAllParam(o.All).
+		ResourceTypeOrNameArgs(false, args...).
+		RequireObject(false).
+		Flatten()
+
+	return nil
+}
+
+func (o *PruneRolesOptions) RunPrune() error {
+	r := o.Builder.Do()
+	if r.Err() != nil {
+		return r.Err()
+	}
+
+	// this is weird, but we do this here for easy compatibility with existing reapers.  This command doesn't make sense
+	// without a server connection.  Still.  Don't do this at home.
+	err := r.Visit(func(info *resource.Info, err error) error {
+		if err != nil {
+			return err
+		}
+		if info.Mapping.GroupVersionKind.Group != "rbac.authorization.k8s.io" && info.Mapping.GroupVersionKind.Group != "authorization.openshift.io" {
+			return nil
+		}
+		if info.Mapping.Resource != "roles" {
+			return nil
+		}
+
+		reapForRole(o.RoleBindingClient, info.Namespace, info.Name, o.Out)
+
+		return nil
+	})
+
+	return err
+}

pkg/oc/admin/prune/authorizationreaper/role_command.go

@@ -1,4 +1,4 @@
-package reaper
+package authorizationreaper
 
 import (
 	"reflect"

pkg/authorization/reaper/role_test.go pkg/oc/admin/prune/authorizationreaper/role_test.go

@@ -8,6 +8,7 @@ import (
 	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 
 	groups "github.com/openshift/origin/pkg/oc/admin/groups/sync/cli"
+	"github.com/openshift/origin/pkg/oc/admin/prune/authorizationreaper"
 	"github.com/openshift/origin/pkg/oc/cli/util/clientcmd"
 )
 
@@ -35,5 +36,6 @@ func NewCommandPrune(name, fullName string, f *clientcmd.Factory, out, errOut io
 	cmds.AddCommand(NewCmdPruneDeployments(f, fullName, PruneDeploymentsRecommendedName, out))
 	cmds.AddCommand(NewCmdPruneImages(f, fullName, PruneImagesRecommendedName, out))
 	cmds.AddCommand(groups.NewCmdPrune(PruneGroupsRecommendedName, fullName+" "+PruneGroupsRecommendedName, f, out))
+	cmds.AddCommand(authorizationreaper.NewCmdPruneRoles(f, "roles", out))
 	return cmds
 }

pkg/oc/admin/prune/prune.go

@@ -12,7 +12,7 @@ import (
 	appsclient "github.com/openshift/origin/pkg/apps/generated/internalclientset"
 	authorizationapi "github.com/openshift/origin/pkg/authorization/apis/authorization"
 	authorizationclientinternal "github.com/openshift/origin/pkg/authorization/generated/internalclientset"
-	authorizationreaper "github.com/openshift/origin/pkg/authorization/reaper"
+	authorizationreaper "github.com/openshift/origin/pkg/oc/admin/prune/authorizationreaper"
 	buildapi "github.com/openshift/origin/pkg/build/apis/build"
 	buildclientinternal "github.com/openshift/origin/pkg/build/generated/internalclientset"
 	oauthclientinternal "github.com/openshift/origin/pkg/oauth/generated/internalclientset"
@@ -91,7 +91,11 @@ func (f *ring2Factory) Reaper(mapping *meta.RESTMapping) (kubectl.Reaper, error)
 		if err != nil {
 			return nil, err
 		}
-		return authorizationreaper.NewRoleReaper(authClient.Authorization(), authClient.Authorization()), nil
+		kubeClient, err := f.clientAccessFactory.KubernetesClientSet()
+		if err != nil {
+			return nil, err
+		}
+		return authorizationreaper.NewRoleReaper(authClient.Authorization(), kubeClient.RbacV1()), nil
 	case authorizationapi.IsKindOrLegacy("ClusterRole", gk):
 		authClient, err := authorizationclientinternal.NewForConfig(clientConfig)
 		if err != nil {