Merge pull request #16863 from deads2k/server-49-validation

openshift-merge-robot · web-flow · commit 710fcf502d3d · 2017-10-20T07:16:08.000-07:00
Automatic merge from submit-queue (batch tested with PRs 16943, 16872, 16916, 16863, 16925). warn on missing service cert signer in oadm diagnostics Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1501952 Updates master-config.yaml validation to warn on missing service serving signer cert configuration. @mrobson ``` [deads@deads-02 origin]$ oc adm diagnostics --master-config=openshift.local.config/master/master-config.yaml MasterConfigCheck [Note] Determining if client configuration exists for client/cluster diagnostics Info: Successfully read a client config file at '/home/deads/.kube/config' [Note] Performing systemd discovery [Note] Running diagnostic: MasterConfigCheck Description: Check the master config file WARN: [DH0005 from diagnostic MasterConfigCheck@openshift/origin/pkg/diagnostics/host/check_master_config.go:52] Validation of master config file 'openshift.local.config/master/master-config.yaml' warned: assetConfig.loggingPublicURL: Invalid value: "": required to view aggregated container logs in the console assetConfig.metricsPublicURL: Invalid value: "": required to view cluster metrics in the console controllerConfig.serviceServingCert.signer: Required value: required for the service serving cert signer; automatic serving certificate signing will fail [Note] Summary of diagnostics execution (version v3.7.0-alpha.1+05f812f-1107-dirty): [Note] Warnings seen: 1 ```
diff --git a/pkg/cmd/server/api/validation/master.go b/pkg/cmd/server/api/validation/master.go
@@ -336,7 +336,9 @@ func ValidateControllerConfig(config api.ControllerConfig, fldPath *field.Path)
 			validationResults.AddErrors(field.Invalid(fldPath.Child("election", "lockResource", "resource"), election.LockResource.Resource, "may not be empty"))
 		}
 	}
-	if config.ServiceServingCert.Signer != nil {
+	if config.ServiceServingCert.Signer == nil {
+		validationResults.AddWarnings(field.Required(fldPath.Child("serviceServingCert", "signer"), "required for the service serving cert signer; automatic serving certificate signing will fail"))
+	} else {
 		validationResults.AddErrors(ValidateCertInfo(*config.ServiceServingCert.Signer, true, fldPath.Child("serviceServingCert.signer"))...)
 	}
 
diff --git a/pkg/cmd/server/api/validation/master_test.go b/pkg/cmd/server/api/validation/master_test.go
@@ -401,7 +401,7 @@ func TestValidateAdmissionPluginConfigConflicts(t *testing.T) {
 	// these fields have warnings in the empty case
 	defaultWarningFields := sets.NewString(
 		"serviceAccountConfig.managedNames", "serviceAccountConfig.publicKeyFiles", "serviceAccountConfig.privateKeyFile", "serviceAccountConfig.masterCA",
-		"projectConfig.securityAllocator", "kubernetesMasterConfig.proxyClientInfo", "auditConfig.auditFilePath", "aggregatorConfig.proxyClientInfo")
+		"projectConfig.securityAllocator", "kubernetesMasterConfig.proxyClientInfo", "auditConfig.auditFilePath", "aggregatorConfig.proxyClientInfo", "controllerConfig.serviceServingCert.signer")
 
 	for _, tc := range testCases {
 		results := ValidateMasterConfig(&tc.options, nil)

Original file line number	Diff line number	Diff line change
`@@ -336,7 +336,9 @@ func ValidateControllerConfig(config api.ControllerConfig, fldPath *field.Path)`
`336`	`336`	`validationResults.AddErrors(field.Invalid(fldPath.Child("election", "lockResource", "resource"), election.LockResource.Resource, "may not be empty"))`
`337`	`337`	`}`
`338`	`338`	`}`
`339`		`- if config.ServiceServingCert.Signer != nil {`
	`339`	`+ if config.ServiceServingCert.Signer == nil {`
	`340`	`+ validationResults.AddWarnings(field.Required(fldPath.Child("serviceServingCert", "signer"), "required for the service serving cert signer; automatic serving certificate signing will fail"))`
	`341`	`+ } else {`
`340`	`342`	`validationResults.AddErrors(ValidateCertInfo(*config.ServiceServingCert.Signer, true, fldPath.Child("serviceServingCert.signer"))...)`
`341`	`343`	`}`
`342`	`344`