Merge pull request #16979 from jim-minter/issue16775-2

openshift-merge-robot · web-flow · commit 8e73380b526a · 2017-10-23T14:33:18.000-07:00
Automatic merge from submit-queue. delete templateinstances in foreground where necessary in extended tests fixes #16775 (2nd attempt) Proposing to comment out the previous "fix" in case it's superstition
diff --git a/pkg/template/registry/templateinstance/strategy.go b/pkg/template/registry/templateinstance/strategy.go
@@ -3,7 +3,9 @@ package templateinstance
 import (
 	"errors"
 
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	kutilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apiserver/pkg/authentication/user"
 	apirequest "k8s.io/apiserver/pkg/endpoints/request"
@@ -96,8 +98,34 @@ func (s *templateInstanceStrategy) ValidateUpdate(ctx apirequest.Context, obj, o
 		return field.ErrorList{field.InternalError(field.NewPath(""), errors.New("user not found in context"))}
 	}
 
-	templateInstance := obj.(*templateapi.TemplateInstance)
-	oldTemplateInstance := old.(*templateapi.TemplateInstance)
+	// Decode Spec.Template.Objects on both obj and old to Unstructureds.  This
+	// allows detectection of at least some cases where the Objects are
+	// semantically identical, but the serialisations have been jumbled up.  One
+	// place where this happens is in the garbage collector, which uses
+	// Unstructureds via the dynamic client.
+
+	objcopy, err := kapi.Scheme.DeepCopy(obj)
+	if err != nil {
+		return field.ErrorList{field.InternalError(field.NewPath(""), err)}
+	}
+	templateInstance := objcopy.(*templateapi.TemplateInstance)
+
+	errs := runtime.DecodeList(templateInstance.Spec.Template.Objects, unstructured.UnstructuredJSONScheme)
+	if len(errs) != 0 {
+		return field.ErrorList{field.InternalError(field.NewPath(""), kutilerrors.NewAggregate(errs))}
+	}
+
+	oldcopy, err := kapi.Scheme.DeepCopy(old)
+	if err != nil {
+		return field.ErrorList{field.InternalError(field.NewPath(""), err)}
+	}
+	oldTemplateInstance := oldcopy.(*templateapi.TemplateInstance)
+
+	errs = runtime.DecodeList(oldTemplateInstance.Spec.Template.Objects, unstructured.UnstructuredJSONScheme)
+	if len(errs) != 0 {
+		return field.ErrorList{field.InternalError(field.NewPath(""), kutilerrors.NewAggregate(errs))}
+	}
+
 	allErrs := validation.ValidateTemplateInstanceUpdate(templateInstance, oldTemplateInstance)
 	allErrs = append(allErrs, s.validateImpersonationUpdate(templateInstance, oldTemplateInstance, user)...)
 
diff --git a/test/extended/templates/templateinstance_cross_namespace.go b/test/extended/templates/templateinstance_cross_namespace.go
@@ -112,28 +112,24 @@ var _ = g.Describe("[Conformance][templates] templateinstance cross-namespace te
 		o.Expect(err).NotTo(o.HaveOccurred())
 
 		g.By("deleting the templateinstance")
-		err = cli.TemplateClient().Template().TemplateInstances(cli.Namespace()).Delete(templateinstance.Name, nil)
+		foreground := metav1.DeletePropagationForeground
+		err = cli.TemplateClient().Template().TemplateInstances(cli.Namespace()).Delete(templateinstance.Name, &metav1.DeleteOptions{PropagationPolicy: &foreground})
 		o.Expect(err).NotTo(o.HaveOccurred())
 
 		// wait for garbage collector to do its thing
-		err = wait.Poll(time.Second, time.Minute, func() (bool, error) {
+		err = wait.Poll(100*time.Millisecond, 30*time.Second, func() (bool, error) {
 			_, err = cli.TemplateClient().Template().TemplateInstances(cli.Namespace()).Get(templateinstance.Name, metav1.GetOptions{})
-			if err == nil || !kerrors.IsNotFound(err) {
-				return false, err
+			if kerrors.IsNotFound(err) {
+				return true, nil
 			}
-
-			_, err = cli.KubeClient().CoreV1().Secrets(cli.Namespace()).Get("secret1", metav1.GetOptions{})
-			if err == nil || !kerrors.IsNotFound(err) {
-				return false, err
-			}
-
-			_, err = cli.KubeClient().CoreV1().Secrets(cli2.Namespace()).Get("secret2", metav1.GetOptions{})
-			if err == nil || !kerrors.IsNotFound(err) {
-				return false, err
-			}
-
-			return true, nil
+			return false, err
 		})
 		o.Expect(err).NotTo(o.HaveOccurred())
+
+		_, err = cli.KubeClient().CoreV1().Secrets(cli.Namespace()).Get("secret1", metav1.GetOptions{})
+		o.Expect(kerrors.IsNotFound(err)).To(o.BeTrue())
+
+		_, err = cli.KubeClient().CoreV1().Secrets(cli2.Namespace()).Get("secret2", metav1.GetOptions{})
+		o.Expect(kerrors.IsNotFound(err)).To(o.BeTrue())
 	})
 })
diff --git a/test/extended/templates/templateinstance_security.go b/test/extended/templates/templateinstance_security.go
@@ -77,28 +77,32 @@ var _ = g.Describe("[Conformance][templates] templateinstance security tests", f
 			editgroup = createGroup(cli, "editgroup", bootstrappolicy.EditRoleName)
 			addUserToGroup(cli, editbygroupuser.Name, editgroup.Name)
 
-			// I think we get flakes when the group cache hasn't yet noticed the
-			// new group membership made above.  Wait until all it looks like
-			// all the users above have access to the namespace as expected.
-			err := wait.PollImmediate(time.Second, 30*time.Second, func() (done bool, err error) {
-				for _, user := range []*userapi.User{adminuser, edituser, editbygroupuser} {
-					cli.ChangeUser(user.Name)
-					sar, err := cli.AuthorizationClient().Authorization().LocalSubjectAccessReviews(cli.Namespace()).Create(&authorizationapi.LocalSubjectAccessReview{
-						Action: authorizationapi.Action{
-							Verb:     "get",
-							Resource: "pods",
-						},
-					})
-					if err != nil {
-						return false, err
-					}
-					if !sar.Allowed {
-						return false, nil
+			/*
+				// jminter: commenting this out for now in case it turns out to be superstition
+
+				// I think we get flakes when the group cache hasn't yet noticed the
+				// new group membership made above.  Wait until all it looks like
+				// all the users above have access to the namespace as expected.
+				err := wait.PollImmediate(time.Second, 30*time.Second, func() (done bool, err error) {
+					for _, user := range []*userapi.User{adminuser, edituser, editbygroupuser} {
+						cli.ChangeUser(user.Name)
+						sar, err := cli.AuthorizationClient().Authorization().LocalSubjectAccessReviews(cli.Namespace()).Create(&authorizationapi.LocalSubjectAccessReview{
+							Action: authorizationapi.Action{
+								Verb:     "get",
+								Resource: "pods",
+							},
+						})
+						if err != nil {
+							return false, err
+						}
+						if !sar.Allowed {
+							return false, nil
+						}
 					}
-				}
-				return true, nil
-			})
-			o.Expect(err).NotTo(o.HaveOccurred())
+					return true, nil
+				})
+				o.Expect(err).NotTo(o.HaveOccurred())
+			*/
 		})
 
 		g.AfterEach(func() {
@@ -273,8 +277,20 @@ var _ = g.Describe("[Conformance][templates] templateinstance security tests", f
 				o.Expect(templateinstance.HasCondition(test.expectCondition, kapi.ConditionTrue)).To(o.Equal(true))
 				o.Expect(test.checkOK(test.namespace)).To(o.BeTrue())
 
-				err = cli.TemplateClient().Template().TemplateInstances(cli.Namespace()).Delete(templateinstance.Name, nil)
+				foreground := metav1.DeletePropagationForeground
+				err = cli.TemplateClient().Template().TemplateInstances(cli.Namespace()).Delete(templateinstance.Name, &metav1.DeleteOptions{PropagationPolicy: &foreground})
 				o.Expect(err).NotTo(o.HaveOccurred())
+
+				// wait for garbage collector to do its thing
+				err = wait.Poll(100*time.Millisecond, 30*time.Second, func() (bool, error) {
+					_, err = cli.TemplateClient().Template().TemplateInstances(cli.Namespace()).Get(templateinstance.Name, metav1.GetOptions{})
+					if kerrors.IsNotFound(err) {
+						return true, nil
+					}
+					return false, err
+				})
+				o.Expect(err).NotTo(o.HaveOccurred())
+
 				err = cli.KubeClient().CoreV1().Secrets(cli.Namespace()).Delete(secret.Name, nil)
 				o.Expect(err).NotTo(o.HaveOccurred())
 			}
