status to indicate resources with broken secret/SA refs

Author: deads2k

pkg/api/graph/graph.go

@@ -25,6 +25,10 @@ type ExistenceChecker interface {
 	Found() bool
 }
 
+type ResourceNode interface {
+	ResourceString() string
+}
+
 type UniqueName string
 
 type UniqueNameFunc func(obj interface{}) UniqueName
@@ -158,7 +162,7 @@ func (g Graph) SyntheticNodes() []graph.Node {
 	sort.Sort(SortedNodeList(nodeList))
 	for _, node := range nodeList {
 		if potentiallySyntheticNode, ok := node.(ExistenceChecker); ok {
-			if potentiallySyntheticNode.Found() {
+			if !potentiallySyntheticNode.Found() {
 				ret = append(ret, node)
 			}
 		}

pkg/api/kubegraph/nodes/types.go

@@ -37,6 +37,10 @@ func (n ServiceNode) String() string {
 	return string(ServiceNodeName(n.Service))
 }
 
+func (n ServiceNode) ResourceString() string {
+	return "svc/" + n.Name
+}
+
 func (*ServiceNode) Kind() string {
 	return ServiceNodeKind
 }
@@ -58,6 +62,10 @@ func (n PodNode) String() string {
 	return string(PodNodeName(n.Pod))
 }
 
+func (n PodNode) ResourceString() string {
+	return "pod/" + n.Name
+}
+
 func (n PodNode) UniqueName() osgraph.UniqueName {
 	return PodNodeName(n.Pod)
 }
@@ -110,6 +118,10 @@ func (n ReplicationControllerNode) String() string {
 	return string(ReplicationControllerNodeName(n.ReplicationController))
 }
 
+func (n ReplicationControllerNode) ResourceString() string {
+	return "rc/" + n.Name
+}
+
 func (n ReplicationControllerNode) UniqueName() osgraph.UniqueName {
 	return ReplicationControllerNodeName(n.ReplicationController)
 }
@@ -195,6 +207,10 @@ func (n ServiceAccountNode) String() string {
 	return string(ServiceAccountNodeName(n.ServiceAccount))
 }
 
+func (n ServiceAccountNode) ResourceString() string {
+	return "sa/" + n.Name
+}
+
 func (*ServiceAccountNode) Kind() string {
 	return ServiceAccountNodeKind
 }
@@ -222,6 +238,10 @@ func (n SecretNode) String() string {
 	return string(SecretNodeName(n.Secret))
 }
 
+func (n SecretNode) ResourceString() string {
+	return "secret/" + n.Name
+}
+
 func (*SecretNode) Kind() string {
 	return SecretNodeKind
 }

pkg/build/graph/nodes/types.go

@@ -33,6 +33,10 @@ func (n BuildConfigNode) String() string {
 	return string(BuildConfigNodeName(n.BuildConfig))
 }
 
+func (n BuildConfigNode) ResourceString() string {
+	return "bc/" + n.Name
+}
+
 func (*BuildConfigNode) Kind() string {
 	return BuildConfigNodeKind
 }
@@ -77,6 +81,10 @@ func (n BuildNode) String() string {
 	return string(BuildNodeName(n.Build))
 }
 
+func (n BuildNode) ResourceString() string {
+	return "build/" + n.Build.Name
+}
+
 func (*BuildNode) Kind() string {
 	return BuildNodeKind
 }

pkg/cmd/cli/describe/projectstatus.go

@@ -16,6 +16,7 @@ import (
 	osgraph "github.com/openshift/origin/pkg/api/graph"
 	"github.com/openshift/origin/pkg/api/graph/graphview"
 	kubeedges "github.com/openshift/origin/pkg/api/kubegraph"
+	kubeanalysis "github.com/openshift/origin/pkg/api/kubegraph/analysis"
 	kubegraph "github.com/openshift/origin/pkg/api/kubegraph/nodes"
 	buildapi "github.com/openshift/origin/pkg/build/api"
 	buildedges "github.com/openshift/origin/pkg/build/graph"
@@ -43,6 +44,8 @@ func (d *ProjectStatusDescriber) MakeGraph(namespace string) (osgraph.Graph, err
 
 	loaders := []GraphLoader{
 		&serviceLoader{namespace: namespace, lister: d.K},
+		&serviceAccountLoader{namespace: namespace, lister: d.K},
+		&secretLoader{namespace: namespace, lister: d.K},
 		&rcLoader{namespace: namespace, lister: d.K},
 		&podLoader{namespace: namespace, lister: d.K},
 		&bcLoader{namespace: namespace, lister: d.C},
@@ -71,6 +74,9 @@ func (d *ProjectStatusDescriber) MakeGraph(namespace string) (osgraph.Graph, err
 	deployedges.AddAllTriggerEdges(g)
 	deployedges.AddAllDeploymentEdges(g)
 	imageedges.AddAllImageStreamRefEdges(g)
+	kubeedges.AddAllRequestedServiceAccountEdges(g)
+	kubeedges.AddAllMountableSecretEdges(g)
+	kubeedges.AddAllMountedSecretEdges(g)
 
 	return g, nil
 }
@@ -154,6 +160,9 @@ func (d *ProjectStatusDescriber) Describe(namespace, name string) (string, error
 			if hasUnresolvedImageStreamTag(g) {
 				fmt.Fprintln(out, "Warning: Some of your builds are pointing to image streams, but the administrator has not configured the integrated Docker registry (oadm registry).")
 			}
+			if lines, _ := describeBadPodSpecs(out, g); len(lines) > 0 {
+				fmt.Fprintln(out, strings.Join(lines, "\n"))
+			}
 
 			fmt.Fprintln(out, "To see more, use 'oc describe service <name>' or 'oc describe dc <name>'.")
 			fmt.Fprintln(out, "You can use 'oc get all' to see a list of other objects.")
@@ -179,6 +188,50 @@ func hasUnresolvedImageStreamTag(g osgraph.Graph) bool {
 	return false
 }
 
+func describeBadPodSpecs(out io.Writer, g osgraph.Graph) ([]string, []*kubegraph.SecretNode) {
+	allMissingSecrets := []*kubegraph.SecretNode{}
+	lines := []string{}
+
+	for _, uncastPodSpec := range g.NodesByKind(kubegraph.PodSpecNodeKind) {
+		podSpecNode := uncastPodSpec.(*kubegraph.PodSpecNode)
+		unmountableSecrets, missingSecrets := kubeanalysis.CheckMountedSecrets(g, podSpecNode)
+		containingNode := osgraph.GetTopLevelContainerNode(g, podSpecNode)
+
+		allMissingSecrets = append(allMissingSecrets, missingSecrets...)
+
+		unmountableNames := []string{}
+		for _, secret := range unmountableSecrets {
+			unmountableNames = append(unmountableNames, secret.ResourceString())
+		}
+
+		missingNames := []string{}
+		for _, secret := range missingSecrets {
+			missingNames = append(missingNames, secret.ResourceString())
+		}
+
+		containingNodeName := g.GraphDescriber.Name(containingNode)
+		if resourceNode, ok := containingNode.(osgraph.ResourceNode); ok {
+			containingNodeName = resourceNode.ResourceString()
+		}
+
+		switch {
+		case len(unmountableSecrets) > 0 && len(missingSecrets) > 0:
+			lines = append(lines, fmt.Sprintf("\t%s is not allowed to mount %s and wants to mount these missing secrets %s", containingNodeName, strings.Join(unmountableNames, ","), strings.Join(missingNames, ",")))
+		case len(unmountableSecrets) > 0:
+			lines = append(lines, fmt.Sprintf("\t%s is not allowed to mount %s", containingNodeName, strings.Join(unmountableNames, ",")))
+		case len(unmountableSecrets) > 0 && len(missingSecrets) > 0:
+			lines = append(lines, fmt.Sprintf("\t%s wants to mount these missing secrets %s", containingNodeName, strings.Join(missingNames, ",")))
+		}
+	}
+
+	// if we had any failures, prepend the warning line
+	if len(lines) > 0 {
+		return append([]string{"Warning: some requested secrets are not allowed:"}, lines...), allMissingSecrets
+	}
+
+	return []string{}, allMissingSecrets
+}
+
 func printLines(out io.Writer, indent string, depth int, lines ...string) {
 	for i, s := range lines {
 		fmt.Fprintf(out, strings.Repeat(indent, depth))
@@ -625,14 +678,14 @@ type GraphLoader interface {
 	AddToGraph(g osgraph.Graph) error
 }
 
-type serviceLoader struct {
+type rcLoader struct {
 	namespace string
-	lister    kclient.ServicesNamespacer
-	items     []kapi.Service
+	lister    kclient.ReplicationControllersNamespacer
+	items     []kapi.ReplicationController
 }
 
-func (l *serviceLoader) Load() error {
-	list, err := l.lister.Services(l.namespace).List(labels.Everything())
+func (l *rcLoader) Load() error {
+	list, err := l.lister.ReplicationControllers(l.namespace).List(labels.Everything())
 	if err != nil {
 		return err
 	}
@@ -641,22 +694,22 @@ func (l *serviceLoader) Load() error {
 	return nil
 }
 
-func (l *serviceLoader) AddToGraph(g osgraph.Graph) error {
+func (l *rcLoader) AddToGraph(g osgraph.Graph) error {
 	for i := range l.items {
-		kubegraph.EnsureServiceNode(g, &l.items[i])
+		kubegraph.EnsureReplicationControllerNode(g, &l.items[i])
 	}
 
 	return nil
 }
 
-type rcLoader struct {
+type serviceLoader struct {
 	namespace string
-	lister    kclient.ReplicationControllersNamespacer
-	items     []kapi.ReplicationController
+	lister    kclient.ServicesNamespacer
+	items     []kapi.Service
 }
 
-func (l *rcLoader) Load() error {
-	list, err := l.lister.ReplicationControllers(l.namespace).List(labels.Everything())
+func (l *serviceLoader) Load() error {
+	list, err := l.lister.Services(l.namespace).List(labels.Everything())
 	if err != nil {
 		return err
 	}
@@ -665,9 +718,9 @@ func (l *rcLoader) Load() error {
 	return nil
 }
 
-func (l *rcLoader) AddToGraph(g osgraph.Graph) error {
+func (l *serviceLoader) AddToGraph(g osgraph.Graph) error {
 	for i := range l.items {
-		kubegraph.EnsureReplicationControllerNode(g, &l.items[i])
+		kubegraph.EnsureServiceNode(g, &l.items[i])
 	}
 
 	return nil
@@ -697,6 +750,54 @@ func (l *podLoader) AddToGraph(g osgraph.Graph) error {
 	return nil
 }
 
+type serviceAccountLoader struct {
+	namespace string
+	lister    kclient.ServiceAccountsNamespacer
+	items     []kapi.ServiceAccount
+}
+
+func (l *serviceAccountLoader) Load() error {
+	list, err := l.lister.ServiceAccounts(l.namespace).List(labels.Everything(), fields.Everything())
+	if err != nil {
+		return err
+	}
+
+	l.items = list.Items
+	return nil
+}
+
+func (l *serviceAccountLoader) AddToGraph(g osgraph.Graph) error {
+	for i := range l.items {
+		kubegraph.EnsureServiceAccountNode(g, &l.items[i])
+	}
+
+	return nil
+}
+
+type secretLoader struct {
+	namespace string
+	lister    kclient.SecretsNamespacer
+	items     []kapi.Secret
+}
+
+func (l *secretLoader) Load() error {
+	list, err := l.lister.Secrets(l.namespace).List(labels.Everything(), fields.Everything())
+	if err != nil {
+		return err
+	}
+
+	l.items = list.Items
+	return nil
+}
+
+func (l *secretLoader) AddToGraph(g osgraph.Graph) error {
+	for i := range l.items {
+		kubegraph.EnsureSecretNode(g, &l.items[i])
+	}
+
+	return nil
+}
+
 type isLoader struct {
 	namespace string
 	lister    client.ImageStreamsNamespacer

pkg/deploy/graph/nodes/types.go

@@ -28,6 +28,10 @@ func (n DeploymentConfigNode) String() string {
 	return string(DeploymentConfigNodeName(n.DeploymentConfig))
 }
 
+func (n DeploymentConfigNode) ResourceString() string {
+	return "dc/" + n.Name
+}
+
 func (*DeploymentConfigNode) Kind() string {
 	return DeploymentConfigNodeKind
 }

pkg/image/graph/nodes/types.go

@@ -42,6 +42,10 @@ func (n ImageStreamNode) String() string {
 	return string(ImageStreamNodeName(n.ImageStream))
 }
 
+func (n ImageStreamNode) ResourceString() string {
+	return "is/" + n.Name
+}
+
 func (*ImageStreamNode) Kind() string {
 	return ImageStreamNodeKind
 }
@@ -79,6 +83,10 @@ func (n ImageStreamTagNode) String() string {
 	return string(ImageStreamTagNodeName(n.ImageStreamTag))
 }
 
+func (n ImageStreamTagNode) ResourceString() string {
+	return "imagestreamtag/" + n.Name
+}
+
 func (*ImageStreamTagNode) Kind() string {
 	return ImageStreamTagNodeKind
 }
@@ -148,6 +156,10 @@ func (n ImageNode) String() string {
 	return string(ImageNodeName(n.Image))
 }
 
+func (n ImageNode) ResourceString() string {
+	return "image/" + n.Image.Name
+}
+
 func (*ImageNode) Kind() string {
 	return ImageNodeKind
 }