openshift
diff --git a/‎.travis.yml
+1 b/‎.travis.yml
+1
diff --git a/‎Jenkinsfile
+6-1 b/‎Jenkinsfile
+6-1
diff --git a/‎Makefile
+4-2 b/‎Makefile
+4-2
diff --git a/‎README.md
+1-8 b/‎README.md
+1-8
diff --git a/‎build/build-image/Dockerfile
+2-2 b/‎build/build-image/Dockerfile
+2-2
diff --git a/‎build/verify-errexit.sh
+1-1 b/‎build/verify-errexit.sh
+1-1
diff --git a/‎charts/catalog/README.md
+3-2 b/‎charts/catalog/README.md
+3-2
diff --git a/‎charts/catalog/templates/_helpers.tpl
+12 b/‎charts/catalog/templates/_helpers.tpl
+12
diff --git a/‎charts/catalog/templates/rbac.yaml
+11-11 b/‎charts/catalog/templates/rbac.yaml
+11-11
diff --git a/‎charts/catalog/values.yaml
+5-2 b/‎charts/catalog/values.yaml
+5-2
diff --git a/‎charts/ups-broker/README.md
+1-1 b/‎charts/ups-broker/README.md
+1-1
diff --git a/‎charts/ups-broker/values.yaml
+1-1 b/‎charts/ups-broker/values.yaml
+1-1
diff --git a/‎cmd/apiserver/app/server/server.go
+1-1 b/‎cmd/apiserver/app/server/server.go
+1-1
diff --git a/‎cmd/controller-manager/app/controller_manager.go
+1-1 b/‎cmd/controller-manager/app/controller_manager.go
+1-1
diff --git a/‎cmd/controller-manager/app/options/options.go
+2-2 b/‎cmd/controller-manager/app/options/options.go
+2-2
diff --git a/‎contrib/hack/start-server.sh
+2-2 b/‎contrib/hack/start-server.sh
+2-2
diff --git a/‎contrib/jenkins/init_cluster.sh
+8-9 b/‎contrib/jenkins/init_cluster.sh
+8-9
@@ -8,6 +8,7 @@ cache:
 script:
 - make verify build test images
 deploy:
+  skip_cleanup: true
   provider: script
   script: contrib/travis/deploy.sh
   on:
 
@@ -66,11 +66,13 @@ def test_zone    = params.TEST_ZONE ?: 'us-west1-b'
 def namespace    = 'catalog'
 def root_path    = 'src/github.com/kubernetes-incubator/service-catalog'
 def timeoutMin   = 30
+def certFolder   = '/tmp/sc-certs'
 
 node {
   echo "Service Catalog end-to-end test"
 
   sh "sudo rm -rf ${env.WORKSPACE}/*"
+  sh "rm -rf ${certFolder} && mkdir ${certFolder}"
 
   updatePullRequest('run')
 
@@ -120,6 +122,7 @@ node {
               --create-artifacts
         """
 
+	/*
         ansiColor('xterm-darker-gray') {
           // Run the e2e test framework
           sh """${env.ROOT}/contrib/jenkins/run_e2e.sh \
@@ -129,6 +132,7 @@ node {
                 --create-artifacts
           """
         }
+	*/
 
         echo 'Run succeeded.'
       }
@@ -137,8 +141,9 @@ node {
       currentBuild.result = 'FAILURE'
     } finally {
       archiveArtifacts artifacts: 'walkthrough*.txt', fingerprint: true
-      archiveArtifacts artifacts: 'e2e*.txt', fingerprint: true
+      // archiveArtifacts artifacts: 'e2e*.txt', fingerprint: true
       try {
+        sh "rm -rf ${certFolder}"
         sh """${env.ROOT}/contrib/jenkins/cleanup_cluster.sh --kubeconfig ${KUBECONFIG}"""
       } catch (Exception e) {
         echo 'Exception caught during cleanup.'
 
@@ -86,8 +86,8 @@ USER_BROKER_IMAGE                 = $(REGISTRY)user-broker-$(ARCH):$(VERSION)
 USER_BROKER_MUTABLE_IMAGE         = $(REGISTRY)user-broker-$(ARCH):$(MUTABLE_TAG)
 
 # precheck to avoid kubernetes-incubator/service-catalog#361
-$(if $(realpath vendor/k8s.io/kubernetes/vendor), \
-	$(error the vendor directory exists in the kubernetes \
+$(if $(realpath vendor/k8s.io/apimachinery/vendor), \
+	$(error the vendor directory exists in the apimachinery \
 		vendored source and must be flattened. \
 		run 'glide i -v'))
 
@@ -188,6 +188,7 @@ $(BINDIR)/e2e.test: .init $(NEWEST_E2ETEST_SOURCE) $(NEWEST_GO_FILE)
 	# Generate conversions
 	$(DOCKER_CMD) $(BINDIR)/conversion-gen \
 		--v 1 --logtostderr \
+		--extra-peer-dirs k8s.io/api/core/v1,k8s.io/apimachinery/pkg/apis/meta/v1,k8s.io/apimachinery/pkg/conversion,k8s.io/apimachinery/pkg/runtime \
 		--go-header-file "vendor/github.com/kubernetes/repo-infra/verify/boilerplate/boilerplate.go.txt" \
 		--input-dirs "$(SC_PKG)/pkg/apis/servicecatalog" \
 		--input-dirs "$(SC_PKG)/pkg/apis/servicecatalog/v1beta1" \
@@ -228,6 +229,7 @@ verify: .init .generate_files verify-client-gen
 	@# observes conventions from upstream that will not pass lint checks).
 	@$(DOCKER_CMD) sh -c \
 	  'for i in $$(find $(TOP_SRC_DIRS) -name *.go \
+	    | grep -v ^pkg/kubernetes/ \
 	    | grep -v generated \
 	    | grep -v ^pkg/client/ \
 	    | grep -v v1beta1/defaults.go); \
 
@@ -32,7 +32,7 @@ _somewhere_ in a simple way:
     cluster as the consumer or a different cluster, or even creating a new
     tenant in a multi-tenant SaaS system.  The point is that the
     consumer doesn't have to be aware of or care at all about the details.
-3.  The user requests a _credential_ to use the service instance in their application
+3.  The user requests a _binding_ to use the service instance in their application
 
     Credentials are delivered to users in normal Kubernetes secrets and
     contain information necessary to connect to and authenticate to the
@@ -59,13 +59,6 @@ Kubernetes 1.8. See the
 [milestones list](https://github.com/kubernetes-incubator/service-catalog/milestones?direction=desc&sort=due_date&state=open) 
 for information about the issues and PRs in current and future milestones.
 
-**NOTE**: Some fields in our API may still be considered **ALPHA** after the
-API graduates to **BETA**.  These fields are prefixed with `alpha` in
-JSON/YAML.  Alpha fields are provided for use at your own risk, may not work
-correctly, may be subject to change or removal at any time, and will not have
-data migration provided for them when they graduate past alpha.  When an alpha
-field graduates past alpha, the `alpha` prefix will be removed.
-
 The project [roadmap](https://github.com/kubernetes-incubator/service-catalog/wiki/Roadmap)
 contains information about our high-level goals for future milestones.
 
 
@@ -24,8 +24,8 @@ RUN curl -sSL https://github.com/Masterminds/glide/releases/download/$GLIDE_VERS
     | tar -vxz -C /usr/local/bin --strip=1
 
 # Install etcd
-RUN curl -sSL https://github.com/coreos/etcd/releases/download/v3.1.0/etcd-v3.1.0-linux-amd64.tar.gz \
-    | tar -vxz -C /usr/local/bin --strip=1 etcd-v3.1.0-linux-amd64/etcd
+RUN curl -sSL https://github.com/coreos/etcd/releases/download/v3.1.10/etcd-v3.1.10-linux-amd64.tar.gz \
+    | tar -vxz -C /usr/local/bin --strip=1 etcd-v3.1.10-linux-amd64/etcd
 
 # Install the golint, use this to check our source for niceness
 RUN go get -u github.com/golang/lint/golint
 
@@ -33,7 +33,7 @@ fi
 
 # Gather the list of files that appear to be shell scripts.
 # Meaning they have some form of "#!...sh" as a line in them.
-shFiles=$(grep -rl '^#!.*sh$' $args)
+shFiles=$(grep -rl '^#!.*sh$' $args | grep -v ^pkg/kubernetes/)
 
 tmp=/tmp/out$RANDOM
 for file in ${shFiles}; do
 
@@ -40,7 +40,7 @@ chart and their default values.
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
-| `apiserver.image` | apiserver image to use | `quay.io/kubernetes-service-catalog/apiserver:v0.1.0-rc1` |
+| `apiserver.image` | apiserver image to use | `quay.io/kubernetes-service-catalog/apiserver:v0.1.0-rc2` |
 | `apiserver.imagePullPolicy` | `imagePullPolicy` for the apiserver | `Always` |
 | `apiserver.tls.cert` | Base64-encoded x509 certificate | A self-signed certificate |
 | `apiserver.tls.key` | Base64-encoded private key | The private key for the certificate above |
@@ -53,12 +53,13 @@ chart and their default values.
 | `apiserver.storage.etcd.servers` | If storage type is `etcd`: etcd URL(s); override this if NOT using embedded etcd | `http://localhost:2379` |
 | `apiserver.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
 | `apiserver.auth.enabled` | Enable authentication and authorization | `false` |
-| `controllerManager.image` | controller-manager image to use | `quay.io/kubernetes-service-catalog/controller-manager:v0.1.0-rc1` |
+| `controllerManager.image` | controller-manager image to use | `quay.io/kubernetes-service-catalog/controller-manager:v0.1.0-rc2` |
 | `controllerManager.imagePullPolicy` | `imagePullPolicy` for the controller-manager | `Always` |
 | `controllerManager.verbosity` | Log level; valid values are in the range 0 - 10 | `10` |
 | `controllerManager.resyncInterval` | How often the controller should resync informers; duration format (`20m`, `1h`, etc) | `5m` |
 | `controllerManager.brokerRelistInterval` | How often the controller should relist the catalogs of ready brokers; duration format (`20m`, `1h`, etc) | `24h` |
 | `useAggregator` | whether or not to set up the controller-manager to go through the main Kubernetes API server's API aggregator (requires setting `apiserver.tls.ca` to work) | `false` |
+| `rbacEnable` | If true, create & use RBAC resources | `true` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to
 `helm install`.
 
@@ -7,3 +7,15 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- define "fullname" -}}
 {{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Conditionally print out rbac api verison.
+This will select v1 before v1beta1 if both are available.
+*/}}
+{{- define "rbacApiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
+rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}
+rbac.authorization.k8s.io/v1beta1
+{{- end -}}
+{{- end -}}
@@ -1,13 +1,13 @@
-{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+{{- if .Values.rbacEnable }}
 apiVersion: v1
 kind: List
 items:
 
 ### API Server ###
-  
+
 # TODO: if this is just for namespace lifecycle admission, move to a generic role
 # the role for the apiserver 
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
   kind: ClusterRole
   metadata:
     name: "servicecatalog.k8s.io:apiserver"
@@ -18,7 +18,7 @@ items:
     resources: ["namespaces"]
     verbs:     ["get", "list", "watch"]
 # API-server service-account gets its own role
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
   kind: ClusterRoleBinding
   metadata:
     name: "servicecatalog.k8s.io:apiserver"
@@ -33,7 +33,7 @@ items:
     namespace: "{{ .Release.Namespace }}"
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
   kind: ClusterRoleBinding
   metadata:
     name: "servicecatalog.k8s.io:apiserver-auth-delegator"
@@ -49,7 +49,7 @@ items:
 # apiserver gets the ability to read authentication. This allows it to
 # read the specific configmap that has the requestheader-* entries to
 # enable api aggregation
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
   kind: RoleBinding
   metadata:
     name: "servicecatalog.k8s.io:apiserver-authentication-reader"
@@ -69,7 +69,7 @@ items:
 # controller-manager role defines what access the service-catalog
 # controller-manager needs to manage the resources of the
 # service-catalog
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
   kind: ClusterRole
   metadata:
     name: "servicecatalog.k8s.io:controller-manager"
@@ -98,7 +98,7 @@ items:
     resources: ["clusterservicebrokers/status","serviceinstances/status","serviceinstances/reference","servicebindings/status"]
     verbs:     ["update"]
 # give the controller-manager service account access to whats defined in its role.
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
   kind: ClusterRoleBinding
   metadata:
     name: "servicecatalog.k8s.io:controller-manager"
@@ -114,7 +114,7 @@ items:
 
 # This gives create/update access to an endpoint in kube-system for leader election
 # TODO: use an object other than endpoints, and in the same namespace as the service catalog, not in kube-system
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
   kind: Role
   metadata:
     name: "servicecatalog.k8s.io:leader-locking-controller-manager"
@@ -127,7 +127,7 @@ items:
     resources:     ["endpoints"]
     resourceNames: ["service-catalog-controller-manager"]
     verbs:         ["get","update"]
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
   kind: RoleBinding
   metadata:
     name: service-catalog-controller-manager
@@ -141,4 +141,4 @@ items:
     kind: ServiceAccount
     name: "{{ .Values.controllerManager.serviceAccount }}"
     namespace: "{{ .Release.Namespace }}"
-{{ end }}
+{{end}}
@@ -1,9 +1,12 @@
 # Default values for Service Catalog
 # determines whether the API server should be registered with the kube-aggregator
 useAggregator: false
+## If true, create & use RBAC resources
+##
+rbacEnable: true
 apiserver:
   # apiserver image to use
-  image: quay.io/kubernetes-service-catalog/apiserver:v0.1.0-rc1
+  image: quay.io/kubernetes-service-catalog/apiserver:v0.1.0-rc2
   # imagePullPolicy for the apiserver; valid values are "IfNotPresent",
   # "Never", and "Always"
   imagePullPolicy: Always
@@ -68,7 +71,7 @@ apiserver:
   serviceAccount: service-catalog-apiserver
 controllerManager:
   # controller-manager image to use
-  image: quay.io/kubernetes-service-catalog/controller-manager:v0.1.0-rc1
+  image: quay.io/kubernetes-service-catalog/controller-manager:v0.1.0-rc2
   # imagePullPolicy for the controller-manager; valid values are
   # "IfNotPresent", "Never", and "Always"
   imagePullPolicy: Always
 
@@ -34,7 +34,7 @@ Service Broker
 
 | Parameter | Description | Default |
 |-----------|-------------|---------|
-| `image` | Image to use | `quay.io/kubernetes-service-catalog/user-broker:v0.1.0-rc1` |
+| `image` | Image to use | `quay.io/kubernetes-service-catalog/user-broker:v0.1.0-rc2` |
 | `imagePullPolicy` | `imagePullPolicy` for the ups-broker | `Always` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to
 
@@ -1,6 +1,6 @@
 # Default values for User-Provided Service Broker
 # Image to use
-image: quay.io/kubernetes-service-catalog/user-broker:v0.1.0-rc1
+image: quay.io/kubernetes-service-catalog/user-broker:v0.1.0-rc2
 # ImagePullPolicy; valid values are "IfNotPresent", "Never", and "Always"
 imagePullPolicy: Always
 # Certificate details to use for TLS. Leave blank to not use TLS
 
@@ -23,6 +23,7 @@ import (
 
 	"github.com/golang/glog"
 	"github.com/kubernetes-incubator/service-catalog/pkg"
+	"github.com/kubernetes-incubator/service-catalog/pkg/kubernetes/pkg/util/interrupt"
 	"github.com/kubernetes-incubator/service-catalog/pkg/registry/servicecatalog/server"
 	"github.com/kubernetes-incubator/service-catalog/plugin/pkg/admission/broker/authsarcheck"
 	"github.com/kubernetes-incubator/service-catalog/plugin/pkg/admission/namespace/lifecycle"
@@ -32,7 +33,6 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/apiserver/pkg/admission"
 	genericserveroptions "k8s.io/apiserver/pkg/server/options"
-	"k8s.io/kubernetes/pkg/util/interrupt"
 )
 
 const (
 
@@ -37,13 +37,13 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/client-go/tools/record"
 
+	"github.com/kubernetes-incubator/service-catalog/pkg/kubernetes/pkg/util/configz"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/client-go/tools/leaderelection"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
-	"k8s.io/kubernetes/pkg/util/configz"
 
 	// The API groups for our API must be installed before we can use the
 	// client to work with them.  This needs to be done once per process; this
 
@@ -27,9 +27,9 @@ import (
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 
 	"github.com/kubernetes-incubator/service-catalog/pkg/apis/componentconfig"
+	k8scomponentconfig "github.com/kubernetes-incubator/service-catalog/pkg/kubernetes/pkg/apis/componentconfig"
+	"github.com/kubernetes-incubator/service-catalog/pkg/kubernetes/pkg/client/leaderelectionconfig"
 	osb "github.com/pmorie/go-open-service-broker-client/v2"
-	k8scomponentconfig "k8s.io/kubernetes/pkg/apis/componentconfig"
-	"k8s.io/kubernetes/pkg/client/leaderelectionconfig"
 )
 
 // ControllerManagerServer is the main context object for the controller
 
@@ -52,12 +52,12 @@ count=0
 D_HOST=${DOCKER_HOST:-localhost}
 D_HOST=${D_HOST#*//}   # remove leading proto://
 D_HOST=${D_HOST%:*}    # remove trailing port #
-while ! curl --cacert ${ROOT}/.var/run/kubernetes-service-catalog/apiserver.crt https://${D_HOST}:${PORT} > /dev/null 2>&1 ; do
+while ! wget --ca-certificate ${ROOT}/.var/run/kubernetes-service-catalog/apiserver.crt https://${D_HOST}:${PORT} > /dev/null 2>&1 ; do
 	sleep 1
 	(( count++ )) || true
 	if [ "${count}" == "30" ]; then
 		echo "Timed-out waiting for API Server"
-		(set -x ; curl --cacert ${ROOT}/.var/run/kubernetes-service-catalog/apiserver.crt https://${D_HOST}:${PORT})
+		(set -x ; wget --ca-certificate ${ROOT}/.var/run/kubernetes-service-catalog/apiserver.crt https://${D_HOST}:${PORT})
 		(set -x ; docker ps)
 		(set -x ; docker logs apiserver)
 		exit 1
 
@@ -48,34 +48,33 @@ gcloud auth activate-service-account \
 
 echo "Creating cluster ${CLUSTERNAME}"
 
-# Use the latest 1.6.X version that GKE offers.
+# Use the latest 1.7.X version that GKE offers.
 CLUSTER_VERSION="$(gcloud container get-server-config --zone "${ZONE}" \
   | awk '
     BEGIN {p=0};
     /validMasterVersions:/ {p=1; next};
     /validNodeVersions:/ {exit};
-    p && /1.6/ {print $2; exit}
+    p && /1.7/ {print $2; exit}
   ')"
 
 [[ -n "${CLUSTER_VERSION}" ]] \
-  || { echo 'Could not find valid 1.6.X cluster version on Google Container Engine.'; exit 1; }
+  || { echo 'Could not find valid 1.7.X cluster version on Google Container Engine.'; exit 1; }
 
 echo "Using cluster version ${CLUSTER_VERSION}"
 
 gcloud container clusters create "${CLUSTERNAME}" --project="${PROJECT}" --zone="${ZONE}" \
-  --cluster-version "${CLUSTER_VERSION}" \
+  --cluster-version "${CLUSTER_VERSION}" --no-enable-legacy-authorization \
   || { echo 'Cannot create cluster.'; exit 1; }
 
 echo "Using cluster ${CLUSTERNAME}."
 
 gcloud container clusters get-credentials "${CLUSTERNAME}" --project="${PROJECT}" --zone="${ZONE}" \
   || { echo 'Cannot get credentials for cluster.'; exit 1; }
 
-# On GKE you need to give your user proper permissions in order to create new
-# cluster roles. Needed for RBAC setup.
-ACCOUNT_NAME="$(gcloud info | grep Account | sed 's/.*\[\(.*\)\]/\1/')"
-kubectl create clusterrolebinding jenkins-cluster-admin-binding \
-    --clusterrole=cluster-admin --user="${ACCOUNT_NAME}" \
+# Need to give tiller proper permissions in order to create RBAC roles.
+kubectl create clusterrolebinding tiller-cluster-admin \
+  --clusterrole=cluster-admin \
+  --serviceaccount=kube-system:default \
   || { echo 'Cannot not create cluster-admin role for service account.'; exit 1; }
 
 helm init \