Allow objects to request resolution, not just images

A lot of times, you want to be able to reuse a bit of config that works
fine elsewhere. By adding the `alpha.image.policy.openshift.io/resolve-names`
annotation with value `*` to the object you can request that resolution
attempt to match all image references to an image stream tag in the
current namespace, regardless of their own policy. This makes it easy to
transition to looking up image stream tags by name.

Extend `oc set image-lookup` to accept `deploy/foo` and to be able to
list and display non image stream resources.

Author: smarterclayton

pkg/api/meta/meta.go

@@ -3,6 +3,7 @@ package meta
 import (
 	"fmt"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	kapi "k8s.io/kubernetes/pkg/api"
@@ -42,3 +43,56 @@ func GetImageReferenceMutator(obj runtime.Object) (ImageReferenceMutator, error)
 		return nil, errNoImageMutator
 	}
 }
+
+type AnnotationAccessor interface {
+	// Annotations returns a map representing annotations. Not mutable.
+	Annotations() map[string]string
+	// SetAnnotations sets representing annotations onto the object.
+	SetAnnotations(map[string]string)
+	// TemplateAnnotations returns a map representing annotations on a nested template in the object. Not mutable.
+	// If no template is present bool will be false.
+	TemplateAnnotations() (map[string]string, bool)
+	// SetTemplateAnnotations sets annotations on a nested template in the object.
+	// If no template is present bool will be false.
+	SetTemplateAnnotations(map[string]string) bool
+}
+
+type annotationsAccessor struct {
+	object   metav1.Object
+	template metav1.Object
+}
+
+func (a annotationsAccessor) Annotations() map[string]string {
+	return a.object.GetAnnotations()
+}
+
+func (a annotationsAccessor) TemplateAnnotations() (map[string]string, bool) {
+	if a.template == nil {
+		return nil, false
+	}
+	return a.template.GetAnnotations(), true
+}
+
+func (a annotationsAccessor) SetAnnotations(annotations map[string]string) {
+	a.object.SetAnnotations(annotations)
+}
+
+func (a annotationsAccessor) SetTemplateAnnotations(annotations map[string]string) bool {
+	if a.template == nil {
+		return false
+	}
+	a.template.SetAnnotations(annotations)
+	return true
+}
+
+// GetAnnotationAccessor returns an accessor for the provided object or false if the object
+// does not support accessing annotations.
+func GetAnnotationAccessor(obj runtime.Object) (AnnotationAccessor, bool) {
+	switch t := obj.(type) {
+	case metav1.Object:
+		templateObject, _ := GetTemplateMetaObject(obj)
+		return annotationsAccessor{object: t, template: templateObject}, true
+	default:
+		return nil, false
+	}
+}

pkg/api/meta/pods.go

@@ -3,6 +3,7 @@ package meta
 import (
 	"fmt"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -158,6 +159,68 @@ func GetPodSpecV1(obj runtime.Object) (*kapiv1.PodSpec, *field.Path, error) {
 	return nil, nil, errNoPodSpec
 }
 
+// GetTemplateMetaObject returns a mutable metav1.Object interface for the template
+// the object contains, or false if no such object is available.
+func GetTemplateMetaObject(obj runtime.Object) (metav1.Object, bool) {
+	switch r := obj.(type) {
+	case *kapiv1.PodTemplate:
+		return &r.Template.ObjectMeta, true
+	case *kapiv1.ReplicationController:
+		return &r.Spec.Template.ObjectMeta, true
+	case *extensionsv1beta1.DaemonSet:
+		return &r.Spec.Template.ObjectMeta, true
+	case *extensionsv1beta1.Deployment:
+		return &r.Spec.Template.ObjectMeta, true
+	case *extensionsv1beta1.ReplicaSet:
+		return &r.Spec.Template.ObjectMeta, true
+	case *batchv1.Job:
+		return &r.Spec.Template.ObjectMeta, true
+	case *batchv2alpha1.CronJob:
+		return &r.Spec.JobTemplate.Spec.Template.ObjectMeta, true
+	case *batchv2alpha1.JobTemplate:
+		return &r.Template.Spec.Template.ObjectMeta, true
+	case *appsv1beta1.StatefulSet:
+		return &r.Spec.Template.ObjectMeta, true
+	case *appsv1beta1.Deployment:
+		return &r.Spec.Template.ObjectMeta, true
+	case *securityapiv1.PodSecurityPolicySubjectReview:
+		return &r.Spec.Template.ObjectMeta, true
+	case *securityapiv1.PodSecurityPolicySelfSubjectReview:
+		return &r.Spec.Template.ObjectMeta, true
+	case *securityapiv1.PodSecurityPolicyReview:
+		return &r.Spec.Template.ObjectMeta, true
+	case *deployapiv1.DeploymentConfig:
+		return &r.Spec.Template.ObjectMeta, true
+	case *kapi.PodTemplate:
+		return &r.Template.ObjectMeta, true
+	case *kapi.ReplicationController:
+		return &r.Spec.Template.ObjectMeta, true
+	case *extensions.DaemonSet:
+		return &r.Spec.Template.ObjectMeta, true
+	case *extensions.Deployment:
+		return &r.Spec.Template.ObjectMeta, true
+	case *extensions.ReplicaSet:
+		return &r.Spec.Template.ObjectMeta, true
+	case *batch.Job:
+		return &r.Spec.Template.ObjectMeta, true
+	case *batch.CronJob:
+		return &r.Spec.JobTemplate.Spec.Template.ObjectMeta, true
+	case *batch.JobTemplate:
+		return &r.Template.Spec.Template.ObjectMeta, true
+	case *apps.StatefulSet:
+		return &r.Spec.Template.ObjectMeta, true
+	case *securityapi.PodSecurityPolicySubjectReview:
+		return &r.Spec.Template.ObjectMeta, true
+	case *securityapi.PodSecurityPolicySelfSubjectReview:
+		return &r.Spec.Template.ObjectMeta, true
+	case *securityapi.PodSecurityPolicyReview:
+		return &r.Spec.Template.ObjectMeta, true
+	case *deployapi.DeploymentConfig:
+		return &r.Spec.Template.ObjectMeta, true
+	}
+	return nil, false
+}
+
 type containerMutator struct {
 	*kapi.Container
 }

pkg/cmd/cli/cmd/set/imagelookup.go

@@ -16,6 +16,7 @@ import (
 	kcmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
 	"k8s.io/kubernetes/pkg/kubectl/resource"
 
+	ometa "github.com/openshift/origin/pkg/api/meta"
 	"github.com/openshift/origin/pkg/cmd/templates"
 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"
 	imageapi "github.com/openshift/origin/pkg/image/api"
@@ -41,7 +42,20 @@ var (
 
 		will import the latest MySQL image from the DockerHub, set that image stream to handle the
 		"mysql" name within the project, and then launch a deployment that points to the image we
-		imported.`)
+		imported.
+		
+		You may also force image lookup for all of the images on a resource with this command. An
+		annotation is placed on the object which forces an image stream tag lookup in the current
+		namespace for any image that matches, regardless of whether the image stream has lookup
+		enabled.
+
+		    $ %[1]s run mysql --image=myregistry:5000/test/mysql:v1
+				$ %[1]s tag --source=docker myregistry:5000/test/mysql:v1 mysql:v1
+				$ %[1]s image-lookup deploy/mysql
+
+		Which should trigger a deployment pointing to the imported mysql:v1 tag.
+
+		Experimental: This feature is under active development and may change without notice.`)
 
 	imageLookupExample = templates.Examples(`
 		# Print all of the image streams and whether they resolve local names
@@ -50,13 +64,21 @@ var (
 		# Use local name lookup on image stream mysql
 		%[1]s image-lookup mysql
 
+		# Force a deployment to use local name lookup
+		%[1]s image-lookup deploy/mysql
+
+		# Show the current status of the deployment lookup
+		%[1]s image-lookup deploy/mysql
+
 		# Disable local name lookup on image stream mysql
 		%[1]s image-lookup mysql --enabled=false
 
 		# Set local name lookup on all image streams
 		%[1]s image-lookup --all`)
 )
 
+const alphaResolveNamesAnnotation = "alpha.image.policy.openshift.io/resolve-names"
+
 type ImageLookupOptions struct {
 	Out io.Writer
 	Err io.Writer
@@ -77,6 +99,7 @@ type ImageLookupOptions struct {
 	PrintTable  bool
 	PrintObject func(runtime.Object) error
 
+	List  bool
 	Local bool
 
 	Enabled bool
@@ -91,7 +114,7 @@ func NewCmdImageLookup(fullName string, f *clientcmd.Factory, out, errOut io.Wri
 	}
 	cmd := &cobra.Command{
 		Use:     "image-lookup STREAMNAME [...]",
-		Short:   "Use an image stream when short image names are provided",
+		Short:   "Change how images are resolved when deploying applications",
 		Long:    fmt.Sprintf(imageLookupLong, fullName),
 		Example: fmt.Sprintf(imageLookupExample, fullName),
 		Run: func(cmd *cobra.Command, args []string) {
@@ -102,11 +125,12 @@ func NewCmdImageLookup(fullName string, f *clientcmd.Factory, out, errOut io.Wri
 	}
 
 	kcmdutil.AddPrinterFlags(cmd)
-	cmd.Flags().StringVarP(&options.Selector, "selector", "l", options.Selector, "Selector (label query) to filter on")
-	cmd.Flags().BoolVar(&options.All, "all", options.All, "If true, select all resources in the namespace of the specified resource types")
+	cmd.Flags().StringVarP(&options.Selector, "selector", "l", options.Selector, "Selector (label query) to filter on.")
+	cmd.Flags().BoolVar(&options.All, "all", options.All, "If true, select all resources in the namespace of the specified resource types.")
 	cmd.Flags().StringSliceVarP(&options.Filenames, "filename", "f", options.Filenames, "Filename, directory, or URL to file to use to edit the resource.")
 
-	cmd.Flags().BoolVar(&options.Enabled, "enabled", options.Enabled, "Mark the image stream as resolving tagged images in this namespace")
+	cmd.Flags().BoolVar(&options.List, "list", false, "Display the current states of the requested resources.")
+	cmd.Flags().BoolVar(&options.Enabled, "enabled", options.Enabled, "Mark the image stream as resolving tagged images in this namespace.")
 
 	cmd.Flags().BoolVar(&options.Local, "local", false, "If true, operations will be performed locally.")
 	kcmdutil.AddDryRunFlag(cmd)
@@ -137,7 +161,7 @@ func (o *ImageLookupOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command,
 		}
 	}
 
-	o.PrintTable = len(args) == 0 && !o.All
+	o.PrintTable = (len(args) == 0 && !o.All) || o.List
 
 	mapper, typer := f.Object()
 	o.Builder = resource.NewBuilder(mapper, typer, resource.ClientMapperFunc(f.ClientForMapping), kapi.Codecs.UniversalDecoder()).
@@ -157,6 +181,11 @@ func (o *ImageLookupOptions) Complete(f *clientcmd.Factory, cmd *cobra.Command,
 			SelectorParam(o.Selector).
 			SelectAllParam(true).
 			ResourceTypes("imagestreams")
+	case o.List:
+		o.Builder = o.Builder.
+			SelectorParam(o.Selector).
+			SelectAllParam(o.All).
+			ResourceTypeOrNameArgs(true, args...)
 	default:
 		o.Builder = o.Builder.
 			SelectorParam(o.Selector).
@@ -198,11 +227,43 @@ func (o *ImageLookupOptions) Run() error {
 	}
 
 	patches := CalculatePatches(infos, o.Encoder, func(info *resource.Info) (bool, error) {
-		info.Object.(*imageapi.ImageStream).Spec.LookupPolicy.Local = o.Enabled
-		return true, nil
+		switch t := info.Object.(type) {
+		case *imageapi.ImageStream:
+			t.Spec.LookupPolicy.Local = o.Enabled
+			return true, nil
+		default:
+			accessor, ok := ometa.GetAnnotationAccessor(info.Object)
+			if !ok {
+				return true, fmt.Errorf("the resource %s/%s does not support altering image lookup", info.Mapping.Resource, info.Name)
+			}
+			templateAnnotations, ok := accessor.TemplateAnnotations()
+			if ok {
+				if o.Enabled {
+					if templateAnnotations == nil {
+						templateAnnotations = make(map[string]string)
+					}
+					templateAnnotations[alphaResolveNamesAnnotation] = "*"
+				} else {
+					delete(templateAnnotations, alphaResolveNamesAnnotation)
+				}
+				accessor.SetTemplateAnnotations(templateAnnotations)
+				return true, nil
+			}
+			annotations := accessor.Annotations()
+			if o.Enabled {
+				if annotations == nil {
+					annotations = make(map[string]string)
+				}
+				annotations[alphaResolveNamesAnnotation] = "*"
+			} else {
+				delete(annotations, alphaResolveNamesAnnotation)
+			}
+			accessor.SetAnnotations(annotations)
+			return true, nil
+		}
 	})
 	if singleItemImplied && len(patches) == 0 {
-		return fmt.Errorf("%s no changes", infos[0].Name)
+		return fmt.Errorf("%s/%s no changes", infos[0].Mapping.Resource, infos[0].Name)
 	}
 	if o.PrintObject != nil {
 		object, err := resource.AsVersionedObject(infos, !singleItemImplied, o.OutputVersion, kapi.Codecs.LegacyCodec(o.OutputVersion))
@@ -250,7 +311,24 @@ func (o *ImageLookupOptions) printImageLookup(infos []*resource.Info) error {
 	defer w.Flush()
 	fmt.Fprintf(w, "NAME\tLOCAL\n")
 	for _, info := range infos {
-		fmt.Fprintf(w, "%s\t%t\n", info.Name, info.Object.(*imageapi.ImageStream).Spec.LookupPolicy.Local)
+		switch t := info.Object.(type) {
+		case *imageapi.ImageStream:
+			fmt.Fprintf(w, "%s\t%t\n", info.Name, t.Spec.LookupPolicy.Local)
+		default:
+			accessor, ok := ometa.GetAnnotationAccessor(info.Object)
+			if !ok {
+				fmt.Fprintf(w, "%s/%s\tUNKNOWN\n", info.Mapping.Resource, info.Name)
+				break
+			}
+			var enabled bool
+			if a, ok := accessor.TemplateAnnotations(); ok {
+				enabled = a[alphaResolveNamesAnnotation] == "*"
+			}
+			if !enabled {
+				enabled = accessor.Annotations()[alphaResolveNamesAnnotation] == "*"
+			}
+			fmt.Fprintf(w, "%s/%s\t%t\n", info.Mapping.Resource, info.Name, enabled)
+		}
 	}
 	return nil
 }

pkg/image/admission/imagepolicy/accept.go

@@ -12,6 +12,7 @@ import (
 	kapi "k8s.io/kubernetes/pkg/api"
 
 	"github.com/openshift/origin/pkg/api/meta"
+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
 	"github.com/openshift/origin/pkg/image/admission/imagepolicy/rules"
 	imageapi "github.com/openshift/origin/pkg/image/api"
 )
@@ -26,18 +27,28 @@ type policyDecision struct {
 	err    error
 }
 
-func accept(accepter rules.Accepter, policy imageResolutionPolicy, resolver imageResolver, m meta.ImageReferenceMutator, attr admission.Attributes, excludedRules sets.String) error {
+func accept(accepter rules.Accepter, policy imageResolutionPolicy, resolver imageResolver, m meta.ImageReferenceMutator, annotations meta.AnnotationAccessor, attr admission.Attributes, excludedRules sets.String) error {
 	decisions := policyDecisions{}
 
 	gr := attr.GetResource().GroupResource()
 
+	var resolveAllNames bool
+	if annotations != nil {
+		if a, ok := annotations.TemplateAnnotations(); ok {
+			resolveAllNames = a[api.ResolveNamesAnnotation] == "*"
+		}
+		if !resolveAllNames {
+			resolveAllNames = annotations.Annotations()[api.ResolveNamesAnnotation] == "*"
+		}
+	}
+
 	errs := m.Mutate(func(ref *kapi.ObjectReference) error {
 		// create the attribute set for this particular reference, if we have never seen the reference
 		// before
 		decision, ok := decisions[*ref]
 		if !ok {
 			if policy.RequestsResolution(gr) {
-				resolvedAttrs, err := resolver.ResolveObjectReference(ref, attr.GetNamespace())
+				resolvedAttrs, err := resolver.ResolveObjectReference(ref, attr.GetNamespace(), resolveAllNames)
 
 				switch {
 				case err != nil && policy.FailOnResolutionFailure(gr):

pkg/image/admission/imagepolicy/api/types.go

@@ -6,9 +6,16 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-// IgnorePolicyRulesAnnotation is a comma delimited list of rule names to omit from consideration
-// in a given namespace. Loaded from the namespace.
-const IgnorePolicyRulesAnnotation = "alpha.image.policy.openshift.io/ignore-rules"
+const (
+	// IgnorePolicyRulesAnnotation is a comma delimited list of rule names to omit from consideration
+	// in a given namespace. Loaded from the namespace.
+	IgnorePolicyRulesAnnotation = "alpha.image.policy.openshift.io/ignore-rules"
+	// ResolveNamesAnnotation when placed on an object template or object requests that all relevant
+	// image names be resolved by taking the name and tag and attempting to resolve a local image stream.
+	// This overrides the imageLookupPolicy on the image stream. If the object is not namespaced the
+	// annotation is ignored. The only valid value is '*'.
+	ResolveNamesAnnotation = "alpha.image.policy.openshift.io/resolve-names"
+)
 
 // ImagePolicyConfig is the configuration for controlling how images are used in the cluster.
 type ImagePolicyConfig struct {