From a0c02c3f3becf271952fe9aef182a5991fd099e7 Mon Sep 17 00:00:00 2001 From: "Krishnakumar R(KK)" <29471693+kkmsft@users.noreply.github.com> Date: Mon, 16 Mar 2020 03:13:09 -0700 Subject: [PATCH 1/7] Client-go update and type upgrade --- cmd/mic/main.go | 31 +++++- deploy/demo/aadpodidentity.yaml | 4 +- deploy/demo/aadpodidentitybinding.yaml | 4 +- deploy/infra/deployment-rbac.yaml | 13 ++- go.mod | 26 ++--- go.sum | 145 +++++++++++++++++------- pkg/apis/aadpodidentity/v1/types.go | 24 ++-- pkg/crd/crd.go | 78 ++++++++++++- pkg/k8s/client_test.go | 2 +- pkg/mic/mic.go | 146 +++++++++++++++++++++---- pkg/mic/mic_test.go | 4 + 11 files changed, 379 insertions(+), 98 deletions(-) diff --git a/cmd/mic/main.go b/cmd/mic/main.go index a9898d4f5..70ac40dd7 100644 --- a/cmd/mic/main.go +++ b/cmd/mic/main.go @@ -31,9 +31,12 @@ var ( clientQPS float64 prometheusPort string immutableUserMSIs string + cmConfig mic.CMConfig + typeUpgradeConfig mic.TypeUpgradeConfig ) func main() { + klog.InitFlags(nil) defer klog.Flush() hostName, err := os.Hostname() if err != nil { 
@@ -72,7 +75,20 @@ func main() { //Identities that should be never removed from Azure AD (used defined managed identities) flag.StringVar(&immutableUserMSIs, "immutable-user-msis", "", "prevent deletion of these IDs from the underlying VM/VMSS") + // Config map for aad-pod-identity + flag.StringVar(&cmConfig.Name, "cmName", "aad-pod-identity-cm", "Configmap name") + // Config map details for the type changes in the context of client-go upgrade. + flag.StringVar(&typeUpgradeConfig.CMTypeUpgradeKey, "typeUpgradeCMKey", "type-upgrade-status", "Configmap key for type upgrade status") + flag.BoolVar(&typeUpgradeConfig.EnableTypeUpgrade, "enableTypeUpgrade", true, "Enable type upgrade") + flag.Parse() + + podns := os.Getenv("MIC_POD_NAMESPACE") + if podns == "" { + klog.Fatalf("namespace not specified. Please add meta.namespace as env variable MIC_POD_NAMESPACE") + } + cmConfig.Namespace = podns + if versionInfo { version.PrintVersionAndExit() } @@ -113,7 +129,20 @@ func main() { immutableUserMSIsList = strings.Split(immutableUserMSIs, ",") } - micClient, err := mic.NewMICClient(cloudconfig, config, forceNamespaced, syncRetryDuration, &leaderElectionCfg, enableScaleFeatures, createDeleteBatch, immutableUserMSIsList) + micConfig := &mic.Config{ + CloudCfgPath: cloudconfig, + RestConfig: config, + IsNamespaced: forceNamespaced, + SyncRetryInterval: syncRetryDuration, + LeaderElectionCfg: &leaderElectionCfg, + EnableScaleFeatures: enableScaleFeatures, + CreateDeleteBatch: createDeleteBatch, + ImmutableUserMSIsList: immutableUserMSIsList, + CMcfg: &cmConfig, + TypeUpgradeCfg: &typeUpgradeConfig, + } + + micClient, err := mic.NewMICClient(micConfig) if err != nil { klog.Fatalf("Could not get the MIC client: %+v", err) } diff --git a/deploy/demo/aadpodidentity.yaml b/deploy/demo/aadpodidentity.yaml index e917d8fe7..4f1b52305 100644 --- a/deploy/demo/aadpodidentity.yaml +++ b/deploy/demo/aadpodidentity.yaml 
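Review bot: The `MIC_POD_NAMESPACE` check added directly after `flag.Parse()` runs before the existing `if versionInfo { version.PrintVersionAndExit() }`, so running the binary only to print its version (as `versionInfo` appears to allow) now exits through `klog.Fatalf` whenever the variable is unset. Moving the `os.Getenv` lookup and the `cmConfig.Namespace = podns` assignment below the version check keeps that path working. The fatal message tells the operator to add `meta.namespace`, while the downward-API field this same patch uses in deploy/infra/deployment-rbac.yaml is `metadata.namespace`; I would word it as `klog.Fatalf("namespace not specified; set MIC_POD_NAMESPACE from metadata.namespace")`. The new flags `cmName`, `typeUpgradeCMKey` and `enableTypeUpgrade` are camelCase next to the kebab-case `immutable-user-msis` just above them, and `enableTypeUpgrade` defaults to true, which deserves a comment saying what MIC rewrites on start-up. The body of main starts and ends outside this hunk.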
@@ -4,5 +4,5 @@ metadata: name: demo-aad1 spec: type: 0 - ResourceID: RESOURCE_ID - ClientID: CLIENT_ID + resourceID: RESOURCE_ID + clientID: CLIENT_ID diff --git a/deploy/demo/aadpodidentitybinding.yaml b/deploy/demo/aadpodidentitybinding.yaml index 60311f651..36d1a61f3 100644 --- a/deploy/demo/aadpodidentitybinding.yaml +++ b/deploy/demo/aadpodidentitybinding.yaml @@ -3,5 +3,5 @@ kind: AzureIdentityBinding metadata: name: demo-azure-id-binding spec: - AzureIdentity: "demo-aad1" - Selector: "demo" \ No newline at end of file + azureIdentity: "demo-aad1" + selector: "demo" \ No newline at end of file diff --git a/deploy/infra/deployment-rbac.yaml b/deploy/infra/deployment-rbac.yaml index fe2451842..9e8cc841c 100644 --- a/deploy/infra/deployment-rbac.yaml +++ b/deploy/infra/deployment-rbac.yaml @@ -179,12 +179,18 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "update"] - apiGroups: [""] resources: ["endpoints"] verbs: ["create", "get","update"] - apiGroups: ["aadpodidentity.k8s.io"] resources: ["azureidentitybindings", "azureidentities"] - verbs: ["get", "list", "watch", "post"] + verbs: ["get", "list", "watch", "post", "update"] +- apiGroups: ["aadpodidentity.k8s.io"] + resources: ["azurepodidentityexceptions"] + verbs: ["list", "update"] - apiGroups: ["aadpodidentity.k8s.io"] resources: ["azureassignedidentities"] verbs: ["*"] @@ -232,6 +238,11 @@ spec: args: - "--cloudconfig=/etc/kubernetes/azure.json" - "--logtostderr" + env: + - name: MIC_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace resources: limits: cpu: 200m diff --git a/go.mod b/go.mod index 201180056..c71a219a4 100644 --- a/go.mod +++ b/go.mod 
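Review bot: The new `configmaps` rule in the `@@ -179,12 +179,18 @@` hunk of deploy/infra/deployment-rbac.yaml grants `get`, `create` and `update` on every ConfigMap the role covers, while this patch only needs the one named by `--cmName` (default `aad-pod-identity-cm`) in the namespace taken from `MIC_POD_NAMESPACE`. The `kind` of the object holding these rules is outside the hunk; if it is a ClusterRole, the MIC service account can read and overwrite ConfigMaps in every namespace. I would move the rule into a namespaced Role and limit `get` and `update` with `resourceNames: ["aad-pod-identity-cm"]` (`create` cannot be restricted by name). The edited `azureidentitybindings`/`azureidentities` line still lists `"post"`, which matches no resource request verb in Kubernetes RBAC and can be dropped while the line is being touched. The new `azurepodidentityexceptions` rule should carry a comment saying that `update` is needed only for the type upgrade, so it can be removed once that migration is retired.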
@@ -11,30 +11,20 @@ require ( github.com/Azure/go-autorest/autorest/to v0.2.0 // indirect github.com/Azure/go-autorest/autorest/validation v0.1.0 // indirect github.com/coreos/go-iptables v0.3.0 - github.com/gogo/protobuf v1.2.1 // indirect github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7 // indirect github.com/google/go-cmp v0.3.0 - github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf // indirect github.com/googleapis/gnostic v0.1.0 // indirect - github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c // indirect - github.com/imdario/mergo v0.3.4 // indirect - github.com/json-iterator/go v0.0.0-20180315132816-ca39e5af3ece // indirect github.com/kelseyhightower/envconfig v1.3.0 - github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v0.0.0-20180228065516-1df9eeb2bb81 // indirect - github.com/onsi/ginkgo v1.7.0 - github.com/onsi/gomega v1.4.3 + github.com/onsi/ginkgo v1.10.1 + github.com/onsi/gomega v1.7.0 github.com/pkg/errors v0.8.0 - github.com/spf13/pflag v1.0.1 - github.com/stretchr/testify v1.3.0 + github.com/spf13/pflag v1.0.5 + github.com/stretchr/testify v1.4.0 go.opencensus.io v0.22.0 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 - golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2 // indirect - gopkg.in/inf.v0 v0.9.1 // indirect - gopkg.in/yaml.v2 v2.2.1 - k8s.io/api v0.0.0-20180501062503-590a9173e3b6 - k8s.io/apimachinery v0.0.0-20180417142332-01bc873149a1 - k8s.io/client-go v0.0.0-20180424211516-33f2870a2b83 + gopkg.in/yaml.v2 v2.2.4 + k8s.io/api v0.17.2 + k8s.io/apimachinery v0.17.2 + k8s.io/client-go v0.17.2 k8s.io/klog v1.0.0 - k8s.io/kube-openapi v0.0.0-20190306001800-15615b16d372 // indirect ) diff --git a/go.sum b/go.sum index 13e72e809..8a25958a6 100644 --- a/go.sum +++ b/go.sum 
@@ -1,5 +1,6 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= contrib.go.opencensus.io/exporter/ocagent v0.4.12/go.mod h1:450APlNTSR6FrvC3CTRqYosuDstRB9un7SOx2k/9ckA= contrib.go.opencensus.io/exporter/prometheus v0.1.0 h1:SByaIoWwNgMdPSgl5sMqM2KDE5H/ukPWBRo314xiDvg= contrib.go.opencensus.io/exporter/prometheus v0.1.0/go.mod h1:cGFniUXGZlKRjzOyuZJ6mgB+PgBcCIa79kEKR8YCW+A= 
@@ -33,11 +34,13 @@ github.com/Azure/go-autorest/autorest/validation v0.1.0 h1:ISSNzGUh+ZSzizJWOWzs8 github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= github.com/Azure/go-autorest/logger v0.1.0 h1:ruG4BSDXONFRrZZJ2GUXDiUyVpayPmb1GnWeHDdaNKY= github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= -github.com/Azure/go-autorest/tracing v0.1.0 h1:TRBxC5Pj/fIuh4Qob0ZpkggbfT8RC0SubHbpV3p4/Vc= github.com/Azure/go-autorest/tracing v0.1.0/go.mod h1:ROEEAFwXycQw7Sn3DXNtEedEvdeRAgDr0izn4z5Ij88= github.com/Azure/go-autorest/tracing v0.5.0 h1:TRn4WjSnkcSy5AEG3pnbtFSwNtwzjr4VYyQflFE619k= github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= 
@@ -45,11 +48,11 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/census-instrumentation/opencensus-proto v0.2.0 h1:LzQXZOgg4CQfE6bFvXGM30YZL1WW/M337pXml+GrcZ4= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/coreos/go-iptables v0.3.0 h1:UTQkjHl9rPwwtXZhXbY3T932cV9aUnKlSsZ7YGfJVXM= github.com/coreos/go-iptables v0.3.0/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -57,56 +60,78 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumC github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/evanphx/json-patch v4.2.0+incompatible h1:fUDGZCv/7iAN7u0puUVhvKCcsR6vRfwrJatElLBEf0I= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-openapi/jsonpointer 
v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7 h1:u4bArs140e9+AfE52mFHOXVFnOSBJBRlzTHrOPLOIhE= github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf 
v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck= -github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gnostic 
v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= github.com/googleapis/gnostic v0.1.0 h1:rVsPeBmXbYv4If/cumu1AzZPwV58q433hvONV1UEZoI= github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/grpc-ecosystem/grpc-gateway v1.8.5 h1:2+KSC78XiO6Qy0hIjfc1OD9H+hsaJdJlb8Kqsd41CTE= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c h1:kQWxfPIHVLbgLzphqk3QUflDy9QdksZR4ygR807bpy0= -github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/imdario/mergo v0.3.4 h1:mKkfHkZWD8dC7WxKx3N9WCF0Y+dLau45704YQmY6H94= -github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/json-iterator/go v0.0.0-20180315132816-ca39e5af3ece h1:3HJXp/18JmMk5sjBP3LDUBtWjczCvynxaeAF6b6kWp8= -github.com/json-iterator/go v0.0.0-20180315132816-ca39e5af3ece/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/imdario/mergo v0.3.5 
h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kelseyhightower/envconfig v1.3.0 h1:IvRS4f2VcIQy6j4ORGIf9145T/AsUB+oY8LyvN8BXNM= github.com/kelseyhightower/envconfig v1.3.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= -github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= 
@@ -115,24 +140,36 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180228065516-1df9eeb2bb81 h1:ImOHKpmdLPXWX5KSYquUWXKaopEPuY7TPPUo18u9aOI= -github.com/modern-go/reflect2 v0.0.0-20180228065516-1df9eeb2bb81/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= 
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.7.0 h1:WSHQ+IS43OoUrWtD1/bbclrwK8TTH5hzp+umCiuxHgs= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU= +github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= 
@@ -152,22 +189,28 @@ github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/spf13/pflag v1.0.1 h1:aCvUg6QPl3ibpQUxyLkrEkCHtPqYJL4x9AuhqVqFis4= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0 
h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480 h1:O5YqonU5IWby+w98jVUG9h7zlCWCcH4RHyPVReBmhzk= golang.org/x/crypto v0.0.0-20190418165655-df01cb2cc480/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413 h1:ULYEB3JvPRE/IfO+9uO7vKV/xzVTO7XPAwm8xbf4w2g= golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -175,6 +218,7 @@ golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTk golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -188,47 +232,61 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09 h1:KaQtG+aDELoNmXYas3TVkGNYRuq8JQ1aa7LJt8EXVyo= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9 h1:rjwSpXsdiK0dV8/Naq3kAw9ymfAeJIyd0upUIElB+lI= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0Is3p+EHBKNgquIzo1OI= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd h1:r7DufRZuZbWB7j439YfAzP8RPDa9unLkpwQKUYbIMPI= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456 h1:ng0gs1AKnRRuEMZoTLLlbOd+C17zUDepwGQBb/n+JVg= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2 h1:+DCIGbF/swA92ohVg0//6X2IVY3KZs6p9mix0ziNYJM= -golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto 
v0.0.0-20190425155659-357c62f0e4bb h1:i1Ppqkc3WQXikh8bXiwHqAN5Rv3/qDCcRk0/Otx73BY= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1 h1:Hz2g2wirWK7H0qIIhGIqRGTuMwTE8HEKFnDZZ7lm9NU= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -242,17 +300,28 @@ gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= -gopkg.in/yaml.v2 v2.2.1 h1:mUhvW9EsL+naU5Q3cakzfE91YhliOondGd6ZrsDBHQE= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.0.0-20180501062503-590a9173e3b6 h1:tJuWruDiY2ZFCDrjN6vzSDFE1EMASampqUIjhC+lEBY= -k8s.io/api v0.0.0-20180501062503-590a9173e3b6/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA= -k8s.io/apimachinery v0.0.0-20180417142332-01bc873149a1 h1:lWAq9sN2fwiqI3Rnr3nDAScQY8JrtzDDCcRoid6EH0Q= -k8s.io/apimachinery v0.0.0-20180417142332-01bc873149a1/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0= -k8s.io/client-go v0.0.0-20180424211516-33f2870a2b83 h1:zFG4vdZo+7VePgo3YFfw+ZZURiwY0BGAzdt20E6X9M0= -k8s.io/client-go v0.0.0-20180424211516-33f2870a2b83/go.mod h1:7vJpHMYJwNQCWgzmNV+VYUl1zCObLyodBc8nIyt8L5s= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +k8s.io/api v0.17.2 h1:NF1UFXcKN7/OOv1uxdRz3qfra8AHsPav5M93hlV9+Dc= +k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4= +k8s.io/apimachinery v0.17.2 h1:hwDQQFbdRlpnnsR64Asdi55GyCaIP/3WQpMmbNBeWr4= +k8s.io/apimachinery 
v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/client-go v0.17.2 h1:ndIfkfXEGrNhLIgkr0+qhRguSD3u6DCmonepn1O6NYc= +k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= -k8s.io/kube-openapi v0.0.0-20190306001800-15615b16d372 h1:zia7dTzfEtdiSUxi9cXUDsSQH2xE6igmGKyFn2on/9A= -k8s.io/kube-openapi v0.0.0-20190306001800-15615b16d372/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a h1:UcxjrRMyNx/i/y8G7kPvLyy7rfbeuf1PYyBf973pgyU= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f h1:GiPwtSzdP43eI1hpPCbROQCCIgCuiMMNF8YUVLF3vJo= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= diff --git a/pkg/apis/aadpodidentity/v1/types.go b/pkg/apis/aadpodidentity/v1/types.go index 6ffd9ca01..8b5861641 100644 --- a/pkg/apis/aadpodidentity/v1/types.go +++ b/pkg/apis/aadpodidentity/v1/types.go 
@@ -52,7 +52,7 @@ type AzureAssignedIdentity struct { metav1.ObjectMeta `json:"metadata,omitempty"` Spec AzureAssignedIdentitySpec `json:"spec"` - Status AzureAssignedIdentityStatus `json:"Status"` + Status AzureAssignedIdentityStatus `json:"status"` } //AzurePodIdentityException contains the pod selectors for all pods that don't require @@ -64,7 +64,7 @@ type AzurePodIdentityException struct { metav1.ObjectMeta `json:"metadata,omitempty"` Spec AzurePodIdentityExceptionSpec `json:"spec"` - Status AzurePodIdentityExceptionStatus `json:"Status"` + Status AzurePodIdentityExceptionStatus `json:"status"` } /*** Lists ***/ @@ -115,17 +115,17 @@ type AzureIdentitySpec struct { Type IdentityType `json:"type"` // User assigned MSI resource id. - ResourceID string `json:"resourceid"` + ResourceID string `json:"resourceID"` //Both User Assigned MSI and SP can use this field. - ClientID string `json:"clientid"` + ClientID string `json:"clientID"` //Used for service principal - ClientPassword api.SecretReference `json:"clientpassword"` + ClientPassword api.SecretReference `json:"clientPassword"` // Service principal tenant id. - TenantID string `json:"tenantid"` + TenantID string `json:"tenantID"` // For service principal. Option param for specifying the AD details. - ADResourceID string `json:"adresourceid"` - ADEndpoint string `json:"adendpoint"` + ADResourceID string `json:"adResourceID"` + ADEndpoint string `json:"adEndpoint"` Replicas *int32 `json:"replicas"` } @@ -166,7 +166,7 @@ const ( // and the identities present.. type AzureIdentityBindingSpec struct { metav1.ObjectMeta `json:"metadata,omitempty"` - AzureIdentity string `json:"azureidentity"` + AzureIdentity string `json:"azureIdentity"` Selector string `json:"selector"` // Weight is used to figure out which of the matching identities would be selected. Weight int `json:"weight"` 
@@ -182,10 +182,10 @@ type AzureIdentityBindingStatus struct { //AzureAssignedIdentitySpec has the contents of Azure identity<->POD type AzureAssignedIdentitySpec struct { metav1.ObjectMeta `json:"metadata,omitempty"` - AzureIdentityRef *AzureIdentity `json:"azureidentityref"` - AzureBindingRef *AzureIdentityBinding `json:"azurebindingref"` + AzureIdentityRef *AzureIdentity `json:"azureIdentityRef"` + AzureBindingRef *AzureIdentityBinding `json:"azureBindingRef"` Pod string `json:"pod"` - PodNamespace string `json:"podnamespace"` + PodNamespace string `json:"podNamespace"` NodeName string `json:"nodename"` Replicas *int32 `json:"replicas"` diff --git a/pkg/crd/crd.go b/pkg/crd/crd.go index 499a912dc..b0b4d34a6 100644 --- a/pkg/crd/crd.go +++ b/pkg/crd/crd.go @@ -10,6 +10,7 @@ import ( aadpodv1 "github.com/Azure/aad-pod-identity/pkg/apis/aadpodidentity/v1" "github.com/Azure/aad-pod-identity/pkg/metrics" "github.com/Azure/aad-pod-identity/pkg/stats" + "k8s.io/apimachinery/pkg/api/meta" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/runtime" @@ -36,9 +37,11 @@ type Client struct { type ClientInt interface { Start(exit <-chan struct{}) SyncCache(exit <-chan struct{}, initial bool, cacheSyncs ...cache.InformerSynced) + SyncCacheAll(exit <-chan struct{}, initial bool) RemoveAssignedIdentity(assignedIdentity *aadpodid.AzureAssignedIdentity) error CreateAssignedIdentity(assignedIdentity *aadpodid.AzureAssignedIdentity) error UpdateAzureAssignedIdentityStatus(assignedIdentity *aadpodid.AzureAssignedIdentity, status string) error + UpgradeAll() error ListBindings() (res *[]aadpodid.AzureIdentityBinding, err error) ListAssignedIDs() (res *[]aadpodid.AzureAssignedIdentity, err error) ListAssignedIDsInMap() (res map[string]aadpodid.AzureAssignedIdentity, err error) 
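Review bot: `NodeName` in `AzureAssignedIdentitySpec` keeps the tag `json:"nodename"` while `PodNamespace`, `AzureIdentityRef` and `AzureBindingRef` in the same hunk move to camelCase. The log message added in pkg/mic/mic.go suggests the upgraded client matches keys case-sensitively, so a writer that follows the new convention and emits `nodeName` would presumably leave this field empty without any error. Either rename the tag to `json:"nodeName"` or add a comment such as `// tag intentionally left lowercase for compatibility with stored objects`. The struct continues outside the hunk.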
@@ -163,7 +166,7 @@ func newRestClient(config *rest.Config) (r *rest.RESTClient, err error) { &aadpodv1.AzurePodIdentityException{}, &aadpodv1.AzurePodIdentityExceptionList{}, ) - crdconfig.NegotiatedSerializer = serializer.DirectCodecFactory{ + crdconfig.NegotiatedSerializer = serializer.WithoutConversionCodecFactory{ CodecFactory: serializer.NewCodecFactory(s)} //Client interacting with our CRDs 
@@ -299,6 +302,69 @@ func newPodIdentityExceptionInformer(lw *cache.ListWatch) (cache.SharedInformer, return azPodIDExceptionInformer, nil } +func (c *Client) getObjectList(resource string, i runtime.Object) (runtime.Object, error) { + options := v1.ListOptions{} + do := c.rest.Get().Namespace(v1.NamespaceAll).Resource(resource).VersionedParams(&options, v1.ParameterCodec).Do() + body, err := do.Raw() + if err != nil { + return nil, fmt.Errorf("get failed for %s with error: %v", resource, err) + } + err = json.Unmarshal(body, &i) + if err != nil { + return nil, fmt.Errorf("unmarshal to object: %T, error: %v", i, err) + } + return i, err +} + +func (c *Client) setObject(resource, ns, name string, i interface{}) error { + err := c.rest.Put().Namespace(ns).Resource(resource).Name(name).Body(i).Do().Into(nil) + if err != nil { + return fmt.Errorf("set object for resource: %s, error: %v", resource, err) + } + return nil +} + +func (c *Client) Upgrade(resource string, i runtime.Object) error { + i, err := c.getObjectList(resource, i) + if err != nil { + return err + } + + list, err := meta.ExtractList(i) + if err != nil { + return fmt.Errorf("extract list error for resource: %s, err: %v", resource, err) + } + + for _, item := range list { + o, err := meta.Accessor(item) + if err != nil { + return fmt.Errorf("get object for resource: %s, error: %v", resource, err) + } + err = c.setObject(resource, o.GetNamespace(), o.GetName(), o) + if err != nil { + return err + } + } + return nil +} + +func (c *Client) UpgradeAll() error { + resourceList := map[string]runtime.Object{ + aadpodv1.AzureIDResource: &aadpodv1.AzureIdentityList{}, + aadpodv1.AzureIDBindingResource: &aadpodv1.AzureIdentityBindingList{}, + aadpodv1.AzureAssignedIDResource: &aadpodv1.AzureAssignedIdentityList{}, + aadpodv1.AzureIdentityExceptionResource: &aadpodv1.AzurePodIdentityExceptionList{}, + } + + for k, v := range resourceList { + err := c.Upgrade(k, v) + if err != nil { + return err + } + } + return nil 
+} + // StartLite to be used only case of lite client func (c *Client) StartLite(exit <-chan struct{}) { var cacheHasSynced []cache.InformerSynced @@ -343,6 +409,11 @@ func (c *Client) SyncCache(exit <-chan struct{}, initial bool, cacheSyncs ...cac } } +// SyncCacheAll - sync all caches related to the client. +func (c *Client) SyncCacheAll(exit <-chan struct{}, initial bool) { + c.SyncCache(exit, initial, c.BindingInformer.HasSynced, c.IDInformer.HasSynced, c.AssignedIDInformer.HasSynced) +} + // RemoveAssignedIdentity removes the assigned identity func (c *Client) RemoveAssignedIdentity(assignedIdentity *aadpodid.AzureAssignedIdentity) (err error) { klog.V(6).Infof("Deletion of assigned id named: %s", assignedIdentity.Name) @@ -463,7 +534,6 @@ func (c *Client) ListAssignedIDsInMap() (map[string]aadpodid.AzureAssignedIdenti result := make(map[string]aadpodid.AzureAssignedIdentity) list := c.AssignedIDInformer.GetStore().List() - for _, assignedID := range list { o, ok := assignedID.(*aadpodv1.AzureAssignedIdentity) @@ -480,9 +550,9 @@ func (c *Client) ListAssignedIDsInMap() (map[string]aadpodid.AzureAssignedIdenti Kind: reflect.TypeOf(*o).String()}) out := aadpodv1.ConvertV1AssignedIdentityToInternalAssignedIdentity(*o) - // assigned identities names are unique across namespaces as we use pod name-- result[o.Name] = out + klog.V(6).Infof("Added to map with key: %s", o.Name) } stats.Update(stats.AssignedIDList, time.Since(begin)) @@ -624,7 +694,7 @@ func (c *Client) UpdateAzureAssignedIdentityStatus(assignedIdentity *aadpodid.Az ops := make([]patchStatusOps, 1) ops[0].Op = "replace" - ops[0].Path = "/Status/status" + ops[0].Path = "/status/status" ops[0].Value = status patchBytes, err := json.Marshal(ops) diff --git a/pkg/k8s/client_test.go b/pkg/k8s/client_test.go index c0d52182a..b0f9bfd86 100644 --- a/pkg/k8s/client_test.go +++ b/pkg/k8s/client_test.go 
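Review bot: `Upgrade` returns on the first failed PUT, and the error from `setObject` names only the resource, so a single conflict or an object deleted between the list and the PUT aborts the whole run without saying which object failed. The caller in pkg/mic/mic.go treats an upgrade error as fatal, so this is likely to surface as a restart loop that is hard to diagnose. Include the object in the message, e.g. `return fmt.Errorf("set object %s/%s for resource: %s, error: %v", ns, name, resource, err)`, and consider skipping objects that no longer exist. `Upgrade` and `UpgradeAll` are exported and would benefit from doc comments stating that every object of the four CRD kinds, in all namespaces, is read and written back.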
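Review bot: The patch path `/status/status` exists only on objects already stored with the lowercase `status` key, so a `replace` operation against an object that still carries `Status` would presumably be rejected, assuming this is sent as a JSON Patch. That case is reachable when `EnableTypeUpgrade` is false or for an object the upgrade has not rewritten. A comment on the assignment would make the coupling visible: `// Path must match the json tag on AzureAssignedIdentity.Status; objects stored before the type upgrade use "/Status/status".` The enclosing function starts and ends outside the hunk.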
@@ -57,7 +57,7 @@ func (t *TestClientSet) GetTestClientSet() (kubernetes.Interface, *fakerest.REST scheme.AddKnownTypes(TestGroupVersion, &v1.PodList{}) fakeRestClient := &fakerest.RESTClient{ - NegotiatedSerializer: serializer.DirectCodecFactory{ + NegotiatedSerializer: serializer.WithoutConversionCodecFactory{ CodecFactory: serializer.NewCodecFactory(scheme)}, Resp: &http.Response{ StatusCode: http.StatusOK, diff --git a/pkg/mic/mic.go b/pkg/mic/mic.go index 1feba5ab5..68fef1fe1 100644 --- a/pkg/mic/mic.go +++ b/pkg/mic/mic.go @@ -18,6 +18,7 @@ import ( "github.com/Azure/aad-pod-identity/version" "golang.org/x/sync/semaphore" corev1 "k8s.io/api/core/v1" + kubeErrors "k8s.io/apimachinery/pkg/api/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" @@ -41,6 +42,18 @@ type NodeGetter interface { Start(<-chan struct{}) } +// TypeUpgradeConfig - configuration aspects of type related changes required for client-go upgrade. +type TypeUpgradeConfig struct { + CMTypeUpgradeKey string + EnableTypeUpgrade bool +} + +// CMConfig - config map for aad-pod-identity +type CMConfig struct { + Namespace string + Name string +} + // LeaderElectionConfig - used to keep track of leader election config. type LeaderElectionConfig struct { Namespace string @@ -69,7 +82,24 @@ type Client struct { leaderElector *leaderelection.LeaderElector *LeaderElectionConfig - Reporter *metrics.Reporter + Reporter *metrics.Reporter + TypeUpgradeCfg *TypeUpgradeConfig + CMCfg *CMConfig + CMClient typedcorev1.ConfigMapInterface +} + +// Config - MIC Config +type Config struct { + CloudCfgPath string + RestConfig *rest.Config + IsNamespaced bool + SyncRetryInterval time.Duration + LeaderElectionCfg *LeaderElectionConfig + EnableScaleFeatures bool + CreateDeleteBatch int64 + ImmutableUserMSIsList []string + CMcfg *CMConfig + TypeUpgradeCfg *TypeUpgradeConfig } // ClientInt ... 
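Review bot: The new `Config` struct spells its field `CMcfg` while `Client`, extended in the same hunk, uses `CMCfg` for the same value, and both use `TypeUpgradeCfg`. The mismatch is easy to mistype and reads as two different things; `CMCfg *CMConfig` in `Config` would make the two structs agree. The fields of `Config` also have no comments; a line on `CMCfg` saying that its namespace is where the type-upgrade marker ConfigMap is read and written would help whoever sets up RBAC for MIC.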
@@ -87,11 +117,10 @@ type trackUserAssignedMSIIds struct { } // NewMICClient returnes new mic client -func NewMICClient(cloudconfig string, config *rest.Config, isNamespaced bool, syncRetryInterval time.Duration, - leaderElectionConfig *LeaderElectionConfig, enableScaleFeatures bool, createDeleteBatch int64, immutableUserMSIsList []string) (*Client, error) { +func NewMICClient(cfg *Config) (*Client, error) { klog.Infof("Starting to create the pod identity client. Version: %v. Build date: %v", version.MICVersion, version.BuildDate) - clientSet := kubernetes.NewForConfigOrDie(config) + clientSet := kubernetes.NewForConfigOrDie(cfg.RestConfig) k8sVersion, err := clientSet.ServerVersion() if err == nil { @@ -100,14 +129,15 @@ func NewMICClient(cloudconfig string, config *rest.Config, isNamespaced bool, sy informer := informers.NewSharedInformerFactory(clientSet, 30*time.Second) - cloudClient, err := cloudprovider.NewCloudProvider(cloudconfig) + cloudClient, err := cloudprovider.NewCloudProvider(cfg.CloudCfgPath) if err != nil { return nil, err } klog.V(1).Infof("Cloud provider initialized") eventCh := make(chan aadpodid.EventType, 100) - crdClient, err := crd.NewCRDClient(config, eventCh) + + crdClient, err := crd.NewCRDClient(cfg.RestConfig, eventCh) if err != nil { return nil, err } 
@@ -122,14 +152,19 @@ func NewMICClient(cloudconfig string, config *rest.Config, isNamespaced bool, sy var immutableUserMSIsMap map[string]bool - if len(immutableUserMSIsList) > 0 { + if len(cfg.ImmutableUserMSIsList) > 0 { // this map contains list of identities that are configured by user as immutable. immutableUserMSIsMap = make(map[string]bool) - for _, item := range immutableUserMSIsList { + for _, item := range cfg.ImmutableUserMSIsList { immutableUserMSIsMap[strings.ToLower(item)] = true } } + var cmClient typedcorev1.ConfigMapInterface + if cfg.TypeUpgradeCfg.EnableTypeUpgrade { + cmClient = clientSet.CoreV1().ConfigMaps(cfg.CMcfg.Namespace) + } + c := &Client{ CRDClient: crdClient, CloudClient: cloudClient, @@ -137,13 +172,17 @@ func NewMICClient(cloudconfig string, config *rest.Config, isNamespaced bool, sy EventRecorder: recorder, EventChannel: eventCh, NodeClient: &NodeClient{informer.Core().V1().Nodes()}, - IsNamespaced: isNamespaced, - syncRetryInterval: syncRetryInterval, - enableScaleFeatures: enableScaleFeatures, - createDeleteBatch: createDeleteBatch, + IsNamespaced: cfg.IsNamespaced, + syncRetryInterval: cfg.SyncRetryInterval, + enableScaleFeatures: cfg.EnableScaleFeatures, + createDeleteBatch: cfg.CreateDeleteBatch, ImmutableUserMSIsMap: immutableUserMSIsMap, + TypeUpgradeCfg: cfg.TypeUpgradeCfg, + CMCfg: cfg.CMcfg, + CMClient: cmClient, } - leaderElector, err := c.NewLeaderElector(clientSet, recorder, leaderElectionConfig) + + leaderElector, err := c.NewLeaderElector(clientSet, recorder, cfg.LeaderElectionCfg) if err != nil { klog.Errorf("New leader elector failure. Error: %+v", err) return nil, err @@ -164,7 +203,7 @@ func (c *Client) Run() { klog.Info("Initiating MIC Leader election") // counter to track number of mic election c.Reporter.Report(metrics.MICNewLeaderElectionCountM.M(1)) - c.leaderElector.Run() + c.leaderElector.Run(context.Background()) } // NewLeaderElector - does the required leader election initialization 
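Review bot: `cfg.TypeUpgradeCfg.EnableTypeUpgrade` and `cfg.CMcfg.Namespace` are dereferenced without a nil check, so a caller that builds `Config` without those two pointers panics inside `NewMICClient`. `UpgradeTypeIfRequired`, added further down in this file, dereferences `c.TypeUpgradeCfg` and `c.CMCfg` the same way. Since the constructor already returns an error, reject the input up front: `if cfg == nil || cfg.TypeUpgradeCfg == nil || cfg.CMcfg == nil { return nil, fmt.Errorf("mic config: TypeUpgradeCfg and CMcfg must be set") }`. The body of `NewMICClient` starts and ends outside this hunk.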
@@ -174,6 +213,7 @@ func (c *Client) NewLeaderElector(clientSet *kubernetes.Clientset, recorder reco c.Namespace, c.Name, clientSet.CoreV1(), + clientSet.CoordinationV1(), resourcelock.ResourceLockConfig{ Identity: c.Instance, EventRecorder: recorder}) @@ -186,8 +226,8 @@ func (c *Client) NewLeaderElector(clientSet *kubernetes.Clientset, recorder reco RenewDeadline: c.Duration / 2, RetryPeriod: c.Duration / 4, Callbacks: leaderelection.LeaderCallbacks{ - OnStartedLeading: func(exit <-chan struct{}) { - c.Start(exit) + OnStartedLeading: func(ctx context.Context) { + c.Start(ctx.Done()) }, OnStoppedLeading: func() { klog.Errorf("Lost leader lease") 
@@ -205,10 +245,64 @@ func (c *Client) NewLeaderElector(clientSet *kubernetes.Clientset, recorder reco return leaderElector, nil } +func (c *Client) UpgradeTypeIfRequired() error { + if c.TypeUpgradeCfg.EnableTypeUpgrade { + cm, err := c.CMClient.Get(c.CMCfg.Name, v1.GetOptions{}) + // If we get an error and its not NotFound then return, because we cannot proceed. + if err != nil && !kubeErrors.IsNotFound(err) { + return fmt.Errorf("config map get for %s failed with error: %v", c.CMCfg.Name, err) + } + + // Now either the configmap is not there or we successfully got the configmap + // Handle the case where the configmap is not found. + if err != nil && kubeErrors.IsNotFound(err) { + // Create the configmap + newCfgMap := &corev1.ConfigMap{ + ObjectMeta: v1.ObjectMeta{ + Namespace: c.CMCfg.Namespace, + Name: c.CMCfg.Name, + }, + } + if cm, err = c.CMClient.Create(newCfgMap); err != nil { + return fmt.Errorf("create configmap %s/%s failed with error: %v", c.CMCfg.Namespace, c.CMCfg.Name, err) + } + } + + // We reach here only if the configmap is present or we created new one. + // Check if the key for type upgrade is present. If the key is present, + // then the upgrade is already performed. If not then go through the type upgrade + // process. + if v, ok := cm.Data[c.TypeUpgradeCfg.CMTypeUpgradeKey]; !ok { + klog.Infof("Upgrading the types to work with case sensitive go-client") + if err := c.CRDClient.UpgradeAll(); err != nil { + return fmt.Errorf("type upgrade failed. error: %+v", err) + } + klog.Infof("Type upgrade completed !!") + // Upgrade completed so update the data with the upgrade key. + if cm.Data == nil { + cm.Data = make(map[string]string) + } + cm.Data[c.TypeUpgradeCfg.CMTypeUpgradeKey] = version.MICVersion + _, err = c.CMClient.Update(cm) + if err != nil { + return fmt.Errorf("type upgrade annotation update on %s failed. 
error: %+v", c.TypeUpgradeCfg.CMTypeUpgradeKey, err) + } + } else { + klog.Infof("Type upgrade status configmap found from version: %s. Proceeding without type upgrade !", v) + } + } + return nil +} + // Start ... func (c *Client) Start(exit <-chan struct{}) { klog.V(6).Infof("MIC client starting..") + if err := c.UpgradeTypeIfRequired(); err != nil { + klog.Fatalf("Upgrade failed with error: %v", err) + return + } + var wg sync.WaitGroup wg.Add(1) @@ -275,6 +369,13 @@ func (c *Client) Sync(exit <-chan struct{}) { begin := time.Now() workDone := false + cacheTime := time.Now() + + // There is a delay in data propogation to cache. It's possible that the creates performed in the previous sync cycle + // are not propogated before this sync cycle began. In order to avoid redoing the cycle, we sync cache again. + c.CRDClient.SyncCacheAll(exit, false) + stats.Put(stats.CacheSync, time.Since(cacheTime)) + // List all pods in all namespaces systemTime := time.Now() listPods, err := c.PodClient.GetPods() @@ -286,10 +387,12 @@ func (c *Client) Sync(exit <-chan struct{}) { if err != nil { continue } + klog.V(6).Infof("Number of bindings: %d", len(*listBindings)) listIDs, err := c.CRDClient.ListIds() if err != nil { continue } + klog.V(6).Infof("Number of identities: %d", len(*listIDs)) idMap, err := c.convertIDListToMap(*listIDs) if err != nil { klog.Error(err) @@ -300,6 +403,7 @@ func (c *Client) Sync(exit <-chan struct{}) { if err != nil { continue } + klog.V(6).Infof("Number of assigned identities: %d", len(currentAssignedIDs)) stats.Put(stats.System, time.Since(systemTime)) beginNewListTime := time.Now() 
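Review bot: The error returned when `c.CMClient.Update(cm)` fails reports the data key and calls it an annotation, although the object that failed is the ConfigMap; `return fmt.Errorf("type upgrade status update on configmap %s/%s failed. error: %+v", c.CMCfg.Namespace, c.CMCfg.Name, err)` points at the right thing. In `Start`, the `return` after `klog.Fatalf` is unreachable because Fatalf exits the process. `UpgradeTypeIfRequired` is exported without a doc comment; it should say that the presence of the key in the ConfigMap, whatever its value, is what suppresses the upgrade, since that makes write access to this ConfigMap a control over whether stored identities get rewritten. `Start` continues outside the hunk.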
@@ -374,9 +478,10 @@ func (c *Client) Sync(exit <-chan struct{}) { stats.PrintSync() if workDone { - // We need to synchronize the cache inorder to get the latest updates. Sync cache has a bug in the current go client which caused thread leak. - // Updating of go client has issues with case sensitivity. Avoid this issue by sleping for 500 milliseconds to reduce the chance - // of cache misses for assignedidentities updated in the previous cycle. + // We need to synchronize the cache inorder to get the latest updates. + // Even though we sync at the beginning of every cycle, we are still seeing + // conflicts indicating the assigned identities are not reflecting in + // the cache. Continue to use the sleep workaround. time.Sleep(time.Millisecond * 200) } } @@ -417,12 +522,14 @@ func (c *Client) createDesiredAssignedIdentityList( newAssignedIDs := make(map[string]aadpodid.AzureAssignedIdentity) for _, pod := range listPods { + klog.V(6).Infof("checking pod: %s", pod.Name) if pod.Spec.NodeName == "" { //Node is not yet allocated. In that case skip the pod klog.V(2).Infof("Pod %s/%s has no assigned node yet. it will be ignored", pod.Namespace, pod.Name) continue } crdPodLabelVal := pod.Labels[aadpodid.CRDLabelKey] + klog.V(6).Infof("Label value: %v", crdPodLabelVal) if crdPodLabelVal == "" { //No binding mentioned in the label. Just continue to the next pod klog.V(2).Infof("Pod %s/%s has correct %s label but with no value. it will be ignored", pod.Namespace, pod.Name, aadpodid.CRDLabelKey) @@ -430,6 +537,7 @@ func (c *Client) createDesiredAssignedIdentityList( } var matchedBindings []aadpodid.AzureIdentityBinding for _, allBinding := range *listBindings { + klog.V(6).Infof("Check the binding: %s", allBinding.Spec.Selector) if allBinding.Spec.Selector == crdPodLabelVal { klog.V(5).Infof("Found binding match for pod %s/%s with binding %s/%s", pod.Namespace, pod.Name, allBinding.Namespace, allBinding.Name) matchedBindings = append(matchedBindings, allBinding) 
diff --git a/pkg/mic/mic_test.go b/pkg/mic/mic_test.go index 1f674f8ef..99666eead 100644 --- a/pkg/mic/mic_test.go +++ b/pkg/mic/mic_test.go @@ -424,6 +424,10 @@ func (c *TestCrdClient) SyncCache(exit <-chan struct{}, initial bool, cacheSyncs } +func (c *TestCrdClient) SyncCacheAll(exit<-chan struct{}, initial bool) { + +} + func (c *TestCrdClient) CreateCrdWatchers(eventCh chan internalaadpodid.EventType) (err error) { return nil } From 153a14399839714f94f914278337450bf8f764a8 Mon Sep 17 00:00:00 2001 From: "Krishnakumar R(KK)" <29471693+kkmsft@users.noreply.github.com> Date: Mon, 16 Mar 2020 03:13:39 -0700 Subject: [PATCH 2/7] Add simple tool to list the CRDs --- Makefile | 17 ++++++-- cmd/simple/main.go | 104 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 118 insertions(+), 3 deletions(-) create mode 100644 cmd/simple/main.go diff --git a/Makefile b/Makefile index 81e662204..4c222e507 100644 --- a/Makefile +++ b/Makefile @@ -7,6 +7,9 @@ REPO_PATH="$(ORG_PATH)/$(PROJECT_NAME)" NMI_BINARY_NAME := nmi MIC_BINARY_NAME := mic DEMO_BINARY_NAME := demo +SIMPLE_CMD_BINARY_NAME := simple +GOOS ?= linux +TEST_GOOS ?= linux IDENTITY_VALIDATOR_BINARY_NAME := identityvalidator DEFAULT_VERSION := 0.0.0-dev @@ -62,6 +65,10 @@ clean-demo: clean-identity-validator: rm -rf bin/$(PROJECT_NAME)/$(IDENTITY_VALIDATOR_BINARY_NAME) +.PHONY: clean-simple +clean-simple: + rm -rf bin/$(PROJECT_NAME)/$(SIMPLE_CMD_BINARY_NAME) + .PHONY: clean clean: rm -rf bin/$(PROJECT_NAME) 
@@ -74,13 +81,17 @@ build-nmi: clean-nmi build-mic: clean-mic CGO_ENABLED=0 PKG_NAME=github.com/Azure/$(PROJECT_NAME)/cmd/$(MIC_BINARY_NAME) $(MAKE) bin/$(PROJECT_NAME)/$(MIC_BINARY_NAME) +.PHONY: build-simple +build-simple: + CGO_ENABLED=0 PKG_NAME=github.com/Azure/$(PROJECT_NAME)/cmd/$(SIMPLE_CMD_BINARY_NAME) $(MAKE) bin/$(PROJECT_NAME)/$(SIMPLE_CMD_BINARY_NAME) + .PHONY: build-demo build-demo: build_tags := netgo osusergo build-demo: clean-demo PKG_NAME=github.com/Azure/$(PROJECT_NAME)/cmd/$(DEMO_BINARY_NAME) ${MAKE} bin/$(PROJECT_NAME)/$(DEMO_BINARY_NAME) bin/%: - GOOS=linux GOARCH=amd64 go build $(GO_BUILD_OPTIONS) -o "$(@)" "$(PKG_NAME)" + GOOS=$(GOOS) GOARCH=amd64 go build $(GO_BUILD_OPTIONS) -o "$(@)" "$(PKG_NAME)" .PHONY: build-identity-validator build-identity-validator: clean-identity-validator @@ -137,11 +148,11 @@ push: push-nmi push-mic push-demo push-identity-validator .PHONY: e2e e2e: - go test github.com/Azure/$(PROJECT_NAME)/test/e2e $(E2E_TEST_OPTIONS) + GOOS=$(TEST_GOOS) go test github.com/Azure/$(PROJECT_NAME)/test/e2e $(E2E_TEST_OPTIONS) .PHONY: unit-test unit-test: - go test -race -count=1 $(shell go list ./... | grep -v /test/e2e) -v + GOOS=$(TEST_GOOS) go test -race -count=1 $(shell go list ./... | grep -v /test/e2e) -v .PHONY: validate-version validate-version: validate-version-NMI validate-version-MIC validate-version-IDENTITY_VALIDATOR validate-version-DEMO diff --git a/cmd/simple/main.go b/cmd/simple/main.go new file mode 100644 index 000000000..49b38c20a --- /dev/null +++ b/cmd/simple/main.go 
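Review bot: Prefixing `go test` with `GOOS=$(TEST_GOOS)` in the `e2e` and `unit-test` targets makes the toolchain build test binaries for that OS, and with the default `TEST_GOOS ?= linux` a run on a non-Linux host would presumably fail to execute them. If the aim is only to stop an inherited `GOOS` from leaking in, a default that follows the host keeps the targets working everywhere: `TEST_GOOS ?= $(shell go env GOHOSTOS)`. Separately, `build-simple` in the previous hunk has no `clean-simple` prerequisite, unlike `build-mic: clean-mic` next to it.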
@@ -0,0 +1,104 @@ +package main + +import ( + "flag" + + "github.com/Azure/aad-pod-identity/version" + + "encoding/json" + "os" + + aadpodid "github.com/Azure/aad-pod-identity/pkg/apis/aadpodidentity" + "github.com/Azure/aad-pod-identity/pkg/crd" + "k8s.io/client-go/rest" + "k8s.io/client-go/tools/clientcmd" + "k8s.io/klog" + //"context" +) + +var ( + kubeconfig string +) + +func main() { + defer klog.Flush() + flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to the kube config") + + flag.Set("logtostderr", "true") + flag.Set("v", "10") + + flag.Parse() + + klog.V(2).Infof("Starting simple process. Version: %v. Build date: %v", version.MICVersion, version.BuildDate) + if kubeconfig == "" { + klog.Warningf("--kubeconfig not passed will use InClusterConfig") + } + + klog.V(2).Infof("kubeconfig (%s)", kubeconfig) + config, err := buildConfig(kubeconfig) + if err != nil { + klog.Fatalf("Could not read config properly. Check the k8s config file, %+v", err) + } + + eventCh := make(chan aadpodid.EventType, 100) + crdClient, err := crd.NewCRDClient(config, eventCh) + if err != nil { + klog.Fatalf("%+v", err) + } + + // Starts the leader election loop + var exit <-chan struct{} + crdClient.Start(exit) + crdClient.SyncCacheAll(exit, true) + + ids, err := crdClient.ListIds() + if err != nil { + klog.Fatalf("Could not get the identities: %+v", err) + } + klog.Infof("Identities len: %d", len(*ids)) + for _, v := range *ids { + buf, err := json.MarshalIndent(v, "", " ") + if err != nil { + klog.Errorf("Error in marshalling: %+v", err) + os.Exit(1) + } + klog.Infof("\n%s", string(buf)) + } + + bindings, err := crdClient.ListBindings() + if err != nil { + klog.Fatalf("Could not get the bindings: %+v", err) + } + klog.Infof("Bindings len: %d", len(*bindings)) + for _, v := range *bindings { + buf, err := json.MarshalIndent(v, "", " ") + if err != nil { + klog.Errorf("Error in marshalling: %+v", err) + os.Exit(1) + } + klog.Infof("\n%s", string(buf)) + } + + assignedIDs, err := 
crdClient.ListAssignedIDs() + if err != nil { + klog.Fatalf("Could not get assigned ID") + } + + for _, a := range *assignedIDs { + buf, err := json.MarshalIndent(a, "", " ") + if err != nil { + klog.Errorf("Error in marshalling: %+v", err) + os.Exit(1) + } + klog.Infof("\n%s", string(buf)) + } + klog.Info("\nDone !") +} + +// Create the client config. Use kubeconfig if given, otherwise assume in-cluster. +func buildConfig(kubeconfigPath string) (*rest.Config, error) { + if kubeconfigPath != "" { + return clientcmd.BuildConfigFromFlags("", kubeconfigPath) + } + return rest.InClusterConfig() +} From 28ff5f938d6df3416cf49fd1f810b813f7fd9873 Mon Sep 17 00:00:00 2001 From: "Krishnakumar R(KK)" <29471693+kkmsft@users.noreply.github.com> Date: Mon, 16 Mar 2020 03:15:11 -0700 Subject: [PATCH 3/7] Test changes for type update --- .../common/k8s/azureidentity/azureidentity.go | 12 ++++++- .../azureidentitybinding.go | 12 ++++++- test/e2e/aadpodidentity_test.go | 36 ++++++++++++++++--- test/e2e/template/aadpodidentity-old.yaml | 8 +++++ test/e2e/template/aadpodidentity.yaml | 4 +-- .../aadpodidentity_test_immutable.yaml | 4 +-- .../template/aadpodidentity_test_invalid.yaml | 4 +-- .../template/aadpodidentity_test_valid.yaml | 4 +-- .../template/aadpodidentitybinding-old.yaml | 7 ++++ test/e2e/template/aadpodidentitybinding.yaml | 4 +-- test/e2e/template/deployment-rbac.yaml | 16 +++++++-- 11 files changed, 92 insertions(+), 19 deletions(-) create mode 100644 test/e2e/template/aadpodidentity-old.yaml create mode 100644 test/e2e/template/aadpodidentitybinding-old.yaml diff --git a/test/common/k8s/azureidentity/azureidentity.go b/test/common/k8s/azureidentity/azureidentity.go index c310d7342..a95f06db8 100644 --- a/test/common/k8s/azureidentity/azureidentity.go +++ b/test/common/k8s/azureidentity/azureidentity.go 
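Review bot: `flag.Set("logtostderr", "true")` and `flag.Set("v", "10")` run without a prior `klog.InitFlags(nil)`, so with klog v1 those flags are likely not registered and both calls return an error that is dropped; add `klog.InitFlags(nil)` as the first statement of `main` and check the returned errors. Verbosity 10 is also hard-coded: at that level client-go logs request and response detail, so API traffic and identity objects end up in whatever collects stderr, and a lower default that the operator can raise is the safer choice. The comment `// Starts the leader election loop` does not describe `crdClient.Start`, and `klog.Fatalf("Could not get assigned ID")` drops `err`; `klog.Fatalf("Could not get assigned IDs: %+v", err)` matches the other two branches.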
@@ -16,14 +16,24 @@ import ( "github.com/pkg/errors" ) +// CreateOnClusterOld will create an Azure Identity on a Kubernetes cluster +func CreateOnClusterOld(subscriptionID, resourceGroup, name, templateOutputPath string) error { + return CreateOnClusterInternal(subscriptionID, resourceGroup, name, "aadpodidentity-old.yaml", templateOutputPath) +} + // CreateOnCluster will create an Azure Identity on a Kubernetes cluster func CreateOnCluster(subscriptionID, resourceGroup, name, templateOutputPath string) error { + return CreateOnClusterInternal(subscriptionID, resourceGroup, name, "aadpodidentity.yaml", templateOutputPath) +} + +// CreateOnClusterInternal will create an Azure Identity on a Kubernetes cluster +func CreateOnClusterInternal(subscriptionID, resourceGroup, name, templateInputFile, templateOutputPath string) error { clientID, err := GetClientID(resourceGroup, name) if err != nil { return err } - t, err := template.New("aadpodidentity.yaml").ParseFiles(path.Join("template", "aadpodidentity.yaml")) + t, err := template.New(templateInputFile).ParseFiles(path.Join("template", templateInputFile)) if err != nil { return errors.Wrap(err, "Failed to parse aadpodidentity.yaml") } diff --git a/test/common/k8s/azureidentitybinding/azureidentitybinding.go b/test/common/k8s/azureidentitybinding/azureidentitybinding.go index 085667cb1..7d08f4ae8 100644 --- a/test/common/k8s/azureidentitybinding/azureidentitybinding.go +++ b/test/common/k8s/azureidentitybinding/azureidentitybinding.go 
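Review bot: The wrapped error still says `Failed to parse aadpodidentity.yaml` although the file is now chosen by `templateInputFile`, so a parse failure on `aadpodidentity-old.yaml` is reported against the wrong file; `errors.Wrapf(err, "Failed to parse %s", templateInputFile)` fixes it. The same stale message remains in `CreateInternal` in azureidentitybinding.go (`Failed to parse aadpodidentitybinding.yaml`). `CreateOnClusterInternal` and `CreateInternal` are exported only to be shared by their two wrappers, so unexported names would keep the package surface unchanged. Both functions continue outside their hunks.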
@@ -12,9 +12,19 @@ import ( "github.com/pkg/errors" ) +// CreateOld will create an Azure Identity Binding on a Kubernetes cluster +func CreateOld(name, selector, templateOutputPath string) error { + return CreateInternal(name, selector, "aadpodidentitybinding-old.yaml", templateOutputPath) +} + // Create will create an Azure Identity Binding on a Kubernetes cluster func Create(name, selector, templateOutputPath string) error { - t, err := template.New("aadpodidentitybinding.yaml").ParseFiles(path.Join("template", "aadpodidentitybinding.yaml")) + return CreateInternal(name, selector, "aadpodidentitybinding.yaml", templateOutputPath) +} + +// CreateInternal will create an Azure Identity Binding on a Kubernetes cluster +func CreateInternal(name, selector, templateInternalFile, templateOutputPath string) error { + t, err := template.New(templateInternalFile).ParseFiles(path.Join("template", templateInternalFile)) if err != nil { return errors.Wrap(err, "Failed to parse aadpodidentitybinding.yaml") } diff --git a/test/e2e/aadpodidentity_test.go b/test/e2e/aadpodidentity_test.go index 3cead7f7e..3ee81cd8e 100644 --- a/test/e2e/aadpodidentity_test.go +++ b/test/e2e/aadpodidentity_test.go 
@@ -489,14 +489,22 @@ var _ = Describe("Kubernetes cluster using aad-pod-identity", func() { Expect(err).NotTo(HaveOccurred()) Expect(ok).To(Equal(true)) + // Remove the configmap to ensure that the type conversion happens. + cmd := exec.Command("kubectl", "delete", "cm", "aad-pod-identity-cm", "--ignore-not-found=true") + util.PrintCommand(cmd) + output, err := cmd.CombinedOutput() + fmt.Printf("%s", output) + Expect(err).NotTo(HaveOccurred()) + // setup mic and nmi with old releases setupInfraOld("mcr.microsoft.com/k8s/aad-pod-identity", "1.4", "1.3", "") - setUpIdentityAndDeployment(keyvaultIdentity, "", "1") + setUpIdentityAndDeploymentOld(keyvaultIdentity, "", "1") ok, err = azureassignedidentity.WaitOnLengthMatched(1, false) Expect(err).NotTo(HaveOccurred()) Expect(ok).To(Equal(true)) + time.Sleep(60 * time.Second) // update the infra to use latest mic and nmi images setupInfra(cfg.Registry, cfg.NMIVersion, cfg.MICVersion, cfg.EnableScaleFeatures, cfg.ImmutableUserMSIs) 
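Review bot: The added `kubectl delete cm aad-pod-identity-cm` call names no namespace, while MIC looks the ConfigMap up in the namespace it reads from `MIC_POD_NAMESPACE`. Combined with `--ignore-not-found=true`, a mismatch turns the delete into a silent no-op, and the test could then pass without the type conversion ever running. Pass the namespace explicitly (`"-n", <MIC namespace>`) or assert afterwards that the ConfigMap is gone. The added `time.Sleep(60 * time.Second)` has no comment saying what it waits for; polling the condition, as `WaitOnLengthMatched` does a few lines above, would be less flaky.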
@@ -1120,21 +1128,39 @@ func setupInfra(registry, nmiVersion, micVersion string, enableScaleFeatures boo checkInfra() } -// setUpIdentityAndDeployment will deploy AzureIdentity, AzureIdentityBinding, and an identity validator +func setUpIdentityAndDeploymentOld(azureIdentityName, suffix, replicas string, tmplOpts ...func(*infra.IdentityValidatorTemplateData)) { + setUpIdentityAndDeploymentInternal(azureIdentityName, suffix, replicas, true, tmplOpts...) +} + +func setUpIdentityAndDeployment(azureIdentityName, suffix, replicas string, tmplOpts ...func(*infra.IdentityValidatorTemplateData)) { + setUpIdentityAndDeploymentInternal(azureIdentityName, suffix, replicas, false, tmplOpts...) +} + +// setUpIdentityAndDeploymentInternal will deploy AzureIdentity, AzureIdentityBinding, and an identity validator // Suffix will give the tests the option to add a suffix to the end of the identity name, useful for scale tests // replicas to indicate the number of replicas for the deployment -func setUpIdentityAndDeployment(azureIdentityName, suffix, replicas string, tmplOpts ...func(*infra.IdentityValidatorTemplateData)) { +func setUpIdentityAndDeploymentInternal(azureIdentityName, suffix, replicas string, old bool, tmplOpts ...func(*infra.IdentityValidatorTemplateData)) { identityValidatorName := identityValidator if suffix != "" { azureIdentityName += "-" + suffix identityValidatorName += "-" + suffix } + var err error - err := azureidentity.CreateOnCluster(cfg.SubscriptionID, cfg.ResourceGroup, azureIdentityName, templateOutputPath) + if old { + err = azureidentity.CreateOnClusterOld(cfg.SubscriptionID, cfg.ResourceGroup, azureIdentityName, templateOutputPath) + } else { + err = azureidentity.CreateOnCluster(cfg.SubscriptionID, cfg.ResourceGroup, azureIdentityName, templateOutputPath) + } Expect(err).NotTo(HaveOccurred()) - err = azureidentitybinding.Create(azureIdentityName, azureIdentityName, templateOutputPath) + if old { + err = 
azureidentitybinding.CreateOld(azureIdentityName, azureIdentityName, templateOutputPath) + } else { + err = azureidentitybinding.Create(azureIdentityName, azureIdentityName, templateOutputPath) + } + Expect(err).NotTo(HaveOccurred()) data := infra.IdentityValidatorTemplateData{ diff --git a/test/e2e/template/aadpodidentity-old.yaml b/test/e2e/template/aadpodidentity-old.yaml new file mode 100644 index 000000000..59bbbb790 --- /dev/null +++ b/test/e2e/template/aadpodidentity-old.yaml @@ -0,0 +1,8 @@ +apiVersion: "aadpodidentity.k8s.io/v1" +kind: AzureIdentity +metadata: + name: {{.Name}} +spec: + type: 0 + ResourceID: /subscriptions/{{.SubscriptionID}}/resourceGroups/{{.ResourceGroup}}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{{.Name}} + ClientID: {{.ClientID}} diff --git a/test/e2e/template/aadpodidentity.yaml b/test/e2e/template/aadpodidentity.yaml index 59bbbb790..274c776e9 100644 --- a/test/e2e/template/aadpodidentity.yaml +++ b/test/e2e/template/aadpodidentity.yaml @@ -4,5 +4,5 @@ metadata: name: {{.Name}} spec: type: 0 - ResourceID: /subscriptions/{{.SubscriptionID}}/resourceGroups/{{.ResourceGroup}}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{{.Name}} - ClientID: {{.ClientID}} + resourceID: /subscriptions/{{.SubscriptionID}}/resourceGroups/{{.ResourceGroup}}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{{.Name}} + clientID: {{.ClientID}} diff --git a/test/e2e/template/aadpodidentity_test_immutable.yaml b/test/e2e/template/aadpodidentity_test_immutable.yaml index 6a74af5cb..70382be6e 100644 --- a/test/e2e/template/aadpodidentity_test_immutable.yaml +++ b/test/e2e/template/aadpodidentity_test_immutable.yaml 
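Review bot: `setUpIdentityAndDeploymentInternal` branches on `old` twice with identical shape, and the two wrappers lost their doc comment when the original one moved to the helper. Selecting the creators once keeps the body linear: start from `createIdentity, createBinding := azureidentity.CreateOnCluster, azureidentitybinding.Create` and swap in the `…Old` variants when `old` is set. For the wrapper I would add `// setUpIdentityAndDeploymentOld deploys the identity and binding from the old templates with capitalised spec field names`. The helper continues outside the hunk.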
@@ -4,5 +4,5 @@ metadata: name: testidentityimmutable spec: type: 0 - ResourceID: /subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity - ClientID: 11111111-1111-1111-1111-111111111111 \ No newline at end of file + resourceID: /subscriptions/11111111-1111-1111-1111-111111111111/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity + clientID: 11111111-1111-1111-1111-111111111111 \ No newline at end of file diff --git a/test/e2e/template/aadpodidentity_test_invalid.yaml b/test/e2e/template/aadpodidentity_test_invalid.yaml index db5e22da0..9bcdf1959 100644 --- a/test/e2e/template/aadpodidentity_test_invalid.yaml +++ b/test/e2e/template/aadpodidentity_test_invalid.yaml @@ -4,5 +4,5 @@ metadata: name: testidentityinvalid spec: type: 0 - ResourceID: /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity - ClientID: 00000000-0000-0000-0000-000000000000 \ No newline at end of file + resourceID: /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity + clientID: 00000000-0000-0000-0000-000000000000 \ No newline at end of file diff --git a/test/e2e/template/aadpodidentity_test_valid.yaml b/test/e2e/template/aadpodidentity_test_valid.yaml index af0326a66..f68ace43c 100644 --- a/test/e2e/template/aadpodidentity_test_valid.yaml +++ b/test/e2e/template/aadpodidentity_test_valid.yaml 
@@ -4,5 +4,5 @@ metadata: name: testidentityvalid spec: type: 0 - ResourceID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity - ClientID: 00000000-0000-0000-0000-000000000000 \ No newline at end of file + resourceID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity + clientID: 00000000-0000-0000-0000-000000000000 \ No newline at end of file diff --git a/test/e2e/template/aadpodidentitybinding-old.yaml b/test/e2e/template/aadpodidentitybinding-old.yaml new file mode 100644 index 000000000..35e334f2c --- /dev/null +++ b/test/e2e/template/aadpodidentitybinding-old.yaml @@ -0,0 +1,7 @@ +apiVersion: "aadpodidentity.k8s.io/v1" +kind: AzureIdentityBinding +metadata: + name: {{.Name}}-binding +spec: + AzureIdentity: {{.Name}} + Selector: {{.Selector}} diff --git a/test/e2e/template/aadpodidentitybinding.yaml b/test/e2e/template/aadpodidentitybinding.yaml index 35e334f2c..a36a7f7be 100644 --- a/test/e2e/template/aadpodidentitybinding.yaml +++ b/test/e2e/template/aadpodidentitybinding.yaml @@ -3,5 +3,5 @@ kind: AzureIdentityBinding metadata: name: {{.Name}}-binding spec: - AzureIdentity: {{.Name}} - Selector: {{.Selector}} + azureIdentity: {{.Name}} + selector: {{.Selector}} diff --git a/test/e2e/template/deployment-rbac.yaml b/test/e2e/template/deployment-rbac.yaml index 619a830eb..3c81f9b78 100644 --- a/test/e2e/template/deployment-rbac.yaml +++ b/test/e2e/template/deployment-rbac.yaml 
@@ -174,9 +174,15 @@ rules: - apiGroups: [""] resources: ["endpoints"] verbs: [ "create", "get", "update"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "update"] - apiGroups: ["aadpodidentity.k8s.io"] resources: ["azureidentitybindings", "azureidentities"] - verbs: ["get", "list", "watch", "post"] + verbs: ["get", "list", "watch", "post", "update"] +- apiGroups: ["aadpodidentity.k8s.io"] + resources: ["azurepodidentityexceptions"] + verbs: ["list", "update"] - apiGroups: ["aadpodidentity.k8s.io"] resources: ["azureassignedidentities"] verbs: ["*"] @@ -224,7 +230,13 @@ spec: - "--cloudconfig=/etc/kubernetes/azure.json" {{if .ImmutableUserMSIs}}- "--immutable-user-msis={{.ImmutableUserMSIs}}" {{end}} - "--logtostderr" - {{if .EnableScaleFeatures}}- "--enableScaleFeatures=true" {{end}} + {{if .EnableScaleFeatures}}- "--enableScaleFeatures=true" {{end}} + - "--v=7" + env: + - name: MIC_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace resources: limits: cpu: 200m From e31a2380ecd490fc0430c19ceca644a851e67300 Mon Sep 17 00:00:00 2001 From: "Krishnakumar R(KK)" <29471693+kkmsft@users.noreply.github.com> Date: Mon, 16 Mar 2020 03:15:31 -0700 Subject: [PATCH 4/7] Remove unused rc deployment files --- deploy/infra/rc/deployment-rbac.yaml | 249 --------------------------- deploy/infra/rc/deployment.yaml | 170 ------------------ 2 files changed, 419 deletions(-) delete mode 100644 deploy/infra/rc/deployment-rbac.yaml delete mode 100644 deploy/infra/rc/deployment.yaml diff --git a/deploy/infra/rc/deployment-rbac.yaml b/deploy/infra/rc/deployment-rbac.yaml deleted file mode 100644 index 1d106adfe..000000000 --- a/deploy/infra/rc/deployment-rbac.yaml +++ /dev/null 
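Review bot: The new `configmaps` rule grants `get`, `create` and `update` on every ConfigMap the role covers, although the code in this series only reads and writes the single ConfigMap named by the MIC flag, in MIC's own namespace. If this rule list belongs to a ClusterRole, as the `aad-pod-id-mic-role` in the deleted rc manifest suggests, that is cluster-wide write access to ConfigMaps. A namespaced Role and RoleBinding in the MIC namespace, with `resourceNames` set to the configured ConfigMap name for `get` and `update`, would limit it to what is needed (`create` cannot be restricted by `resourceNames`). Separately, `"post"` on the changed `azureidentities` line is not a resource verb in Kubernetes RBAC and appears to grant nothing.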
@@ -1,249 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: aad-pod-id-nmi-service-account - namespace: default ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: azureassignedidentities.aadpodidentity.k8s.io -spec: - group: aadpodidentity.k8s.io - version: v1 - names: - kind: AzureAssignedIdentity - plural: azureassignedidentities - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: azureidentitybindings.aadpodidentity.k8s.io -spec: - group: aadpodidentity.k8s.io - version: v1 - names: - kind: AzureIdentityBinding - plural: azureidentitybindings - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: azureidentities.aadpodidentity.k8s.io -spec: - group: aadpodidentity.k8s.io - version: v1 - names: - kind: AzureIdentity - singular: azureidentity - plural: azureidentities - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: azurepodidentityexceptions.aadpodidentity.k8s.io -spec: - group: aadpodidentity.k8s.io - version: v1 - names: - kind: AzurePodIdentityException - singular: azurepodidentityexception - plural: azurepodidentityexceptions - scope: Namespaced ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: aad-pod-id-nmi-role -rules: -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list"] -- apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get"] -- apiGroups: ["aadpodidentity.k8s.io"] - resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"] - verbs: ["get", "list", "watch"] -- apiGroups: ["aadpodidentity.k8s.io"] - resources: ["azureassignedidentities"] - verbs: ["get", "list", "watch"] ---- -apiVersion: 
rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: aad-pod-id-nmi-binding - labels: - k8s-app: aad-pod-id-nmi-binding -subjects: -- kind: ServiceAccount - name: aad-pod-id-nmi-service-account - namespace: default -roleRef: - kind: ClusterRole - name: aad-pod-id-nmi-role - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - labels: - component: nmi - tier: node - k8s-app: aad-pod-id - name: nmi - namespace: default -spec: - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - component: nmi - tier: node - spec: - serviceAccountName: aad-pod-id-nmi-service-account - hostNetwork: true - volumes: - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: iptableslock - containers: - - name: nmi - image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.4-rc5" - imagePullPolicy: Always - args: - - "--host-ip=$(HOST_IP)" - - "--node=$(NODE_NAME)" - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - resources: - limits: - cpu: 200m - memory: 512Mi - requests: - cpu: 100m - memory: 256Mi - securityContext: - privileged: true - capabilities: - add: - - NET_ADMIN - volumeMounts: - - mountPath: /run/xtables.lock - name: iptableslock - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 5 - nodeSelector: - beta.kubernetes.io/os: linux ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: aad-pod-id-mic-service-account - namespace: default ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: aad-pod-id-mic-role -rules: -- apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["*"] -- apiGroups: [""] - resources: ["pods", "nodes"] - verbs: [ "list", "watch" ] -- apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] -- apiGroups: [""] - 
resources: ["endpoints"] - verbs: ["create", "get","update"] -- apiGroups: ["aadpodidentity.k8s.io"] - resources: ["azureidentitybindings", "azureidentities"] - verbs: ["get", "list", "watch", "post"] -- apiGroups: ["aadpodidentity.k8s.io"] - resources: ["azureassignedidentities"] - verbs: ["*"] ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: aad-pod-id-mic-binding - labels: - k8s-app: aad-pod-id-mic-binding -subjects: -- kind: ServiceAccount - name: aad-pod-id-mic-service-account - namespace: default -roleRef: - kind: ClusterRole - name: aad-pod-id-mic-role - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - component: mic - k8s-app: aad-pod-id - name: mic - namespace: default -spec: - replicas: 2 - template: - metadata: - labels: - component: mic - app: mic - spec: - serviceAccountName: aad-pod-id-mic-service-account - containers: - - name: mic - image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.4-rc5" - imagePullPolicy: Always - args: - - "--cloudconfig=/etc/kubernetes/azure.json" - - "--logtostderr" - resources: - limits: - cpu: 200m - memory: 1024Mi - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - name: k8s-azure-file - mountPath: /etc/kubernetes/azure.json - readOnly: true - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 5 - volumes: - - name: k8s-azure-file - hostPath: - path: /etc/kubernetes/azure.json - nodeSelector: - beta.kubernetes.io/os: linux diff --git a/deploy/infra/rc/deployment.yaml b/deploy/infra/rc/deployment.yaml deleted file mode 100644 index 37de2d202..000000000 --- a/deploy/infra/rc/deployment.yaml +++ /dev/null 
@@ -1,170 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: azureassignedidentities.aadpodidentity.k8s.io -spec: - group: aadpodidentity.k8s.io - version: v1 - names: - kind: AzureAssignedIdentity - plural: azureassignedidentities - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: azureidentitybindings.aadpodidentity.k8s.io -spec: - group: aadpodidentity.k8s.io - version: v1 - names: - kind: AzureIdentityBinding - plural: azureidentitybindings - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: azureidentities.aadpodidentity.k8s.io -spec: - group: aadpodidentity.k8s.io - version: v1 - names: - kind: AzureIdentity - singular: azureidentity - plural: azureidentities - scope: Namespaced ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: azurepodidentityexceptions.aadpodidentity.k8s.io -spec: - group: aadpodidentity.k8s.io - version: v1 - names: - kind: AzurePodIdentityException - singular: azurepodidentityexception - plural: azurepodidentityexceptions - scope: Namespaced ---- -apiVersion: extensions/v1beta1 -kind: DaemonSet -metadata: - labels: - component: nmi - tier: node - name: nmi - namespace: default -spec: - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - component: nmi - tier: node - spec: - hostNetwork: true - volumes: - - hostPath: - path: /run/xtables.lock - type: FileOrCreate - name: iptableslock - containers: - - name: nmi - image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.4-rc5" - imagePullPolicy: Always - args: - - "--host-ip=$(HOST_IP)" - - "--node=$(NODE_NAME)" - env: - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - resources: - limits: - cpu: 200m - memory: 512Mi - requests: - cpu: 100m - memory: 
256Mi - securityContext: - privileged: true - capabilities: - add: - - NET_ADMIN - volumeMounts: - - mountPath: /run/xtables.lock - name: iptableslock - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 5 - nodeSelector: - beta.kubernetes.io/os: linux ---- -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - component: mic - name: mic - namespace: default -spec: - replicas: 2 - template: - metadata: - labels: - component: mic - spec: - containers: - - name: mic - image: "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.4-rc5" - imagePullPolicy: Always - args: - - "--kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig" - - "--cloudconfig=/etc/kubernetes/azure.json" - - "--logtostderr" - resources: - limits: - cpu: 200m - memory: 1024Mi - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - name: kubeconfig - mountPath: /etc/kubernetes/kubeconfig - readOnly: true - - name: certificates - mountPath: /etc/kubernetes/certs - readOnly: true - - name: k8s-azure-file - mountPath: /etc/kubernetes/azure.json - readOnly: true - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 5 - volumes: - - name: kubeconfig - hostPath: - path: /var/lib/kubelet - - name: certificates - hostPath: - path: /etc/kubernetes/certs - - name: k8s-azure-file - hostPath: - path: /etc/kubernetes/azure.json - nodeSelector: - beta.kubernetes.io/os: linux From d75fdfbe394f95a0c4206586266685207c4050c4 Mon Sep 17 00:00:00 2001 From: "Krishnakumar R(KK)" <29471693+kkmsft@users.noreply.github.com> Date: Mon, 16 Mar 2020 12:31:15 -0700 Subject: [PATCH 5/7] Fixes from testing --- test/e2e/template/aadpodidentityexception.yaml | 2 +- test/e2e/template/deployment-rbac.yaml | 3 +-- validation/gatekeeper/azureidentityformat_template.yaml | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) 
diff --git a/test/e2e/template/aadpodidentityexception.yaml b/test/e2e/template/aadpodidentityexception.yaml index 8cbd810ff..7c87ad11a 100644 --- a/test/e2e/template/aadpodidentityexception.yaml +++ b/test/e2e/template/aadpodidentityexception.yaml @@ -3,7 +3,7 @@ kind: AzurePodIdentityException metadata: name: {{.Name}}-exception spec: - PodLabels: + podLabels: {{- range $key, $value := $.PodLabels }} {{ $key }}: {{ $value -}} {{ end }} \ No newline at end of file diff --git a/test/e2e/template/deployment-rbac.yaml b/test/e2e/template/deployment-rbac.yaml index 3c81f9b78..1c85996d0 100644 --- a/test/e2e/template/deployment-rbac.yaml +++ b/test/e2e/template/deployment-rbac.yaml @@ -230,8 +230,7 @@ spec: - "--cloudconfig=/etc/kubernetes/azure.json" {{if .ImmutableUserMSIs}}- "--immutable-user-msis={{.ImmutableUserMSIs}}" {{end}} - "--logtostderr" - {{if .EnableScaleFeatures}}- "--enableScaleFeatures=true" {{end}} - - "--v=7" + {{if .EnableScaleFeatures}}- "--enableScaleFeatures=true" {{end}} env: - name: MIC_POD_NAMESPACE valueFrom: diff --git a/validation/gatekeeper/azureidentityformat_template.yaml b/validation/gatekeeper/azureidentityformat_template.yaml index 1ddaaa367..6bf4bc93e 100644 --- a/validation/gatekeeper/azureidentityformat_template.yaml +++ b/validation/gatekeeper/azureidentityformat_template.yaml @@ -18,7 +18,7 @@ spec: input.review.kind.kind == "AzureIdentity" # format of resourceId is checked only for user-assigned MSI input.review.object.spec.type == 0 - resourceId := input.review.object.spec.ResourceID + resourceId := input.review.object.spec.resourceID result := re_match(`(?i)/subscriptions/(.+?)/resourcegroups/(.+?)/providers/Microsoft.ManagedIdentity/(.+?)/(.+)`,resourceId) result == false msg := sprintf(`The identity resourceId '%v' is invalid.It must be of the following format: '/subscriptions//resourcegroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/'`,[resourceId]) 
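Review bot: In the Gatekeeper template the rule now reads only `input.review.object.spec.resourceID`, so an AzureIdentity that still carries the old `ResourceID` key leaves `resourceId` undefined. In Rego that makes the whole rule body undefined, so no violation is reported and the object passes the format check unexamined. The `aadpodidentity-old.yaml` template added earlier in this series and the demo manifest changed in patch 6/7 still use `ResourceID`, so such objects are to be expected. Consider a second violation rule for type 0 identities that fires on `not input.review.object.spec.resourceID`, or validate whichever of the two keys is present. The rule head is outside the hunk.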
From f65e05bbebe06dc9f8e1816483eb01989eac7899 Mon Sep 17 00:00:00 2001 From: "Krishnakumar R(KK)" <29471693+kkmsft@users.noreply.github.com> Date: Fri, 20 Mar 2020 16:53:42 -0700 Subject: [PATCH 6/7] Address review comments --- cmd/mic/main.go | 6 +++--- cmd/simple/main.go | 1 - deploy/demo/aadpodidentity.yaml | 4 ++-- deploy/demo/aadpodidentitybinding.yaml | 4 ++-- pkg/mic/mic.go | 27 +++++++++++++------------- test/e2e/aadpodidentity_test.go | 2 +- 6 files changed, 22 insertions(+), 22 deletions(-) diff --git a/cmd/mic/main.go b/cmd/mic/main.go index 70ac40dd7..1fcc3359a 100644 --- a/cmd/mic/main.go +++ b/cmd/mic/main.go @@ -76,10 +76,10 @@ func main() { flag.StringVar(&immutableUserMSIs, "immutable-user-msis", "", "prevent deletion of these IDs from the underlying VM/VMSS") // Config map for aad-pod-identity - flag.StringVar(&cmConfig.Name, "cmName", "aad-pod-identity-cm", "Configmap name") + flag.StringVar(&cmConfig.Name, "config-map-name", "aad-pod-identity-config", "Configmap name") // Config map details for the type changes in the context of client-go upgrade. - flag.StringVar(&typeUpgradeConfig.CMTypeUpgradeKey, "typeUpgradeCMKey", "type-upgrade-status", "Configmap key for type upgrade status") - flag.BoolVar(&typeUpgradeConfig.EnableTypeUpgrade, "enableTypeUpgrade", true, "Enable type upgrade") + flag.StringVar(&typeUpgradeConfig.TypeUpgradeStatusKey, "type-upgrade-status-key", "type-upgrade-status", "Configmap key for type upgrade status") + flag.BoolVar(&typeUpgradeConfig.EnableTypeUpgrade, "enable-type-upgrade", true, "Enable type upgrade") flag.Parse() diff --git a/cmd/simple/main.go b/cmd/simple/main.go index 49b38c20a..5d686418b 100644 --- a/cmd/simple/main.go +++ b/cmd/simple/main.go @@ -13,7 +13,6 @@ import ( "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd" "k8s.io/klog" - //"context" ) var ( diff --git a/deploy/demo/aadpodidentity.yaml b/deploy/demo/aadpodidentity.yaml index 4f1b52305..e917d8fe7 100644 
--- a/deploy/demo/aadpodidentity.yaml +++ b/deploy/demo/aadpodidentity.yaml @@ -4,5 +4,5 @@ metadata: name: demo-aad1 spec: type: 0 - resourceID: RESOURCE_ID - clientID: CLIENT_ID + ResourceID: RESOURCE_ID + ClientID: CLIENT_ID diff --git a/deploy/demo/aadpodidentitybinding.yaml b/deploy/demo/aadpodidentitybinding.yaml index 36d1a61f3..60311f651 100644 --- a/deploy/demo/aadpodidentitybinding.yaml +++ b/deploy/demo/aadpodidentitybinding.yaml @@ -3,5 +3,5 @@ kind: AzureIdentityBinding metadata: name: demo-azure-id-binding spec: - azureIdentity: "demo-aad1" - selector: "demo" \ No newline at end of file + AzureIdentity: "demo-aad1" + Selector: "demo" \ No newline at end of file diff --git a/pkg/mic/mic.go b/pkg/mic/mic.go index 68fef1fe1..ba1ac58e8 100644 --- a/pkg/mic/mic.go +++ b/pkg/mic/mic.go @@ -18,7 +18,7 @@ import ( "github.com/Azure/aad-pod-identity/version" "golang.org/x/sync/semaphore" corev1 "k8s.io/api/core/v1" - kubeErrors "k8s.io/apimachinery/pkg/api/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" @@ -44,8 +44,9 @@ type NodeGetter interface { // TypeUpgradeConfig - configuration aspects of type related changes required for client-go upgrade. type TypeUpgradeConfig struct { - CMTypeUpgradeKey string - EnableTypeUpgrade bool + // Key in the config map which indicates if a type upgrade has been performed. + TypeUpgradeStatusKey string + EnableTypeUpgrade bool } // CMConfig - config map for aad-pod-identity 
@@ -249,13 +250,13 @@ func (c *Client) UpgradeTypeIfRequired() error { if c.TypeUpgradeCfg.EnableTypeUpgrade { cm, err := c.CMClient.Get(c.CMCfg.Name, v1.GetOptions{}) // If we get an error and its not NotFound then return, because we cannot proceed. - if err != nil && !kubeErrors.IsNotFound(err) { + if err != nil && !apierrors.IsNotFound(err) { return fmt.Errorf("config map get for %s failed with error: %v", c.CMCfg.Name, err) } // Now either the configmap is not there or we successfully got the configmap // Handle the case where the configmap is not found. - if err != nil && kubeErrors.IsNotFound(err) { + if err != nil && apierrors.IsNotFound(err) { // Create the configmap newCfgMap := &corev1.ConfigMap{ ObjectMeta: v1.ObjectMeta{ @@ -272,7 +273,7 @@ func (c *Client) UpgradeTypeIfRequired() error { // Check if the key for type upgrade is present. If the key is present, // then the upgrade is already performed. If not then go through the type upgrade // process. - if v, ok := cm.Data[c.TypeUpgradeCfg.CMTypeUpgradeKey]; !ok { + if v, ok := cm.Data[c.TypeUpgradeCfg.TypeUpgradeStatusKey]; !ok { klog.Infof("Upgrading the types to work with case sensitive go-client") if err := c.CRDClient.UpgradeAll(); err != nil { return fmt.Errorf("type upgrade failed. error: %+v", err) 
@@ -282,13 +283,13 @@ func (c *Client) UpgradeTypeIfRequired() error { if cm.Data == nil { cm.Data = make(map[string]string) } - cm.Data[c.TypeUpgradeCfg.CMTypeUpgradeKey] = version.MICVersion + cm.Data[c.TypeUpgradeCfg.TypeUpgradeStatusKey] = version.MICVersion _, err = c.CMClient.Update(cm) if err != nil { - return fmt.Errorf("type upgrade annotation update on %s failed. error: %+v", c.TypeUpgradeCfg.CMTypeUpgradeKey, err) + return fmt.Errorf("updating config map key for %s failed. error: %+v", c.TypeUpgradeCfg.TypeUpgradeStatusKey, err) } } else { - klog.Infof("Type upgrade status configmap found from version: %s. Proceeding without type upgrade !", v) + klog.Infof("Type upgrade status configmap found from version: %s. Skipping type upgrade!", v) } } return nil @@ -299,7 +300,7 @@ func (c *Client) Start(exit <-chan struct{}) { klog.V(6).Infof("MIC client starting..") if err := c.UpgradeTypeIfRequired(); err != nil { - klog.Fatalf("Upgrade failed with error: %v", err) + klog.Fatalf("Type upgrade failed with error: %v", err) return } @@ -522,14 +523,14 @@ func (c *Client) createDesiredAssignedIdentityList( newAssignedIDs := make(map[string]aadpodid.AzureAssignedIdentity) for _, pod := range listPods { - klog.V(6).Infof("checking pod: %s", pod.Name) + klog.V(6).Infof("Checking pod %s/%s", pod.Namespace, pod.Name) if pod.Spec.NodeName == "" { //Node is not yet allocated. In that case skip the pod klog.V(2).Infof("Pod %s/%s has no assigned node yet. it will be ignored", pod.Namespace, pod.Name) continue } crdPodLabelVal := pod.Labels[aadpodid.CRDLabelKey] - klog.V(6).Infof("Label value: %v", crdPodLabelVal) + klog.V(6).Infof("Pod: %s/%s. Label value: %v", pod.Namespace, pod.Name, crdPodLabelVal) if crdPodLabelVal == "" { //No binding mentioned in the label. Just continue to the next pod klog.V(2).Infof("Pod %s/%s has correct %s label but with no value. it will be ignored", pod.Namespace, pod.Name, aadpodid.CRDLabelKey) 
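Review bot: In `Start`, the `return` after `klog.Fatalf("Type upgrade failed with error: %v", err)` is unreachable, because `Fatalf` exits the process after logging. Drop it, or, if MIC is meant to keep running when the upgrade fails, log with `klog.Errorf` and keep the `return`. In the `UpgradeTypeIfRequired` hunk before it, the status key is written by a Get followed by `c.CMClient.Update(cm)`, which is not atomic. If more than one MIC replica reaches this code at the same time, each may run `UpgradeAll`; whether leader election has already happened at that point is not visible here. Both functions continue outside their hunks.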
@@ -537,7 +538,7 @@ func (c *Client) createDesiredAssignedIdentityList( } var matchedBindings []aadpodid.AzureIdentityBinding for _, allBinding := range *listBindings { - klog.V(6).Infof("Check the binding: %s", allBinding.Spec.Selector) + klog.V(6).Infof("Check the binding (pod - %s/%s): %s", pod.Namespace, pod.Name, allBinding.Spec.Selector) if allBinding.Spec.Selector == crdPodLabelVal { klog.V(5).Infof("Found binding match for pod %s/%s with binding %s/%s", pod.Namespace, pod.Name, allBinding.Namespace, allBinding.Name) matchedBindings = append(matchedBindings, allBinding) diff --git a/test/e2e/aadpodidentity_test.go b/test/e2e/aadpodidentity_test.go index 3ee81cd8e..015f4a58c 100644 --- a/test/e2e/aadpodidentity_test.go +++ b/test/e2e/aadpodidentity_test.go @@ -490,7 +490,7 @@ var _ = Describe("Kubernetes cluster using aad-pod-identity", func() { Expect(ok).To(Equal(true)) // Remove the configmap to ensure that the type conversion happens. - cmd := exec.Command("kubectl", "delete", "cm", "aad-pod-identity-cm", "--ignore-not-found=true") + cmd := exec.Command("kubectl", "delete", "cm", "aad-pod-identity-config", "--ignore-not-found=true") util.PrintCommand(cmd) output, err := cmd.CombinedOutput() fmt.Printf("%s", output) From 31e0422372cbc204e923a22b20056ea98a6c9d0e Mon Sep 17 00:00:00 2001 From: "Krishnakumar R(KK)" <29471693+kkmsft@users.noreply.github.com> Date: Fri, 20 Mar 2020 18:15:09 -0700 Subject: [PATCH 7/7] Quick go mod tidy --- go.sum | 1 - 1 file changed, 1 deletion(-) diff --git a/go.sum b/go.sum index 8a25958a6..d61df5b8b 100644 --- a/go.sum +++ b/go.sum 
@@ -191,7 +191,6 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=