GABE: stop using kubectl based client for admission plugin

Author: deads2k

pkg/build/admission/jenkinsbootstrapper/admission.go

@@ -6,20 +6,19 @@ import (
 
 	"github.com/golang/glog"
 	kapierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	kutilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/admission"
+	"k8s.io/client-go/dynamic"
 	restclient "k8s.io/client-go/rest"
-	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	coreclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
 	kadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
-	"k8s.io/kubernetes/pkg/kubectl/genericclioptions/resource"
 
 	buildapi "github.com/openshift/origin/pkg/build/apis/build"
-	jenkinscontroller "github.com/openshift/origin/pkg/build/controller/jenkins"
-	"github.com/openshift/origin/pkg/bulk"
+	jenkinscontroller "github.com/openshift/origin/pkg/build/admission/jenkinsbootstrapper/jenkins"
 	authenticationclient "github.com/openshift/origin/pkg/client/impersonatingclient"
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
 	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
@@ -39,6 +38,7 @@ type jenkinsBootstrapper struct {
 	privilegedRESTClientConfig restclient.Config
 	serviceClient              coreclient.ServicesGetter
 	templateClient             templateclient.Interface
+	restMapper                 meta.RESTMapper
 
 	jenkinsConfig configapi.JenkinsPipelineConfig
 }
@@ -47,6 +47,7 @@ var _ = oadmission.WantsJenkinsPipelineConfig(&jenkinsBootstrapper{})
 var _ = oadmission.WantsRESTClientConfig(&jenkinsBootstrapper{})
 var _ = oadmission.WantsOpenshiftInternalTemplateClient(&jenkinsBootstrapper{})
 var _ = kadmission.WantsInternalKubeClientSet(&jenkinsBootstrapper{})
+var _ = kadmission.WantsRESTMapper(&jenkinsBootstrapper{})
 
 // NewJenkinsBootstrapper returns an admission plugin that will create required jenkins resources as the user if they are needed.
 func NewJenkinsBootstrapper() admission.Interface {
@@ -99,35 +100,28 @@ func (a *jenkinsBootstrapper) Admit(attributes admission.Attributes) error {
 	}
 
 	impersonatingConfig := authenticationclient.NewImpersonatingConfig(attributes.GetUserInfo(), a.privilegedRESTClientConfig)
-
-	var bulkErr error
-
-	bulk := &bulk.Bulk{
-		Mapper: &resource.Mapper{
-			RESTMapper:   legacyscheme.Registry.RESTMapper(),
-			ObjectTyper:  legacyscheme.Scheme,
-			ClientMapper: bulk.ClientMapperFromConfig(&impersonatingConfig),
-		},
-		Op: bulk.Create,
-		After: func(info *resource.Info, err error) bool {
-			if kapierrors.IsAlreadyExists(err) {
-				return false
-			}
-			if err != nil {
-				bulkErr = err
-				return true
-			}
-			return false
-		},
+	dynamicClient, err := dynamic.NewForConfig(&impersonatingConfig)
+	if err != nil {
+		return err
 	}
-	// we're intercepting the error we care about using After
-	bulk.Run(objects, namespace)
-	if bulkErr != nil {
-		return bulkErr
+
+	for _, toCreate := range objects.Items {
+		restMapping, mappingErr := a.restMapper.RESTMapping(toCreate.GroupVersionKind().GroupKind(), toCreate.GroupVersionKind().Version)
+		if mappingErr != nil {
+			return kapierrors.NewInternalError(mappingErr)
+		}
+
+		_, createErr := dynamicClient.Resource(restMapping.Resource).Namespace(namespace).Create(&toCreate)
+		// it is safe to ignore all such errors since stopOnErr will only let these through for the default role bindings
+		if kapierrors.IsAlreadyExists(createErr) {
+			continue
+		}
+		if createErr != nil {
+			return kapierrors.NewInternalError(createErr)
+		}
 	}
 
 	glog.V(1).Infof("Jenkins Pipeline service %q created", svcName)
-
 	return nil
 
 }
@@ -159,12 +153,19 @@ func (a *jenkinsBootstrapper) SetOpenshiftInternalTemplateClient(c templateclien
 	a.templateClient = c
 }
 
+func (a *jenkinsBootstrapper) SetRESTMapper(restMapper meta.RESTMapper) {
+	a.restMapper = restMapper
+}
+
 func (a *jenkinsBootstrapper) ValidateInitialization() error {
 	if a.serviceClient == nil {
 		return fmt.Errorf("missing serviceClient")
 	}
 	if a.templateClient == nil {
 		return fmt.Errorf("missing templateClient")
 	}
+	if a.restMapper == nil {
+		return fmt.Errorf("missing restMapper")
+	}
 	return nil
 }

pkg/build/controller/jenkins/jenkins.go renamed to pkg/build/admission/jenkinsbootstrapper/jenkins/jenkins.go

@@ -5,10 +5,10 @@ import (
 
 	"github.com/golang/glog"
 	"github.com/openshift/origin/pkg/template/templateprocessing"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 
 	kerrs "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	kapi "k8s.io/kubernetes/pkg/apis/core"
@@ -38,7 +38,7 @@ func NewPipelineTemplate(ns string, conf serverapi.JenkinsPipelineConfig, templa
 }
 
 // Process processes the Jenkins template. If an error occurs
-func (t *PipelineTemplate) Process() (*kapi.List, []error) {
+func (t *PipelineTemplate) Process() (*unstructured.UnstructuredList, []error) {
 	var errors []error
 	jenkinsTemplate, err := t.templateClient.Template().Templates(t.Config.TemplateNamespace).Get(t.Config.TemplateName, metav1.GetOptions{})
 	if err != nil {
@@ -56,41 +56,37 @@ func (t *PipelineTemplate) Process() (*kapi.List, []error) {
 		errors = append(errors, fmt.Errorf("processing Jenkins template %s/%s failed: %v", t.Config.TemplateNamespace, t.Config.TemplateName, err))
 		return nil, errors
 	}
-	var items []runtime.Object
-	for _, obj := range pTemplate.Objects {
-		if unknownObj, ok := obj.(*runtime.Unknown); ok {
-			decodedObj, err := runtime.Decode(legacyscheme.Codecs.UniversalDecoder(), unknownObj.Raw)
-			if err != nil {
-				errors = append(errors, err)
-			}
-			items = append(items, decodedObj)
-		}
+
+	objectsToCreate := &kapi.List{}
+	for i := range pTemplate.Objects {
+		// use .Objects[i] in append to avoid range memory address reuse
+		objectsToCreate.Items = append(objectsToCreate.Items, pTemplate.Objects[i])
+	}
+
+	// TODO, stop doing this crazy thing, but for now it's a very simple way to get the unstructured objects we need
+	jsonBytes, err := runtime.Encode(legacyscheme.Codecs.LegacyCodec(legacyscheme.Scheme.PrioritizedVersionsAllGroups()...), objectsToCreate)
+	if err != nil {
+		errors = append(errors, err)
+		return nil, errors
 	}
+	uncastList, err := runtime.Decode(unstructured.UnstructuredJSONScheme, jsonBytes)
+	if err != nil {
+		errors = append(errors, err)
+		return nil, errors
+	}
+
 	glog.V(4).Infof("Processed Jenkins pipeline jenkinsTemplate %s/%s", pTemplate.Namespace, pTemplate.Namespace)
-	return &kapi.List{ListMeta: metav1.ListMeta{}, Items: items}, errors
+	return uncastList.(*unstructured.UnstructuredList), errors
 }
 
 // HasJenkinsService searches the template items and return true if the expected
 // Jenkins service is contained in template.
-func (t *PipelineTemplate) HasJenkinsService(items *kapi.List) bool {
-	accessor := meta.NewAccessor()
+func (t *PipelineTemplate) HasJenkinsService(items *unstructured.UnstructuredList) bool {
 	for _, item := range items.Items {
-		kinds, _, err := legacyscheme.Scheme.ObjectKinds(item)
-		if err != nil {
-			glog.Infof("Error checking Jenkins service kind: %v", err)
-			return false
-		}
-		name, err := accessor.Name(item)
-		if err != nil {
-			glog.Infof("Error checking Jenkins service name: %v", err)
-			return false
-		}
-		glog.Infof("Jenkins Pipeline template object %q with name %q", name, kinds[0].Kind)
+		glog.Infof("Jenkins Pipeline template object %q with name %q", item.GetName(), item.GetObjectKind().GroupVersionKind())
 
-		for _, kind := range kinds {
-			if name == t.Config.ServiceName && kind.GroupKind() == kapi.Kind("Service") {
-				return true
-			}
+		if item.GetName() == t.Config.ServiceName && item.GetObjectKind().GroupVersionKind().GroupKind() == kapi.Kind("Service") {
+			return true
 		}
 	}
 	return false

pkg/build/controller/jenkins/jenkins_test.go renamed to pkg/build/admission/jenkinsbootstrapper/jenkins/jenkins_test.go

@@ -58,6 +58,7 @@ var recommendedCreatableResources = map[schema.GroupResource]bool{
 }
 var _ = oadmission.WantsProjectCache(&lifecycle{})
 var _ = kadmission.WantsInternalKubeClientSet(&lifecycle{})
+var _ = kadmission.WantsRESTMapper(&lifecycle{})
 
 // Admit enforces that a namespace must have the openshift finalizer associated with it in order to create origin API objects within it
 func (e *lifecycle) Admit(a admission.Attributes) (err error) {