openshift · openshift-merge-robot · Feb 26, 2019 · Dec 11, 2018 · Feb 4, 2019 · Jan 29, 2019
diff --git a/auth/auth.go b/auth/auth.go
@@ -93,9 +93,9 @@ type Config struct {
 	ClientSecret string
 	Scope        []string
 
-	// DiscoveryCA is required for OpenShift OAuth metadata discovery. This is the CA
+	// K8sCA is required for OpenShift OAuth metadata discovery. This is the CA
 	// used to talk to the master, which might be different than the issuer CA.
-	DiscoveryCA string
+	K8sCA string
 
 	SuccessURL  string
 	ErrorURL    string
@@ -140,33 +140,37 @@ func newHTTPClient(issuerCA string, includeSystemRoots bool) (*http.Client, erro
 // NewAuthenticator initializes an Authenticator struct. It blocks until the authenticator is
 // able to contact the provider.
 func NewAuthenticator(ctx context.Context, c *Config) (*Authenticator, error) {
-	a, err := newUnstartedAuthenticator(c)
-	if err != nil {
-		return nil, err
-	}
-
 	// Retry connecting to the identity provider a few times
 	backoff := time.Second * 2
-	maxSteps := 5
+	maxSteps := 7
 	steps := 0
 
 	for {
 		var (
+			a        *Authenticator
 			lm       loginMethod
 			endpoint oauth2.Endpoint
 			err      error
 		)
+
+		a, err = newUnstartedAuthenticator(c)
+		if err != nil {
+			return nil, err
+		}
+
 		switch c.AuthSource {
 		case AuthSourceOpenShift:
 			// Use the k8s CA for OAuth metadata discovery.
-			var client *http.Client
-			client, err = newHTTPClient(c.DiscoveryCA, false)
+			var k8sClient *http.Client
+			// Don't include system roots when talking to the API server.
+			k8sClient, err = newHTTPClient(c.K8sCA, false)
 			if err != nil {
 				return nil, err
 			}
 
 			endpoint, lm, err = newOpenShiftAuth(ctx, &openShiftConfig{
-				client:        client,
+				k8sClient:     k8sClient,
+				oauthClient:   a.client,
 				issuerURL:     c.IssuerURL,
 				cookiePath:    c.CookiePath,
 				secureCookies: c.SecureCookies,
@@ -183,11 +187,11 @@ func NewAuthenticator(ctx context.Context, c *Config) (*Authenticator, error) {
 		if err != nil {
 			steps++
 			if steps > maxSteps {
-				log.Errorf("error contacting openid connect provider: %v", err)
+				log.Errorf("error contacting auth provider: %v", err)
 				return nil, err
 			}
 
-			log.Errorf("error contacting openid connect provider (retrying in %s): %v", backoff, err)
+			log.Errorf("error contacting auth provider (retrying in %s): %v", backoff, err)
 
 			time.Sleep(backoff)
 			backoff *= 2

diff --git a/auth/auth_openshift.go b/auth/auth_openshift.go
@@ -23,7 +23,8 @@ type openShiftAuth struct {
 }
 
 type openShiftConfig struct {
-	client        *http.Client
+	k8sClient     *http.Client
+	oauthClient   *http.Client
 	issuerURL     string
 	cookiePath    string
 	secureCookies bool
@@ -52,7 +53,7 @@ func newOpenShiftAuth(ctx context.Context, c *openShiftConfig) (oauth2.Endpoint,
 		return oauth2.Endpoint{}, nil, err
 	}
 
-	resp, err := c.client.Do(req.WithContext(ctx))
+	resp, err := c.k8sClient.Do(req.WithContext(ctx))
 	if err != nil {
 		return oauth2.Endpoint{}, nil, err
 	}
@@ -86,6 +87,19 @@ func newOpenShiftAuth(ctx context.Context, c *openShiftConfig) (oauth2.Endpoint,
 		return oauth2.Endpoint{}, nil, err
 	}
 
+	// Make sure we can talk to the issuer endpoint.
+	req, err = http.NewRequest(http.MethodHead, metadata.Issuer, nil)
+	if err != nil {
+		return oauth2.Endpoint{}, nil, err
+	}
+
+	resp, err = c.oauthClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return oauth2.Endpoint{}, nil, fmt.Errorf("request to OAuth issuer endpoint %s failed: %v",
+			metadata.Token, err)
+	}
+	defer resp.Body.Close()
+
 	kubeAdminLogoutURL := proxy.SingleJoiningSlash(metadata.Issuer, "/logout")
 	return oauth2.Endpoint{
 		AuthURL:  metadata.Auth,

diff --git a/cmd/bridge/main.go b/cmd/bridge/main.go
@@ -143,10 +143,6 @@ func main() {
 	if branding == "origin" {
 		branding = "okd"
 	}
-	// Temporarily default okd to openshift
-	if branding == "okd" {
-		branding = "openshift"
-	}
 	switch branding {
 	case "okd":
 	case "openshift":
@@ -366,7 +362,7 @@ func main() {
 
 			// Use the k8s CA file for OpenShift OAuth metadata discovery.
 			// This might be different than IssuerCA.
-			DiscoveryCA: caCertFilePath,
+			K8sCA: caCertFilePath,
 
 			ErrorURL:   authLoginErrorEndpoint,
 			SuccessURL: authLoginSuccessEndpoint,
@@ -394,7 +390,7 @@ func main() {
 		}
 
 		if srv.Auther, err = auth.NewAuthenticator(context.Background(), oidcClientConfig); err != nil {
-			log.Fatalf("Error initializing OIDC authenticator: %v", err)
+			log.Fatalf("Error initializing authenticator: %v", err)
 		}
 	case "disabled":
 		log.Warningf("running with AUTHENTICATION DISABLED!")

diff --git a/frontend/__mocks__/k8sResourcesMocks.ts b/frontend/__mocks__/k8sResourcesMocks.ts
@@ -58,6 +58,7 @@ export const testClusterServiceVersion: ClusterServiceVersionKind = {
         'alm-owner-testapp': 'testapp.clusterserviceversions.operators.coreos.com.v1alpha1',
       },
     },
+    installModes: [],
     install: {
       strategy: 'Deployment',
       spec: {
@@ -129,6 +130,7 @@ export const localClusterServiceVersion: ClusterServiceVersionKind = {
         'alm-owner-local-testapp': 'local-testapp.clusterserviceversions.operators.coreos.com.v1alpha1',
       },
     },
+    installModes: [],
     install: {
       strategy: 'Deployment',
       spec: {
@@ -268,6 +270,7 @@ export const testPackageManifest: PackageManifestKind = {
         provider: {
           name: 'CoreOS, Inc',
         },
+        installModes: [],
       },
     }],
     defaultChannel: 'alpha',

diff --git a/frontend/__mocks__/operatorHubItemsMocks.ts b/frontend/__mocks__/operatorHubItemsMocks.ts
@@ -40,6 +40,7 @@ const amqPackageManifest = {
         provider: {
           name: 'Red Hat',
         },
+        installModes: [],
         annotations: {
           'alm-examples': '[{"apiVersion":"kafka.strimzi.io/v1alpha1","kind":"Kafka","metadata":{"name":"my-cluster"},"spec":{"kafka":{"replicas":3,"listeners":{"plain":{},"tls":{}},"config":{"offsets.topic.replication.factor":3,"transaction.state.log.replication.factor":3,"transaction.state.log.min.isr":2},"storage":{"type":"ephemeral"}},"zookeeper":{"replicas":3,"storage":{"type":"ephemeral"}},"entityOperator":{"topicOperator":{},"userOperator":{}}}}, {"apiVersion":"kafka.strimzi.io/v1alpha1","kind":"KafkaConnect","metadata":{"name":"my-connect-cluster"},"spec":{"replicas":1,"bootstrapServers":"my-cluster-kafka-bootstrap:9093","tls":{"trustedCertificates":[{"secretName":"my-cluster-cluster-ca-cert","certificate":"ca.crt"}]}}}, {"apiVersion":"kafka.strimzi.io/v1alpha1","kind":"KafkaConnectS2I","metadata":{"name":"my-connect-cluster"},"spec":{"replicas":1,"bootstrapServers":"my-cluster-kafka-bootstrap:9093","tls":{"trustedCertificates":[{"secretName":"my-cluster-cluster-ca-cert","certificate":"ca.crt"}]}}}, {"apiVersion":"kafka.strimzi.io/v1alpha1","kind":"KafkaTopic","metadata":{"name":"my-topic","labels":{"strimzi.io/cluster":"my-cluster"}},"spec":{"partitions":10,"replicas":3,"config":{"retention.ms":604800000,"segment.bytes":1073741824}}}, {"apiVersion":"kafka.strimzi.io/v1alpha1","kind":"KafkaUser","metadata":{"name":"my-user","labels":{"strimzi.io/cluster":"my-cluster"}},"spec":{"authentication":{"type":"tls"},"authorization":{"type":"simple","acls":[{"resource":{"type":"topic","name":"my-topic","patternType":"literal"},"operation":"Read","host":"*"},{"resource":{"type":"topic","name":"my-topic","patternType":"literal"},"operation":"Describe","host":"*"},{"resource":{"type":"group","name":"my-group","patternType":"literal"},"operation":"Read","host":"*"},{"resource":{"type":"topic","name":"my-topic","patternType":"literal"},"operation":"Write","host":"*"},{"resource":{"type":"topic","name":"my-topic","patternType":"literal"},"operation":"Create","host":"*"},{"resource":{"type":"topic","name":"my-topic","patternType":"literal"},"operation":"Describe","host":"*"}]}}}]',
           description: '**Red Hat AMQ Streams** is a massively scalable, distributed, and high performance data streaming platform based on the Apache Kafka project. \nAMQ Streams provides an event streaming backbone that allows microservices and other application components to exchange data with extremely high throughput and low latency.\n\n**The core capabilities include**\n* A pub/sub messaging model, similar to a traditional enterprise messaging system, in which application components publish and consume events to/from an ordered stream\n* The long term, fault-tolerant storage of events\n* The ability for a consumer to replay streams of events\n* The ability to partition topics for horizontal scalability\n\n# Before you start\n\n1. Create AMQ Streams Cluster Roles\n```\n$ oc apply -f http://amq.io/amqstreams/rbac.yaml\n```\n2. Create following bindings\n```\n$ oc adm policy add-cluster-role-to-user strimzi-cluster-operator -z strimzi-cluster-operator --namespace <namespace>\n$ oc adm policy add-cluster-role-to-user strimzi-kafka-broker -z strimzi-cluster-operator --namespace <namespace>\n```',
@@ -89,6 +90,7 @@ const etcdPackageManifest = {
         provider: {
           name: 'CoreOS, Inc',
         },
+        installModes: [],
         annotations: {
           'alm-examples': '[{"apiVersion":"etcd.database.coreos.com/v1beta2","kind":"EtcdCluster","metadata":{"name":"example","namespace":"default"},"spec":{"size":3,"version":"3.2.13"}},{"apiVersion":"etcd.database.coreos.com/v1beta2","kind":"EtcdRestore","metadata":{"name":"example-etcd-cluster"},"spec":{"etcdCluster":{"name":"example-etcd-cluster"},"backupStorageType":"S3","s3":{"path":"<full-s3-path>","awsSecret":"<aws-secret>"}}},{"apiVersion":"etcd.database.coreos.com/v1beta2","kind":"EtcdBackup","metadata":{"name":"example-etcd-cluster-backup"},"spec":{"etcdEndpoints":["<etcd-cluster-endpoints>"],"storageType":"S3","s3":{"path":"<full-s3-path>","awsSecret":"<aws-secret>"}}}]',
           'tectonic-visibility': 'ocs',
@@ -136,6 +138,7 @@ const federationv2PackageManifest = {
         provider: {
           name: 'Red Hat',
         },
+        installModes: [],
         annotations: {
           description: 'Kubernetes Federation V2 namespace-scoped installation',
           categories: '',
@@ -184,6 +187,7 @@ const prometheusPackageManifest = {
         provider: {
           name: 'Red Hat',
         },
+        installModes: [],
         annotations: {
           'alm-examples': '[{"apiVersion":"monitoring.coreos.com/v1","kind":"Prometheus","metadata":{"name":"example","labels":{"prometheus":"k8s"}},"spec":{"replicas":2,"version":"v2.3.2","serviceAccountName":"prometheus-k8s","securityContext": {}, "serviceMonitorSelector":{"matchExpressions":[{"key":"k8s-app","operator":"Exists"}]},"ruleSelector":{"matchLabels":{"role":"prometheus-rulefiles","prometheus":"k8s"}},"alerting":{"alertmanagers":[{"namespace":"monitoring","name":"alertmanager-main","port":"web"}]}}},{"apiVersion":"monitoring.coreos.com/v1","kind":"ServiceMonitor","metadata":{"name":"example","labels":{"k8s-app":"prometheus"}},"spec":{"selector":{"matchLabels":{"k8s-app":"prometheus"}},"endpoints":[{"port":"web","interval":"30s"}]}},{"apiVersion":"monitoring.coreos.com/v1","kind":"Alertmanager","metadata":{"name":"alertmanager-main"},"spec":{"replicas":3, "securityContext": {}}}]',
           description: 'The Prometheus Operator for Kubernetes provides easy monitoring definitions for Kubernetes services and deployment and management of Prometheus instances.',
@@ -230,6 +234,7 @@ const svcatPackageManifest = {
         provider: {
           name: 'Red Hat',
         },
+        installModes: [],
         annotations: {
           description: 'Service Catalog lets you provision cloud services directly from the comfort of native Kubernetes tooling.',
           categories: 'catalog',
@@ -276,6 +281,7 @@ const dummyPackageManifest = {
         provider: {
           name: 'Dummy',
         },
+        installModes: [],
         annotations: {
           description: 'Dummy is not a real operator',
           categories: 'dummy',

diff --git a/frontend/__tests__/components/modals/subscription-channel-modal.spec.tsx b/frontend/__tests__/components/modals/subscription-channel-modal.spec.tsx
@@ -37,6 +37,7 @@ describe(SubscriptionChannelModal.name, () => {
         provider: {
           name: 'CoreOS, Inc',
         },
+        installModes: [],
       },
     }, {
       name: 'nightly',
@@ -48,6 +49,7 @@ describe(SubscriptionChannelModal.name, () => {
         provider: {
           name: 'CoreOS, Inc',
         },
+        installModes: [],
       },
     }];
 

diff --git a/frontend/__tests__/components/operator-lifecycle-manager/operator-group.spec.tsx b/frontend/__tests__/components/operator-lifecycle-manager/operator-group.spec.tsx
@@ -1,10 +1,12 @@
 /* eslint-disable no-undef, no-unused-vars */
 
 import * as React from 'react';
+import * as _ from 'lodash-es';
 import { shallow } from 'enzyme';
 
-import { requireOperatorGroup, NoOperatorGroupMsg } from '../../../public/components/operator-lifecycle-manager/operator-group';
-import { testOperatorGroup } from '../../../__mocks__/k8sResourcesMocks';
+import { requireOperatorGroup, NoOperatorGroupMsg, supports, InstallModeSet, InstallModeType, installedFor } from '../../../public/components/operator-lifecycle-manager/operator-group';
+import { OperatorGroupKind, SubscriptionKind } from '../../../public/components/operator-lifecycle-manager';
+import { testOperatorGroup, testSubscription } from '../../../__mocks__/k8sResourcesMocks';
 
 describe('requireOperatorGroup', () => {
   const SomeComponent = () => <div>Requires OperatorGroup</div>;
@@ -33,3 +35,111 @@ describe('requireOperatorGroup', () => {
     expect(wrapper.find(NoOperatorGroupMsg).exists()).toBe(false);
   });
 });
+
+describe('installedFor', () => {
+  const pkgName = testSubscription.spec.name;
+  const ns = testSubscription.metadata.namespace;
+  let subscriptions: SubscriptionKind[];
+  let operatorGroups: OperatorGroupKind[];
+
+  beforeEach(() => {
+    subscriptions = [];
+    operatorGroups = [];
+  });
+
+  it('returns false if no `Subscriptions` exist for the given package', () => {
+    subscriptions = [testSubscription];
+    operatorGroups = [{...testOperatorGroup, status: {namespaces: [ns], lastUpdated: null}}];
+
+    expect(installedFor(subscriptions)(operatorGroups)('new-operator')(ns)).toBe(false);
+  });
+
+  it('returns false if no `OperatorGroups` target the given namespace', () => {
+    subscriptions = [testSubscription];
+    operatorGroups = [{...testOperatorGroup, status: {namespaces: ['prod-a', 'prod-b'], lastUpdated: null}}];
+
+    expect(installedFor(subscriptions)(operatorGroups)(pkgName)(ns)).toBe(false);
+  });
+
+  it('returns false if checking for `all-namespaces`', () => {
+    subscriptions = [testSubscription];
+    operatorGroups = [{...testOperatorGroup, status: {namespaces: [ns], lastUpdated: null}}];
+
+    expect(installedFor(subscriptions)(operatorGroups)(pkgName)('')).toBe(false);
+  });
+
+  it('returns true if `Subscription` exists in the "global" `OperatorGroup`', () => {
+    subscriptions = [testSubscription];
+    operatorGroups = [{...testOperatorGroup, status: {namespaces: [''], lastUpdated: null}}];
+
+    expect(installedFor(subscriptions)(operatorGroups)(pkgName)(ns)).toBe(true);
+  });
+
+  it('returns true if `Subscription` exists in an `OperatorGroup` that targets given namespace', () => {
+    subscriptions = [testSubscription];
+    operatorGroups = [{...testOperatorGroup, status: {namespaces: [ns], lastUpdated: null}}];
+
+    expect(installedFor(subscriptions)(operatorGroups)(pkgName)(ns)).toBe(true);
+  });
+});
+
+describe('supports', () => {
+  let set: InstallModeSet;
+  let ownNamespaceGroup: OperatorGroupKind;
+  let singleNamespaceGroup: OperatorGroupKind;
+  let multiNamespaceGroup: OperatorGroupKind;
+  let allNamespacesGroup: OperatorGroupKind;
+
+  beforeEach(() => {
+    ownNamespaceGroup = _.cloneDeep(testOperatorGroup);
+    ownNamespaceGroup.status = {namespaces: [ownNamespaceGroup.metadata.namespace], lastUpdated: null};
+    singleNamespaceGroup = _.cloneDeep(testOperatorGroup);
+    singleNamespaceGroup.status = {namespaces: ['test-ns'], lastUpdated: null};
+    multiNamespaceGroup = _.cloneDeep(testOperatorGroup);
+    multiNamespaceGroup.status = {namespaces: ['test-ns', 'default'], lastUpdated: null};
+    allNamespacesGroup = _.cloneDeep(testOperatorGroup);
+    allNamespacesGroup.status = {namespaces: [''], lastUpdated: null};
+  });
+
+  it('correctly returns for an Operator that can only run in its own namespace', () => {
+    set = [
+      {type: InstallModeType.InstallModeTypeOwnNamespace, supported: true},
+      {type: InstallModeType.InstallModeTypeSingleNamespace, supported: true},
+      {type: InstallModeType.InstallModeTypeMultiNamespace, supported: false},
+      {type: InstallModeType.InstallModeTypeAllNamespaces, supported: false},
+    ];
+
+    expect(supports(set)(ownNamespaceGroup)).toBe(true);
+    expect(supports(set)(singleNamespaceGroup)).toBe(true);
+    expect(supports(set)(multiNamespaceGroup)).toBe(false);
+    expect(supports(set)(allNamespacesGroup)).toBe(false);
+  });
+
+  it('correctly returns for an Operator which can run in several namespaces', () => {
+    set = [
+      {type: InstallModeType.InstallModeTypeOwnNamespace, supported: true},
+      {type: InstallModeType.InstallModeTypeSingleNamespace, supported: true},
+      {type: InstallModeType.InstallModeTypeMultiNamespace, supported: true},
+      {type: InstallModeType.InstallModeTypeAllNamespaces, supported: false},
+    ];
+
+    expect(supports(set)(ownNamespaceGroup)).toBe(true);
+    expect(supports(set)(singleNamespaceGroup)).toBe(true);
+    expect(supports(set)(multiNamespaceGroup)).toBe(true);
+    expect(supports(set)(allNamespacesGroup)).toBe(false);
+  });
+
+  it('correctly returns for an Operator which can only run in all namespaces', () => {
+    set = [
+      {type: InstallModeType.InstallModeTypeOwnNamespace, supported: true},
+      {type: InstallModeType.InstallModeTypeSingleNamespace, supported: false},
+      {type: InstallModeType.InstallModeTypeMultiNamespace, supported: false},
+      {type: InstallModeType.InstallModeTypeAllNamespaces, supported: true},
+    ];
+
+    expect(supports(set)(ownNamespaceGroup)).toBe(false);
+    expect(supports(set)(singleNamespaceGroup)).toBe(false);
+    expect(supports(set)(multiNamespaceGroup)).toBe(false);
+    expect(supports(set)(allNamespacesGroup)).toBe(true);
+  });
+});