From 00ea18e1fd612d0c72b952e746932e6f16eeab90 Mon Sep 17 00:00:00 2001
From: Jim Minter
Date: Mon, 31 Jul 2017 18:12:42 -0500
Subject: [PATCH] create template-service-broker SA during API server startup
---
 pkg/openservicebroker/server/apiserver.go | 41 ++++++++++++++++++++---
 1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/pkg/openservicebroker/server/apiserver.go b/pkg/openservicebroker/server/apiserver.go
index 0ff063974fc5..6694ed5ef0a8 100644
--- a/pkg/openservicebroker/server/apiserver.go
+++ b/pkg/openservicebroker/server/apiserver.go
@@ -1,15 +1,27 @@
 package server
 import (
+ "fmt"
+ "time"
+
+ kapierrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+ "k8s.io/apimachinery/pkg/util/wait"
+ genericapiserver "k8s.io/apiserver/pkg/server"
+ "k8s.io/kubernetes/pkg/api"
 kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 "github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 templateapi "github.com/openshift/origin/pkg/template/apis/template"
 templateinformer "github.com/openshift/origin/pkg/template/generated/informers/internalversion"
 templateservicebroker "github.com/openshift/origin/pkg/template/servicebroker"
- genericapiserver "k8s.io/apiserver/pkg/server"
 )
+// TODO: this file breaks the layering of pkg/openservicebroker and
+// pkg/template/servicebroker; assuming that the latter will move out of origin
+// in 3.7, will leave as is for now.
+
 type TemplateServiceBrokerConfig struct {
 GenericConfig *genericapiserver.Config
@@ -62,9 +74,30 @@ func (c completedTemplateServiceBrokerConfig) New(delegationTarget genericapiser
 // TODO, when/if the TSB becomes a separate entity, this should stop creating the SA and instead die if it cannot find it
 s.GenericAPIServer.AddPostStartHook("template-service-broker-ensure-service-account", func(context genericapiserver.PostStartHookContext) error {
- // TODO jim-minter - this is the spot to create the namespace if needed and create the SA if needed.
- // be tolerant of failures and retry a few times.
- return nil
+ kc, err := kclientsetinternal.NewForConfig(context.LoopbackClientConfig)
+ if err != nil {
+ utilruntime.HandleError(fmt.Errorf("template service broker: failed to get client: %v", err))
+ return err
+ }
+
+ err = wait.PollImmediate(time.Second, 30*time.Second, func() (done bool, err error) {
+ kc.Namespaces().Create(&api.Namespace{ObjectMeta: metav1.ObjectMeta{Name: bootstrappolicy.DefaultOpenShiftInfraNamespace}})
+
+ _, err = kc.ServiceAccounts(bootstrappolicy.DefaultOpenShiftInfraNamespace).Create(&api.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: bootstrappolicy.InfraTemplateServiceBrokerServiceAccountName}})
+ switch {
+ case err == nil || kapierrors.IsAlreadyExists(err):
+ done, err = true, nil
+ case kapierrors.IsNotFound(err):
+ err = nil
+ }
+
+ return
+ })
+
+ if err != nil {
+ utilruntime.HandleError(fmt.Errorf("creation of template-service-broker SA failed: %v", err))
+ }
+ return err
 })
 return s, nil
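Review bot: The result of `kc.Namespaces().Create(...)` inside the poll function is discarded, so a failure other than AlreadyExists (Forbidden, for example) is never reported and only shows up indirectly as a NotFound on the ServiceAccount create. In the `switch`, any ServiceAccount error other than AlreadyExists or NotFound is returned from the condition function, which makes `wait.PollImmediate` stop at once rather than retry, contrary to the removed TODO's "be tolerant of failures and retry a few times". The hook then returns that error, and if the generic API server treats a failed post-start hook as fatal, as I believe it does, one transient error during startup takes the process down. I would check both create calls explicitly, log the cause, and treat every non-AlreadyExists error as retryable within the 30-second bound, which also removes the named results and naked `return`. The enclosing `New` method starts and ends outside this hunk.

```go
err = wait.PollImmediate(time.Second, 30*time.Second, func() (bool, error) {
	_, err := kc.Namespaces().Create(&api.Namespace{ObjectMeta: metav1.ObjectMeta{Name: bootstrappolicy.DefaultOpenShiftInfraNamespace}})
	if err != nil && !kapierrors.IsAlreadyExists(err) {
		utilruntime.HandleError(fmt.Errorf("template service broker: creating namespace: %v", err))
		return false, nil // retry until the 30s poll budget is spent
	}

	_, err = kc.ServiceAccounts(bootstrappolicy.DefaultOpenShiftInfraNamespace).Create(&api.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: bootstrappolicy.InfraTemplateServiceBrokerServiceAccountName}})
	if err != nil && !kapierrors.IsAlreadyExists(err) {
		utilruntime.HandleError(fmt.Errorf("template service broker: creating service account: %v", err))
		return false, nil
	}
	return true, nil
})
// … unchanged: HandleError on poll failure, return err …
```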