@@ -501,7 +501,19 @@ function install_router {

 	echo "[INFO] Installing the router"

 	echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"router"}}' | oc create -f - --config="${ADMIN_KUBECONFIG}"

 	oc get scc privileged -o json --config="${ADMIN_KUBECONFIG}" | sed '/\"users\"/a \"system:serviceaccount:default:router\",' | oc replace scc privileged -f - --config="${ADMIN_KUBECONFIG}"

-	openshift admin router --create --credentials="${MASTER_CONFIG_DIR}/openshift-router.kubeconfig" --config="${ADMIN_KUBECONFIG}" --images="${USE_IMAGES}" --service-account=router

+        # Create a TLS certificate for the router

+        if [[ -n "${CREATE_ROUTER_CERT-}" ]]; then

+            echo "[INFO] Generating router TLS certificate"

+            oadm ca create-server-cert --signer-cert=${MASTER_CONFIG_DIR}/ca.crt \

+                 --signer-key=${MASTER_CONFIG_DIR}/ca.key \

+                 --signer-serial=${MASTER_CONFIG_DIR}/ca.serial.txt \

+                 --hostnames="*.${API_HOST}.xip.io" \

+                 --cert=${MASTER_CONFIG_DIR}/router.crt --key=${MASTER_CONFIG_DIR}/router.key

+            cat ${MASTER_CONFIG_DIR}/router.crt ${MASTER_CONFIG_DIR}/router.key \

+                ${MASTER_CONFIG_DIR}/ca.crt > ${MASTER_CONFIG_DIR}/router.pem

+            ROUTER_DEFAULT_CERT="--default-cert=${MASTER_CONFIG_DIR}/router.pem"

+        fi

+        openshift admin router --create --credentials="${MASTER_CONFIG_DIR}/openshift-router.kubeconfig" --config="${ADMIN_KUBECONFIG}" --images="${USE_IMAGES}" --service-account=router ${ROUTER_DEFAULT_CERT-}

 }

 # install registry for the extended tests

new file mode 100644

@@ -0,0 +1,95 @@

+package builds

+

+import (

+	"fmt"

+	"net"

+	"net/url"

+	"path/filepath"

+

+	g "github.com/onsi/ginkgo"

+	o "github.com/onsi/gomega"

+

+	exutil "github.com/openshift/origin/test/extended/util"

+	testutil "github.com/openshift/origin/test/util"

+)

+

+// hostname returns the hostname from a hostport specification

+func hostname(hostport string) (string, error) {

+	host, _, err := net.SplitHostPort(hostport)

+	return host, err

+}

+

+var _ = g.Describe("builds: parallel: gitauth: Check build for private source repository access", func() {

+	defer g.GinkgoRecover()

+

+	const (

+		gitServerDeploymentConfigName = "gitserver"

+		sourceSecretName              = "sourcesecret"

+		hostNameSuffix                = "xip.io"

+		gitUserName                   = "gituser"

+		gitPassword                   = "gituserpassword"

+		buildConfigName               = "gitauthtest"

+		sourceURLTemplate             = "https://gitserver.%s/ruby-hello-world"

+	)

+

+	var (

+		gitServerFixture = exutil.FixturePath("fixtures", "test-gitserver.yaml")

+		testBuildFixture = exutil.FixturePath("fixtures", "test-auth-build.yaml")

+		oc               = exutil.NewCLI("build-sti-env", exutil.KubeConfigPath())

+		caCertPath       = filepath.Join(filepath.Dir(exutil.KubeConfigPath()), "ca.crt")

+	)

+

+	g.JustBeforeEach(func() {

+		g.By("waiting for builder service account")

+		err := exutil.WaitForBuilderAccount(oc.KubeREST().ServiceAccounts(oc.Namespace()))

+		o.Expect(err).NotTo(o.HaveOccurred())

+	})

+

+	g.Describe("Build using a username, password, and CA certificate", func() {

+		g.It("should create a new build using the internal gitserver", func() {

+			oc.SetOutputDir(exutil.TestContext.OutputDir)

+

+			g.By("obtaining the configured API server host from config")

+			adminClientConfig, err := testutil.GetClusterAdminClientConfig(exutil.KubeConfigPath())

+			o.Expect(err).NotTo(o.HaveOccurred())

+			hostURL, err := url.Parse(adminClientConfig.Host)

+			o.Expect(err).NotTo(o.HaveOccurred())

+			host, err := hostname(hostURL.Host)

+			o.Expect(err).NotTo(o.HaveOccurred())

+			routeSuffix := fmt.Sprintf("%s.%s", host, hostNameSuffix)

+

+			g.By(fmt.Sprintf("calling oc new-app -f %q -p ROUTE_SUFFIX=%s", gitServerFixture, routeSuffix))

+			err = oc.Run("new-app").Args("-f", gitServerFixture, "-p", fmt.Sprintf("ROUTE_SUFFIX=%s", routeSuffix)).Execute()

+			o.Expect(err).NotTo(o.HaveOccurred())

+

+			g.By("expecting the deployment of the gitserver to be in the Complete phase")

+			err = exutil.WaitForADeployment(oc.KubeREST().ReplicationControllers(oc.Namespace()), gitServerDeploymentConfigName,

+				exutil.CheckDeploymentCompletedFunc, exutil.CheckDeploymentFailedFunc)

+			o.Expect(err).NotTo(o.HaveOccurred())

+

+			g.By(fmt.Sprintf("creating a new secret for the gitserver by calling oc secrets new-basicauth %s --username=%s --password=%s --cacert=%s",

+				sourceSecretName, gitUserName, gitPassword, caCertPath))

+			err = oc.Run("secrets").

+				Args("new-basicauth", sourceSecretName,

+				fmt.Sprintf("--username=%s", gitUserName),

+				fmt.Sprintf("--password=%s", gitPassword),

+				fmt.Sprintf("--ca-cert=%s", caCertPath)).Execute()

+			o.Expect(err).NotTo(o.HaveOccurred())

+

+			sourceURL := fmt.Sprintf(sourceURLTemplate, routeSuffix)

+			g.By(fmt.Sprintf("creating a new BuildConfig by calling oc new-app -f %q -p SOURCE_SECRET=%s,SOURCE_URL=%s",

+				testBuildFixture, sourceSecretName, sourceURL))

+			err = oc.Run("new-app").Args("-f", testBuildFixture, "-p", fmt.Sprintf("SOURCE_SECRET=%s,SOURCE_URL=%s",

+				sourceSecretName, sourceURL)).Execute()

+			o.Expect(err).NotTo(o.HaveOccurred())

+

+			g.By("starting a test build")

+			buildName, err := oc.Run("start-build").Args(buildConfigName).Output()

+			o.Expect(err).NotTo(o.HaveOccurred())

+

+			g.By(fmt.Sprintf("expecting build %s to complete successfully", buildName))

+			err = exutil.WaitForABuild(oc.REST().Builds(oc.Namespace()), buildName, exutil.CheckBuildSuccessFunc, exutil.CheckBuildFailedFunc)

+			o.Expect(err).NotTo(o.HaveOccurred())

+		})

+	})

+})

@@ -82,11 +82,18 @@ if [[ -z ${TEST_ONLY+x} ]]; then

   trap "exit" INT TERM

   trap "cleanup" EXIT

-

   echo "[INFO] Starting server"

   setup_env_vars

   reset_tmp_dir

+  # when selinux is enforcing, the volume dir selinux label needs to be

+  # svirt_sandbox_file_t

+  #

+  # TODO: fix the selinux policy to either allow openshift_var_lib_dir_t

+  # or to default the volume dir to svirt_sandbox_file_t.

+  if selinuxenabled; then

+         sudo chcon -t svirt_sandbox_file_t ${VOLUME_DIR}

+  fi

   configure_os_server

   start_os_server

@@ -94,6 +101,7 @@ if [[ -z ${TEST_ONLY+x} ]]; then

   install_registry

   wait_for_registry

+  CREATE_ROUTER_CERT=1 install_router

   echo "[INFO] Creating image streams"

   oc create -n openshift -f examples/image-streams/image-streams-centos7.json --config="${ADMIN_KUBECONFIG}"

new file mode 100644

@@ -0,0 +1,30 @@

+apiVersion: v1

+kind: Template

+labels:

+  template: gitserver

+metadata:

+  name: gitserver

+parameters:

+- name: SOURCE_URL

+  required: true

+- name: SOURCE_SECRET

+  required: true

+objects:

+- apiVersion: v1

+  kind: BuildConfig

+  metadata:

+    name: gitauthtest

+  spec:

+    source:

+      git:

+        uri: ${SOURCE_URL}

+      type: Git

+      sourceSecret:

+        name: ${SOURCE_SECRET}

+    strategy:

+      sourceStrategy:

+        from:

+          kind: ImageStreamTag

+          name: ruby:latest

+          namespace: openshift

+      type: Source

new file mode 100644

@@ -0,0 +1,183 @@

+apiVersion: v1

+kind: Template

+labels:

+  template: gitserver

+metadata:

+  name: gitserver

+parameters:

+- name: ROUTE_SUFFIX

+  required: true

+objects:

+# The gitserver is deployed as a singleton pod and uses a very small amount

+# of resources. It can host or transiently serve Git repositories, as well

+# as automatically integrate with builds in a namespace.

+- apiVersion: v1

+  kind: DeploymentConfig

+  metadata:

+    name: gitserver

+    labels:

+      app: gitserver

+  spec:

+    replicas: 1 # the gitserver is not HA and should not be scaled past 1

+    selector:

+      run-container: gitserver

+    template:

+      metadata:

+        labels:

+          run-container: gitserver

+      spec:

+        containers:

+        - name: gitserver

+          image: openshift/origin-gitserver

+          serviceAccountName: gitserver

+          readinessProbe:

+            tcpSocket:

+              port: 8080

+          ports:

+          - containerPort: 8080

+

+          env:

+          # Each environment variable matching GIT_INITIAL_CLONE_* will

+          # be cloned when the process starts; failures will be logged.

+          # <name> must be [A-Z0-9_\-\.], the cloned directory name will

+          # be lowercased. If the name is invalid the pod will halt. If

+          # the repository already exists on disk, it will be updated

+          # from the remote.

+          #

+          - name: GIT_INITIAL_CLONE_1

+            value: https://github.com/openshift/ruby-hello-world.git;ruby-hello-world

+

+

+          # The namespace of the pod is required for implicit config

+          # (passing '-' to AUTOLINK_KUBECONFIG or REQUIRE_SERVER_AUTH)

+          # and can also be used to target a specific namespace.

+          - name: POD_NAMESPACE

+            valueFrom:

+              fieldRef:

+                fieldPath: metadata.namespace

+

+          # The URL that builds must use to access the Git repositories

+          # stored in this app.

+          # TOOD: support HTTPS

+          - name: PUBLIC_URL

+            value: http://gitserver.$(POD_NAMESPACE).svc.cluster.local:8080

+          # The directory to store Git repositories in. If not backed

+          # by a persistent volume, repositories will be lost when

+          # deployments occur. Use INITIAL_GIT_CLONE and AUTOLINK_*

+          # to remove the need to use a persistent volume.

+          - name: GIT_HOME

+            value: /var/lib/git

+          # The directory to use as the default hook directory for any

+          # cloned or autolinked directories.

+          - name: HOOK_PATH

+            value: /var/lib/git-hooks

+

+          # Authentication and authorization

+

+          # If 'yes', clients may push to the server with git push.

+          - name: ALLOW_GIT_PUSH

+            value: "yes"

+          # If 'yes', clients may set hooks via the API. However, unless

+          # the Git home is backed by a persistent volume, any deployment

+          # will result in the hooks being lost.

+          - name: ALLOW_GIT_HOOKS

+            value: "yes"

+          # If 'yes', clients can create new git repositories on demand

+          # by pushing. If the data on disk is not backed by a persistent

+          # volume, the Git repo will be deleted if the deployment is

+          # updated.

+          - name: ALLOW_LAZY_CREATE

+            value: "yes"

+          # If 'yes', clients can pull without being authenticated.

+          - name: ALLOW_ANON_GIT_PULL

+

+          # Provides the path to a kubeconfig file in the image that

+          # should be used to authorize against the server. The value

+          # '-' will use the pod's service account.

+          # May not be used in combination with REQUIRE_GIT_AUTH

+          #- name: REQUIRE_SERVER_AUTH

+          #  value: "-"

+          

+          # The namespace to check authorization against when

+          # REQUIRE_SERVICE_AUTH is used. Users must have 'get' on

+          # 'pods' to pull and 'create' on 'pods' to push.

+          - name: AUTH_NAMESPACE

+            value: $(POD_NAMESPACE)

+          # Require BASIC authentication with a username and password

+          # to push or pull.

+          # May not be used in combination with REQUIRE_SERVER_AUTH

+          - name: REQUIRE_GIT_AUTH

+            value: gituser:gituserpassword

+

+          # Autolinking:

+          #

+          # The gitserver can automatically clone Git repositories

+          # associated with a build config and replace the URL with

+          # a link to the repo on PUBLIC_URL. The default post-receive

+          # hook on the cloned repo will then trigger a build. You

+          # may customize the hook with AUTOLINK_HOOK (path to hook).

+          # To autolink, the account the pod runs under must have 'edit'

+          # on the AUTOLINK_NAMESPACE:

+          #

+          #    oc policy add-role-to-user \

+          #      system:serviceaccount:${namespace}:gitserver edit

+          #

+          # Links are checked every time the pod starts.

+

+          # The location to read auth configuration from for autolinking.

+          # If '-', use the service account token to link. The account

+          # represented by this config must have the edit role on the

+          # namespace.

+          #- name: AUTOLINK_KUBECONFIG

+          #  value: "-"

+

+          # The namespace to autolink

+          #- name: AUTOLINK_NAMESPACE

+          #  value: $(POD_NAMESPACE)

+

+          # The path to a script in the image to use as the default

+          # post-receive hook - only set during link, so has no effect

+          # on cloned repositories. See the "hooks" directory in the

+          # image for examples.

+          #- name: AUTOLINK_HOOK

+

+          # The master service host is not signed with the service IP

+          # so we override with the consistent DNS name. Required for

+          # connections to the server.

+          - name: KUBERNETES_SERVICE_HOST

+            value: kubernetes.default

+

+          volumeMounts:

+          - mountPath: /var/lib/git/

+            name: git

+        volumes:

+        - name: git

+    triggers:

+    - type: ConfigChange

+

+# The gitserver service is required for DNS resolution

+- apiVersion: v1

+  kind: Service

+  metadata:

+    name: gitserver

+    labels:

+      app: gitserver

+  spec:

+    ports:

+    - port: 8080

+      targetPort: 8080

+    selector:

+      run-container: gitserver

+- apiVersion: v1

+  kind: Route

+  metadata:

+    name: gitserver

+    labels:

+      app: gitserver

+  spec:

+    host: gitserver.${ROUTE_SUFFIX}

+    tls:

+      termination: edge

+    to:

+      kind: Service

+      name: gitserver