@@ -20,8 +20,11 @@ const (

 Start an F5 route synchronizer

 This command launches a process that will synchronize an F5 to the route configuration of your master.

-You may restrict the set of routes the F5 will expose by using the --labels, --fields, or --namespace

-arguments.`

+

+You may restrict the set of routes exposed to a single project (with --namespace), projects your client has

+access to with a set of labels (--project-labels), namespaces matching a label (--namespace-labels), or all

+namespaces (no argument). You can limit the routes to those matching a --labels or --fields selector. Note

+that you must have a cluster-wide administrative role to view all namespaces.`

 )

 // F5RouterOptions represent the complete structure needed to start an F5 router

@@ -10,30 +10,38 @@ import (

 	kclient "k8s.io/kubernetes/pkg/client"

 	"k8s.io/kubernetes/pkg/fields"

 	"k8s.io/kubernetes/pkg/labels"

+	"k8s.io/kubernetes/pkg/util"

 	oclient "github.com/openshift/origin/pkg/client"

-	"github.com/openshift/origin/pkg/cmd/util"

+	cmdutil "github.com/openshift/origin/pkg/cmd/util"

 	controllerfactory "github.com/openshift/origin/pkg/router/controller/factory"

 )

 // RouterSelection controls what routes and resources on the server are considered

 // part of this router.

 type RouterSelection struct {

+	ResyncInterval time.Duration

+

 	LabelSelector string

 	Labels        labels.Selector

 	FieldSelector string

 	Fields        fields.Selector

-	Namespace string

+	Namespace              string

+	NamespaceLabelSelector string

+	NamespaceLabels        labels.Selector

-	ResyncInterval time.Duration

+	ProjectLabelSelector string

+	ProjectLabels        labels.Selector

 }

 // Bind sets the appropriate labels

 func (o *RouterSelection) Bind(flag *pflag.FlagSet) {

-	flag.StringVar(&o.LabelSelector, "labels", util.Env("ROUTE_LABELS", ""), "A label selector to apply to the routes to watch")

-	flag.StringVar(&o.FieldSelector, "fields", util.Env("ROUTE_FIELDS", ""), "A field selector to apply to routes to watch")

 	flag.DurationVar(&o.ResyncInterval, "resync-interval", 10*time.Minute, "The interval at which the route list should be fully refreshed")

+	flag.StringVar(&o.LabelSelector, "labels", cmdutil.Env("ROUTE_LABELS", ""), "A label selector to apply to the routes to watch")

+	flag.StringVar(&o.FieldSelector, "fields", cmdutil.Env("ROUTE_FIELDS", ""), "A field selector to apply to routes to watch")

+	flag.StringVar(&o.ProjectLabelSelector, "project-labels", cmdutil.Env("PROJECT_LABELS", ""), "A label selector to apply to projects to watch; if '*' watches all projects the client can access")

+	flag.StringVar(&o.NamespaceLabelSelector, "namespace-labels", cmdutil.Env("NAMESPACE_LABELS", ""), "A label selector to apply to namespaces to watch")

 }

 // Complete converts string representations of field and label selectors to their parsed equivalent, or

@@ -58,6 +66,36 @@ func (o *RouterSelection) Complete() error {

 	} else {

 		o.Fields = fields.Everything()

 	}

+

+	if len(o.ProjectLabelSelector) > 0 {

+		if len(o.Namespace) > 0 {

+			return fmt.Errorf("only one of --project-labels and --namespace may be used")

+		}

+		if len(o.NamespaceLabelSelector) > 0 {

+			return fmt.Errorf("only one of --namespace-labels and --project-labels may be used")

+		}

+

+		if o.ProjectLabelSelector == "*" {

+			o.ProjectLabels = labels.Everything()

+		} else {

+			s, err := labels.Parse(o.ProjectLabelSelector)

+			if err != nil {

+				return fmt.Errorf("--project-labels selector is not valid: %v", err)

+			}

+			o.ProjectLabels = s

+		}

+	}

+

+	if len(o.NamespaceLabelSelector) > 0 {

+		if len(o.Namespace) > 0 {

+			return fmt.Errorf("only one of --namespace-labels and --namespace may be used")

+		}

+		s, err := labels.Parse(o.NamespaceLabelSelector)

+		if err != nil {

+			return fmt.Errorf("--namespace-labels selector is not valid: %v", err)

+		}

+		o.NamespaceLabels = s

+	}

 	return nil

 }

@@ -68,8 +106,53 @@ func (o *RouterSelection) NewFactory(oc oclient.Interface, kc kclient.Interface)

 	factory.Fields = o.Fields

 	factory.Namespace = o.Namespace

 	factory.ResyncInterval = o.ResyncInterval

-	if len(factory.Namespace) > 0 {

+	switch {

+	case o.NamespaceLabels != nil:

+		glog.Infof("Router is only using routes in namespaces matching %s", o.NamespaceLabels)

+		factory.Namespaces = namespaceNames{kc.Namespaces(), o.NamespaceLabels}

+	case o.ProjectLabels != nil:

+		glog.Infof("Router is only using routes in projects matching %s", o.ProjectLabels)

+		factory.Namespaces = projectNames{oc.Projects(), o.ProjectLabels}

+	case len(factory.Namespace) > 0:

 		glog.Infof("Router is only using resources in namespace %s", factory.Namespace)

+	default:

+		glog.Infof("Router is including routes in all namespaces")

 	}

 	return factory

 }

+

+// projectNames returns the names of projects matching the label selector

+type projectNames struct {

+	client   oclient.ProjectInterface

+	selector labels.Selector

+}

+

+func (n projectNames) NamespaceNames() (util.StringSet, error) {

+	all, err := n.client.List(n.selector, fields.Everything())

+	if err != nil {

+		return nil, err

+	}

+	names := make(util.StringSet, len(all.Items))

+	for i := range all.Items {

+		names.Insert(all.Items[i].Name)

+	}

+	return names, nil

+}

+

+// namespaceNames returns the names of namespaces matching the label selector

+type namespaceNames struct {

+	client   kclient.NamespaceInterface

+	selector labels.Selector

+}

+

+func (n namespaceNames) NamespaceNames() (util.StringSet, error) {

+	all, err := n.client.List(n.selector, fields.Everything())

+	if err != nil {

+		return nil, err

+	}

+	names := make(util.StringSet, len(all.Items))

+	for i := range all.Items {

+		names.Insert(all.Items[i].Name)

+	}

+	return names, nil

+}

@@ -27,7 +27,10 @@ created by users and keeps a local router configuration up to date with those ch

 You may customize the router by providing your own --template and --reload scripts.

-You may restrict the set of routes exposed by using the --labels, --fields, or --namespace arguments.`

+You may restrict the set of routes exposed to a single project (with --namespace), projects your client has

+access to with a set of labels (--project-labels), namespaces matching a label (--namespace-labels), or all

+namespaces (no argument). You can limit the routes to those matching a --labels or --fields selector. Note

+that you must have a cluster-wide administrative role to view all namespaces.`

 )

 type TemplateRouterOptions struct {

@@ -116,7 +119,6 @@ func (o *TemplateRouterOptions) Complete() error {

 		}

 		o.StatsPort = statsPort

 	}

-

 	return o.RouterSelection.Complete()

 }

@@ -101,6 +101,7 @@ func (cfg *Config) bindEnv() error {

 		if err != nil {

 			return err

 		}

+

 		if !cfg.MasterAddr.Provided {

 			cfg.MasterAddr.Set(cfg.CommonConfig.Host)

 		}

@@ -9,6 +9,8 @@ import (

 	kclient "k8s.io/kubernetes/pkg/client"

 	"k8s.io/kubernetes/pkg/fields"

 	"k8s.io/kubernetes/pkg/labels"

+	"k8s.io/kubernetes/pkg/registry/generic"

+	nsregistry "k8s.io/kubernetes/pkg/registry/namespace"

 	"k8s.io/kubernetes/pkg/runtime"

 	"github.com/openshift/origin/pkg/project/api"

@@ -98,7 +100,12 @@ func (s *REST) List(ctx kapi.Context, label labels.Selector, field fields.Select

 	if err != nil {

 		return nil, err

 	}

-	return convertNamespaceList(namespaceList), nil

+	m := nsregistry.MatchNamespace(label, field)

+	list, err := generic.FilterList(namespaceList, m, nil)

+	if err != nil {

+		return nil, err

+	}

+	return convertNamespaceList(list.(*kapi.NamespaceList)), nil

 }

 // Get retrieves a Project by name

@@ -3,6 +3,7 @@ package controller

 import (

 	"fmt"

 	"sync"

+	"time"

 	"github.com/golang/glog"

 	kapi "k8s.io/kubernetes/pkg/api"

@@ -13,22 +14,56 @@ import (

 	"github.com/openshift/origin/pkg/router"

 )

+// NamespaceLister returns all the names that should be watched by the client

+type NamespaceLister interface {

+	NamespaceNames() (util.StringSet, error)

+}

+

 // RouterController abstracts the details of watching the Route and Endpoints

 // resources from the Plugin implementation being used.

 type RouterController struct {

-	lock          sync.Mutex

+	lock sync.Mutex

+

 	Plugin        router.Plugin

 	NextRoute     func() (watch.EventType, *routeapi.Route, error)

 	NextEndpoints func() (watch.EventType, *kapi.Endpoints, error)

+

+	Namespaces            NamespaceLister

+	NamespaceSyncInterval time.Duration

+	NamespaceWaitInterval time.Duration

+	NamespaceRetries      int

 }

 // Run begins watching and syncing.

 func (c *RouterController) Run() {

 	glog.V(4).Info("Running router controller")

+	if c.Namespaces != nil {

+		c.HandleNamespaces()

+		go util.Forever(c.HandleNamespaces, c.NamespaceSyncInterval)

+	}

 	go util.Forever(c.HandleRoute, 0)

 	go util.Forever(c.HandleEndpoints, 0)

 }

+func (c *RouterController) HandleNamespaces() {

+	for i := 0; i < c.NamespaceRetries; i++ {

+		namespaces, err := c.Namespaces.NamespaceNames()

+		if err == nil {

+			c.lock.Lock()

+			defer c.lock.Unlock()

+

+			glog.V(4).Infof("Updating watched namespaces: %v", namespaces)

+			if err := c.Plugin.HandleNamespaces(namespaces); err != nil {

+				util.HandleError(err)

+			}

+			return

+		}

+		util.HandleError(fmt.Errorf("unable to find namespaces for router: %v", err))

+		time.Sleep(c.NamespaceWaitInterval)

+	}

+	glog.V(4).Infof("Unable to update list of namespaces")

+}

+

 // HandleRoute handles a single Route event and synchronizes the router backend.

 func (c *RouterController) HandleRoute() {

 	eventType, route, err := c.NextRoute()

@@ -26,6 +26,7 @@ import (

 type RouterControllerFactory struct {

 	KClient        kclient.EndpointsNamespacer

 	OSClient       osclient.RoutesNamespacer

+	Namespaces     controller.NamespaceLister

 	ResyncInterval time.Duration

 	Namespace      string

 	Labels         labels.Selector

@@ -79,6 +80,13 @@ func (factory *RouterControllerFactory) Create(plugin router.Plugin) *controller

 			}

 			return eventType, obj.(*routeapi.Route), nil

 		},

+		Namespaces: factory.Namespaces,

+		// check namespaces a bit more often than we resync events, so that we aren't always waiting

+		// the maximum interval for new items to come into the list

+		// TODO: trigger a reflector resync after every namespace sync?

+		NamespaceSyncInterval: factory.ResyncInterval - 10*time.Second,

+		NamespaceWaitInterval: 10 * time.Second,

+		NamespaceRetries:      5,

 	}

 }

@@ -2,6 +2,7 @@ package router

 import (

 	kapi "k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/util"

 	"k8s.io/kubernetes/pkg/watch"

 	routeapi "github.com/openshift/origin/pkg/route/api"

@@ -12,4 +13,6 @@ import (

 type Plugin interface {

 	HandleRoute(watch.EventType, *routeapi.Route) error

 	HandleEndpoints(watch.EventType, *kapi.Endpoints) error

+	// If sent, filter the list of accepted routes and endpoints to this set

+	HandleNamespaces(namespaces util.StringSet) error

 }

@@ -5,6 +5,7 @@ import (

 	"github.com/golang/glog"

 	kapi "k8s.io/kubernetes/pkg/api"

+	"k8s.io/kubernetes/pkg/util"

 	"k8s.io/kubernetes/pkg/watch"

 	routeapi "github.com/openshift/origin/pkg/route/api"

@@ -448,6 +449,10 @@ func (p *F5Plugin) deleteRoute(routename string) error {

 	return nil

 }

+func (p *F5Plugin) HandleNamespaces(namespaces util.StringSet) error {

+	return fmt.Errorf("namespace limiting for F5 is not implemented")

+}

+

 // HandleRoute processes watch events on the Route resource and

 // creates and deletes policy rules in response.

 func (p *F5Plugin) HandleRoute(eventType watch.EventType,

@@ -9,6 +9,7 @@ import (

 	"github.com/golang/glog"

 	kapi "k8s.io/kubernetes/pkg/api"

 	ktypes "k8s.io/kubernetes/pkg/types"

+	"k8s.io/kubernetes/pkg/util"

 	"k8s.io/kubernetes/pkg/watch"

 	routeapi "github.com/openshift/origin/pkg/route/api"

@@ -19,16 +20,20 @@ import (

 type TemplatePlugin struct {

 	Router       router

 	HostForRoute func(*routeapi.Route) string

-	hostToRoute  HostToRouteMap

-	routeToHost  RouteToHostMap

+

+	hostToRoute HostToRouteMap

+	routeToHost RouteToHostMap

+	// nil means different than empty

+	allowedNamespaces util.StringSet

 }

 func newDefaultTemplatePlugin(router router) *TemplatePlugin {

 	return &TemplatePlugin{

 		Router:       router,

 		HostForRoute: defaultHostForRoute,

-		hostToRoute:  make(HostToRouteMap),

-		routeToHost:  make(RouteToHostMap),

+

+		hostToRoute: make(HostToRouteMap),

+		routeToHost: make(RouteToHostMap),

 	}

 }

@@ -69,7 +74,8 @@ type router interface {

 	AddRoute(id string, route *routeapi.Route, host string) bool

 	// RemoveRoute removes the given route for the given id.

 	RemoveRoute(id string, route *routeapi.Route)

-

+	// Reduce the list of routes to only these namespaces

+	FilterNamespaces(namespaces util.StringSet)

 	// Commit refreshes the backend and persists the router state.

 	Commit() error

 }

@@ -112,6 +118,10 @@ func NewTemplatePlugin(cfg TemplatePluginConfig) (*TemplatePlugin, error) {

 // HandleEndpoints processes watch events on the Endpoints resource.

 func (p *TemplatePlugin) HandleEndpoints(eventType watch.EventType, endpoints *kapi.Endpoints) error {

+	if p.allowedNamespaces != nil && !p.allowedNamespaces.Has(endpoints.Namespace) {

+		return nil

+	}

+

 	key := endpointsKey(endpoints)

 	glog.V(4).Infof("Processing %d Endpoints for Name: %v (%v)", len(endpoints.Subsets), endpoints.Name, eventType)

@@ -139,7 +149,15 @@ func (p *TemplatePlugin) HandleEndpoints(eventType watch.EventType, endpoints *k

 }

 // HandleRoute processes watch events on the Route resource.

+// TODO: this function can probably be collapsed with the router itself, as a function that

+//   determines which component needs to be recalculated (which template) and then does so

+//   on demand.

 func (p *TemplatePlugin) HandleRoute(eventType watch.EventType, route *routeapi.Route) error {

+	// TODO: refactor so this is handled at the cache reflector level

+	if p.allowedNamespaces != nil && !p.allowedNamespaces.Has(route.Namespace) {

+		return nil

+	}

+

 	key := routeKey(route)

 	routeName := routeNameKey(route)

@@ -195,7 +213,7 @@ func (p *TemplatePlugin) HandleRoute(eventType watch.EventType, route *routeapi.

 	switch eventType {

 	case watch.Added, watch.Modified:

-		// TODO: this could be abstracted above this layer?

+		// TODO: this could be abstracted above this layer

 		if old, ok := p.routeToHost[routeName]; ok {

 			if old != host {

 				glog.V(4).Infof("Route %s changed from serving host %s to host %s", key, old, host)

@@ -237,6 +255,28 @@ func (p *TemplatePlugin) HandleRoute(eventType watch.EventType, route *routeapi.

 	return nil

 }

+// HandleAllowedNamespaces limits the scope of valid routes to only those that match

+// the provided namespace list.

+func (p *TemplatePlugin) HandleNamespaces(namespaces util.StringSet) error {

+	p.allowedNamespaces = namespaces

+	changed := false

+	for k, v := range p.hostToRoute {

+		if namespaces.Has(v[0].Namespace) {

+			continue

+		}

+		delete(p.hostToRoute, k)

+		for i := range v {

+			delete(p.routeToHost, routeNameKey(v[i]))

+		}

+		changed = true

+	}

+	if !changed && len(namespaces) > 0 {

+		return nil

+	}

+	p.Router.FilterNamespaces(namespaces)

+	return p.Router.Commit()

+}

+

 // defaultHostForRoute return the host based on the string value on a route.

 func defaultHostForRoute(route *routeapi.Route) string {

 	return route.Host

@@ -3,6 +3,7 @@ package templaterouter

 import (

 	"fmt"

 	"reflect"

+	"strings"

 	"testing"

 	"time"

@@ -97,6 +98,21 @@ func (r *TestRouter) RemoveRoute(id string, route *routeapi.Route) {

 	}

 }

+func (r *TestRouter) FilterNamespaces(namespaces util.StringSet) {

+	if len(namespaces) == 0 {

+		r.State = make(map[string]ServiceUnit)

+	}

+	for k := range r.State {

+		// TODO: the id of a service unit should be defined inside this class, not passed in from the outside

+		//   remove the leak of the abstraction when we refactor this code

+		ns := strings.SplitN(k, "/", 2)[0]

+		if namespaces.Has(ns) {

+			continue

+		}

+		delete(r.State, k)

+	}

+}

+

 // routeKey create an identifier for the route consisting of host-path

 func (r *TestRouter) routeKey(route *routeapi.Route) string {

 	return route.Host + "-" + route.Path

@@ -347,7 +363,59 @@ func TestHandleRoute(t *testing.T) {

 	if len(plugin.hostToRoute) != 0 {

 		t.Errorf("did not clear claimed route: %#v", plugin.hostToRoute)

 	}

+}

+

+func TestNamespaceScopingFromEmpty(t *testing.T) {

+	router := newTestRouter(make(map[string]ServiceUnit))

+	plugin := newDefaultTemplatePlugin(router)

+

+	// no namespaces allowed

+	plugin.HandleNamespaces(util.StringSet{})

+

+	//add

+	route := &routeapi.Route{

+		ObjectMeta:  kapi.ObjectMeta{Namespace: "foo", Name: "test"},

+		Host:        "www.example.com",

+		ServiceName: "TestService",

+	}

+

+	// ignores all events for namespace that doesn't match

+	for _, s := range []watch.EventType{watch.Added, watch.Modified, watch.Deleted} {

+		plugin.HandleRoute(s, route)

+		if _, ok := router.FindServiceUnit("foo/TestService"); ok || len(plugin.hostToRoute) != 0 {

+			t.Errorf("unexpected router state %#v", router)

+		}

+	}

+

+	// allow non matching

+	plugin.HandleNamespaces(util.NewStringSet("bar"))

+	for _, s := range []watch.EventType{watch.Added, watch.Modified, watch.Deleted} {

+		plugin.HandleRoute(s, route)

+		if _, ok := router.FindServiceUnit("foo/TestService"); ok || len(plugin.hostToRoute) != 0 {

+			t.Errorf("unexpected router state %#v", router)

+		}

+	}

+	// allow foo

+	plugin.HandleNamespaces(util.NewStringSet("foo", "bar"))

+	plugin.HandleRoute(watch.Added, route)

+	if _, ok := router.FindServiceUnit("foo/TestService"); !ok || len(plugin.hostToRoute) != 1 {

+		t.Errorf("unexpected router state %#v", router)

+	}

+

+	// forbid foo, and make sure it's cleared

+	plugin.HandleNamespaces(util.NewStringSet("bar"))

+	if _, ok := router.FindServiceUnit("foo/TestService"); ok || len(plugin.hostToRoute) != 0 {

+		t.Errorf("unexpected router state %#v", router)

+	}

+	plugin.HandleRoute(watch.Modified, route)

+	if _, ok := router.FindServiceUnit("foo/TestService"); ok || len(plugin.hostToRoute) != 0 {

+		t.Errorf("unexpected router state %#v", router)

+	}

+	plugin.HandleRoute(watch.Added, route)

+	if _, ok := router.FindServiceUnit("foo/TestService"); ok || len(plugin.hostToRoute) != 0 {

+		t.Errorf("unexpected router state %#v", router)

+	}

 }

 func TestUnchangingEndpointsDoesNotCommit(t *testing.T) {

@@ -8,10 +8,13 @@ import (

 	"os/exec"

 	"path/filepath"

 	"reflect"

+	"strings"

 	"text/template"

 	"github.com/golang/glog"

+	"k8s.io/kubernetes/pkg/util"

+

 	routeapi "github.com/openshift/origin/pkg/route/api"

 )

@@ -253,6 +256,21 @@ func (r *templateRouter) reloadRouter() error {

 	return nil

 }

+func (r *templateRouter) FilterNamespaces(namespaces util.StringSet) {

+	if len(namespaces) == 0 {

+		r.state = make(map[string]ServiceUnit)

+	}

+	for k := range r.state {

+		// TODO: the id of a service unit should be defined inside this class, not passed in from the outside

+		//   remove the leak of the abstraction when we refactor this code

+		ns := strings.SplitN(k, "/", 2)[0]

+		if namespaces.Has(ns) {

+			continue

+		}

+		delete(r.state, k)

+	}

+}

+

 // CreateServiceUnit creates a new service named with the given id.

 func (r *templateRouter) CreateServiceUnit(id string) {

 	service := ServiceUnit{

@@ -265,9 +283,9 @@ func (r *templateRouter) CreateServiceUnit(id string) {

 }

 // FindServiceUnit finds the service with the given id.

-func (r *templateRouter) FindServiceUnit(id string) (v ServiceUnit, ok bool) {

-	v, ok = r.state[id]

-	return

+func (r *templateRouter) FindServiceUnit(id string) (ServiceUnit, bool) {

+	v, ok := r.state[id]

+	return v, ok

 }

 // DeleteServiceUnit deletes the service with the given id.

@@ -293,6 +311,8 @@ func (r *templateRouter) DeleteEndpoints(id string) {

 	r.state[id] = service

+	// TODO: this is not safe (assuming that the subset of elements we are watching includes the peer endpoints)

+	// should be a DNS lookup for endpoints of our service name.

 	if id == r.peerEndpointsKey {

 		r.peerEndpoints = []Endpoint{}

 		glog.V(4).Infof("Peer endpoint table has been cleared")

@@ -4577,6 +4577,8 @@ _openshift_infra_router()

     flags+=("--master=")

     flags+=("--namespace=")

     two_word_flags+=("-n")

+    flags+=("--namespace-labels=")

+    flags+=("--project-labels=")

     flags+=("--reload=")

     flags+=("--resync-interval=")

     flags+=("--server=")

@@ -4633,6 +4635,8 @@ _openshift_infra_f5-router()

     flags+=("--master=")

     flags+=("--namespace=")

     two_word_flags+=("-n")

+    flags+=("--namespace-labels=")

+    flags+=("--project-labels=")

     flags+=("--resync-interval=")

     flags+=("--server=")

     flags+=("--token=")