@@ -189,6 +189,7 @@ func (o CreateMasterCertsOptions) CreateMasterCerts() error {

 		func() error { return o.createKubeletClientCerts(&getSignerCertOptions) },

 		func() error { return o.createProxyClientCerts(&getSignerCertOptions) },

 		func() error { return o.createServiceAccountKeys() },

+		func() error { return o.createServiceSigningCA(&getSignerCertOptions) },

 	)

 	return utilerrors.NewAggregate(errs)

 }

@@ -320,3 +321,24 @@ func (o CreateMasterCertsOptions) createServiceAccountKeys() error {

 	}

 	return nil

 }

+

+func (o CreateMasterCertsOptions) createServiceSigningCA(getSignerCertOptions *SignerCertOptions) error {

+	caInfo := DefaultServiceSignerCAInfo(o.CertDir)

+

+	caOptions := CreateSignerCertOptions{

+		CertFile:   caInfo.CertFile,

+		KeyFile:    caInfo.KeyFile,

+		SerialFile: "", // we want the random cert serial for this one

+		Name:       DefaultServiceServingCertSignerName(),

+		Output:     o.Output,

+

+		Overwrite: o.Overwrite,

+	}

+	if err := caOptions.Validate(nil); err != nil {

+		return err

+	}

+	if _, err := caOptions.CreateSignerCert(); err != nil {

+		return err

+	}

+	return nil

+}

@@ -250,7 +250,7 @@ func (o CreateNodeConfigOptions) CreateNodeFolder() error {

 		return err

 	}

 	if o.UseTLS() {

-		if err := o.MakeServerCert(serverCertFile, serverKeyFile); err != nil {

+		if err := o.MakeAndWriteServerCert(serverCertFile, serverKeyFile); err != nil {

 			return err

 		}

 		if o.UseNodeClientCA() {

@@ -309,7 +309,7 @@ func (o CreateNodeConfigOptions) MakeClientCert(clientCertFile, clientKeyFile st

 	return nil

 }

-func (o CreateNodeConfigOptions) MakeServerCert(serverCertFile, serverKeyFile string) error {

+func (o CreateNodeConfigOptions) MakeAndWriteServerCert(serverCertFile, serverKeyFile string) error {

 	if o.IsCreateServerCertificate() {

 		nodeServerCertOptions := CreateServerCertOptions{

 			SignerCertOptions: o.SignerCertOptions,

@@ -113,7 +113,7 @@ func (o CreateServerCertOptions) CreateServerCert() (*crypto.TLSCertificateConfi

 	var ca *crypto.TLSCertificateConfig

 	written := true

 	if o.Overwrite {

-		ca, err = signerCert.MakeServerCert(o.CertFile, o.KeyFile, sets.NewString([]string(o.Hostnames)...))

+		ca, err = signerCert.MakeAndWriteServerCert(o.CertFile, o.KeyFile, sets.NewString([]string(o.Hostnames)...))

 	} else {

 		ca, written, err = signerCert.EnsureServerCert(o.CertFile, o.KeyFile, sets.NewString([]string(o.Hostnames)...))

 	}

@@ -32,6 +32,10 @@ func DefaultCABundleFile(certDir string) string {

 	return DefaultCertFilename(certDir, CABundlePrefix)

 }

+func DefaultServiceServingCertSignerName() string {

+	return fmt.Sprintf("%s@%d", "openshift-service-serving-signer", time.Now().Unix())

+}

+

 func DefaultRootCAFile(certDir string) string {

 	return DefaultCertFilename(certDir, CAFilePrefix)

 }

@@ -207,6 +211,13 @@ func DefaultNodeKubeConfigFile(nodeDir string) string {

 	return path.Join(nodeDir, "node.kubeconfig")

 }

+func DefaultServiceSignerCAInfo(certDir string) configapi.CertInfo {

+	caInfo := configapi.CertInfo{}

+	caInfo.CertFile = DefaultCAFilename(certDir, "service-signer")

+	caInfo.KeyFile = DefaultKeyFilename(certDir, "service-signer")

+	return caInfo

+}

+

 func DefaultCAFilename(certDir, prefix string) string {

 	return path.Join(certDir, prefix+".crt")

 }

@@ -251,6 +251,11 @@ func GetMasterFileReferences(config *MasterConfig) []*string {

 	refs = append(refs, &config.PolicyConfig.BootstrapPolicyFile)

+	if config.ControllerConfig.ServiceServingCert.Signer != nil {

+		refs = append(refs, &config.ControllerConfig.ServiceServingCert.Signer.CertFile)

+		refs = append(refs, &config.ControllerConfig.ServiceServingCert.Signer.KeyFile)

+	}

+

 	return refs

 }

@@ -237,6 +237,8 @@ type MasterConfig struct {

 	// AdmissionConfig contains admission control plugin configuration.

 	AdmissionConfig AdmissionConfig

+	ControllerConfig ControllerConfig

+

 	// Allow to disable OpenShift components

 	DisabledFeatures FeatureList

@@ -1166,3 +1168,18 @@ type AdmissionConfig struct {

 	// on the master. Order is significant. If empty, a default list of plugins is used.

 	PluginOrderOverride []string

 }

+

+// ControllerConfig holds configuration values for controllers

+type ControllerConfig struct {

+	// ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for

+	// pods fullfilling a service to serve with.

+	ServiceServingCert ServiceServingCert

+}

+

+// ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for

+// pods fullfilling a service to serve with.

+type ServiceServingCert struct {

+	// Signer holds the signing information used to automatically sign serving certificates.

+	// If this value is nil, then certs are not signed automatically.

+	Signer *CertInfo

+}

@@ -105,6 +105,15 @@ func (CertInfo) SwaggerDoc() map[string]string {

 	return map_CertInfo

 }

+var map_ControllerConfig = map[string]string{

+	"":                   "ControllerConfig holds configuration values for controllers",

+	"serviceServingCert": "ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fullfilling a service to serve with.",

+}

+

+func (ControllerConfig) SwaggerDoc() map[string]string {

+	return map_ControllerConfig

+}

+

 var map_DNSConfig = map[string]string{

 	"":                      "DNSConfig holds the necessary configuration options for DNS",

 	"bindAddress":           "BindAddress is the ip:port to serve DNS on",

@@ -404,6 +413,7 @@ var map_MasterConfig = map[string]string{

 	"pauseControllers":       "PauseControllers instructs the master to not automatically start controllers, but instead to wait until a notification to the server is received before launching them.",

 	"controllerLeaseTTL":     "ControllerLeaseTTL enables controller election, instructing the master to attempt to acquire a lease before controllers start and renewing it within a number of seconds defined by this value. Setting this value non-negative forces pauseControllers=true. This value defaults off (0, or omitted) and controller election can be disabled with -1.",

 	"admissionConfig":        "AdmissionConfig contains admission control plugin configuration.",

+	"controllerConfig":       "ControllerConfig holds configuration values for controllers",

 	"disabledFeatures":       "DisabledFeatures is a list of features that should not be started.  We omitempty here because its very unlikely that anyone will want to manually disable features and we don't want to encourage it.",

 	"etcdStorageConfig":      "EtcdStorageConfig contains information about how API resources are stored in Etcd. These values are only relevant when etcd is the backing store for the cluster.",

 	"etcdClientInfo":         "EtcdClientInfo contains information about how to connect to etcd",

@@ -694,6 +704,15 @@ func (ServiceAccountConfig) SwaggerDoc() map[string]string {

 	return map_ServiceAccountConfig

 }

+var map_ServiceServingCert = map[string]string{

+	"":       "ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for pods fullfilling a service to serve with.",

+	"signer": "Signer holds the signing information used to automatically sign serving certificates. If this value is nil, then certs are not signed automatically.",

+}

+

+func (ServiceServingCert) SwaggerDoc() map[string]string {

+	return map_ServiceServingCert

+}

+

 var map_ServingInfo = map[string]string{

 	"":                  "ServingInfo holds information about serving web pages",

 	"bindAddress":       "BindAddress is the ip:port to serve on",

@@ -176,6 +176,9 @@ type MasterConfig struct {

 	// AdmissionConfig contains admission control plugin configuration.

 	AdmissionConfig AdmissionConfig `json:"admissionConfig"`

+	// ControllerConfig holds configuration values for controllers

+	ControllerConfig ControllerConfig `json:"controllerConfig"`

+

 	// DisabledFeatures is a list of features that should not be started.  We

 	// omitempty here because its very unlikely that anyone will want to

 	// manually disable features and we don't want to encourage it.

@@ -1171,3 +1174,18 @@ type AdmissionConfig struct {

 	// on the master. Order is significant. If empty, a default list of plugins is used.

 	PluginOrderOverride []string `json:"pluginOrderOverride,omitempty"`

 }

+

+// ControllerConfig holds configuration values for controllers

+type ControllerConfig struct {

+	// ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for

+	// pods fullfilling a service to serve with.

+	ServiceServingCert ServiceServingCert `json:"serviceServingCert"`

+}

+

+// ServiceServingCert holds configuration for service serving cert signer which creates cert/key pairs for

+// pods fullfilling a service to serve with.

+type ServiceServingCert struct {

+	// Signer holds the signing information used to automatically sign serving certificates.

+	// If this value is nil, then certs are not signed automatically.

+	Signer *CertInfo `json:"signer"`

+}

@@ -102,6 +102,9 @@ assetConfig:

     maxRequestsInFlight: 0

     namedCertificates: null

     requestTimeoutSeconds: 0

+controllerConfig:

+  serviceServingCert:

+    signer: null

 controllerLeaseTTL: 0

 controllers: ""

 corsAllowedOrigins: null

@@ -183,6 +183,18 @@ func ValidateMasterConfig(config *api.MasterConfig, fldPath *field.Path) Validat

 		validationResults.AddErrors(ValidateAdmissionPluginConfig(config.AdmissionConfig.PluginConfig, fldPath.Child("admissionConfig", "pluginConfig"))...)

 	}

+	validationResults.Append(ValidateControllerConfig(config.ControllerConfig, fldPath.Child("controllerConfig")))

+

+	return validationResults

+}

+

+func ValidateControllerConfig(config api.ControllerConfig, fldPath *field.Path) ValidationResults {

+	validationResults := ValidationResults{}

+

+	if config.ServiceServingCert.Signer != nil {

+		validationResults.AddErrors(ValidateCertInfo(*config.ServiceServingCert.Signer, true, fldPath.Child("serviceServingCert.signer"))...)

+	}

+

 	return validationResults

 }

@@ -48,6 +48,9 @@ const (

 	InfraServiceLoadBalancerControllerServiceAccountName = "service-load-balancer-controller"

 	ServiceLoadBalancerControllerRoleName                = "system:service-load-balancer-controller"

+

+	ServiceServingCertServiceAccountName = "service-serving-cert-controller"

+	ServiceServingCertControllerRoleName = "system:service-serving-cert-controller"

 )

 type InfraServiceAccounts struct {

@@ -611,4 +614,29 @@ func init() {

 	if err != nil {

 		panic(err)

 	}

+

+	err = InfraSAs.addServiceAccount(

+		ServiceServingCertServiceAccountName,

+		authorizationapi.ClusterRole{

+			ObjectMeta: kapi.ObjectMeta{

+				Name: ServiceServingCertControllerRoleName,

+			},

+			Rules: []authorizationapi.PolicyRule{

+				{

+					APIGroups: []string{kapi.GroupName},

+					Verbs:     sets.NewString("list", "watch", "update"),

+					Resources: sets.NewString("services"),

+				},

+				{

+					APIGroups: []string{kapi.GroupName},

+					Verbs:     sets.NewString("get", "create"),

+					Resources: sets.NewString("secrets"),

+				},

+			},

+		},

+	)

+	if err != nil {

+		panic(err)

+	}

+

 }

@@ -77,6 +77,19 @@ func (c *TLSCertificateConfig) writeCertConfig(certFile, keyFile string) error {

 	}

 	return nil

 }

+func (c *TLSCertificateConfig) GetPEMBytes() ([]byte, []byte, error) {

+	certBytes, err := encodeCertificates(c.Certs...)

+	if err != nil {

+		return nil, nil, err

+	}

+	keyBytes, err := encodeKey(c.Key)

+	if err != nil {

+		return nil, nil, err

+	}

+

+	return certBytes, keyBytes, nil

+}

+

 func (c *TLSCARoots) writeCARoots(rootFile string) error {

 	if err := writeCertificates(rootFile, c.Roots...); err != nil {

 		return err

@@ -295,7 +308,7 @@ func MakeCA(certFile, keyFile, serialFile, name string) (*CA, error) {

 func (ca *CA) EnsureServerCert(certFile, keyFile string, hostnames sets.String) (*TLSCertificateConfig, bool, error) {

 	certConfig, err := GetServerCert(certFile, keyFile, hostnames)

 	if err != nil {

-		certConfig, err = ca.MakeServerCert(certFile, keyFile, hostnames)

+		certConfig, err = ca.MakeAndWriteServerCert(certFile, keyFile, hostnames)

 		return certConfig, true, err

 	}

@@ -320,9 +333,20 @@ func GetServerCert(certFile, keyFile string, hostnames sets.String) (*TLSCertifi

 	return nil, fmt.Errorf("Existing server certificate in %s was missing some hostnames (%v) or IP addresses (%v).", certFile, missingDns, missingIps)

 }

-func (ca *CA) MakeServerCert(certFile, keyFile string, hostnames sets.String) (*TLSCertificateConfig, error) {

+func (ca *CA) MakeAndWriteServerCert(certFile, keyFile string, hostnames sets.String) (*TLSCertificateConfig, error) {

 	glog.V(4).Infof("Generating server certificate in %s, key in %s", certFile, keyFile)

+	server, err := ca.MakeServerCert(hostnames)

+	if err != nil {

+		return nil, err

+	}

+	if err := server.writeCertConfig(certFile, keyFile); err != nil {

+		return server, err

+	}

+	return server, nil

+}

+

+func (ca *CA) MakeServerCert(hostnames sets.String) (*TLSCertificateConfig, error) {

 	serverPublicKey, serverPrivateKey, _ := NewKeyPair()

 	serverTemplate, _ := newServerCertificateTemplate(pkix.Name{CommonName: hostnames.List()[0]}, hostnames.List())

 	serverCrt, err := ca.signCertificate(serverTemplate, serverPublicKey)

@@ -333,9 +357,6 @@ func (ca *CA) MakeServerCert(certFile, keyFile string, hostnames sets.String) (*

 		Certs: append([]*x509.Certificate{serverCrt}, ca.Config.Certs...),

 		Key:   serverPrivateKey,

 	}

-	if err := server.writeCertConfig(certFile, keyFile); err != nil {

-		return server, err

-	}

 	return server, nil

 }

@@ -13,6 +13,7 @@ import (

 	"k8s.io/kubernetes/pkg/admission"

 	kapi "k8s.io/kubernetes/pkg/api"

 	"k8s.io/kubernetes/pkg/api/unversioned"

+	kclient "k8s.io/kubernetes/pkg/client/unversioned"

 	clientadapter "k8s.io/kubernetes/pkg/client/unversioned/adapters/internalclientset"

 	"k8s.io/kubernetes/pkg/controller"

 	kresourcequota "k8s.io/kubernetes/pkg/controller/resourcequota"

@@ -28,6 +29,7 @@ import (

 	buildclient "github.com/openshift/origin/pkg/build/client"

 	buildcontrollerfactory "github.com/openshift/origin/pkg/build/controller/factory"

 	buildstrategy "github.com/openshift/origin/pkg/build/controller/strategy"

+	"github.com/openshift/origin/pkg/cmd/server/crypto"

 	"github.com/openshift/origin/pkg/cmd/server/etcd"

 	cmdutil "github.com/openshift/origin/pkg/cmd/util"

 	"github.com/openshift/origin/pkg/cmd/util/clientcmd"

@@ -43,6 +45,7 @@ import (

 	"github.com/openshift/origin/pkg/security/mcs"

 	"github.com/openshift/origin/pkg/security/uid"

 	"github.com/openshift/origin/pkg/security/uidallocator"

+	servingcertcontroller "github.com/openshift/origin/pkg/service/controller/servingcert"

 	"github.com/openshift/openshift-sdn/plugins/osdn/factory"

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

@@ -371,6 +374,19 @@ func (c *MasterConfig) RunSDNController() {

 	}

 }

+func (c *MasterConfig) RunServiceServingCertController(client *kclient.Client) {

+	if c.Options.ControllerConfig.ServiceServingCert.Signer == nil {

+		return

+	}

+	ca, err := crypto.GetCA(c.Options.ControllerConfig.ServiceServingCert.Signer.CertFile, c.Options.ControllerConfig.ServiceServingCert.Signer.KeyFile, "")

+	if err != nil {

+		glog.Fatalf("service serving cert controller failed: %v", err)

+	}

+

+	servingCertController := servingcertcontroller.NewServiceServingCertController(client, client, ca, "cluster.local", 2*time.Minute)

+	go servingCertController.Run(1, make(chan struct{}))

+}

+

 // RunImageImportController starts the image import trigger controller process.

 func (c *MasterConfig) RunImageImportController() {

 	osclient := c.ImageImportControllerClient()

@@ -180,6 +180,8 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig

 	etcdClientInfo := admin.DefaultMasterEtcdClientCertInfo(args.ConfigDir.Value())

+	serviceServingCertSigner := admin.DefaultServiceSignerCAInfo(args.ConfigDir.Value())

+

 	dnsServingInfo := servingInfoForAddr(&dnsBindAddr)

 	config := &configapi.MasterConfig{

@@ -255,6 +257,12 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig

 		VolumeConfig: configapi.MasterVolumeConfig{

 			DynamicProvisioningEnabled: true,

 		},

+

+		ControllerConfig: configapi.ControllerConfig{

+			ServiceServingCert: configapi.ServiceServingCert{

+				Signer: &serviceServingCertSigner,

+			},

+		},

 	}

 	if args.ListenArg.UseTLS() {

@@ -641,6 +641,12 @@ func startControllers(oc *origin.MasterConfig, kc *kubernetes.MasterConfig) erro

 	oc.RunOriginNamespaceController()

 	oc.RunSDNController()

+	_, _, serviceServingCertClient, err := oc.GetServiceAccountClients(bootstrappolicy.ServiceServingCertServiceAccountName)

+	if err != nil {

+		glog.Fatalf("Could not get client: %v", err)

+	}

+	oc.RunServiceServingCertController(serviceServingCertClient)

+

 	glog.Infof("Started Origin Controllers")

 	return nil

new file mode 100644

@@ -0,0 +1,293 @@

+package servingcert

+

+import (

+	"errors"

+	"fmt"

+	"strconv"

+	"time"

+

+	"github.com/golang/glog"

+

+	kapi "k8s.io/kubernetes/pkg/api"

+	kapierrors "k8s.io/kubernetes/pkg/api/errors"

+	"k8s.io/kubernetes/pkg/client/cache"

+	kclient "k8s.io/kubernetes/pkg/client/unversioned"

+	"k8s.io/kubernetes/pkg/controller"

+	"k8s.io/kubernetes/pkg/controller/framework"

+	"k8s.io/kubernetes/pkg/runtime"

+	utilruntime "k8s.io/kubernetes/pkg/util/runtime"

+	"k8s.io/kubernetes/pkg/util/sets"

+	"k8s.io/kubernetes/pkg/util/wait"

+	"k8s.io/kubernetes/pkg/util/workqueue"

+	"k8s.io/kubernetes/pkg/watch"

+

+	"github.com/openshift/origin/pkg/cmd/server/crypto"

+)

+

+const (

+	// ServingCertSecretAnnotation stores the name of the secret to generate into.

+	ServingCertSecretAnnotation = "service.alpha.openshift.io/serving-cert-secret-name"

+	// ServingCertCreatedByAnnotation stores the of the signer common name.  This could be used later to see if the

+	// services need to have the the serving certs regenerated.  The presence and matching of this annotation prevents

+	// regeneration

+	ServingCertCreatedByAnnotation = "service.alpha.openshift.io/serving-cert-signed-by"

+	// ServingCertErrorAnnotation stores the error that caused cert generation failures.

+	ServingCertErrorAnnotation = "service.alpha.openshift.io/serving-cert-generation-error"

+	// ServingCertErrorNumAnnotation stores how many consecutive errors we've hit.  A value of the maxRetries will prevent

+	// the controller from reattempting until it is cleared.

+	ServingCertErrorNumAnnotation = "service.alpha.openshift.io/serving-cert-generation-error-num"

+	// ServiceUIDAnnotation is an annotation on a secret that indicates which service created it, by UID

+	ServiceUIDAnnotation = "service.alpha.openshift.io/originating-service-uid"

+	// ServiceNameAnnotation is an annotation on a secret that indicates which service created it, by Name to allow reverse lookups on services

+	// for comparison against UIDs

+	ServiceNameAnnotation = "service.alpha.openshift.io/originating-service-name"

+)

+

+// ServiceServingCertController is responsible for synchronizing Service objects stored

+// in the system with actual running replica sets and pods.

+type ServiceServingCertController struct {

+	serviceClient kclient.ServicesNamespacer

+	secretClient  kclient.SecretsNamespacer

+

+	// Services that need to be checked

+	queue      workqueue.RateLimitingInterface

+	maxRetries int

+

+	serviceCache      cache.Store

+	serviceController *framework.Controller

+

+	ca         *crypto.CA

+	publicCert string

+	dnsSuffix  string

+

+	// syncHandler does the work. It's factored out for unit testing

+	syncHandler func(serviceKey string) error

+}

+

+// NewServiceServingCertController creates a new ServiceServingCertController.

+// TODO this should accept a shared informer

+func NewServiceServingCertController(serviceClient kclient.ServicesNamespacer, secretClient kclient.SecretsNamespacer, ca *crypto.CA, dnsSuffix string, resyncInterval time.Duration) *ServiceServingCertController {

+	sc := &ServiceServingCertController{

+		serviceClient: serviceClient,

+		secretClient:  secretClient,

+

+		queue:      workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),

+		maxRetries: 10,

+

+		ca:        ca,

+		dnsSuffix: dnsSuffix,

+	}

+

+	sc.serviceCache, sc.serviceController = framework.NewInformer(

+		&cache.ListWatch{

+			ListFunc: func(options kapi.ListOptions) (runtime.Object, error) {

+				return sc.serviceClient.Services(kapi.NamespaceAll).List(options)

+			},

+			WatchFunc: func(options kapi.ListOptions) (watch.Interface, error) {

+				return sc.serviceClient.Services(kapi.NamespaceAll).Watch(options)

+			},

+		},

+		&kapi.Service{},

+		resyncInterval,

+		framework.ResourceEventHandlerFuncs{

+			AddFunc: func(obj interface{}) {

+				service := obj.(*kapi.Service)

+				glog.V(4).Infof("Adding service %s", service.Name)

+				sc.enqueueService(obj)

+			},

+			UpdateFunc: func(old, cur interface{}) {

+				service := cur.(*kapi.Service)

+				glog.V(4).Infof("Updating service %s", service.Name)

+				// Resync on service object relist.

+				sc.enqueueService(cur)

+			},

+		},

+	)

+

+	sc.syncHandler = sc.syncService

+

+	return sc

+}

+

+// Run begins watching and syncing.

+func (sc *ServiceServingCertController) Run(workers int, stopCh <-chan struct{}) {

+	defer utilruntime.HandleCrash()

+	go sc.serviceController.Run(stopCh)

+	for i := 0; i < workers; i++ {

+		go wait.Until(sc.worker, time.Second, stopCh)

+	}

+

+	<-stopCh

+	glog.Infof("Shutting down service signing cert controller")

+	sc.queue.ShutDown()

+}

+

+func (sc *ServiceServingCertController) enqueueService(obj interface{}) {

+	key, err := controller.KeyFunc(obj)

+	if err != nil {

+		glog.Errorf("Couldn't get key for object %+v: %v", obj, err)

+		return

+	}

+

+	sc.queue.Add(key)

+}

+

+// worker runs a worker thread that just dequeues items, processes them, and marks them done.

+// It enforces that the syncHandler is never invoked concurrently with the same key.

+func (sc *ServiceServingCertController) worker() {

+	for {

+		if !sc.worker_inner() {

+			return

+		}

+	}

+}

+

+// worker_inner returns true if the worker thread should continue

+func (sc *ServiceServingCertController) worker_inner() bool {

+	key, quit := sc.queue.Get()

+	if quit {

+		return false

+	}

+	defer sc.queue.Done(key)

+

+	if err := sc.syncHandler(key.(string)); err == nil {

+		// this means the request was successfully handled.  We should "forget" the item so that any retry

+		// later on is reset

+		sc.queue.Forget(key)

+

+	} else {

+		// if we had an error it means that we didn't handle it, which means that we want to requeue the work

+		utilruntime.HandleError(fmt.Errorf("error syncing service, it will be retried: %v", err))

+		sc.queue.AddRateLimited(key)

+	}

+

+	return true

+}

+

+// syncService will sync the service with the given key.

+// This function is not meant to be invoked concurrently with the same key.

+func (sc *ServiceServingCertController) syncService(key string) error {

+	obj, exists, err := sc.serviceCache.GetByKey(key)

+	if err != nil {

+		glog.V(4).Infof("Unable to retrieve service %v from store: %v", key, err)

+		return err

+	}

+	if !exists {

+		glog.V(4).Infof("Service has been deleted %v", key)

+		return nil

+	}

+

+	// make a copy to avoid mutating cache state

+	t := *obj.(*kapi.Service)

+	service := &t

+	if !sc.requiresCertGeneration(service) {

+		return nil

+	}

+	if service.Annotations == nil {

+		service.Annotations = map[string]string{}

+	}

+

+	dnsName := service.Name + "." + service.Namespace + ".svc"

+	fqDNSName := dnsName + "." + sc.dnsSuffix

+	servingCert, err := sc.ca.MakeServerCert(sets.NewString(dnsName, fqDNSName))

+	if err != nil {

+		return err

+	}

+	certBytes, keyBytes, err := servingCert.GetPEMBytes()

+	if err != nil {

+		return err

+	}

+

+	secret := &kapi.Secret{

+		ObjectMeta: kapi.ObjectMeta{

+			Namespace: service.Namespace,

+			Name:      service.Annotations[ServingCertSecretAnnotation],

+			Annotations: map[string]string{

+				ServiceUIDAnnotation:  string(service.UID),

+				ServiceNameAnnotation: service.Name,

+			},

+		},

+		Type: kapi.SecretTypeTLS,

+		Data: map[string][]byte{

+			kapi.TLSCertKey:       certBytes,

+			kapi.TLSPrivateKeyKey: keyBytes,

+		},

+	}

+

+	_, err = sc.secretClient.Secrets(service.Namespace).Create(secret)

+	if err != nil && !kapierrors.IsAlreadyExists(err) {

+		// if we have an error creating the secret, then try to update the service with that information.  If it fails,

+		// then we'll just try again later on  re-list or because the service had already been updated and we'll get triggered again.

+		service.Annotations[ServingCertErrorAnnotation] = err.Error()

+		service.Annotations[ServingCertErrorNumAnnotation] = strconv.Itoa(getNumFailures(service) + 1)

+		_, updateErr := sc.serviceClient.Services(service.Namespace).Update(service)

+

+		// if we're past the max retries and we successfully updated, then the sync loop successfully handled this service and we want to forget it

+		if updateErr == nil && getNumFailures(service) >= sc.maxRetries {

+			return nil

+		}

+		return err

+	}

+	if kapierrors.IsAlreadyExists(err) {

+		actualSecret, err := sc.secretClient.Secrets(service.Namespace).Get(secret.Name)

+		if err != nil {

+			// if we have an error creating the secret, then try to update the service with that information.  If it fails,

+			// then we'll just try again later on  re-list or because the service had already been updated and we'll get triggered again.

+			service.Annotations[ServingCertErrorAnnotation] = err.Error()

+			service.Annotations[ServingCertErrorNumAnnotation] = strconv.Itoa(getNumFailures(service) + 1)

+			_, updateErr := sc.serviceClient.Services(service.Namespace).Update(service)

+

+			// if we're past the max retries and we successfully updated, then the sync loop successfully handled this service and we want to forget it

+			if updateErr == nil && getNumFailures(service) >= sc.maxRetries {

+				return nil

+			}

+			return err

+		}

+

+		if actualSecret.Annotations[ServiceUIDAnnotation] != string(service.UID) {

+			service.Annotations[ServingCertErrorAnnotation] = fmt.Sprintf("secret/%v references serviceUID %v, which does not match %v", actualSecret.Name, actualSecret.Annotations[ServiceUIDAnnotation], service.UID)

+			service.Annotations[ServingCertErrorNumAnnotation] = strconv.Itoa(getNumFailures(service) + 1)

+			_, updateErr := sc.serviceClient.Services(service.Namespace).Update(service)

+

+			// if we're past the max retries and we successfully updated, then the sync loop successfully handled this service and we want to forget it

+			if updateErr == nil && getNumFailures(service) >= sc.maxRetries {

+				return nil

+			}

+			return errors.New(service.Annotations[ServingCertErrorAnnotation])

+		}

+	}

+

+	service.Annotations[ServingCertCreatedByAnnotation] = sc.ca.Config.Certs[0].Subject.CommonName

+	delete(service.Annotations, ServingCertErrorAnnotation)

+	delete(service.Annotations, ServingCertErrorNumAnnotation)

+	_, err = sc.serviceClient.Services(service.Namespace).Update(service)

+

+	return err

+}

+

+func getNumFailures(service *kapi.Service) int {

+	numFailuresString := service.Annotations[ServingCertErrorNumAnnotation]

+	if len(numFailuresString) == 0 {

+		return 0

+	}

+

+	numFailures, err := strconv.Atoi(numFailuresString)

+	if err != nil {

+		return 0

+	}

+	return numFailures

+}

+

+func (sc *ServiceServingCertController) requiresCertGeneration(service *kapi.Service) bool {

+	if secretName := service.Annotations[ServingCertSecretAnnotation]; len(secretName) == 0 {

+		return false

+	}

+	if getNumFailures(service) >= sc.maxRetries {

+		return false

+	}

+	if service.Annotations[ServingCertCreatedByAnnotation] == sc.ca.Config.Certs[0].Subject.CommonName {

+		return false

+	}

+

+	return true

+}

new file mode 100644

@@ -0,0 +1,419 @@

+package servingcert

+

+import (

+	"fmt"

+	"io/ioutil"

+	"reflect"

+	"testing"

+	"time"

+

+	kapi "k8s.io/kubernetes/pkg/api"

+	kapierrors "k8s.io/kubernetes/pkg/api/errors"

+	ktestclient "k8s.io/kubernetes/pkg/client/unversioned/testclient"

+	"k8s.io/kubernetes/pkg/runtime"

+	"k8s.io/kubernetes/pkg/types"

+	"k8s.io/kubernetes/pkg/watch"

+

+	"github.com/openshift/origin/pkg/cmd/server/admin"

+)

+

+func controllerSetup(startingObjects []runtime.Object, stopChannel chan struct{}, t *testing.T) ( /*caName*/ string, *ktestclient.Fake, *watch.FakeWatcher, *ServiceServingCertController) {

+	certDir, err := ioutil.TempDir("", "serving-cert-unit-")

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	caInfo := admin.DefaultServiceSignerCAInfo(certDir)

+

+	caOptions := admin.CreateSignerCertOptions{

+		CertFile: caInfo.CertFile,

+		KeyFile:  caInfo.KeyFile,

+		Name:     admin.DefaultServiceServingCertSignerName(),

+		Output:   ioutil.Discard,

+	}

+	ca, err := caOptions.CreateSignerCert()

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+

+	kubeclient := ktestclient.NewSimpleFake(startingObjects...)

+	fakeWatch := watch.NewFake()

+	kubeclient.PrependReactor("create", "*", func(action ktestclient.Action) (handled bool, ret runtime.Object, err error) {

+		return true, action.(ktestclient.CreateAction).GetObject(), nil

+	})

+	kubeclient.PrependReactor("update", "*", func(action ktestclient.Action) (handled bool, ret runtime.Object, err error) {

+		return true, action.(ktestclient.UpdateAction).GetObject(), nil

+	})

+	kubeclient.PrependWatchReactor("*", ktestclient.DefaultWatchReactor(fakeWatch, nil))

+

+	controller := NewServiceServingCertController(kubeclient, kubeclient, ca, "cluster.local", 10*time.Minute)

+

+	return caOptions.Name, kubeclient, fakeWatch, controller

+}

+

+func TestBasicControllerFlow(t *testing.T) {

+	stopChannel := make(chan struct{})

+	defer close(stopChannel)

+	received := make(chan bool)

+

+	caName, kubeclient, fakeWatch, controller := controllerSetup([]runtime.Object{}, stopChannel, t)

+	controller.syncHandler = func(serviceKey string) error {

+		defer func() { received <- true }()

+

+		err := controller.syncService(serviceKey)

+		if err != nil {

+			t.Errorf("unexpected error: %v", err)

+		}

+

+		return err

+	}

+	go controller.Run(1, stopChannel)

+

+	expectedSecretName := "new-secret"

+	serviceName := "svc-name"

+	serviceUID := "some-uid"

+	expectedServiceAnnotations := map[string]string{ServingCertSecretAnnotation: expectedSecretName, ServingCertCreatedByAnnotation: caName}

+	expectedSecretAnnotations := map[string]string{ServiceUIDAnnotation: serviceUID, ServiceNameAnnotation: serviceName}

+	namespace := "ns"

+

+	serviceToAdd := &kapi.Service{}

+	serviceToAdd.Name = serviceName

+	serviceToAdd.Namespace = namespace

+	serviceToAdd.UID = types.UID(serviceUID)

+	serviceToAdd.Annotations = map[string]string{ServingCertSecretAnnotation: expectedSecretName}

+	fakeWatch.Add(serviceToAdd)

+

+	t.Log("waiting to reach syncHandler")

+	select {

+	case <-received:

+	case <-time.After(time.Duration(10 * time.Second)):

+		t.Fatalf("failed to call into syncService")

+	}

+

+	foundSecret := false

+	foundServiceUpdate := false

+	for _, action := range kubeclient.Actions() {

+		switch {

+		case action.Matches("create", "secrets"):

+			createSecret := action.(ktestclient.CreateAction)

+			newSecret := createSecret.GetObject().(*kapi.Secret)

+			if newSecret.Name != expectedSecretName {

+				t.Errorf("expected %v, got %v", expectedSecretName, newSecret.Name)

+				continue

+			}

+			if newSecret.Namespace != namespace {

+				t.Errorf("expected %v, got %v", namespace, newSecret.Namespace)

+				continue

+			}

+			if !reflect.DeepEqual(newSecret.Annotations, expectedSecretAnnotations) {

+				t.Errorf("expected %v, got %v", expectedSecretAnnotations, newSecret.Annotations)

+				continue

+			}

+			foundSecret = true

+

+		case action.Matches("update", "services"):

+			updateService := action.(ktestclient.UpdateAction)

+			service := updateService.GetObject().(*kapi.Service)

+			if !reflect.DeepEqual(service.Annotations, expectedServiceAnnotations) {

+				t.Errorf("expected %v, got %v", expectedServiceAnnotations, service.Annotations)

+				continue

+			}

+			foundServiceUpdate = true

+

+		}

+	}

+

+	if !foundSecret {

+		t.Errorf("secret wasn't created.  Got %v\n", kubeclient.Actions())

+	}

+	if !foundServiceUpdate {

+		t.Errorf("service wasn't updated.  Got %v\n", kubeclient.Actions())

+	}

+}

+

+func TestAlreadyExistingSecretControllerFlow(t *testing.T) {

+	stopChannel := make(chan struct{})

+	defer close(stopChannel)

+	received := make(chan bool)

+

+	expectedSecretName := "new-secret"

+	serviceName := "svc-name"

+	serviceUID := "some-uid"

+	expectedSecretAnnotations := map[string]string{ServiceUIDAnnotation: serviceUID, ServiceNameAnnotation: serviceName}

+	namespace := "ns"

+

+	existingSecret := &kapi.Secret{}

+	existingSecret.Name = expectedSecretName

+	existingSecret.Namespace = namespace

+	existingSecret.Type = kapi.SecretTypeTLS

+	existingSecret.Annotations = expectedSecretAnnotations

+

+	caName, kubeclient, fakeWatch, controller := controllerSetup([]runtime.Object{existingSecret}, stopChannel, t)

+	kubeclient.PrependReactor("create", "secrets", func(action ktestclient.Action) (handled bool, ret runtime.Object, err error) {

+		return true, &kapi.Secret{}, kapierrors.NewAlreadyExists(kapi.Resource("secrets"), "new-secret")

+	})

+	controller.syncHandler = func(serviceKey string) error {

+		defer func() { received <- true }()

+

+		err := controller.syncService(serviceKey)

+		if err != nil {

+			t.Errorf("unexpected error: %v", err)

+		}

+

+		return err

+	}

+	go controller.Run(1, stopChannel)