diff options
author | Scott Dodson <sdodson@redhat.com> | 2017-07-05 21:10:37 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-07-05 21:10:37 -0400 |
commit | 8334fef76beb800784085472a48aeaaae2d73470 (patch) | |
tree | dd87ad2276d90efb8e63163842d0bd6f6e3abae4 | |
parent | 01f91dfe6257dc1df73df4e12ccd8db899369d27 (diff) | |
parent | 96dea4b4a63e550248eeb404360514fed6cb08b0 (diff) | |
download | openshift-8334fef76beb800784085472a48aeaaae2d73470.tar.gz openshift-8334fef76beb800784085472a48aeaaae2d73470.tar.bz2 openshift-8334fef76beb800784085472a48aeaaae2d73470.tar.xz openshift-8334fef76beb800784085472a48aeaaae2d73470.zip |
Merge pull request #4684 from ewolinetz/service_catalog_multimaster
Addressing servicecatalog doesnt have enough permissions and multimas…
6 files changed, 141 insertions, 10 deletions
diff --git a/playbooks/common/openshift-cluster/service_catalog.yml b/playbooks/common/openshift-cluster/service_catalog.yml index c42e8781a..68ca6cdbf 100644 --- a/playbooks/common/openshift-cluster/service_catalog.yml +++ b/playbooks/common/openshift-cluster/service_catalog.yml @@ -1,8 +1,20 @@ --- - include: evaluate_groups.yml +- name: Update Master configs + hosts: oo_masters + tasks: + - block: + - include_role: + name: openshift_service_catalog + tasks_from: wire_aggregator + vars: + first_master: "{{ groups.oo_first_master[0] }}" + - name: Service Catalog hosts: oo_first_master roles: - openshift_service_catalog - ansible_service_broker + vars: + first_master: "{{ groups.oo_first_master[0] }}" diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index 81c3f8e5b..9c3379291 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -48,13 +48,13 @@ namespace: openshift-ansible-service-broker state: present labels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: asb ports: - name: port-1338 port: 1338 selector: - app: ansible-service-broker + app: openshift-ansible-service-broker service: asb - name: create etcd service @@ -66,7 +66,7 @@ - name: etcd-advertise port: 2379 selector: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd - name: create route for ansible-service-broker service @@ -118,12 +118,12 @@ name: etcd namespace: openshift-ansible-service-broker labels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd spec: selector: matchLabels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd strategy: type: RollingUpdate @@ -134,7 +134,7 @@ template: metadata: labels: - app: ansible-service-broker + app: openshift-ansible-service-broker service: etcd spec: restartPolicy: Always @@ -266,4 +266,4 @@ metadata: name: ansible-service-broker spec: - url: http://{{ ansible_service_broker_route }} + url: http://asb.openshift-ansible-service-broker.svc:1338 diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml index 880146ca4..ebefaeaba 100644 --- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml @@ -115,6 +115,22 @@ objects: - bindings/status verbs: - update + - apiGroups: + - servicecatalog.k8s.io + resources: + - brokers + - instances + - bindings + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - patch + - create - kind: ClusterRoleBinding apiVersion: v1 diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 6e8301ffe..1342c3d30 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -6,7 +6,6 @@ register: mktemp changed_when: False - - include: wire_aggregator.yml - name: Set default image variables based on deployment_type diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml index 3e5897ba4..b8b8d0863 100644 --- a/roles/openshift_service_catalog/tasks/wire_aggregator.yml +++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml @@ -1,16 +1,82 @@ --- +- name: Make temp cert dir + command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX + register: certtemp + changed_when: False + +- name: Check for First Master Aggregator Signer cert + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: first_proxy_ca_crt + changed_when: false + delegate_to: "{{ first_master }}" + +- name: Check for First Master Aggregator Signer key + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: first_proxy_ca_key + changed_when: false + delegate_to: "{{ first_master }}" + + # TODO: this currently has a bug where hostnames are required -- name: Creating Aggregator signer certs +- name: Creating First Master Aggregator signer certs command: > oc adm ca create-signer-cert --cert=/etc/origin/master/front-proxy-ca.crt --key=/etc/origin/master/front-proxy-ca.key --serial=/etc/origin/master/ca.serial.txt + delegate_to: "{{ first_master }}" + when: + - not first_proxy_ca_crt.stat.exists + - not first_proxy_ca_key.stat.exists + +- name: Check for Aggregator Signer cert + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: proxy_ca_crt + changed_when: false + +- name: Check for Aggregator Signer key + stat: + path: /etc/origin/master/front-proxy-ca.crt + register: proxy_ca_key + changed_when: false + +- name: Copy Aggregator Signer certs from first master + fetch: + src: "/etc/origin/master/{{ item }}" + dest: "{{ certtemp.stdout }}/{{ item }}" + with_items: + - front-proxy-ca.crt + - front-proxy-ca.key + delegate_to: "{{ first_master }}" + when: + - not proxy_ca_key.stat.exists + - not proxy_ca_crt.stat.exists + +- name: Copy Aggregator Signer certs to host + copy: + src: "{{ certtemp.stdout }}/{{ item }}" + dest: "/etc/origin/master/{{ item }}" + with_items: + - front-proxy-ca.crt + - front-proxy-ca.key + when: + - not proxy_ca_key.stat.exists + - not proxy_ca_crt.stat.exists + # oc_adm_ca_server_cert: # cert: /etc/origin/master/front-proxy-ca.crt # key: /etc/origin/master/front-proxy-ca.key -- name: Create api-client config for Aggregator +- name: Check for first master api-client config + stat: + path: /etc/origin/master/aggregator-front-proxy.kubeconfig + register: first_front_proxy_kubeconfig + delegate_to: "{{ first_master }}" + +- name: Create first master api-client config for Aggregator command: > oc adm create-api-client-config --certificate-authority=/etc/origin/master/front-proxy-ca.crt @@ -19,6 +85,37 @@ --user aggregator-front-proxy --client-dir=/etc/origin/master --signer-serial=/etc/origin/master/ca.serial.txt + delegate_to: "{{ first_master }}" + when: + - not first_front_proxy_kubeconfig.stat.exists + +- name: Check for api-client config + stat: + path: /etc/origin/master/aggregator-front-proxy.kubeconfig + register: front_proxy_kubeconfig + +- name: Copy api-client config from first master + fetch: + src: "/etc/origin/master/{{ item }}" + dest: "{{ certtemp.stdout }}/{{ item }}" + delegate_to: "{{ first_master }}" + with_items: + - aggregator-front-proxy.crt + - aggregator-front-proxy.key + - aggregator-front-proxy.kubeconfig + when: + - not front_proxy_kubeconfig.stat.exists + +- name: Copy api-client config to host + copy: + src: "{{ certtemp.stdout }}/{{ item }}" + dest: "/etc/origin/master/{{ item }}" + with_items: + - aggregator-front-proxy.crt + - aggregator-front-proxy.key + - aggregator-front-proxy.kubeconfig + when: + - not front_proxy_kubeconfig.stat.exists - name: Update master config yedit: @@ -84,3 +181,9 @@ changed_when: false when: - yedit_output.changed + +- name: Delete temp directory + file: + name: "{{ certtemp.stdout }}" + state: absent + changed_when: False diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2 index 33932eeb7..1bbc0fa2c 100644 --- a/roles/openshift_service_catalog/templates/controller_manager.j2 +++ b/roles/openshift_service_catalog/templates/controller_manager.j2 @@ -17,6 +17,7 @@ spec: labels: app: controller-manager spec: + serviceAccountName: service-catalog-controller nodeSelector: {% for key, value in node_selector.iteritems() %} {{key}}: "{{value}}" |