summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Dodson <sdodson@redhat.com>2017-07-05 21:10:37 -0400
committerGitHub <noreply@github.com>2017-07-05 21:10:37 -0400
commit8334fef76beb800784085472a48aeaaae2d73470 (patch)
treedd87ad2276d90efb8e63163842d0bd6f6e3abae4
parent01f91dfe6257dc1df73df4e12ccd8db899369d27 (diff)
parent96dea4b4a63e550248eeb404360514fed6cb08b0 (diff)
downloadopenshift-8334fef76beb800784085472a48aeaaae2d73470.tar.gz
openshift-8334fef76beb800784085472a48aeaaae2d73470.tar.bz2
openshift-8334fef76beb800784085472a48aeaaae2d73470.tar.xz
openshift-8334fef76beb800784085472a48aeaaae2d73470.zip
Merge pull request #4684 from ewolinetz/service_catalog_multimaster
Addressing servicecatalog doesnt have enough permissions and multimas…
-rw-r--r--playbooks/common/openshift-cluster/service_catalog.yml12
-rw-r--r--roles/ansible_service_broker/tasks/install.yml14
-rw-r--r--roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml16
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml1
-rw-r--r--roles/openshift_service_catalog/tasks/wire_aggregator.yml107
-rw-r--r--roles/openshift_service_catalog/templates/controller_manager.j21
6 files changed, 141 insertions, 10 deletions
diff --git a/playbooks/common/openshift-cluster/service_catalog.yml b/playbooks/common/openshift-cluster/service_catalog.yml
index c42e8781a..68ca6cdbf 100644
--- a/playbooks/common/openshift-cluster/service_catalog.yml
+++ b/playbooks/common/openshift-cluster/service_catalog.yml
@@ -1,8 +1,20 @@
---
- include: evaluate_groups.yml
+- name: Update Master configs
+ hosts: oo_masters
+ tasks:
+ - block:
+ - include_role:
+ name: openshift_service_catalog
+ tasks_from: wire_aggregator
+ vars:
+ first_master: "{{ groups.oo_first_master[0] }}"
+
- name: Service Catalog
hosts: oo_first_master
roles:
- openshift_service_catalog
- ansible_service_broker
+ vars:
+ first_master: "{{ groups.oo_first_master[0] }}"
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index 81c3f8e5b..9c3379291 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -48,13 +48,13 @@
namespace: openshift-ansible-service-broker
state: present
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: asb
ports:
- name: port-1338
port: 1338
selector:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: asb
- name: create etcd service
@@ -66,7 +66,7 @@
- name: etcd-advertise
port: 2379
selector:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
- name: create route for ansible-service-broker service
@@ -118,12 +118,12 @@
name: etcd
namespace: openshift-ansible-service-broker
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
spec:
selector:
matchLabels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
strategy:
type: RollingUpdate
@@ -134,7 +134,7 @@
template:
metadata:
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
service: etcd
spec:
restartPolicy: Always
@@ -266,4 +266,4 @@
metadata:
name: ansible-service-broker
spec:
- url: http://{{ ansible_service_broker_route }}
+ url: http://asb.openshift-ansible-service-broker.svc:1338
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 880146ca4..ebefaeaba 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -115,6 +115,22 @@ objects:
- bindings/status
verbs:
- update
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - brokers
+ - instances
+ - bindings
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - patch
+ - create
- kind: ClusterRoleBinding
apiVersion: v1
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 6e8301ffe..1342c3d30 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -6,7 +6,6 @@
register: mktemp
changed_when: False
-
- include: wire_aggregator.yml
- name: Set default image variables based on deployment_type
diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml
index 3e5897ba4..b8b8d0863 100644
--- a/roles/openshift_service_catalog/tasks/wire_aggregator.yml
+++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml
@@ -1,16 +1,82 @@
---
+- name: Make temp cert dir
+ command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
+ register: certtemp
+ changed_when: False
+
+- name: Check for First Master Aggregator Signer cert
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: first_proxy_ca_crt
+ changed_when: false
+ delegate_to: "{{ first_master }}"
+
+- name: Check for First Master Aggregator Signer key
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: first_proxy_ca_key
+ changed_when: false
+ delegate_to: "{{ first_master }}"
+
+
# TODO: this currently has a bug where hostnames are required
-- name: Creating Aggregator signer certs
+- name: Creating First Master Aggregator signer certs
command: >
oc adm ca create-signer-cert
--cert=/etc/origin/master/front-proxy-ca.crt
--key=/etc/origin/master/front-proxy-ca.key
--serial=/etc/origin/master/ca.serial.txt
+ delegate_to: "{{ first_master }}"
+ when:
+ - not first_proxy_ca_crt.stat.exists
+ - not first_proxy_ca_key.stat.exists
+
+- name: Check for Aggregator Signer cert
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: proxy_ca_crt
+ changed_when: false
+
+- name: Check for Aggregator Signer key
+ stat:
+ path: /etc/origin/master/front-proxy-ca.crt
+ register: proxy_ca_key
+ changed_when: false
+
+- name: Copy Aggregator Signer certs from first master
+ fetch:
+ src: "/etc/origin/master/{{ item }}"
+ dest: "{{ certtemp.stdout }}/{{ item }}"
+ with_items:
+ - front-proxy-ca.crt
+ - front-proxy-ca.key
+ delegate_to: "{{ first_master }}"
+ when:
+ - not proxy_ca_key.stat.exists
+ - not proxy_ca_crt.stat.exists
+
+- name: Copy Aggregator Signer certs to host
+ copy:
+ src: "{{ certtemp.stdout }}/{{ item }}"
+ dest: "/etc/origin/master/{{ item }}"
+ with_items:
+ - front-proxy-ca.crt
+ - front-proxy-ca.key
+ when:
+ - not proxy_ca_key.stat.exists
+ - not proxy_ca_crt.stat.exists
+
# oc_adm_ca_server_cert:
# cert: /etc/origin/master/front-proxy-ca.crt
# key: /etc/origin/master/front-proxy-ca.key
-- name: Create api-client config for Aggregator
+- name: Check for first master api-client config
+ stat:
+ path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+ register: first_front_proxy_kubeconfig
+ delegate_to: "{{ first_master }}"
+
+- name: Create first master api-client config for Aggregator
command: >
oc adm create-api-client-config
--certificate-authority=/etc/origin/master/front-proxy-ca.crt
@@ -19,6 +85,37 @@
--user aggregator-front-proxy
--client-dir=/etc/origin/master
--signer-serial=/etc/origin/master/ca.serial.txt
+ delegate_to: "{{ first_master }}"
+ when:
+ - not first_front_proxy_kubeconfig.stat.exists
+
+- name: Check for api-client config
+ stat:
+ path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+ register: front_proxy_kubeconfig
+
+- name: Copy api-client config from first master
+ fetch:
+ src: "/etc/origin/master/{{ item }}"
+ dest: "{{ certtemp.stdout }}/{{ item }}"
+ delegate_to: "{{ first_master }}"
+ with_items:
+ - aggregator-front-proxy.crt
+ - aggregator-front-proxy.key
+ - aggregator-front-proxy.kubeconfig
+ when:
+ - not front_proxy_kubeconfig.stat.exists
+
+- name: Copy api-client config to host
+ copy:
+ src: "{{ certtemp.stdout }}/{{ item }}"
+ dest: "/etc/origin/master/{{ item }}"
+ with_items:
+ - aggregator-front-proxy.crt
+ - aggregator-front-proxy.key
+ - aggregator-front-proxy.kubeconfig
+ when:
+ - not front_proxy_kubeconfig.stat.exists
- name: Update master config
yedit:
@@ -84,3 +181,9 @@
changed_when: false
when:
- yedit_output.changed
+
+- name: Delete temp directory
+ file:
+ name: "{{ certtemp.stdout }}"
+ state: absent
+ changed_when: False
diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2
index 33932eeb7..1bbc0fa2c 100644
--- a/roles/openshift_service_catalog/templates/controller_manager.j2
+++ b/roles/openshift_service_catalog/templates/controller_manager.j2
@@ -17,6 +17,7 @@ spec:
labels:
app: controller-manager
spec:
+ serviceAccountName: service-catalog-controller
nodeSelector:
{% for key, value in node_selector.iteritems() %}
{{key}}: "{{value}}"