| author | Jason DeTiberus <jdetiber@redhat.com> | 2016-02-03 16:27:30 -0500 | 
|---|---|---|
| committer | Jason DeTiberus <jdetiber@redhat.com> | 2016-02-09 15:51:35 -0500 | 
| commit | d30acfb23637525cf79cd05c94d0d3c900cc4b88 (patch) | |
| tree | 8b92294835b3c945e246fa09cbb70b0a50d7b07a | |
| parent | 34455e0f4f2d4b6ea0b21703f711448e947bf0c7 (diff) | |
openshift_serviceaccounts updates
- make service account creation more flexible
- create service accounts near where they are consumed
| -rw-r--r-- | playbooks/common/openshift-master/config.yml | 25 | ||||
| -rw-r--r-- | roles/openshift_serviceaccounts/meta/main.yml | 15 | ||||
| -rw-r--r-- | roles/openshift_serviceaccounts/tasks/main.yml | 59 | ||||
| -rw-r--r-- | roles/openshift_serviceaccounts/templates/serviceaccount.j2 | 2 | 
4 files changed, 60 insertions, 41 deletions
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 648a63150..a4da68573 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -405,19 +405,11 @@
   - file: name={{ g_master_mktemp.stdout }} state=absent
     changed_when: False
-- name: Configure service accounts
-  hosts: oo_first_master
-  vars:
-  roles:
-  - openshift_serviceaccounts
-
-- name: Create persistent volumes and services
+- name: Create persistent volumes
   hosts: oo_first_master
   vars:
     persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}"
     persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}"
-    attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}"
-    deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}"
   pre_tasks:
   - set_fact:
       nfs_host: "{{ groups.oo_nfs_to_config.0 }}"
@@ -426,6 +418,21 @@
   roles:
   - role: openshift_persistent_volumes
     when: persistent_volumes | length > 0 or persistent_volume_claims | length > 0
+
+- name: Create hosted infrastructure services
+  hosts: oo_first_master
+  vars:
+    accounts: ["router", "registry"]
+    attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}"
+    deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}"
+  roles:
+  - role: openshift_serviceaccounts
+    openshift_serviceaccounts_names:
+    - router
+    - registry
+    openshift_serviceaccounts_namespace: default
+    openshift_serviceaccounts_sccs:
+    - privileged
   - role: openshift_router
     when: deploy_infra | bool
   - role: openshift_registry
diff --git a/roles/openshift_serviceaccounts/meta/main.yml b/roles/openshift_serviceaccounts/meta/main.yml
new file mode 100644
index 000000000..a2c9fee70
--- /dev/null
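Review bot: The new "Create hosted infrastructure services" play still defines `accounts: ["router", "registry"]` in its vars alongside the role parameter `openshift_serviceaccounts_names`, which now carries the same list; the serviceaccounts role no longer reads `accounts` (its tasks iterate `openshift_serviceaccounts_names`), so unless openshift_router or openshift_registry consume it — not visible here — the variable is dead and the two lists can silently drift apart. Dropping `accounts`, or deriving `openshift_serviceaccounts_names` from it, keeps one source of truth. Both accounts are also placed in the `privileged` SCC through the single `openshift_serviceaccounts_sccs` list; if only the router needs host-level privileges, a per-account SCC mapping would let the registry account stay at a lower privilege level — worth confirming against what the registry deployment actually requires.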
+++ b/roles/openshift_serviceaccounts/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: OpenShift Operations
+  description: OpenShift Service Accounts
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- { role: openshift_facts }
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
index 4c7faa6fe..5fe7d28f3 100644
--- a/roles/openshift_serviceaccounts/tasks/main.yml
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -1,36 +1,33 @@
-- name: tmp dir for openshift
-  file:
-    path: /tmp/openshift
-    state: directory
-    owner: root
-    mode: 700
-
-- name: Create service account configs
-  template:
-    src: serviceaccount.j2
-    dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
-  with_items: accounts
-
-- name: Create {{ item }} service account
+- name: test if service accounts exists
   command: >
-    {{ openshift.common.client_binary }} create -f "/tmp/openshift/{{ item }}-serviceaccount.yaml"
-  with_items: accounts
-  register: _sa_result
-  failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
-  changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"
+      {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }}
+  with_items: openshift_serviceaccounts_names
+  failed_when: false
+  changed_when: false
+  register: account_test
-- name: Get current security context constraints
+- name: create the service account
   shell: >
-    {{ openshift.common.client_binary }} get scc privileged -o yaml
-    --output-version=v1 > /tmp/openshift/scc.yaml
-  changed_when: false
+       echo {{ lookup('template', '../templates/serviceaccount.j2')
+               | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }}  create -f -
+  when: item.1.rc != 0
+  with_together:
+  - openshift_serviceaccounts_names
+  - account_test.results
-- name: Add security context constraint for {{ item }}
-  lineinfile:
-    dest: /tmp/openshift/scc.yaml
-    line: "- system:serviceaccount:default:{{ item }}"
-    insertafter: "^users:$"
-  with_items: accounts
+- name: test if scc needs to be updated
+  command: >
+      {{ openshift.common.client_binary }} get scc {{ item }} -o yaml
+  changed_when: false
+  failed_when: false
+  register: scc_test
+  with_items: openshift_serviceaccounts_sccs
-- name: Apply new scc rules for service accounts
-  command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
+- name: Grant the user access to the privileged scc
+  command: >
+      {{ openshift.common.admin_binary }} policy add-scc-to-user
+      privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
+  when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
+  with_nested:
+  - openshift_serviceaccounts_names
+  - scc_test.results
diff --git a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
index 931e249f9..c5f12421f 100644
--- a/roles/openshift_serviceaccounts/templates/serviceaccount.j2
+++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ item }}
+  name: {{ item.0 }}
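Review bot: The "Grant the user access to the privileged scc" task loops `with_nested` over `scc_test.results`, which was registered per entry of `openshift_serviceaccounts_sccs`, yet the `add-scc-to-user` command hard-codes `privileged`, so any additional SCC in that list would only produce further grants to `privileged` rather than to the SCC that was inspected. The inspected SCC name is available on the registered result as its loop item; `{{ item.1.item }} system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}` in the command (and a matching name such as `Grant access to the {{ item.1.item }} scc`) ties each grant to the SCC whose `users` list was actually checked. The `when:` also dereferences `.users` directly on the parsed SCC; if `oc get scc -o yaml` returns `users: null` or omits the key, the `not in` test errors instead of granting, so `((item.1.stdout | from_yaml).users | default([]))` is the safer form, and Ansible warns about the `{{ }}` delimiters inside a `when` expression, which is already templated as a whole.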
