| -rw-r--r-- | filter_plugins/oo_filters.py | 18 | ||||
| -rw-r--r-- | inventory/byo/hosts.origin.example | 7 | ||||
| -rw-r--r-- | inventory/byo/hosts.ose.example | 7 | ||||
| -rw-r--r-- | roles/openshift_hosted/templates/registry_config.j2 | 5 | ||||
| -rw-r--r-- | roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml | 6 | ||||
| -rw-r--r-- | roles/openshift_service_catalog/tasks/install.yml | 16 | 
6 files changed, 55 insertions, 4 deletions
| diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index cff9f8a60..c6d0e69eb 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -1009,6 +1009,21 @@ def oo_random_word(length, source='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
     return ''.join(random.choice(source) for i in range(length))
+def oo_contains_rule(source, apiGroups, resources, verbs):
+    '''Return true if the specified rule is contained within the provided source'''
+
+    rules = source['rules']
+
+    if rules:
+        for rule in rules:
+            if set(rule['apiGroups']) == set(apiGroups):
+                if set(rule['resources']) == set(resources):
+                    if set(rule['verbs']) == set(verbs):
+                        return True
+
+    return False
+
+
 class FilterModule(object):
     """ Custom ansible filter mapping """
@@ -1049,5 +1064,6 @@ class FilterModule(object):
             "oo_openshift_loadbalancer_frontends": oo_openshift_loadbalancer_frontends,
             "oo_openshift_loadbalancer_backends": oo_openshift_loadbalancer_backends,
             "to_padded_yaml": to_padded_yaml,
-            "oo_random_word": oo_random_word
+            "oo_random_word": oo_random_word,
+            "oo_contains_rule": oo_contains_rule
         }
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index 7f005a931..474f2cc84 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
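Review bot: `oo_contains_rule` indexes `rule['apiGroups']`, `rule['resources']` and `rule['verbs']` directly, so a ClusterRole carrying a rule that omits one of those keys (Kubernetes permits `nonResourceURLs` rules with no `resources` or `apiGroups`) makes the filter raise KeyError and abort the play instead of answering false, and `source['rules']` fails the same way for a role with no `rules` key. The docstring promises containment, but the three `set(...) ==` comparisons test exact equality, so a rule that already grants a superset of the requested verbs is reported as absent and the callers in install.yml will re-patch the role on every run; if exact matching is intended the docstring should say so. The redundant `if rules:` guard and the three nested `if`s collapse into one loop using `.get()`, as below, with the name, parameters and return values unchanged.
```python
def oo_contains_rule(source, apiGroups, resources, verbs):
    '''Return True if source['rules'] holds a rule whose apiGroups, resources
    and verbs are exactly (as sets) the ones given.  Rules missing any of
    those keys, and a source with no 'rules', are treated as no match
    rather than raising KeyError.'''
    for rule in source.get('rules') or []:
        if (set(rule.get('apiGroups', [])) == set(apiGroups)
                and set(rule.get('resources', [])) == set(resources)
                and set(rule.get('verbs', [])) == set(verbs)):
            return True
    return False
```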
@@ -468,6 +468,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # S3 bucket must already exist.
 #openshift_hosted_registry_storage_kind=object
 #openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_encrypt=false
+#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id
 #openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
 #openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
 #openshift_hosted_registry_storage_s3_bucket=bucket_name
@@ -552,6 +554,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Configure the prefix and version for the component images
 #openshift_hosted_metrics_deployer_prefix=docker.io/openshift/origin-
 #openshift_hosted_metrics_deployer_version=3.6.0
+#
+# StorageClass
+# openshift_storageclass_name=gp2
+# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': false}
+#
 # Logging deployment
 #
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index a6d2cbb41..cde35499a 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -468,6 +468,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # S3 bucket must already exist.
 #openshift_hosted_registry_storage_kind=object
 #openshift_hosted_registry_storage_provider=s3
+#openshift_hosted_registry_storage_s3_encrypt=false
+#openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id
 #openshift_hosted_registry_storage_s3_accesskey=aws_access_key_id
 #openshift_hosted_registry_storage_s3_secretkey=aws_secret_access_key
 #openshift_hosted_registry_storage_s3_bucket=bucket_name
@@ -552,6 +554,11 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 # Configure the prefix and version for the component images
 #openshift_hosted_metrics_deployer_prefix=registry.example.com:8888/openshift3/
 #openshift_hosted_metrics_deployer_version=3.6.0
+#
+# StorageClass
+# openshift_storageclass_name=gp2
+# openshift_storageclass_parameters={'type': 'gp2', 'encrypted': false}
+#
 # Logging deployment
 #
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index dc8a9f089..9673841bf 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -21,7 +21,10 @@ storage:
     regionendpoint: {{ openshift_hosted_registry_storage_s3_regionendpoint }}
 {%   endif %}
     bucket: {{ openshift_hosted_registry_storage_s3_bucket }}
-    encrypt: false
+    encrypt: {{ openshift_hosted_registry_storage_s3_encrypt | default(false) }}
+{% if openshift_hosted_registry_storage_s3_kmskeyid %}
+    keyid: {{ openshift_hosted_registry_storage_s3_kmskeyid }}
+{% endif %}
     secure: true
     v4auth: true
     rootdirectory: {{ openshift_hosted_registry_storage_s3_rootdirectory | default('/registry') }}
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 2e0dcfd97..bcc7fb590 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -137,6 +137,12 @@ objects:
     - serviceclasses
     verbs:
     - create
+  - apiGroups:
+    - settings.k8s.io
+    resources:
+    - podpresets
+    verbs:
+    - create
 - kind: ClusterRoleBinding
   apiVersion: v1
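Review bot: In the registry_config.j2 hunk the new `{% if openshift_hosted_registry_storage_s3_kmskeyid %}` test is not protected the way the `encrypt` line is with `| default(false)`, so under Ansible's default strict handling of undefined variables the template is likely to fail whenever the inventory leaves the new variable unset — which is exactly what the shipped hosts.*.example files do, since the line is commented out there; `{% if openshift_hosted_registry_storage_s3_kmskeyid is defined and openshift_hosted_registry_storage_s3_kmskeyid %}` keeps the block optional. Separately, `keyid` is emitted regardless of the value of `encrypt`, and the registry's S3 storage driver documentation states that the key id is ignored unless `encrypt` is true (worth confirming against the registry version in use), so an operator who sets only the KMS key id gets unencrypted objects with no warning; either nest the `keyid` block inside a check on `openshift_hosted_registry_storage_s3_encrypt`, or at least add `{# keyid only takes effect when encrypt is true #}` above it.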
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index de7511f71..4d1a38e61 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -72,16 +72,22 @@
     state: list
   register: edit_yaml
+# only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/edit
   template:
     src: sc_role_patching.j2
     dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
   vars:
     original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
+  when:
+    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
 - name: update edit role for service catalog and pod preset access
   command: >
-    oc apply -f {{ mktemp.stdout }}/edit_sc_patch.yml
+    oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
+  when:
+    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 - oc_obj:
     name: admin
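Review bot: The same long `when:` expression is pasted four times — twice in this hunk for the edit role and twice in the admin hunk at `@@ -89,16 +95,22 @@` — so the template task and the `oc replace` task that consumes its output are guarded by two copies that can drift apart, and a typo in one copy would either render a file nobody applies or replace the clusterrole from a file that was never written. Computing the answer once with `set_fact` and referencing it from both tasks keeps them in lock-step; the admin hunk needs the same treatment with `admin_yaml`. Both conditions also index `results.results[0]` unguarded, so an empty result from the preceding `oc_obj` lookup fails the task rather than skipping it — probably acceptable if these clusterroles always exist, but a comment saying so would help the next reader. Note too that `oo_contains_rule` tests exact set equality, so a role that already carries a superset of these verbs is replaced again on every run; the `# only do this if we don't already have the updated role info` comments should say "exactly matching" rather than imply a containment check.
```yaml
- set_fact:
    edit_role_needs_update: >-
      {{ not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
         or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) }}

# … unchanged: "Generate apply template for clusterrole/edit" task body …
  when: edit_role_needs_update

# … unchanged: "update edit role for service catalog and pod preset access" task body …
  when: edit_role_needs_update
```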
@@ -89,16 +95,22 @@
     state: list
   register: admin_yaml
+# only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/admin
   template:
     src: sc_role_patching.j2
     dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
   vars:
     original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
+  when:
+    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
 - name: update admin role for service catalog and pod preset access
   command: >
-    oc apply -f {{ mktemp.stdout }}/admin_sc_patch.yml
+    oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
+  when:
+    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 - shell: >
     oc get policybindings/kube-system:default -n kube-system || echo "not found" |
