summaryrefslogtreecommitdiffstats
path: root/roles/ansible_service_broker/tasks/install.yml
diff options
context:
space:
mode:
Diffstat (limited to 'roles/ansible_service_broker/tasks/install.yml')
-rw-r--r--roles/ansible_service_broker/tasks/install.yml415
1 files changed, 307 insertions, 108 deletions
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
index b3797ef96..ff90f59a3 100644
--- a/roles/ansible_service_broker/tasks/install.yml
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -17,10 +17,13 @@
ansible_service_broker_etcd_image_etcd_path: "{{ ansible_service_broker_etcd_image_etcd_path | default(__ansible_service_broker_etcd_image_etcd_path) }}"
ansible_service_broker_registry_type: "{{ ansible_service_broker_registry_type | default(__ansible_service_broker_registry_type) }}"
+ ansible_service_broker_registry_name: "{{ ansible_service_broker_registry_name | default(__ansible_service_broker_registry_name) }}"
ansible_service_broker_registry_url: "{{ ansible_service_broker_registry_url | default(__ansible_service_broker_registry_url) }}"
ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}"
ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}"
ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}"
+ ansible_service_broker_registry_tag: "{{ ansible_service_broker_registry_tag | default(__ansible_service_broker_registry_tag) }}"
+ ansible_service_broker_registry_whitelist: "{{ ansible_service_broker_registry_whitelist | default(__ansible_service_broker_registry_whitelist) }}"
- name: set ansible-service-broker image facts using set prefix and tag
set_fact:
@@ -29,6 +32,7 @@
- include: validate_facts.yml
+- include: generate_certs.yml
# Deployment of ansible-service-broker starts here
- name: create openshift-ansible-service-broker project
@@ -42,53 +46,177 @@
namespace: openshift-ansible-service-broker
state: present
-- name: Set SA cluster-role
+- name: create ansible-service-broker client serviceaccount
+ oc_serviceaccount:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ state: present
+
+- name: Create asb-auth cluster role
+ oc_clusterrole:
+ state: present
+ name: asb-auth
+ rules:
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["create", "delete"]
+ - apiGroups: ["authorization.openshift.io"]
+ resources: ["subjectrulesreview"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["image.openshift.io", ""]
+ resources: ["images"]
+ verbs: ["get", "list"]
+
+- name: Create asb-access cluster role
+ oc_clusterrole:
+ state: present
+ name: asb-access
+ rules:
+ - nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"]
+ verbs: ["get", "post", "put", "patch", "delete"]
+
+- name: Bind admin cluster-role to asb serviceaccount
oc_adm_policy_user:
state: present
- namespace: "openshift-ansible-service-broker"
resource_kind: cluster-role
resource_name: admin
user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+- name: Bind auth cluster role to asb service account
+ oc_adm_policy_user:
+ state: present
+ resource_kind: cluster-role
+ resource_name: asb-auth
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
+- name: Bind asb-access role to asb-client service account
+ oc_adm_policy_user:
+ state: present
+ resource_kind: cluster-role
+ resource_name: asb-access
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"
+
+- name: create asb-client token secret
+ oc_obj:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ state: present
+ kind: Secret
+ content:
+ path: /tmp/asbclientsecretout
+ data:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ annotations:
+ kubernetes.io/service-account.name: asb-client
+ type: kubernetes.io/service-account-token
+
+- name: Create etcd-auth secret
+ oc_secret:
+ name: etcd-auth-secret
+ namespace: openshift-ansible-service-broker
+ contents:
+ - path: ca.crt
+ data: '{{ etcd_ca_cert }}'
+
+- name: Create broker-etcd-auth secret
+ oc_secret:
+ name: broker-etcd-auth-secret
+ namespace: openshift-ansible-service-broker
+ contents:
+ - path: client.crt
+ data: '{{ etcd_client_cert }}'
+ - path: client.key
+ data: '{{ etcd_client_key }}'
+
+- oc_secret:
+ state: list
+ namespace: openshift-ansible-service-broker
+ name: asb-client
+ register: asb_client_secret
+
+- set_fact:
+ service_ca_crt: "{{ asb_client_secret.results.results.0.data['service-ca.crt'] }}"
+
+# Using oc_obj because oc_service doesn't seem to allow annotations
+# TODO: Extend oc_service to allow annotations
- name: create ansible-service-broker service
- oc_service:
+ oc_obj:
name: asb
namespace: openshift-ansible-service-broker
state: present
- labels:
- app: openshift-ansible-service-broker
- service: asb
- ports:
- - name: port-1338
- port: 1338
- selector:
- app: openshift-ansible-service-broker
- service: asb
+ kind: Service
+ content:
+ path: /tmp/asbsvcout
+ data:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: asb
+ namespace: openshift-ansible-service-broker
+ labels:
+ app: openshift-ansible-service-broker
+ service: asb
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: asb-tls
+ spec:
+ ports:
+ - name: port-1338
+ port: 1338
+ targetPort: 1338
+ protocol: TCP
+ selector:
+ app: openshift-ansible-service-broker
+ service: asb
-- name: create etcd service
- oc_service:
- name: etcd
+- name: create asb-etcd service
+ oc_obj:
+ name: asb-etcd
namespace: openshift-ansible-service-broker
state: present
- ports:
- - name: etcd-advertise
- port: 2379
- selector:
- app: openshift-ansible-service-broker
- service: etcd
+ kind: Service
+ content:
+ path: /tmp/asbetcdsvcout
+ data:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: asb-etcd
+ labels:
+ app: etcd
+ service: asb-etcd
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: etcd-tls
+ spec:
+ ports:
+ - name: port-2379
+ port: 2379
+ targetPort: 2379
+ protocol: TCP
+ selector:
+ app: etcd
+ service: asb-etcd
- name: create route for ansible-service-broker service
oc_route:
name: asb-1338
namespace: openshift-ansible-service-broker
state: present
+ labels:
+ app: openshift-ansible-service-broker
+ service: asb
service_name: asb
port: 1338
- register: asb_route_out
-
-- name: get ansible-service-broker route name
- set_fact:
- ansible_service_broker_route: "{{ asb_route_out.results.results[0].spec.host }}"
+ tls_termination: Reencrypt
- name: create persistent volume claim for etcd
oc_obj:
@@ -97,7 +225,7 @@
state: present
kind: PersistentVolumeClaim
content:
- path: /tmp/dcout
+ path: /tmp/pvcout
data:
apiVersion: v1
kind: PersistentVolumeClaim
@@ -111,116 +239,149 @@
requests:
storage: 1Gi
-- name: create etcd deployment
+- name: Create Ansible Service Broker deployment config
oc_obj:
- name: etcd
+ name: asb
namespace: openshift-ansible-service-broker
state: present
- kind: Deployment
+ kind: DeploymentConfig
content:
path: /tmp/dcout
data:
- apiVersion: extensions/v1beta1
- kind: Deployment
+ apiVersion: v1
+ kind: DeploymentConfig
metadata:
- name: etcd
- namespace: openshift-ansible-service-broker
+ name: asb
labels:
app: openshift-ansible-service-broker
- service: etcd
+ service: asb
spec:
+ replicas: 1
selector:
- matchLabels:
- app: openshift-ansible-service-broker
- service: etcd
+ app: openshift-ansible-service-broker
strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 1
- replicas: 1
+ type: Rolling
template:
metadata:
labels:
app: openshift-ansible-service-broker
- service: etcd
+ service: asb
spec:
- restartPolicy: Always
+ serviceAccount: asb
containers:
- - image: "{{ ansible_service_broker_etcd_image }}"
- name: etcd
+ - image: "{{ ansible_service_broker_image }}"
+ name: asb
imagePullPolicy: IfNotPresent
- terminationMessagePath: /tmp/termination-log
- workingDir: /etcd
- args:
- - '{{ ansible_service_broker_etcd_image_etcd_path }}'
- - --data-dir=/data
- - "--listen-client-urls=http://0.0.0.0:2379"
- - "--advertise-client-urls=http://0.0.0.0:2379"
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/ansible-service-broker
+ - name: asb-tls
+ mountPath: /etc/tls/private
+ - name: asb-etcd-auth
+ mountPath: /var/run/asb-etcd-auth
ports:
- - containerPort: 2379
+ - containerPort: 1338
protocol: TCP
env:
- - name: ETCDCTL_API
- value: "3"
- volumeMounts:
- - mountPath: /data
- name: etcd
+ - name: BROKER_CONFIG
+ value: /etc/ansible-service-broker/config.yaml
+ resources: {}
+ terminationMessagePath: /tmp/termination-log
+ readinessProbe:
+ httpGet:
+ port: 1338
+ path: /healthz
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ timeoutSeconds: 1
+ livenessProbe:
+ httpGet:
+ port: 1338
+ path: /healthz
+ scheme: HTTPS
+ initialDelaySeconds: 15
+ timeoutSeconds: 1
volumes:
- - name: etcd
- persistentVolumeClaim:
- claimName: etcd
+ - name: config-volume
+ configMap:
+ name: broker-config
+ items:
+ - key: broker-config
+ path: config.yaml
+ - name: asb-tls
+ secret:
+ secretName: asb-tls
+ - name: asb-etcd-auth
+ secret:
+ secretName: broker-etcd-auth-secret
-- name: create ansible-service-broker deployment
+- name: Create asb-etcd deployment config
oc_obj:
- name: asb
+ name: etcd
namespace: openshift-ansible-service-broker
state: present
- kind: Deployment
+ kind: DeploymentConfig
content:
path: /tmp/dcout
data:
- apiVersion: extensions/v1beta1
- kind: Deployment
+ apiVersion: v1
+ kind: DeploymentConfig
metadata:
- name: asb
- namespace: openshift-ansible-service-broker
+ name: asb-etcd
labels:
- app: openshift-ansible-service-broker
- service: asb
+ app: etcd
+ service: asb-etcd
spec:
- strategy:
- type: Recreate
replicas: 1
+ selector:
+ app: etcd
+ strategy:
+ type: Rolling
template:
metadata:
labels:
- app: openshift-ansible-service-broker
- service: asb
+ app: etcd
+ service: asb-etcd
spec:
serviceAccount: asb
- restartPolicy: Always
containers:
- - image: "{{ ansible_service_broker_image }}"
- name: asb
+ - image: "{{ ansible_service_broker_etcd_image }}"
+ name: etcd
imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: config-volume
- mountPath: /etc/ansible-service-broker
+ terminationMessagePath: /tmp/termination-log
+ workingDir: /etcd
+ args:
+ - "{{ ansible_service_broker_etcd_image_etcd_path }}"
+ - "--data-dir=/data"
+ - "--listen-client-urls=https://0.0.0.0:2379"
+ - "--advertise-client-urls=https://0.0.0.0:2379"
+ - "--client-cert-auth"
+ - "--trusted-ca-file=/var/run/etcd-auth-secret/ca.crt"
+ - "--cert-file=/etc/tls/private/tls.crt"
+ - "--key-file=/etc/tls/private/tls.key"
ports:
- - containerPort: 1338
+ - containerPort: 2379
protocol: TCP
env:
- - name: BROKER_CONFIG
- value: /etc/ansible-service-broker/config.yaml
- terminationMessagePath: /tmp/termination-log
+ - name: ETCDCTL_API
+ value: "3"
+ volumeMounts:
+ - name: etcd
+ mountPath: /data
+ - name: etcd-tls
+ mountPath: /etc/tls/private
+ - name: etcd-auth
+ mountPath: /var/run/etcd-auth-secret
volumes:
- - name: config-volume
- configMap:
- name: broker-config
- items:
- - key: broker-config
- path: config.yaml
+ - name: etcd
+ persistentVolumeClaim:
+ claimName: etcd
+ - name: etcd-tls
+ secret:
+ secretName: etcd-tls
+ - name: etcd-auth
+ secret:
+ secretName: etcd-auth-secret
# TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
@@ -239,42 +400,80 @@
name: broker-config
namespace: openshift-ansible-service-broker
labels:
- app: ansible-service-broker
+ app: openshift-ansible-service-broker
data:
broker-config: |
registry:
- name: "{{ ansible_service_broker_registry_type }}"
- url: "{{ ansible_service_broker_registry_url }}"
- user: "{{ ansible_service_broker_registry_user }}"
- pass: "{{ ansible_service_broker_registry_password }}"
- org: "{{ ansible_service_broker_registry_organization }}"
+ - type: {{ ansible_service_broker_registry_type }}
+ name: {{ ansible_service_broker_registry_name }}
+ url: {{ ansible_service_broker_registry_url }}
+ org: {{ ansible_service_broker_registry_organization }}
+ tag: {{ ansible_service_broker_registry_tag }}
+ white_list: {{ ansible_service_broker_registry_whitelist | to_yaml }}
+ - type: local_openshift
+ name: localregistry
+ namespaces: ['openshift']
+ white_list: {{ ansible_service_broker_local_registry_whitelist | to_yaml }}
dao:
- etcd_host: etcd
+ etcd_host: asb-etcd.openshift-ansible-service-broker.svc
etcd_port: 2379
+ etcd_ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
+ etcd_client_cert: /var/run/asb-etcd-auth/client.crt
+ etcd_client_key: /var/run/asb-etcd-auth/client.key
log:
- logfile: /var/log/ansible-service-broker/asb.log
stdout: true
- level: "{{ ansible_service_broker_log_level }}"
+ level: {{ ansible_service_broker_log_level }}
color: true
- openshift: {}
+ openshift:
+ host: ""
+ ca_file: ""
+ bearer_token_file: ""
+ sandbox_role: {{ ansible_service_broker_sandbox_role }}
+ image_pull_policy: {{ ansible_service_broker_image_pull_policy }}
+ keep_namespace: {{ ansible_service_broker_keep_namespace | bool | lower }}
+ keep_namespace_on_error: {{ ansible_service_broker_keep_namespace_on_error | bool | lower }}
broker:
dev_broker: {{ ansible_service_broker_dev_broker | bool | lower }}
+ bootstrap_on_startup: {{ ansible_service_broker_bootstrap_on_startup | bool | lower }}
+ refresh_interval: {{ ansible_service_broker_refresh_interval }}
launch_apb_on_bind: {{ ansible_service_broker_launch_apb_on_bind | bool | lower }}
- recovery: {{ ansible_service_broker_recovery | bool | lower }}
output_request: {{ ansible_service_broker_output_request | bool | lower }}
- bootstrap_on_startup: {{ ansible_service_broker_bootstrap_on_startup | bool | lower }}
+ recovery: {{ ansible_service_broker_recovery | bool | lower }}
+ ssl_cert_key: /etc/tls/private/tls.key
+ ssl_cert: /etc/tls/private/tls.crt
+ auto_escalate: {{ ansible_service_broker_auto_escalate }}
+ auth:
+ - type: basic
+ enabled: false
+
+- oc_secret:
+ name: asb-registry-auth
+ namespace: openshift-ansible-service-broker
+ state: present
+ contents:
+ - path: username
+ data: "{{ ansible_service_broker_registry_user }}"
+ - path: password
+ data: "{{ ansible_service_broker_registry_password }}"
- name: Create the Broker resource in the catalog
oc_obj:
name: ansible-service-broker
state: present
- kind: Broker
+ kind: ClusterServiceBroker
content:
path: /tmp/brokerout
data:
- apiVersion: servicecatalog.k8s.io/v1alpha1
- kind: Broker
+ apiVersion: servicecatalog.k8s.io/v1beta1
+ kind: ClusterServiceBroker
metadata:
name: ansible-service-broker
spec:
- url: http://asb.openshift-ansible-service-broker.svc:1338
+ url: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
+ authInfo:
+ bearer:
+ secretRef:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ kind: Secret
+ caBundle: "{{ service_ca_crt }}"
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-22 05:45:09 +0000