Diffstat (limited to 'roles/ansible_service_broker')
-rw-r--r--roles/ansible_service_broker/defaults/main.yml19
-rw-r--r--roles/ansible_service_broker/meta/main.yml15
-rw-r--r--roles/ansible_service_broker/tasks/install.yml346
-rw-r--r--roles/ansible_service_broker/tasks/main.yml8
-rw-r--r--roles/ansible_service_broker/tasks/remove.yml111
-rw-r--r--roles/ansible_service_broker/tasks/validate_facts.yml15
-rw-r--r--roles/ansible_service_broker/vars/default_images.yml15
-rw-r--r--roles/ansible_service_broker/vars/openshift-enterprise.yml16
8 files changed, 545 insertions, 0 deletions
diff --git a/roles/ansible_service_broker/defaults/main.yml b/roles/ansible_service_broker/defaults/main.yml
new file mode 100644
index 000000000..fa982d533
--- /dev/null
+++ b/roles/ansible_service_broker/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+
+ansible_service_broker_remove: false
+ansible_service_broker_install: false
+ansible_service_broker_log_level: info
+ansible_service_broker_output_request: false
+ansible_service_broker_recovery: true
+ansible_service_broker_bootstrap_on_startup: true
+ansible_service_broker_dev_broker: false
+ansible_service_broker_refresh_interval: 600s
+# Recommended you do not enable this for now
+ansible_service_broker_launch_apb_on_bind: false
+
+ansible_service_broker_image_pull_policy: IfNotPresent
+ansible_service_broker_sandbox_role: edit
+ansible_service_broker_auto_escalate: true
+ansible_service_broker_registry_tag: latest
+ansible_service_broker_registry_whitelist:
+ - '.*-apb$'
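Review bot: `ansible_service_broker_auto_escalate: true` is a permissive default for a setting whose name suggests the broker skips verifying the requesting user's permissions and runs APBs under its own service account (which install.yml binds to the `admin` cluster-role); unless the broker cannot function without it, it should default to `false` and carry a comment such as `# true skips the per-user permission check before launching an APB; leave false unless every catalog user is trusted with the broker's own privileges`. Note also that this value is the only boolean rendered into the config map without the `| bool | lower` filter the others use, so it lands as `True` rather than `true`. `ansible_service_broker_registry_tag: latest` combined with the `.*-apb$` whitelist means any image in the configured organization whose name ends in `-apb` is loaded at whatever `latest` currently points to, which is worth stating in a comment so operators know to pin a tag in production.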
diff --git a/roles/ansible_service_broker/meta/main.yml b/roles/ansible_service_broker/meta/main.yml
new file mode 100644
index 000000000..ec4aafb79
--- /dev/null
+++ b/roles/ansible_service_broker/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: Fabian von Feilitzsch
+ description: OpenShift Ansible Service Broker
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.1
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+dependencies:
+- role: lib_openshift
diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml
new file mode 100644
index 000000000..0f4b71124
--- /dev/null
+++ b/roles/ansible_service_broker/tasks/install.yml
@@ -0,0 +1,346 @@
+---
+
+# Fact setting and validations
+- name: Set default image variables based on deployment type
+ include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+ - "default_images.yml"
+
+- name: set ansible_service_broker facts
+ set_fact:
+ ansible_service_broker_image_prefix: "{{ ansible_service_broker_image_prefix | default(__ansible_service_broker_image_prefix) }}"
+ ansible_service_broker_image_tag: "{{ ansible_service_broker_image_tag | default(__ansible_service_broker_image_tag) }}"
+
+ ansible_service_broker_etcd_image_prefix: "{{ ansible_service_broker_etcd_image_prefix | default(__ansible_service_broker_etcd_image_prefix) }}"
+ ansible_service_broker_etcd_image_tag: "{{ ansible_service_broker_etcd_image_tag | default(__ansible_service_broker_etcd_image_tag) }}"
+ ansible_service_broker_etcd_image_etcd_path: "{{ ansible_service_broker_etcd_image_etcd_path | default(__ansible_service_broker_etcd_image_etcd_path) }}"
+
+ ansible_service_broker_registry_type: "{{ ansible_service_broker_registry_type | default(__ansible_service_broker_registry_type) }}"
+ ansible_service_broker_registry_name: "{{ ansible_service_broker_registry_name | default(__ansible_service_broker_registry_name) }}"
+ ansible_service_broker_registry_url: "{{ ansible_service_broker_registry_url | default(__ansible_service_broker_registry_url) }}"
+ ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}"
+ ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}"
+ ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}"
+
+ ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/service-catalog"
+
+- name: set ansible-service-broker image facts using set prefix and tag
+ set_fact:
+ ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}"
+ ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}"
+
+- slurp:
+ src: "{{ ansible_service_broker_certs_dir }}/ca.crt"
+ register: catalog_ca
+
+
+- include: validate_facts.yml
+
+
+# Deployment of ansible-service-broker starts here
+- name: create openshift-ansible-service-broker project
+ oc_project:
+ name: openshift-ansible-service-broker
+ state: present
+
+- name: create ansible-service-broker serviceaccount
+ oc_serviceaccount:
+ name: asb
+ namespace: openshift-ansible-service-broker
+ state: present
+
+- name: create ansible-service-broker client serviceaccount
+ oc_serviceaccount:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ state: present
+
+- name: Create asb-auth cluster role
+ oc_clusterrole:
+ state: present
+ name: asb-auth
+ rules:
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["create", "delete"]
+ - apiGroups: ["authorization.openshift.io"]
+ resources: ["subjectrulesreview"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+- name: Create asb-access cluster role
+ oc_clusterrole:
+ state: present
+ name: asb-access
+ rules:
+ - nonResourceURLs: ["/ansible-service-broker", "ansible-service-broker/*"]
+ verbs: ["get", "post", "put", "patch", "delete"]
+
+- name: Bind admin cluster-role to asb serviceaccount
+ oc_adm_policy_user:
+ state: present
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: admin
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
+- name: Bind auth cluster role to asb service account
+ oc_adm_policy_user:
+ state: present
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: asb-auth
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
+- name: Bind asb-access role to asb-client service account
+ oc_adm_policy_user:
+ state: present
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: asb-access
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"
+
+- name: create asb-client token secret
+ oc_obj:
+ name: asb-client
+ state: present
+ kind: Secret
+ content:
+ path: /tmp/asbclientsecretout
+ data:
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: asb-client
+ annotations:
+ kubernetes.io/service-account.name: asb-client
+ type: kubernetes.io/service-account-token
+
+# Using oc_obj because oc_service doesn't seem to allow annotations
+# TODO: Extend oc_service to allow annotations
+- name: create ansible-service-broker service
+ oc_obj:
+ name: asb
+ namespace: openshift-ansible-service-broker
+ state: present
+ kind: Service
+ content:
+ path: /tmp/asbsvcout
+ data:
+ apiVersion: v1
+ kind: Service
+ metadata:
+ name: asb
+ labels:
+ app: openshift-ansible-service-broker
+ service: asb
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: asb-tls
+ spec:
+ ports:
+ - name: port-1338
+ port: 1338
+ targetPort: 1338
+ protocol: TCP
+ selector:
+ app: openshift-ansible-service-broker
+ service: asb
+
+- name: create route for ansible-service-broker service
+ oc_route:
+ name: asb-1338
+ namespace: openshift-ansible-service-broker
+ state: present
+ labels:
+ app: openshift-ansible-service-broker
+ service: asb
+ service_name: asb
+ port: 1338
+ tls_termination: Reencrypt
+
+- name: create persistent volume claim for etcd
+ oc_obj:
+ name: etcd
+ namespace: openshift-ansible-service-broker
+ state: present
+ kind: PersistentVolumeClaim
+ content:
+ path: /tmp/pvcout
+ data:
+ apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: etcd
+ namespace: openshift-ansible-service-broker
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+
+- name: Create Ansible Service Broker deployment config
+ oc_obj:
+ name: asb
+ namespace: openshift-ansible-service-broker
+ state: present
+ kind: DeploymentConfig
+ content:
+ path: /tmp/dcout
+ data:
+ apiVersion: v1
+ kind: DeploymentConfig
+ metadata:
+ name: asb
+ labels:
+ app: openshift-ansible-service-broker
+ service: asb
+ spec:
+ replicas: 1
+ selector:
+ app: openshift-ansible-service-broker
+ strategy:
+ type: Rolling
+ template:
+ metadata:
+ labels:
+ app: openshift-ansible-service-broker
+ service: asb
+ spec:
+ serviceAccount: asb
+ containers:
+ - image: "{{ ansible_service_broker_image }}"
+ name: asb
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/ansible-service-broker
+ - name: asb-tls
+ mountPath: /etc/tls/private
+ ports:
+ - containerPort: 1338
+ protocol: TCP
+ env:
+ - name: BROKER_CONFIG
+ value: /etc/ansible-service-broker/config.yaml
+ resources: {}
+ terminationMessagePath: /tmp/termination-log
+
+ - image: "{{ ansible_service_broker_etcd_image }}"
+ name: etcd
+ imagePullPolicy: IfNotPresent
+ terminationMessagePath: /tmp/termination-log
+ workingDir: /etcd
+ args:
+ - "{{ ansible_service_broker_etcd_image_etcd_path }}"
+ - "--data-dir=/data"
+ - "--listen-client-urls=http://0.0.0.0:2379"
+ - "--advertise-client-urls=http://0.0.0.0:2379"
+ ports:
+ - containerPort: 2379
+ protocol: TCP
+ env:
+ - name: ETCDCTL_API
+ value: "3"
+ volumeMounts:
+ - mountPath: /data
+ name: etcd
+ volumes:
+ - name: etcd
+ persistentVolumeClaim:
+ claimName: etcd
+ - name: config-volume
+ configMap:
+ name: broker-config
+ items:
+ - key: broker-config
+ path: config.yaml
+ - name: asb-tls
+ secret:
+ secretName: asb-tls
+
+
+# TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
+- name: Create config map for ansible-service-broker
+ oc_obj:
+ name: broker-config
+ namespace: openshift-ansible-service-broker
+ state: present
+ kind: ConfigMap
+ content:
+ path: /tmp/cmout
+ data:
+ apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: broker-config
+ namespace: openshift-ansible-service-broker
+ labels:
+ app: openshift-ansible-service-broker
+ data:
+ broker-config: |
+ registry:
+ - type: {{ ansible_service_broker_registry_type }}
+ name: {{ ansible_service_broker_registry_name }}
+ url: {{ ansible_service_broker_registry_url }}
+ user: {{ ansible_service_broker_registry_user }}
+ pass: {{ ansible_service_broker_registry_password }}
+ org: {{ ansible_service_broker_registry_organization }}
+ tag: {{ ansible_service_broker_registry_tag }}
+ white_list: {{ ansible_service_broker_registry_whitelist }}
+ dao:
+ etcd_host: 0.0.0.0
+ etcd_port: 2379
+ log:
+ logfile: /var/log/ansible-service-broker/asb.log
+ stdout: true
+ level: {{ ansible_service_broker_log_level }}
+ color: true
+ openshift:
+ host: ""
+ ca_file: ""
+ bearer_token_file: ""
+ sandbox_role: {{ ansible_service_broker_sandbox_role }}
+ image_pull_policy: {{ ansible_service_broker_image_pull_policy }}
+ broker:
+ dev_broker: {{ ansible_service_broker_dev_broker | bool | lower }}
+ bootstrap_on_startup: {{ ansible_service_broker_bootstrap_on_startup | bool | lower }}
+ refresh_interval: {{ ansible_service_broker_refresh_interval }}
+ launch_apb_on_bind: {{ ansible_service_broker_launch_apb_on_bind | bool | lower }}
+ output_request: {{ ansible_service_broker_output_request | bool | lower }}
+ recovery: {{ ansible_service_broker_recovery | bool | lower }}
+ ssl_cert_key: /etc/tls/private/tls.key
+ ssl_cert: /etc/tls/private/tls.crt
+ auto_escalate: {{ ansible_service_broker_auto_escalate }}
+ auth:
+ - type: basic
+ enabled: false
+
+
+- name: Create the Broker resource in the catalog
+ oc_obj:
+ name: ansible-service-broker
+ state: present
+ kind: ServiceBroker
+ content:
+ path: /tmp/brokerout
+ data:
+ apiVersion: servicecatalog.k8s.io/v1alpha1
+ kind: ServiceBroker
+ metadata:
+ name: ansible-service-broker
+ spec:
+ url: http://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
+ authInfo:
+ bearer:
+ secretRef:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ kind: Secret
+ caBundle: "{{ catalog_ca.content }}"
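Review bot: The etcd sidecar is started with `--listen-client-urls=http://0.0.0.0:2379` and no client auth or TLS, and the port is published in the container's `ports:` list, so any workload that can reach this pod's IP can read and rewrite the broker's instance and binding state; because the broker talks to it from the same pod, bind it to loopback instead — `--listen-client-urls=http://127.0.0.1:2379`, `--advertise-client-urls=http://127.0.0.1:2379` and `etcd_host: 127.0.0.1` under `dao:` — and drop the `containerPort: 2379` entry. The registry `pass:` is also rendered in clear text into the `broker-config` ConfigMap, which anyone with `view` on the namespace can read; it belongs in a Secret (mounted into the pod or injected via `valueFrom.secretKeyRef`) rather than the config map. Separately, `ServiceBroker.spec.url` is `http://` while the broker is configured with `ssl_cert`/`ssl_cert_key` and the service carries a serving-cert annotation, so either the catalog will fail to connect or the `asb-client` bearer token travels in the clear; the URL should be `https://`, and `caBundle` should then be the CA that signed the `asb-tls` serving certificate, which is presumably the service-serving-cert signer rather than the service-catalog `ca.crt` slurped at the top (worth confirming for this release). In the `asb-access` rule the second path `ansible-service-broker/*` lacks the leading `/` that nonResourceURLs are matched against, so it likely never matches requests under `/ansible-service-broker/...`. Finally, if `oc_adm_policy_user` with `resource_kind: cluster-role` creates a cluster-scoped binding (as `oc adm policy add-cluster-role-to-user` does), the `namespace:` key does not confine the `admin` grant to this project, which should be stated in a comment or replaced with a namespaced `role` binding if that is all the broker needs.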
diff --git a/roles/ansible_service_broker/tasks/main.yml b/roles/ansible_service_broker/tasks/main.yml
new file mode 100644
index 000000000..d8695bd3a
--- /dev/null
+++ b/roles/ansible_service_broker/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# do any asserts here
+
+- include: install.yml
+ when: ansible_service_broker_install | default(false) | bool
+
+- include: remove.yml
+ when: ansible_service_broker_remove | default(false) | bool
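Review bot: Nothing enforces that `ansible_service_broker_install` and `ansible_service_broker_remove` are mutually exclusive, so a host that sets both runs install.yml and then immediately tears the result down via remove.yml; the `# do any asserts here` placeholder is the right spot for `- assert:` with `that: "not (ansible_service_broker_install | bool and ansible_service_broker_remove | bool)"`. Since both includes are gated on false-by-default flags, the role silently does nothing when neither is set, which is worth stating in a comment at the top of the file.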
diff --git a/roles/ansible_service_broker/tasks/remove.yml b/roles/ansible_service_broker/tasks/remove.yml
new file mode 100644
index 000000000..f0a6be226
--- /dev/null
+++ b/roles/ansible_service_broker/tasks/remove.yml
@@ -0,0 +1,111 @@
+---
+
+- name: remove ansible-service-broker serviceaccount
+ oc_serviceaccount:
+ name: asb
+ namespace: openshift-ansible-service-broker
+ state: absent
+
+- name: remove ansible-service-broker client serviceaccount
+ oc_serviceaccount:
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+ state: absent
+
+- name: remove asb-auth cluster role
+ oc_clusterrole:
+ state: absent
+ name: asb-auth
+
+- name: remove asb-access cluster role
+ oc_clusterrole:
+ state: absent
+ name: asb-access
+
+- name: Unbind admin cluster-role to asb serviceaccount
+ oc_adm_policy_user:
+ state: absent
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: admin
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
+- name: Unbind auth cluster role to asb service account
+ oc_adm_policy_user:
+ state: absent
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: asb-auth
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb"
+
+- name: Unbind asb-access role to asb-client service account
+ oc_adm_policy_user:
+ state: absent
+ namespace: openshift-ansible-service-broker
+ resource_kind: cluster-role
+ resource_name: asb-access
+ user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"
+
+- name: remove asb-client token secret
+ oc_secret:
+ state: absent
+ name: asb-client
+ namespace: openshift-ansible-service-broker
+
+- name: remove ansible-service-broker service
+ oc_service:
+ name: asb
+ namespace: openshift-ansible-service-broker
+ state: absent
+
+- name: remove etcd service
+ oc_service:
+ name: etcd
+ namespace: openshift-ansible-service-broker
+ state: absent
+
+- name: remove route for ansible-service-broker service
+ oc_route:
+ name: asb-1338
+ namespace: openshift-ansible-service-broker
+ state: absent
+
+- name: remove persistent volume claim for etcd
+ oc_pvc:
+ name: etcd
+ namespace: openshift-ansible-service-broker
+ state: absent
+
+- name: remove Ansible Service Broker deployment config
+ oc_obj:
+ name: asb
+ namespace: openshift-ansible-service-broker
+ kind: DeploymentConfig
+ state: absent
+
+- name: remove secret for broker auth
+ oc_obj:
+ name: asb-auth-secret
+ namespace: openshift-ansible-service-broker
+ kind: Broker
+ state: absent
+
+# TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
+- name: remove config map for ansible-service-broker
+ oc_obj:
+ name: broker-config
+ namespace: openshift-ansible-service-broker
+ state: absent
+ kind: ConfigMap
+
+# TODO: Is this going to work?
+- name: remove broker object from the catalog
+ oc_obj:
+ name: ansible-service-broker
+ state: absent
+ kind: ServiceBroker
+
+- name: remove openshift-ansible-service-broker project
+ oc_project:
+ name: openshift-ansible-service-broker
+ state: absent
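Review bot: The cluster-role and service-account deletions run before the unbind tasks, so if `oc_adm_policy_user` with `state: absent` fails or no-ops once the role or subject is already gone, the binding of `admin` to `system:serviceaccount:openshift-ansible-service-broker:asb` is left dangling — and because bindings reference service accounts by name, recreating the project and an `asb` account later would silently re-acquire that access; reorder so the three unbind tasks run first, then the roles, then the accounts. The task named "remove secret for broker auth" deletes `asb-auth-secret` with `kind: Broker`, but install.yml creates no object with that name or kind, so it is at best a no-op and at worst an error; it should be dropped or changed to match what install.yml actually creates. Likewise no `etcd` Service is ever created, so that removal is dead. The namespaced objects would be swept by the project deletion at the end anyway; what needs explicit, ordered cleanup are the cluster-scoped ones (`asb-auth`, `asb-access`, their bindings and the `ServiceBroker`), and a comment saying so would keep future edits from reintroducing the ordering problem.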
diff --git a/roles/ansible_service_broker/tasks/validate_facts.yml b/roles/ansible_service_broker/tasks/validate_facts.yml
new file mode 100644
index 000000000..604d24e1d
--- /dev/null
+++ b/roles/ansible_service_broker/tasks/validate_facts.yml
@@ -0,0 +1,15 @@
+---
+- name: validate Dockerhub registry settings
+ fail: msg="To use the dockerhub registry, you must provide the ansible_service_broker_registry_user. ansible_service_broker_registry_password, and ansible_service_broker_registry_organization parameters"
+ when:
+ - ansible_service_broker_registry_type == 'dockerhub'
+ - not (ansible_service_broker_registry_user and
+ ansible_service_broker_registry_password and
+ ansible_service_broker_registry_organization)
+
+
+- name: validate RHCC registry settings
+ fail: msg="To use the Red Hat Container Catalog registry, you must provide the ansible_service_broker_registry_url"
+ when:
+ - ansible_service_broker_registry_type == 'rhcc'
+ - not ansible_service_broker_registry_url
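Review bot: The failure message on the dockerhub task separates the first two parameter names with a period instead of a comma (`ansible_service_broker_registry_user. ansible_service_broker_registry_password`), so it reads as two sentences; both tasks also use the inline `fail: msg="..."` form while the rest of the role writes module arguments as block YAML, which would here be `fail:` followed by `msg: >-` and the message. Neither task rejects an unrecognized `ansible_service_broker_registry_type`, so a typo such as `dockrhub` passes validation and presumably only surfaces when the broker parses its config; an `assert` that the type is one of `dockerhub`/`rhcc` would fail earlier with a clearer message.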
diff --git a/roles/ansible_service_broker/vars/default_images.yml b/roles/ansible_service_broker/vars/default_images.yml
new file mode 100644
index 000000000..3e9639adf
--- /dev/null
+++ b/roles/ansible_service_broker/vars/default_images.yml
@@ -0,0 +1,15 @@
+---
+
+__ansible_service_broker_image_prefix: ansibleplaybookbundle/
+__ansible_service_broker_image_tag: latest
+
+__ansible_service_broker_etcd_image_prefix: quay.io/coreos/
+__ansible_service_broker_etcd_image_tag: latest
+__ansible_service_broker_etcd_image_etcd_path: /usr/local/bin/etcd
+
+__ansible_service_broker_registry_type: dockerhub
+__ansible_service_broker_registry_name: dh
+__ansible_service_broker_registry_url: null
+__ansible_service_broker_registry_user: null
+__ansible_service_broker_registry_password: null
+__ansible_service_broker_registry_organization: null
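Review bot: Both images default to the floating `latest` tag on public registries (`ansibleplaybookbundle/ansible-service-broker:latest`, `quay.io/coreos/etcd:latest`), and install.yml runs them with `imagePullPolicy: IfNotPresent`, so what actually executes depends on whatever each node pulled first and can change under a redeploy without any change to this role. The etcd case matters most: the broker sets `ETCDCTL_API=3`, and a `latest` that moves across a major version would only surface as a runtime failure. Pin both to an explicit release tag (ideally a digest) and leave a comment such as `# Pin to a released tag; 'latest' is mutable and is not re-pulled under IfNotPresent`.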
diff --git a/roles/ansible_service_broker/vars/openshift-enterprise.yml b/roles/ansible_service_broker/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..9c576cb76
--- /dev/null
+++ b/roles/ansible_service_broker/vars/openshift-enterprise.yml
@@ -0,0 +1,16 @@
+---
+
+__ansible_service_broker_image_prefix: registry.access.redhat.com/openshift3/ose-
+__ansible_service_broker_image_tag: v3.6
+
+__ansible_service_broker_etcd_image_prefix: rhel7/
+__ansible_service_broker_etcd_image_tag: latest
+__ansible_service_broker_etcd_image_etcd_path: /bin/etcd
+
+
+__ansible_service_broker_registry_type: rhcc
+__ansible_service_broker_registry_name: rh
+__ansible_service_broker_registry_url: "https://registry.access.redhat.com"
+__ansible_service_broker_registry_user: null
+__ansible_service_broker_registry_password: null
+__ansible_service_broker_registry_organization: null
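Review bot: `__ansible_service_broker_etcd_image_prefix: rhel7/` is an unqualified image reference, so `rhel7/etcd:latest` is resolved through each node's registry search list rather than a fixed registry; unlike the broker image above it, which is fully qualified to `registry.access.redhat.com/openshift3/`, it could be satisfied by a same-named repository on any other registry in that list. Qualify it as `registry.access.redhat.com/rhel7/` and, as with the broker image's `v3.6`, pin the etcd tag to a specific release instead of `latest`.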