2 files changed, 27 insertions, 10 deletions

diff --git a/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml b/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml
index 8331f0389..8754616d9 100644
--- a/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml
+++ b/roles/openshift_hosted_logging/tasks/cleanup_logging.yaml
@@ -46,8 +46,8 @@
 
   - name: "Remove deployer template"
     command: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig delete template logging-deployer-template -n openshift"
-    register: delete_ouput
-    failed_when: delete_ouput.rc == 1 and 'exists' not in delete_ouput.stderr
+    register: delete_output
+    failed_when: delete_output.rc == 1 and 'exists' not in delete_output.stderr
 
 
   - name: Delete temp directory
diff --git a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml
index c8d376194..625af9acd 100644
--- a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml
+++ b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml
@@ -17,7 +17,7 @@
       cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
     changed_when: False
 
-  - name: Check for logging project already exists
+  - name: "Check for logging project already exists"
     command: >
       {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get project logging -o jsonpath='{.metadata.name}'
     register: logging_project_result
@@ -40,33 +40,50 @@
 
   - name: "Create templates for logging accounts and the deployer"
     command: >
-      {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f {{ examples_base }}/infrastructure-templates/{{ 'enterprise' if openshift_deployment_type == 'openshift-enterprise' else 'origin' }}/logging-deployer.yaml
-    register: template_output
-    failed_when: "template_output.rc == 1 and 'exists' not in template_output.stderr"
+      {{ openshift.common.client_binary }} create --config={{ mktemp.stdout }}/admin.kubeconfig
+      -f {{ hosted_base }}/logging-deployer.yaml
+      --config={{ mktemp.stdout }}/admin.kubeconfig
+      -n logging
+    register: logging_import_template
+    failed_when: "'already exists' not in logging_import_template.stderr and logging_import_template.rc != 0"
+    changed_when: "'created' in logging_import_template.stdout"
 
   - name: "Process the logging accounts template"
-    shell:  "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig process logging-deployer-account-template |  {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f -"
+    shell: >
+      {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+      process logging-deployer-account-template |  {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f -
     register: process_deployer_accounts
     failed_when: process_deployer_accounts.rc == 1 and 'already exists' not in process_deployer_accounts.stderr
 
   - name: "Set permissions for logging-deployer service account"
     command: >
-      {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig policy add-cluster-role-to-user oauth-editor system:serviceaccount:logging:logging-deployer
+      {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig
+      policy add-cluster-role-to-user oauth-editor system:serviceaccount:logging:logging-deployer
     register: permiss_output
     failed_when: "permiss_output.rc == 1 and 'exists' not in permiss_output.stderr"
 
   - name: "Set permissions for fluentd"
     command: >
-      {{ openshift.common.client_binary }} adm policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd
+      {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig
+      policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd
     register: fluentd_output
     failed_when: "fluentd_output.rc == 1 and 'exists' not in fluentd_output.stderr"
 
   - name: "Set additional permissions for fluentd"
     command: >
-      {{ openshift.common.client_binary }} adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd
+      {{ openshift.common.client_binary }} adm policy --config={{ mktemp.stdout }}/admin.kubeconfig
+      add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd
     register: fluentd2_output
     failed_when: "fluentd2_output.rc == 1 and 'exists' not in fluentd2_output.stderr"
 
+  - name: "Add rolebinding-reader to aggregated-logging-elasticsearch"
+    command: >
+      {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig
+      policy add-cluster-role-to-user rolebinding-reader \
+      system:serviceaccount:logging:aggregated-logging-elasticsearch
+    register: rolebinding_reader_output
+    failed_when: "rolebinding_reader_output == 1 and 'exists' not in rolebinding_reader_output.stderr"
+
   - name: "Create ConfigMap for deployer parameters"
     command: >
       {{ openshift.common.client_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-deployer {{ deployer_cmap_params }}