Diffstat (limited to 'roles/openshift_manageiq')
-rw-r--r-- | roles/openshift_manageiq/meta/main.yml | 15 | ||||
-rw-r--r-- | roles/openshift_manageiq/tasks/main.yaml | 37 | ||||
-rw-r--r-- | roles/openshift_manageiq/vars/main.yml | 13 |
3 files changed, 32 insertions, 33 deletions
diff --git a/roles/openshift_manageiq/meta/main.yml b/roles/openshift_manageiq/meta/main.yml
new file mode 100644
index 000000000..6c96a91bf
--- /dev/null
+++ b/roles/openshift_manageiq/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: Erez Freiberger
+ description: ManageIQ
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 2.1
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+dependencies:
+- role: lib_openshift
diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index a7214482f..f202486a5 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
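Review bot: In the new meta/main.yml, `min_ansible_version: 2.1` is an unquoted scalar, so a YAML loader reads it as a float rather than a version string, and a later bump to 2.10 would silently load as 2.1. Quote it as `min_ansible_version: "2.1"`. The same applies to the platform entry `- 7` under `versions:` if the consumer expects strings.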
@@ -18,27 +18,15 @@ failed_when: "'already exists' not in osmiq_create_mi_project.stderr and osmiq_create_mi_project.rc != 0" changed_when: osmiq_create_mi_project.rc == 0 -- name: Create Admin Service Account - shell: > - echo {{ manageiq_service_account | to_json | quote }} | - {{ openshift.common.client_binary }} create - -n management-infra - --config={{manage_iq_tmp_conf}} - -f - - register: osmiq_create_service_account - failed_when: "'already exists' not in osmiq_create_service_account.stderr and osmiq_create_service_account.rc != 0" - changed_when: osmiq_create_service_account.rc == 0 - -- name: Create Image Inspector Service Account - shell: > - echo {{ manageiq_image_inspector_service_account | to_json | quote }} | - {{ openshift.common.client_binary }} create - -n management-infra - --config={{manage_iq_tmp_conf}} - -f - - register: osmiq_create_service_account - failed_when: "'already exists' not in osmiq_create_service_account.stderr and osmiq_create_service_account.rc != 0" - changed_when: osmiq_create_service_account.rc == 0 +- name: Create Admin and Image Inspector Service Account + oc_serviceaccount: + kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig" + name: "{{ item }}" + namespace: management-infra + state: present + with_items: + - management-admin + - inspector-admin - name: Create Cluster Role shell: > @@ -59,6 +47,9 @@ register: oshawkular_create_cluster_role failed_when: "'already exists' not in oshawkular_create_cluster_role.stderr and oshawkular_create_cluster_role.rc != 0" changed_when: oshawkular_create_cluster_role.rc == 0 + # AUDIT:changed_when_note: Checking the return code is insufficient + # here. We really need to verify the if the role even exists before + # we run this task. - name: Configure role/user permissions command: 
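Review bot: The new `oc_serviceaccount` task in the `@@ -18,27 +18,15 @@` hunk authenticates with `{{ openshift_master_config_dir }}/admin.kubeconfig`, whereas the shell tasks it replaces used `--config={{manage_iq_tmp_conf}}`, which vars/main.yml still defines as `/tmp/manageiq_admin.kubeconfig`. If the remaining shell tasks (their bodies are outside this hunk) still rely on that copy, the role now mixes two credential sources and keeps a cluster-admin kubeconfig at a fixed, predictable path under /tmp. Consider pointing those tasks at the same kubeconfig, or creating the copy under a unique temporary name with mode `"0600"` and removing it when the role finishes. A one-line comment above the task, such as `# Uses the master admin kubeconfig directly; no temporary copy involved`, would record why this task differs from its neighbours.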
> @@ -68,6 +59,10 @@ register: osmiq_perm_task failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0" changed_when: osmiq_perm_task.rc == 0 + # AUDIT:changed_when_note: Checking the return code is insufficient + # here. We really need to compare the current role/user permissions + # with their expected state. I think we may have a module for this? + - name: Configure 3_2 role/user permissions command: > diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml index 3f24fd6be..9936bb126 100644 --- a/roles/openshift_manageiq/vars/main.yml +++ b/roles/openshift_manageiq/vars/main.yml @@ -1,4 +1,5 @@ --- +openshift_master_config_dir: "{{ openshift.common.config_base }}/master" manageiq_cluster_role: apiVersion: v1 kind: ClusterRole @@ -24,18 +25,6 @@ manageiq_metrics_admin_clusterrole: verbs: - '*' -manageiq_service_account: - apiVersion: v1 - kind: ServiceAccount - metadata: - name: management-admin - -manageiq_image_inspector_service_account: - apiVersion: v1 - kind: ServiceAccount - metadata: - name: inspector-admin - manage_iq_tmp_conf: /tmp/manageiq_admin.kubeconfig manage_iq_tasks: |
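Review bot: The AUDIT comment added after `changed_when` in the "Create Cluster Role" task contains a typo (`verify the if the role even exists`) and, sitting after the task's last key, can be read as describing the following task. Suggest placing it directly above `changed_when` and wording it as `# AUDIT:changed_when_note: rc alone is insufficient; verify that the role exists before running this task`. The matching comment in the `@@ -68,6 +59,10 @@` hunk has the same placement and ends on an open question; naming the intended module there, or linking a tracking issue, would make it actionable. Both tasks start and end outside their hunks.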
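Review bot: `openshift_master_config_dir` is added to the role's vars/main.yml, and role vars take precedence over inventory and group/host variables, so a deployment with a non-default master config directory cannot override the path used to locate `admin.kubeconfig`. If the value is meant to be tunable, `defaults/main.yml` is the better home. If another role already defines this variable (not visible on this page), reusing that definition keeps the admin kubeconfig path in a single place. A short comment such as `# Directory holding the master's admin.kubeconfig` above the line would also help.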