Diffstat (limited to 'roles/openshift_service_catalog')
5 files changed, 120 insertions, 2 deletions
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml index ebefaeaba..71e21a269 100644 --- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml +++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml @@ -99,7 +99,6 @@ objects: - "" resources: - secrets - - podpresets verbs: - create - update @@ -131,6 +130,29 @@ objects: verbs: - patch - create + - apiGroups: + - servicecatalog.k8s.io + resources: + - serviceclasses + verbs: + - create + - delete + - update + - patch + - get + - list + - watch + - apiGroups: + - settings.k8s.io + resources: + - podpresets + verbs: + - create + - update + - delete + - get + - list + - watch - kind: ClusterRoleBinding apiVersion: v1 diff --git a/roles/openshift_service_catalog/files/openshift-ansible-catalog-console.js b/roles/openshift_service_catalog/files/openshift-ansible-catalog-console.js new file mode 100644 index 000000000..1f25cc39f --- /dev/null +++ b/roles/openshift_service_catalog/files/openshift-ansible-catalog-console.js @@ -0,0 +1,2 @@ +window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.service_catalog_landing_page = true; +window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.pod_presets = true; diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 1342c3d30..686857d94 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml 
@@ -23,7 +23,12 @@ oc_project: state: present name: "kube-service-catalog" -# node_selector: "{{ openshift_service_catalog_nodeselector | default(null) }}" + node_selector: "" + +- name: Make kube-service-catalog project network global + command: > + oc adm pod-network make-projects-global kube-service-catalog + when: os_sdn_network_plugin_name | default('') == 'redhat/openshift-ovs-multitenant' - include: generate_certs.yml 
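Review bot: The new `Make kube-service-catalog project network global` task exempts the project from multitenant SDN isolation, and nothing in the hunk records that this is a deliberate exposure. A comment above the task such as `# NOTE: make-projects-global lets pods in every project reach kube-service-catalog (and the reverse); required when the multitenant plugin is active` would make the trade-off visible to the next reader. The `command` task also has no `changed_when`, so it reports a change on every run; `changed_when: false` or a check of the current state would keep reruns quiet.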
@@ -61,6 +66,52 @@ template_name: kube-system-service-catalog namespace: kube-system +- oc_obj: + name: edit + kind: clusterrole + state: list + register: edit_yaml + +# only do this if we don't already have the updated role info +- name: Generate apply template for clusterrole/edit + template: + src: sc_role_patching.j2 + dest: "{{ mktemp.stdout }}/edit_sc_patch.yml" + vars: + original_content: "{{ edit_yaml.results.results[0] | to_yaml }}" + when: + - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + +# only do this if we don't already have the updated role info +- name: update edit role for service catalog and pod preset access + command: > + oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml + when: + - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + +- oc_obj: + name: admin + kind: clusterrole + state: list + register: admin_yaml + +# only do this if we don't already have the updated role info +- name: Generate apply template for clusterrole/admin + template: + src: sc_role_patching.j2 + dest: "{{ mktemp.stdout }}/admin_sc_patch.yml" + vars: + original_content: "{{ admin_yaml.results.results[0] | to_yaml }}" + when: + - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + +# only do this 
if we don't already have the updated role info +- name: update admin role for service catalog and pod preset access + command: > + oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml + when: + - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) + - shell: > oc get policybindings/kube-system:default -n kube-system || echo "not found" register: get_kube_system diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml index b8b8d0863..d5291a99a 100644 --- a/roles/openshift_service_catalog/tasks/wire_aggregator.yml +++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml @@ -47,6 +47,7 @@ fetch: src: "/etc/origin/master/{{ item }}" dest: "{{ certtemp.stdout }}/{{ item }}" + flat: yes with_items: - front-proxy-ca.crt - front-proxy-ca.key @@ -98,6 +99,7 @@ fetch: src: "/etc/origin/master/{{ item }}" dest: "{{ certtemp.stdout }}/{{ item }}" + flat: yes delegate_to: "{{ first_master }}" with_items: - aggregator-front-proxy.crt @@ -117,6 +119,11 @@ when: - not front_proxy_kubeconfig.stat.exists +- name: copy tech preview extension file for service console UI + copy: + src: openshift-ansible-catalog-console.js + dest: /etc/origin/master/openshift-ansible-catalog-console.js + - name: Update master config yedit: state: present 
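Review bot: In the `@@ -61` hunk of tasks/install.yml the `when:` expressions fire when either rule is missing, but sc_role_patching.j2 always appends both rule blocks, so a role that already carries one of them ends up with that rule twice after `oc replace`. The same long expression is repeated four times; computing it once (for example `set_fact: edit_needs_sc_rules: "{{ ... }}"`) and reusing it would keep the generate and replace tasks in step. `edit` and `admin` are default cluster roles, so this widens what every project editor and admin in the cluster may do with `podpresets` and service catalog objects. That deserves a comment above the first `oc_obj` task, and the two `oc_obj` tasks should get a `name:`.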
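Review bot: With `flat: yes` in the `@@ -47` hunk the per-host subdirectory disappears and every fetch writes to exactly `{{ certtemp.stdout }}/{{ item }}`. No `delegate_to` is visible in that hunk (the task starts outside it), so if it runs against more than one master the hosts overwrite each other's `front-proxy-ca.key` and the last writer wins; the `@@ -98` hunk pins the source with `delegate_to: "{{ first_master }}"` and the first task probably should too. The list includes a CA private key, so also confirm that the `certtemp` directory is removed on failure as well as success. `flat: true` is the canonical boolean spelling in both hunks.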
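Review bot: The `copy` task added in the `@@ -117` hunk installs a script that the master will serve into web console sessions, yet it sets no ownership or mode, so the resulting permissions depend on the connection user's umask. Pin them on the task with `owner: root`, `group: root`, `mode: "0644"` so that only root can alter what the console loads. Which hosts the task runs on is decided outside the hunk; it should match the hosts whose master config is edited below.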
@@ -136,6 +143,16 @@ value: [X-Remote-Group] - key: authConfig.requestHeader.extraHeaderPrefixes value: [X-Remote-Extra-] + - key: assetConfig.extensionScripts + value: [/etc/origin/master/openshift-ansible-catalog-console.js] + - key: kubernetesMasterConfig.apiServerArguments.runtime-config + value: [apis/settings.k8s.io/v1alpha1=true] + - key: admissionConfig.pluginConfig.PodPreset.configuration.kind + value: DefaultAdmissionConfig + - key: admissionConfig.pluginConfig.PodPreset.configuration.apiVersion + value: v1 + - key: admissionConfig.pluginConfig.PodPreset.configuration.disable + value: false register: yedit_output #restart master serially here diff --git a/roles/openshift_service_catalog/templates/sc_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_role_patching.j2 new file mode 100644 index 000000000..69b062b3f --- /dev/null +++ b/roles/openshift_service_catalog/templates/sc_role_patching.j2 @@ -0,0 +1,26 @@ +{{ original_content }} +- apiGroups: + - "servicecatalog.k8s.io" + attributeRestrictions: null + resources: + - instances + - bindings + verbs: + - create + - update + - delete + - get + - list + - watch +- apiGroups: + - "settings.k8s.io" + attributeRestrictions: null + resources: + - podpresets + verbs: + - create + - update + - delete + - get + - list + - watch |
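Review bot: `assetConfig.extensionScripts` and `kubernetesMasterConfig.apiServerArguments.runtime-config` are each set to a single-element list in the `@@ -136` hunk. If yedit replaces the value at a key (the yedit task starts outside the hunk, so this is inferred), any extension scripts or runtime-config entries already present in the master config are dropped. Appending to the existing list, or at least a comment such as `# overwrites any existing extensionScripts / runtime-config entries`, would avoid silently disabling other console extensions or API groups. The same edit turns on the alpha `settings.k8s.io/v1alpha1` API and the PodPreset admission plugin cluster-wide as a side effect of installing the catalog, which should be stated next to these keys.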
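Review bot: sc_role_patching.j2 appends the two rule blocks as raw text at column 0 after `{{ original_content }}`, which produces a valid role only if the `to_yaml` dump ends with the `rules:` list and renders its items unindented. A change in key order or dump style would attach the new rules to a different key or yield a document that `oc replace` rejects. Appending to `rules` as data in the play and dumping the object once would remove the positional assumption. If the text approach stays, open the template with `{# assumes original_content ends with an unindented top-level rules: list #}`.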