Diffstat (limited to 'roles')
-rw-r--r--roles/container_runtime/defaults/main.yml4
-rw-r--r--roles/container_runtime/templates/docker_storage_setup.j24
-rw-r--r--roles/lib_openshift/library/oc_group.py2
-rw-r--r--roles/lib_openshift/src/class/oc_group.py2
-rw-r--r--roles/openshift_health_checker/openshift_checks/docker_image_availability.py21
-rw-r--r--roles/openshift_health_checker/test/docker_image_availability_test.py39
-rw-r--r--roles/openshift_hosted/tasks/registry.yml2
-rw-r--r--roles/openshift_logging/tasks/install_logging.yaml2
-rw-r--r--roles/openshift_master/templates/master.yaml.v1.j23
-rw-r--r--roles/openshift_metrics/tasks/install_metrics.yaml2
-rw-r--r--roles/openshift_sanitize_inventory/tasks/deprecations.yml9
-rw-r--r--roles/openshift_sanitize_inventory/vars/main.yml2
-rw-r--r--roles/openshift_version/defaults/main.yml1
-rw-r--r--roles/openshift_version/tasks/first_master.yml6
-rw-r--r--roles/openshift_web_console/defaults/main.yml2
-rw-r--r--roles/openshift_web_console/files/console-config.yaml24
-rw-r--r--roles/openshift_web_console/files/console-rbac-template.yaml38
-rw-r--r--roles/openshift_web_console/files/console-template.yaml127
-rw-r--r--roles/openshift_web_console/tasks/install.yml2
-rw-r--r--roles/openshift_web_console/tasks/remove_old_asset_config.yml19
-rw-r--r--roles/openshift_web_console/vars/main.yml2
-rw-r--r--roles/template_service_broker/files/apiserver-config.yaml4
-rw-r--r--roles/template_service_broker/files/apiserver-template.yaml125
-rw-r--r--roles/template_service_broker/files/rbac-template.yaml92
-rw-r--r--roles/template_service_broker/files/template-service-broker-registration.yaml25
-rw-r--r--roles/template_service_broker/tasks/install.yml2
-rw-r--r--roles/template_service_broker/tasks/remove.yml2
-rw-r--r--roles/template_service_broker/vars/main.yml2
28 files changed, 531 insertions, 34 deletions
diff --git a/roles/container_runtime/defaults/main.yml b/roles/container_runtime/defaults/main.yml
index 8203d15f5..7397e2bec 100644
--- a/roles/container_runtime/defaults/main.yml
+++ b/roles/container_runtime/defaults/main.yml
@@ -64,7 +64,7 @@ docker_storage_setup_options:
root_lv_mount_path: "{{ docker_storage_path }}"
docker_storage_extra_options:
- "--storage-opt overlay2.override_kernel_check=true"
-- "--storage-opt overlay2.size={{ docker_storage_size }}"
+- "{{ '--storage-opt overlay2.size=' ~ docker_storage_size if container_runtime_docker_storage_setup_device is defined and container_runtime_docker_storage_setup_device != '' else '' }}"
- "--graph={{ docker_storage_path}}"
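Review bot: When `container_runtime_docker_storage_setup_device` is unset, the rewritten list entry expands to an empty string, so the `docker_storage_extra_options | join(' ')` in docker_storage_setup.j2 emits a stray double space into EXTRA_STORAGE_OPTIONS. It is harmless to the shell, but the empty element is easy to drop at the join, e.g. `EXTRA_STORAGE_OPTIONS="{{ docker_storage_extra_options | select | join(' ') }}"` (`select` with no test keeps only truthy items). The "device is defined and non-empty" condition is now spelled out here and again in docker_storage_setup.j2; a single fact such as `l_docker_storage_device_set` (constructed name) computed once would keep the two from drifting.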
@@ -117,7 +117,7 @@ l_crio_image: "{{ openshift_crio_systemcontainer_image_override | default(l_crio
# ----------------------- #
l_crt_docker_image_dict:
Fedora: "registry.fedoraproject.org/latest/docker"
- Centos: "registry.centos.org/projectatomic/docker"
+ CentOS: "registry.centos.org/projectatomic/docker"
RedHat: "registry.access.redhat.com/openshift3/container-engine"
openshift_docker_image_tag_default: "latest"
diff --git a/roles/container_runtime/templates/docker_storage_setup.j2 b/roles/container_runtime/templates/docker_storage_setup.j2
index b056087e0..ec540ea44 100644
--- a/roles/container_runtime/templates/docker_storage_setup.j2
+++ b/roles/container_runtime/templates/docker_storage_setup.j2
@@ -2,6 +2,7 @@
# /usr/lib/docker-storage-setup/docker-storage-setup.
#
# For more details refer to "man docker-storage-setup"
+{% if container_runtime_docker_storage_setup_device is defined and container_runtime_docker_storage_setup_device != '' %}
DEVS={{ container_runtime_docker_storage_setup_device }}
VG={{ docker_storage_setup_options.vg }}
DATA_SIZE={{ docker_storage_setup_options.data_size }}
@@ -9,4 +10,7 @@ STORAGE_DRIVER="{{ docker_storage_setup_options.storage_driver }}"
CONTAINER_ROOT_LV_NAME="{{ docker_storage_setup_options.root_lv_name }}"
CONTAINER_ROOT_LV_SIZE="{{ docker_storage_setup_options.root_lv_size }}"
CONTAINER_ROOT_LV_MOUNT_PATH="{{ docker_storage_setup_options.root_lv_mount_path }}"
+{% else %}
+STORAGE_DRIVER="{{ docker_storage_setup_options.storage_driver }}"
+{% endif %}
EXTRA_STORAGE_OPTIONS="{{ docker_storage_extra_options | join(' ') }}"
diff --git a/roles/lib_openshift/library/oc_group.py b/roles/lib_openshift/library/oc_group.py
index 1b63a6c13..72023eaf7 100644
--- a/roles/lib_openshift/library/oc_group.py
+++ b/roles/lib_openshift/library/oc_group.py
@@ -1485,7 +1485,7 @@ class OCGroup(OpenShiftCLI):
def needs_update(self):
''' verify an update is needed '''
- return not Utils.check_def_equal(self.config.data, self.group.yaml_dict, skip_keys=[], debug=True)
+ return not Utils.check_def_equal(self.config.data, self.group.yaml_dict, skip_keys=['users'], debug=True)
# pylint: disable=too-many-return-statements,too-many-branches
@staticmethod
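Review bot: The new `skip_keys=['users']` is not explained anywhere, and the docstring still says only "verify an update is needed", so a reader cannot tell why membership is deliberately excluded from the comparison. A short comment above the return, e.g. `# 'users' is excluded from the diff; membership presumably is reconciled elsewhere and should not by itself force a group update — confirm`, would record the intent. The same one-line change appears in roles/lib_openshift/src/class/oc_group.py; library/oc_group.py looks like the generated copy of it, and both were updated consistently.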
diff --git a/roles/lib_openshift/src/class/oc_group.py b/roles/lib_openshift/src/class/oc_group.py
index 89fb09ea4..53e6b6766 100644
--- a/roles/lib_openshift/src/class/oc_group.py
+++ b/roles/lib_openshift/src/class/oc_group.py
@@ -59,7 +59,7 @@ class OCGroup(OpenShiftCLI):
def needs_update(self):
''' verify an update is needed '''
- return not Utils.check_def_equal(self.config.data, self.group.yaml_dict, skip_keys=[], debug=True)
+ return not Utils.check_def_equal(self.config.data, self.group.yaml_dict, skip_keys=['users'], debug=True)
# pylint: disable=too-many-return-statements,too-many-branches
@staticmethod
diff --git a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
index d298fbab2..145b82491 100644
--- a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
+++ b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py
@@ -171,16 +171,21 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck):
required.add(self._registry_console_image(image_tag, image_info))
# images for containerized components
- if self.get_var("openshift_is_containerized"):
- components = set()
+ def add_var_or_default_img(var_name, comp_name):
+ """Returns: default image from comp_name, overridden by var_name in task_vars"""
+ default = "{}/{}:{}".format(image_info["namespace"], comp_name, image_tag)
+ required.add(self.template_var(self.get_var(var_name, default=default)))
+
+ if self.get_var("openshift_is_containerized", convert=bool):
if 'oo_nodes_to_config' in host_groups:
- components.update(["node", "openvswitch"])
+ add_var_or_default_img("osn_image", "node")
+ add_var_or_default_img("osn_ovs_image", "openvswitch")
if 'oo_masters_to_config' in host_groups: # name is "origin" or "ose"
- components.add(image_info["name"])
- for component in components:
- required.add("{}/{}:{}".format(image_info["namespace"], component, image_tag))
- if 'oo_etcd_to_config' in host_groups: # special case, note it is the same for origin/enterprise
- required.add("registry.access.redhat.com/rhel7/etcd") # and no image tag
+ add_var_or_default_img("osm_image", image_info["name"])
+ if 'oo_etcd_to_config' in host_groups:
+ # special case, note default is the same for origin/enterprise and has no image tag
+ etcd_img = self.get_var("osm_etcd_image", default="registry.access.redhat.com/rhel7/etcd")
+ required.add(self.template_var(etcd_img))
return required
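Review bot: The docstring of the nested `add_var_or_default_img` says "Returns: default image ..." but the function returns nothing; it adds the templated image to the enclosing `required` set. Suggest `"""Add comp_name's default image to `required`, unless task var var_name overrides it."""` so the side effect is stated. The etcd branch does the same by hand with `osm_etcd_image`; a one-line comment saying it bypasses the helper because its default has no namespace or tag would make that asymmetry deliberate. The enclosing `required_images` method starts above this hunk.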
diff --git a/roles/openshift_health_checker/test/docker_image_availability_test.py b/roles/openshift_health_checker/test/docker_image_availability_test.py
index 9fd6e049d..d31f263dd 100644
--- a/roles/openshift_health_checker/test/docker_image_availability_test.py
+++ b/roles/openshift_health_checker/test/docker_image_availability_test.py
@@ -276,11 +276,40 @@ def test_registry_console_image(task_vars, expected):
assert expected == DockerImageAvailability(task_vars=task_vars)._registry_console_image(tag, info)
-def test_containerized_etcd():
- task_vars = dict(
+@pytest.mark.parametrize("task_vars, expected", [
+ (
+ dict(
+ group_names=['oo_nodes_to_config'],
+ osn_ovs_image='spam/ovs',
+ openshift_image_tag="veggs",
+ ),
+ set([
+ 'spam/ovs', 'openshift/node:veggs', 'cockpit/kubernetes:latest',
+ 'openshift/origin-haproxy-router:veggs', 'openshift/origin-deployer:veggs',
+ 'openshift/origin-docker-registry:veggs', 'openshift/origin-pod:veggs',
+ ]),
+ ), (
+ dict(
+ group_names=['oo_masters_to_config'],
+ ),
+ set(['openshift/origin:latest']),
+ ), (
+ dict(
+ group_names=['oo_etcd_to_config'],
+ ),
+ set(['registry.access.redhat.com/rhel7/etcd']),
+ ), (
+ dict(
+ group_names=['oo_etcd_to_config'],
+ osm_etcd_image='spam/etcd',
+ ),
+ set(['spam/etcd']),
+ ),
+])
+def test_containerized(task_vars, expected):
+ task_vars.update(dict(
openshift_is_containerized=True,
openshift_deployment_type="origin",
- group_names=['oo_etcd_to_config'],
- )
- expected = set(['registry.access.redhat.com/rhel7/etcd'])
+ ))
+
assert expected == DockerImageAvailability(task_vars=task_vars).required_images()
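Review bot: The new parametrized cases exercise the `osn_ovs_image` and `osm_etcd_image` overrides but not `osn_image` or `osm_image`, so a regression in those two `add_var_or_default_img` calls would still pass. By analogy with the second case, one more entry such as `(dict(group_names=['oo_masters_to_config'], osm_image='spam/master'), set(['spam/master']))` would close that gap. As a point of style, `set([...])` can be written as a set literal `{...}` if the test suite no longer targets Python 2.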
diff --git a/roles/openshift_hosted/tasks/registry.yml b/roles/openshift_hosted/tasks/registry.yml
index bc4d81eb7..22294e3d4 100644
--- a/roles/openshift_hosted/tasks/registry.yml
+++ b/roles/openshift_hosted/tasks/registry.yml
@@ -43,7 +43,7 @@
- name: Update registry environment variables when pushing via dns
set_fact:
- openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine({'REGISTRY_OPENSHIFT_SERVER_ADDR':'docker-registry.default.svc:5000'}) }}"
+ openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine({'OPENSHIFT_DEFAULT_REGISTRY':'docker-registry.default.svc:5000'}) }}"
when: openshift_push_via_dns | bool
- name: Update registry proxy settings for dc/docker-registry
diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml
index 3afd8680f..e4883bfa0 100644
--- a/roles/openshift_logging/tasks/install_logging.yaml
+++ b/roles/openshift_logging/tasks/install_logging.yaml
@@ -314,8 +314,8 @@
openshift_logging_install_eventrouter | default(false) | bool
-# TODO: Remove when asset config is removed from master-config.yaml
- include_tasks: update_master_config.yaml
+ when: not openshift.common.version_gte_3_9
# Update asset config in openshift-web-console namespace
- name: Add Kibana route information to web console asset config
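Review bot: The removed `# TODO` line was the only explanation of why this role touches master-config.yaml at all, and the new `when: not openshift.common.version_gte_3_9` gate is left uncommented. A replacement comment above the include, e.g. `# Before 3.9 the console reads assetConfig from master-config.yaml; from 3.9 on the console is a separate deployment and the master file is not updated`, would keep that context (hedged: that is what remove_old_asset_config.yml in this same change suggests). The same gate and the same missing comment appear in roles/openshift_metrics/tasks/install_metrics.yaml. If `openshift.common.version_gte_3_9` can ever be a string rather than a boolean fact, `not` on a non-empty string is always false, so `not (openshift.common.version_gte_3_9 | bool)` is the safer spelling.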
diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2
index 14023ea73..4c9ab1864 100644
--- a/roles/openshift_master/templates/master.yaml.v1.j2
+++ b/roles/openshift_master/templates/master.yaml.v1.j2
@@ -5,6 +5,7 @@ admissionConfig:
apiLevels:
- v1
apiVersion: v1
+{% if not openshift.common.version_gte_3_9 %}
assetConfig:
logoutURL: "{{ openshift.master.logout_url | default('') }}"
masterPublicURL: {{ openshift.master.public_api_url }}
@@ -41,6 +42,8 @@ assetConfig:
- {{ cipher_suite }}
{% endfor %}
{% endif %}
+# assetconfig end
+{% endif %}
{% if openshift.master.audit_config | default(none) is not none %}
auditConfig:{{ openshift.master.audit_config | lib_utils_to_padded_yaml(level=1) }}
{% endif %}
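Review bot: `# assetconfig end` is a YAML comment, so it is rendered verbatim into master-config.yaml on every pre-3.9 master; a Jinja comment keeps the marker in the template only: `{# assetconfig end #}`. The surrounding `{% if not openshift.common.version_gte_3_9 %}` / `{% endif %}` lines will also leave blank lines in the rendered file unless the template is rendered with trim_blocks, which is cosmetic but worth knowing when diffing generated configs. The `assetConfig` stanza itself begins in the previous hunk.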
diff --git a/roles/openshift_metrics/tasks/install_metrics.yaml b/roles/openshift_metrics/tasks/install_metrics.yaml
index 0dd5d1621..6b6c21d71 100644
--- a/roles/openshift_metrics/tasks/install_metrics.yaml
+++ b/roles/openshift_metrics/tasks/install_metrics.yaml
@@ -67,8 +67,8 @@
with_items: "{{ hawkular_agent_object_defs.results }}"
when: openshift_metrics_install_hawkular_agent | bool
-# TODO: Remove when asset config is removed from master-config.yaml
- include_tasks: update_master_config.yaml
+ when: not openshift.common.version_gte_3_9
# Update asset config in openshift-web-console namespace
- name: Add metrics route information to web console asset config
diff --git a/roles/openshift_sanitize_inventory/tasks/deprecations.yml b/roles/openshift_sanitize_inventory/tasks/deprecations.yml
index 795b8ee60..b1ddbc07a 100644
--- a/roles/openshift_sanitize_inventory/tasks/deprecations.yml
+++ b/roles/openshift_sanitize_inventory/tasks/deprecations.yml
@@ -2,15 +2,18 @@
- name: Check for usage of deprecated variables
set_fact:
- __deprecation_message: "{{ __deprecation_message | default([]) }} + ['{{ __deprecation_header }} {{ item }} is a deprecated variable and will be no longer be used in the next minor release. Please update your inventory accordingly.']"
+ __deprecation_message: "{{ __deprecation_message | default( __deprecation_header ) }} \n\t{{ item }}"
when:
- hostvars[inventory_hostname][item] is defined
with_items: "{{ __warn_deprecated_vars }}"
- block:
- debug: msg="{{__deprecation_message}}"
- - pause:
- seconds: "{{ 10 }}"
+ - run_once: true
+ set_stats:
+ data:
+ installer_phase_initialize:
+ message: "{{ __deprecation_message }}"
when:
- __deprecation_message | default ('') | length > 0
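Review bot: The new list item puts `run_once: true` before the module, so the task reads as if `run_once` were the action; the module key conventionally comes first: `- set_stats:` ... then `run_once: true` after the `data:` block. The `\n\t` inside the double-quoted `__deprecation_message` value is intentionally turned into a real newline and tab by YAML, which is fine for a message but worth a short comment, since a later switch to single quotes would silently print the backslashes. Whether `installer_phase_initialize.message` is picked up by the installer's phase summary cannot be confirmed from this hunk; a comment naming the consumer would help the next reader.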
diff --git a/roles/openshift_sanitize_inventory/vars/main.yml b/roles/openshift_sanitize_inventory/vars/main.yml
index df15948d2..51c6e0a64 100644
--- a/roles/openshift_sanitize_inventory/vars/main.yml
+++ b/roles/openshift_sanitize_inventory/vars/main.yml
@@ -1,6 +1,6 @@
---
-__deprecation_header: "[DEPRECATION WARNING]:"
+__deprecation_header: "[DEPRECATION WARNING]: The following are deprecated variables and will be no longer be used in the next minor release. Please update your inventory accordingly."
# this is a list of variables that we will be deprecating within the next minor release, this list should be expected to change from release to release
__warn_deprecated_vars:
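Review bot: The new header text contains a doubled verb, "will be no longer be used"; it should read `__deprecation_header: "[DEPRECATION WARNING]: The following are deprecated variables and will no longer be used in the next minor release. Please update your inventory accordingly."`. The same wording was carried over from the old per-item message in deprecations.yml, so this is the only place it now needs fixing.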
diff --git a/roles/openshift_version/defaults/main.yml b/roles/openshift_version/defaults/main.yml
index e2e6538c9..513dff045 100644
--- a/roles/openshift_version/defaults/main.yml
+++ b/roles/openshift_version/defaults/main.yml
@@ -10,3 +10,4 @@ openshift_service_type: "{{ openshift_service_type_dict[openshift_deployment_typ
openshift_use_crio_only: False
l_first_master_version_task_file: "{{ openshift_is_containerized | ternary('first_master_containerized_version.yml', 'first_master_rpm_version.yml') }}"
+l_force_image_tag_to_version: False
diff --git a/roles/openshift_version/tasks/first_master.yml b/roles/openshift_version/tasks/first_master.yml
index 374725086..e01a56dc1 100644
--- a/roles/openshift_version/tasks/first_master.yml
+++ b/roles/openshift_version/tasks/first_master.yml
@@ -24,7 +24,9 @@
- block:
- debug:
- msg: "openshift_image_tag was not defined. Falling back to v{{ openshift_version }}"
+ msg: "openshift_image_tag set to v{{ openshift_version }}"
- set_fact:
openshift_image_tag: v{{ openshift_version }}
- when: openshift_image_tag is not defined
+ when: >
+ openshift_image_tag is not defined
+ or l_force_image_tag_to_version | bool
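Review bot: With `l_force_image_tag_to_version` true, a user-supplied `openshift_image_tag` is overwritten, and the reworded debug message no longer says whether the value was missing or forced. Including the previous value when there was one keeps the log useful: `msg: "openshift_image_tag set to v{{ openshift_version }}{{ ' (was ' ~ openshift_image_tag ~ ')' if openshift_image_tag is defined else '' }}"`. The enclosing `block:` begins above this hunk.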
diff --git a/roles/openshift_web_console/defaults/main.yml b/roles/openshift_web_console/defaults/main.yml
index c747f73a8..627db393a 100644
--- a/roles/openshift_web_console/defaults/main.yml
+++ b/roles/openshift_web_console/defaults/main.yml
@@ -1,2 +1,2 @@
---
-openshift_web_console_nodeselector: "{{ openshift_hosted_infra_selector | default('region=infra') | map_from_pairs }}"
+openshift_web_console_nodeselector: {"node-role.kubernetes.io/master":"true"}
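Review bot: The old default followed `openshift_hosted_infra_selector`, and the new one pins the console to masters with no comment explaining the change, so an operator who had the console on infra nodes will not know why it moved. A line above the variable such as `# Schedule the console on masters by default; override to place it elsewhere` would record the intent. The flow mapping with the quoted `"true"` is correct, since an unquoted label value would be parsed as a boolean.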
diff --git a/roles/openshift_web_console/files/console-config.yaml b/roles/openshift_web_console/files/console-config.yaml
new file mode 100644
index 000000000..55c650fbe
--- /dev/null
+++ b/roles/openshift_web_console/files/console-config.yaml
@@ -0,0 +1,24 @@
+apiVersion: webconsole.config.openshift.io/v1
+kind: WebConsoleConfiguration
+clusterInfo:
+ consolePublicURL: https://127.0.0.1:8443/console/
+ loggingPublicURL: ""
+ logoutPublicURL: ""
+ masterPublicURL: https://127.0.0.1:8443
+ metricsPublicURL: ""
+extensions:
+ scriptURLs: []
+ stylesheetURLs: []
+ properties: null
+features:
+ inactivityTimeoutMinutes: 0
+ clusterResourceOverridesEnabled: false
+servingInfo:
+ bindAddress: 0.0.0.0:8443
+ bindNetwork: tcp4
+ certFile: /var/serving-cert/tls.crt
+ clientCA: ""
+ keyFile: /var/serving-cert/tls.key
+ maxRequestsInFlight: 0
+ namedCertificates: null
+ requestTimeoutSeconds: 0
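Review bot: Nothing in the file says which values are placeholders: `consolePublicURL` and `masterPublicURL` point at `https://127.0.0.1:8443`, which the install tasks presumably rewrite before the ConfigMap is created, but someone applying the file directly gets a console that advertises localhost. A header comment stating that the URLs and the empty `loggingPublicURL`/`metricsPublicURL` are filled in by roles/openshift_web_console/tasks would prevent that. It is also worth a comment that `inactivityTimeoutMinutes: 0` presumably disables the idle-session timeout, so deployers who require one know to set it.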
diff --git a/roles/openshift_web_console/files/console-rbac-template.yaml b/roles/openshift_web_console/files/console-rbac-template.yaml
new file mode 100644
index 000000000..9ee117199
--- /dev/null
+++ b/roles/openshift_web_console/files/console-rbac-template.yaml
@@ -0,0 +1,38 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: web-console-server-rbac
+parameters:
+- name: NAMESPACE
+ # This namespace cannot be changed. Only `openshift-web-console` is supported.
+ value: openshift-web-console
+objects:
+
+
+# allow grant powers to the webconsole server for cluster inspection
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRole
+ metadata:
+ name: system:openshift:web-console-server
+ rules:
+ - apiGroups:
+ - "servicecatalog.k8s.io"
+ resources:
+ - clusterservicebrokers
+ verbs:
+ - get
+ - list
+ - watch
+
+# Grant the service account for the web console
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRoleBinding
+ metadata:
+ name: system:openshift:web-console-server
+ roleRef:
+ kind: ClusterRole
+ name: system:openshift:web-console-server
+ subjects:
+ - kind: ServiceAccount
+ namespace: ${NAMESPACE}
+ name: webconsole
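Review bot: The comment on the ClusterRole, `# allow grant powers to the webconsole server for cluster inspection`, does not parse and overstates the rule, which only grants get/list/watch on ClusterServiceBrokers; suggest `# grant the web console server read-only access to ClusterServiceBrokers`. The binding comment `# Grant the service account for the web console` is a fragment; `# bind that role to the web console's service account` says what it does. The scope itself is appropriately narrow, a single read-only resource in one API group.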
diff --git a/roles/openshift_web_console/files/console-template.yaml b/roles/openshift_web_console/files/console-template.yaml
new file mode 100644
index 000000000..547e7a265
--- /dev/null
+++ b/roles/openshift_web_console/files/console-template.yaml
@@ -0,0 +1,127 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: openshift-web-console
+ annotations:
+ openshift.io/display-name: OpenShift Web Console
+ description: The server for the OpenShift web console.
+ iconClass: icon-openshift
+ tags: openshift,infra
+ openshift.io/documentation-url: https://github.com/openshift/origin-web-console-server
+ openshift.io/support-url: https://access.redhat.com
+ openshift.io/provider-display-name: Red Hat, Inc.
+parameters:
+- name: IMAGE
+ value: openshift/origin-web-console:latest
+- name: NAMESPACE
+ # This namespace cannot be changed. Only `openshift-web-console` is supported.
+ value: openshift-web-console
+- name: LOGLEVEL
+ value: "0"
+- name: API_SERVER_CONFIG
+- name: NODE_SELECTOR
+ value: "{}"
+- name: REPLICA_COUNT
+ value: "1"
+objects:
+
+# to create the web console server
+- apiVersion: apps/v1beta1
+ kind: Deployment
+ metadata:
+ namespace: ${NAMESPACE}
+ name: webconsole
+ labels:
+ app: openshift-web-console
+ webconsole: "true"
+ spec:
+ replicas: "${{REPLICA_COUNT}}"
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ name: webconsole
+ labels:
+ webconsole: "true"
+ spec:
+ serviceAccountName: webconsole
+ containers:
+ - name: webconsole
+ image: ${IMAGE}
+ imagePullPolicy: IfNotPresent
+ command:
+ - "/usr/bin/origin-web-console"
+ - "--audit-log-path=-"
+ - "-v=${LOGLEVEL}"
+ - "--config=/var/webconsole-config/webconsole-config.yaml"
+ ports:
+ - containerPort: 8443
+ volumeMounts:
+ - mountPath: /var/serving-cert
+ name: serving-cert
+ - mountPath: /var/webconsole-config
+ name: webconsole-config
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8443
+ scheme: HTTPS
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8443
+ scheme: HTTPS
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ nodeSelector: "${{NODE_SELECTOR}}"
+ volumes:
+ - name: serving-cert
+ secret:
+ defaultMode: 400
+ secretName: webconsole-serving-cert
+ - name: webconsole-config
+ configMap:
+ defaultMode: 440
+ name: webconsole-config
+
+# to create the config for the web console
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ namespace: ${NAMESPACE}
+ name: webconsole-config
+ labels:
+ app: openshift-web-console
+ data:
+ webconsole-config.yaml: ${API_SERVER_CONFIG}
+
+# to be able to assign powers to the process
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ namespace: ${NAMESPACE}
+ name: webconsole
+ labels:
+ app: openshift-web-console
+
+# to be able to expose web console inside the cluster
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: ${NAMESPACE}
+ name: webconsole
+ labels:
+ app: openshift-web-console
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: webconsole-serving-cert
+ prometheus.io/scrape: "true"
+ prometheus.io/scheme: https
+ spec:
+ selector:
+ webconsole: "true"
+ ports:
+ - name: https
+ port: 443
+ targetPort: 8443
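Review bot: `defaultMode: 400` on the serving-cert secret volume and `defaultMode: 440` on the config volume are parsed as decimal by YAML and Kubernetes, which is octal 0620 and 0670, not the 0400/0440 the digits suggest; the cert volume ends up group-writable rather than owner-read-only. Use the decimal equivalents `defaultMode: 256` (0400) and `defaultMode: 288` (0440), as apiserver-template.yaml already does with `420` for 0644. Before tightening to 0400, confirm the container's UID can read the files, since secret volume files are root-owned unless the pod sets an fsGroup.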
diff --git a/roles/openshift_web_console/tasks/install.yml b/roles/openshift_web_console/tasks/install.yml
index cc5eef47d..ff33338a6 100644
--- a/roles/openshift_web_console/tasks/install.yml
+++ b/roles/openshift_web_console/tasks/install.yml
@@ -33,7 +33,7 @@
- name: Copy web console templates to temp directory
copy:
- src: "{{ __console_files_location }}/{{ item }}"
+ src: "{{ item }}"
dest: "{{ mktemp.stdout }}/{{ item }}"
with_items:
- "{{ __console_template_file }}"
diff --git a/roles/openshift_web_console/tasks/remove_old_asset_config.yml b/roles/openshift_web_console/tasks/remove_old_asset_config.yml
new file mode 100644
index 000000000..34158150c
--- /dev/null
+++ b/roles/openshift_web_console/tasks/remove_old_asset_config.yml
@@ -0,0 +1,19 @@
+---
+# Remove the obsolete assetConfig stanza from master-config.yaml. Since the
+# web console has been split out into a separate deployment, those settings
+# are no longer used.
+- name: Remove assetConfig from master-config.yaml
+ yedit:
+ state: absent
+ src: "{{ openshift.common.config_base }}/master/master-config.yaml"
+ key: assetConfig
+
+# This file was written by wire_aggregator.yml. It is no longer needed since
+# the web console now discovers if the template service broker is running on
+# startup. Remove the file if it exists.
+- name: Remove obsolete web console / service catalog extension file
+ file:
+ state: absent
+ # Hard-code the path instead of using `openshift.common.config_base` since
+ # the path is hard-coded in wire_aggregator.yml.
+ path: /etc/origin/master/openshift-ansible-catalog-console.js
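Review bot: Nothing here restarts the master after `yedit` removes `assetConfig` from master-config.yaml, so unless the including play does, the running master keeps serving the old config until its next restart. A `notify` on the yedit task, or a comment stating that the caller is responsible for the restart, would make that contract visible. The hard-coded path on the second task is already explained by its comment, which is the right place for it.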
diff --git a/roles/openshift_web_console/vars/main.yml b/roles/openshift_web_console/vars/main.yml
index e91048e38..72bff5d01 100644
--- a/roles/openshift_web_console/vars/main.yml
+++ b/roles/openshift_web_console/vars/main.yml
@@ -1,6 +1,4 @@
---
-__console_files_location: "../../../files/origin-components/"
-
__console_template_file: "console-template.yaml"
__console_rbac_file: "console-rbac-template.yaml"
__console_config_file: "console-config.yaml"
diff --git a/roles/template_service_broker/files/apiserver-config.yaml b/roles/template_service_broker/files/apiserver-config.yaml
new file mode 100644
index 000000000..e4048d1da
--- /dev/null
+++ b/roles/template_service_broker/files/apiserver-config.yaml
@@ -0,0 +1,4 @@
+kind: TemplateServiceBrokerConfig
+apiVersion: config.templateservicebroker.openshift.io/v1
+templateNamespaces:
+- openshift
diff --git a/roles/template_service_broker/files/apiserver-template.yaml b/roles/template_service_broker/files/apiserver-template.yaml
new file mode 100644
index 000000000..4dd9395d0
--- /dev/null
+++ b/roles/template_service_broker/files/apiserver-template.yaml
@@ -0,0 +1,125 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: template-service-broker-apiserver
+parameters:
+- name: IMAGE
+ value: openshift/origin-template-service-broker:latest
+- name: NAMESPACE
+ value: openshift-template-service-broker
+- name: LOGLEVEL
+ value: "0"
+- name: API_SERVER_CONFIG
+ value: |
+ kind: TemplateServiceBrokerConfig
+ apiVersion: config.templateservicebroker.openshift.io/v1
+ templateNamespaces:
+ - openshift
+- name: NODE_SELECTOR
+ value: "{}"
+objects:
+
+# to create the tsb server
+- apiVersion: extensions/v1beta1
+ kind: DaemonSet
+ metadata:
+ namespace: ${NAMESPACE}
+ name: apiserver
+ labels:
+ apiserver: "true"
+ spec:
+ template:
+ metadata:
+ name: apiserver
+ labels:
+ apiserver: "true"
+ spec:
+ serviceAccountName: apiserver
+ containers:
+ - name: c
+ image: ${IMAGE}
+ imagePullPolicy: IfNotPresent
+ command:
+ - "/usr/bin/template-service-broker"
+ - "start"
+ - "template-service-broker"
+ - "--secure-port=8443"
+ - "--audit-log-path=-"
+ - "--tls-cert-file=/var/serving-cert/tls.crt"
+ - "--tls-private-key-file=/var/serving-cert/tls.key"
+ - "--v=${LOGLEVEL}"
+ - "--config=/var/apiserver-config/apiserver-config.yaml"
+ ports:
+ - containerPort: 8443
+ volumeMounts:
+ - mountPath: /var/serving-cert
+ name: serving-cert
+ - mountPath: /var/apiserver-config
+ name: apiserver-config
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8443
+ scheme: HTTPS
+ nodeSelector: "${{NODE_SELECTOR}}"
+ volumes:
+ - name: serving-cert
+ secret:
+ defaultMode: 420
+ secretName: apiserver-serving-cert
+ - name: apiserver-config
+ configMap:
+ defaultMode: 420
+ name: apiserver-config
+
+# to create the config for the TSB
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ namespace: ${NAMESPACE}
+ name: apiserver-config
+ data:
+ apiserver-config.yaml: ${API_SERVER_CONFIG}
+
+# to be able to assign powers to the process
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ namespace: ${NAMESPACE}
+ name: apiserver
+
+# to be able to expose TSB inside the cluster
+- apiVersion: v1
+ kind: Service
+ metadata:
+ namespace: ${NAMESPACE}
+ name: apiserver
+ annotations:
+ service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert
+ spec:
+ selector:
+ apiserver: "true"
+ ports:
+ - port: 443
+ targetPort: 8443
+
+# This service account will be granted permission to call the TSB.
+# The token for this SA will be provided to the service catalog for
+# use when calling the TSB.
+- apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ namespace: ${NAMESPACE}
+ name: templateservicebroker-client
+
+# This secret will be populated with a copy of the templateservicebroker-client SA's
+# auth token. Since this secret has a static name, it can be referenced more
+# easily than the auto-generated secret for the service account.
+- apiVersion: v1
+ kind: Secret
+ metadata:
+ namespace: ${NAMESPACE}
+ name: templateservicebroker-client
+ annotations:
+ kubernetes.io/service-account.name: templateservicebroker-client
+ type: kubernetes.io/service-account-token
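Review bot: The `API_SERVER_CONFIG` parameter default duplicates files/apiserver-config.yaml line for line, so any change to the broker config has to be made twice. Either drop the in-template default so the file is the single source, or add a comment on the parameter such as `# keep in sync with files/apiserver-config.yaml` naming which copy is canonical. The static-named `templateservicebroker-client` token Secret is well commented; its only consumer is the `get` on that one resourceName granted in rbac-template.yaml, which is the right scope.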
diff --git a/roles/template_service_broker/files/rbac-template.yaml b/roles/template_service_broker/files/rbac-template.yaml
new file mode 100644
index 000000000..0937a9065
--- /dev/null
+++ b/roles/template_service_broker/files/rbac-template.yaml
@@ -0,0 +1,92 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: template-service-broker-rbac
+parameters:
+- name: NAMESPACE
+ value: openshift-template-service-broker
+- name: KUBE_SYSTEM
+ value: kube-system
+objects:
+
+# Grant the service account permission to call the TSB
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRoleBinding
+ metadata:
+ name: templateservicebroker-client
+ roleRef:
+ kind: ClusterRole
+ name: system:openshift:templateservicebroker-client
+ subjects:
+ - kind: ServiceAccount
+ namespace: ${NAMESPACE}
+ name: templateservicebroker-client
+
+# to delegate authentication and authorization
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRoleBinding
+ metadata:
+ name: auth-delegator-${NAMESPACE}
+ roleRef:
+ kind: ClusterRole
+ name: system:auth-delegator
+ subjects:
+ - kind: ServiceAccount
+ namespace: ${NAMESPACE}
+ name: apiserver
+
+# to have the template service broker powers
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRoleBinding
+ metadata:
+ name: tsb-${NAMESPACE}
+ roleRef:
+ kind: ClusterRole
+ name: system:openshift:controller:template-service-broker
+ subjects:
+ - kind: ServiceAccount
+ namespace: ${NAMESPACE}
+ name: apiserver
+
+# to read the config for terminating authentication
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: RoleBinding
+ metadata:
+ namespace: ${KUBE_SYSTEM}
+ name: extension-apiserver-authentication-reader-${NAMESPACE}
+ roleRef:
+ kind: Role
+ name: extension-apiserver-authentication-reader
+ subjects:
+ - kind: ServiceAccount
+ namespace: ${NAMESPACE}
+ name: apiserver
+
+# allow the kube service catalog's SA to read the static secret defined
+# above, which will contain the token for the SA that can call the TSB.
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: Role
+ metadata:
+ name: templateservicebroker-auth-reader
+ namespace: ${NAMESPACE}
+ rules:
+ - apiGroups:
+ - ""
+ resourceNames:
+ - templateservicebroker-client
+ resources:
+ - secrets
+ verbs:
+ - get
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: RoleBinding
+ metadata:
+ namespace: ${NAMESPACE}
+ name: templateservicebroker-auth-reader
+ roleRef:
+ kind: Role
+ name: templateservicebroker-auth-reader
+ subjects:
+ - kind: ServiceAccount
+ namespace: kube-service-catalog
+ name: service-catalog-controller
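Review bot: `namespace: kube-service-catalog` on the final RoleBinding is hard-coded while the other foreign namespace, `kube-system`, is parameterized via `KUBE_SYSTEM`; a deployment that installs the catalog elsewhere silently grants the secret read to a non-existent subject. Parameterizing it the same way (e.g. a new `SERVICE_CATALOG_NAMESPACE` parameter, constructed name) keeps the template consistent. Scoping the Role with `resourceNames` to the single `templateservicebroker-client` secret and only the `get` verb is the right least-privilege shape for this grant.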
diff --git a/roles/template_service_broker/files/template-service-broker-registration.yaml b/roles/template_service_broker/files/template-service-broker-registration.yaml
new file mode 100644
index 000000000..95fb72924
--- /dev/null
+++ b/roles/template_service_broker/files/template-service-broker-registration.yaml
@@ -0,0 +1,25 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: template-service-broker-registration
+parameters:
+- name: TSB_NAMESPACE
+ value: openshift-template-service-broker
+- name: CA_BUNDLE
+ required: true
+objects:
+# register the tsb with the service catalog
+- apiVersion: servicecatalog.k8s.io/v1beta1
+ kind: ClusterServiceBroker
+ metadata:
+ name: template-service-broker
+ spec:
+ url: https://apiserver.${TSB_NAMESPACE}.svc:443/brokers/template.openshift.io
+ insecureSkipTLSVerify: false
+ caBundle: ${CA_BUNDLE}
+ authInfo:
+ bearer:
+ secretRef:
+ kind: Secret
+ name: templateservicebroker-client
+ namespace: ${TSB_NAMESPACE}
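Review bot: `CA_BUNDLE` is marked `required: true` but has no description, so a caller has to guess its format; the service catalog expects a base64-encoded PEM bundle in `caBundle`, and a `description: Base64-encoded PEM CA bundle used to verify the broker's serving certificate` on the parameter would say so. Keeping `insecureSkipTLSVerify: false` explicit alongside the required bundle is good; a one-line comment that the two go together would discourage flipping it during troubleshooting.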
diff --git a/roles/template_service_broker/tasks/install.yml b/roles/template_service_broker/tasks/install.yml
index 4e6ad2ae5..d0a07c48d 100644
--- a/roles/template_service_broker/tasks/install.yml
+++ b/roles/template_service_broker/tasks/install.yml
@@ -28,7 +28,7 @@
changed_when: false
- copy:
- src: "{{ __tsb_files_location }}/{{ item }}"
+ src: "{{ item }}"
dest: "{{ mktemp.stdout }}/{{ item }}"
with_items:
- "{{ __tsb_template_file }}"
diff --git a/roles/template_service_broker/tasks/remove.yml b/roles/template_service_broker/tasks/remove.yml
index 48dc1327e..b46dd4771 100644
--- a/roles/template_service_broker/tasks/remove.yml
+++ b/roles/template_service_broker/tasks/remove.yml
@@ -9,7 +9,7 @@
changed_when: false
- copy:
- src: "{{ __tsb_files_location }}/{{ item }}"
+ src: "{{ item }}"
dest: "{{ mktemp.stdout }}/{{ item }}"
with_items:
- "{{ __tsb_template_file }}"
diff --git a/roles/template_service_broker/vars/main.yml b/roles/template_service_broker/vars/main.yml
index a65340f16..7dec24a79 100644
--- a/roles/template_service_broker/vars/main.yml
+++ b/roles/template_service_broker/vars/main.yml
@@ -1,6 +1,4 @@
---
-__tsb_files_location: "../../../files/origin-components/"
-
__tsb_template_file: "apiserver-template.yaml"
__tsb_config_file: "apiserver-config.yaml"
__tsb_rbac_file: "rbac-template.yaml"