From 486b746324171edd691fd1682ef1221825157e62 Mon Sep 17 00:00:00 2001
From: Samuel Padgett <spadgett@redhat.com>
Date: Thu, 11 Jan 2018 15:24:37 -0500
Subject: Add console RBAC template

---
 files/origin-components/console-rbac-template.yaml | 38 ++++++++++++++++++++++
 roles/openshift_web_console/tasks/install.yml      | 13 +++++---
 roles/openshift_web_console/vars/main.yml          |  1 +
 3 files changed, 48 insertions(+), 4 deletions(-)
 create mode 100644 files/origin-components/console-rbac-template.yaml

diff --git a/files/origin-components/console-rbac-template.yaml b/files/origin-components/console-rbac-template.yaml
new file mode 100644
index 000000000..9ee117199
--- /dev/null
+++ b/files/origin-components/console-rbac-template.yaml
@@ -0,0 +1,38 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: web-console-server-rbac
+parameters:
+- name: NAMESPACE
+  # This namespace cannot be changed. Only `openshift-web-console` is supported.
+  value: openshift-web-console
+objects:
+
+
+# allow grant powers to the webconsole server for cluster inspection
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRole
+  metadata:
+    name: system:openshift:web-console-server
+  rules:
+  - apiGroups:
+    - "servicecatalog.k8s.io"
+    resources:
+    - clusterservicebrokers
+    verbs:
+    - get
+    - list
+    - watch
+
+# Grant the service account for the web console
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: system:openshift:web-console-server
+  roleRef:
+    kind: ClusterRole
+    name: system:openshift:web-console-server
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: webconsole
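Review bot: The `NAMESPACE` parameter is documented as unchangeable in the comment near the top of the template, yet it remains a free template parameter and nothing in the template enforces that comment, so a caller passing a different value would bind `system:openshift:web-console-server` to a `webconsole` service account in whatever namespace was supplied. If only `openshift-web-console` is supported, hard-coding `namespace: openshift-web-console` in the subject and dropping the parameter makes the template match its own documentation. Two smaller points: `roleRef` omits `apiGroup: rbac.authorization.k8s.io` (the API server defaults it for v1beta1, but stating it makes the binding unambiguous to readers and validators), and the two blank lines after `objects:` plus the comment `# allow grant powers to the webconsole server for cluster inspection` read awkwardly — `# Grant the web console server read access to cluster service brokers` says what the rule below actually does.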
diff --git a/roles/openshift_web_console/tasks/install.yml b/roles/openshift_web_console/tasks/install.yml
index 12916961b..287d8973d 100644
--- a/roles/openshift_web_console/tasks/install.yml
+++ b/roles/openshift_web_console/tasks/install.yml
@@ -21,20 +21,21 @@
     node_selector:
       - ""
 
-- name: Make temp directory for asset config files
+- name: Make temp directory for the web console config files
   command: mktemp -d /tmp/console-ansible-XXXXXX
   register: mktemp
   changed_when: False
 
-- name: Copy asset config template to temp directory
+- name: Copy the web console config template to temp directory
   copy:
     src: "{{ __console_files_location }}/{{ item }}"
     dest: "{{ mktemp.stdout }}/{{ item }}"
   with_items:
     - "{{ __console_template_file }}"
+    - "{{ __console_rbac_file }}"
     - "{{ __console_config_file }}"
 
-- name: Update asset config properties
+- name: Update the web console config properties
   yedit:
     src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
     edits:
@@ -50,7 +51,11 @@
     src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
   register: config
 
-- name: Apply template file
+- name: Reconcile with the web console RBAC file
+  shell: >
+    {{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_rbac_file }}" | {{ openshift_client_binary }} auth reconcile -f -
+
+- name: Apply the web console template file
   shell: >
     {{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_template_file }}"
     --param API_SERVER_CONFIG="{{ config['content'] | b64decode }}"
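Review bot: The new reconcile task pipes `oc process` into `oc auth reconcile -f -` under `shell`, so a failure of the first command is hidden behind the exit status of the last command in the pipeline and the RBAC objects may silently not be reconciled. Prefix the command with `set -o pipefail;` and run it under bash via `args:` followed by `  executable: /bin/bash`, or register the result and check it, the way the config task a few lines above registers its output. The task also has no `changed_when`, so every run reports a change even when reconcile modified nothing; and `auth reconcile` by default only adds missing permissions and subjects, so rules later removed from the template are not revoked unless the oc version in use is explicitly told to remove extra permissions, which is worth a comment on the task.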
diff --git a/roles/openshift_web_console/vars/main.yml b/roles/openshift_web_console/vars/main.yml
index 80bc56a17..e91048e38 100644
--- a/roles/openshift_web_console/vars/main.yml
+++ b/roles/openshift_web_console/vars/main.yml
@@ -2,4 +2,5 @@
 __console_files_location: "../../../files/origin-components/"
 
 __console_template_file: "console-template.yaml"
+__console_rbac_file: "console-rbac-template.yaml"
 __console_config_file: "console-config.yaml"
-- 
cgit v1.2.3