From 731b265e56920b776b38c66a23f7c83f5a6a0187 Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Tue, 15 Nov 2016 17:14:41 -0500 Subject: Add rolebinding-reader Fixes Bug 1390913 Fixes BZ1390913 --- roles/openshift_hosted_logging/tasks/deploy_logging.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml index 0162d1fb0..4feb5abcf 100644 --- a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml +++ b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml @@ -71,6 +71,13 @@ register: fluentd2_output failed_when: "fluentd2_output.rc == 1 and 'exists' not in fluentd2_output.stderr" + - name: "Add rolebinding-reader to aggregated-logging-elastic-search" + command: > + {{ openshift.common.client_binary }} adm policy add-cluster-role-to-user rolebinding-reader \ + system:serviceaccount:logging:aggregated-logging-elasticsearch + register: rolebinding_reader_output + failed_when: "rolebinding_reader_output == 1 and 'exists' not in rolebinding_reader_output.stderr" + - name: "Create ConfigMap for deployer parameters" command: > {{ openshift.common.client_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-deployer {{ deployer_cmap_params }} -- cgit v1.2.3 From 5f55d7c7e2ce19e2d01bc0b86d6d1194afe03c03 Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Tue, 15 Nov 2016 17:19:14 -0500 Subject: Fix a few places where we're not specifying the admin kubeconfig --- .../openshift_hosted_logging/tasks/deploy_logging.yaml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml index 4feb5abcf..5e445cb37 100644 --- a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml +++ b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml @@ -40,7 +40,7 @@ - name: "Create templates for logging accounts and the deployer" command: > - {{ openshift.common.client_binary }} create + {{ openshift.common.client_binary }} create --config={{ mktemp.stdout }}/admin.kubeconfig -f {{ hosted_base }}/logging-deployer.yaml --config={{ mktemp.stdout }}/admin.kubeconfig -n logging @@ -49,31 +49,37 @@ changed_when: "'created' in logging_import_template.stdout" - name: "Process the logging accounts template" - shell: "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig process logging-deployer-account-template | {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f -" + shell: > + {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig + process logging-deployer-account-template | {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f - register: process_deployer_accounts failed_when: process_deployer_accounts.rc == 1 and 'already exists' not in process_deployer_accounts.stderr - name: "Set permissions for logging-deployer service account" command: > - {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig policy add-cluster-role-to-user oauth-editor system:serviceaccount:logging:logging-deployer + {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig + policy add-cluster-role-to-user oauth-editor system:serviceaccount:logging:logging-deployer register: permiss_output failed_when: "permiss_output.rc == 1 and 'exists' not in permiss_output.stderr" - name: "Set permissions for fluentd" command: > - {{ openshift.common.client_binary }} adm policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd + {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig + policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd register: fluentd_output failed_when: "fluentd_output.rc == 1 and 'exists' not in fluentd_output.stderr" - name: "Set additional permissions for fluentd" command: > - {{ openshift.common.client_binary }} adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd + {{ openshift.common.client_binary }} adm policy --config={{ mktemp.stdout }}/admin.kubeconfig + add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd register: fluentd2_output failed_when: "fluentd2_output.rc == 1 and 'exists' not in fluentd2_output.stderr" - name: "Add rolebinding-reader to aggregated-logging-elastic-search" command: > - {{ openshift.common.client_binary }} adm policy add-cluster-role-to-user rolebinding-reader \ + {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig + policy add-cluster-role-to-user rolebinding-reader \ system:serviceaccount:logging:aggregated-logging-elasticsearch register: rolebinding_reader_output failed_when: "rolebinding_reader_output == 1 and 'exists' not in rolebinding_reader_output.stderr" -- cgit v1.2.3 From 84bf91fff6b506a23f5c9d1d8ac4f6f32d53e7a6 Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Tue, 15 Nov 2016 17:20:02 -0500 Subject: Fix typo --- roles/openshift_hosted_logging/tasks/deploy_logging.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml index 5e445cb37..625af9acd 100644 --- a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml +++ b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml @@ -76,7 +76,7 @@ register: fluentd2_output failed_when: "fluentd2_output.rc == 1 and 'exists' not in fluentd2_output.stderr" - - name: "Add rolebinding-reader to aggregated-logging-elastic-search" + - name: "Add rolebinding-reader to aggregated-logging-elasticsearch" command: > {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig policy add-cluster-role-to-user rolebinding-reader \ -- cgit v1.2.3