From 6473004b66fc3ae3b185e38b0d167307a6497d1a Mon Sep 17 00:00:00 2001
From: Kenny Woodson <kwoodson@redhat.com>
Date: Mon, 10 Apr 2017 16:06:21 -0400
Subject: Adding module calls instead of command for idempotency.

---
 roles/openshift_manageiq/tasks/main.yaml | 88 ++++++++++++--------------------
 roles/openshift_manageiq/vars/main.yml   | 64 ++++++++++-------------
 2 files changed, 61 insertions(+), 91 deletions(-)


diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index f202486a5..cfc4e2722 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
@@ -3,24 +3,13 @@
     msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1."
   when: not openshift.common.version_gte_3_1_or_1_1 | bool
 
-- name: Copy Configuration to temporary conf
-  command: >
-    cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{manage_iq_tmp_conf}}
-  changed_when: false
-
 - name: Add Management Infrastructure project
-  command: >
-    {{ openshift.common.client_binary }} adm new-project
-    management-infra
-    --description="Management Infrastructure"
-    --config={{manage_iq_tmp_conf}}
-  register: osmiq_create_mi_project
-  failed_when: "'already exists' not in osmiq_create_mi_project.stderr and osmiq_create_mi_project.rc != 0"
-  changed_when: osmiq_create_mi_project.rc == 0
+  oc_project:
+    name: management-infra
+    description: Management Infrastructure
 
 - name: Create Admin and Image Inspector Service Account
   oc_serviceaccount:
-    kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig"
     name: "{{ item }}"
     namespace: management-infra
     state: present
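Review bot: The new `oc_project` call and the trimmed `oc_serviceaccount` call no longer pass a `kubeconfig`, so both presumably fall back to the module's built-in default path rather than the `{{ openshift.common.config_base }}/master/admin.kubeconfig` the removed lines derived from the inventory; on hosts where `config_base` is not the default location the tasks will either fail or authenticate with a different file than intended. Keep the path explicit on each module call, e.g. `kubeconfig: "{{ openshift.common.config_base }}/master/admin.kubeconfig"` under `oc_project:` and restored under `oc_serviceaccount:`. The same omission applies to the `oc_clusterrole` and `oc_adm_policy_user` calls in the second hunk of this file. The `Create Admin and Image Inspector Service Account` task continues past the end of this hunk (its `with_items` list is in the next one).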
@@ -28,51 +17,42 @@
   - management-admin
   - inspector-admin
 
-- name: Create Cluster Role
-  shell: >
-    echo {{ manageiq_cluster_role | to_json | quote }} |
-    {{ openshift.common.client_binary }} create
-    --config={{manage_iq_tmp_conf}}
-    -f -
-  register: osmiq_create_cluster_role
-  failed_when: "'already exists' not in osmiq_create_cluster_role.stderr and osmiq_create_cluster_role.rc != 0"
-  changed_when: osmiq_create_cluster_role.rc == 0
+- name: Create manageiq cluster role
+  oc_clusterrole:
+    name: management-infra-admin
+    rules:
+    - apiGroups:
+      - ""
+      resources:
+      - pods/proxy
+      verbs:
+      - "*"
 
 - name: Create Hawkular Metrics Admin Cluster Role
-  shell: >
-    echo {{ manageiq_metrics_admin_clusterrole | to_json | quote }} |
-    {{ openshift.common.client_binary }}
-    --config={{manage_iq_tmp_conf}}
-    create -f -
-  register: oshawkular_create_cluster_role
-  failed_when: "'already exists' not in oshawkular_create_cluster_role.stderr and oshawkular_create_cluster_role.rc != 0"
-  changed_when: oshawkular_create_cluster_role.rc == 0
-  # AUDIT:changed_when_note: Checking the return code is insufficient
-  # here. We really need to verify the if the role even exists before
-  # we run this task.
+  oc_clusterrole:
+    name: hawkular-metrics-admin
+    rules:
+    - apiGroups:
+      - ""
+      resources:
+      - hawkular-alerts
+      - hawkular-metrics
+      verbs:
+      - "*"
 
 - name: Configure role/user permissions
-  command: >
-    {{ openshift.common.client_binary }} adm {{item}}
-    --config={{manage_iq_tmp_conf}}
-  with_items: "{{manage_iq_tasks}}"
-  register: osmiq_perm_task
-  failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0"
-  changed_when: osmiq_perm_task.rc == 0
-  # AUDIT:changed_when_note: Checking the return code is insufficient
-  # here. We really need to compare the current role/user permissions
-  # with their expected state. I think we may have a module for this?
-
+  oc_adm_policy_user:
+    namespace: management-infra
+    resource_name: "{{ item.resource_name }}"
+    resource_kind: "{{ item.resource_kind }}"
+    user: "{{ item.user }}"
+  with_items: "{{ manage_iq_tasks }}"
 
 - name: Configure 3_2 role/user permissions
-  command: >
-    {{ openshift.common.client_binary }} adm {{item}}
-    --config={{manage_iq_tmp_conf}}
+  oc_adm_policy_user:
+    namespace: management-infra
+    resource_name: "{{ item.resource_name }}"
+    resource_kind: "{{ item.resource_kind }}"
+    user: "{{ item.user }}"
   with_items: "{{manage_iq_openshift_3_2_tasks}}"
-  register: osmiq_perm_3_2_task
-  failed_when: osmiq_perm_3_2_task.rc != 0
-  changed_when: osmiq_perm_3_2_task.rc == 0
   when: openshift.common.version_gte_3_2_or_1_2 | bool
-
-- name: Clean temporary configuration file
-  file: path={{manage_iq_tmp_conf}} state=absent
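Review bot: The `management-infra-admin` rule grants every verb on `pods/proxy` with no comment explaining why, and since the removed `AUDIT` notes were the only prose in this file, a reader now has nothing to go on; a line above `rules:` such as `# pods/proxy with all verbs: lets the management-admin service account reach pod endpoints directly; scoped to management-infra by the role binding in vars/main.yml` would document the intent. As a point of style, the two `oc_adm_policy_user` tasks are identical apart from their item lists and could be one task with `with_items: "{{ manage_iq_tasks + (manage_iq_openshift_3_2_tasks if openshift.common.version_gte_3_2_or_1_2 | bool else []) }}"`, which also drops the separate `when:`. The surviving `"{{manage_iq_openshift_3_2_tasks}}"` also differs in brace spacing from the new `"{{ manage_iq_tasks }}"` line above it.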
diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml
index 9936bb126..15d667628 100644
--- a/roles/openshift_manageiq/vars/main.yml
+++ b/roles/openshift_manageiq/vars/main.yml
@@ -1,41 +1,31 @@
 ---
-openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-manageiq_cluster_role:
-  apiVersion: v1
-  kind: ClusterRole
-  metadata:
-    name: management-infra-admin
-  rules:
-  - resources:
-    - pods/proxy
-    verbs:
-    - '*'
-
-manageiq_metrics_admin_clusterrole:
-  apiVersion: v1
-  kind: ClusterRole
-  metadata:
-    name: hawkular-metrics-admin
-  rules:
-  - apiGroups:
-    - ""
-    resources:
-    - hawkular-metrics
-    - hawkular-alerts
-    verbs:
-    - '*'
-
-manage_iq_tmp_conf: /tmp/manageiq_admin.kubeconfig
-
 manage_iq_tasks:
-- policy add-role-to-user -n management-infra admin -z management-admin
-- policy add-role-to-user -n management-infra management-infra-admin -z management-admin
-- policy add-cluster-role-to-user cluster-reader system:serviceaccount:management-infra:management-admin
-- policy add-scc-to-user privileged system:serviceaccount:management-infra:management-admin
-- policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin
-- policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin
-- policy add-cluster-role-to-user self-provisioner system:serviceaccount:management-infra:management-admin
-- policy add-cluster-role-to-user hawkular-metrics-admin system:serviceaccount:management-infra:management-admin
+- resource_kind: role
+  resource_name: admin
+  user: management-admin
+- resource_kind: role
+  resource_name: management-infra-admin
+  user: management-admin
+- resource_kind: cluster-role
+  resource_name: cluster-reader
+  user: system:serviceaccount:management-infra:management-admin
+- resource_kind: scc
+  resource_name: privileged
+  user: system:serviceaccount:management-infra:management-admin
+- resource_kind: cluster-role
+  resource_name: system:image-puller
+  user: system:serviceaccount:management-infra:inspector-admin
+- resource_kind: scc
+  resource_name: privileged
+  user: system:serviceaccount:management-infra:inspector-admin
+- resource_kind: cluster-role
+  resource_name: self-provisioner
+  user: system:serviceaccount:management-infra:management-admin
+- resource_kind: cluster-role
+  resource_name: hawkular-metrics-admin
+  user: system:serviceaccount:management-infra:management-admin
 
 manage_iq_openshift_3_2_tasks:
-- policy add-cluster-role-to-user system:image-auditor system:serviceaccount:management-infra:management-admin
+- resource_kind: cluster-role
+  resource_name: system:image-auditor
+  user: system:serviceaccount:management-infra:management-admin
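Review bot: The two `resource_kind: role` entries pass a bare `user: management-admin`, whereas the removed commands used `-z management-admin`, which `oc adm policy` expands to the service account `system:serviceaccount:management-infra:management-admin`; unless `oc_adm_policy_user` resolves bare names to service accounts (not visible here), the `admin` and `management-infra-admin` bindings now target a user named `management-admin` instead of the service account, and the permission is silently missing. The cluster-role and scc entries in the same list already use the fully qualified form, so the fix is to make the role entries match: `user: system:serviceaccount:management-infra:management-admin` on both. Worth confirming against the module's handling of `user` before merging.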
-- 