authorOpenShift Bot <dmcphers+openshiftbot@redhat.com>2017-03-13 21:43:09 -0400
committerGitHub <noreply@github.com>2017-03-13 21:43:09 -0400
commit46d1efcf1e8ab67deaa6c42460bc510650df17b0 (patch)
tree655779372f8171a9fb3b73e5f18eb8e8cbaef2c4 /roles/openshift_hosted
parent0ee14573521daf459e9fa8609769c954425979d7 (diff)
parente879931d0d093fac33c5c3bd8d32fab176e68c93 (diff)
Merge pull request #3640 from mtnbikenc/refactor-serviceaccount
Merged by openshift-bot
Diffstat (limited to 'roles/openshift_hosted')
-rw-r--r--roles/openshift_hosted/meta/main.yml16
-rw-r--r--roles/openshift_hosted/tasks/registry/registry.yml16
-rw-r--r--roles/openshift_hosted/tasks/router/router.yml15
3 files changed, 29 insertions, 18 deletions
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index e9b590550..bbbb76414 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -17,19 +17,3 @@ dependencies:
- role: lib_openshift
- role: openshift_projects
openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
-- role: openshift_serviceaccounts
- openshift_serviceaccounts_names:
- - router
- - registry
- openshift_serviceaccounts_namespace: default
- openshift_serviceaccounts_sccs:
- - hostnetwork
- when: openshift.common.version_gte_3_2_or_1_2
-- role: openshift_serviceaccounts
- openshift_serviceaccounts_names:
- - router
- - registry
- openshift_serviceaccounts_namespace: default
- openshift_serviceaccounts_sccs:
- - privileged
- when: not openshift.common.version_gte_3_2_or_1_2
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index d89ce855a..0b8042473 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -56,12 +56,24 @@
openshift_hosted_registry_force:
- False
+- name: Create the registry service account
+ oc_serviceaccount:
+ name: "{{ openshift_hosted_registry_serviceaccount }}"
+ namespace: "{{ openshift_hosted_registry_namespace }}"
+
+- name: Grant the registry serivce account access to the appropriate scc
+ oc_adm_policy_user:
+ user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
+ namespace: "{{ openshift_hosted_registry_namespace }}"
+ resource_kind: scc
+ resource_name: hostnetwork
+
- name: oc adm policy add-cluster-role-to-user system:registry system:serviceaccount:default:registry
oc_adm_policy_user:
- user: system:serviceaccount:default:registry
+ user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
+ namespace: "{{ openshift_hosted_registry_namespace }}"
resource_kind: cluster-role
resource_name: system:registry
- state: present
- name: create the default registry service
oc_service:
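Review bot: The added `Grant the registry serivce account access to the appropriate scc` task binds the account to the `hostnetwork` SCC unconditionally, whereas the dependency removed from meta/main.yml picked `hostnetwork` or `privileged` on `openshift.common.version_gte_3_2_or_1_2`; if pre-3.2 clusters are still supported, this task (and the matching one in router.yml) presumably needs a `when:` guard, or a comment stating that they are not. Nothing in this hunk shows the registry using host networking, so a comment saying why the SCC is required, or dropping the grant if it is not, would keep the account at least privilege. The following task's name still reads `system:serviceaccount:default:registry` although the subject is now built from `openshift_hosted_registry_namespace` and `openshift_hosted_registry_serviceaccount`, so run logs will name the wrong subject when those are overridden; `- name: Grant the system:registry cluster role to the registry service account` would stay accurate. `serivce` in the new task name is a typo for `service`, repeated in router.yml.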
diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml
index 3b7021eae..969fb27a9 100644
--- a/roles/openshift_hosted/tasks/router/router.yml
+++ b/roles/openshift_hosted/tasks/router/router.yml
@@ -22,6 +22,21 @@
with_items: "{{ openshift_hosted_routers | oo_collect(attribute='certificates') |
oo_select_keys_from_list(['keyfile', 'certfile', 'cafile']) }}"
+- name: Create the router service account(s)
+ oc_serviceaccount:
+ name: "{{ item.serviceaccount }}"
+ namespace: "{{ item.namespace }}"
+ state: present
+ with_items: "{{ openshift_hosted_routers }}"
+
+- name: Grant the router serivce account(s) access to the appropriate scc
+ oc_adm_policy_user:
+ user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}"
+ namespace: "{{ item.namespace }}"
+ resource_kind: scc
+ resource_name: hostnetwork
+ with_items: "{{ openshift_hosted_routers }}"
+
- name: Create OpenShift router
oc_adm_router:
name: "{{ item.name }}"
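Review bot: Every entry of `openshift_hosted_routers` receives the `hostnetwork` SCC in the second added task, whether or not that router is deployed with host networking; the `Create OpenShift router` task continues past the end of the hunk, so its networking options are not visible here. If routers can be configured without host networking, a `when:` keyed on the item's networking setting would keep those service accounts off the SCC. Both added tasks also read `item.serviceaccount` and `item.namespace` with no `default(...)`, so an entry lacking either key will fail templating; a short comment above the first task listing the keys each router entry must carry would document that.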