diff options
author | Scott Dodson <sdodson@redhat.com> | 2017-10-23 08:55:00 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-23 08:55:00 -0400 |
commit | d7cfb9e1a33d1637946aa10af5329290784ab41f (patch) | |
tree | dd5b25dd752e01dbaa88fb9d0f8e2ddbabf5ea30 /roles | |
parent | 75fc5ef69b792d9595918383286b0d9e45eda848 (diff) | |
parent | 1aa2a93f564e279bc6362281c067fd93599a9666 (diff) | |
download | openshift-d7cfb9e1a33d1637946aa10af5329290784ab41f.tar.gz openshift-d7cfb9e1a33d1637946aa10af5329290784ab41f.tar.bz2 openshift-d7cfb9e1a33d1637946aa10af5329290784ab41f.tar.xz openshift-d7cfb9e1a33d1637946aa10af5329290784ab41f.zip |
Merge pull request #5761 from fabianvf/asb-client-secret-not-found
Bug 1496426 - Update ansible-service-broker configuration to use proper certs and permissions
Diffstat (limited to 'roles')
4 files changed, 24 insertions, 22 deletions
diff --git a/roles/ansible_service_broker/defaults/main.yml b/roles/ansible_service_broker/defaults/main.yml index fa982d533..dc05b03b5 100644 --- a/roles/ansible_service_broker/defaults/main.yml +++ b/roles/ansible_service_broker/defaults/main.yml @@ -13,7 +13,4 @@ ansible_service_broker_launch_apb_on_bind: false ansible_service_broker_image_pull_policy: IfNotPresent ansible_service_broker_sandbox_role: edit -ansible_service_broker_auto_escalate: true -ansible_service_broker_registry_tag: latest -ansible_service_broker_registry_whitelist: - - '.*-apb$' +ansible_service_broker_auto_escalate: false diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index 9a91927b8..66c3d9cc4 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -22,23 +22,14 @@ ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}" ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}" ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}" - - ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/service-catalog" + ansible_service_broker_registry_tag: "{{ ansible_service_broker_registry_tag | default(__ansible_service_broker_registry_tag) }}" + ansible_service_broker_registry_whitelist: "{{ ansible_service_broker_registry_whitelist | default(__ansible_service_broker_registry_whitelist) }}" - name: set ansible-service-broker image facts using set prefix and tag set_fact: ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}" ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}" -- set_fact: - openshift_master_config_dir: "{{ openshift.common.config_base }}/master" - when: openshift_master_config_dir is undefined - -- slurp: - src: "{{ openshift_master_config_dir }}/service-signer.crt" - register: catalog_ca - - - include: validate_facts.yml @@ -83,13 +74,12 @@ state: present name: asb-access rules: - - nonResourceURLs: ["/ansible-service-broker", "ansible-service-broker/*"] + - nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"] verbs: ["get", "post", "put", "patch", "delete"] - name: Bind admin cluster-role to asb serviceaccount oc_adm_policy_user: state: present - namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: admin user: "system:serviceaccount:openshift-ansible-service-broker:asb" @@ -97,7 +87,6 @@ - name: Bind auth cluster role to asb service account oc_adm_policy_user: state: present - namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: asb-auth user: "system:serviceaccount:openshift-ansible-service-broker:asb" @@ -105,7 +94,6 @@ - name: Bind asb-access role to asb-client service account oc_adm_policy_user: state: present - namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: asb-access user: "system:serviceaccount:openshift-ansible-service-broker:asb-client" @@ -113,6 +101,7 @@ - name: create asb-client token secret oc_obj: name: asb-client + namespace: openshift-ansible-service-broker state: present kind: Secret content: @@ -122,10 +111,20 @@ kind: Secret metadata: name: asb-client + namespace: openshift-ansible-service-broker annotations: kubernetes.io/service-account.name: asb-client type: kubernetes.io/service-account-token +- oc_secret: + state: list + namespace: openshift-ansible-service-broker + name: asb-client + register: asb_client_secret + +- set_fact: + service_ca_crt: asb_client_secret.results.results.0.data['service-ca.crt'] + # Using oc_obj because oc_service doesn't seem to allow annotations # TODO: Extend oc_service to allow annotations - name: create ansible-service-broker service @@ -141,6 +140,7 @@ kind: Service metadata: name: asb + namespace: openshift-ansible-service-broker labels: app: openshift-ansible-service-broker service: asb @@ -354,11 +354,11 @@ metadata: name: ansible-service-broker spec: - url: http://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker + url: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker authInfo: bearer: secretRef: name: asb-client namespace: openshift-ansible-service-broker kind: Secret - caBundle: "{{ catalog_ca.content }}" + caBundle: "{{ service_ca_crt }}" diff --git a/roles/ansible_service_broker/vars/default_images.yml b/roles/ansible_service_broker/vars/default_images.yml index 3e9639adf..8438e993f 100644 --- a/roles/ansible_service_broker/vars/default_images.yml +++ b/roles/ansible_service_broker/vars/default_images.yml @@ -13,3 +13,5 @@ __ansible_service_broker_registry_url: null __ansible_service_broker_registry_user: null __ansible_service_broker_registry_password: null __ansible_service_broker_registry_organization: null +__ansible_service_broker_registry_tag: latest +__ansible_service_broker_registry_whitelist: [] diff --git a/roles/ansible_service_broker/vars/openshift-enterprise.yml b/roles/ansible_service_broker/vars/openshift-enterprise.yml index 9c576cb76..fc58b4fd8 100644 --- a/roles/ansible_service_broker/vars/openshift-enterprise.yml +++ b/roles/ansible_service_broker/vars/openshift-enterprise.yml @@ -1,7 +1,7 @@ --- __ansible_service_broker_image_prefix: registry.access.redhat.com/openshift3/ose- -__ansible_service_broker_image_tag: v3.6 +__ansible_service_broker_image_tag: v3.7 __ansible_service_broker_etcd_image_prefix: rhel7/ __ansible_service_broker_etcd_image_tag: latest @@ -14,3 +14,6 @@ __ansible_service_broker_registry_url: "https://registry.access.redhat.com" __ansible_service_broker_registry_user: null __ansible_service_broker_registry_password: null __ansible_service_broker_registry_organization: null +__ansible_service_broker_registry_tag: v3.7 +__ansible_service_broker_registry_whitelist: + - '.*-apb$' |