From c2de775c80b8daa629af514f24118f704c521c18 Mon Sep 17 00:00:00 2001 
From: Dan Yocum Date: Tue, 23 Jan 2018 13:17:06 -0500 Subject: moving files to their correct /files dir for the openshift_web_console and template_service_broker roles --- files/origin-components/apiserver-config.yaml | 4 - files/origin-components/apiserver-template.yaml | 125 --------------------- files/origin-components/console-config.yaml | 23 ---- files/origin-components/console-rbac-template.yaml | 38 ------- files/origin-components/console-template.yaml | 121 -------------------- files/origin-components/rbac-template.yaml | 92 --------------- .../template-service-broker-registration.yaml | 25 ----- .../files/console-config.yaml | 23 ++++ .../files/console-rbac-template.yaml | 38 +++++++ .../files/console-template.yaml | 121 ++++++++++++++++++++ roles/openshift_web_console/vars/main.yml | 2 +- .../files/apiserver-config.yaml | 4 + .../files/apiserver-template.yaml | 125 +++++++++++++++++++++ .../files/rbac-template.yaml | 92 +++++++++++++++ .../template-service-broker-registration.yaml | 25 +++++ roles/template_service_broker/vars/main.yml | 2 +- 16 files changed, 430 insertions(+), 430 deletions(-) delete mode 100644 files/origin-components/apiserver-config.yaml delete mode 100644 files/origin-components/apiserver-template.yaml delete mode 100644 files/origin-components/console-config.yaml delete mode 100644 files/origin-components/console-rbac-template.yaml delete mode 100644 files/origin-components/console-template.yaml delete mode 100644 files/origin-components/rbac-template.yaml delete mode 100644 files/origin-components/template-service-broker-registration.yaml create mode 100644 roles/openshift_web_console/files/console-config.yaml create mode 100644 roles/openshift_web_console/files/console-rbac-template.yaml create mode 100644 roles/openshift_web_console/files/console-template.yaml create mode 100644 roles/template_service_broker/files/apiserver-config.yaml create mode 100644 roles/template_service_broker/files/apiserver-template.yaml create mode 
100644 roles/template_service_broker/files/rbac-template.yaml create mode 100644 roles/template_service_broker/files/template-service-broker-registration.yaml diff --git a/files/origin-components/apiserver-config.yaml b/files/origin-components/apiserver-config.yaml deleted file mode 100644 index e4048d1da..000000000 --- a/files/origin-components/apiserver-config.yaml +++ /dev/null @@ -1,4 +0,0 @@ -kind: TemplateServiceBrokerConfig -apiVersion: config.templateservicebroker.openshift.io/v1 -templateNamespaces: -- openshift diff --git a/files/origin-components/apiserver-template.yaml b/files/origin-components/apiserver-template.yaml deleted file mode 100644 index 4dd9395d0..000000000 --- a/files/origin-components/apiserver-template.yaml +++ /dev/null 
@@ -1,125 +0,0 @@ -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: template-service-broker-apiserver -parameters: -- name: IMAGE - value: openshift/origin-template-service-broker:latest -- name: NAMESPACE - value: openshift-template-service-broker -- name: LOGLEVEL - value: "0" -- name: API_SERVER_CONFIG - value: | - kind: TemplateServiceBrokerConfig - apiVersion: config.templateservicebroker.openshift.io/v1 - templateNamespaces: - - openshift -- name: NODE_SELECTOR - value: "{}" -objects: - -# to create the tsb server -- apiVersion: extensions/v1beta1 - kind: DaemonSet - metadata: - namespace: ${NAMESPACE} - name: apiserver - labels: - apiserver: "true" - spec: - template: - metadata: - name: apiserver - labels: - apiserver: "true" - spec: - serviceAccountName: apiserver - containers: - - name: c - image: ${IMAGE} - imagePullPolicy: IfNotPresent - command: - - "/usr/bin/template-service-broker" - - "start" - - "template-service-broker" - - "--secure-port=8443" - - "--audit-log-path=-" - - "--tls-cert-file=/var/serving-cert/tls.crt" - - "--tls-private-key-file=/var/serving-cert/tls.key" - - "--v=${LOGLEVEL}" - - "--config=/var/apiserver-config/apiserver-config.yaml" - ports: - - containerPort: 8443 - volumeMounts: - - mountPath: /var/serving-cert - name: serving-cert - - mountPath: /var/apiserver-config - name: apiserver-config - readinessProbe: - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - nodeSelector: "${{NODE_SELECTOR}}" - volumes: - - name: serving-cert - secret: - defaultMode: 420 - secretName: apiserver-serving-cert - - name: apiserver-config - configMap: - defaultMode: 420 - name: apiserver-config - -# to create the config for the TSB -- apiVersion: v1 - kind: ConfigMap - metadata: - namespace: ${NAMESPACE} - name: apiserver-config - data: - apiserver-config.yaml: ${API_SERVER_CONFIG} - -# to be able to assign powers to the process -- apiVersion: v1 - kind: ServiceAccount - metadata: - namespace: ${NAMESPACE} - name: 
apiserver - -# to be able to expose TSB inside the cluster -- apiVersion: v1 - kind: Service - metadata: - namespace: ${NAMESPACE} - name: apiserver - annotations: - service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert - spec: - selector: - apiserver: "true" - ports: - - port: 443 - targetPort: 8443 - -# This service account will be granted permission to call the TSB. -# The token for this SA will be provided to the service catalog for -# use when calling the TSB. -- apiVersion: v1 - kind: ServiceAccount - metadata: - namespace: ${NAMESPACE} - name: templateservicebroker-client - -# This secret will be populated with a copy of the templateservicebroker-client SA's -# auth token. Since this secret has a static name, it can be referenced more -# easily than the auto-generated secret for the service account. -- apiVersion: v1 - kind: Secret - metadata: - namespace: ${NAMESPACE} - name: templateservicebroker-client - annotations: - kubernetes.io/service-account.name: templateservicebroker-client - type: kubernetes.io/service-account-token diff --git a/files/origin-components/console-config.yaml b/files/origin-components/console-config.yaml deleted file mode 100644 index 32a28775f..000000000 --- a/files/origin-components/console-config.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: webconsole.config.openshift.io/v1 -kind: WebConsoleConfiguration -clusterInfo: - consolePublicURL: https://127.0.0.1:8443/console/ - loggingPublicURL: "" - logoutPublicURL: "" - masterPublicURL: https://127.0.0.1:8443 - metricsPublicURL: "" -extensions: - scriptURLs: [] - stylesheetURLs: [] - properties: null -features: - inactivityTimeoutMinutes: 0 -servingInfo: - bindAddress: 0.0.0.0:8443 - bindNetwork: tcp4 - certFile: /var/serving-cert/tls.crt - clientCA: "" - keyFile: /var/serving-cert/tls.key - maxRequestsInFlight: 0 - namedCertificates: null - requestTimeoutSeconds: 0 
diff --git a/files/origin-components/console-rbac-template.yaml b/files/origin-components/console-rbac-template.yaml deleted file mode 100644 index 9ee117199..000000000 --- a/files/origin-components/console-rbac-template.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: web-console-server-rbac -parameters: -- name: NAMESPACE - # This namespace cannot be changed. Only `openshift-web-console` is supported. - value: openshift-web-console -objects: - - -# allow grant powers to the webconsole server for cluster inspection -- apiVersion: rbac.authorization.k8s.io/v1beta1 - kind: ClusterRole - metadata: - name: system:openshift:web-console-server - rules: - - apiGroups: - - "servicecatalog.k8s.io" - resources: - - clusterservicebrokers - verbs: - - get - - list - - watch - -# Grant the service account for the web console -- apiVersion: rbac.authorization.k8s.io/v1beta1 - kind: ClusterRoleBinding - metadata: - name: system:openshift:web-console-server - roleRef: - kind: ClusterRole - name: system:openshift:web-console-server - subjects: - - kind: ServiceAccount - namespace: ${NAMESPACE} - name: webconsole diff --git a/files/origin-components/console-template.yaml b/files/origin-components/console-template.yaml deleted file mode 100644 index 7bf2d0cf4..000000000 --- a/files/origin-components/console-template.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: openshift-web-console - annotations: - openshift.io/display-name: OpenShift Web Console - description: The server for the OpenShift web console. - iconClass: icon-openshift - tags: openshift,infra - openshift.io/documentation-url: https://github.com/openshift/origin-web-console-server - openshift.io/support-url: https://access.redhat.com - openshift.io/provider-display-name: Red Hat, Inc. -parameters: -- name: IMAGE - value: openshift/origin-web-console:latest -- name: NAMESPACE - # This namespace cannot be changed. Only `openshift-web-console` is supported. - value: openshift-web-console -- name: LOGLEVEL - value: "0" -- name: API_SERVER_CONFIG -- name: NODE_SELECTOR - value: "{}" -- name: REPLICA_COUNT - value: "1" -objects: - -# to create the web console server -- apiVersion: apps/v1beta1 - kind: Deployment - metadata: - namespace: ${NAMESPACE} - name: webconsole - labels: - app: openshift-web-console - webconsole: "true" - spec: - replicas: "${{REPLICA_COUNT}}" - strategy: - type: Recreate - template: - metadata: - name: webconsole - labels: - webconsole: "true" - spec: - serviceAccountName: webconsole - containers: - - name: webconsole - image: ${IMAGE} - imagePullPolicy: IfNotPresent - command: - - "/usr/bin/origin-web-console" - - "--audit-log-path=-" - - "-v=${LOGLEVEL}" - - "--config=/var/webconsole-config/webconsole-config.yaml" - ports: - - containerPort: 8443 - volumeMounts: - - mountPath: /var/serving-cert - name: serving-cert - - mountPath: /var/webconsole-config - name: webconsole-config - readinessProbe: - httpGet: - path: /healthz - port: 8443 - scheme: HTTPS - livenessProbe: - httpGet: - path: / - port: 8443 - scheme: HTTPS - nodeSelector: "${{NODE_SELECTOR}}" - volumes: - - name: serving-cert - secret: - defaultMode: 400 - secretName: webconsole-serving-cert - - name: webconsole-config - configMap: - defaultMode: 440 - name: webconsole-config - -# to create 
the config for the web console -- apiVersion: v1 - kind: ConfigMap - metadata: - namespace: ${NAMESPACE} - name: webconsole-config - labels: - app: openshift-web-console - data: - webconsole-config.yaml: ${API_SERVER_CONFIG} - -# to be able to assign powers to the process -- apiVersion: v1 - kind: ServiceAccount - metadata: - namespace: ${NAMESPACE} - name: webconsole - labels: - app: openshift-web-console - -# to be able to expose web console inside the cluster -- apiVersion: v1 - kind: Service - metadata: - namespace: ${NAMESPACE} - name: webconsole - labels: - app: openshift-web-console - annotations: - service.alpha.openshift.io/serving-cert-secret-name: webconsole-serving-cert - spec: - selector: - webconsole: "true" - ports: - - name: https - port: 443 - targetPort: 8443 diff --git a/files/origin-components/rbac-template.yaml b/files/origin-components/rbac-template.yaml deleted file mode 100644 index 0937a9065..000000000 --- a/files/origin-components/rbac-template.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: template-service-broker-rbac -parameters: -- name: NAMESPACE - value: openshift-template-service-broker -- name: KUBE_SYSTEM - value: kube-system -objects: - -# Grant the service account permission to call the TSB -- apiVersion: rbac.authorization.k8s.io/v1beta1 - kind: ClusterRoleBinding - metadata: - name: templateservicebroker-client - roleRef: - kind: ClusterRole - name: system:openshift:templateservicebroker-client - subjects: - - kind: ServiceAccount - namespace: ${NAMESPACE} - name: templateservicebroker-client - -# to delegate authentication and authorization -- apiVersion: rbac.authorization.k8s.io/v1beta1 - kind: ClusterRoleBinding - metadata: - name: auth-delegator-${NAMESPACE} - roleRef: - kind: ClusterRole - name: system:auth-delegator - subjects: - - kind: ServiceAccount - namespace: ${NAMESPACE} - name: apiserver - -# to have the template service broker powers -- apiVersion: rbac.authorization.k8s.io/v1beta1 - kind: ClusterRoleBinding - metadata: - name: tsb-${NAMESPACE} - roleRef: - kind: ClusterRole - name: system:openshift:controller:template-service-broker - subjects: - - kind: ServiceAccount - namespace: ${NAMESPACE} - name: apiserver - -# to read the config for terminating authentication -- apiVersion: rbac.authorization.k8s.io/v1beta1 - kind: RoleBinding - metadata: - namespace: ${KUBE_SYSTEM} - name: extension-apiserver-authentication-reader-${NAMESPACE} - roleRef: - kind: Role - name: extension-apiserver-authentication-reader - subjects: - - kind: ServiceAccount - namespace: ${NAMESPACE} - name: apiserver - -# allow the kube service catalog's SA to read the static secret defined -# above, which will contain the token for the SA that can call the TSB. 
-- apiVersion: rbac.authorization.k8s.io/v1beta1 - kind: Role - metadata: - name: templateservicebroker-auth-reader - namespace: ${NAMESPACE} - rules: - - apiGroups: - - "" - resourceNames: - - templateservicebroker-client - resources: - - secrets - verbs: - - get -- apiVersion: rbac.authorization.k8s.io/v1beta1 - kind: RoleBinding - metadata: - namespace: ${NAMESPACE} - name: templateservicebroker-auth-reader - roleRef: - kind: Role - name: templateservicebroker-auth-reader - subjects: - - kind: ServiceAccount - namespace: kube-service-catalog - name: service-catalog-controller diff --git a/files/origin-components/template-service-broker-registration.yaml b/files/origin-components/template-service-broker-registration.yaml deleted file mode 100644 index 95fb72924..000000000 --- a/files/origin-components/template-service-broker-registration.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: template.openshift.io/v1 -kind: Template -metadata: - name: template-service-broker-registration -parameters: -- name: TSB_NAMESPACE - value: openshift-template-service-broker -- name: CA_BUNDLE - required: true -objects: -# register the tsb with the service catalog -- apiVersion: servicecatalog.k8s.io/v1beta1 - kind: ClusterServiceBroker - metadata: - name: template-service-broker - spec: - url: https://apiserver.${TSB_NAMESPACE}.svc:443/brokers/template.openshift.io - insecureSkipTLSVerify: false - caBundle: ${CA_BUNDLE} - authInfo: - bearer: - secretRef: - kind: Secret - name: templateservicebroker-client - namespace: ${TSB_NAMESPACE} diff --git a/roles/openshift_web_console/files/console-config.yaml b/roles/openshift_web_console/files/console-config.yaml new file mode 100644 index 000000000..32a28775f --- /dev/null +++ b/roles/openshift_web_console/files/console-config.yaml 
@@ -0,0 +1,23 @@ +apiVersion: webconsole.config.openshift.io/v1 +kind: WebConsoleConfiguration +clusterInfo: + consolePublicURL: https://127.0.0.1:8443/console/ + loggingPublicURL: "" + logoutPublicURL: "" + masterPublicURL: https://127.0.0.1:8443 + metricsPublicURL: "" +extensions: + scriptURLs: [] + stylesheetURLs: [] + properties: null +features: + inactivityTimeoutMinutes: 0 +servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: tcp4 + certFile: /var/serving-cert/tls.crt + clientCA: "" + keyFile: /var/serving-cert/tls.key + maxRequestsInFlight: 0 + namedCertificates: null + requestTimeoutSeconds: 0 diff --git a/roles/openshift_web_console/files/console-rbac-template.yaml b/roles/openshift_web_console/files/console-rbac-template.yaml new file mode 100644 index 000000000..9ee117199 --- /dev/null +++ b/roles/openshift_web_console/files/console-rbac-template.yaml @@ -0,0 +1,38 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: web-console-server-rbac +parameters: +- name: NAMESPACE + # This namespace cannot be changed. Only `openshift-web-console` is supported. + value: openshift-web-console +objects: + + +# allow grant powers to the webconsole server for cluster inspection +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRole + metadata: + name: system:openshift:web-console-server + rules: + - apiGroups: + - "servicecatalog.k8s.io" + resources: + - clusterservicebrokers + verbs: + - get + - list + - watch + +# Grant the service account for the web console +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRoleBinding + metadata: + name: system:openshift:web-console-server + roleRef: + kind: ClusterRole + name: system:openshift:web-console-server + subjects: + - kind: ServiceAccount + namespace: ${NAMESPACE} + name: webconsole diff --git a/roles/openshift_web_console/files/console-template.yaml b/roles/openshift_web_console/files/console-template.yaml new file mode 100644 index 000000000..7bf2d0cf4 
--- /dev/null +++ b/roles/openshift_web_console/files/console-template.yaml 
@@ -0,0 +1,121 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: openshift-web-console + annotations: + openshift.io/display-name: OpenShift Web Console + description: The server for the OpenShift web console. + iconClass: icon-openshift + tags: openshift,infra + openshift.io/documentation-url: https://github.com/openshift/origin-web-console-server + openshift.io/support-url: https://access.redhat.com + openshift.io/provider-display-name: Red Hat, Inc. +parameters: +- name: IMAGE + value: openshift/origin-web-console:latest +- name: NAMESPACE + # This namespace cannot be changed. Only `openshift-web-console` is supported. + value: openshift-web-console +- name: LOGLEVEL + value: "0" +- name: API_SERVER_CONFIG +- name: NODE_SELECTOR + value: "{}" +- name: REPLICA_COUNT + value: "1" +objects: + +# to create the web console server +- apiVersion: apps/v1beta1 + kind: Deployment + metadata: + namespace: ${NAMESPACE} + name: webconsole + labels: + app: openshift-web-console + webconsole: "true" + spec: + replicas: "${{REPLICA_COUNT}}" + strategy: + type: Recreate + template: + metadata: + name: webconsole + labels: + webconsole: "true" + spec: + serviceAccountName: webconsole + containers: + - name: webconsole + image: ${IMAGE} + imagePullPolicy: IfNotPresent + command: + - "/usr/bin/origin-web-console" + - "--audit-log-path=-" + - "-v=${LOGLEVEL}" + - "--config=/var/webconsole-config/webconsole-config.yaml" + ports: + - containerPort: 8443 + volumeMounts: + - mountPath: /var/serving-cert + name: serving-cert + - mountPath: /var/webconsole-config + name: webconsole-config + readinessProbe: + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + livenessProbe: + httpGet: + path: / + port: 8443 + scheme: HTTPS + nodeSelector: "${{NODE_SELECTOR}}" + volumes: + - name: serving-cert + secret: + defaultMode: 400 + secretName: webconsole-serving-cert + - name: webconsole-config + configMap: + defaultMode: 440 + name: webconsole-config + +# to create 
the config for the web console +- apiVersion: v1 + kind: ConfigMap + metadata: + namespace: ${NAMESPACE} + name: webconsole-config + labels: + app: openshift-web-console + data: + webconsole-config.yaml: ${API_SERVER_CONFIG} + +# to be able to assign powers to the process +- apiVersion: v1 + kind: ServiceAccount + metadata: + namespace: ${NAMESPACE} + name: webconsole + labels: + app: openshift-web-console + +# to be able to expose web console inside the cluster +- apiVersion: v1 + kind: Service + metadata: + namespace: ${NAMESPACE} + name: webconsole + labels: + app: openshift-web-console + annotations: + service.alpha.openshift.io/serving-cert-secret-name: webconsole-serving-cert + spec: + selector: + webconsole: "true" + ports: + - name: https + port: 443 + targetPort: 8443 diff --git a/roles/openshift_web_console/vars/main.yml b/roles/openshift_web_console/vars/main.yml index e91048e38..a3e6b8d80 100644 --- a/roles/openshift_web_console/vars/main.yml +++ b/roles/openshift_web_console/vars/main.yml @@ -1,5 +1,5 @@ --- -__console_files_location: "../../../files/origin-components/" +__console_files_location: "../files/" __console_template_file: "console-template.yaml" __console_rbac_file: "console-rbac-template.yaml" diff --git a/roles/template_service_broker/files/apiserver-config.yaml b/roles/template_service_broker/files/apiserver-config.yaml new file mode 100644 index 000000000..e4048d1da --- /dev/null +++ b/roles/template_service_broker/files/apiserver-config.yaml @@ -0,0 +1,4 @@ +kind: TemplateServiceBrokerConfig +apiVersion: config.templateservicebroker.openshift.io/v1 +templateNamespaces: +- openshift diff --git a/roles/template_service_broker/files/apiserver-template.yaml b/roles/template_service_broker/files/apiserver-template.yaml new file mode 100644 index 000000000..4dd9395d0 --- /dev/null +++ b/roles/template_service_broker/files/apiserver-template.yaml 
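Review bot: The `defaultMode: 400` and `defaultMode: 440` values under `volumes:` in the console-template.yaml hunk are read by the Kubernetes API as decimal int32, i.e. octal 0620 and 0670, not the 0400/0440 the digits suggest, so the serving-cert volume holding tls.key would be mounted owner-rw and group-write-only rather than owner-read-only. If 0400 and 0440 are the intent, write them as `defaultMode: 256` and `defaultMode: 288` with a comment such as `# 0400 as decimal; defaultMode is not octal`. The sibling apiserver-template.yaml hunk uses `defaultMode: 420` (0644) for the same kind of serving-cert secret, so whichever mode is decided on should be applied to both templates for consistency.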
@@ -0,0 +1,125 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: template-service-broker-apiserver +parameters: +- name: IMAGE + value: openshift/origin-template-service-broker:latest +- name: NAMESPACE + value: openshift-template-service-broker +- name: LOGLEVEL + value: "0" +- name: API_SERVER_CONFIG + value: | + kind: TemplateServiceBrokerConfig + apiVersion: config.templateservicebroker.openshift.io/v1 + templateNamespaces: + - openshift +- name: NODE_SELECTOR + value: "{}" +objects: + +# to create the tsb server +- apiVersion: extensions/v1beta1 + kind: DaemonSet + metadata: + namespace: ${NAMESPACE} + name: apiserver + labels: + apiserver: "true" + spec: + template: + metadata: + name: apiserver + labels: + apiserver: "true" + spec: + serviceAccountName: apiserver + containers: + - name: c + image: ${IMAGE} + imagePullPolicy: IfNotPresent + command: + - "/usr/bin/template-service-broker" + - "start" + - "template-service-broker" + - "--secure-port=8443" + - "--audit-log-path=-" + - "--tls-cert-file=/var/serving-cert/tls.crt" + - "--tls-private-key-file=/var/serving-cert/tls.key" + - "--v=${LOGLEVEL}" + - "--config=/var/apiserver-config/apiserver-config.yaml" + ports: + - containerPort: 8443 + volumeMounts: + - mountPath: /var/serving-cert + name: serving-cert + - mountPath: /var/apiserver-config + name: apiserver-config + readinessProbe: + httpGet: + path: /healthz + port: 8443 + scheme: HTTPS + nodeSelector: "${{NODE_SELECTOR}}" + volumes: + - name: serving-cert + secret: + defaultMode: 420 + secretName: apiserver-serving-cert + - name: apiserver-config + configMap: + defaultMode: 420 + name: apiserver-config + +# to create the config for the TSB +- apiVersion: v1 + kind: ConfigMap + metadata: + namespace: ${NAMESPACE} + name: apiserver-config + data: + apiserver-config.yaml: ${API_SERVER_CONFIG} + +# to be able to assign powers to the process +- apiVersion: v1 + kind: ServiceAccount + metadata: + namespace: ${NAMESPACE} + name: 
apiserver + +# to be able to expose TSB inside the cluster +- apiVersion: v1 + kind: Service + metadata: + namespace: ${NAMESPACE} + name: apiserver + annotations: + service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert + spec: + selector: + apiserver: "true" + ports: + - port: 443 + targetPort: 8443 + +# This service account will be granted permission to call the TSB. +# The token for this SA will be provided to the service catalog for +# use when calling the TSB. +- apiVersion: v1 + kind: ServiceAccount + metadata: + namespace: ${NAMESPACE} + name: templateservicebroker-client + +# This secret will be populated with a copy of the templateservicebroker-client SA's +# auth token. Since this secret has a static name, it can be referenced more +# easily than the auto-generated secret for the service account. +- apiVersion: v1 + kind: Secret + metadata: + namespace: ${NAMESPACE} + name: templateservicebroker-client + annotations: + kubernetes.io/service-account.name: templateservicebroker-client + type: kubernetes.io/service-account-token diff --git a/roles/template_service_broker/files/rbac-template.yaml b/roles/template_service_broker/files/rbac-template.yaml new file mode 100644 index 000000000..0937a9065 --- /dev/null +++ b/roles/template_service_broker/files/rbac-template.yaml 
@@ -0,0 +1,92 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: template-service-broker-rbac +parameters: +- name: NAMESPACE + value: openshift-template-service-broker +- name: KUBE_SYSTEM + value: kube-system +objects: + +# Grant the service account permission to call the TSB +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRoleBinding + metadata: + name: templateservicebroker-client + roleRef: + kind: ClusterRole + name: system:openshift:templateservicebroker-client + subjects: + - kind: ServiceAccount + namespace: ${NAMESPACE} + name: templateservicebroker-client + +# to delegate authentication and authorization +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRoleBinding + metadata: + name: auth-delegator-${NAMESPACE} + roleRef: + kind: ClusterRole + name: system:auth-delegator + subjects: + - kind: ServiceAccount + namespace: ${NAMESPACE} + name: apiserver + +# to have the template service broker powers +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: ClusterRoleBinding + metadata: + name: tsb-${NAMESPACE} + roleRef: + kind: ClusterRole + name: system:openshift:controller:template-service-broker + subjects: + - kind: ServiceAccount + namespace: ${NAMESPACE} + name: apiserver + +# to read the config for terminating authentication +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: RoleBinding + metadata: + namespace: ${KUBE_SYSTEM} + name: extension-apiserver-authentication-reader-${NAMESPACE} + roleRef: + kind: Role + name: extension-apiserver-authentication-reader + subjects: + - kind: ServiceAccount + namespace: ${NAMESPACE} + name: apiserver + +# allow the kube service catalog's SA to read the static secret defined +# above, which will contain the token for the SA that can call the TSB. 
+- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: Role + metadata: + name: templateservicebroker-auth-reader + namespace: ${NAMESPACE} + rules: + - apiGroups: + - "" + resourceNames: + - templateservicebroker-client + resources: + - secrets + verbs: + - get +- apiVersion: rbac.authorization.k8s.io/v1beta1 + kind: RoleBinding + metadata: + namespace: ${NAMESPACE} + name: templateservicebroker-auth-reader + roleRef: + kind: Role + name: templateservicebroker-auth-reader + subjects: + - kind: ServiceAccount + namespace: kube-service-catalog + name: service-catalog-controller diff --git a/roles/template_service_broker/files/template-service-broker-registration.yaml b/roles/template_service_broker/files/template-service-broker-registration.yaml new file mode 100644 index 000000000..95fb72924 --- /dev/null +++ b/roles/template_service_broker/files/template-service-broker-registration.yaml @@ -0,0 +1,25 @@ +apiVersion: template.openshift.io/v1 +kind: Template +metadata: + name: template-service-broker-registration +parameters: +- name: TSB_NAMESPACE + value: openshift-template-service-broker +- name: CA_BUNDLE + required: true +objects: +# register the tsb with the service catalog +- apiVersion: servicecatalog.k8s.io/v1beta1 + kind: ClusterServiceBroker + metadata: + name: template-service-broker + spec: + url: https://apiserver.${TSB_NAMESPACE}.svc:443/brokers/template.openshift.io + insecureSkipTLSVerify: false + caBundle: ${CA_BUNDLE} + authInfo: + bearer: + secretRef: + kind: Secret + name: templateservicebroker-client + namespace: ${TSB_NAMESPACE} diff --git a/roles/template_service_broker/vars/main.yml b/roles/template_service_broker/vars/main.yml index a65340f16..2512f8b6b 100644 --- a/roles/template_service_broker/vars/main.yml +++ b/roles/template_service_broker/vars/main.yml 
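Review bot: The `templateservicebroker-auth-reader` RoleBinding at the end of the rbac-template.yaml hunk hard-codes `namespace: kube-service-catalog` for the `service-catalog-controller` subject, while every other namespace in the template is a parameter (`${NAMESPACE}`, `${KUBE_SYSTEM}`). RBAC accepts bindings to subjects that do not exist, so a service catalog installed in another namespace would silently be unable to read the client token secret, with no error from template processing. Consider adding a parameter `- name: SERVICE_CATALOG_NAMESPACE` with `value: kube-service-catalog` (name is a proposal) and referencing it as `namespace: ${SERVICE_CATALOG_NAMESPACE}` in the binding; a short comment on the Role stating that it grants `get` on the single secret `templateservicebroker-client` only would also make the least-privilege scope explicit to readers.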
@@ -1,5 +1,5 @@ --- -__tsb_files_location: "../../../files/origin-components/" +__tsb_files_location: "../files/" __tsb_template_file: "apiserver-template.yaml" __tsb_config_file: "apiserver-config.yaml" -- cgit v1.2.3