From dace5169e0b5066a027746dd6f28f0268248043f Mon Sep 17 00:00:00 2001
From: Eric Wolinetz <ewolinet@redhat.com>
Date: Fri, 25 Aug 2017 14:25:20 -0500
Subject: Creating initial tsb role to consume and apply templates provided for
 tsb

---
 files/origin-components/apiserver-config.yaml      |   4 +
 files/origin-components/apiserver-template.yaml    | 122 +++++++++++++++++++++
 files/origin-components/rbac-template.yaml         |  92 ++++++++++++++++
 .../common/openshift-cluster/service_catalog.yml   |   1 +
 roles/ansible_service_broker/defaults/main.yml     |   1 +
 roles/ansible_service_broker/tasks/main.yml        |   4 +-
 .../files/openshift-ansible-catalog-console.js     |   3 +-
 roles/openshift_service_catalog/tasks/install.yml  |   9 --
 roles/template_service_broker/defaults/main.yml    |   4 +
 .../files/openshift-ansible-catalog-console.js     |   1 +
 .../remove-openshift-ansible-catalog-console.js    |   2 +
 roles/template_service_broker/meta/main.yml        |  13 +++
 roles/template_service_broker/tasks/install.yml    |  47 ++++++++
 roles/template_service_broker/tasks/main.yml       |   8 ++
 roles/template_service_broker/tasks/remove.yml     |  28 +++++
 .../vars/default_images.yml                        |   2 +
 roles/template_service_broker/vars/main.yml        |   6 +
 .../vars/openshift-enterprise.yml                  |   2 +
 18 files changed, 337 insertions(+), 12 deletions(-)
 create mode 100644 files/origin-components/apiserver-config.yaml
 create mode 100644 files/origin-components/apiserver-template.yaml
 create mode 100644 files/origin-components/rbac-template.yaml
 create mode 100644 roles/template_service_broker/defaults/main.yml
 create mode 100644 roles/template_service_broker/files/openshift-ansible-catalog-console.js
 create mode 100644 roles/template_service_broker/files/remove-openshift-ansible-catalog-console.js
 create mode 100644 roles/template_service_broker/meta/main.yml
 create mode 100644 roles/template_service_broker/tasks/install.yml
 create mode 100644 roles/template_service_broker/tasks/main.yml
 create mode 100644 roles/template_service_broker/tasks/remove.yml
 create mode 100644 roles/template_service_broker/vars/default_images.yml
 create mode 100644 roles/template_service_broker/vars/main.yml
 create mode 100644 roles/template_service_broker/vars/openshift-enterprise.yml

diff --git a/files/origin-components/apiserver-config.yaml b/files/origin-components/apiserver-config.yaml
new file mode 100644
index 000000000..e4048d1da
--- /dev/null
+++ b/files/origin-components/apiserver-config.yaml
@@ -0,0 +1,4 @@
+kind: TemplateServiceBrokerConfig
+apiVersion: config.templateservicebroker.openshift.io/v1
+templateNamespaces:
+- openshift
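Review bot: The same four lines are repeated verbatim as the `API_SERVER_CONFIG` default inside apiserver-template.yaml (its `value: |` block), and the install task overrides that default with `lookup('file', …)` of this file, so there are two copies that can drift and only this one is actually applied. A comment at the top of this file such as `# authoritative TSB config; the copy embedded in apiserver-template.yaml is only a fallback default` would tell the next editor which one to change, or the template default could be trimmed to a minimal placeholder.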
diff --git a/files/origin-components/apiserver-template.yaml b/files/origin-components/apiserver-template.yaml
new file mode 100644
index 000000000..1b42597af
--- /dev/null
+++ b/files/origin-components/apiserver-template.yaml
@@ -0,0 +1,122 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: template-service-broker-apiserver
+parameters:
+- name: IMAGE
+  value: openshift/origin:latest
+- name: NAMESPACE
+  value: openshift-template-service-broker
+- name: LOGLEVEL
+  value: "0"
+- name: API_SERVER_CONFIG
+  value: |
+   kind: TemplateServiceBrokerConfig
+   apiVersion: config.templateservicebroker.openshift.io/v1
+   templateNamespaces:
+   - openshift
+objects:
+
+# to create the tsb server
+- apiVersion: extensions/v1beta1
+  kind: DaemonSet
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver
+    labels:
+      apiserver: "true"
+  spec:
+    template:
+      metadata:
+        name: apiserver
+        labels:
+          apiserver: "true"
+      spec:
+        serviceAccountName: apiserver
+        containers:
+        - name: c
+          image: ${IMAGE}
+          imagePullPolicy: IfNotPresent
+          command:
+          - "/usr/bin/openshift"
+          - "start"
+          - "template-service-broker"
+          - "--secure-port=8443"
+          - "--audit-log-path=-"
+          - "--tls-cert-file=/var/serving-cert/tls.crt"
+          - "--tls-private-key-file=/var/serving-cert/tls.key"
+          - "--loglevel=${LOGLEVEL}"
+          - "--config=/var/apiserver-config/apiserver-config.yaml"
+          ports:
+          - containerPort: 8443
+          volumeMounts:
+          - mountPath: /var/serving-cert
+            name: serving-cert
+          - mountPath: /var/apiserver-config
+            name: apiserver-config
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8443
+              scheme: HTTPS
+        volumes:
+        - name: serving-cert
+          secret:
+            defaultMode: 420
+            secretName: apiserver-serving-cert
+        - name: apiserver-config
+          configMap:
+            defaultMode: 420
+            name: apiserver-config
+
+# to create the config for the TSB
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver-config
+  data:
+    apiserver-config.yaml: ${API_SERVER_CONFIG}
+
+# to be able to assign powers to the process
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# to be able to expose TSB inside the cluster
+- apiVersion: v1
+  kind: Service
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert
+  spec:
+    selector:
+      apiserver: "true"
+    ports:
+    - port: 443
+      targetPort: 8443
+
+# This service account will be granted permission to call the TSB.
+# The token for this SA will be provided to the service catalog for
+# use when calling the TSB.
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-client
+
+# This secret will be populated with a copy of the templateservicebroker-client SA's
+# auth token.  Since this secret has a static name, it can be referenced more
+# easily than the auto-generated secret for the service account.
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-client
+    annotations:
+      kubernetes.io/service-account.name: templateservicebroker-client
+  type: kubernetes.io/service-account-token
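Review bot: The DaemonSet at the top of the hunk is declared as `extensions/v1beta1` with no `spec.updateStrategy` and no `nodeSelector`, so re-running `oc process … | kubectl apply` with a different `IMAGE` will not restart the existing pods (that API version defaults to OnDelete), and one apiserver pod is scheduled on every schedulable node rather than only where the broker is meant to run. Adding `updateStrategy: {type: RollingUpdate}` under `spec`, plus a nodeSelector if master/infra placement is intended, would make image updates and placement explicit. The `IMAGE` default `openshift/origin:latest` is also an unpinned tag; the consuming role should always pass a pinned image with `--param IMAGE=…` rather than relying on this default.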
diff --git a/files/origin-components/rbac-template.yaml b/files/origin-components/rbac-template.yaml
new file mode 100644
index 000000000..0937a9065
--- /dev/null
+++ b/files/origin-components/rbac-template.yaml
@@ -0,0 +1,92 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: template-service-broker-rbac
+parameters:
+- name: NAMESPACE
+  value: openshift-template-service-broker
+- name: KUBE_SYSTEM
+  value: kube-system
+objects:
+
+# Grant the service account permission to call the TSB
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: templateservicebroker-client
+  roleRef:
+    kind: ClusterRole
+    name: system:openshift:templateservicebroker-client
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-client
+
+# to delegate authentication and authorization
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: auth-delegator-${NAMESPACE}
+  roleRef:
+    kind: ClusterRole
+    name: system:auth-delegator
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# to have the template service broker powers
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: tsb-${NAMESPACE}
+  roleRef:
+    kind: ClusterRole
+    name: system:openshift:controller:template-service-broker
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# to read the config for terminating authentication
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    namespace: ${KUBE_SYSTEM}
+    name: extension-apiserver-authentication-reader-${NAMESPACE}
+  roleRef:
+    kind: Role
+    name: extension-apiserver-authentication-reader
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# allow the kube service catalog's SA to read the static secret defined
+# above, which will contain the token for the SA that can call the TSB.
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: Role
+  metadata:
+    name: templateservicebroker-auth-reader
+    namespace: ${NAMESPACE}
+  rules:
+  - apiGroups:
+    - ""
+    resourceNames:
+    - templateservicebroker-client
+    resources:
+    - secrets
+    verbs:
+    - get
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-auth-reader
+  roleRef:
+    kind: Role
+    name: templateservicebroker-auth-reader
+  subjects:
+  - kind: ServiceAccount
+    namespace: kube-service-catalog
+    name: service-catalog-controller
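Review bot: The last RoleBinding hard-codes `namespace: kube-service-catalog` for its subject while every other namespace in the file comes from a parameter (`${NAMESPACE}`, `${KUBE_SYSTEM}`); a `SERVICE_CATALOG_NAMESPACE` parameter defaulting to `kube-service-catalog` would keep the file consistent and let the role override it. The first ClusterRoleBinding is named plain `templateservicebroker-client`, whereas the other two cluster-scoped bindings are suffixed with `-${NAMESPACE}`; two installs with different `NAMESPACE` values would overwrite each other's binding, so `name: templateservicebroker-client-${NAMESPACE}` would match the pattern used below.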
diff --git a/playbooks/common/openshift-cluster/service_catalog.yml b/playbooks/common/openshift-cluster/service_catalog.yml
index 599350258..60bc28e43 100644
--- a/playbooks/common/openshift-cluster/service_catalog.yml
+++ b/playbooks/common/openshift-cluster/service_catalog.yml
@@ -16,5 +16,6 @@
   roles:
   - openshift_service_catalog
   - ansible_service_broker
+  - template_service_broker
   vars:
     first_master: "{{ groups.oo_first_master[0] }}"
diff --git a/roles/ansible_service_broker/defaults/main.yml b/roles/ansible_service_broker/defaults/main.yml
index 12929b354..9eb9db316 100644
--- a/roles/ansible_service_broker/defaults/main.yml
+++ b/roles/ansible_service_broker/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 
 ansible_service_broker_remove: false
+ansible_service_broker_install: false
 ansible_service_broker_log_level: info
 ansible_service_broker_output_request: false
 ansible_service_broker_recovery: true
diff --git a/roles/ansible_service_broker/tasks/main.yml b/roles/ansible_service_broker/tasks/main.yml
index b46ce8233..d8695bd3a 100644
--- a/roles/ansible_service_broker/tasks/main.yml
+++ b/roles/ansible_service_broker/tasks/main.yml
@@ -2,7 +2,7 @@
 # do any asserts here
 
 - include: install.yml
-  when: not  ansible_service_broker_remove|default(false) | bool
+  when: ansible_service_broker_install | default(false) | bool
 
 - include: remove.yml
-  when: ansible_service_broker_remove|default(false) | bool
+  when: ansible_service_broker_remove | default(false) | bool
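Review bot: Switching the include to `ansible_service_broker_install | default(false) | bool`, together with the new `false` default in defaults/main.yml, means install.yml no longer runs unless an inventory explicitly opts in, whereas before it ran whenever `_remove` was false; the commit message does not mention this default flip, so it should be called out in the commit or the role README. Nothing prevents `_install` and `_remove` both being true, in which case install.yml runs and remove.yml immediately tears it down; the `# do any asserts here` placeholder above is the place for a guard such as `- assert:` / `that: "not (ansible_service_broker_install | default(false) | bool and ansible_service_broker_remove | default(false) | bool)"`. The same applies to the new roles/template_service_broker/tasks/main.yml hunk, which has the identical structure and placeholder comment.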
diff --git a/roles/openshift_service_catalog/files/openshift-ansible-catalog-console.js b/roles/openshift_service_catalog/files/openshift-ansible-catalog-console.js
index 16a307c06..d0a9f11dc 100644
--- a/roles/openshift_service_catalog/files/openshift-ansible-catalog-console.js
+++ b/roles/openshift_service_catalog/files/openshift-ansible-catalog-console.js
@@ -1 +1,2 @@
-window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.service_catalog_landing_page = true;
+// empty file so that the master-config can still point to a file that exists
+// this file will be replaced by the template service broker role if enabled
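Review bot: The removed line enabled `service_catalog_landing_page`, and neither this comment-only file nor the TSB role's replacement (roles/template_service_broker/files/openshift-ansible-catalog-console.js, which sets only `template_service_broker = true`) restores it; if the console still reads that flag, the catalog landing page is silently turned off by this commit. If the flag has been retired, a comment here saying so would make the deletion intentional. Two roles now write the same `/etc/origin/master/openshift-ansible-catalog-console.js`, so the final content depends on role ordering in the play; worth a line in this comment naming which role is expected to win.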
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 746c73eaf..751275c91 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -112,15 +112,6 @@
   when:
     - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
-- shell: >
-    oc get policybindings/kube-system:default -n kube-system || echo "not found"
-  register: get_kube_system
-  changed_when: no
-
-- command: >
-    oc create policybinding kube-system -n kube-system
-  when: "'not found' in get_kube_system.stdout"
-
 - oc_adm_policy_user:
     namespace: kube-service-catalog
     resource_kind: scc
diff --git a/roles/template_service_broker/defaults/main.yml b/roles/template_service_broker/defaults/main.yml
new file mode 100644
index 000000000..fb407c4a2
--- /dev/null
+++ b/roles/template_service_broker/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+# placeholder file?
+template_service_broker_remove: False
+template_service_broker_install: False
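Review bot: `False` on both lines is the Python-style spelling; the sibling ansible_service_broker defaults use lowercase `false` and yamllint's truthy rule flags the capitalised form, so `template_service_broker_remove: false` / `template_service_broker_install: false` keeps the two roles consistent. The `# placeholder file?` comment is stale, since this is the role's real defaults file; replace it with a description of the switches, e.g. `# set template_service_broker_install=true in the inventory to deploy the TSB, template_service_broker_remove=true to tear it down`.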
diff --git a/roles/template_service_broker/files/openshift-ansible-catalog-console.js b/roles/template_service_broker/files/openshift-ansible-catalog-console.js
new file mode 100644
index 000000000..b3a3d3428
--- /dev/null
+++ b/roles/template_service_broker/files/openshift-ansible-catalog-console.js
@@ -0,0 +1 @@
+window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.template_service_broker = true;
diff --git a/roles/template_service_broker/files/remove-openshift-ansible-catalog-console.js b/roles/template_service_broker/files/remove-openshift-ansible-catalog-console.js
new file mode 100644
index 000000000..d0a9f11dc
--- /dev/null
+++ b/roles/template_service_broker/files/remove-openshift-ansible-catalog-console.js
@@ -0,0 +1,2 @@
+// empty file so that the master-config can still point to a file that exists
+// this file will be replaced by the template service broker role if enabled
diff --git a/roles/template_service_broker/meta/main.yml b/roles/template_service_broker/meta/main.yml
new file mode 100644
index 000000000..ab5a0cf08
--- /dev/null
+++ b/roles/template_service_broker/meta/main.yml
@@ -0,0 +1,13 @@
+---
+galaxy_info:
+  author: OpenShift Red Hat
+  description: OpenShift Template Service Broker
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 2.1
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
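Review bot: install.yml and remove.yml in this commit use the `oc_project` module, which as far as I can tell is shipped by the lib_openshift role in this repository, yet meta/main.yml declares no `dependencies:`; the role therefore only works when an earlier role in the play has already loaded lib_openshift. Adding `dependencies:` / `- role: lib_openshift` here would make the role self-contained.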
diff --git a/roles/template_service_broker/tasks/install.yml b/roles/template_service_broker/tasks/install.yml
new file mode 100644
index 000000000..199df83c2
--- /dev/null
+++ b/roles/template_service_broker/tasks/install.yml
@@ -0,0 +1,47 @@
+---
+# Fact setting
+- name: Set default image variables based on deployment type
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
+    - "default_images.yml"
+
+- name: set ansible_service_broker facts
+  set_fact:
+    template_service_broker_image: "{{ template_service_broker_image | default(__template_service_broker_image) }}"
+
+- oc_project:
+    name: openshift-template-service-broker
+    state: present
+
+- command: mktemp -d /tmp/tsb-ansible-XXXXXX
+  register: mktemp
+  changed_when: False
+  become: no
+
+- copy:
+    src: "{{ __tsb_files_location }}/{{ item }}"
+    dest: "{{ mktemp.stdout }}/{{ item }}"
+  with_items:
+    - "{{ __tsb_template_file }}"
+    - "{{ __tsb_rbac_file }}"
+
+- name: Apply template file
+  shell: >
+    oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" --param API_SERVER_CONFIG="{{ lookup('file', __tsb_files_location ~ '/' ~ __tsb_config_file) }}" | kubectl apply -f -
+
+# reconcile with rbac
+- name: Reconcile with RBAC file
+  shell: >
+    oc process -f "{{ mktemp.stdout }}/{{ __tsb_rbac_file }}" | oc auth reconcile -f -
+
+- name: copy tech preview extension file for service console UI
+  copy:
+    src: openshift-ansible-catalog-console.js
+    dest: /etc/origin/master/openshift-ansible-catalog-console.js
+
+- file:
+    state: absent
+    name: "{{ mktemp.stdout }}"
+  changed_when: False
+  become: no
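Review bot: `template_service_broker_image` is computed in the set_fact task but never passed to `oc process`, so the DaemonSet always runs the template default `openshift/origin:latest` regardless of deployment type; the apply task should add `--param IMAGE="{{ template_service_broker_image }}"`. That in turn needs a real default, because both vars/default_images.yml and vars/openshift-enterprise.yml set `__template_service_broker_image: ""` and an empty IMAGE would produce an invalid container spec. The task name `set ansible_service_broker facts` looks copy-pasted from the other role and should read `set template_service_broker facts`. The `oc process … | kubectl apply -f -` shell task has no `changed_when`, so the role reports changed on every run.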
diff --git a/roles/template_service_broker/tasks/main.yml b/roles/template_service_broker/tasks/main.yml
new file mode 100644
index 000000000..d7ca970c7
--- /dev/null
+++ b/roles/template_service_broker/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# do any asserts here
+
+- include: install.yml
+  when: template_service_broker_install | default(false) | bool
+
+- include: remove.yml
+  when: template_service_broker_remove | default(false) | bool
diff --git a/roles/template_service_broker/tasks/remove.yml b/roles/template_service_broker/tasks/remove.yml
new file mode 100644
index 000000000..207dd9bdb
--- /dev/null
+++ b/roles/template_service_broker/tasks/remove.yml
@@ -0,0 +1,28 @@
+---
+- command: mktemp -d /tmp/tsb-ansible-XXXXXX
+  register: mktemp
+  changed_when: False
+  become: no
+
+- copy:
+    src: "{{ __tsb_files_location }}/{{ item }}"
+    dest: "{{ mktemp.stdout }}/{{ __tsb_template_file }}"
+
+- name: Delete TSB objects
+  shell: >
+    oc process -f "{{ __tsb_files_location }}/{{ __tsb_template_file }}" | kubectl delete -f -
+
+- name: empty out tech preview extension file for service console UI
+  copy:
+    src: remove-openshift-ansible-catalog-console.js
+    dest: /etc/origin/master/openshift-ansible-catalog-console.js
+
+- oc_project:
+    name: openshift-template-service-broker
+    state: absent
+
+- file:
+    state: absent
+    name: "{{ mktemp.stdout }}"
+  changed_when: False
+  become: no
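Review bot: The `copy` task references `{{ item }}` but has no loop, so `item` is undefined and the play fails before anything is deleted; since the delete task below reads the template straight from `__tsb_files_location` anyway, the copy and the mktemp/cleanup pair around it can simply be dropped. Separately, removal deletes the project but nothing from rbac-template.yaml: the cluster-scoped `auth-delegator-…` and `tsb-…` ClusterRoleBindings and the RoleBinding in kube-system survive as dangling grants that would reattach to any service account later recreated under the same names, so remove.yml should process the RBAC template and delete its objects as well. Using `--ignore-not-found` keeps the removal idempotent when it is re-run.
```yaml
- name: Delete TSB objects
  shell: >
    oc process -f "{{ __tsb_files_location }}/{{ __tsb_template_file }}" | kubectl delete --ignore-not-found -f -

- name: Delete TSB RBAC objects
  shell: >
    oc process -f "{{ __tsb_files_location }}/{{ __tsb_rbac_file }}" | kubectl delete --ignore-not-found -f -

# … unchanged: console extension file reset, oc_project absent …
```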
diff --git a/roles/template_service_broker/vars/default_images.yml b/roles/template_service_broker/vars/default_images.yml
new file mode 100644
index 000000000..807f2822c
--- /dev/null
+++ b/roles/template_service_broker/vars/default_images.yml
@@ -0,0 +1,2 @@
+---
+__template_service_broker_image: ""
diff --git a/roles/template_service_broker/vars/main.yml b/roles/template_service_broker/vars/main.yml
new file mode 100644
index 000000000..372ab8f6f
--- /dev/null
+++ b/roles/template_service_broker/vars/main.yml
@@ -0,0 +1,6 @@
+---
+__tsb_files_location: "../../../files/origin-components/"
+
+__tsb_template_file: "apiserver-template.yaml"
+__tsb_config_file: "apiserver-config.yaml"
+__tsb_rbac_file: "rbac-template.yaml"
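Review bot: `__tsb_files_location` ends in a `/` and install.yml joins it with another `'/'` in the `lookup('file', …)` call, yielding `…origin-components//apiserver-config.yaml`; harmless, but dropping the trailing slash here keeps the joined paths clean. The value is a path relative to the role, so a comment such as `# relative to roles/template_service_broker/files; resolved by copy src and lookup('file')` would save the next reader from checking how both consumers resolve it.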
diff --git a/roles/template_service_broker/vars/openshift-enterprise.yml b/roles/template_service_broker/vars/openshift-enterprise.yml
new file mode 100644
index 000000000..807f2822c
--- /dev/null
+++ b/roles/template_service_broker/vars/openshift-enterprise.yml
@@ -0,0 +1,2 @@
+---
+__template_service_broker_image: ""