7 lat temu · 650149e1fa
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -1008,6 +1008,19 @@ def oo_random_word(length, source='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
 
				     """
			
 
				     return ''.join(random.choice(source) for i in range(length))
			
 
				 
			
 
				+def oo_contains_rule(source, apiGroups, resources, verbs):
			
 
				+    '''Return true if the specified rule is contained within the provided source'''
			
 
				+
			
 
				+    rules=source['rules']
			
 
				+
			
 
				+    if rules:
			
 
				+        for rule in rules:
			
 
				+            if rule['apiGroups'].sort() == apiGroups.sort():
			
 
				+                if rule['resources'].sort() == resources.sort():
			
 
				+                    if rule['verbs'].sort() == verbs.sort():
			
 
				+                        return True
			
 
				+
			
 
				+    return False
			
 
				 
			
 
				 class FilterModule(object):
			
 
				     """ Custom ansible filter mapping """
			
@@ -1049,5 +1062,6 @@ class FilterModule(object):
 
				             "oo_openshift_loadbalancer_frontends": oo_openshift_loadbalancer_frontends,
			
 
				             "oo_openshift_loadbalancer_backends": oo_openshift_loadbalancer_backends,
			
 
				             "to_padded_yaml": to_padded_yaml,
			
 
				-            "oo_random_word": oo_random_word
			
 
				+            "oo_random_word": oo_random_word,
			
 
				+            "oo_contains_rule": oo_contains_rule
			
 
				         }
			
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -72,16 +72,22 @@
 
				     state: list
			
 
				   register: edit_yaml
			
 
				 
			
 
				+# only do this if we don't already have the updated role info
			
 
				 - name: Generate apply template for clusterrole/edit
			
 
				   template:
			
 
				     src: sc_role_patching.j2
			
 
				     dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
			
 
				   vars:
			
 
				     original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
			
 
				+  when:
			
 
				+  - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
			
 
				 
			
 
				+# only do this if we don't already have the updated role info
			
 
				 - name: update edit role for service catalog and pod preset access
			
 
				   command: >
			
 
				-    oc apply -f {{ mktemp.stdout }}/edit_sc_patch.yml
			
 
				+    oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
			
 
				+  when:
			
 
				+  - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
			
 
				 
			
 
				 - oc_obj:
			
 
				     name: admin
			
@@ -89,16 +95,22 @@
 
				     state: list
			
 
				   register: admin_yaml
			
 
				 
			
 
				+# only do this if we don't already have the updated role info
			
 
				 - name: Generate apply template for clusterrole/admin
			
 
				   template:
			
 
				     src: sc_role_patching.j2
			
 
				     dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
			
 
				   vars:
			
 
				     original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
			
 
				+  when:
			
 
				+  - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
			
 
				 
			
 
				+# only do this if we don't already have the updated role info
			
 
				 - name: update admin role for service catalog and pod preset access
			
 
				   command: >
			
 
				-    oc apply -f {{ mktemp.stdout }}/admin_sc_patch.yml
			
 
				+    oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
			
 
				+  when:
			
 
				+  - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
			
 
				 
			
 
				 - shell: >
			
 
				     oc get policybindings/kube-system:default -n kube-system || echo "not found"