|
|
@@ -3,24 +3,13 @@
|
|
|
msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1."
|
|
|
when: not openshift.common.version_gte_3_1_or_1_1 | bool
|
|
|
|
|
|
-- name: Copy Configuration to temporary conf
|
|
|
- command: >
|
|
|
- cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{manage_iq_tmp_conf}}
|
|
|
- changed_when: false
|
|
|
-
|
|
|
- name: Add Management Infrastructure project
|
|
|
- command: >
|
|
|
- {{ openshift.common.client_binary }} adm new-project
|
|
|
- management-infra
|
|
|
- --description="Management Infrastructure"
|
|
|
- --config={{manage_iq_tmp_conf}}
|
|
|
- register: osmiq_create_mi_project
|
|
|
- failed_when: "'already exists' not in osmiq_create_mi_project.stderr and osmiq_create_mi_project.rc != 0"
|
|
|
- changed_when: osmiq_create_mi_project.rc == 0
|
|
|
+ oc_project:
|
|
|
+ name: management-infra
|
|
|
+ description: Management Infrastructure
|
|
|
|
|
|
- name: Create Admin and Image Inspector Service Account
|
|
|
oc_serviceaccount:
|
|
|
- kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig"
|
|
|
name: "{{ item }}"
|
|
|
namespace: management-infra
|
|
|
state: present
|
|
|
@@ -28,51 +17,42 @@
|
|
|
- management-admin
|
|
|
- inspector-admin
|
|
|
|
|
|
-- name: Create Cluster Role
|
|
|
- shell: >
|
|
|
- echo {{ manageiq_cluster_role | to_json | quote }} |
|
|
|
- {{ openshift.common.client_binary }} create
|
|
|
- --config={{manage_iq_tmp_conf}}
|
|
|
- -f -
|
|
|
- register: osmiq_create_cluster_role
|
|
|
- failed_when: "'already exists' not in osmiq_create_cluster_role.stderr and osmiq_create_cluster_role.rc != 0"
|
|
|
- changed_when: osmiq_create_cluster_role.rc == 0
|
|
|
+- name: Create manageiq cluster role
|
|
|
+ oc_clusterrole:
|
|
|
+ name: management-infra-admin
|
|
|
+ rules:
|
|
|
+ - apiGroups:
|
|
|
+ - ""
|
|
|
+ resources:
|
|
|
+ - pods/proxy
|
|
|
+ verbs:
|
|
|
+ - "*"
|
|
|
|
|
|
- name: Create Hawkular Metrics Admin Cluster Role
|
|
|
- shell: >
|
|
|
- echo {{ manageiq_metrics_admin_clusterrole | to_json | quote }} |
|
|
|
- {{ openshift.common.client_binary }}
|
|
|
- --config={{manage_iq_tmp_conf}}
|
|
|
- create -f -
|
|
|
- register: oshawkular_create_cluster_role
|
|
|
- failed_when: "'already exists' not in oshawkular_create_cluster_role.stderr and oshawkular_create_cluster_role.rc != 0"
|
|
|
- changed_when: oshawkular_create_cluster_role.rc == 0
|
|
|
- # AUDIT:changed_when_note: Checking the return code is insufficient
|
|
|
- # here. We really need to verify the if the role even exists before
|
|
|
- # we run this task.
|
|
|
+ oc_clusterrole:
|
|
|
+ name: hawkular-metrics-admin
|
|
|
+ rules:
|
|
|
+ - apiGroups:
|
|
|
+ - ""
|
|
|
+ resources:
|
|
|
+ - hawkular-alerts
|
|
|
+ - hawkular-metrics
|
|
|
+ verbs:
|
|
|
+ - "*"
|
|
|
|
|
|
- name: Configure role/user permissions
|
|
|
- command: >
|
|
|
- {{ openshift.common.client_binary }} adm {{item}}
|
|
|
- --config={{manage_iq_tmp_conf}}
|
|
|
- with_items: "{{manage_iq_tasks}}"
|
|
|
- register: osmiq_perm_task
|
|
|
- failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0"
|
|
|
- changed_when: osmiq_perm_task.rc == 0
|
|
|
- # AUDIT:changed_when_note: Checking the return code is insufficient
|
|
|
- # here. We really need to compare the current role/user permissions
|
|
|
- # with their expected state. I think we may have a module for this?
|
|
|
-
|
|
|
+ oc_adm_policy_user:
|
|
|
+ namespace: management-infra
|
|
|
+ resource_name: "{{ item.resource_name }}"
|
|
|
+ resource_kind: "{{ item.resource_kind }}"
|
|
|
+ user: "{{ item.user }}"
|
|
|
+ with_items: "{{ manage_iq_tasks }}"
|
|
|
|
|
|
- name: Configure 3_2 role/user permissions
|
|
|
- command: >
|
|
|
- {{ openshift.common.client_binary }} adm {{item}}
|
|
|
- --config={{manage_iq_tmp_conf}}
|
|
|
+ oc_adm_policy_user:
|
|
|
+ namespace: management-infra
|
|
|
+ resource_name: "{{ item.resource_name }}"
|
|
|
+ resource_kind: "{{ item.resource_kind }}"
|
|
|
+ user: "{{ item.user }}"
|
|
|
with_items: "{{manage_iq_openshift_3_2_tasks}}"
|
|
|
- register: osmiq_perm_3_2_task
|
|
|
- failed_when: osmiq_perm_3_2_task.rc != 0
|
|
|
- changed_when: osmiq_perm_3_2_task.rc == 0
|
|
|
when: openshift.common.version_gte_3_2_or_1_2 | bool
|
|
|
-
|
|
|
-- name: Clean temporary configuration file
|
|
|
- file: path={{manage_iq_tmp_conf}} state=absent
|
Kenny Woodson