
Add system:image-auditor role to ManageIQ SA

Mooli Tayer 9 years ago
parent
commit
6d55d92799

+ 1 - 0
playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml

@@ -10,6 +10,7 @@
     router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) | replace ( '${version}', 'v' + g_new_version ) }}"
     oc_cmd: "{{ openshift.common.client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig"
   roles:
+  - openshift_manageiq
   # Create the new templates shipped in 3.2, existing templates are left
   # unmodified. This prevents the subsequent role definition for
   # openshift_examples from failing when trying to replace templates that do
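Review bot: The `- openshift_manageiq` entry added under `roles:` has no condition, so every cluster that goes through this upgrade play gets the role applied. That includes the `add-scc-to-user privileged` grants listed in the role's vars, whether or not the cluster opted into ManageIQ. Unless the role gates itself internally (not visible here), consider `- { role: openshift_manageiq, when: <manageiq_opt_in_flag> | bool }`, where `<manageiq_opt_in_flag>` is a placeholder for whatever setting the install playbooks use. The play starts before and continues after this hunk, so an existing play-level condition cannot be ruled out.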

+ 10 - 0
roles/openshift_manageiq/tasks/main.yaml

@@ -59,6 +59,16 @@
   failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0"
   changed_when: osmiq_perm_task.rc == 0
 
+- name: Configure 3_2 role/user permissions
+  command: >
+    {{ openshift.common.admin_binary }} {{item}}
+    --config={{manage_iq_tmp_conf}}
+  with_items: "{{manage_iq_openshift_3_2_tasks}}"
+  register: osmiq_perm_3_2_task
+  failed_when: osmiq_perm_3_2_task.rc != 0
+  changed_when: osmiq_perm_3_2_task.rc == 0
+  when: openshift.common.version_gte_3_2_or_1_2 | bool
+
 - name: Clean temporary configuration file
   command: >
     rm -f {{manage_iq_tmp_conf}}
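Review bot: The new "Configure 3_2 role/user permissions" task sits between the creation of `{{manage_iq_tmp_conf}}` and the "Clean temporary configuration file" task, and it fails hard on any non-zero rc. If it fails, the `rm -f` never runs and the temporary config stays on the host; it is passed as `--config=` to the admin binary, so it presumably holds cluster-admin credentials. Where the Ansible version in use supports it, put the permission tasks in a `block:` and move the cleanup into its `always:` section so it runs on failure too. Separately, `failed_when: osmiq_perm_3_2_task.rc != 0` only restates the `command` default, and `changed_when: osmiq_perm_3_2_task.rc == 0` reports a change on every successful re-run. The cleanup task continues outside the hunk.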

+ 3 - 0
roles/openshift_manageiq/vars/main.yml

@@ -30,3 +30,6 @@ manage_iq_tasks:
     - policy add-scc-to-user privileged system:serviceaccount:management-infra:management-admin
     - policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin
     - policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin
+
+manage_iq_openshift_3_2_tasks:
+    - policy add-cluster-role-to-user system:image-auditor system:serviceaccount:management-infra:management-admin
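Review bot: The new `manage_iq_openshift_3_2_tasks` list has no comment saying why it is kept separate from `manage_iq_tasks` or what the added binding grants. The task that consumes it is gated on `openshift.common.version_gte_3_2_or_1_2`, presumably because `system:image-auditor` is not defined on older releases. A comment above the key would record that, for example `# Applied only on >= 3.2 / 1.2 (see tasks/main.yaml); system:image-auditor is bound cluster-wide to management-admin`. The same service account already receives the `privileged` SCC a few lines up, so the comment is also a good place to note why the extra cluster role is needed on top of that.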