
Merge pull request #4684 from ewolinetz/service_catalog_multimaster

Addressing: service catalog doesn't have enough permissions, and multimas…
Scott Dodson 7 tahun lalu
8334fef76b

+ 12 - 0
playbooks/common/openshift-cluster/service_catalog.yml

@@ -1,8 +1,20 @@
 ---
 - include: evaluate_groups.yml
 
+- name: Update Master configs
+  hosts: oo_masters
+  tasks:
+  - block:
+    - include_role:
+        name: openshift_service_catalog
+        tasks_from: wire_aggregator
+      vars:
+        first_master: "{{ groups.oo_first_master[0] }}"
+
 - name: Service Catalog
   hosts: oo_first_master
   roles:
   - openshift_service_catalog
   - ansible_service_broker
+  vars:
+    first_master: "{{ groups.oo_first_master[0] }}"
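Review bot: The `block:` at L21 wraps a single `include_role` with no `rescue` or `always`, so it only adds an indentation level; the task can sit directly under `tasks:` as `- include_role:` with the same `vars:`. `first_master` is also computed identically for both plays (L26 and L34); a single definition (for example a group var on `oo_masters`) would keep the two from drifting. Note that with `hosts: oo_masters` every master runs the included tasks, so anything in wire_aggregator that is delegated to `first_master` executes once per master unless it is marked `run_once: true`.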

+ 7 - 7
roles/ansible_service_broker/tasks/install.yml

@@ -48,13 +48,13 @@
     namespace: openshift-ansible-service-broker
     state: present
     labels:
-      app: ansible-service-broker
+      app: openshift-ansible-service-broker
       service: asb
     ports:
       - name: port-1338
         port: 1338
     selector:
-      app: ansible-service-broker
+      app: openshift-ansible-service-broker
       service: asb
 
 - name: create etcd service
@@ -66,7 +66,7 @@
       - name: etcd-advertise
         port: 2379
     selector:
-      app: ansible-service-broker
+      app: openshift-ansible-service-broker
       service: etcd
 
 - name: create route for ansible-service-broker service
@@ -118,12 +118,12 @@
           name: etcd
           namespace: openshift-ansible-service-broker
           labels:
-            app: ansible-service-broker
+            app: openshift-ansible-service-broker
             service: etcd
         spec:
           selector:
             matchLabels:
-              app: ansible-service-broker
+              app: openshift-ansible-service-broker
               service: etcd
           strategy:
             type: RollingUpdate
@@ -134,7 +134,7 @@
           template:
             metadata:
               labels:
-                app: ansible-service-broker
+                app: openshift-ansible-service-broker
                 service: etcd
             spec:
               restartPolicy: Always
@@ -266,4 +266,4 @@
         metadata:
           name: ansible-service-broker
         spec:
-          url: http://{{ ansible_service_broker_route }}
+          url: http://asb.openshift-ansible-service-broker.svc:1338
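Review bot: The `url` at L93 now points the catalog at the broker over plain `http://` on the in-cluster service, so broker traffic (which can include binding credentials) crosses the cluster network unencrypted; if that is deliberate because the route was not reachable from the controller, a comment next to it should say so and record the trade-off, e.g. `# in-cluster service URL; plain HTTP, no TLS on port 1338`. Separately, the `app:` label/selector rename is applied to the `asb` service (L51) and to the etcd objects, but the broker Deployment's own pod-template labels are not in this diff; if they still read `app: ansible-service-broker`, the `asb` service selector matches no pods and the hardcoded service URL resolves to an endpoint-less service, so that is worth confirming. `ansible_service_broker_route` no longer appears to be consumed here; if nothing else reads it, the route variable and its creating task become dead.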

+ 16 - 0
roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml

@@ -115,6 +115,22 @@ objects:
     - bindings/status
     verbs:
     - update
+  - apiGroups:
+    - servicecatalog.k8s.io
+    resources:
+    - brokers
+    - instances
+    - bindings
+    verbs:
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - events
+    verbs:
+    - patch
+    - create
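Review bot: The new rules grant cluster-wide `list`/`watch` on `brokers`/`instances`/`bindings` and `create`/`patch` on core `events`, but the role they extend (its `kind` and `name`) sits above the hunk, so the subject that receives them is not visible here; since the controller_manager.j2 hunk sets `serviceAccountName: service-catalog-controller`, presumably that is the intended consumer, and the ClusterRoleBinding at L119 should be checked to bind exactly it. A short comment above the added rules naming the consumer, e.g. `# controller-manager informers (list/watch on catalog types) and event recording`, would make the least-privilege intent reviewable later.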
 
 - kind: ClusterRoleBinding
   apiVersion: v1

+ 0 - 1
roles/openshift_service_catalog/tasks/install.yml

@@ -6,7 +6,6 @@
   register: mktemp
   changed_when: False
 
-
 - include: wire_aggregator.yml
 
 - name: Set default image variables based on deployment_type

+ 105 - 2
roles/openshift_service_catalog/tasks/wire_aggregator.yml

@@ -1,16 +1,82 @@
 ---
+- name: Make temp cert dir
+  command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
+  register: certtemp
+  changed_when: False
+
+- name: Check for First Master Aggregator Signer cert
+  stat:
+    path: /etc/origin/master/front-proxy-ca.crt
+  register: first_proxy_ca_crt
+  changed_when: false
+  delegate_to: "{{ first_master }}"
+
+- name: Check for First Master Aggregator Signer key
+  stat:
+    path: /etc/origin/master/front-proxy-ca.crt
+  register: first_proxy_ca_key
+  changed_when: false
+  delegate_to: "{{ first_master }}"
+
+
 # TODO: this currently has a bug where hostnames are required
-- name: Creating Aggregator signer certs
+- name: Creating First Master Aggregator signer certs
   command: >
     oc adm ca create-signer-cert
     --cert=/etc/origin/master/front-proxy-ca.crt
     --key=/etc/origin/master/front-proxy-ca.key
     --serial=/etc/origin/master/ca.serial.txt
+  delegate_to: "{{ first_master }}"
+  when:
+  - not first_proxy_ca_crt.stat.exists
+  - not first_proxy_ca_key.stat.exists
+
+- name: Check for Aggregator Signer cert
+  stat:
+    path: /etc/origin/master/front-proxy-ca.crt
+  register: proxy_ca_crt
+  changed_when: false
+
+- name: Check for Aggregator Signer key
+  stat:
+    path: /etc/origin/master/front-proxy-ca.crt
+  register: proxy_ca_key
+  changed_when: false
+
+- name: Copy Aggregator Signer certs from first master
+  fetch:
+    src: "/etc/origin/master/{{ item }}"
+    dest: "{{ certtemp.stdout }}/{{ item }}"
+  with_items:
+  - front-proxy-ca.crt
+  - front-proxy-ca.key
+  delegate_to: "{{ first_master }}"
+  when:
+  - not proxy_ca_key.stat.exists
+  - not proxy_ca_crt.stat.exists
+
+- name: Copy Aggregator Signer certs to host
+  copy:
+    src: "{{ certtemp.stdout }}/{{ item }}"
+    dest: "/etc/origin/master/{{ item }}"
+  with_items:
+  - front-proxy-ca.crt
+  - front-proxy-ca.key
+  when:
+  - not proxy_ca_key.stat.exists
+  - not proxy_ca_crt.stat.exists
+
 #  oc_adm_ca_server_cert:
 #    cert: /etc/origin/master/front-proxy-ca.crt
 #    key: /etc/origin/master/front-proxy-ca.key
 
-- name: Create api-client config for Aggregator
+- name: Check for first master api-client config
+  stat:
+    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+  register: first_front_proxy_kubeconfig
+  delegate_to: "{{ first_master }}"
+
+- name: Create first master api-client config for Aggregator
   command: >
     oc adm create-api-client-config
     --certificate-authority=/etc/origin/master/front-proxy-ca.crt
@@ -19,6 +85,37 @@
     --user aggregator-front-proxy
     --client-dir=/etc/origin/master
     --signer-serial=/etc/origin/master/ca.serial.txt
+  delegate_to: "{{ first_master }}"
+  when:
+  - not first_front_proxy_kubeconfig.stat.exists
+
+- name: Check for api-client config
+  stat:
+    path: /etc/origin/master/aggregator-front-proxy.kubeconfig
+  register: front_proxy_kubeconfig
+
+- name: Copy api-client config from first master
+  fetch:
+    src: "/etc/origin/master/{{ item }}"
+    dest: "{{ certtemp.stdout }}/{{ item }}"
+  delegate_to: "{{ first_master }}"
+  with_items:
+  - aggregator-front-proxy.crt
+  - aggregator-front-proxy.key
+  - aggregator-front-proxy.kubeconfig
+  when:
+  - not front_proxy_kubeconfig.stat.exists
+
+- name: Copy api-client config to host
+  copy:
+    src: "{{ certtemp.stdout }}/{{ item }}"
+    dest: "/etc/origin/master/{{ item }}"
+  with_items:
+  - aggregator-front-proxy.crt
+  - aggregator-front-proxy.key
+  - aggregator-front-proxy.kubeconfig
+  when:
+  - not front_proxy_kubeconfig.stat.exists
 
 - name: Update master config
   yedit:
@@ -84,3 +181,9 @@
   changed_when: false
   when:
   - yedit_output.changed
+
+- name: Delete temp directory
+  file:
+    name: "{{ certtemp.stdout }}"
+    state: absent
+  changed_when: False
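Review bot: The two "key" stat tasks inspect the wrong file: `first_proxy_ca_key` (L151-L156) and `proxy_ca_key` (L178-L182) both stat `front-proxy-ca.crt` instead of `front-proxy-ca.key`, so a master that has the cert but no key is treated as complete and the `when:` guards at L168-L170 and L192-L194 cannot tell the two files apart. Because the play that includes this file targets `oo_masters`, the create tasks delegated to `first_master` run once per master and, with every master seeing `exists: false` at the same step, can each invoke `oc adm ca create-signer-cert` against the same CA files; `run_once: true` on the delegated create tasks closes that race. `fetch` without `flat: yes` stores the file under `dest/<inventory_hostname>/etc/origin/master/...` rather than at `dest` itself, so the later `copy` `src` points at a directory, and `certtemp.stdout` is a path created on the remote master but used as a controller-side `dest` while the `file: state: absent` cleanup at L265-L268 runs on the remote, leaving the fetched private keys on the control host. The copied `front-proxy-ca.key` and `aggregator-front-proxy.key` also land with default permissions because `copy` sets no `mode`; private keys should be written as `0600`.
```yaml
- name: Check for First Master Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.key
  register: first_proxy_ca_key
  changed_when: false
  delegate_to: "{{ first_master }}"

- name: Creating First Master Aggregator signer certs
  # … unchanged: oc adm ca create-signer-cert command and when: …
  delegate_to: "{{ first_master }}"
  run_once: true

- name: Check for Aggregator Signer key
  stat:
    path: /etc/origin/master/front-proxy-ca.key
  register: proxy_ca_key
  changed_when: false

- name: Copy Aggregator Signer certs from first master
  fetch:
    src: "/etc/origin/master/{{ item }}"
    dest: "{{ certtemp.stdout }}/{{ item }}"
    flat: true
  # … unchanged: with_items / delegate_to / when …

- name: Copy Aggregator Signer certs to host
  copy:
    src: "{{ certtemp.stdout }}/{{ item }}"
    dest: "/etc/origin/master/{{ item }}"
    mode: "0600"
  # … unchanged: with_items / when …

# … unchanged: api-client config tasks (same flat: true / mode: "0600" / run_once treatment) …

- name: Delete temp directory on the control host
  file:
    name: "{{ certtemp.stdout }}"
    state: absent
  delegate_to: localhost
  changed_when: false
```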

+ 1 - 0
roles/openshift_service_catalog/templates/controller_manager.j2

@@ -17,6 +17,7 @@ spec:
       labels:
         app: controller-manager
     spec:
+      serviceAccountName: service-catalog-controller
       nodeSelector:
 {% for key, value in node_selector.iteritems() %}
         {{key}}: "{{value}}"
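Review bot: `serviceAccountName: service-catalog-controller` at L278 is a hardcoded name that has to match a ServiceAccount created and bound elsewhere (the kubeservicecatalog_roles_bindings.yml hunk adds rules but its subjects are outside this diff); if the names diverge, pod creation for this Deployment would fail on the missing service account. A Jinja comment on the line records that coupling: `{# must match the ServiceAccount bound in files/kubeservicecatalog_roles_bindings.yml #}`. The enclosing Deployment spec starts and ends outside the hunk.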