
Change catalog roles install to use aggregation

The OpenShift cluster roles were recently changed to be reconciled via
the aggregate-to-* labels, so this role is updated to match. Rather than generating
portions of the file, simply use the auth reconciler and let it handle
any necessary role updates. Also, since it is theoretically possible for
conflicts to occur, retry reconciliation several times.
Jeff Peeler 7 years ago
parent
commit
9779f4c74d

+ 86 - 0
roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml

@@ -0,0 +1,86 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: system:service-catalog:aggregate-to-admin
+rules:
+- apiGroups:
+  - "servicecatalog.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - serviceinstances
+  - servicebindings
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - "settings.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - podpresets
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: system:service-catalog:aggregate-to-edit
+rules:
+- apiGroups:
+  - "servicecatalog.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - serviceinstances
+  - servicebindings
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - "settings.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - podpresets
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: system:service-catalog:aggregate-to-view
+rules:
+- apiGroups:
+  - "servicecatalog.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - serviceinstances
+  - servicebindings
+  verbs:
+  - get
+  - list
+  - watch
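Review bot: Every rule in the new file carries `attributeRestrictions: null`, which is a field of OpenShift's authorization.openshift.io role schema rather than of rbac.authorization.k8s.io, the apiVersion these three objects declare; presumably the server drops it as an unknown field, so it is dead noise inherited from the deleted templates and should be removed from all eight rules. The admin and edit roles are rule-for-rule identical apart from their label, and aggregation is purely label-driven, so a single ClusterRole labelled with both `rbac.authorization.k8s.io/aggregate-to-admin: "true"` and `rbac.authorization.k8s.io/aggregate-to-edit: "true"` would express the same grants with one copy to keep in sync (as far as I recall that is how upstream labels system:aggregate-to-edit). A header comment would help the next maintainer see the blast radius: `# Aggregated into the built-in admin/edit/view ClusterRoles through their aggregationRule label selectors; any verb added here is granted to every project admin/editor/viewer on serviceinstances, servicebindings and podpresets.` If the target cluster already serves `rbac.authorization.k8s.io/v1`, prefer it over v1beta1.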

+ 11 - 68
roles/openshift_service_catalog/tasks/install.yml

@@ -74,74 +74,17 @@
     template_name: kube-system-service-catalog-role-bindings
     namespace: kube-system
 
-- oc_obj:
-    name: edit
-    kind: clusterrole
-    state: list
-  register: edit_yaml
-
-# only do this if we don't already have the updated role info
-- name: Generate apply template for clusterrole/edit
-  template:
-    src: sc_admin_edit_role_patching.j2
-    dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
-  vars:
-    original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
-  when:
-    - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-# only do this if we don't already have the updated role info
-- name: update edit role for service catalog and pod preset access
-  command: >
-    {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
-  when:
-    - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-- oc_obj:
-    name: admin
-    kind: clusterrole
-    state: list
-  register: admin_yaml
-
-# only do this if we don't already have the updated role info
-- name: Generate apply template for clusterrole/admin
-  template:
-    src: sc_admin_edit_role_patching.j2
-    dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
-  vars:
-    original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
-  when:
-    - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-# only do this if we don't already have the updated role info
-- name: update admin role for service catalog and pod preset access
-  command: >
-    {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
-  when:
-    - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-- oc_obj:
-    name: view
-    kind: clusterrole
-    state: list
-  register: view_yaml
-
-# only do this if we don't already have the updated role info
-- name: Generate apply template for clusterrole/view
-  template:
-    src: sc_view_role_patching.j2
-    dest: "{{ mktemp.stdout }}/view_sc_patch.yml"
-  vars:
-    original_content: "{{ view_yaml.results.results[0] | to_yaml }}"
-  when:
-    - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
-
-# only do this if we don't already have the updated role info
-- name: update view role for service catalog access
-  command: >
-    {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/view_sc_patch.yml
-  when:
-    - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
+- copy:
+    src: openshift_catalog_clusterroles.yml
+    dest: "{{ mktemp.stdout }}/openshift_catalog_clusterroles.yml"
+
+- name: Apply Service Catalog cluster roles
+  retries: 5
+  delay: 2
+  register: task_result
+  until: task_result.rc == 0
+  shell: >
+    {{ openshift_client_binary }} auth reconcile --config={{ openshift.common.config_base }}/master/admin.kubeconfig -f {{ mktemp.stdout}}/openshift_catalog_clusterroles.yml
 
 - oc_adm_policy_user:
     namespace: kube-service-catalog
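Review bot: The "Apply Service Catalog cluster roles" task runs oc through `shell:` although nothing in the command needs a shell, so the templated `openshift_client_binary`, `openshift.common.config_base` and `mktemp.stdout` values are all passed through /bin/sh for no benefit; `command: >` is the drop-in safer form and the `retries`/`until` loop works the same with it. `oc auth reconcile` is additive unless told otherwise, so a verb later removed from openshift_catalog_clusterroles.yml will not be revoked from the aggregated roles on the next run — worth a comment above the task, `# reconcile only adds/updates rules; verbs dropped from the file are not revoked`, or, if the installed oc supports it, the flag that removes extra permissions. The preceding `copy` task is unnamed, unlike its neighbours, and `{{ mktemp.stdout}}` is missing the space before `}}`; both are cosmetic but make the playbook output harder to read.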

+ 0 - 27
roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2

@@ -1,27 +0,0 @@
-{{ original_content }}
-- apiGroups:
-  - "servicecatalog.k8s.io"
-  attributeRestrictions: null
-  resources:
-  - serviceinstances
-  - servicebindings
-  verbs:
-  - create
-  - update
-  - delete
-  - get
-  - list
-  - watch
-  - patch
-- apiGroups:
-  - "settings.k8s.io"
-  attributeRestrictions: null
-  resources:
-  - podpresets
-  verbs:
-  - create
-  - update
-  - delete
-  - get
-  - list
-  - watch

+ 0 - 11
roles/openshift_service_catalog/templates/sc_view_role_patching.j2

@@ -1,11 +0,0 @@
-{{ original_content }}
-- apiGroups:
-  - "servicecatalog.k8s.io"
-  attributeRestrictions: null
-  resources:
-  - serviceinstances
-  - servicebindings
-  verbs:
-  - get
-  - list
-  - watch