
Merge pull request #4772 from ewolinetz/fix_additive_clusterrole

Updating to use oc replace and conditionally update edit and admin roles
Scott Dodson 7 tahun lalu
induk
melakukan
a786acd3e6

+ 17 - 1
filter_plugins/oo_filters.py

@@ -1009,6 +1009,21 @@ def oo_random_word(length, source='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
     return ''.join(random.choice(source) for i in range(length))
 
 
+def oo_contains_rule(source, apiGroups, resources, verbs):
+    '''Return true if the specified rule is contained within the provided source'''
+
+    rules = source['rules']
+
+    if rules:
+        for rule in rules:
+            if set(rule['apiGroups']) == set(apiGroups):
+                if set(rule['resources']) == set(resources):
+                    if set(rule['verbs']) == set(verbs):
+                        return True
+
+    return False
+
+
 class FilterModule(object):
     """ Custom ansible filter mapping """
 
@@ -1049,5 +1064,6 @@ class FilterModule(object):
             "oo_openshift_loadbalancer_frontends": oo_openshift_loadbalancer_frontends,
             "oo_openshift_loadbalancer_backends": oo_openshift_loadbalancer_backends,
             "to_padded_yaml": to_padded_yaml,
-            "oo_random_word": oo_random_word
+            "oo_random_word": oo_random_word,
+            "oo_contains_rule": oo_contains_rule
         }
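Review bot: `oo_contains_rule` indexes `rule['apiGroups']`, `rule['resources']` and `rule['verbs']` directly, so a rule that lacks one of those keys (for example a rule that only carries `nonResourceURLs`) or that has it set to null raises KeyError/TypeError from inside the filter and aborts the play instead of answering false; `set(rule.get('apiGroups') or [])` (and likewise for the other two) keeps the filter total over whatever the live role contains. The docstring should also say that containment is exact set equality: a rule that already grants a superset, such as `verbs: ['*']` or a longer resource list, is reported as not contained, so callers will re-apply their patch in that case. `source['rules']` has the same hazard if the object has no `rules` key; `source.get('rules')` avoids it.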

+ 6 - 0
roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml

@@ -137,6 +137,12 @@ objects:
     - serviceclasses
     verbs:
     - create
+  - apiGroups:
+    - settings.k8s.io
+    resources:
+    - podpresets
+    verbs:
+    - create
 
 - kind: ClusterRoleBinding
   apiVersion: v1
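Review bot: The added rule grants `create` on `podpresets` in `settings.k8s.io` with no comment on why this subject needs it, and the enclosing object (its kind and name) starts outside the hunk, so a reader cannot tell from here which role is being widened. Add a comment above the rule such as `# create-only: the catalog controller injects binding data into pods via PodPresets` (adjust to the actual reason) so that the next review of this role can judge whether create-only is still the minimum. PodPreset is an alpha API that also depends on an admission plugin being enabled, which is presumably handled elsewhere; worth stating next to the rule if so.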

+ 14 - 2
roles/openshift_service_catalog/tasks/install.yml

@@ -72,16 +72,22 @@
     state: list
   register: edit_yaml
 
+# only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/edit
   template:
     src: sc_role_patching.j2
     dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
   vars:
     original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
+  when:
+    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
+# only do this if we don't already have the updated role info
 - name: update edit role for service catalog and pod preset access
   command: >
-    oc apply -f {{ mktemp.stdout }}/edit_sc_patch.yml
+    oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
+  when:
+    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 - oc_obj:
     name: admin
@@ -89,16 +95,22 @@
     state: list
   register: admin_yaml
 
+# only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/admin
   template:
     src: sc_role_patching.j2
     dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
   vars:
     original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
+  when:
+    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
+# only do this if we don't already have the updated role info
 - name: update admin role for service catalog and pod preset access
   command: >
-    oc apply -f {{ mktemp.stdout }}/admin_sc_patch.yml
+    oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
+  when:
+    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 - shell: >
     oc get policybindings/kube-system:default -n kube-system || echo "not found"
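Review bot: The same long `oo_contains_rule(...) or not ... oo_contains_rule(...)` expression is pasted verbatim into both `when:` clauses of this hunk (and again twice in the edit hunk above); if one copy drifts from the other, the template step and the `oc replace` step can disagree and the replace would run against a stale or missing file. Computing the condition once into a fact and referencing it from both tasks removes that failure mode. The hard-coded verb list in the check also has to match exactly what `sc_role_patching.j2` writes (not visible here); if the template emits a different verb set the check never becomes true and `oc replace` runs on every play. Since `edit` and `admin` are default cluster roles, confirm that the templated object keeps them from being reverted by role reconciliation (the `openshift.io/reconcile-protect` annotation, if the template does not already set it).
```yaml
- set_fact:
    sc_admin_role_needs_patch: "{{ not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch']) }}"

# … unchanged: Generate apply template for clusterrole/admin task …
  when: sc_admin_role_needs_patch

# … unchanged: update admin role for service catalog and pod preset access task …
  when: sc_admin_role_needs_patch
```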