Adding aggregate rule for new user authorization
@@ -60,6 +60,15 @@
resources: ["bundles", "bundlebindings", "bundleinstances"]
verbs: ["*"]
+- name: Create aggregate rule for user authorization
+ oc_obj:
+ name: asb-user-access
+ state: present
+ kind: ClusterRole
+ content:
+ path: /tmp/useraccessout
+ data: "{{ lookup('template', 'broker-user-auth.clusterrole.yaml.j2') | from_yaml }}"
+
- name: Create asb-access cluster role
oc_clusterrole:
state: present
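Review bot: The added task stages the rendered ClusterRole under the fixed name `/tmp/useraccessout` (`content.path`), a predictable location in a world-writable directory. If `oc_obj` uses that value as the literal file location rather than as a prefix for a unique temporary file (not visible from this hunk), another local account on the host could pre-create or replace the file before it is applied, and the object being applied is cluster-wide RBAC. Consider staging it in a directory created for the run with mode 0700, e.g. `path: "{{ <registered_tempdir>.path }}/useraccessout"` (placeholder variable name), and confirm the file is removed once the task finishes.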
@@ -0,0 +1,15 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+{% if ansible_service_broker_sandbox_role != 'admin' %}
+ rbac.authorization.k8s.io/aggregate-to-{{ ansible_service_broker_sandbox_role }}: "true"
+{% endif %}
+rules:
+- apiGroups: ["automationbroker.io"]
+ resources: ["access"]
+ verbs: ["create"]
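Review bot: `ansible_service_broker_sandbox_role` is spliced directly into the label key on the `aggregate-to-{{ ansible_service_broker_sandbox_role }}` line, and nothing in this hunk restricts it to a role that is meant to receive the rule. Aggregation applies to every subject bound to the selected ClusterRole anywhere in the cluster, so a value of `view` or `edit` gives `create` on `automationbroker.io` `access` to all holders of that role, while an empty or mistyped value renders a label that most likely matches no aggregation selector and the grant is silently absent. If only the built-in roles are supported, validate the variable before rendering, for example an `assert` task with `that: ansible_service_broker_sandbox_role in ['admin', 'edit', 'view']`. A template comment would also help the next reader: `{# grants create on automationbroker.io/access to every holder of the aggregated roles #}`.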