
Merge pull request #1782 from vishpat/serviceaccount_review

Changed service account creation to ansible
Jason DeTiberus 9 years ago
parent
commit
b776be49d8

+ 0 - 63
roles/nuage_master/files/serviceaccount.sh

@@ -1,63 +0,0 @@
-#!/bin/bash
-# Parse CLI options
-for i in "$@"; do
-    case $i in
-        --master-cert-dir=*)
-            MASTER_DIR="${i#*=}"
-            CA_CERT=${MASTER_DIR}/ca.crt
-            CA_KEY=${MASTER_DIR}/ca.key
-            CA_SERIAL=${MASTER_DIR}/ca.serial.txt
-            ADMIN_FILE=${MASTER_DIR}/admin.kubeconfig
-        ;;
-        --server=*)
-            SERVER="${i#*=}"
-        ;;
-        --output-cert-dir=*)
-            OUTDIR="${i#*=}"
-            CONFIG_FILE=${OUTDIR}/nuage.kubeconfig
-        ;;
-    esac
-done
-
-# If any are missing, print the usage and exit
-if [ -z $SERVER ] || [ -z $OUTDIR ] || [ -z $MASTER_DIR ]; then
-    echo "Invalid syntax: $@"
-    echo "Usage:"
-    echo "  $0 --server=<address>:<port> --output-cert-dir=/path/to/output/dir/ --master-cert-dir=/path/to/master/"
-    echo "--master-cert-dir:  Directory where the master's configuration is held"
-    echo "--server:           Address of Kubernetes API server (default port is 8443)"
-    echo "--output-cert-dir:  Directory to put artifacts in"
-    echo ""
-    echo "All options are required"
-    exit 1
-fi
-
-# Login as admin so that we can create the service account
-oc login -u system:admin --config=$ADMIN_FILE || exit 1
-oc project default --config=$ADMIN_FILE
-
-ACCOUNT_CONFIG='
-{
-  "apiVersion": "v1",
-  "kind": "ServiceAccount",
-  "metadata": {
-    "name": "nuage"
-  }
-}
-'
-
-# Create the account with the included info
-echo $ACCOUNT_CONFIG|oc create --config=$ADMIN_FILE -f -
-
-# Add the cluser-reader role, which allows this service account read access to
-# everything in the cluster except secrets
-oadm policy add-cluster-role-to-user cluster-reader system:serviceaccounts:default:nuage --config=$ADMIN_FILE
-
-# Generate certificates and a kubeconfig for the service account
-oadm create-api-client-config --certificate-authority=${CA_CERT} --client-dir=${OUTDIR} --signer-cert=${CA_CERT} --signer-key=${CA_KEY} --signer-serial=${CA_SERIAL} --user=system:serviceaccounts:default:nuage --master=${SERVER} --public-master=${SERVER} --basename='nuage'
-
-# Verify the finalized kubeconfig
-if ! [ $(oc whoami --config=$CONFIG_FILE) == 'system:serviceaccounts:default:nuage' ]; then
-    echo "Service account creation failed!"
-    exit 1
-fi

+ 1 - 3
roles/nuage_master/tasks/main.yaml

@@ -11,9 +11,7 @@
   sudo: true
   yum: name={{ nuage_openshift_rpm }} state=present
 
-- name: Run the service account creation script
-  sudo: true
-  script: serviceaccount.sh --server={{ openshift.master.api_url }} --output-cert-dir={{ cert_output_dir }} --master-cert-dir={{ openshift_master_config_dir }}
+- include: serviceaccount.yml
 
 - name: Download the certs and keys
   sudo: true
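Review bot: The new `- include: serviceaccount.yml` line carries no `sudo: true`, whereas the script task it replaces (and the yum task just above it) ran with `sudo: true`; the included tasks copy `{{ openshift.common.config_base }}/master/admin.kubeconfig` and sign with the master CA key, files that are normally readable only by root, so unless the play already runs as root the copy task will fail. In the Ansible 1.x syntax this file uses, a task-level keyword on an include applies to every included task, so the minimal fix is `- include: serviceaccount.yml` followed by `  sudo: true`. Whether the play as a whole already runs as root is not visible from this hunk, so confirm before adding it.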

+ 51 - 0
roles/nuage_master/tasks/serviceaccount.yml

@@ -0,0 +1,51 @@
+---
+- name: Create temporary directory for admin kubeconfig
+  command: mktemp -u /tmp/openshift-ansible-XXXXXXX.kubeconfig
+  register: nuage_tmp_conf_mktemp
+  changed_when: False
+
+- set_fact:
+    nuage_tmp_conf: "{{ nuage_tmp_conf_mktemp.stdout }}"
+
+- name: Copy Configuration to temporary conf
+  command: >
+    cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{nuage_tmp_conf}}
+  changed_when: false
+
+- name: Create Admin Service Account
+  shell: >
+    echo {{ nuage_service_account_config | to_json | quote }} |
+    {{ openshift.common.client_binary }} create
+    -n default 
+    --config={{nuage_tmp_conf}}
+    -f -
+  register: osnuage_create_service_account
+  failed_when: "'already exists' not in osnuage_create_service_account.stderr and osnuage_create_service_account.rc != 0"
+  changed_when: osnuage_create_service_account.rc == 0
+
+- name: Configure role/user permissions
+  command: >
+    {{ openshift.common.admin_binary }} {{item}}
+    --config={{nuage_tmp_conf}}
+  with_items: "{{nuage_tasks}}"
+  register: osnuage_perm_task
+  failed_when: "'already exists' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0"
+  changed_when: osnuage_perm_task.rc == 0
+
+- name: Generate the node client config
+  command: >
+    {{ openshift.common.admin_binary }} create-api-client-config
+      --certificate-authority={{ openshift_master_ca_cert }}
+      --client-dir={{ cert_output_dir }}
+      --master={{ openshift.master.api_url }}
+      --public-master={{ openshift.master.api_url }}
+      --signer-cert={{ openshift_master_ca_cert }}
+      --signer-key={{ openshift_master_ca_key }}
+      --signer-serial={{ openshift_master_ca_serial }}
+      --basename='nuage'
+      --user={{ nuage_service_account }}
+
+- name: Clean temporary configuration file
+  command: >
+    rm -f {{nuage_tmp_conf}}
+  changed_when: false
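Review bot: `mktemp -u` in the first task only prints a name without creating the file, so the admin kubeconfig is actually created by the `cp` in the copy task with the caller's umask (typically 0644); that is a cluster-admin credential sitting world-readable under /tmp until the final `rm -f`, and it stays behind if any task in between fails, since nothing runs the cleanup on error. Dropping `-u` makes mktemp create the file itself with mode 0600 and removes the window in which another local user could pre-create or symlink the predictable-looking path; `cp` onto an existing file keeps the destination's mode, so the copy stays 0600. The cleanup should also run from an `always:` section of a `block:` so it executes on failure; that needs Ansible 2.0, which I cannot confirm from this file (it still uses `sudo:` rather than `become:`), so if the role must stay on 1.x keep the trailing rm task and at least fix the mktemp. Separately, the `create-api-client-config` task has no `creates:` guard, so every run re-signs a new client certificate into `{{ cert_output_dir }}` — presumably unintended, worth confirming.
```yaml
- name: Create temporary file for admin kubeconfig (mktemp creates it mode 0600)
  command: mktemp /tmp/openshift-ansible-XXXXXXX.kubeconfig
  register: nuage_tmp_conf_mktemp
  changed_when: False

- set_fact:
    nuage_tmp_conf: "{{ nuage_tmp_conf_mktemp.stdout }}"

- block:
    # … unchanged: copy admin.kubeconfig, create service account, add cluster-reader, create-api-client-config …
  always:
    - name: Clean temporary configuration file
      command: >
        rm -f {{ nuage_tmp_conf }}
      changed_when: false
```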

+ 15 - 1
roles/nuage_master/vars/main.yaml

@@ -1,4 +1,7 @@
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
+openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
+openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
+openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
 ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
 admin_config: "{{ openshift.common.config_base }}/master/admin.kubeconfig"
 cert_output_dir: /usr/share/nuage-openshift-monitor
@@ -15,6 +18,17 @@ nuage_ca_master_rest_server_key: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonSe
 nuage_ca_master_rest_server_crt: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonServer.crt" 
 
 nuage_master_crt_dir : /usr/share/nuage-openshift-monitor
+nuage_service_account: system:serviceaccount:default:nuage
+
+nuage_service_account_config:
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: nuage 
+
+nuage_tasks:
+    - policy add-cluster-role-to-user cluster-reader {{ nuage_service_account }} 
+
 nuage_master_cspadminpasswd: ''
-nuage_master_adminsusername: 'admin'
+nuage_master_adminusername: 'admin'
 nuage_master_adminuserpasswd: 'admin'
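Review bot: The three `openshift_master_ca_*` paths and `nuage_service_account` added here live in `vars/main.yaml`, which in Ansible takes precedence over inventory and role defaults, so none of them (nor the existing `cert_output_dir`) can be overridden by a user of the role; if any are meant to be tunable they belong in `defaults/main.yaml` instead. The added lines `name: nuage ` and the `nuage_tasks` entry end in trailing whitespace — harmless for YAML plain scalars, but worth stripping for consistency. The rename of `nuage_master_adminsusername` to `nuage_master_adminusername` is the only change to that variable in this diff; any template or task in the role that still references the old name is not visible here and should be checked.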