
openshift_serviceaccounts updates

- make service account creation more flexible
- create service accounts near where they are consumed
Jason DeTiberus 9 years ago
parent
commit
d30acfb236

+ 16 - 9
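--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -405,19 +405,11 @@
   - file: name={{ g_master_mktemp.stdout }} state=absent
     changed_when: False
 
-- name: Configure service accounts
-  hosts: oo_first_master
-  vars:
-  roles:
-  - openshift_serviceaccounts
-
-- name: Create persistent volumes and services
+- name: Create persistent volumes
   hosts: oo_first_master
   vars:
     persistent_volumes: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volumes(groups) }}"
     persistent_volume_claims: "{{ hostvars[groups.oo_first_master.0] | oo_persistent_volume_claims }}"
-    attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}"
-    deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}"
   pre_tasks:
   - set_fact:
       nfs_host: "{{ groups.oo_nfs_to_config.0 }}"
@@ -426,6 +418,21 @@
   roles:
   - role: openshift_persistent_volumes
     when: persistent_volumes | length > 0 or persistent_volume_claims | length > 0
+
+- name: Create hosted infrastructure services
+  hosts: oo_first_master
+  vars:
+    accounts: ["router", "registry"]
+    attach_registry_volume: "{{ openshift.hosted.registry.storage.kind != None }}"
+    deploy_infra: "{{ openshift.master.infra_nodes | default(0) | length > 0 }}"
+  roles:
+  - role: openshift_serviceaccounts
+    openshift_serviceaccounts_names:
+    - router
+    - registry
+    openshift_serviceaccounts_namespace: default
+    openshift_serviceaccounts_sccs:
+    - privileged
   - role: openshift_router
     when: deploy_infra | bool
   - role: openshift_registry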
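Review bot: The openshift_serviceaccounts role entry in the new `Create hosted infrastructure services` play carries no `when`, so both accounts are created and added to the privileged SCC even when `deploy_infra` is false and the openshift_router role directly below it is skipped; gating it with `when: deploy_infra | bool` would keep the privileged grant tied to the components that need it, unless the accounts are required regardless (not visible here). The `accounts: ["router", "registry"]` var duplicates `openshift_serviceaccounts_names`, which the rewritten role reads instead; if openshift_router and openshift_registry no longer consume `accounts`, it is dead and can be dropped. The play continues past the end of the hunk.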

+ 15 - 0
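--- /dev/null
+++ b/roles/openshift_serviceaccounts/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: OpenShift Operations
+  description: OpenShift Service Accounts
+  company: Red Hat, Inc.
+  license: Apache License, Version 2.0
+  min_ansible_version: 1.9
+  platforms:
+  - name: EL
+    versions:
+    - 7
+  categories:
+  - cloud
+dependencies:
+- { role: openshift_facts }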

+ 28 - 31
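--- a/roles/openshift_serviceaccounts/tasks/main.yml
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -1,36 +1,33 @@
-- name: tmp dir for openshift
-  file:
-    path: /tmp/openshift
-    state: directory
-    owner: root
-    mode: 700
-
-- name: Create service account configs
-  template:
-    src: serviceaccount.j2
-    dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
-  with_items: accounts
-
-- name: Create {{ item }} service account
+- name: test if service accounts exists
   command: >
-    {{ openshift.common.client_binary }} create -f "/tmp/openshift/{{ item }}-serviceaccount.yaml"
-  with_items: accounts
-  register: _sa_result
-  failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
-  changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"
+      {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }}
+  with_items: openshift_serviceaccounts_names
+  failed_when: false
+  changed_when: false
+  register: account_test
 
-- name: Get current security context constraints
+- name: create the service account
   shell: >
-    {{ openshift.common.client_binary }} get scc privileged -o yaml
-    --output-version=v1 > /tmp/openshift/scc.yaml
-  changed_when: false
+       echo {{ lookup('template', '../templates/serviceaccount.j2')
+               | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }}  create -f -
+  when: item.1.rc != 0
+  with_together:
+  - openshift_serviceaccounts_names
+  - account_test.results
 
-- name: Add security context constraint for {{ item }}
-  lineinfile:
-    dest: /tmp/openshift/scc.yaml
-    line: "- system:serviceaccount:default:{{ item }}"
-    insertafter: "^users:$"
-  with_items: accounts
+- name: test if scc needs to be updated
+  command: >
+      {{ openshift.common.client_binary }} get scc {{ item }} -o yaml
+  changed_when: false
+  failed_when: false
+  register: scc_test
+  with_items: openshift_serviceaccounts_sccs
 
-- name: Apply new scc rules for service accounts
-  command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
+- name: Grant the user access to the privileged scc
+  command: >
+      {{ openshift.common.admin_binary }} policy add-scc-to-user
+      privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
+  when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
+  with_nested:
+  - openshift_serviceaccounts_names
+  - scc_test.results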
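Review bot: The `create the service account` task pipes the manifest into `create -f -` without `-n {{ openshift_serviceaccounts_namespace }}`, while the preceding `get sa` test and the SCC grant both use that namespace, so the account lands in whatever namespace the client context points at and the later grant can reference an account that does not exist there; add `-n {{ openshift_serviceaccounts_namespace }}` after `create -f -` (or set `metadata.namespace` in serviceaccount.j2). In the grant task the SCC name is hard-coded to `privileged` although the task loops over `scc_test.results` for every entry of `openshift_serviceaccounts_sccs`, so any other SCC listed there would still result in a privileged grant; and the `when` embeds `{{ }}`, which Ansible renders before evaluating the condition, so `(item.1.stdout | from_yaml).users` is dereferenced even when `get scc` failed or the SCC has no `users` key. I would change the second command line to `{{ item.1.item }} system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}` and the condition to `when: item.1.rc == 0 and ('system:serviceaccount:' ~ openshift_serviceaccounts_namespace ~ ':' ~ item.0) not in ((item.1.stdout | from_yaml).users | default([]))`, and rename the task to `Grant the service account access to the scc` since the scc is no longer fixed.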

+ 1 - 1
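--- a/roles/openshift_serviceaccounts/templates/serviceaccount.j2
+++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ item }}
+  name: {{ item.0 }}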