
Merge pull request #5761 from fabianvf/asb-client-secret-not-found

Bug 1496426 - Update ansible-service-broker configuration to use proper certs and permissions
Scott Dodson 7 years ago
parent
commit
d7cfb9e1a3

+ 1 - 4
roles/ansible_service_broker/defaults/main.yml

@@ -13,7 +13,4 @@ ansible_service_broker_launch_apb_on_bind: false
 
 ansible_service_broker_image_pull_policy: IfNotPresent
 ansible_service_broker_sandbox_role: edit
-ansible_service_broker_auto_escalate: true
-ansible_service_broker_registry_tag: latest
-ansible_service_broker_registry_whitelist:
-  - '.*-apb$'
+ansible_service_broker_auto_escalate: false
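Review bot: The default for `ansible_service_broker_auto_escalate` is flipped from true to false with no comment recording the intent, and this file is the one operators read when deciding what to override. Since this looks like a privilege-related toggle (the name suggests the broker escalating its own permissions, but the file does not say), a one-line note above it would help, e.g. `# Off by default; set true only if the broker must escalate privileges itself (see role README)`. The removal of the `registry_tag`/`whitelist` defaults here appears safe for existing inventories because install.yml now resolves them with `default(__…)` fallbacks, but that is inferred from the other hunk rather than visible in this file.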

+ 17 - 17
roles/ansible_service_broker/tasks/install.yml

@@ -22,23 +22,14 @@
     ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}"
     ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}"
     ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}"
-
-    ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/service-catalog"
+    ansible_service_broker_registry_tag: "{{ ansible_service_broker_registry_tag | default(__ansible_service_broker_registry_tag) }}"
+    ansible_service_broker_registry_whitelist: "{{ ansible_service_broker_registry_whitelist | default(__ansible_service_broker_registry_whitelist) }}"
 
 - name: set ansible-service-broker image facts using set prefix and tag
   set_fact:
     ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}"
     ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}"
 
-- set_fact:
-    openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-  when: openshift_master_config_dir is undefined
-
-- slurp:
-    src: "{{ openshift_master_config_dir }}/service-signer.crt"
-  register: catalog_ca
-
-
 - include: validate_facts.yml
 
 
@@ -83,13 +74,12 @@
     state: present
     name: asb-access
     rules:
-      - nonResourceURLs: ["/ansible-service-broker", "ansible-service-broker/*"]
+      - nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"]
         verbs: ["get", "post", "put", "patch", "delete"]
 
 - name: Bind admin cluster-role to asb serviceaccount
   oc_adm_policy_user:
     state: present
-    namespace: openshift-ansible-service-broker
     resource_kind: cluster-role
     resource_name: admin
     user: "system:serviceaccount:openshift-ansible-service-broker:asb"
@@ -97,7 +87,6 @@
 - name: Bind auth cluster role to asb service account
   oc_adm_policy_user:
     state: present
-    namespace: openshift-ansible-service-broker
     resource_kind: cluster-role
     resource_name: asb-auth
     user: "system:serviceaccount:openshift-ansible-service-broker:asb"
@@ -105,7 +94,6 @@
 - name: Bind asb-access role to asb-client service account
   oc_adm_policy_user:
     state: present
-    namespace: openshift-ansible-service-broker
     resource_kind: cluster-role
     resource_name: asb-access
     user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"
@@ -113,6 +101,7 @@
 - name: create asb-client token secret
   oc_obj:
     name: asb-client
+    namespace: openshift-ansible-service-broker
     state: present
     kind: Secret
     content:
@@ -122,10 +111,20 @@
         kind: Secret
         metadata:
           name: asb-client
+          namespace: openshift-ansible-service-broker
           annotations:
             kubernetes.io/service-account.name: asb-client
         type: kubernetes.io/service-account-token
 
+- oc_secret:
+    state: list
+    namespace: openshift-ansible-service-broker
+    name: asb-client
+  register: asb_client_secret
+
+- set_fact:
+    service_ca_crt: asb_client_secret.results.results.0.data['service-ca.crt']
+
 # Using oc_obj because oc_service doesn't seem to allow annotations
 # TODO: Extend oc_service to allow annotations
 - name: create ansible-service-broker service
@@ -141,6 +140,7 @@
         kind: Service
         metadata:
           name: asb
+          namespace: openshift-ansible-service-broker
           labels:
             app: openshift-ansible-service-broker
             service: asb
@@ -354,11 +354,11 @@
         metadata:
           name: ansible-service-broker
         spec:
-          url: http://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
+          url: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
           authInfo:
             bearer:
               secretRef:
                 name: asb-client
                 namespace: openshift-ansible-service-broker
                 kind: Secret
-          caBundle: "{{ catalog_ca.content }}"
+          caBundle: "{{ service_ca_crt }}"
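Review bot: The new `set_fact` that feeds `caBundle` assigns a literal string, not the secret's CA: `service_ca_crt: asb_client_secret.results.results.0.data['service-ca.crt']` has no Jinja delimiters, so `service_ca_crt` becomes the text of that expression and the Broker resource at the bottom of the hunk gets that text as its CA bundle, which would make the catalog's TLS verification of the new https URL fail. It should be `service_ca_crt: "{{ asb_client_secret.results.results.0.data['service-ca.crt'] }}"`. Separately, the `oc_secret` list runs immediately after the service-account-token secret is created; the token controller presumably fills `data` asynchronously, so consider guarding the lookup with an `until: asb_client_secret.results.results.0.data['service-ca.crt'] is defined` plus `retries`/`delay` rather than reading it on the first pass — confirm against how `oc_secret` reports a not-yet-populated secret. The result path `results.results.0.data` is taken on trust here; I cannot verify the module's return shape from this page.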

+ 2 - 0
roles/ansible_service_broker/vars/default_images.yml

@@ -13,3 +13,5 @@ __ansible_service_broker_registry_url: null
 __ansible_service_broker_registry_user: null
 __ansible_service_broker_registry_password: null
 __ansible_service_broker_registry_organization: null
+__ansible_service_broker_registry_tag: latest
+__ansible_service_broker_registry_whitelist: []
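Review bot: The origin default for `__ansible_service_broker_registry_whitelist` becomes `[]`, replacing the `.*-apb$` pattern that used to be the role-wide default, and nothing in this file says whether an empty whitelist admits every image or none. Because the whitelist is the only filter on what the broker will pull from a registry, that distinction is security-relevant for anyone using the origin variables; a comment such as `# Empty list: no registry filter is applied for origin (registry_url is null above); enterprise sets '.*-apb$'` would record the intent, with the admit-all/admit-none behaviour confirmed against the broker's config handling before it is stated.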

+ 4 - 1
roles/ansible_service_broker/vars/openshift-enterprise.yml

@@ -1,7 +1,7 @@
 ---
 
 __ansible_service_broker_image_prefix: registry.access.redhat.com/openshift3/ose-
-__ansible_service_broker_image_tag: v3.6
+__ansible_service_broker_image_tag: v3.7
 
 __ansible_service_broker_etcd_image_prefix: rhel7/
 __ansible_service_broker_etcd_image_tag: latest
@@ -14,3 +14,6 @@ __ansible_service_broker_registry_url: "https://registry.access.redhat.com"
 __ansible_service_broker_registry_user: null
 __ansible_service_broker_registry_password: null
 __ansible_service_broker_registry_organization: null
+__ansible_service_broker_registry_tag: v3.7
+__ansible_service_broker_registry_whitelist:
+  - '.*-apb$'