7 年前 · dace5169e0
--- a/files/origin-components/apiserver-config.yaml
+++ b/files/origin-components/apiserver-config.yaml
@@ -0,0 +1,4 @@
 
				+kind: TemplateServiceBrokerConfig
			
 
				+apiVersion: config.templateservicebroker.openshift.io/v1
			
 
				+templateNamespaces:
			
 
				+- openshift
			
--- a/files/origin-components/apiserver-template.yaml
+++ b/files/origin-components/apiserver-template.yaml
@@ -0,0 +1,122 @@
 
				+apiVersion: template.openshift.io/v1
			
 
				+kind: Template
			
 
				+metadata:
			
 
				+  name: template-service-broker-apiserver
			
 
				+parameters:
			
 
				+- name: IMAGE
			
 
				+  value: openshift/origin:latest
			
 
				+- name: NAMESPACE
			
 
				+  value: openshift-template-service-broker
			
 
				+- name: LOGLEVEL
			
 
				+  value: "0"
			
 
				+- name: API_SERVER_CONFIG
			
 
				+  value: |
			
 
				+   kind: TemplateServiceBrokerConfig
			
 
				+   apiVersion: config.templateservicebroker.openshift.io/v1
			
 
				+   templateNamespaces:
			
 
				+   - openshift
			
 
				+objects:
			
 
				+
			
 
				+# to create the tsb server
			
 
				+- apiVersion: extensions/v1beta1
			
 
				+  kind: DaemonSet
			
 
				+  metadata:
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: apiserver
			
 
				+    labels:
			
 
				+      apiserver: "true"
			
 
				+  spec:
			
 
				+    template:
			
 
				+      metadata:
			
 
				+        name: apiserver
			
 
				+        labels:
			
 
				+          apiserver: "true"
			
 
				+      spec:
			
 
				+        serviceAccountName: apiserver
			
 
				+        containers:
			
 
				+        - name: c
			
 
				+          image: ${IMAGE}
			
 
				+          imagePullPolicy: IfNotPresent
			
 
				+          command:
			
 
				+          - "/usr/bin/openshift"
			
 
				+          - "start"
			
 
				+          - "template-service-broker"
			
 
				+          - "--secure-port=8443"
			
 
				+          - "--audit-log-path=-"
			
 
				+          - "--tls-cert-file=/var/serving-cert/tls.crt"
			
 
				+          - "--tls-private-key-file=/var/serving-cert/tls.key"
			
 
				+          - "--loglevel=${LOGLEVEL}"
			
 
				+          - "--config=/var/apiserver-config/apiserver-config.yaml"
			
 
				+          ports:
			
 
				+          - containerPort: 8443
			
 
				+          volumeMounts:
			
 
				+          - mountPath: /var/serving-cert
			
 
				+            name: serving-cert
			
 
				+          - mountPath: /var/apiserver-config
			
 
				+            name: apiserver-config
			
 
				+          readinessProbe:
			
 
				+            httpGet:
			
 
				+              path: /healthz
			
 
				+              port: 8443
			
 
				+              scheme: HTTPS
			
 
				+        volumes:
			
 
				+        - name: serving-cert
			
 
				+          secret:
			
 
				+            defaultMode: 420
			
 
				+            secretName: apiserver-serving-cert
			
 
				+        - name: apiserver-config
			
 
				+          configMap:
			
 
				+            defaultMode: 420
			
 
				+            name: apiserver-config
			
 
				+
			
 
				+# to create the config for the TSB
			
 
				+- apiVersion: v1
			
 
				+  kind: ConfigMap
			
 
				+  metadata:
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: apiserver-config
			
 
				+  data:
			
 
				+    apiserver-config.yaml: ${API_SERVER_CONFIG}
			
 
				+
			
 
				+# to be able to assign powers to the process
			
 
				+- apiVersion: v1
			
 
				+  kind: ServiceAccount
			
 
				+  metadata:
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: apiserver
			
 
				+
			
 
				+# to be able to expose TSB inside the cluster
			
 
				+- apiVersion: v1
			
 
				+  kind: Service
			
 
				+  metadata:
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: apiserver
			
 
				+    annotations:
			
 
				+      service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert
			
 
				+  spec:
			
 
				+    selector:
			
 
				+      apiserver: "true"
			
 
				+    ports:
			
 
				+    - port: 443
			
 
				+      targetPort: 8443
			
 
				+
			
 
				+# This service account will be granted permission to call the TSB.
			
 
				+# The token for this SA will be provided to the service catalog for
			
 
				+# use when calling the TSB.
			
 
				+- apiVersion: v1
			
 
				+  kind: ServiceAccount
			
 
				+  metadata:
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: templateservicebroker-client
			
 
				+
			
 
				+# This secret will be populated with a copy of the templateservicebroker-client SA's
			
 
				+# auth token.  Since this secret has a static name, it can be referenced more
			
 
				+# easily than the auto-generated secret for the service account.
			
 
				+- apiVersion: v1
			
 
				+  kind: Secret
			
 
				+  metadata:
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: templateservicebroker-client
			
 
				+    annotations:
			
 
				+      kubernetes.io/service-account.name: templateservicebroker-client
			
 
				+  type: kubernetes.io/service-account-token
			
--- a/files/origin-components/rbac-template.yaml
+++ b/files/origin-components/rbac-template.yaml
@@ -0,0 +1,92 @@
 
				+apiVersion: template.openshift.io/v1
			
 
				+kind: Template
			
 
				+metadata:
			
 
				+  name: template-service-broker-rbac
			
 
				+parameters:
			
 
				+- name: NAMESPACE
			
 
				+  value: openshift-template-service-broker
			
 
				+- name: KUBE_SYSTEM
			
 
				+  value: kube-system
			
 
				+objects:
			
 
				+
			
 
				+# Grant the service account permission to call the TSB
			
 
				+- apiVersion: rbac.authorization.k8s.io/v1beta1
			
 
				+  kind: ClusterRoleBinding
			
 
				+  metadata:
			
 
				+    name: templateservicebroker-client
			
 
				+  roleRef:
			
 
				+    kind: ClusterRole
			
 
				+    name: system:openshift:templateservicebroker-client
			
 
				+  subjects:
			
 
				+  - kind: ServiceAccount
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: templateservicebroker-client
			
 
				+
			
 
				+# to delegate authentication and authorization
			
 
				+- apiVersion: rbac.authorization.k8s.io/v1beta1
			
 
				+  kind: ClusterRoleBinding
			
 
				+  metadata:
			
 
				+    name: auth-delegator-${NAMESPACE}
			
 
				+  roleRef:
			
 
				+    kind: ClusterRole
			
 
				+    name: system:auth-delegator
			
 
				+  subjects:
			
 
				+  - kind: ServiceAccount
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: apiserver
			
 
				+
			
 
				+# to have the template service broker powers
			
 
				+- apiVersion: rbac.authorization.k8s.io/v1beta1
			
 
				+  kind: ClusterRoleBinding
			
 
				+  metadata:
			
 
				+    name: tsb-${NAMESPACE}
			
 
				+  roleRef:
			
 
				+    kind: ClusterRole
			
 
				+    name: system:openshift:controller:template-service-broker
			
 
				+  subjects:
			
 
				+  - kind: ServiceAccount
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: apiserver
			
 
				+
			
 
				+# to read the config for terminating authentication
			
 
				+- apiVersion: rbac.authorization.k8s.io/v1beta1
			
 
				+  kind: RoleBinding
			
 
				+  metadata:
			
 
				+    namespace: ${KUBE_SYSTEM}
			
 
				+    name: extension-apiserver-authentication-reader-${NAMESPACE}
			
 
				+  roleRef:
			
 
				+    kind: Role
			
 
				+    name: extension-apiserver-authentication-reader
			
 
				+  subjects:
			
 
				+  - kind: ServiceAccount
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: apiserver
			
 
				+
			
 
				+# allow the kube service catalog's SA to read the static secret defined
			
 
				+# above, which will contain the token for the SA that can call the TSB.
			
 
				+- apiVersion: rbac.authorization.k8s.io/v1beta1
			
 
				+  kind: Role
			
 
				+  metadata:
			
 
				+    name: templateservicebroker-auth-reader
			
 
				+    namespace: ${NAMESPACE}
			
 
				+  rules:
			
 
				+  - apiGroups:
			
 
				+    - ""
			
 
				+    resourceNames:
			
 
				+    - templateservicebroker-client
			
 
				+    resources:
			
 
				+    - secrets
			
 
				+    verbs:
			
 
				+    - get
			
 
				+- apiVersion: rbac.authorization.k8s.io/v1beta1
			
 
				+  kind: RoleBinding
			
 
				+  metadata:
			
 
				+    namespace: ${NAMESPACE}
			
 
				+    name: templateservicebroker-auth-reader
			
 
				+  roleRef:
			
 
				+    kind: Role
			
 
				+    name: templateservicebroker-auth-reader
			
 
				+  subjects:
			
 
				+  - kind: ServiceAccount
			
 
				+    namespace: kube-service-catalog
			
 
				+    name: service-catalog-controller
			
--- a/playbooks/common/openshift-cluster/service_catalog.yml
+++ b/playbooks/common/openshift-cluster/service_catalog.yml
@@ -16,5 +16,6 @@
 
				   roles:
			
 
				   - openshift_service_catalog
			
 
				   - ansible_service_broker
			
 
				+  - template_service_broker
			
 
				   vars:
			
 
				     first_master: "{{ groups.oo_first_master[0] }}"
			
--- a/roles/ansible_service_broker/defaults/main.yml
+++ b/roles/ansible_service_broker/defaults/main.yml
@@ -1,6 +1,7 @@
 
				 ---
			
 
				 
			
 
				 ansible_service_broker_remove: false
			
 
				+ansible_service_broker_install: false
			
 
				 ansible_service_broker_log_level: info
			
 
				 ansible_service_broker_output_request: false
			
 
				 ansible_service_broker_recovery: true
			
--- a/roles/ansible_service_broker/tasks/main.yml
+++ b/roles/ansible_service_broker/tasks/main.yml
@@ -2,7 +2,7 @@
 
				 # do any asserts here
			
 
				 
			
 
				 - include: install.yml
			
 
				-  when: not  ansible_service_broker_remove|default(false) | bool
			
 
				+  when: ansible_service_broker_install | default(false) | bool
			
 
				 
			
 
				 - include: remove.yml
			
 
				-  when: ansible_service_broker_remove|default(false) | bool
			
 
				+  when: ansible_service_broker_remove | default(false) | bool
			
--- a/roles/openshift_service_catalog/files/openshift-ansible-catalog-console.js
+++ b/roles/openshift_service_catalog/files/openshift-ansible-catalog-console.js
@@ -1 +1,2 @@
 
				-window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.service_catalog_landing_page = true;
			
 
				+// empty file so that the master-config can still point to a file that exists
			
 
				+// this file will be replaced by the template service broker role if enabled
			
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -112,15 +112,6 @@
 
				   when:
			
 
				     - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
			
 
				 
			
 
				-- shell: >
			
 
				-    oc get policybindings/kube-system:default -n kube-system || echo "not found"
			
 
				-  register: get_kube_system
			
 
				-  changed_when: no
			
 
				-
			
 
				-- command: >
			
 
				-    oc create policybinding kube-system -n kube-system
			
 
				-  when: "'not found' in get_kube_system.stdout"
			
 
				-
			
 
				 - oc_adm_policy_user:
			
 
				     namespace: kube-service-catalog
			
 
				     resource_kind: scc
			
--- a/roles/template_service_broker/defaults/main.yml
+++ b/roles/template_service_broker/defaults/main.yml
@@ -0,0 +1,4 @@
 
				+---
			
 
				+# placeholder file?
			
 
				+template_service_broker_remove: False
			
 
				+template_service_broker_install: False
			
--- a/roles/template_service_broker/files/openshift-ansible-catalog-console.js
+++ b/roles/template_service_broker/files/openshift-ansible-catalog-console.js
@@ -0,0 +1 @@
 
				+window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.template_service_broker = true;
			
--- a/roles/template_service_broker/files/remove-openshift-ansible-catalog-console.js
+++ b/roles/template_service_broker/files/remove-openshift-ansible-catalog-console.js
@@ -0,0 +1,2 @@
 
				+// empty file so that the master-config can still point to a file that exists
			
 
				+// this file will be replaced by the template service broker role if enabled
			
--- a/roles/template_service_broker/meta/main.yml
+++ b/roles/template_service_broker/meta/main.yml
@@ -0,0 +1,13 @@
 
				+---
			
 
				+galaxy_info:
			
 
				+  author: OpenShift Red Hat
			
 
				+  description: OpenShift Template Service Broker
			
 
				+  company: Red Hat, Inc.
			
 
				+  license: Apache License, Version 2.0
			
 
				+  min_ansible_version: 2.1
			
 
				+  platforms:
			
 
				+  - name: EL
			
 
				+    versions:
			
 
				+    - 7
			
 
				+  categories:
			
 
				+  - cloud
			
--- a/roles/template_service_broker/tasks/install.yml
+++ b/roles/template_service_broker/tasks/install.yml
@@ -0,0 +1,47 @@
 
				+---
			
 
				+# Fact setting
			
 
				+- name: Set default image variables based on deployment type
			
 
				+  include_vars: "{{ item }}"
			
 
				+  with_first_found:
			
 
				+    - "{{ openshift_deployment_type | default(deployment_type) }}.yml"
			
 
				+    - "default_images.yml"
			
 
				+
			
 
				+- name: set ansible_service_broker facts
			
 
				+  set_fact:
			
 
				+    template_service_broker_image: "{{ template_service_broker_image | default(__template_service_broker_image) }}"
			
 
				+
			
 
				+- oc_project:
			
 
				+    name: openshift-template-service-broker
			
 
				+    state: present
			
 
				+
			
 
				+- command: mktemp -d /tmp/tsb-ansible-XXXXXX
			
 
				+  register: mktemp
			
 
				+  changed_when: False
			
 
				+  become: no
			
 
				+
			
 
				+- copy:
			
 
				+    src: "{{ __tsb_files_location }}/{{ item }}"
			
 
				+    dest: "{{ mktemp.stdout }}/{{ item }}"
			
 
				+  with_items:
			
 
				+    - "{{ __tsb_template_file }}"
			
 
				+    - "{{ __tsb_rbac_file }}"
			
 
				+
			
 
				+- name: Apply template file
			
 
				+  shell: >
			
 
				+    oc process -f "{{ mktemp.stdout }}/{{ __tsb_template_file }}" --param API_SERVER_CONFIG="{{ lookup('file', __tsb_files_location ~ '/' ~ __tsb_config_file) }}" | kubectl apply -f -
			
 
				+
			
 
				+# reconcile with rbac
			
 
				+- name: Reconcile with RBAC file
			
 
				+  shell: >
			
 
				+    oc process -f "{{ mktemp.stdout }}/{{ __tsb_rbac_file }}" | oc auth reconcile -f -
			
 
				+
			
 
				+- name: copy tech preview extension file for service console UI
			
 
				+  copy:
			
 
				+    src: openshift-ansible-catalog-console.js
			
 
				+    dest: /etc/origin/master/openshift-ansible-catalog-console.js
			
 
				+
			
 
				+- file:
			
 
				+    state: absent
			
 
				+    name: "{{ mktemp.stdout }}"
			
 
				+  changed_when: False
			
 
				+  become: no
			
--- a/roles/template_service_broker/tasks/main.yml
+++ b/roles/template_service_broker/tasks/main.yml
@@ -0,0 +1,8 @@
 
				+---
			
 
				+# do any asserts here
			
 
				+
			
 
				+- include: install.yml
			
 
				+  when: template_service_broker_install | default(false) | bool
			
 
				+
			
 
				+- include: remove.yml
			
 
				+  when: template_service_broker_remove | default(false) | bool
			
--- a/roles/template_service_broker/tasks/remove.yml
+++ b/roles/template_service_broker/tasks/remove.yml
@@ -0,0 +1,28 @@
 
				+---
			
 
				+- command: mktemp -d /tmp/tsb-ansible-XXXXXX
			
 
				+  register: mktemp
			
 
				+  changed_when: False
			
 
				+  become: no
			
 
				+
			
 
				+- copy:
			
 
				+    src: "{{ __tsb_files_location }}/{{ item }}"
			
 
				+    dest: "{{ mktemp.stdout }}/{{ __tsb_template_file }}"
			
 
				+
			
 
				+- name: Delete TSB objects
			
 
				+  shell: >
			
 
				+    oc process -f "{{ __tsb_files_location }}/{{ __tsb_template_file }}" | kubectl delete -f -
			
 
				+
			
 
				+- name: empty out tech preview extension file for service console UI
			
 
				+  copy:
			
 
				+    src: remove-openshift-ansible-catalog-console.js
			
 
				+    dest: /etc/origin/master/openshift-ansible-catalog-console.js
			
 
				+
			
 
				+- oc_project:
			
 
				+    name: openshift-template-service-broker
			
 
				+    state: absent
			
 
				+
			
 
				+- file:
			
 
				+    state: absent
			
 
				+    name: "{{ mktemp.stdout }}"
			
 
				+  changed_when: False
			
 
				+  become: no
			
--- a/roles/template_service_broker/vars/default_images.yml
+++ b/roles/template_service_broker/vars/default_images.yml
@@ -0,0 +1,2 @@
 
				+---
			
 
				+__template_service_broker_image: ""
			
--- a/roles/template_service_broker/vars/main.yml
+++ b/roles/template_service_broker/vars/main.yml
@@ -0,0 +1,6 @@
 
				+---
			
 
				+__tsb_files_location: "../../../files/origin-components/"
			
 
				+
			
 
				+__tsb_template_file: "apiserver-template.yaml"
			
 
				+__tsb_config_file: "apiserver-config.yaml"
			
 
				+__tsb_rbac_file: "rbac-template.yaml"
			
--- a/roles/template_service_broker/vars/openshift-enterprise.yml
+++ b/roles/template_service_broker/vars/openshift-enterprise.yml
@@ -0,0 +1,2 @@
 
				+---
			
 
				+__template_service_broker_image: ""
		`@@ -0,0 +1 @@`
		`+window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.template_service_broker = true;`