
Refactor and remove the openshift_serviceaccounts role

Russell Teague 8 years ago
parent
commit
e879931d0d

+ 0 - 16
roles/openshift_hosted/meta/main.yml

@@ -17,19 +17,3 @@ dependencies:
 - role: lib_openshift
 - role: openshift_projects
   openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
-- role: openshift_serviceaccounts
-  openshift_serviceaccounts_names:
-  - router
-  - registry
-  openshift_serviceaccounts_namespace: default
-  openshift_serviceaccounts_sccs:
-  - hostnetwork
-  when: openshift.common.version_gte_3_2_or_1_2
-- role: openshift_serviceaccounts
-  openshift_serviceaccounts_names:
-  - router
-  - registry
-  openshift_serviceaccounts_namespace: default
-  openshift_serviceaccounts_sccs:
-  - privileged
-  when: not openshift.common.version_gte_3_2_or_1_2

+ 14 - 2
roles/openshift_hosted/tasks/registry/registry.yml

@@ -56,12 +56,24 @@
     openshift_hosted_registry_force:
     - False
 
+- name: Create the registry service account
+  oc_serviceaccount:
+    name: "{{ openshift_hosted_registry_serviceaccount }}"
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+
+- name: Grant the registry serivce account access to the appropriate scc
+  oc_adm_policy_user:
+    user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+    resource_kind: scc
+    resource_name: hostnetwork
+
 - name: oc adm policy add-cluster-role-to-user system:registry system:serviceaccount:default:registry
   oc_adm_policy_user:
-    user: system:serviceaccount:default:registry
+    user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
+    namespace: "{{ openshift_hosted_registry_namespace }}"
     resource_kind: cluster-role
     resource_name: system:registry
-    state: present
 
 - name: create the default registry service
   oc_service:
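Review bot: The task name on the `oc adm policy add-cluster-role-to-user` step still reads `system:serviceaccount:default:registry`, while the `user:` argument beneath it is now templated from `openshift_hosted_registry_namespace` and `openshift_hosted_registry_serviceaccount`, so the play output will misreport which principal received the `system:registry` cluster role whenever those variables differ from `default`/`registry`; rename it to `Grant the registry service account the system:registry cluster role`. The `Create the registry service account` task omits `state: present` whereas the router equivalent sets it explicitly, and `state: present` was also dropped from the cluster-role grant, so both now rely on the module default — presumably `present`, but worth stating explicitly on steps that hand out privileges. `serivce` in the scc task name is a typo. The hostnetwork grant is now unconditional where the removed meta dependency chose `hostnetwork` or `privileged` by version; if pre-3.2 clusters are still a target that path is gone.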

+ 15 - 0
roles/openshift_hosted/tasks/router/router.yml

@@ -22,6 +22,21 @@
   with_items: "{{ openshift_hosted_routers | oo_collect(attribute='certificates') |
                   oo_select_keys_from_list(['keyfile', 'certfile', 'cafile']) }}"
 
+- name: Create the router service account(s)
+  oc_serviceaccount:
+    name: "{{ item.serviceaccount }}"
+    namespace: "{{ item.namespace }}"
+    state: present
+  with_items: "{{ openshift_hosted_routers }}"
+
+- name: Grant the router serivce account(s) access to the appropriate scc
+  oc_adm_policy_user:
+    user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}"
+    namespace: "{{ item.namespace }}"
+    resource_kind: scc
+    resource_name: hostnetwork
+  with_items: "{{ openshift_hosted_routers }}"
+
 - name: Create OpenShift router
   oc_adm_router:
     name: "{{ item.name }}"
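Review bot: Both new tasks iterate `openshift_hosted_routers` with `with_items`, so Ansible echoes each full router dict in task output; the certificate task just above pulls `keyfile`/`certfile`/`cafile` from those same dicts, and if any entry ever carries inline key material rather than a path it will land in the run log — consider `loop_control: label: "{{ item.name }}"` (or `no_log: true`) on both tasks. They also assume every router entry defines `serviceaccount` and `namespace`; a missing key aborts the play with an undefined-variable error rather than falling back to a default, which may be intended but deserves a comment such as `# each router entry must define name, namespace and serviceaccount`. `serivce` in the scc task name is a typo. The `Create OpenShift router` task that follows continues outside the hunk.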

+ 0 - 16
roles/openshift_serviceaccounts/meta/main.yml

@@ -1,16 +0,0 @@
----
-galaxy_info:
-  author: OpenShift Operations
-  description: OpenShift Service Accounts
-  company: Red Hat, Inc.
-  license: Apache License, Version 2.0
-  min_ansible_version: 1.9
-  platforms:
-  - name: EL
-    versions:
-    - 7
-  categories:
-  - cloud
-dependencies:
-- { role: openshift_facts }
-- { role: lib_openshift }

+ 0 - 38
roles/openshift_serviceaccounts/tasks/legacy_add_scc_to_user.yml

@@ -1,38 +0,0 @@
----
-####
-#
-# OSE 3.0.z did not have 'oadm policy add-scc-to-user'.
-#
-####
-
-- name: tmp dir for openshift
-  file:
-    path: /tmp/openshift
-    state: directory
-    owner: root
-    mode: 0700
-
-- name: Create service account configs
-  template:
-    src: serviceaccount.j2
-    dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
-  with_items: '{{ openshift_serviceaccounts_names }}'
-
-- name: Get current security context constraints
-  shell: >
-    {{ openshift.common.client_binary }} get scc privileged -o yaml
-    --output-version=v1 > /tmp/openshift/scc.yaml
-  changed_when: false
-
-- name: Add security context constraint for {{ item }}
-  lineinfile:
-    dest: /tmp/openshift/scc.yaml
-    line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}"
-    insertafter: "^users:$"
-  when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
-  with_nested:
-  - '{{ openshift_serviceaccounts_names }}'
-  - '{{ scc_test.results }}'
-
-- name: Apply new scc rules for service accounts
-  command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"

+ 0 - 28
roles/openshift_serviceaccounts/tasks/main.yml

@@ -1,28 +0,0 @@
----
-- name: create the service account
-  oc_serviceaccount:
-    name: "{{ item }}"
-    namespace: "{{ openshift_serviceaccounts_namespace }}"
-    state: present
-  with_items:
-  - "{{ openshift_serviceaccounts_names }}"
-
-- name: test if scc needs to be updated
-  command: >
-      {{ openshift.common.client_binary }} get scc {{ item }} -o yaml
-  changed_when: false
-  failed_when: false
-  register: scc_test
-  with_items: "{{ openshift_serviceaccounts_sccs }}"
-
-- name: Grant the user access to the appropriate scc
-  command: >
-      {{ openshift.common.client_binary }} adm policy add-scc-to-user
-      {{ item.1.item }} system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
-  when: "openshift.common.version_gte_3_1_or_1_1 and item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users | default([]) }}"
-  with_nested:
-  - "{{ openshift_serviceaccounts_names }}"
-  - "{{ scc_test.results }}"
-
-- include: legacy_add_scc_to_user.yml
-  when: not openshift.common.version_gte_3_1_or_1_1

+ 0 - 4
roles/openshift_serviceaccounts/templates/serviceaccount.j2

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ item.0 }}