okd/roles/ansible_service_broker/tasks/migrate.yml

---

- block:
    - name: scale down asb deploymentconfig
      oc_scale:
        name: asb
        namespace: openshift-ansible-service-broker
        kind: dc
        replicas: 0

    - name: Add required permissions to asb-auth clusterrole
      oc_clusterrole:
        state: present
        name: asb-auth
        rules:
          - apiGroups: [""]
            resources: ["namespaces"]
            verbs: ["create", "delete"]
          - apiGroups: ["authorization.openshift.io"]
            resources: ["subjectrulesreview"]
            verbs: ["create"]
          - apiGroups: ["authorization.k8s.io"]
            resources: ["subjectaccessreviews"]
            verbs: ["create"]
          - apiGroups: ["authentication.k8s.io"]
            resources: ["tokenreviews"]
            verbs: ["create"]
          - apiGroups: ["image.openshift.io", ""]
            resources: ["images"]
            verbs: ["get", "list"]
          - apiGroups: ["network.openshift.io"]
            resources: ["clusternetworks", "netnamespaces"]
            verbs: ["get"]
          - apiGroups: ["network.openshift.io"]
            resources: ["netnamespaces"]
            verbs: ["update"]
          - apiGroups: ["networking.k8s.io"]
            resources: ["networkpolicies"]
            verbs: ["create", "delete"]
          - apiGroups: ["automationbroker.io"]
            resources: ["bundles", "jobstates", "servicebindings", "serviceinstances"]
            verbs: ["*"]

    - name: Create custom resource definitions for asb
      oc_obj:
        name: '{{ crd.metadata.name }}'
        kind: CustomResourceDefinition
        state: present
        content:
          path: /tmp/{{ crd.metadata.name }}
          data: '{{ crd }}'
      vars:
        crd: "{{ lookup('file', item) | from_yaml }}"
      with_fileglob:
        - 'files/*.automationbroker.io.yaml'


    - name: Migrate from etcd to CustomResources
      oc_obj:
        force: yes
        name: asb-etcd-migration
        namespace: openshift-ansible-service-broker
        kind: Job
        state: present
        content:
          path: /tmp/asb_migrate_out
          data:
            apiVersion: batch/v1
            kind: Job
            metadata:
              name: asb-etcd-migration
            spec:
              parallelism: 1
              completions: 1
              backoffLimit: 3
              template:
                metadata:
                  name: asb-etcd-migration
                spec:
                  containers:
                    - name: asb
                      image: '{{ ansible_service_broker_image }}'
                      imagePullPolicy: IfNotPresent
                      command:
                        - '/usr/bin/migration'
                      args:
                        - '-host=asb-etcd.openshift-ansible-service-broker.svc'
                        - '-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt'
                        - '-client-cert=/var/run/asb-etcd-auth/client.crt'
                        - '-client-key=/var/run/asb-etcd-auth/client.key'
                        - '-namespace=openshift-ansible-service-broker'
                      volumeMounts:
                        - name: config-volume
                          mountPath: /etc/ansible-service-broker
                        - name: asb-tls
                          mountPath: /etc/tls/private
                        - name: asb-etcd-auth
                          mountPath: /var/run/asb-etcd-auth
                      env:
                        - name: BROKER_CONFIG
                          value: /etc/ansible-service-broker/config.yaml
                        - name: HTTP_PROXY
                          value: "{{ openshift.common.http_proxy  | default('') }}"
                        - name: HTTPS_PROXY
                          value: "{{ openshift.common.https_proxy  | default('') }}"
                        - name: NO_PROXY
                          value: "{{ ([openshift.common.no_proxy, '.default'] | join(',')) if openshift.get('common', {}).get('no_proxy') else '' }}"
                  volumes:
                    - name: config-volume
                      configMap:
                        name: broker-config
                        items:
                          - key: broker-config
                            path: config.yaml
                    - name: asb-tls
                      secret:
                        secretName: asb-tls
                    - name: asb-etcd-auth
                      secret:
                        secretName: broker-etcd-auth-secret
                  restartPolicy: Never
                  serviceAccount: asb
                  serviceAccountName: asb

    - name: wait for migration to complete
      oc_obj:
        namespace: openshift-ansible-service-broker
        kind: Job
        state: list
        name: asb-etcd-migration
      register: migration_status
      ignore_errors: true
      until:
        - "'results' in migration_status.results and migration_status.results.results | count > 0"
        # Pod's 'Complete' status must be True
        - "migration_status.results.results | lib_utils_oo_collect(attribute='status.conditions') | lib_utils_oo_collect(attribute='status', filters={'type': 'Complete'}) | map('bool') | select | list | count == 1"
      delay: 10
      retries: "{{ (asb_migration_timeout|default(600) | int / 10) | int }}"
      failed_when:
        - "'results' in migration_status.results"
        - "migration_status.results.results | count > 0"
        # Fail when pod's 'Failed' status is True
        - "migration_status.results.results | lib_utils_oo_collect(attribute='status.conditions') | lib_utils_oo_collect(attribute='status', filters={'type': 'Failed'}) | map('bool') | select | list | count == 1"

    - when: not (migration_status is failed)
      block:
        - name: Update broker configmap to use CRD backend
          oc_obj:
            name: broker-config
            namespace: openshift-ansible-service-broker
            state: present
            kind: ConfigMap
            content:
              path: /tmp/cmout
              data: "{{ lookup('template', 'configmap.yaml.j2') | from_yaml }}"
          register: updated_configmap

        - name: Update broker deploymentconfig
          oc_obj:
            force: yes
            name: asb
            namespace: openshift-ansible-service-broker
            state: present
            kind: DeploymentConfig
            content:
              path: /tmp/dcout
              data: "{{ lookup('template', 'asb_dc.yaml.j2') | from_yaml }}"

        - name: delete etcd service
          oc_service:
            name: asb-etcd
            namespace: openshift-ansible-service-broker
            state: absent

        - name: delete etcd deploymentconfig
          oc_obj:
            name: asb-etcd
            namespace: openshift-ansible-service-broker
            kind: DeploymentConfig
            state: absent

        - name: delete broker etcd secret
          oc_secret:
            name: broker-etcd-auth-secret
            namespace: openshift_ansible_service_broker
            state: absent
  always:
    - name: scale up asb deploymentconfig
      oc_scale:
        name: asb
        namespace: openshift-ansible-service-broker
        kind: dc
        replicas: 1

- name: Fail out because the ASB etcd to CRD migration was unsuccessful
  fail:
    msg: >
      The migration from etcd to CustomResourceDefinitions was not
      successful, aborting upgrade of the ansible service broker.
  when: migration_status is not defined or migration_status is failed or updated_configmap is not defined or updated_configmap is failed