shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235
							---

- import_tasks: facts.yml

- import_tasks: upgrade.yml
  when: openshift_upgrade_target is defined

- include_tasks: generate_certs.yml

# Deployment of ansible-service-broker starts here
- name: create openshift-ansible-service-broker project
  oc_project:
    name: openshift-ansible-service-broker
    state: present

- name: create ansible-service-broker serviceaccount
  oc_serviceaccount:
    name: asb
    namespace: openshift-ansible-service-broker
    state: present

- name: create ansible-service-broker client serviceaccount
  oc_serviceaccount:
    name: asb-client
    namespace: openshift-ansible-service-broker
    state: present

- name: Create asb-auth cluster role
  oc_clusterrole:
    state: present
    name: asb-auth
    rules:
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["create", "delete"]
      - apiGroups: ["authorization.openshift.io"]
        resources: ["subjectrulesreview"]
        verbs: ["create"]
      - apiGroups: ["authorization.k8s.io"]
        resources: ["subjectaccessreviews"]
        verbs: ["create"]
      - apiGroups: ["authentication.k8s.io"]
        resources: ["tokenreviews"]
        verbs: ["create"]
      - apiGroups: ["image.openshift.io", ""]
        resources: ["images"]
        verbs: ["get", "list"]
      - apiGroups: ["network.openshift.io"]
        resources: ["clusternetworks", "netnamespaces"]
        verbs: ["get"]
      - apiGroups: ["network.openshift.io"]
        resources: ["netnamespaces"]
        verbs: ["update"]
      - apiGroups: ["networking.k8s.io"]
        resources: ["networkpolicies"]
        verbs: ["create", "delete"]
      - apiGroups: ["automationbroker.io"]
        resources: ["bundles", "bundlebindings", "bundleinstances"]
        verbs: ["*"]

- name: Create asb-access cluster role
  oc_clusterrole:
    state: present
    name: asb-access
    rules:
      - nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"]
        verbs: ["get", "post", "put", "patch", "delete"]

- name: Bind admin cluster-role to asb serviceaccount
  oc_adm_policy_user:
    state: present
    resource_kind: cluster-role
    resource_name: admin
    user: "system:serviceaccount:openshift-ansible-service-broker:asb"

- name: Bind auth cluster role to asb service account
  oc_adm_policy_user:
    state: present
    resource_kind: cluster-role
    resource_name: asb-auth
    user: "system:serviceaccount:openshift-ansible-service-broker:asb"

- name: Bind asb-access role to asb-client service account
  oc_adm_policy_user:
    state: present
    resource_kind: cluster-role
    resource_name: asb-access
    user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"

- name: create asb-client token secret
  oc_obj:
    name: asb-client
    namespace: openshift-ansible-service-broker
    state: present
    kind: Secret
    content:
      path: /tmp/asbclientsecretout
      data:
        apiVersion: v1
        kind: Secret
        metadata:
          name: asb-client
          namespace: openshift-ansible-service-broker
          annotations:
            kubernetes.io/service-account.name: asb-client
        type: kubernetes.io/service-account-token

- oc_secret:
    state: list
    namespace: openshift-ansible-service-broker
    name: asb-client
  register: asb_client_secret

- set_fact:
    service_ca_crt: "{{ asb_client_secret.results.results.0.data['service-ca.crt'] }}"

- name: Create custom resource definitions for asb
  oc_obj:
    name: '{{ crd.metadata.name }}'
    kind: CustomResourceDefinition
    state: present
    content:
      path: /tmp/{{ crd.metadata.name }}
      data: '{{ crd }}'
  vars:
    crd: "{{ lookup('file', item) | from_yaml }}"
  with_fileglob:
    - 'files/*.automationbroker.io.yaml'

- name: create ansible-service-broker service
  oc_service:
    name: asb
    namespace: openshift-ansible-service-broker
    labels:
      app: openshift-ansible-service-broker
      service: asb
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: asb-tls
    ports:
      - name: port-1338
        port: 1338
        targetPort: 1338
        protocol: TCP
      - name: port-1337
        port: 1337
        targetPort: 1337
        protocol: TCP
    selector:
      app: openshift-ansible-service-broker
      service: asb

- name: create route for ansible-service-broker service
  oc_route:
    name: asb-1338
    namespace: openshift-ansible-service-broker
    state: present
    labels:
      app: openshift-ansible-service-broker
      service: asb
    service_name: asb
    port: 1338
    tls_termination: Reencrypt

- name: create route for dashboard-redirector service
  oc_route:
    name: dr-1337
    namespace: openshift-ansible-service-broker
    state: present
    labels:
      app: openshift-ansible-service-broker
      service: asb
    service_name: asb
    port: 1337
  when: ansible_service_broker_enable_dashboard_redirector

- name: Set Ansible Service Broker deployment config
  oc_obj:
    force: yes
    name: asb
    namespace: openshift-ansible-service-broker
    state: present
    kind: DeploymentConfig
    content:
      path: /tmp/dcout
      data: "{{ lookup('template', 'asb_dc.yaml.j2') | from_yaml }}"

- name: set auth name and type facts if needed
  set_fact:
    ansible_service_broker_registry_auth_type: "secret"
    ansible_service_broker_registry_auth_name: "asb-registry-auth"
  when: ansible_service_broker_registry_user != "" and ansible_service_broker_registry_password != ""

# TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
- name: Create config map for ansible-service-broker
  oc_obj:
    name: broker-config
    namespace: openshift-ansible-service-broker
    state: present
    kind: ConfigMap
    content:
      path: /tmp/cmout
      data: "{{ lookup('template', 'configmap.yaml.j2') | from_yaml }}"

- oc_secret:
    name: asb-registry-auth
    namespace: openshift-ansible-service-broker
    state: present
    contents:
      - path: username
        data: "{{ ansible_service_broker_registry_user }}"
      - path: password
        data: "{{ ansible_service_broker_registry_password }}"
  when: ansible_service_broker_registry_user != "" and ansible_service_broker_registry_password != ""

- name: Create the Broker resource in the catalog
  oc_obj:
    name: ansible-service-broker
    state: present
    kind: ClusterServiceBroker
    content:
      path: /tmp/brokerout
      data:
        apiVersion: servicecatalog.k8s.io/v1beta1
        kind: ClusterServiceBroker
        metadata:
          name: ansible-service-broker
        spec:
          url: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
          authInfo:
            bearer:
              secretRef:
                name: asb-client
                namespace: openshift-ansible-service-broker
                kind: Secret
          caBundle: "{{ service_ca_crt }}"