Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 42d330a1cf
Branches Tags
okd
/
roles
/
openshift_cfme
/
tasks
/
accounts.yml

accounts.yml 2.1 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. ---
    2. 

  2. # This role task file is responsible for user/system account creation,
    3. 

  3. # and ensuring correct access is provided as required.
    4. 

  4. 

  5. # TODO: This is currently not idempotent, bug report will be filed
    6. 

  6. # after this. Currently this task will return 'changed' if it just
    7. 

  7. # created a user, updated a user, or doesn't modify a user at
    8. 

  8. # all. Seems to be failing some kind of 'does it need updating' test
    9. 

  9. # condition and running the replace command regardless.
    10. 

  10. - name: Check if the miq-httpd scc exists
    11. 

  11.   oc_obj:
    12. 

  12.     namespace: "{{ openshift_cfme_project }}"
    13. 

  13.     state: list
    14. 

  14.     kind: scc
    15. 

  15.     name: miq-httpd
    16. 

  16.   register: miq_httpd_scc_exists
    17. 

  17. 

  18. # TODO: Cleanup when conditions
    19. 

  19. - name: Copy the miq-httpd SCC to the cluster
    20. 

  20.   copy:
    21. 

  21.     src: miq-scc-httpd.yaml
    22. 

  22.     dest: "{{ template_dir }}"
    23. 

  23.   when:
    24. 

  24.     - miq_httpd_scc_exists.results.results | length == 1
    25. 

  25.     - miq_httpd_scc_exists.results.results[0] == {}
    26. 

  26. 

  27. - name: Ensure the CFME miq-httpd SCC exists
    28. 

  28.   oc_obj:
    29. 

  29.     state: present
    30. 

  30.     name: miq-httpd
    31. 

  31.     namespace: "{{ openshift_cfme_project }}"
    32. 

  32.     kind: scc
    33. 

  33.     files:
    34. 

  34.       - "{{ template_dir }}/miq-scc-httpd.yaml"
    35. 

  35.     delete_after: True
    36. 

  36.   run_once: True
    37. 

  37.   when:
    38. 

  38.     - miq_httpd_scc_exists.results.results | length == 1
    39. 

  39.     - miq_httpd_scc_exists.results.results[0] == {}
    40. 

  40. 

  41. - name: Ensure the CFME system users exist
    42. 

  42.   oc_serviceaccount:
    43. 

  43.     namespace: "{{ openshift_cfme_project }}"
    44. 

  44.     state: present
    45. 

  45.     name: "{{ item.name }}"
    46. 

  46.   with_items:
    47. 

  47.     - "{{ openshift_system_account_sccs }}"
    48. 

  48. 

  49. - name: Ensure the CFME system accounts have all the required SCCs
    50. 

  50.   oc_adm_policy_user:
    51. 

  51.     namespace: "{{ openshift_cfme_project }}"
    52. 

  52.     user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ item.name }}"
    53. 

  53.     resource_kind: scc
    54. 

  54.     resource_name: "{{ item.resource_name }}"
    55. 

  55.   with_items:
    56. 

  56.     - "{{ openshift_system_account_sccs }}"
    57. 

  57. 

  58. - name: Ensure the CFME system accounts have the required roles
    59. 

  59.   oc_adm_policy_user:
    60. 

  60.     namespace: "{{ openshift_cfme_project }}"
    61. 

  61.     user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ item.name }}"
    62. 

  62.     resource_kind: role
    63. 

  63.     resource_name: "{{ item.resource_name }}"
    64. 

  64.   with_items:
    65. 

  65.     - "{{ openshift_cfme_system_account_roles }}"
    66.