首頁 探索 說明
註冊 登入
shixiong
/
okd
1
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
目錄樹: 5df7087bb4
分支列表 標籤列表
okd
/
roles
/
ansible_service_broker
/
tasks
/
install.yml

install.yml 7.1 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246 
  1. ---
    2. 

  2. 

  3. - import_tasks: facts.yml
    4. 

  4. 

  5. - import_tasks: upgrade.yml
    6. 

  6.   when: openshift_upgrade_target is defined
    7. 

  7. 

  8. - include_tasks: generate_certs.yml
    9. 

  9. 

  10. # Deployment of ansible-service-broker starts here
    11. 

  11. - name: create openshift-ansible-service-broker project
    12. 

  12.   oc_project:
    13. 

  13.     name: openshift-ansible-service-broker
    14. 

  14.     state: present
    15. 

  15.     node_selector:
    16. 

  16.       - ""
    17. 

  17. 

  18. - name: create ansible-service-broker serviceaccount
    19. 

  19.   oc_serviceaccount:
    20. 

  20.     name: asb
    21. 

  21.     namespace: openshift-ansible-service-broker
    22. 

  22.     state: present
    23. 

  23. 

  24. - name: create ansible-service-broker client serviceaccount
    25. 

  25.   oc_serviceaccount:
    26. 

  26.     name: asb-client
    27. 

  27.     namespace: openshift-ansible-service-broker
    28. 

  28.     state: present
    29. 

  29. 

  30. - name: Create asb-auth cluster role
    31. 

  31.   oc_clusterrole:
    32. 

  32.     state: present
    33. 

  33.     name: asb-auth
    34. 

  34.     rules:
    35. 

  35.       - apiGroups: [""]
    36. 

  36.         resources: ["namespaces"]
    37. 

  37.         verbs: ["create", "delete"]
    38. 

  38.       - apiGroups: ["authorization.openshift.io"]
    39. 

  39.         resources: ["subjectrulesreview"]
    40. 

  40.         verbs: ["create"]
    41. 

  41.       - apiGroups: ["authorization.k8s.io"]
    42. 

  42.         resources: ["subjectaccessreviews"]
    43. 

  43.         verbs: ["create"]
    44. 

  44.       - apiGroups: ["authentication.k8s.io"]
    45. 

  45.         resources: ["tokenreviews"]
    46. 

  46.         verbs: ["create"]
    47. 

  47.       - apiGroups: ["image.openshift.io", ""]
    48. 

  48.         resources: ["images"]
    49. 

  49.         verbs: ["get", "list"]
    50. 

  50.       - apiGroups: ["network.openshift.io"]
    51. 

  51.         resources: ["clusternetworks", "netnamespaces"]
    52. 

  52.         verbs: ["get"]
    53. 

  53.       - apiGroups: ["network.openshift.io"]
    54. 

  54.         resources: ["netnamespaces"]
    55. 

  55.         verbs: ["update"]
    56. 

  56.       - apiGroups: ["networking.k8s.io"]
    57. 

  57.         resources: ["networkpolicies"]
    58. 

  58.         verbs: ["create", "delete"]
    59. 

  59.       - apiGroups: ["automationbroker.io"]
    60. 

  60.         resources: ["bundles", "bundlebindings", "bundleinstances"]
    61. 

  61.         verbs: ["*"]
    62. 

  62. 

  63. - name: Create aggregate rule for user authorization
    64. 

  64.   oc_obj:
    65. 

  65.     name: asb-user-access
    66. 

  66.     state: present
    67. 

  67.     kind: ClusterRole
    68. 

  68.     content:
    69. 

  69.       path: /tmp/useraccessout
    70. 

  70.       data: "{{ lookup('template', 'broker-user-auth.clusterrole.yaml.j2') | from_yaml }}"
    71. 

  71. 

  72. - name: Create asb-access cluster role
    73. 

  73.   oc_clusterrole:
    74. 

  74.     state: present
    75. 

  75.     name: asb-access
    76. 

  76.     rules:
    77. 

  77.       - nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"]
    78. 

  78.         verbs: ["get", "post", "put", "patch", "delete"]
    79. 

  79. 

  80. - name: Bind admin cluster-role to asb serviceaccount
    81. 

  81.   oc_adm_policy_user:
    82. 

  82.     state: present
    83. 

  83.     resource_kind: cluster-role
    84. 

  84.     resource_name: admin
    85. 

  85.     user: "system:serviceaccount:openshift-ansible-service-broker:asb"
    86. 

  86. 

  87. - name: Bind auth cluster role to asb service account
    88. 

  88.   oc_adm_policy_user:
    89. 

  89.     state: present
    90. 

  90.     resource_kind: cluster-role
    91. 

  91.     resource_name: asb-auth
    92. 

  92.     user: "system:serviceaccount:openshift-ansible-service-broker:asb"
    93. 

  93. 

  94. - name: Bind asb-access role to asb-client service account
    95. 

  95.   oc_adm_policy_user:
    96. 

  96.     state: present
    97. 

  97.     resource_kind: cluster-role
    98. 

  98.     resource_name: asb-access
    99. 

  99.     user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"
    100. 

  100. 

  101. - name: create asb-client token secret
    102. 

  102.   oc_obj:
    103. 

  103.     name: asb-client
    104. 

  104.     namespace: openshift-ansible-service-broker
    105. 

  105.     state: present
    106. 

  106.     kind: Secret
    107. 

  107.     content:
    108. 

  108.       path: /tmp/asbclientsecretout
    109. 

  109.       data:
    110. 

  110.         apiVersion: v1
    111. 

  111.         kind: Secret
    112. 

  112.         metadata:
    113. 

  113.           name: asb-client
    114. 

  114.           namespace: openshift-ansible-service-broker
    115. 

  115.           annotations:
    116. 

  116.             kubernetes.io/service-account.name: asb-client
    117. 

  117.         type: kubernetes.io/service-account-token
    118. 

  118. 

  119. - oc_secret:
    120. 

  120.     state: list
    121. 

  121.     namespace: openshift-ansible-service-broker
    122. 

  122.     name: asb-client
    123. 

  123.   register: asb_client_secret
    124. 

  124. 

  125. - set_fact:
    126. 

  126.     service_ca_crt: "{{ asb_client_secret.results.results.0.data['service-ca.crt'] }}"
    127. 

  127. 

  128. - name: Create custom resource definitions for asb
    129. 

  129.   oc_obj:
    130. 

  130.     name: '{{ asb_crd.metadata.name }}'
    131. 

  131.     kind: CustomResourceDefinition
    132. 

  132.     state: present
    133. 

  133.     content:
    134. 

  134.       path: /tmp/{{ asb_crd.metadata.name }}
    135. 

  135.       data: '{{ asb_crd }}'
    136. 

  136.   vars:
    137. 

  137.     asb_crd: "{{ lookup('file', item) | from_yaml }}"
    138. 

  138.   with_fileglob:
    139. 

  139.     - 'files/*.automationbroker.io.yaml'
    140. 

  140. 

  141. - name: create ansible-service-broker service
    142. 

  142.   oc_service:
    143. 

  143.     name: asb
    144. 

  144.     namespace: openshift-ansible-service-broker
    145. 

  145.     labels:
    146. 

  146.       app: openshift-ansible-service-broker
    147. 

  147.       service: asb
    148. 

  148.     annotations:
    149. 

  149.       service.alpha.openshift.io/serving-cert-secret-name: asb-tls
    150. 

  150.     ports:
    151. 

  151.       - name: port-1338
    152. 

  152.         port: 1338
    153. 

  153.         targetPort: 1338
    154. 

  154.         protocol: TCP
    155. 

  155.       - name: port-1337
    156. 

  156.         port: 1337
    157. 

  157.         targetPort: 1337
    158. 

  158.         protocol: TCP
    159. 

  159.     selector:
    160. 

  160.       app: openshift-ansible-service-broker
    161. 

  161.       service: asb
    162. 

  162. 

  163. - name: create route for ansible-service-broker service
    164. 

  164.   oc_route:
    165. 

  165.     name: asb-1338
    166. 

  166.     namespace: openshift-ansible-service-broker
    167. 

  167.     state: present
    168. 

  168.     labels:
    169. 

  169.       app: openshift-ansible-service-broker
    170. 

  170.       service: asb
    171. 

  171.     service_name: asb
    172. 

  172.     port: 1338
    173. 

  173.     tls_termination: Reencrypt
    174. 

  174. 

  175. - name: create route for dashboard-redirector service
    176. 

  176.   oc_route:
    177. 

  177.     name: dr-1337
    178. 

  178.     namespace: openshift-ansible-service-broker
    179. 

  179.     state: present
    180. 

  180.     labels:
    181. 

  181.       app: openshift-ansible-service-broker
    182. 

  182.       service: asb
    183. 

  183.     service_name: asb
    184. 

  184.     port: 1337
    185. 

  185.   when: ansible_service_broker_enable_dashboard_redirector
    186. 

  186. 

  187. - name: Set Ansible Service Broker deployment config
    188. 

  188.   oc_obj:
    189. 

  189.     force: yes
    190. 

  190.     name: asb
    191. 

  191.     namespace: openshift-ansible-service-broker
    192. 

  192.     state: present
    193. 

  193.     kind: DeploymentConfig
    194. 

  194.     content:
    195. 

  195.       path: /tmp/dcout
    196. 

  196.       data: "{{ lookup('template', 'asb_dc.yaml.j2') | from_yaml }}"
    197. 

  197. 

  198. - name: set auth name and type facts if needed
    199. 

  199.   set_fact:
    200. 

  200.     ansible_service_broker_registry_auth_type: "secret"
    201. 

  201.     ansible_service_broker_registry_auth_name: "asb-registry-auth"
    202. 

  202.   when: ansible_service_broker_registry_user != "" and ansible_service_broker_registry_password != ""
    203. 

  203. 

  204. # TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
    205. 

  205. - name: Create config map for ansible-service-broker
    206. 

  206.   oc_obj:
    207. 

  207.     name: broker-config
    208. 

  208.     namespace: openshift-ansible-service-broker
    209. 

  209.     state: present
    210. 

  210.     kind: ConfigMap
    211. 

  211.     content:
    212. 

  212.       path: /tmp/cmout
    213. 

  213.       data: "{{ ansible_service_broker_full_broker_config_map }}"
    214. 

  214. 

  215. - oc_secret:
    216. 

  216.     name: asb-registry-auth
    217. 

  217.     namespace: openshift-ansible-service-broker
    218. 

  218.     state: present
    219. 

  219.     contents:
    220. 

  220.       - path: username
    221. 

  221.         data: "{{ ansible_service_broker_registry_user }}"
    222. 

  222.       - path: password
    223. 

  223.         data: "{{ ansible_service_broker_registry_password }}"
    224. 

  224.   when: ansible_service_broker_registry_user != "" and ansible_service_broker_registry_password != ""
    225. 

  225. 

  226. - name: Create the Broker resource in the catalog
    227. 

  227.   oc_obj:
    228. 

  228.     name: ansible-service-broker
    229. 

  229.     state: present
    230. 

  230.     kind: ClusterServiceBroker
    231. 

  231.     content:
    232. 

  232.       path: /tmp/brokerout
    233. 

  233.       data:
    234. 

  234.         apiVersion: servicecatalog.k8s.io/v1beta1
    235. 

  235.         kind: ClusterServiceBroker
    236. 

  236.         metadata:
    237. 

  237.           name: ansible-service-broker
    238. 

  238.         spec:
    239. 

  239.           url: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
    240. 

  240.           authInfo:
    241. 

  241.             bearer:
    242. 

  242.               secretRef:
    243. 

  243.                 name: asb-client
    244. 

  244.                 namespace: openshift-ansible-service-broker
    245. 

  245.                 kind: Secret
    246. 

  246.           caBundle: "{{ service_ca_crt }}"
    247.