okd/roles/ansible_service_broker/tasks/install.yml

---

# Fact setting and validations
- name: Set default image variables based on deployment type
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ openshift_deployment_type }}.yml"
    - "default_images.yml"

- name: set ansible_service_broker facts
  set_fact:
    ansible_service_broker_image_prefix: "{{ ansible_service_broker_image_prefix | default(__ansible_service_broker_image_prefix) }}"
    ansible_service_broker_image_tag: "{{ ansible_service_broker_image_tag | default(__ansible_service_broker_image_tag) }}"

    ansible_service_broker_etcd_image_prefix: "{{ ansible_service_broker_etcd_image_prefix | default(__ansible_service_broker_etcd_image_prefix) }}"
    ansible_service_broker_etcd_image_tag: "{{ ansible_service_broker_etcd_image_tag | default(__ansible_service_broker_etcd_image_tag) }}"
    ansible_service_broker_etcd_image_etcd_path: "{{ ansible_service_broker_etcd_image_etcd_path | default(__ansible_service_broker_etcd_image_etcd_path) }}"

    ansible_service_broker_registry_type: "{{ ansible_service_broker_registry_type | default(__ansible_service_broker_registry_type) }}"
    ansible_service_broker_registry_name: "{{ ansible_service_broker_registry_name | default(__ansible_service_broker_registry_name) }}"
    ansible_service_broker_registry_url: "{{ ansible_service_broker_registry_url | default(__ansible_service_broker_registry_url) }}"
    ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}"
    ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}"
    ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}"
    ansible_service_broker_registry_tag: "{{ ansible_service_broker_registry_tag | default(__ansible_service_broker_registry_tag) }}"
    ansible_service_broker_registry_whitelist: "{{ ansible_service_broker_registry_whitelist | default(__ansible_service_broker_registry_whitelist) }}"

- name: set ansible-service-broker image facts using set prefix and tag
  set_fact:
    ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}"
    ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}"

- include_tasks: validate_facts.yml

- include_tasks: generate_certs.yml

# Deployment of ansible-service-broker starts here
- name: create openshift-ansible-service-broker project
  oc_project:
    name: openshift-ansible-service-broker
    state: present

- name: create ansible-service-broker serviceaccount
  oc_serviceaccount:
    name: asb
    namespace: openshift-ansible-service-broker
    state: present

- name: create ansible-service-broker client serviceaccount
  oc_serviceaccount:
    name: asb-client
    namespace: openshift-ansible-service-broker
    state: present

- name: Create asb-auth cluster role
  oc_clusterrole:
    state: present
    name: asb-auth
    rules:
      - apiGroups: [""]
        resources: ["namespaces"]
        verbs: ["create", "delete"]
      - apiGroups: ["authorization.openshift.io"]
        resources: ["subjectrulesreview"]
        verbs: ["create"]
      - apiGroups: ["authorization.k8s.io"]
        resources: ["subjectaccessreviews"]
        verbs: ["create"]
      - apiGroups: ["authentication.k8s.io"]
        resources: ["tokenreviews"]
        verbs: ["create"]
      - apiGroups: ["image.openshift.io", ""]
        resources: ["images"]
        verbs: ["get", "list"]
      - apiGroups: ["network.openshift.io"]
        resources: ["clusternetworks", "netnamespaces"]
        verbs: ["get"]
      - apiGroups: ["network.openshift.io"]
        resources: ["netnamespaces"]
        verbs: ["update"]
      - apiGroups: ["networking.k8s.io"]
        resources: ["networkpolicies"]
        verbs: ["create", "delete"]

- name: Create asb-access cluster role
  oc_clusterrole:
    state: present
    name: asb-access
    rules:
      - nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"]
        verbs: ["get", "post", "put", "patch", "delete"]

- name: Bind admin cluster-role to asb serviceaccount
  oc_adm_policy_user:
    state: present
    resource_kind: cluster-role
    resource_name: admin
    user: "system:serviceaccount:openshift-ansible-service-broker:asb"

- name: Bind auth cluster role to asb service account
  oc_adm_policy_user:
    state: present
    resource_kind: cluster-role
    resource_name: asb-auth
    user: "system:serviceaccount:openshift-ansible-service-broker:asb"

- name: Bind asb-access role to asb-client service account
  oc_adm_policy_user:
    state: present
    resource_kind: cluster-role
    resource_name: asb-access
    user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"

- name: create asb-client token secret
  oc_obj:
    name: asb-client
    namespace: openshift-ansible-service-broker
    state: present
    kind: Secret
    content:
      path: /tmp/asbclientsecretout
      data:
        apiVersion: v1
        kind: Secret
        metadata:
          name: asb-client
          namespace: openshift-ansible-service-broker
          annotations:
            kubernetes.io/service-account.name: asb-client
        type: kubernetes.io/service-account-token

- name: Create etcd-auth secret
  oc_secret:
    name: etcd-auth-secret
    namespace: openshift-ansible-service-broker
    contents:
      - path: ca.crt
        data: '{{ etcd_ca_cert }}'

- name: Create broker-etcd-auth secret
  oc_secret:
    name: broker-etcd-auth-secret
    namespace: openshift-ansible-service-broker
    contents:
      - path: client.crt
        data: '{{ etcd_client_cert }}'
      - path: client.key
        data: '{{ etcd_client_key }}'

- oc_secret:
    state: list
    namespace: openshift-ansible-service-broker
    name: asb-client
  register: asb_client_secret

- set_fact:
    service_ca_crt: "{{ asb_client_secret.results.results.0.data['service-ca.crt'] }}"

- name: create ansible-service-broker service
  oc_service:
    name: asb
    namespace: openshift-ansible-service-broker
    labels:
      app: openshift-ansible-service-broker
      service: asb
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: asb-tls
    ports:
      - name: port-1338
        port: 1338
        targetPort: 1338
        protocol: TCP
    selector:
      app: openshift-ansible-service-broker
      service: asb

- name: create asb-etcd service
  oc_service:
    name: asb-etcd
    namespace: openshift-ansible-service-broker
    labels:
      app: etcd
      service: asb-etcd
    annotations:
      service.alpha.openshift.io/serving-cert-secret-name: etcd-tls
    ports:
      - name: port-2379
        port: 2379
        targetPort: 2379
        protocol: TCP
    selector:
      app: etcd
      service: asb-etcd

- name: create route for ansible-service-broker service
  oc_route:
    name: asb-1338
    namespace: openshift-ansible-service-broker
    state: present
    labels:
      app: openshift-ansible-service-broker
      service: asb
    service_name: asb
    port: 1338
    tls_termination: Reencrypt

- name: create persistent volume claim for etcd
  oc_pvc:
    name: etcd
    namespace: openshift-ansible-service-broker
    access_modes:
      - ReadWriteOnce
    volume_capacity: 1G

- name: Set Ansible Service Broker deployment config
  oc_obj:
    force: yes
    name: asb
    namespace: openshift-ansible-service-broker
    state: present
    kind: DeploymentConfig
    content:
      path: /tmp/dcout
      data:
        apiVersion: v1
        kind: DeploymentConfig
        metadata:
          name: asb
          labels:
            app: openshift-ansible-service-broker
            service: asb
        spec:
          replicas: 1
          selector:
            app: openshift-ansible-service-broker
          strategy:
            type: Rolling
          template:
            metadata:
              labels:
                app: openshift-ansible-service-broker
                service: asb
            spec:
              serviceAccount: asb
              containers:
                - image: "{{ ansible_service_broker_image }}"
                  name: asb
                  imagePullPolicy: IfNotPresent
                  volumeMounts:
                    - name: config-volume
                      mountPath: /etc/ansible-service-broker
                    - name: asb-tls
                      mountPath: /etc/tls/private
                    - name: asb-etcd-auth
                      mountPath: /var/run/asb-etcd-auth
                  ports:
                    - containerPort: 1338
                      protocol: TCP
                  env:
                    - name: BROKER_CONFIG
                      value: /etc/ansible-service-broker/config.yaml
                    - name: HTTP_PROXY
                      value: "{{ openshift.common.http_proxy  | default('') }}"
                    - name: HTTPS_PROXY
                      value: "{{ openshift.common.https_proxy  | default('') }}"
                    - name: NO_PROXY
                      value: "{{ ([openshift.common.no_proxy, '.default'] | join(',')) if openshift.get('common', {}).get('no_proxy') else '' }}"
                  resources: {}
                  terminationMessagePath: /tmp/termination-log
                  readinessProbe:
                    httpGet:
                      port: 1338
                      path: /healthz
                      scheme: HTTPS
                    initialDelaySeconds: 15
                    timeoutSeconds: 1
                  livenessProbe:
                    httpGet:
                      port: 1338
                      path: /healthz
                      scheme: HTTPS
                    initialDelaySeconds: 15
                    timeoutSeconds: 1
              volumes:
                - name: config-volume
                  configMap:
                    name: broker-config
                    items:
                      - key: broker-config
                        path: config.yaml
                - name: asb-tls
                  secret:
                    secretName: asb-tls
                - name: asb-etcd-auth
                  secret:
                    secretName: broker-etcd-auth-secret

- name: Search for existing Ansible Service Broker etcd deployment config
  oc_obj:
    name: asb-etcd
    namespace: openshift-ansible-service-broker
    kind: DeploymentConfig
    state: list
  register: asb_etcd_dc

- name: Create asb-etcd deployment config
  when: asb_etcd_dc.results.results.0 | length == 0
  oc_obj:
    name: asb-etcd
    namespace: openshift-ansible-service-broker
    state: present
    kind: DeploymentConfig
    content:
      path: /tmp/dcout
      data:
        apiVersion: v1
        kind: DeploymentConfig
        metadata:
          name: asb-etcd
          labels:
            app: etcd
            service: asb-etcd
        spec:
          replicas: 1
          selector:
            app: etcd
          strategy:
            type: Rolling
          template:
            metadata:
              labels:
                app: etcd
                service: asb-etcd
            spec:
              serviceAccount: asb
              containers:
                - image: "{{ ansible_service_broker_etcd_image }}"
                  name: etcd
                  imagePullPolicy: IfNotPresent
                  terminationMessagePath: /tmp/termination-log
                  workingDir: /etcd
                  args:
                    - "{{ ansible_service_broker_etcd_image_etcd_path }}"
                    - "--data-dir=/data"
                    - "--listen-client-urls=https://0.0.0.0:2379"
                    - "--advertise-client-urls=https://asb-etcd.openshift-ansible-service-broker.svc:2379"
                    - "--client-cert-auth"
                    - "--trusted-ca-file=/var/run/etcd-auth-secret/ca.crt"
                    - "--cert-file=/etc/tls/private/tls.crt"
                    - "--key-file=/etc/tls/private/tls.key"
                  ports:
                    - containerPort: 2379
                      protocol: TCP
                  env:
                    - name: ETCDCTL_API
                      value: "3"
                  volumeMounts:
                    - name: etcd
                      mountPath: /data
                    - name: etcd-tls
                      mountPath: /etc/tls/private
                    - name: etcd-auth
                      mountPath: /var/run/etcd-auth-secret
              volumes:
                - name: etcd
                  persistentVolumeClaim:
                    claimName: etcd
                - name: etcd-tls
                  secret:
                    secretName: etcd-tls
                - name: etcd-auth
                  secret:
                    secretName: etcd-auth-secret

- name: set auth name and type facts if needed
  set_fact:
    ansible_service_broker_registry_auth_type: "secret"
    ansible_service_broker_registry_auth_name: "asb-registry-auth"
  when: ansible_service_broker_registry_user != "" and ansible_service_broker_registry_password != ""

# TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
- name: Create config map for ansible-service-broker
  oc_obj:
    name: broker-config
    namespace: openshift-ansible-service-broker
    state: present
    kind: ConfigMap
    content:
      path: /tmp/cmout
      data:
        apiVersion: v1
        kind: ConfigMap
        metadata:
          name: broker-config
          namespace: openshift-ansible-service-broker
          labels:
            app: openshift-ansible-service-broker
        data:
          broker-config: |
            registry:
              - type: {{ ansible_service_broker_registry_type }}
                name: {{ ansible_service_broker_registry_name }}
                url:  {{ ansible_service_broker_registry_url }}
                org:  {{ ansible_service_broker_registry_organization }}
                tag:  {{ ansible_service_broker_registry_tag }}
                white_list: {{  ansible_service_broker_registry_whitelist | to_yaml }}
                auth_type: "{{ ansible_service_broker_registry_auth_type | default("") }}"
                auth_name: "{{ ansible_service_broker_registry_auth_name | default("") }}"
              - type: local_openshift
                name: localregistry
                namespaces: ['openshift']
                white_list: {{ ansible_service_broker_local_registry_whitelist | to_yaml }}
            dao:
              etcd_host: asb-etcd.openshift-ansible-service-broker.svc
              etcd_port: 2379
              etcd_ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
              etcd_client_cert: /var/run/asb-etcd-auth/client.crt
              etcd_client_key: /var/run/asb-etcd-auth/client.key
            log:
              stdout: true
              level: {{ ansible_service_broker_log_level }}
              color: true
            openshift:
              host: ""
              ca_file: ""
              bearer_token_file: ""
              sandbox_role: {{ ansible_service_broker_sandbox_role }}
              image_pull_policy: {{ ansible_service_broker_image_pull_policy }}
              keep_namespace: {{ ansible_service_broker_keep_namespace | bool | lower }}
              keep_namespace_on_error: {{ ansible_service_broker_keep_namespace_on_error | bool | lower }}
            broker:
              dev_broker: {{ ansible_service_broker_dev_broker | bool | lower }}
              bootstrap_on_startup: {{ ansible_service_broker_bootstrap_on_startup | bool | lower }}
              refresh_interval: {{ ansible_service_broker_refresh_interval }}
              launch_apb_on_bind: {{ ansible_service_broker_launch_apb_on_bind | bool | lower }}
              output_request: {{ ansible_service_broker_output_request | bool | lower }}
              recovery: {{ ansible_service_broker_recovery | bool | lower }}
              ssl_cert_key: /etc/tls/private/tls.key
              ssl_cert: /etc/tls/private/tls.crt
              auto_escalate: {{ ansible_service_broker_auto_escalate }}
              auth:
                - type: basic
                  enabled: false

- oc_secret:
    name: asb-registry-auth
    namespace: openshift-ansible-service-broker
    state: present
    contents:
      - path: username
        data: "{{ ansible_service_broker_registry_user }}"
      - path: password
        data: "{{ ansible_service_broker_registry_password }}"
  when: ansible_service_broker_registry_user != "" and ansible_service_broker_registry_password != ""

- name: Create the Broker resource in the catalog
  oc_obj:
    name: ansible-service-broker
    state: present
    kind: ClusterServiceBroker
    content:
      path: /tmp/brokerout
      data:
        apiVersion: servicecatalog.k8s.io/v1beta1
        kind: ClusterServiceBroker
        metadata:
          name: ansible-service-broker
        spec:
          url: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
          authInfo:
            bearer:
              secretRef:
                name: asb-client
                namespace: openshift-ansible-service-broker
                kind: Secret
          caBundle: "{{ service_ca_crt }}"