| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485 |
- ---
- # Fact setting and validations
- - name: Set default image variables based on deployment type
- include_vars: "{{ item }}"
- with_first_found:
- - "{{ openshift_deployment_type }}.yml"
- - "default_images.yml"
- - name: set ansible_service_broker facts
- set_fact:
- ansible_service_broker_image_prefix: "{{ ansible_service_broker_image_prefix | default(__ansible_service_broker_image_prefix) }}"
- ansible_service_broker_image_tag: "{{ ansible_service_broker_image_tag | default(__ansible_service_broker_image_tag) }}"
- ansible_service_broker_etcd_image_prefix: "{{ ansible_service_broker_etcd_image_prefix | default(__ansible_service_broker_etcd_image_prefix) }}"
- ansible_service_broker_etcd_image_tag: "{{ ansible_service_broker_etcd_image_tag | default(__ansible_service_broker_etcd_image_tag) }}"
- ansible_service_broker_etcd_image_etcd_path: "{{ ansible_service_broker_etcd_image_etcd_path | default(__ansible_service_broker_etcd_image_etcd_path) }}"
- ansible_service_broker_registry_type: "{{ ansible_service_broker_registry_type | default(__ansible_service_broker_registry_type) }}"
- ansible_service_broker_registry_name: "{{ ansible_service_broker_registry_name | default(__ansible_service_broker_registry_name) }}"
- ansible_service_broker_registry_url: "{{ ansible_service_broker_registry_url | default(__ansible_service_broker_registry_url) }}"
- ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}"
- ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}"
- ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}"
- ansible_service_broker_registry_tag: "{{ ansible_service_broker_registry_tag | default(__ansible_service_broker_registry_tag) }}"
- ansible_service_broker_registry_whitelist: "{{ ansible_service_broker_registry_whitelist | default(__ansible_service_broker_registry_whitelist) }}"
- - name: set ansible-service-broker image facts using set prefix and tag
- set_fact:
- ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}"
- ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}"
- - include_tasks: validate_facts.yml
- - include_tasks: generate_certs.yml
- # Deployment of ansible-service-broker starts here
- - name: create openshift-ansible-service-broker project
- oc_project:
- name: openshift-ansible-service-broker
- state: present
- - name: create ansible-service-broker serviceaccount
- oc_serviceaccount:
- name: asb
- namespace: openshift-ansible-service-broker
- state: present
- - name: create ansible-service-broker client serviceaccount
- oc_serviceaccount:
- name: asb-client
- namespace: openshift-ansible-service-broker
- state: present
- - name: Create asb-auth cluster role
- oc_clusterrole:
- state: present
- name: asb-auth
- rules:
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["create", "delete"]
- - apiGroups: ["authorization.openshift.io"]
- resources: ["subjectrulesreview"]
- verbs: ["create"]
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
- - apiGroups: ["image.openshift.io", ""]
- resources: ["images"]
- verbs: ["get", "list"]
- - apiGroups: ["network.openshift.io"]
- resources: ["clusternetworks", "netnamespaces"]
- verbs: ["get"]
- - apiGroups: ["network.openshift.io"]
- resources: ["netnamespaces"]
- verbs: ["update"]
- - apiGroups: ["networking.k8s.io"]
- resources: ["networkpolicies"]
- verbs: ["create", "delete"]
- - name: Create asb-access cluster role
- oc_clusterrole:
- state: present
- name: asb-access
- rules:
- - nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"]
- verbs: ["get", "post", "put", "patch", "delete"]
- - name: Bind admin cluster-role to asb serviceaccount
- oc_adm_policy_user:
- state: present
- resource_kind: cluster-role
- resource_name: admin
- user: "system:serviceaccount:openshift-ansible-service-broker:asb"
- - name: Bind auth cluster role to asb service account
- oc_adm_policy_user:
- state: present
- resource_kind: cluster-role
- resource_name: asb-auth
- user: "system:serviceaccount:openshift-ansible-service-broker:asb"
- - name: Bind asb-access role to asb-client service account
- oc_adm_policy_user:
- state: present
- resource_kind: cluster-role
- resource_name: asb-access
- user: "system:serviceaccount:openshift-ansible-service-broker:asb-client"
- - name: create asb-client token secret
- oc_obj:
- name: asb-client
- namespace: openshift-ansible-service-broker
- state: present
- kind: Secret
- content:
- path: /tmp/asbclientsecretout
- data:
- apiVersion: v1
- kind: Secret
- metadata:
- name: asb-client
- namespace: openshift-ansible-service-broker
- annotations:
- kubernetes.io/service-account.name: asb-client
- type: kubernetes.io/service-account-token
- - name: Create etcd-auth secret
- oc_secret:
- name: etcd-auth-secret
- namespace: openshift-ansible-service-broker
- contents:
- - path: ca.crt
- data: '{{ etcd_ca_cert }}'
- - name: Create broker-etcd-auth secret
- oc_secret:
- name: broker-etcd-auth-secret
- namespace: openshift-ansible-service-broker
- contents:
- - path: client.crt
- data: '{{ etcd_client_cert }}'
- - path: client.key
- data: '{{ etcd_client_key }}'
- - oc_secret:
- state: list
- namespace: openshift-ansible-service-broker
- name: asb-client
- register: asb_client_secret
- - set_fact:
- service_ca_crt: "{{ asb_client_secret.results.results.0.data['service-ca.crt'] }}"
- - name: create ansible-service-broker service
- oc_service:
- name: asb
- namespace: openshift-ansible-service-broker
- labels:
- app: openshift-ansible-service-broker
- service: asb
- annotations:
- service.alpha.openshift.io/serving-cert-secret-name: asb-tls
- ports:
- - name: port-1338
- port: 1338
- targetPort: 1338
- protocol: TCP
- selector:
- app: openshift-ansible-service-broker
- service: asb
- - name: create asb-etcd service
- oc_service:
- name: asb-etcd
- namespace: openshift-ansible-service-broker
- labels:
- app: etcd
- service: asb-etcd
- annotations:
- service.alpha.openshift.io/serving-cert-secret-name: etcd-tls
- ports:
- - name: port-2379
- port: 2379
- targetPort: 2379
- protocol: TCP
- selector:
- app: etcd
- service: asb-etcd
- - name: create route for ansible-service-broker service
- oc_route:
- name: asb-1338
- namespace: openshift-ansible-service-broker
- state: present
- labels:
- app: openshift-ansible-service-broker
- service: asb
- service_name: asb
- port: 1338
- tls_termination: Reencrypt
- - name: create persistent volume claim for etcd
- oc_pvc:
- name: etcd
- namespace: openshift-ansible-service-broker
- access_modes:
- - ReadWriteOnce
- volume_capacity: 1G
- - name: Search for existing Ansible Service Broker deployment config
- oc_obj:
- name: asb
- namespace: openshift-ansible-service-broker
- kind: DeploymentConfig
- state: list
- register: asb_dc
- - name: Create Ansible Service Broker deployment config
- when: asb_dc.results.results.0 | length == 0
- oc_obj:
- force: yes
- name: asb
- namespace: openshift-ansible-service-broker
- state: present
- kind: DeploymentConfig
- content:
- path: /tmp/dcout
- data:
- apiVersion: v1
- kind: DeploymentConfig
- metadata:
- name: asb
- labels:
- app: openshift-ansible-service-broker
- service: asb
- spec:
- replicas: 1
- selector:
- app: openshift-ansible-service-broker
- strategy:
- type: Rolling
- template:
- metadata:
- labels:
- app: openshift-ansible-service-broker
- service: asb
- spec:
- serviceAccount: asb
- containers:
- - image: "{{ ansible_service_broker_image }}"
- name: asb
- imagePullPolicy: IfNotPresent
- volumeMounts:
- - name: config-volume
- mountPath: /etc/ansible-service-broker
- - name: asb-tls
- mountPath: /etc/tls/private
- - name: asb-etcd-auth
- mountPath: /var/run/asb-etcd-auth
- ports:
- - containerPort: 1338
- protocol: TCP
- env:
- - name: BROKER_CONFIG
- value: /etc/ansible-service-broker/config.yaml
- - name: HTTP_PROXY
- value: "{{ openshift.common.http_proxy | default('') }}"
- - name: HTTPS_PROXY
- value: "{{ openshift.common.https_proxy | default('') }}"
- - name: NO_PROXY
- value: "{{ openshift.common.no_proxy | default('') }}"
- resources: {}
- terminationMessagePath: /tmp/termination-log
- readinessProbe:
- httpGet:
- port: 1338
- path: /healthz
- scheme: HTTPS
- initialDelaySeconds: 15
- timeoutSeconds: 1
- livenessProbe:
- httpGet:
- port: 1338
- path: /healthz
- scheme: HTTPS
- initialDelaySeconds: 15
- timeoutSeconds: 1
- volumes:
- - name: config-volume
- configMap:
- name: broker-config
- items:
- - key: broker-config
- path: config.yaml
- - name: asb-tls
- secret:
- secretName: asb-tls
- - name: asb-etcd-auth
- secret:
- secretName: broker-etcd-auth-secret
- - name: Search for existing Ansible Service Broker etcd deployment config
- oc_obj:
- name: asb-etcd
- namespace: openshift-ansible-service-broker
- kind: DeploymentConfig
- state: list
- register: asb_etcd_dc
- - name: Create asb-etcd deployment config
- when: asb_etcd_dc.results.results.0 | length == 0
- oc_obj:
- name: asb-etcd
- namespace: openshift-ansible-service-broker
- state: present
- kind: DeploymentConfig
- content:
- path: /tmp/dcout
- data:
- apiVersion: v1
- kind: DeploymentConfig
- metadata:
- name: asb-etcd
- labels:
- app: etcd
- service: asb-etcd
- spec:
- replicas: 1
- selector:
- app: etcd
- strategy:
- type: Rolling
- template:
- metadata:
- labels:
- app: etcd
- service: asb-etcd
- spec:
- serviceAccount: asb
- containers:
- - image: "{{ ansible_service_broker_etcd_image }}"
- name: etcd
- imagePullPolicy: IfNotPresent
- terminationMessagePath: /tmp/termination-log
- workingDir: /etcd
- args:
- - "{{ ansible_service_broker_etcd_image_etcd_path }}"
- - "--data-dir=/data"
- - "--listen-client-urls=https://0.0.0.0:2379"
- - "--advertise-client-urls=https://asb-etcd.openshift-ansible-service-broker.svc:2379"
- - "--client-cert-auth"
- - "--trusted-ca-file=/var/run/etcd-auth-secret/ca.crt"
- - "--cert-file=/etc/tls/private/tls.crt"
- - "--key-file=/etc/tls/private/tls.key"
- ports:
- - containerPort: 2379
- protocol: TCP
- env:
- - name: ETCDCTL_API
- value: "3"
- volumeMounts:
- - name: etcd
- mountPath: /data
- - name: etcd-tls
- mountPath: /etc/tls/private
- - name: etcd-auth
- mountPath: /var/run/etcd-auth-secret
- volumes:
- - name: etcd
- persistentVolumeClaim:
- claimName: etcd
- - name: etcd-tls
- secret:
- secretName: etcd-tls
- - name: etcd-auth
- secret:
- secretName: etcd-auth-secret
- - name: set auth name and type facts if needed
- set_fact:
- ansible_service_broker_registry_auth_type: "secret"
- ansible_service_broker_registry_auth_name: "asb-registry-auth"
- when: ansible_service_broker_registry_user != "" and ansible_service_broker_registry_password != ""
- # TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following:
- - name: Create config map for ansible-service-broker
- oc_obj:
- name: broker-config
- namespace: openshift-ansible-service-broker
- state: present
- kind: ConfigMap
- content:
- path: /tmp/cmout
- data:
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: broker-config
- namespace: openshift-ansible-service-broker
- labels:
- app: openshift-ansible-service-broker
- data:
- broker-config: |
- registry:
- - type: {{ ansible_service_broker_registry_type }}
- name: {{ ansible_service_broker_registry_name }}
- url: {{ ansible_service_broker_registry_url }}
- org: {{ ansible_service_broker_registry_organization }}
- tag: {{ ansible_service_broker_registry_tag }}
- white_list: {{ ansible_service_broker_registry_whitelist | to_yaml }}
- auth_type: "{{ ansible_service_broker_registry_auth_type | default("") }}"
- auth_name: "{{ ansible_service_broker_registry_auth_name | default("") }}"
- - type: local_openshift
- name: localregistry
- namespaces: ['openshift']
- white_list: {{ ansible_service_broker_local_registry_whitelist | to_yaml }}
- dao:
- etcd_host: asb-etcd.openshift-ansible-service-broker.svc
- etcd_port: 2379
- etcd_ca_file: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
- etcd_client_cert: /var/run/asb-etcd-auth/client.crt
- etcd_client_key: /var/run/asb-etcd-auth/client.key
- log:
- stdout: true
- level: {{ ansible_service_broker_log_level }}
- color: true
- openshift:
- host: ""
- ca_file: ""
- bearer_token_file: ""
- sandbox_role: {{ ansible_service_broker_sandbox_role }}
- image_pull_policy: {{ ansible_service_broker_image_pull_policy }}
- keep_namespace: {{ ansible_service_broker_keep_namespace | bool | lower }}
- keep_namespace_on_error: {{ ansible_service_broker_keep_namespace_on_error | bool | lower }}
- broker:
- dev_broker: {{ ansible_service_broker_dev_broker | bool | lower }}
- bootstrap_on_startup: {{ ansible_service_broker_bootstrap_on_startup | bool | lower }}
- refresh_interval: {{ ansible_service_broker_refresh_interval }}
- launch_apb_on_bind: {{ ansible_service_broker_launch_apb_on_bind | bool | lower }}
- output_request: {{ ansible_service_broker_output_request | bool | lower }}
- recovery: {{ ansible_service_broker_recovery | bool | lower }}
- ssl_cert_key: /etc/tls/private/tls.key
- ssl_cert: /etc/tls/private/tls.crt
- auto_escalate: {{ ansible_service_broker_auto_escalate }}
- auth:
- - type: basic
- enabled: false
- - oc_secret:
- name: asb-registry-auth
- namespace: openshift-ansible-service-broker
- state: present
- contents:
- - path: username
- data: "{{ ansible_service_broker_registry_user }}"
- - path: password
- data: "{{ ansible_service_broker_registry_password }}"
- when: ansible_service_broker_registry_user != "" and ansible_service_broker_registry_password != ""
- - name: Create the Broker resource in the catalog
- oc_obj:
- name: ansible-service-broker
- state: present
- kind: ClusterServiceBroker
- content:
- path: /tmp/brokerout
- data:
- apiVersion: servicecatalog.k8s.io/v1beta1
- kind: ClusterServiceBroker
- metadata:
- name: ansible-service-broker
- spec:
- url: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
- authInfo:
- bearer:
- secretRef:
- name: asb-client
- namespace: openshift-ansible-service-broker
- kind: Secret
- caBundle: "{{ service_ca_crt }}"
|
