shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261
							---
# do any asserts here

- name: Create temp directory for doing work in
  command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX
  register: mktemp
  changed_when: False

- name: Set default image variables based on openshift_deployment_type
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ openshift_deployment_type }}.yml"
    - "default_images.yml"

- name: Set service_catalog image facts
  set_fact:
    openshift_service_catalog_image_prefix: "{{ openshift_service_catalog_image_prefix | default(__openshift_service_catalog_image_prefix) }}"
    openshift_service_catalog_image_version: "{{ openshift_service_catalog_image_version | default(__openshift_service_catalog_image_version) }}"

- name: Set Service Catalog namespace
  oc_project:
    state: present
    name: "kube-service-catalog"
    node_selector: ""

- when: os_sdn_network_plugin_name == 'redhat/openshift-ovs-multitenant'
  block:
    - name: Waiting for netnamespace kube-service-catalog to be ready
      oc_obj:
        kind: netnamespace
        name: kube-service-catalog
        state: list
      register: get_output
      until: not get_output.results.stderr is defined
      retries: 30
      delay: 1
      changed_when: false

    - name: Make kube-service-catalog project network global
      command: >
        {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig adm pod-network make-projects-global kube-service-catalog

- include_tasks: generate_certs.yml

- copy:
    src: kubeservicecatalog_roles_bindings.yml
    dest: "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml"

- oc_obj:
    name: service-catalog-role-bindings
    kind: template
    namespace: "kube-service-catalog"
    files:
      - "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml"

- oc_process:
    create: True
    template_name: service-catalog-role-bindings
    namespace: "kube-service-catalog"

- copy:
    src: kubesystem_roles_bindings.yml
    dest: "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml"

- oc_obj:
    name: kube-system-service-catalog-role-bindings
    kind: template
    namespace: kube-system
    files:
      - "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml"

- oc_process:
    create: True
    template_name: kube-system-service-catalog-role-bindings
    namespace: kube-system

- oc_obj:
    name: edit
    kind: clusterrole
    state: list
  register: edit_yaml

# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/edit
  template:
    src: sc_admin_edit_role_patching.j2
    dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
  vars:
    original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
  when:
    - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])

# only do this if we don't already have the updated role info
- name: update edit role for service catalog and pod preset access
  command: >
    {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
  when:
    - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])

- oc_obj:
    name: admin
    kind: clusterrole
    state: list
  register: admin_yaml

# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/admin
  template:
    src: sc_admin_edit_role_patching.j2
    dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
  vars:
    original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
  when:
    - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])

# only do this if we don't already have the updated role info
- name: update admin role for service catalog and pod preset access
  command: >
    {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
  when:
    - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])

- oc_obj:
    name: view
    kind: clusterrole
    state: list
  register: view_yaml

# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/view
  template:
    src: sc_view_role_patching.j2
    dest: "{{ mktemp.stdout }}/view_sc_patch.yml"
  vars:
    original_content: "{{ view_yaml.results.results[0] | to_yaml }}"
  when:
    - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])

# only do this if we don't already have the updated role info
- name: update view role for service catalog access
  command: >
    {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/view_sc_patch.yml
  when:
    - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])

- oc_adm_policy_user:
    namespace: kube-service-catalog
    resource_kind: scc
    resource_name: hostmount-anyuid
    state: present
    user: "system:serviceaccount:kube-service-catalog:service-catalog-apiserver"

- name: Set SA cluster-role
  oc_adm_policy_user:
    state: present
    namespace: "kube-service-catalog"
    resource_kind: cluster-role
    resource_name: admin
    user: "system:serviceaccount:kube-service-catalog:default"

- name: Checking for master.etcd-ca.crt
  stat:
    path: /etc/origin/master/master.etcd-ca.crt
  register: etcd_ca_crt
  check_mode: no

## api server
- template:
    src: api_server.j2
    dest: "{{ mktemp.stdout }}/service_catalog_api_server.yml"
  vars:
    image: ""
    namespace: ""
    cpu_limit: none
    memory_limit: none
    cpu_requests: none
    memory_request: none
    cors_allowed_origin: localhost
    etcd_servers: "{{ openshift.master.etcd_urls | join(',') }}"
    etcd_cafile: "{{ '/etc/origin/master/master.etcd-ca.crt' if etcd_ca_crt.stat.exists else '/etc/origin/master/ca-bundle.crt' }}"
    node_selector: "{{ openshift_service_catalog_nodeselector | default ({'openshift-infra': 'apiserver'}) }}"

- name: Set Service Catalog API Server daemonset
  oc_obj:
    state: present
    namespace: "kube-service-catalog"
    kind: daemonset
    name: apiserver
    files:
      - "{{ mktemp.stdout }}/service_catalog_api_server.yml"
    delete_after: yes

- name: Set Service Catalog API Server service
  oc_service:
    name: apiserver
    namespace: kube-service-catalog
    state: present
    ports:
      - name: secure
        port: 443
        protocol: TCP
        targetPort: 6443
    selector:
      app: apiserver
    session_affinity: None

- template:
    src: api_server_route.j2
    dest: "{{ mktemp.stdout }}/service_catalog_api_route.yml"

- name: Set Service Catalog API Server route
  oc_obj:
    state: present
    namespace: "kube-service-catalog"
    kind: route
    name: apiserver
    files:
      - "{{ mktemp.stdout }}/service_catalog_api_route.yml"
    delete_after: yes

## controller manager
- template:
    src: controller_manager.j2
    dest: "{{ mktemp.stdout }}/controller_manager.yml"
  vars:
    image: ""
    cpu_limit: none
    memory_limit: none
    node_selector: "{{ openshift_service_catalog_nodeselector | default ({'openshift-infra': 'apiserver'}) }}"

- name: Set Controller Manager deployment
  oc_obj:
    state: present
    namespace: "kube-service-catalog"
    kind: daemonset
    name: controller-manager
    files:
      - "{{ mktemp.stdout }}/controller_manager.yml"
    delete_after: yes

- name: Set Controller Manager service
  oc_service:
    name: controller-manager
    namespace: kube-service-catalog
    state: present
    ports:
      - port: 6443
        protocol: TCP
        targetPort: 6443
    selector:
      app: controller-manager
    session_affinity: None
    service_type: ClusterIP

- include_tasks: start_api_server.yml

- name: Delete temp directory
  file:
    name: "{{ mktemp.stdout }}"
    state: absent
  changed_when: False