summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSamuel Padgett <spadgett@redhat.com>2018-01-11 15:24:37 -0500
committerSamuel Padgett <spadgett@redhat.com>2018-01-11 15:24:37 -0500
commit486b746324171edd691fd1682ef1221825157e62 (patch)
tree5f7ac31e5f14e0b6de9914320a3000efea8122d5
parentfdc5829d6ca252e1574278cd1dc50e932378d98d (diff)
downloadopenshift-486b746324171edd691fd1682ef1221825157e62.tar.gz
openshift-486b746324171edd691fd1682ef1221825157e62.tar.bz2
openshift-486b746324171edd691fd1682ef1221825157e62.tar.xz
openshift-486b746324171edd691fd1682ef1221825157e62.zip
Add console RBAC template
-rw-r--r--files/origin-components/console-rbac-template.yaml38
-rw-r--r--roles/openshift_web_console/tasks/install.yml13
-rw-r--r--roles/openshift_web_console/vars/main.yml1
3 files changed, 48 insertions, 4 deletions
diff --git a/files/origin-components/console-rbac-template.yaml b/files/origin-components/console-rbac-template.yaml
new file mode 100644
index 000000000..9ee117199
--- /dev/null
+++ b/files/origin-components/console-rbac-template.yaml
@@ -0,0 +1,38 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+ name: web-console-server-rbac
+parameters:
+- name: NAMESPACE
+ # This namespace cannot be changed. Only `openshift-web-console` is supported.
+ value: openshift-web-console
+objects:
+
+
+# allow grant powers to the webconsole server for cluster inspection
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRole
+ metadata:
+ name: system:openshift:web-console-server
+ rules:
+ - apiGroups:
+ - "servicecatalog.k8s.io"
+ resources:
+ - clusterservicebrokers
+ verbs:
+ - get
+ - list
+ - watch
+
+# Grant the service account for the web console
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+ kind: ClusterRoleBinding
+ metadata:
+ name: system:openshift:web-console-server
+ roleRef:
+ kind: ClusterRole
+ name: system:openshift:web-console-server
+ subjects:
+ - kind: ServiceAccount
+ namespace: ${NAMESPACE}
+ name: webconsole
diff --git a/roles/openshift_web_console/tasks/install.yml b/roles/openshift_web_console/tasks/install.yml
index 12916961b..287d8973d 100644
--- a/roles/openshift_web_console/tasks/install.yml
+++ b/roles/openshift_web_console/tasks/install.yml
@@ -21,20 +21,21 @@
node_selector:
- ""
-- name: Make temp directory for asset config files
+- name: Make temp directory for the web console config files
command: mktemp -d /tmp/console-ansible-XXXXXX
register: mktemp
changed_when: False
-- name: Copy asset config template to temp directory
+- name: Copy the web console config template to temp directory
copy:
src: "{{ __console_files_location }}/{{ item }}"
dest: "{{ mktemp.stdout }}/{{ item }}"
with_items:
- "{{ __console_template_file }}"
+ - "{{ __console_rbac_file }}"
- "{{ __console_config_file }}"
-- name: Update asset config properties
+- name: Update the web console config properties
yedit:
src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
edits:
@@ -50,7 +51,11 @@
src: "{{ mktemp.stdout }}/{{ __console_config_file }}"
register: config
-- name: Apply template file
+- name: Reconcile with the web console RBAC file
+ shell: >
+ {{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_rbac_file }}" | {{ openshift_client_binary }} auth reconcile -f -
+
+- name: Apply the web console template file
shell: >
{{ openshift_client_binary }} process -f "{{ mktemp.stdout }}/{{ __console_template_file }}"
--param API_SERVER_CONFIG="{{ config['content'] | b64decode }}"
diff --git a/roles/openshift_web_console/vars/main.yml b/roles/openshift_web_console/vars/main.yml
index 80bc56a17..e91048e38 100644
--- a/roles/openshift_web_console/vars/main.yml
+++ b/roles/openshift_web_console/vars/main.yml
@@ -2,4 +2,5 @@
__console_files_location: "../../../files/origin-components/"
__console_template_file: "console-template.yaml"
+__console_rbac_file: "console-rbac-template.yaml"
__console_config_file: "console-config.yaml"