| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2017-09-21 20:21:52 -0700 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-09-21 20:21:52 -0700 | 
| commit | 2adb0ebeb523daa5c3b1b8fd4bf77d679c5bd5d7 (patch) | |
| tree | 7ecff9c114cbbac05ee25939a17fabe679fbf17b /files/origin-components | |
| parent | ee8252d536c4204b9e0c4a88d0899297caf39423 (diff) | |
| parent | dace5169e0b5066a027746dd6f28f0268248043f (diff) | |
Merge pull request #5226 from ewolinetz/template_service_broker
Automatic merge from submit-queue
Creating initial tsb role to consume and apply templates provided for tsb
cc: @deads2k @sdodson 
Addresses:
https://bugzilla.redhat.com/show_bug.cgi?id=1486623
https://bugzilla.redhat.com/show_bug.cgi?id=1470623
https://bugzilla.redhat.com/show_bug.cgi?id=1491626
Diffstat (limited to 'files/origin-components')
| -rw-r--r-- | files/origin-components/apiserver-config.yaml | 4 | ||||
| -rw-r--r-- | files/origin-components/apiserver-template.yaml | 122 | ||||
| -rw-r--r-- | files/origin-components/rbac-template.yaml | 92 | 
3 files changed, 218 insertions, 0 deletions
|
diff --git a/files/origin-components/apiserver-config.yaml b/files/origin-components/apiserver-config.yaml
new file mode 100644
index 000000000..e4048d1da
--- /dev/null
+++ b/files/origin-components/apiserver-config.yaml
@@ -0,0 +1,4 @@
+kind: TemplateServiceBrokerConfig
+apiVersion: config.templateservicebroker.openshift.io/v1
+templateNamespaces:
+- openshift
diff --git a/files/origin-components/apiserver-template.yaml b/files/origin-components/apiserver-template.yaml
new file mode 100644
index 000000000..1b42597af
--- /dev/null
+++ b/files/origin-components/apiserver-template.yaml
@@ -0,0 +1,122 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: template-service-broker-apiserver
+parameters:
+- name: IMAGE
+  value: openshift/origin:latest
+- name: NAMESPACE
+  value: openshift-template-service-broker
+- name: LOGLEVEL
+  value: "0"
+- name: API_SERVER_CONFIG
+  value: |
+   kind: TemplateServiceBrokerConfig
+   apiVersion: config.templateservicebroker.openshift.io/v1
+   templateNamespaces:
+   - openshift
+objects:
+
+# to create the tsb server
+- apiVersion: extensions/v1beta1
+  kind: DaemonSet
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver
+    labels:
+      apiserver: "true"
+  spec:
+    template:
+      metadata:
+        name: apiserver
+        labels:
+          apiserver: "true"
+      spec:
+        serviceAccountName: apiserver
+        containers:
+        - name: c
+          image: ${IMAGE}
+          imagePullPolicy: IfNotPresent
+          command:
+          - "/usr/bin/openshift"
+          - "start"
+          - "template-service-broker"
+          - "--secure-port=8443"
+          - "--audit-log-path=-"
+          - "--tls-cert-file=/var/serving-cert/tls.crt"
+          - "--tls-private-key-file=/var/serving-cert/tls.key"
+          - "--loglevel=${LOGLEVEL}"
+          - "--config=/var/apiserver-config/apiserver-config.yaml"
+          ports:
+          - containerPort: 8443
+          volumeMounts:
+          - mountPath: /var/serving-cert
+            name: serving-cert
+          - mountPath: /var/apiserver-config
+            name: apiserver-config
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8443
+              scheme: HTTPS
+        volumes:
+        - name: serving-cert
+          secret:
+            defaultMode: 420
+            secretName: apiserver-serving-cert
+        - name: apiserver-config
+          configMap:
+            defaultMode: 420
+            name: apiserver-config
+
+# to create the config for the TSB
+- apiVersion: v1
+  kind: ConfigMap
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver-config
+  data:
+    apiserver-config.yaml: ${API_SERVER_CONFIG}
+
+# to be able to assign powers to the process
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# to be able to expose TSB inside the cluster
+- apiVersion: v1
+  kind: Service
+  metadata:
+    namespace: ${NAMESPACE}
+    name: apiserver
+    annotations:
+      service.alpha.openshift.io/serving-cert-secret-name: apiserver-serving-cert
+  spec:
+    selector:
+      apiserver: "true"
+    ports:
+    - port: 443
+      targetPort: 8443
+
+# This service account will be granted permission to call the TSB.
+# The token for this SA will be provided to the service catalog for
+# use when calling the TSB.
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-client
+
+# This secret will be populated with a copy of the templateservicebroker-client SA's
+# auth token.  Since this secret has a static name, it can be referenced more
+# easily than the auto-generated secret for the service account.
+- apiVersion: v1
+  kind: Secret
+  metadata:
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-client
+    annotations:
+      kubernetes.io/service-account.name: templateservicebroker-client
+  type: kubernetes.io/service-account-token
diff --git a/files/origin-components/rbac-template.yaml b/files/origin-components/rbac-template.yaml
new file mode 100644
index 000000000..0937a9065
--- /dev/null
+++ b/files/origin-components/rbac-template.yaml
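Review bot: The DaemonSet's default image is the floating `openshift/origin:latest` tag paired with `imagePullPolicy: IfNotPresent`, so each node keeps running whatever build of `latest` it already has cached and a cluster can end up with different broker binaries per node; the `IMAGE` parameter default should be a release tag or, better, a digest reference such as `openshift/origin@sha256:<IMAGE_DIGEST>`, with `imagePullPolicy: Always` only if a floating tag must stay. `--audit-log-path=-` appears to send audit events to the container's stdout together with the regular `--loglevel` output, so audit retention then depends entirely on node log rotation; a comment on that line noting where the audit trail ends up would help operators. The `API_SERVER_CONFIG` default repeats `files/origin-components/apiserver-config.yaml` verbatim, so the two copies can drift; a comment on the parameter saying which copy is authoritative would avoid that.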
@@ -0,0 +1,92 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: template-service-broker-rbac
+parameters:
+- name: NAMESPACE
+  value: openshift-template-service-broker
+- name: KUBE_SYSTEM
+  value: kube-system
+objects:
+
+# Grant the service account permission to call the TSB
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: templateservicebroker-client
+  roleRef:
+    kind: ClusterRole
+    name: system:openshift:templateservicebroker-client
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-client
+
+# to delegate authentication and authorization
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: auth-delegator-${NAMESPACE}
+  roleRef:
+    kind: ClusterRole
+    name: system:auth-delegator
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# to have the template service broker powers
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: tsb-${NAMESPACE}
+  roleRef:
+    kind: ClusterRole
+    name: system:openshift:controller:template-service-broker
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# to read the config for terminating authentication
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    namespace: ${KUBE_SYSTEM}
+    name: extension-apiserver-authentication-reader-${NAMESPACE}
+  roleRef:
+    kind: Role
+    name: extension-apiserver-authentication-reader
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: apiserver
+
+# allow the kube service catalog's SA to read the static secret defined
+# above, which will contain the token for the SA that can call the TSB.
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: Role
+  metadata:
+    name: templateservicebroker-auth-reader
+    namespace: ${NAMESPACE}
+  rules:
+  - apiGroups:
+    - ""
+    resourceNames:
+    - templateservicebroker-client
+    resources:
+    - secrets
+    verbs:
+    - get
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: RoleBinding
+  metadata:
+    namespace: ${NAMESPACE}
+    name: templateservicebroker-auth-reader
+  roleRef:
+    kind: Role
+    name: templateservicebroker-auth-reader
+  subjects:
+  - kind: ServiceAccount
+    namespace: kube-service-catalog
+    name: service-catalog-controller |
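Review bot: The ClusterRoleBinding named `templateservicebroker-client` carries no `${NAMESPACE}` suffix, unlike `auth-delegator-${NAMESPACE}` and `tsb-${NAMESPACE}` in the same hunk, so processing this template a second time with a different `NAMESPACE` collides on a cluster-scoped name and whichever tool applies it will either fail or replace the first deployment's subject; `name: templateservicebroker-client-${NAMESPACE}` keeps the three bindings consistent. The final RoleBinding hard-codes `namespace: kube-service-catalog` and `name: service-catalog-controller` while every other subject is parameterized; if the catalog lives elsewhere the grant is inert until some ServiceAccount with exactly that name appears in that namespace, so these are better expressed as parameters (e.g. `SERVICE_CATALOG_NAMESPACE`, `SERVICE_CATALOG_SA`) with the current values as defaults. The `Role`'s `metadata` lists `name` before `namespace` whereas the other objects put `namespace` first; swapping the two lines keeps the file uniform.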
