| author | Scott Dodson <sdodson@redhat.com> | 2018-01-29 15:22:29 -0500 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-01-29 15:22:29 -0500 | 
| commit | 629e4d771badb6aaa5fcfe303d8d330acb68305a (patch) | |
| tree | f87ec3383ef6813f34128c467474b5c0fbf6fbc2 /roles | |
| parent | 2e1f7e52c6847d51200e273c57b667d4b69a54fc (diff) | |
| parent | 9779f4c74d2847130af9265cccdeaab98351e5dd (diff) | |
Merge pull request #6860 from jpeeler/aggregate-name-change
Update catalog role patching to use new names
Diffstat (limited to 'roles')
4 files changed, 97 insertions, 106 deletions
diff --git a/roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml b/roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml
new file mode 100644
index 000000000..28abcbcfc
--- /dev/null
+++ b/roles/openshift_service_catalog/files/openshift_catalog_clusterroles.yml
@@ -0,0 +1,86 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+  name: system:service-catalog:aggregate-to-admin
+rules:
+- apiGroups:
+  - "servicecatalog.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - serviceinstances
+  - servicebindings
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - "settings.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - podpresets
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: system:service-catalog:aggregate-to-edit
+rules:
+- apiGroups:
+  - "servicecatalog.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - serviceinstances
+  - servicebindings
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - "settings.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - podpresets
+  verbs:
+  - create
+  - update
+  - delete
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: system:service-catalog:aggregate-to-view
+rules:
+- apiGroups:
+  - "servicecatalog.k8s.io"
+  attributeRestrictions: null
+  resources:
+  - serviceinstances
+  - servicebindings
+  verbs:
+  - get
+  - list
+  - watch
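Review bot: `attributeRestrictions: null` on every rule in this file is, as far as I know, a field of OpenShift's own `authorization.openshift.io` role types rather than of `rbac.authorization.k8s.io/v1beta1`; it is carried over from the deleted patching templates and is harmless only while the API server drops unknown fields, so it should be dropped from the new file. The file also relies on the `rbac.authorization.k8s.io/aggregate-to-*` labels being honoured, i.e. on the cluster's bootstrap `admin`/`edit`/`view` roles carrying aggregation rules; the removed tasks patched those roles directly and so did not depend on that, and the minimum platform version this role now assumes should be stated somewhere. A short header comment would help readers who find these roles in a cluster, e.g. `# ClusterRoles aggregated into the bootstrap admin/edit/view roles via the aggregate-to-* labels; applied with 'oc auth reconcile' from tasks/install.yml.`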
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 9b38a85c4..4d06c1872 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -74,74 +74,17 @@
     template_name: kube-system-service-catalog-role-bindings
     namespace: kube-system
 
-- oc_obj:
-    name: edit
-    kind: clusterrole
-    state: list
-  register: edit_yaml
-
-# only do this if we don't already have the updated role info
-- name: Generate apply template for clusterrole/edit
-  template:
-    src: sc_admin_edit_role_patching.j2
-    dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
-  vars:
-    original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
-  when:
-    - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-# only do this if we don't already have the updated role info
-- name: update edit role for service catalog and pod preset access
-  command: >
-    {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
-  when:
-    - not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-- oc_obj:
-    name: admin
-    kind: clusterrole
-    state: list
-  register: admin_yaml
-
-# only do this if we don't already have the updated role info
-- name: Generate apply template for clusterrole/admin
-  template:
-    src: sc_admin_edit_role_patching.j2
-    dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
-  vars:
-    original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
-  when:
-    - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-# only do this if we don't already have the updated role info
-- name: update admin role for service catalog and pod preset access
-  command: >
-    {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
-  when:
-    - not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | lib_utils_oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
-
-- oc_obj:
-    name: view
-    kind: clusterrole
-    state: list
-  register: view_yaml
-
-# only do this if we don't already have the updated role info
-- name: Generate apply template for clusterrole/view
-  template:
-    src: sc_view_role_patching.j2
-    dest: "{{ mktemp.stdout }}/view_sc_patch.yml"
-  vars:
-    original_content: "{{ view_yaml.results.results[0] | to_yaml }}"
-  when:
-    - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
-
-# only do this if we don't already have the updated role info
-- name: update view role for service catalog access
-  command: >
-    {{ openshift_client_binary }} --config=/etc/origin/master/admin.kubeconfig replace -f {{ mktemp.stdout }}/view_sc_patch.yml
-  when:
-    - not view_yaml.results.results[0] | lib_utils_oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['get', 'list', 'watch'])
+- copy:
+    src: openshift_catalog_clusterroles.yml
+    dest: "{{ mktemp.stdout }}/openshift_catalog_clusterroles.yml"
+
+- name: Apply Service Catalog cluster roles
+  retries: 5
+  delay: 2
+  register: task_result
+  until: task_result.rc == 0
+  shell: >
+    {{ openshift_client_binary }} auth reconcile --config={{ openshift.common.config_base }}/master/admin.kubeconfig -f {{ mktemp.stdout}}/openshift_catalog_clusterroles.yml
 
 - oc_adm_policy_user:
     namespace: kube-service-catalog
diff --git a/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2
deleted file mode 100644
index 59cceafcf..000000000
--- a/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-{{ original_content }}
-- apiGroups:
-  - "servicecatalog.k8s.io"
-  attributeRestrictions: null
-  resources:
-  - serviceinstances
-  - servicebindings
-  verbs:
-  - create
-  - update
-  - delete
-  - get
-  - list
-  - watch
-  - patch
-- apiGroups:
-  - "settings.k8s.io"
-  attributeRestrictions: null
-  resources:
-  - podpresets
-  verbs:
-  - create
-  - update
-  - delete
-  - get
-  - list
-  - watch
diff --git a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_view_role_patching.j2
deleted file mode 100644
index 838993854..000000000
--- a/roles/openshift_service_catalog/templates/sc_view_role_patching.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-{{ original_content }}
-- apiGroups:
-  - "servicecatalog.k8s.io"
-  attributeRestrictions: null
-  resources:
-  - serviceinstances
-  - servicebindings
-  verbs:
-  - get
-  - list
-  - watch
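Review bot: The new `Apply Service Catalog cluster roles` task runs the client through `shell: >` although nothing in the command needs a shell, whereas the tasks it replaces used `command: >`; `{{ openshift_client_binary }}` and `{{ mktemp.stdout}}` are expanded into a line that `/bin/sh` then re-parses, so `command: >` is the safer and more consistent choice. The same line has inconsistent spacing in `{{ mktemp.stdout}}` (elsewhere in the hunk `{{ mktemp.stdout }}`), and the preceding `copy` task has no `name:`, unlike the other tasks here; suggested `- name: Stage Service Catalog cluster role definitions`. The old `when:` guards are gone and idempotence now rests on `auth reconcile`, which as I understand it adds missing permissions but, without `--remove-extra-permissions` as in kubectl's version of the command, does not remove surplus ones, so a later tightening of the verbs in the file would not take effect on existing clusters; that is worth a comment on the task. The enclosing task list continues on both sides of the hunk.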
