Diffstat (limited to 'roles')
| -rw-r--r-- | roles/lib_openshift/library/oc_adm_policy_user.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_clusterrole.py | 14 | ||||
| -rw-r--r-- | roles/lib_openshift/src/class/oc_adm_policy_user.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/src/class/oc_clusterrole.py | 6 | ||||
| -rw-r--r-- | roles/lib_openshift/src/lib/rule.py | 8 | ||||
| -rw-r--r-- | roles/openshift_manageiq/tasks/main.yaml | 88 | ||||
| -rw-r--r-- | roles/openshift_manageiq/vars/main.yml | 64 | 
7 files changed, 81 insertions, 103 deletions
|
diff --git a/roles/lib_openshift/library/oc_adm_policy_user.py b/roles/lib_openshift/library/oc_adm_policy_user.py
index 5f7e4b8fa..09b0561a7 100644
--- a/roles/lib_openshift/library/oc_adm_policy_user.py
+++ b/roles/lib_openshift/library/oc_adm_policy_user.py
@@ -1960,7 +1960,7 @@ class PolicyUser(OpenShiftCLI):
     @property
     def policybindings(self):
         if self._policy_bindings is None:
-            results = self._get('clusterpolicybindings', None)
+            results = self._get('policybindings', None)
             if results['returncode'] != 0:
                 raise OpenShiftCLIError('Could not retrieve policybindings')
             self._policy_bindings = results['results'][0]['items'][0]
diff --git a/roles/lib_openshift/library/oc_clusterrole.py b/roles/lib_openshift/library/oc_clusterrole.py
index a34ce351e..e2cbcfb81 100644
--- a/roles/lib_openshift/library/oc_clusterrole.py
+++ b/roles/lib_openshift/library/oc_clusterrole.py
@@ -1531,10 +1531,10 @@ class Rule(object):
         results = []
         for rule in inc_rules:
-            results.append(Rule(rule['apiGroups'],
-                                rule['attributeRestrictions'],
-                                rule['resources'],
-                                rule['verbs']))
+            results.append(Rule(rule.get('apiGroups', ['']),
+                                rule.get('attributeRestrictions', None),
+                                rule.get('resources', []),
+                                rule.get('verbs', [])))
         return results
@@ -1633,7 +1633,7 @@ class OCClusterRole(OpenShiftCLI):
     @property
     def clusterrole(self):
         ''' property for clusterrole'''
-        if not self._clusterrole:
+        if self._clusterrole is None:
             self.get()
         return self._clusterrole
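Review bot: The last context line, `self._policy_bindings = results['results'][0]['items'][0]`, still takes the first item unconditionally, so an empty `items` list raises IndexError instead of the OpenShiftCLIError reserved for failures two lines above; policybindings are a namespaced resource, so after the switch from `clusterpolicybindings` the list returned for whatever namespace `_get` queries can be empty or hold several bindings, of which only the first is used. Guard it: `items = results['results'][0]['items']` / `if not items: raise OpenShiftCLIError('No policybindings found')` / `self._policy_bindings = items[0]`. The identical hunk is in roles/lib_openshift/src/class/oc_adm_policy_user.py, and this library copy appears to be generated from it, so the fix belongs in src. The property's return statement is outside the hunk.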
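Review bot: `rule.get('resources', [])` and `rule.get('verbs', [])` in parse_rules turn a rule that omits either key (a mistyped `verb:` in a playbook, say) into a Rule that grants nothing, so the mistake surfaces later as a clusterrole with an empty rule or as an unexpected comparison result instead of a KeyError at parse time. Tolerating a missing `apiGroups` (the core group is spelled `""`, which the `['']` default matches) and a missing `attributeRestrictions` is reasonable; for the two required keys keep `rule['resources'], rule['verbs']`, or raise with the offending rule in the message when they are absent. The same change is in roles/lib_openshift/src/lib/rule.py, which this library copy looks to be generated from. The start of parse_rules is outside the hunk.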
@@ -1669,6 +1669,7 @@ class OCClusterRole(OpenShiftCLI):
         elif 'clusterrole "{}" not found'.format(self.name) in result['stderr']:
             result['returncode'] = 0
+            self.clusterrole = None
         return result
@@ -1738,6 +1739,9 @@ class OCClusterRole(OpenShiftCLI):
                 # Create it here
                 api_rval = oc_clusterrole.create()
+                if api_rval['returncode'] != 0:
+                    return {'failed': True, 'msg': api_rval}
+
                 # return the created object
                 api_rval = oc_clusterrole.get()
diff --git a/roles/lib_openshift/src/class/oc_adm_policy_user.py b/roles/lib_openshift/src/class/oc_adm_policy_user.py
index 88fcc1ddc..37a685ebb 100644
--- a/roles/lib_openshift/src/class/oc_adm_policy_user.py
+++ b/roles/lib_openshift/src/class/oc_adm_policy_user.py
@@ -46,7 +46,7 @@ class PolicyUser(OpenShiftCLI):
     @property
     def policybindings(self):
         if self._policy_bindings is None:
-            results = self._get('clusterpolicybindings', None)
+            results = self._get('policybindings', None)
             if results['returncode'] != 0:
                 raise OpenShiftCLIError('Could not retrieve policybindings')
             self._policy_bindings = results['results'][0]['items'][0]
diff --git a/roles/lib_openshift/src/class/oc_clusterrole.py b/roles/lib_openshift/src/class/oc_clusterrole.py
index 1d3d977db..ae6795446 100644
--- a/roles/lib_openshift/src/class/oc_clusterrole.py
+++ b/roles/lib_openshift/src/class/oc_clusterrole.py
@@ -22,7 +22,7 @@ class OCClusterRole(OpenShiftCLI):
     @property
     def clusterrole(self):
         ''' property for clusterrole'''
-        if not self._clusterrole:
+        if self._clusterrole is None:
             self.get()
         return self._clusterrole
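Review bot: `self.clusterrole = None` in the not-found branch now carries meaning, since with the property's `is None` test every later access re-runs `get()` until the role exists, yet the branch it sits in still detects absence by substring-matching oc's exact stderr text `clusterrole "<name>" not found`; a client that words that message differently leaves the nonzero returncode in place and the caller sees a failure rather than an absent role to create. That dependency is pre-existing, but it deserves a comment above the `elif`: `# absence is inferred from oc's stderr wording; a client that phrases it differently falls through as an error`. The assignment presumably goes through a `clusterrole` setter that is not in the hunk, and get() starts and ends outside it. The same hunk appears in roles/lib_openshift/src/class/oc_clusterrole.py.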
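Review bot: The new returncode guard after `oc_clusterrole.create()` is the right check, but `api_rval = oc_clusterrole.get()` on the last context line overwrites it, and what happens to that value is outside the hunk; if it is returned without the same test, a create that succeeded followed by a re-read that failed is reported as success with the error text as the result. Apply the same two lines after the get, or check `api_rval['returncode']` once before the final return. The enclosing method starts and ends outside the hunk, and the same change appears in roles/lib_openshift/src/class/oc_clusterrole.py.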
@@ -58,6 +58,7 @@ class OCClusterRole(OpenShiftCLI):
         elif 'clusterrole "{}" not found'.format(self.name) in result['stderr']:
             result['returncode'] = 0
+            self.clusterrole = None
         return result
@@ -127,6 +128,9 @@ class OCClusterRole(OpenShiftCLI):
                 # Create it here
                 api_rval = oc_clusterrole.create()
+                if api_rval['returncode'] != 0:
+                    return {'failed': True, 'msg': api_rval}
+
                 # return the created object
                 api_rval = oc_clusterrole.get()
diff --git a/roles/lib_openshift/src/lib/rule.py b/roles/lib_openshift/src/lib/rule.py
index 4590dcf90..fe5ed9723 100644
--- a/roles/lib_openshift/src/lib/rule.py
+++ b/roles/lib_openshift/src/lib/rule.py
@@ -136,9 +136,9 @@ class Rule(object):
         results = []
         for rule in inc_rules:
-            results.append(Rule(rule['apiGroups'],
-                                rule['attributeRestrictions'],
-                                rule['resources'],
-                                rule['verbs']))
+            results.append(Rule(rule.get('apiGroups', ['']),
+                                rule.get('attributeRestrictions', None),
+                                rule.get('resources', []),
+                                rule.get('verbs', [])))
         return results
diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index f202486a5..cfc4e2722 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
@@ -3,24 +3,13 @@
     msg: "The openshift_manageiq role requires OpenShift Enterprise 3.1 or Origin 1.1."
   when: not openshift.common.version_gte_3_1_or_1_1 | bool
-- name: Copy Configuration to temporary conf
-  command: >
-    cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{manage_iq_tmp_conf}}
-  changed_when: false
-
 - name: Add Management Infrastructure project
-  command: >
-    {{ openshift.common.client_binary }} adm new-project
-    management-infra
-    --description="Management Infrastructure"
-    --config={{manage_iq_tmp_conf}}
-  register: osmiq_create_mi_project
-  failed_when: "'already exists' not in osmiq_create_mi_project.stderr and osmiq_create_mi_project.rc != 0"
-  changed_when: osmiq_create_mi_project.rc == 0
+  oc_project:
+    name: management-infra
+    description: Management Infrastructure
 - name: Create Admin and Image Inspector Service Account
   oc_serviceaccount:
-    kubeconfig: "{{ openshift_master_config_dir }}/admin.kubeconfig"
     name: "{{ item }}"
     namespace: management-infra
     state: present
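Review bot: The new `oc_project` and `oc_serviceaccount` tasks name no kubeconfig, where the removed lines pointed explicitly at `{{ openshift.common.config_base }}/master/admin.kubeconfig`; the modules will fall back to their built-in default path, which presumably coincides with that file only while `config_base` is left at its default, so a non-default layout makes these tasks fail or run under different credentials. Passing `kubeconfig: "{{ openshift.common.config_base }}/master/admin.kubeconfig"` on each module task preserves the old behaviour without the temporary copy. The sibling `oc_serviceaccount` task states `state: present`; `oc_project` should say the same for consistency. Dropping the copy of the admin credentials to `/tmp/manageiq_admin.kubeconfig` is itself a worthwhile hardening, since the cleanup task at the end of the file did not run when an earlier task failed.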
@@ -28,51 +17,42 @@
   - management-admin
   - inspector-admin
-- name: Create Cluster Role
-  shell: >
-    echo {{ manageiq_cluster_role | to_json | quote }} |
-    {{ openshift.common.client_binary }} create
-    --config={{manage_iq_tmp_conf}}
-    -f -
-  register: osmiq_create_cluster_role
-  failed_when: "'already exists' not in osmiq_create_cluster_role.stderr and osmiq_create_cluster_role.rc != 0"
-  changed_when: osmiq_create_cluster_role.rc == 0
+- name: Create manageiq cluster role
+  oc_clusterrole:
+    name: management-infra-admin
+    rules:
+    - apiGroups:
+      - ""
+      resources:
+      - pods/proxy
+      verbs:
+      - "*"
 - name: Create Hawkular Metrics Admin Cluster Role
-  shell: >
-    echo {{ manageiq_metrics_admin_clusterrole | to_json | quote }} |
-    {{ openshift.common.client_binary }}
-    --config={{manage_iq_tmp_conf}}
-    create -f -
-  register: oshawkular_create_cluster_role
-  failed_when: "'already exists' not in oshawkular_create_cluster_role.stderr and oshawkular_create_cluster_role.rc != 0"
-  changed_when: oshawkular_create_cluster_role.rc == 0
-  # AUDIT:changed_when_note: Checking the return code is insufficient
-  # here. We really need to verify the if the role even exists before
-  # we run this task.
+  oc_clusterrole:
+    name: hawkular-metrics-admin
+    rules:
+    - apiGroups:
+      - ""
+      resources:
+      - hawkular-alerts
+      - hawkular-metrics
+      verbs:
+      - "*"
 - name: Configure role/user permissions
-  command: >
-    {{ openshift.common.client_binary }} adm {{item}}
-    --config={{manage_iq_tmp_conf}}
-  with_items: "{{manage_iq_tasks}}"
-  register: osmiq_perm_task
-  failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0"
-  changed_when: osmiq_perm_task.rc == 0
-  # AUDIT:changed_when_note: Checking the return code is insufficient
-  # here. We really need to compare the current role/user permissions
-  # with their expected state. I think we may have a module for this?
-
+  oc_adm_policy_user:
+    namespace: management-infra
+    resource_name: "{{ item.resource_name }}"
+    resource_kind: "{{ item.resource_kind }}"
+    user: "{{ item.user }}"
+  with_items: "{{ manage_iq_tasks }}"
 - name: Configure 3_2 role/user permissions
-  command: >
-    {{ openshift.common.client_binary }} adm {{item}}
-    --config={{manage_iq_tmp_conf}}
+  oc_adm_policy_user:
+    namespace: management-infra
+    resource_name: "{{ item.resource_name }}"
+    resource_kind: "{{ item.resource_kind }}"
+    user: "{{ item.user }}"
   with_items: "{{manage_iq_openshift_3_2_tasks}}"
-  register: osmiq_perm_3_2_task
-  failed_when: osmiq_perm_3_2_task.rc != 0
-  changed_when: osmiq_perm_3_2_task.rc == 0
   when: openshift.common.version_gte_3_2_or_1_2 | bool
-
-- name: Clean temporary configuration file
-  file: path={{manage_iq_tmp_conf}} state=absent
diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml
index 9936bb126..15d667628 100644
--- a/roles/openshift_manageiq/vars/main.yml
+++ b/roles/openshift_manageiq/vars/main.yml
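Review bot: Both `oc_adm_policy_user` tasks set `namespace: management-infra` for every item, but the commands they replace passed `-n management-infra` only for the two `add-role-to-user` entries; the `cluster-role` and `scc` items were cluster-scoped. Whether the module ignores `namespace` for those kinds is not visible here; if it does not, `cluster-reader`, `self-provisioner`, `system:image-puller`, `hawkular-metrics-admin` and the `privileged` SCC would be bound within the project instead of cluster-wide, silently changing what the management-admin and inspector-admin service accounts can do. Either move `namespace` into the per-item data for the two role entries only, or confirm the module's handling and record it in a comment above the task. The two tasks are otherwise identical apart from the loop list and `when`; a single task over `with_items: "{{ manage_iq_tasks + (manage_iq_openshift_3_2_tasks if openshift.common.version_gte_3_2_or_1_2 | bool else []) }}"` would remove the duplication.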
@@ -1,41 +1,31 @@
 ---
-openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-manageiq_cluster_role:
-  apiVersion: v1
-  kind: ClusterRole
-  metadata:
-    name: management-infra-admin
-  rules:
-  - resources:
-    - pods/proxy
-    verbs:
-    - '*'
-
-manageiq_metrics_admin_clusterrole:
-  apiVersion: v1
-  kind: ClusterRole
-  metadata:
-    name: hawkular-metrics-admin
-  rules:
-  - apiGroups:
-    - ""
-    resources:
-    - hawkular-metrics
-    - hawkular-alerts
-    verbs:
-    - '*'
-
-manage_iq_tmp_conf: /tmp/manageiq_admin.kubeconfig
-
 manage_iq_tasks:
-- policy add-role-to-user -n management-infra admin -z management-admin
-- policy add-role-to-user -n management-infra management-infra-admin -z management-admin
-- policy add-cluster-role-to-user cluster-reader system:serviceaccount:management-infra:management-admin
-- policy add-scc-to-user privileged system:serviceaccount:management-infra:management-admin
-- policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin
-- policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin
-- policy add-cluster-role-to-user self-provisioner system:serviceaccount:management-infra:management-admin
-- policy add-cluster-role-to-user hawkular-metrics-admin system:serviceaccount:management-infra:management-admin
+- resource_kind: role
+  resource_name: admin
+  user: management-admin
+- resource_kind: role
+  resource_name: management-infra-admin
+  user: management-admin
+- resource_kind: cluster-role
+  resource_name: cluster-reader
+  user: system:serviceaccount:management-infra:management-admin
+- resource_kind: scc
+  resource_name: privileged
+  user: system:serviceaccount:management-infra:management-admin
+- resource_kind: cluster-role
+  resource_name: system:image-puller
+  user: system:serviceaccount:management-infra:inspector-admin
+- resource_kind: scc
+  resource_name: privileged
+  user: system:serviceaccount:management-infra:inspector-admin
+- resource_kind: cluster-role
+  resource_name: self-provisioner
+  user: system:serviceaccount:management-infra:management-admin
+- resource_kind: cluster-role
+  resource_name: hawkular-metrics-admin
+  user: system:serviceaccount:management-infra:management-admin
 manage_iq_openshift_3_2_tasks:
-- policy add-cluster-role-to-user system:image-auditor system:serviceaccount:management-infra:management-admin
+- resource_kind: cluster-role
+  resource_name: system:image-auditor
+  user: system:serviceaccount:management-infra:management-admin |
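Review bot: The two `role` entries now bind to `user: management-admin`, but the commands they replace used `-z management-admin`, which names the service account `management-admin` in management-infra rather than a user of that name. Unless `oc_adm_policy_user` resolves a bare name to a service account (not visible here), the `admin` and `management-infra-admin` roles land on a user that may not exist while the service account the product presumably authenticates as loses them; the other entries already use the explicit form, so use it for these two as well: `user: system:serviceaccount:management-infra:management-admin`. The set of grants itself is unchanged by this commit, but it is a wide one (`privileged` SCC for both service accounts, `cluster-reader`, `self-provisioner`, and a cluster role allowing every verb on `pods/proxy`), and a short comment per entry stating which ManageIQ function needs it would make later least-privilege review possible.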
