Diffstat (limited to 'roles')
| -rw-r--r-- | roles/ansible_service_broker/tasks/generate_certs.yml | 22 | ||||
| -rw-r--r-- | roles/ansible_service_broker/tasks/install.yml | 14 | ||||
| -rw-r--r-- | roles/ansible_service_broker/tasks/remove.yml | 6 | ||||
| -rw-r--r-- | roles/openshift_prometheus/tasks/main.yaml | 13 | ||||
| -rw-r--r-- | roles/openshift_prometheus/templates/prometheus.j2 | 50 | ||||
| -rw-r--r-- | roles/openshift_prometheus/vars/default_images.yml | 17 | ||||
| -rw-r--r-- | roles/openshift_prometheus/vars/openshift-enterprise.yml | 17 | 
7 files changed, 77 insertions, 62 deletions
diff --git a/roles/ansible_service_broker/tasks/generate_certs.yml b/roles/ansible_service_broker/tasks/generate_certs.yml
index 50156a35c..85e67e00c 100644
--- a/roles/ansible_service_broker/tasks/generate_certs.yml
+++ b/roles/ansible_service_broker/tasks/generate_certs.yml
@@ -9,25 +9,25 @@        mode: 0755      check_mode: no -  - set_fact: -      ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/ansible-service-broker" -    - name: Create self signing ca cert -    command: 'openssl req -nodes -x509 -newkey rsa:4096 -keyout {{ ansible_service_broker_certs_dir }}/key.pem -out {{ ansible_service_broker_certs_dir }}/cert.pem -days 365 -subj "/CN=asb-etcd.openshift-ansible-service-broker.svc"' +    command: 'openssl req -nodes -x509 -newkey rsa:4096 -keyout {{ openshift.common.config_base }}/ansible-service-broker/key.pem -out {{ openshift.common.config_base }}/ansible-service-broker/cert.pem -days 365 -subj "/CN=asb-etcd.openshift-ansible-service-broker.svc"'      args: -      creates: '{{ ansible_service_broker_certs_dir }}/cert.pem' +      creates: '{{ openshift.common.config_base }}/ansible-service-broker/cert.pem'    - name: Create self signed client cert      command: '{{ item.cmd }}'      args:        creates: '{{ item.creates }}'      with_items: -    - cmd: openssl genrsa -out {{ ansible_service_broker_certs_dir }}/client.key 2048 -      creates: '{{ ansible_service_broker_certs_dir }}/client.key' -    - cmd: 'openssl req -new -key {{ ansible_service_broker_certs_dir }}/client.key -out {{ ansible_service_broker_certs_dir }}/client.csr -subj "/CN=client"' -      creates: '{{ ansible_service_broker_certs_dir }}/client.csr' -    - cmd: openssl x509 -req -in {{ ansible_service_broker_certs_dir }}/client.csr -CA {{ ansible_service_broker_certs_dir }}/cert.pem -CAkey {{ ansible_service_broker_certs_dir }}/key.pem -CAcreateserial -out {{ ansible_service_broker_certs_dir }}/client.pem -days 1024 -      creates: '{{ ansible_service_broker_certs_dir }}/client.pem' +    - cmd: openssl genrsa -out {{ openshift.common.config_base }}/ansible-service-broker/client.key 2048 +      creates: '{{ openshift.common.config_base }}/ansible-service-broker/client.key' +    - cmd: 'openssl req -new -key {{ 
openshift.common.config_base }}/ansible-service-broker/client.key -out {{ openshift.common.config_base }}/ansible-service-broker/client.csr -subj "/CN=client"' +      creates: '{{ openshift.common.config_base }}/ansible-service-broker/client.csr' +    - cmd: openssl x509 -req -in {{ openshift.common.config_base }}/ansible-service-broker/client.csr -CA {{ openshift.common.config_base }}/ansible-service-broker/cert.pem -CAkey {{ openshift.common.config_base }}/ansible-service-broker/key.pem -CAcreateserial -out {{ openshift.common.config_base }}/ansible-service-broker/client.pem -days 1024 +      creates: '{{ openshift.common.config_base }}/ansible-service-broker/client.pem' + +  - set_fact: +      ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/ansible-service-broker"  - set_fact:      etcd_ca_cert: "{{ lookup('file', '{{ ansible_service_broker_certs_dir }}/cert.pem') }}" diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index 926ed344e..90a4418fb 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -69,6 +69,9 @@        - apiGroups: ["authentication.k8s.io"]          resources: ["tokenreviews"]          verbs: ["create"] +      - apiGroups: ["image.openshift.io", ""] +        resources: ["images"] +        verbs: ["get", "list"]  - name: Create asb-access cluster role    oc_clusterrole: 
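Review bot: Nothing in this hunk sets permissions on the private keys the `openssl` commands write (`key.pem` from `openssl req -nodes`, and `client.key` from `openssl genrsa`), so their mode depends on the openssl build and the umask of the Ansible run. The only mode visible is the `mode: 0755` context line at the top, which presumably belongs to the directory task that starts outside the hunk. The CA key is stored unencrypted (`-nodes`), so a follow-up `file` task that pins both keys to `0600` would make the result deterministic. The enclosing block begins before the hunk, so the indentation below is inferred from the visible tasks.

```yaml
  # … unchanged: "Create self signed client cert" task …
  - name: Restrict permissions on the broker private keys
    file:
      path: "{{ openshift.common.config_base }}/ansible-service-broker/{{ item }}"
      mode: "0600"
    with_items:
    - key.pem
    - client.key
```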
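Review bot: The added rule in the `@@ -69,6 +69,9 @@` hunk grants `get` and `list` on `images` cluster-wide, in both `image.openshift.io` and the legacy core group (`""`), with no comment saying which broker feature needs it. The cluster role this rule list belongs to is declared above the hunk, so the subject receiving the permission is not visible here. A one-line comment above the rule would let a later least-privilege review judge it, for example `# images get/list: needed by <broker feature>; read-only, do not widen verbs`.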
@@ -404,8 +407,6 @@                - type: {{ ansible_service_broker_registry_type }}                  name: {{ ansible_service_broker_registry_name }}                  url:  {{ ansible_service_broker_registry_url }} -                user: {{ ansible_service_broker_registry_user }} -                pass: {{ ansible_service_broker_registry_password }}                  org:  {{ ansible_service_broker_registry_organization }}                  tag:  {{ ansible_service_broker_registry_tag }}                  white_list: {{ ansible_service_broker_registry_whitelist }} @@ -442,6 +443,15 @@                  - type: basic                    enabled: false +- oc_secret: +    name: asb-registry-auth +    namespace: openshift-ansible-service-broker +    state: present +    contents: +      - path: username +        data: "{{ ansible_service_broker_registry_user }}" +      - path: password +        data: "{{ ansible_service_broker_registry_password }}"  - name: Create the Broker resource in the catalog    oc_obj: diff --git a/roles/ansible_service_broker/tasks/remove.yml b/roles/ansible_service_broker/tasks/remove.yml index 28dc967a0..a1ac740e0 100644 --- a/roles/ansible_service_broker/tasks/remove.yml +++ b/roles/ansible_service_broker/tasks/remove.yml @@ -46,6 +46,12 @@      resource_name: asb-access      user: "system:serviceaccount:openshift-ansible-service-broker:asb-client" +- name: remove asb-registry auth secret +  oc_secret: +    state: absent +    name: asb-registry-auth +    namespace: openshift-ansible-service-broker +  - name: remove asb-client token secret    oc_secret:      state: absent diff --git a/roles/openshift_prometheus/tasks/main.yaml b/roles/openshift_prometheus/tasks/main.yaml index 332104d77..5cc9a67eb 100644 --- a/roles/openshift_prometheus/tasks/main.yaml +++ b/roles/openshift_prometheus/tasks/main.yaml 
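Review bot: The new `oc_secret` task in the `@@ -442,6 +443,15 @@` hunk passes the registry user and password as module arguments but has neither `no_log: true` nor a `name:`. Unless the module masks `contents` itself (not visible here), the credentials can appear in verbose output or in a failure message. Add `no_log: true` at task level and give the task a name such as `- name: Create asb-registry-auth secret`, matching the named removal task added in remove.yml. The diff also removes `user`/`pass` from the broker config without showing where the broker reads the `asb-registry-auth` secret, so confirm that wiring exists outside these hunks.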
@@ -2,20 +2,9 @@  - name: Set default image variables based on deployment_type    include_vars: "{{ item }}"    with_first_found: -    - "{{ openshift_deployment_type | default(deployment_type) }}.yml" +    - "{{ openshift_deployment_type }}.yml"      - "default_images.yml" -- name: Set image facts -  set_fact: -    openshift_prometheus_image_prefix: "{{ openshift_prometheus_image_prefix | default(__openshift_prometheus_image_prefix) }}" -    openshift_prometheus_image_version: "{{ openshift_prometheus_image_version | default(__openshift_prometheus_image_version) }}" -    openshift_prometheus_proxy_image_prefix: "{{ openshift_prometheus_proxy_image_prefix | default(openshift_prometheus_image_prefix) }}" -    openshift_prometheus_proxy_image_version: "{{ openshift_prometheus_proxy_image_version | default(__openshift_prometheus_proxy_image_version) }}" -    openshift_prometheus_alertmanager_image_prefix: "{{ openshift_prometheus_altermanager_image_prefix | default(openshift_prometheus_image_prefix) }}" -    openshift_prometheus_alertmanager_image_version: "{{ openshift_prometheus_alertmanager_image_version | default(__openshift_prometheus_alertmanager_image_version) }}" -    openshift_prometheus_alertbuffer_image_prefix: "{{ openshift_prometheus_alertbuffer_image_prefix | default(openshift_prometheus_image_prefix) }}" -    openshift_prometheus_alertbuffer_image_version: "{{ openshift_prometheus_alertbuffer_image_version | default(__openshift_prometheus_alertbuffer_image_version) }}" -  - name: Create temp directory for doing work in on target    command: mktemp -td openshift-prometheus-ansible-XXXXXX    register: mktemp diff --git a/roles/openshift_prometheus/templates/prometheus.j2 b/roles/openshift_prometheus/templates/prometheus.j2 index 916c57aa2..456db3a57 100644 --- a/roles/openshift_prometheus/templates/prometheus.j2 +++ b/roles/openshift_prometheus/templates/prometheus.j2 
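Review bot: The first `with_first_found` entry is now `"{{ openshift_deployment_type }}.yml"` with no fallback, so an inventory that sets only the legacy `deployment_type` no longer selects its own vars file. Depending on how the lookup treats an undefined variable, the task either fails or falls through to `default_images.yml`, which would select the `openshift/` image prefix instead of the enterprise registry. If `openshift_deployment_type` is guaranteed to be set before this role runs, say so in a comment above the entry, for example `# openshift_deployment_type is always set by this point; legacy deployment_type is no longer consulted`.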
@@ -23,28 +23,28 @@ spec:  {% if openshift_prometheus_node_selector is iterable and openshift_prometheus_node_selector | length > 0 %}        nodeSelector:  {% for key, value in openshift_prometheus_node_selector.iteritems() %} -        {{key}}: "{{value}}" +        {{ key }}: "{{ value }}"  {% endfor %}  {% endif %}        containers:        # Deploy Prometheus behind an oauth proxy        - name: prom-proxy -        image: "{{openshift_prometheus_proxy_image_prefix}}oauth-proxy:{{openshift_prometheus_proxy_image_version}}" +        image: "{{ l_openshift_prometheus_proxy_image_prefix }}oauth-proxy:{{ l_openshift_prometheus_proxy_image_version }}"          imagePullPolicy: IfNotPresent          resources:            requests:  {% if openshift_prometheus_oauth_proxy_memory_requests is defined and openshift_prometheus_oauth_proxy_memory_requests is not none %} -            memory: "{{openshift_prometheus_oauth_proxy_memory_requests}}" +            memory: "{{ openshift_prometheus_oauth_proxy_memory_requests }}"  {% endif %}  {% if openshift_prometheus_oauth_proxy_cpu_requests is defined and openshift_prometheus_oauth_proxy_cpu_requests is not none %} -            cpu: "{{openshift_prometheus_oauth_proxy_cpu_requests}}" +            cpu: "{{ openshift_prometheus_oauth_proxy_cpu_requests }}"  {% endif %}            limits:  {% if openshift_prometheus_oauth_proxy_memory_limit is defined and openshift_prometheus_oauth_proxy_memory_limit is not none %} -            memory: "{{openshift_prometheus_oauth_proxy_memory_limit}}" +            memory: "{{ openshift_prometheus_oauth_proxy_memory_limit }}"  {% endif %}  {% if openshift_prometheus_oauth_proxy_cpu_limit is defined and openshift_prometheus_oauth_proxy_cpu_limit is not none %} -            cpu: "{{openshift_prometheus_oauth_proxy_cpu_limit}}" +            cpu: "{{ openshift_prometheus_oauth_proxy_cpu_limit }}"  {% endif %}          ports:          - containerPort: 8443 
@@ -79,22 +79,22 @@ spec:          - --storage.tsdb.min-block-duration=2m          - --config.file=/etc/prometheus/prometheus.yml          - --web.listen-address=localhost:9090 -        image: "{{openshift_prometheus_image_prefix}}prometheus:{{openshift_prometheus_image_version}}" +        image: "{{ l_openshift_prometheus_image_prefix }}prometheus:{{ l_openshift_prometheus_image_version }}"          imagePullPolicy: IfNotPresent          resources:            requests:  {% if openshift_prometheus_memory_requests is defined and openshift_prometheus_memory_requests is not none %} -            memory: "{{openshift_prometheus_memory_requests}}" +            memory: "{{ openshift_prometheus_memory_requests }}"  {% endif %}  {% if openshift_prometheus_cpu_requests is defined and openshift_prometheus_cpu_requests is not none %} -            cpu: "{{openshift_prometheus_cpu_requests}}" +            cpu: "{{ openshift_prometheus_cpu_requests }}"  {% endif %}            limits:  {% if openshift_prometheus_memory_limit is defined and openshift_prometheus_memory_limit is not none %}              memory: "{{ openshift_prometheus_memory_limit }}"  {% endif %}  {% if openshift_prometheus_cpu_limit is defined and openshift_prometheus_cpu_limit is not none %} -            cpu: "{{openshift_prometheus_cpu_limit}}" +            cpu: "{{ openshift_prometheus_cpu_limit }}"  {% endif %}          volumeMounts: 
@@ -105,22 +105,22 @@ spec:        # Deploy alertmanager behind prometheus-alert-buffer behind an oauth proxy        - name: alerts-proxy -        image: "{{openshift_prometheus_proxy_image_prefix}}oauth-proxy:{{openshift_prometheus_proxy_image_version}}" +        image: "{{ l_openshift_prometheus_proxy_image_prefix }}oauth-proxy:{{ l_openshift_prometheus_proxy_image_version }}"          imagePullPolicy: IfNotPresent          resources:            requests:  {% if openshift_prometheus_oauth_proxy_memory_requests is defined and openshift_prometheus_oauth_proxy_memory_requests is not none %} -            memory: "{{openshift_prometheus_oauth_proxy_memory_requests}}" +            memory: "{{ openshift_prometheus_oauth_proxy_memory_requests }}"  {% endif %}  {% if openshift_prometheus_oauth_proxy_cpu_requests is defined and openshift_prometheus_oauth_proxy_cpu_requests is not none %} -            cpu: "{{openshift_prometheus_oauth_proxy_cpu_requests}}" +            cpu: "{{ openshift_prometheus_oauth_proxy_cpu_requests }}"  {% endif %}            limits:  {% if openshift_prometheus_oauth_proxy_memory_limit is defined and openshift_prometheus_oauth_proxy_memory_limit is not none %} -            memory: "{{openshift_prometheus_oauth_proxy_memory_limit}}" +            memory: "{{ openshift_prometheus_oauth_proxy_memory_limit }}"  {% endif %}  {% if openshift_prometheus_oauth_proxy_cpu_limit is defined and openshift_prometheus_oauth_proxy_cpu_limit is not none %} -            cpu: "{{openshift_prometheus_oauth_proxy_cpu_limit}}" +            cpu: "{{ openshift_prometheus_oauth_proxy_cpu_limit }}"  {% endif %}          ports:          - containerPort: 9443 
@@ -149,22 +149,22 @@ spec:        - name: alert-buffer          args:          - --storage-path=/alert-buffer/messages.db -        image: "{{openshift_prometheus_alertbuffer_image_prefix}}prometheus-alert-buffer:{{openshift_prometheus_alertbuffer_image_version}}" +        image: "{{ l_openshift_prometheus_alertbuffer_image_prefix }}prometheus-alert-buffer:{{ l_openshift_prometheus_alertbuffer_image_version }}"          imagePullPolicy: IfNotPresent          resources:            requests:  {% if openshift_prometheus_alertbuffer_memory_requests is defined and openshift_prometheus_alertbuffer_memory_requests is not none %} -            memory: "{{openshift_prometheus_alertbuffer_memory_requests}}" +            memory: "{{ openshift_prometheus_alertbuffer_memory_requests }}"  {% endif %}  {% if openshift_prometheus_alertbuffer_cpu_requests is defined and openshift_prometheus_alertbuffer_cpu_requests is not none %} -            cpu: "{{openshift_prometheus_alertbuffer_cpu_requests}}" +            cpu: "{{ openshift_prometheus_alertbuffer_cpu_requests }}"  {% endif %}            limits:  {% if openshift_prometheus_alertbuffer_memory_limit is defined and openshift_prometheus_alertbuffer_memory_limit is not none %} -            memory: "{{openshift_prometheus_alertbuffer_memory_limit}}" +            memory: "{{ openshift_prometheus_alertbuffer_memory_limit }}"  {% endif %}  {% if openshift_prometheus_alertbuffer_cpu_limit is defined and openshift_prometheus_alertbuffer_cpu_limit is not none %} -            cpu: "{{openshift_prometheus_alertbuffer_cpu_limit}}" +            cpu: "{{ openshift_prometheus_alertbuffer_cpu_limit }}"  {% endif %}          volumeMounts:          - mountPath: /alert-buffer 
@@ -176,22 +176,22 @@ spec:        - name: alertmanager          args:          - -config.file=/etc/alertmanager/alertmanager.yml -        image: "{{openshift_prometheus_alertmanager_image_prefix}}prometheus-alertmanager:{{openshift_prometheus_alertmanager_image_version}}" +        image: "{{ l_openshift_prometheus_alertmanager_image_prefix }}prometheus-alertmanager:{{ l_openshift_prometheus_alertmanager_image_version }}"          imagePullPolicy: IfNotPresent          resources:            requests:  {% if openshift_prometheus_alertmanager_memory_requests is defined and openshift_prometheus_alertmanager_memory_requests is not none %} -            memory: "{{openshift_prometheus_alertmanager_memory_requests}}" +            memory: "{{ openshift_prometheus_alertmanager_memory_requests }}"  {% endif %}  {% if openshift_prometheus_alertmanager_cpu_requests is defined and openshift_prometheus_alertmanager_cpu_requests is not none %} -            cpu: "{{openshift_prometheus_alertmanager_cpu_requests}}" +            cpu: "{{ openshift_prometheus_alertmanager_cpu_requests }}"  {% endif %}            limits:  {% if openshift_prometheus_alertmanager_memory_limit is defined and openshift_prometheus_alertmanager_memory_limit is not none %} -            memory: "{{openshift_prometheus_alertmanager_memory_limit}}" +            memory: "{{ openshift_prometheus_alertmanager_memory_limit }}"  {% endif %}  {% if openshift_prometheus_alertmanager_cpu_limit is defined and openshift_prometheus_alertmanager_cpu_limit is not none %} -            cpu: "{{openshift_prometheus_alertmanager_cpu_limit}}" +            cpu: "{{ openshift_prometheus_alertmanager_cpu_limit }}"  {% endif %}          ports:          - containerPort: 9093 diff --git a/roles/openshift_prometheus/vars/default_images.yml b/roles/openshift_prometheus/vars/default_images.yml index 4092eb2d4..ad52a3125 100644 --- a/roles/openshift_prometheus/vars/default_images.yml 
+++ b/roles/openshift_prometheus/vars/default_images.yml
@@ -1,7 +1,12 @@
 ---
-# image defaults
-__openshift_prometheus_image_prefix: "openshift/"
-__openshift_prometheus_image_version: "v2.0.0-dev.3"
-__openshift_prometheus_proxy_image_version: "v1.0.0"
-__openshift_prometheus_alertmanager_image_version: "v0.9.1"
-__openshift_prometheus_alertbuffer_image_version: "v0.0.2"
+# image prefix defaults
+l_openshift_prometheus_image_prefix: "{{ openshift_prometheus_image_prefix | default('openshift/') }}"
+l_openshift_prometheus_proxy_image_prefix: "{{ openshift_prometheus_proxy_image_prefix | default(l_openshift_prometheus_image_prefix) }}"
+l_openshift_prometheus_alertmanager_image_prefix: "{{ openshift_prometheus_altermanager_image_prefix | default(l_openshift_prometheus_image_prefix) }}"
+l_openshift_prometheus_alertbuffer_image_prefix: "{{ openshift_prometheus_alertbuffer_image_prefix | default(l_openshift_prometheus_image_prefix) }}"
+
+# image version defaults
+l_openshift_prometheus_image_version: "{{ openshift_prometheus_image_version | default('v2.0.0-dev.3') }}"
+l_openshift_prometheus_proxy_image_version: "{{ openshift_prometheus_proxy_image_version | default('v1.0.0') }}"
+l_openshift_prometheus_alertmanager_image_version: "{{ openshift_prometheus_alertmanager_image_version | default('v0.9.1') }}"
+l_openshift_prometheus_alertbuffer_image_version: "{{ openshift_prometheus_alertbuffer_image_version | default('v0.0.2') }}"
diff --git a/roles/openshift_prometheus/vars/openshift-enterprise.yml b/roles/openshift_prometheus/vars/openshift-enterprise.yml
index 0b45e03d3..9bb4c99bb 100644
--- a/roles/openshift_prometheus/vars/openshift-enterprise.yml
+++ b/roles/openshift_prometheus/vars/openshift-enterprise.yml
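Review bot: The new `l_openshift_prometheus_alertmanager_image_prefix` line in default_images.yml reads `openshift_prometheus_altermanager_image_prefix` ("alter", not "alert"), a misspelling carried over from the removed `set_fact`. An operator who sets `openshift_prometheus_alertmanager_image_prefix` to point alertmanager at a mirrored or private registry is silently ignored, and the image is pulled from the general prefix instead. The same line appears in the openshift-enterprise.yml hunk that follows. Both should read `l_openshift_prometheus_alertmanager_image_prefix: "{{ openshift_prometheus_alertmanager_image_prefix | default(l_openshift_prometheus_image_prefix) }}"`.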
@@ -1,7 +1,12 @@  --- -# image defaults -__openshift_prometheus_image_prefix: "registry.access.redhat.com/openshift3/" -__openshift_prometheus_image_version: "v3.7" -__openshift_prometheus_proxy_image_version: "v3.7" -__openshift_prometheus_alertmanager_image_version: "v3.7" -__openshift_prometheus_alertbuffer_image_version: "v3.7" +# image prefix defaults +l_openshift_prometheus_image_prefix: "{{ openshift_prometheus_image_prefix | default('registry.access.redhat.com/openshift3/') }}" +l_openshift_prometheus_proxy_image_prefix: "{{ openshift_prometheus_proxy_image_prefix | default(l_openshift_prometheus_image_prefix) }}" +l_openshift_prometheus_alertmanager_image_prefix: "{{ openshift_prometheus_altermanager_image_prefix | default(l_openshift_prometheus_image_prefix) }}" +l_openshift_prometheus_alertbuffer_image_prefix: "{{ openshift_prometheus_alertbuffer_image_prefix | default(l_openshift_prometheus_image_prefix) }}" + +# image version defaults +l_openshift_prometheus_image_version: "{{ openshift_prometheus_image_version | default('v3.7') }}" +l_openshift_prometheus_proxy_image_version: "{{ openshift_prometheus_proxy_image_version | default('v3.7') }}" +l_openshift_prometheus_alertmanager_image_version: "{{ openshift_prometheus_alertmanager_image_version | default('v3.7') }}" +l_openshift_prometheus_alertbuffer_image_version: "{{ openshift_prometheus_alertbuffer_image_version | default('v3.7') }}"  | 
