From 12cbf318aa178a998e56a6f6c76fea6fca585964 Mon Sep 17 00:00:00 2001
From: staebler <staebler@redhat.com>
Date: Wed, 1 Nov 2017 14:07:54 -0400
Subject: Give admin and edit roles permission to patch ServiceInstances and
 ServiceBindings

---
 roles/openshift_service_catalog/tasks/install.yml                 | 8 ++++----
 .../templates/sc_admin_edit_role_patching.j2                      | 1 +
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index d17468b5c..0641483cd 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -88,14 +88,14 @@
   vars:
     original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
   when:
-    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 # only do this if we don't already have the updated role info
 - name: update edit role for service catalog and pod preset access
   command: >
     oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
   when:
-    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 - oc_obj:
     name: admin
@@ -111,14 +111,14 @@
   vars:
     original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
   when:
-    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 # only do this if we don't already have the updated role info
 - name: update admin role for service catalog and pod preset access
   command: >
     oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
   when:
-    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['serviceinstances', 'servicebindings'], ['create', 'update', 'delete', 'get', 'list', 'watch', 'patch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 - oc_obj:
     name: view
diff --git a/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2 b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2
index 4629d5bb3..59cceafcf 100644
--- a/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2
+++ b/roles/openshift_service_catalog/templates/sc_admin_edit_role_patching.j2
@@ -12,6 +12,7 @@
   - get
   - list
   - watch
+  - patch
 - apiGroups:
   - "settings.k8s.io"
   attributeRestrictions: null
-- 
cgit v1.2.3