From 650149e1fa1e631775aac5ced9b22e03b3090f33 Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Mon, 17 Jul 2017 10:02:32 -0500
Subject: Updating to use oc replace and conditionally update edit and admin
 roles

---
 filter_plugins/oo_filters.py                      | 16 +++++++++++++++-
 roles/openshift_service_catalog/tasks/install.yml | 16 ++++++++++++++--
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index cff9f8a60..399e83bec 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -1008,6 +1008,19 @@ def oo_random_word(length, source='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
     """
     return ''.join(random.choice(source) for i in range(length))
 
+def oo_contains_rule(source, apiGroups, resources, verbs):
+    '''Return true if the specified rule is contained within the provided source'''
+
+    rules=source['rules']
+
+    if rules:
+        for rule in rules:
+            if rule['apiGroups'].sort() == apiGroups.sort():
+                if rule['resources'].sort() == resources.sort():
+                    if rule['verbs'].sort() == verbs.sort():
+                        return True
+
+    return False
 
 class FilterModule(object):
     """ Custom ansible filter mapping """
@@ -1049,5 +1062,6 @@ class FilterModule(object):
             "oo_openshift_loadbalancer_frontends": oo_openshift_loadbalancer_frontends,
             "oo_openshift_loadbalancer_backends": oo_openshift_loadbalancer_backends,
             "to_padded_yaml": to_padded_yaml,
-            "oo_random_word": oo_random_word
+            "oo_random_word": oo_random_word,
+            "oo_contains_rule": oo_contains_rule
         }
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index de7511f71..98a13a462 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -72,16 +72,22 @@
     state: list
   register: edit_yaml
 
+# only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/edit
   template:
     src: sc_role_patching.j2
     dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
   vars:
     original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
+  when:
+  - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
+# only do this if we don't already have the updated role info
 - name: update edit role for service catalog and pod preset access
   command: >
-    oc apply -f {{ mktemp.stdout }}/edit_sc_patch.yml
+    oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
+  when:
+  - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 - oc_obj:
     name: admin
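Review bot: The switch to `oc replace` in the "update edit role" task writes back a whole copy of clusterrole/edit rendered from the earlier `oc_obj` read, and nothing in the hunk says what happens if the role changes between that read and the write. Depending on whether sc_role_patching.j2 (not visible here) keeps `metadata.resourceVersion`, a concurrent change is presumably either rejected as a conflict or overwritten. That is worth stating for a default cluster role. I would add above the task `# oc replace rewrites the full clusterrole from the copy read above plus the new rules`. The same applies to the "update admin role" task in the next hunk.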
@@ -89,16 +95,22 @@
     state: list
   register: admin_yaml
 
+# only do this if we don't already have the updated role info
 - name: Generate apply template for clusterrole/admin
   template:
     src: sc_role_patching.j2
     dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
   vars:
     original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
+  when:
+  - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
+# only do this if we don't already have the updated role info
 - name: update admin role for service catalog and pod preset access
   command: >
-    oc apply -f {{ mktemp.stdout }}/admin_sc_patch.yml
+    oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
+  when:
+  - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 - shell: >
     oc get policybindings/kube-system:default -n kube-system || echo "not found"
-- 
cgit v1.2.3


From 9d041fddeed79b3af9eb2a76a93598c902eebbda Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Mon, 17 Jul 2017 14:07:19 -0500
Subject: Adding ability to create podpreset for service-catalog-controller for
 bz1471881

---
 .../files/kubeservicecatalog_roles_bindings.yml                     | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 2e0dcfd97..bcc7fb590 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -137,6 +137,12 @@ objects:
     - serviceclasses
     verbs:
     - create
+  - apiGroups:
+    - settings.k8s.io
+    resources:
+    - podpresets
+    verbs:
+    - create
 
 - kind: ClusterRoleBinding
   apiVersion: v1
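Review bot: The new rule grants `create` on `podpresets` in `settings.k8s.io` with no comment saying why. The kind and name of the role it belongs to sit above the hunk, so the scope of the grant cannot be read from here. PodPresets alter pods at admission, so if this is a ClusterRole bound cluster-wide, the holder can influence pods in any namespace, and that deserves a line of justification next to the rule. I would add `# service-catalog-controller creates podpresets (bz1471881)` above the new `- apiGroups:` entry.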
-- 
cgit v1.2.3


From 4c5554f1b84e00f110fbecab740df028916cfb64 Mon Sep 17 00:00:00 2001
From: ewolinetz <ewolinet@redhat.com>
Date: Mon, 17 Jul 2017 16:40:25 -0500
Subject: Updating to compare sets instead of sorted lists

---
 filter_plugins/oo_filters.py                      | 10 ++++++----
 roles/openshift_service_catalog/tasks/install.yml |  8 ++++----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index 399e83bec..c6d0e69eb 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -1008,20 +1008,22 @@ def oo_random_word(length, source='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
     """
     return ''.join(random.choice(source) for i in range(length))
 
+
 def oo_contains_rule(source, apiGroups, resources, verbs):
     '''Return true if the specified rule is contained within the provided source'''
 
-    rules=source['rules']
+    rules = source['rules']
 
     if rules:
         for rule in rules:
-            if rule['apiGroups'].sort() == apiGroups.sort():
-                if rule['resources'].sort() == resources.sort():
-                    if rule['verbs'].sort() == verbs.sort():
+            if set(rule['apiGroups']) == set(apiGroups):
+                if set(rule['resources']) == set(resources):
+                    if set(rule['verbs']) == set(verbs):
                         return True
 
     return False
 
+
 class FilterModule(object):
     """ Custom ansible filter mapping """
 
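Review bot: `oo_contains_rule` tests the three sets for exact equality, so a rule that grants the requested verbs plus others, or lists an extra resource, is reported as not contained, which is at odds with the name and docstring. In install.yml that makes the `when:` conditions true and re-runs the template and `oc replace` against roles that already grant the access. Whether that duplicates rules depends on sc_role_patching.j2, which is not shown. A subset test matches the intent: `if set(apiGroups) <= set(rule['apiGroups']):`, and the same for `resources` and `verbs`. A rule lacking one of the three keys would also raise KeyError at the indexing, which `rule.get('apiGroups', [])` avoids if such rules can occur in these roles.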
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index 98a13a462..4d1a38e61 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -80,14 +80,14 @@
   vars:
     original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
   when:
-  - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 # only do this if we don't already have the updated role info
 - name: update edit role for service catalog and pod preset access
   command: >
     oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
   when:
-  - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+    - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 - oc_obj:
     name: admin
@@ -103,14 +103,14 @@
   vars:
     original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
   when:
-  - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 # only do this if we don't already have the updated role info
 - name: update admin role for service catalog and pod preset access
   command: >
     oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
   when:
-  - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+    - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
 
 - shell: >
     oc get policybindings/kube-system:default -n kube-system || echo "not found"
-- 
cgit v1.2.3