authorScott Dodson <sdodson@redhat.com>2017-07-17 23:01:25 -0400
committerGitHub <noreply@github.com>2017-07-17 23:01:25 -0400
commita786acd3e6f4ab1fa6b7c4e57d45a8e9fe09be58 (patch)
tree05ee0d4919aad0031f58dd8475b344b723b5b28b /roles
parent69d3800c55bd6b8bdca40d93030b3bfb794fee15 (diff)
parent4c5554f1b84e00f110fbecab740df028916cfb64 (diff)
Merge pull request #4772 from ewolinetz/fix_additive_clusterrole
Updating to use oc replace and conditionally update edit and admin roles
Diffstat (limited to 'roles')
-rw-r--r--roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml6
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml16
2 files changed, 20 insertions, 2 deletions
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
index 2e0dcfd97..bcc7fb590 100644
--- a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -137,6 +137,12 @@ objects:
- serviceclasses
verbs:
- create
+ - apiGroups:
+ - settings.k8s.io
+ resources:
+ - podpresets
+ verbs:
+ - create
- kind: ClusterRoleBinding
apiVersion: v1
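Review bot: The new rule granting `create` on `podpresets` in `settings.k8s.io` carries no comment saying why this role needs it, and the ClusterRole it belongs to starts above the hunk, so its name and subjects cannot be checked from here. A pod preset changes the environment and volumes of pods admitted later in the same namespace, so the holder of this rule can influence pods it did not create; that is worth stating next to the rule. I would add a line such as `# lets the service catalog create PodPresets for bindings (confirm)` above `- apiGroups:`. I would also check that the ClusterRoleBinding that follows binds the role only to the intended service account.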
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index de7511f71..4d1a38e61 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -72,16 +72,22 @@
state: list
register: edit_yaml
+# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/edit
template:
src: sc_role_patching.j2
dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
vars:
original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
- name: update edit role for service catalog and pod preset access
command: >
- oc apply -f {{ mktemp.stdout }}/edit_sc_patch.yml
+ oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
- oc_obj:
name: admin
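Review bot: Switching `oc apply` to `oc replace` in "update edit role for service catalog and pod preset access" overwrites the whole `clusterrole/edit` object with a file rendered from the earlier `edit_yaml` read, so a rule added to the role between the read and the replace could be lost. Whether that can happen depends on `sc_role_patching.j2`, which is not shown: if the rendered file keeps `metadata.resourceVersion` the API server should reject a stale write, otherwise the write wins silently. Please confirm which it is and record it above the task, for example `# oc replace overwrites the full rule list; the rendered file keeps resourceVersion so a concurrent change fails instead of being dropped`. The same applies to the `oc replace` on `admin_sc_patch.yml` in the next hunk.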
@@ -89,16 +95,22 @@
state: list
register: admin_yaml
+# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/admin
template:
src: sc_role_patching.j2
dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
vars:
original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
- name: update admin role for service catalog and pod preset access
command: >
- oc apply -f {{ mktemp.stdout }}/admin_sc_patch.yml
+ oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
- shell: >
oc get policybindings/kube-system:default -n kube-system || echo "not found"
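Review bot: The `when:` expression on "Generate apply template for clusterrole/admin" is repeated verbatim on the `oc replace` task below it, and the edit tasks in the previous hunk follow the same pattern, so the two guards can drift apart on a later edit. If they do, the replace can run without a freshly rendered `admin_sc_patch.yml`, or the template can be rendered and never applied. I would evaluate the check once, for instance with a `set_fact` that stores the result as `admin_needs_sc_rules`, and put `when: admin_needs_sc_rules | bool` on both tasks. Wrapping the two tasks in one `block:` with a single `when:` is equivalent if the supported Ansible version allows it. The comment `# only do this if we don't already have the updated role info` would then need to appear only once.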