From 9bca21bd873b774ca8a421bfc0f6d3755ebef02b Mon Sep 17 00:00:00 2001 From: Fabian von Feilitzsch Date: Thu, 12 Oct 2017 12:54:23 -0400 Subject: Bug 1496426 - add asb-client secret to openshift-ansible-service-broker namespace --- roles/ansible_service_broker/tasks/install.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index c0384b7c4..ffbd51c2b 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -113,6 +113,7 @@ - name: create asb-client token secret oc_obj: name: asb-client + namespace: openshift-ansible-service-broker state: present kind: Secret content: @@ -122,6 +123,7 @@ kind: Secret metadata: name: asb-client + namespace: openshift-ansible-service-broker annotations: kubernetes.io/service-account.name: asb-client type: kubernetes.io/service-account-token @@ -141,6 +143,7 @@ kind: Service metadata: name: asb + namespace: openshift-ansible-service-broker labels: app: openshift-ansible-service-broker service: asb @@ -340,7 +343,7 @@ metadata: name: ansible-service-broker spec: - url: http://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker + url: https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker authInfo: bearer: secretRef: -- cgit v1.2.3 From ebb111da65ecfbdc322b66eebe63bdd612614365 Mon Sep 17 00:00:00 2001 From: Fabian von Feilitzsch Date: Thu, 12 Oct 2017 13:25:59 -0400 Subject: use master cert --- roles/ansible_service_broker/tasks/install.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index ffbd51c2b..c0be9896c 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -23,7 +23,7 @@ ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}" ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}" - ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/service-catalog" + openshift_master_config_dir: "{{ openshift_master_config_dir | default(openshift.common.config_base + '/master') }}" - name: set ansible-service-broker image facts using set prefix and tag set_fact: @@ -35,7 +35,7 @@ when: openshift_master_config_dir is undefined - slurp: - src: "{{ openshift_master_config_dir }}/service-signer.crt" + src: "{{ openshift_master_config_dir }}/ca.crt" register: catalog_ca -- cgit v1.2.3 From 2097c725cd57d45125295685b669f4cc8a76efcd Mon Sep 17 00:00:00 2001 From: Fabian von Feilitzsch Date: Fri, 13 Oct 2017 14:08:56 -0400 Subject: Use service-ca.crt instead of master ca.crt --- roles/ansible_service_broker/tasks/install.yml | 27 +++++++++++--------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index c0be9896c..de62d11e8 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -23,22 +23,11 @@ ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}" ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}" - openshift_master_config_dir: "{{ openshift_master_config_dir | default(openshift.common.config_base + '/master') }}" - - name: set ansible-service-broker image facts using set prefix and tag set_fact: ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}" ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}" -- set_fact: - openshift_master_config_dir: "{{ openshift.common.config_base }}/master" - when: openshift_master_config_dir is undefined - -- slurp: - src: "{{ openshift_master_config_dir }}/ca.crt" - register: catalog_ca - - - include: validate_facts.yml @@ -83,13 +72,12 @@ state: present name: asb-access rules: - - nonResourceURLs: ["/ansible-service-broker", "ansible-service-broker/*"] + - nonResourceURLs: ["/ansible-service-broker", "/ansible-service-broker/*"] verbs: ["get", "post", "put", "patch", "delete"] - name: Bind admin cluster-role to asb serviceaccount oc_adm_policy_user: state: present - namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: admin user: "system:serviceaccount:openshift-ansible-service-broker:asb" @@ -97,7 +85,6 @@ - name: Bind auth cluster role to asb service account oc_adm_policy_user: state: present - namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: asb-auth user: "system:serviceaccount:openshift-ansible-service-broker:asb" @@ -105,7 +92,6 @@ - name: Bind asb-access role to asb-client service account oc_adm_policy_user: state: present - namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: asb-access user: "system:serviceaccount:openshift-ansible-service-broker:asb-client" @@ -128,6 +114,15 @@ kubernetes.io/service-account.name: asb-client type: kubernetes.io/service-account-token +- oc_secret: + state: list + namespace: openshift-ansible-service-broker + name: asb-client + register: asb_client_secret + +- set_fact: + service_ca_crt: asb_client_secret.results.results.0.data['service-ca.crt'] + # Using oc_obj because oc_service doesn't seem to allow annotations # TODO: Extend oc_service to allow annotations - name: create ansible-service-broker service @@ -350,4 +345,4 @@ name: asb-client namespace: openshift-ansible-service-broker kind: Secret - caBundle: "{{ catalog_ca.content }}" + caBundle: "{{ service_ca_crt }}" -- cgit v1.2.3 From 1aa2a93f564e279bc6362281c067fd93599a9666 Mon Sep 17 00:00:00 2001 From: Fabian von Feilitzsch Date: Thu, 19 Oct 2017 14:12:10 -0400 Subject: Update defaults --- roles/ansible_service_broker/defaults/main.yml | 5 +---- roles/ansible_service_broker/tasks/install.yml | 2 ++ roles/ansible_service_broker/vars/default_images.yml | 2 ++ roles/ansible_service_broker/vars/openshift-enterprise.yml | 5 ++++- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/roles/ansible_service_broker/defaults/main.yml b/roles/ansible_service_broker/defaults/main.yml index fa982d533..dc05b03b5 100644 --- a/roles/ansible_service_broker/defaults/main.yml +++ b/roles/ansible_service_broker/defaults/main.yml @@ -13,7 +13,4 @@ ansible_service_broker_launch_apb_on_bind: false ansible_service_broker_image_pull_policy: IfNotPresent ansible_service_broker_sandbox_role: edit -ansible_service_broker_auto_escalate: true -ansible_service_broker_registry_tag: latest -ansible_service_broker_registry_whitelist: - - '.*-apb$' +ansible_service_broker_auto_escalate: false diff --git a/roles/ansible_service_broker/tasks/install.yml b/roles/ansible_service_broker/tasks/install.yml index de62d11e8..420d73881 100644 --- a/roles/ansible_service_broker/tasks/install.yml +++ b/roles/ansible_service_broker/tasks/install.yml @@ -22,6 +22,8 @@ ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}" ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}" ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}" + ansible_service_broker_registry_tag: "{{ ansible_service_broker_registry_tag | default(__ansible_service_broker_registry_tag) }}" + ansible_service_broker_registry_whitelist: "{{ ansible_service_broker_registry_whitelist | default(__ansible_service_broker_registry_whitelist) }}" - name: set ansible-service-broker image facts using set prefix and tag set_fact: diff --git a/roles/ansible_service_broker/vars/default_images.yml b/roles/ansible_service_broker/vars/default_images.yml index 3e9639adf..8438e993f 100644 --- a/roles/ansible_service_broker/vars/default_images.yml +++ b/roles/ansible_service_broker/vars/default_images.yml @@ -13,3 +13,5 @@ __ansible_service_broker_registry_url: null __ansible_service_broker_registry_user: null __ansible_service_broker_registry_password: null __ansible_service_broker_registry_organization: null +__ansible_service_broker_registry_tag: latest +__ansible_service_broker_registry_whitelist: [] diff --git a/roles/ansible_service_broker/vars/openshift-enterprise.yml b/roles/ansible_service_broker/vars/openshift-enterprise.yml index 9c576cb76..fc58b4fd8 100644 --- a/roles/ansible_service_broker/vars/openshift-enterprise.yml +++ b/roles/ansible_service_broker/vars/openshift-enterprise.yml @@ -1,7 +1,7 @@ --- __ansible_service_broker_image_prefix: registry.access.redhat.com/openshift3/ose- -__ansible_service_broker_image_tag: v3.6 +__ansible_service_broker_image_tag: v3.7 __ansible_service_broker_etcd_image_prefix: rhel7/ __ansible_service_broker_etcd_image_tag: latest @@ -14,3 +14,6 @@ __ansible_service_broker_registry_url: "https://registry.access.redhat.com" __ansible_service_broker_registry_user: null __ansible_service_broker_registry_password: null __ansible_service_broker_registry_organization: null +__ansible_service_broker_registry_tag: v3.7 +__ansible_service_broker_registry_whitelist: + - '.*-apb$' -- cgit v1.2.3