From e2d0ebb3bf2cc37f44af53dfad9e1789713fd3b9 Mon Sep 17 00:00:00 2001 
From: ewolinetz Date: Mon, 3 Apr 2017 15:01:41 -0500 Subject: Creation of service_catalog and placeholder broker roles --- roles/openshift_service_catalog/defaults/main.yml | 3 + .../files/kubeservicecatalog_roles_bindings.yml | 161 ++++++++++++++++++ .../files/kubesystem_roles_bindings.yml | 38 +++++ roles/openshift_service_catalog/meta/main.yml | 17 ++ .../tasks/generate_certs.yml | 70 ++++++++ roles/openshift_service_catalog/tasks/install.yml | 180 +++++++++++++++++++++ roles/openshift_service_catalog/tasks/main.yml | 8 + roles/openshift_service_catalog/tasks/remove.yml | 56 +++++++ .../tasks/wire_aggregator.yml | 86 ++++++++++ .../templates/api_server.j2 | 80 +++++++++ .../templates/api_server_route.j2 | 14 ++ .../templates/api_server_service.j2 | 13 ++ .../templates/controller_manager.j2 | 46 ++++++ .../templates/controller_manager_service.j2 | 13 ++ .../vars/default_images.yml | 3 + .../vars/openshift-enterprise.yml | 3 + .../defaults/main.yml | 6 + .../openshift_service_catalog_broker/meta/main.yml | 16 ++ .../tasks/install.yml | 65 ++++++++ .../tasks/main.yml | 6 + .../tasks/remove.yml | 19 +++ .../templates/broker.j2 | 41 +++++ .../templates/broker_broker.j2 | 7 + .../templates/broker_service.j2 | 13 ++ .../vars/default_images.yml | 3 + .../vars/openshift-enterprise.yml | 3 + 26 files changed, 970 insertions(+) create mode 100644 roles/openshift_service_catalog/defaults/main.yml create mode 100644 roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml create mode 100644 roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml create mode 100644 roles/openshift_service_catalog/meta/main.yml create mode 100644 roles/openshift_service_catalog/tasks/generate_certs.yml create mode 100644 roles/openshift_service_catalog/tasks/install.yml create mode 100644 roles/openshift_service_catalog/tasks/main.yml create mode 100644 roles/openshift_service_catalog/tasks/remove.yml create mode 100644 
roles/openshift_service_catalog/tasks/wire_aggregator.yml create mode 100644 roles/openshift_service_catalog/templates/api_server.j2 create mode 100644 roles/openshift_service_catalog/templates/api_server_route.j2 create mode 100644 roles/openshift_service_catalog/templates/api_server_service.j2 create mode 100644 roles/openshift_service_catalog/templates/controller_manager.j2 create mode 100644 roles/openshift_service_catalog/templates/controller_manager_service.j2 create mode 100644 roles/openshift_service_catalog/vars/default_images.yml create mode 100644 roles/openshift_service_catalog/vars/openshift-enterprise.yml create mode 100644 roles/openshift_service_catalog_broker/defaults/main.yml create mode 100644 roles/openshift_service_catalog_broker/meta/main.yml create mode 100644 roles/openshift_service_catalog_broker/tasks/install.yml create mode 100644 roles/openshift_service_catalog_broker/tasks/main.yml create mode 100644 roles/openshift_service_catalog_broker/tasks/remove.yml create mode 100644 roles/openshift_service_catalog_broker/templates/broker.j2 create mode 100644 roles/openshift_service_catalog_broker/templates/broker_broker.j2 create mode 100644 roles/openshift_service_catalog_broker/templates/broker_service.j2 create mode 100644 roles/openshift_service_catalog_broker/vars/default_images.yml create mode 100644 roles/openshift_service_catalog_broker/vars/openshift-enterprise.yml (limited to 'roles') diff --git a/roles/openshift_service_catalog/defaults/main.yml b/roles/openshift_service_catalog/defaults/main.yml new file mode 100644 index 000000000..dc573e78a --- /dev/null +++ b/roles/openshift_service_catalog/defaults/main.yml @@ -0,0 +1,3 @@ +--- +openshift_service_catalog_remove: false +openshift_service_catalog_nodeselector: {} diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml new file mode 100644 index 000000000..880146ca4 
--- /dev/null +++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml 
@@ -0,0 +1,161 @@ +apiVersion: v1 +kind: Template +metadata: + name: service-catalog +objects: + +- kind: ClusterRole + apiVersion: v1 + metadata: + name: servicecatalog-serviceclass-viewer + rules: + - apiGroups: + - servicecatalog.k8s.io + resources: + - serviceclasses + verbs: + - list + - watch + - get + +- kind: ClusterRoleBinding + apiVersion: v1 + metadata: + name: servicecatalog-serviceclass-viewer-binding + roleRef: + name: servicecatalog-serviceclass-viewer + groupNames: + - system:authenticated + +- kind: ServiceAccount + apiVersion: v1 + metadata: + name: service-catalog-controller + +- kind: ServiceAccount + apiVersion: v1 + metadata: + name: service-catalog-apiserver + +- kind: ClusterRole + apiVersion: v1 + metadata: + name: sar-creator + rules: + - apiGroups: + - "" + resources: + - subjectaccessreviews.authorization.k8s.io + verbs: + - create + +- kind: ClusterRoleBinding + apiVersion: v1 + metadata: + name: service-catalog-sar-creator-binding + roleRef: + name: sar-creator + userNames: + - system:serviceaccount:kube-service-catalog:service-catalog-apiserver + +- kind: ClusterRole + apiVersion: v1 + metadata: + name: namespace-viewer + rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - list + - watch + - get + +- kind: ClusterRoleBinding + apiVersion: v1 + metadata: + name: service-catalog-namespace-viewer-binding + roleRef: + name: namespace-viewer + userNames: + - system:serviceaccount:kube-service-catalog:service-catalog-apiserver + +- kind: ClusterRoleBinding + apiVersion: v1 + metadata: + name: service-catalog-controller-namespace-viewer-binding + roleRef: + name: namespace-viewer + userNames: + - system:serviceaccount:kube-service-catalog:service-catalog-controller + +- kind: ClusterRole + apiVersion: v1 + metadata: + name: service-catalog-controller + rules: + - apiGroups: + - "" + resources: + - secrets + - podpresets + verbs: + - create + - update + - delete + - get + - list + - watch + - apiGroups: + - 
servicecatalog.k8s.io + resources: + - brokers/status + - instances/status + - bindings/status + verbs: + - update + +- kind: ClusterRoleBinding + apiVersion: v1 + metadata: + name: service-catalog-controller-binding + roleRef: + name: service-catalog-controller + userNames: + - system:serviceaccount:kube-service-catalog:service-catalog-controller + +- kind: Role + apiVersion: v1 + metadata: + name: endpoint-accessor + rules: + - apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch + - get + - create + - update + +- kind: RoleBinding + apiVersion: v1 + metadata: + name: endpoint-accessor-binding + roleRef: + name: endpoint-accessor + namespace: kube-service-catalog + userNames: + - system:serviceaccount:kube-service-catalog:service-catalog-controller + +- kind: ClusterRoleBinding + apiVersion: v1 + metadata: + name: system:auth-delegator-binding + roleRef: + name: system:auth-delegator + userNames: + - system:serviceaccount:kube-service-catalog:service-catalog-apiserver diff --git a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml new file mode 100644 index 000000000..f6ee0955d --- /dev/null +++ b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml 
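Review bot: The `service-catalog-controller` ClusterRole grants create/update/delete/get/list/watch on `secrets` in every namespace, and `servicecatalog-serviceclass-viewer-binding` gives `system:authenticated` cluster-wide read on serviceclasses, yet neither grant carries a comment saying why that scope is needed. A later RBAC review cannot tell whether the controller could be confined to the namespaces it binds into, so I would add a comment above the controller role such as `# cluster-wide secrets access: <reason the controller must write secrets in arbitrary namespaces>` and one above the viewer binding stating that serviceclass listing is intentionally open to all authenticated users. The `endpoint-accessor` Role and its RoleBinding are correctly namespace-scoped to `kube-service-catalog`; note that no workload in this commit actually runs as `service-catalog-controller` (the controller-manager template sets no `serviceAccountName`), so this binding is currently unused.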
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Template +metadata: + name: kube-system-service-catalog +objects: + +- kind: Role + apiVersion: v1 + metadata: + name: extension-apiserver-authentication-reader + namespace: ${KUBE_SYSTEM_NAMESPACE} + rules: + - apiGroups: + - "" + resourceNames: + - extension-apiserver-authentication + resources: + - configmaps + verbs: + - get + +- kind: RoleBinding + apiVersion: v1 + metadata: + name: extension-apiserver-authentication-reader-binding + namespace: ${KUBE_SYSTEM_NAMESPACE} + roleRef: + name: extension-apiserver-authentication-reader + namespace: kube-system + userNames: + - system:serviceaccount:kube-service-catalog:service-catalog-apiserver + +parameters: +- description: Do not change this value. + displayName: Name of the kube-system namespace + name: KUBE_SYSTEM_NAMESPACE + required: true + value: kube-system diff --git a/roles/openshift_service_catalog/meta/main.yml b/roles/openshift_service_catalog/meta/main.yml new file mode 100644 index 000000000..1e6b837cd --- /dev/null +++ b/roles/openshift_service_catalog/meta/main.yml @@ -0,0 +1,17 @@ +--- +galaxy_info: + author: OpenShift Red Hat + description: OpenShift Service Catalog + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: lib_openshift +- role: openshift_facts +- role: lib_utils diff --git a/roles/openshift_service_catalog/tasks/generate_certs.yml b/roles/openshift_service_catalog/tasks/generate_certs.yml new file mode 100644 index 000000000..cc897b032 --- /dev/null +++ b/roles/openshift_service_catalog/tasks/generate_certs.yml 
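Review bot: The RoleBinding's `roleRef.namespace` is the literal `kube-system` while the Role's `metadata.namespace` and the binding's own `metadata.namespace` come from `${KUBE_SYSTEM_NAMESPACE}`; if the parameter were ever set to anything else, the binding would point at a Role in a different namespace than the one this template creates. Either use the parameter consistently (`namespace: ${KUBE_SYSTEM_NAMESPACE}` under `roleRef`) or drop the parameter entirely, since its own description says it must not be changed. The role itself (`get` on the single `extension-apiserver-authentication` configmap) is tightly scoped, which is the right shape for an aggregated apiserver's authentication reader.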
@@ -0,0 +1,70 @@ +--- +- name: Create service catalog cert directory + file: + path: "{{ openshift.common.config_base }}/service-catalog" + state: directory + mode: 0755 + changed_when: False + check_mode: no + +- set_fact: + generated_certs_dir: "{{ openshift.common.config_base }}/service-catalog" + +- name: Generate signing cert + command: > + {{ openshift.common.client_binary }} adm --config=/etc/origin/master/admin.kubeconfig ca create-signer-cert + --key={{ generated_certs_dir }}/ca.key --cert={{ generated_certs_dir }}/ca.crt + --serial={{ generated_certs_dir }}/apiserver.serial.txt --name=service-catalog-signer + +- name: Generating server keys + oc_adm_ca_server_cert: + cert: "{{ generated_certs_dir }}/apiserver.crt" + key: "{{ generated_certs_dir }}/apiserver.key" + hostnames: "apiserver.kube-service-catalog.svc,apiserver.kube-service-catalog.svc.cluster.local,apiserver.kube-service-catalog" + signer_cert: "{{ generated_certs_dir }}/ca.crt" + signer_key: "{{ generated_certs_dir }}/ca.key" + signer_serial: "{{ generated_certs_dir }}/apiserver.serial.txt" + +- name: Create apiserver-ssl secret + oc_secret: + state: present + name: apiserver-ssl + namespace: kube-service-catalog + files: + - name: tls.crt + path: "{{ generated_certs_dir }}/apiserver.crt" + - name: tls.key + path: "{{ generated_certs_dir }}/apiserver.key" + +- slurp: + src: "{{ generated_certs_dir }}/ca.crt" + register: apiserver_ca + +- shell: > + oc get apiservices.apiregistration.k8s.io/v1alpha1.servicecatalog.k8s.io -n kube-service-catalog || echo "not found" + register: get_apiservices + changed_when: no + +- name: Create api service + oc_obj: + state: present + name: v1alpha1.servicecatalog.k8s.io + kind: apiservices.apiregistration.k8s.io + namespace: "kube-service-catalog" + content: + path: /tmp/apisvcout + data: + apiVersion: apiregistration.k8s.io/v1beta1 + kind: APIService + metadata: + name: v1alpha1.servicecatalog.k8s.io + spec: + group: servicecatalog.k8s.io + version: v1alpha1 + 
service: + namespace: "kube-service-catalog" + name: apiserver + caBundle: "{{ apiserver_ca.content }}" + groupPriorityMinimum: 20 + versionPriority: 10 + when: "'not found' in get_apiservices.stdout" diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml new file mode 100644 index 000000000..a8d292f17 --- /dev/null +++ b/roles/openshift_service_catalog/tasks/install.yml 
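Review bot: The `Generate signing cert` command has no `creates:` guard, so every run of the role mints a new service-catalog CA and reissues the apiserver serving cert from it, while the APIService is only written when `'not found' in get_apiservices.stdout`; on the second run the registered `caBundle` still holds the first CA and the aggregator can no longer verify the apiserver. Guard the command with `args:` / `creates: "{{ generated_certs_dir }}/ca.crt"`, or make the APIService task unconditional so its `caBundle` always tracks the CA on disk. The directory that will hold `ca.key` and `apiserver.key` is created with `mode: 0755` and no mode is set on the key files, so their permissions are whatever `oc adm ca create-signer-cert` and `oc_adm_ca_server_cert` choose — pin the directory to `"0700"` (quoted, to avoid YAML octal handling) or set explicit modes on the key files. The `--config=/etc/origin/master/admin.kubeconfig` path is hard-coded while the same task uses `openshift.common.config_base` for the output directory; use the fact for both.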
@@ -0,0 +1,180 @@ +--- +# do any asserts here + +- name: Create temp directory for doing work in + command: mktemp -d /tmp/openshift-service-catalog-ansible-XXXXXX + register: mktemp + changed_when: False + + +- include: wire_aggregator.yml + +- name: Set default image variables based on deployment_type + include_vars: "{{ item }}" + with_first_found: + - "{{ openshift_deployment_type | default(deployment_type) }}.yml" + - "default_images.yml" + +- name: Set service_catalog image facts + set_fact: + openshift_service_catalog_image_prefix: "{{ openshift_service_catalog_image_prefix | default(__openshift_service_catalog_image_prefix) }}" + openshift_service_catalog_image_version: "{{ openshift_service_catalog_image_version | default(__openshift_service_catalog_image_version) }}" + +- name: Set Service Catalog namespace + oc_project: + state: present + name: "kube-service-catalog" +# node_selector: "{{ openshift_service_catalog_nodeselector | default(null) }}" + +- include: generate_certs.yml + +- copy: + src: kubeservicecatalog_roles_bindings.yml + dest: "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml" + +- oc_obj: + name: service-catalog + kind: template + namespace: "kube-service-catalog" + files: + - "{{ mktemp.stdout }}/kubeservicecatalog_roles_bindings.yml" + delete_after: yes + +- oc_process: + create: True + template_name: service-catalog + namespace: "kube-service-catalog" + +- copy: + src: kubesystem_roles_bindings.yml + dest: "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml" + +- oc_obj: + name: kube-system-service-catalog + kind: template + namespace: kube-system + files: + - "{{ mktemp.stdout }}/kubesystem_roles_bindings.yml" + delete_after: yes + +- oc_process: + create: True + template_name: kube-system-service-catalog + namespace: kube-system + +- shell: > + oc get policybindings/kube-system:default -n kube-system || echo "not found" + register: get_kube_system + changed_when: no + +- command: > + oc create policybinding kube-system -n 
kube-system + when: "'not found' in get_kube_system.stdout" + +- oc_adm_policy_user: + namespace: kube-service-catalog + resource_kind: scc + resource_name: hostmount-anyuid + state: present + user: "system:serviceaccount:kube-service-catalog:service-catalog-apiserver" + +- name: Set SA cluster-role + oc_adm_policy_user: + state: present + namespace: "kube-service-catalog" + resource_kind: cluster-role + resource_name: admin + user: "system:serviceaccount:kube-service-catalog:default" + +## api server +- template: + src: api_server.j2 + dest: "{{ mktemp.stdout }}/service_catalog_api_server.yml" + vars: + image: "" + namespace: "" + cpu_limit: none + memory_limit: none + cpu_requests: none + memory_request: none + cors_allowed_origin: localhost + node_selector: {"openshift-infra": "apiserver"} + +- name: Set Service Catalog API Server daemonset + oc_obj: + state: present + namespace: "kube-service-catalog" + kind: daemonset + name: apiserver + files: + - "{{ mktemp.stdout }}/service_catalog_api_server.yml" + delete_after: yes + +- template: + src: api_server_service.j2 + dest: "{{ mktemp.stdout }}/service_catalog_api_service.yml" + +- name: Set Service Catalog API Server service + oc_obj: + state: present + namespace: "kube-service-catalog" + kind: service + name: apiserver + files: + - "{{ mktemp.stdout }}/service_catalog_api_service.yml" + delete_after: yes + +- template: + src: api_server_route.j2 + dest: "{{ mktemp.stdout }}/service_catalog_api_route.yml" + +- name: Set Service Catalog API Server route + oc_obj: + state: present + namespace: "kube-service-catalog" + kind: route + name: apiserver + files: + - "{{ mktemp.stdout }}/service_catalog_api_route.yml" + delete_after: yes + +## controller manager +- template: + src: controller_manager.j2 + dest: "{{ mktemp.stdout }}/controller_manager.yml" + vars: + image: "" + node_selector: "" + cpu_limit: none + memory_limit: none + node_selector: {"openshift-infra": "apiserver"} + +- name: Set Controller Manager 
deployment + oc_obj: + state: present + namespace: "kube-service-catalog" + kind: daemonset + name: controller-manager + files: + - "{{ mktemp.stdout }}/controller_manager.yml" + delete_after: yes + +- template: + src: controller_manager_service.j2 + dest: "{{ mktemp.stdout }}/controller_manager_service.yml" + +- name: Set Controller Manager service + oc_obj: + state: present + namespace: "kube-service-catalog" + kind: service + name: controller-manager + files: + - "{{ mktemp.stdout }}/controller_manager_service.yml" + delete_after: yes + +- name: Delete temp directory + file: + name: "{{ mktemp.stdout }}" + state: absent + changed_when: False diff --git a/roles/openshift_service_catalog/tasks/main.yml b/roles/openshift_service_catalog/tasks/main.yml new file mode 100644 index 000000000..dc0d6a370 --- /dev/null +++ b/roles/openshift_service_catalog/tasks/main.yml @@ -0,0 +1,8 @@ +--- +# do any asserts here + +- include: install.yml + when: not openshift_service_catalog_remove | default(false) | bool + +- include: remove.yml + when: openshift_service_catalog_remove | default(false) | bool diff --git a/roles/openshift_service_catalog/tasks/remove.yml b/roles/openshift_service_catalog/tasks/remove.yml new file mode 100644 index 000000000..2fb1ec440 --- /dev/null +++ b/roles/openshift_service_catalog/tasks/remove.yml 
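Review bot: `Set SA cluster-role` binds `admin` to `system:serviceaccount:kube-service-catalog:default`, and because `controller_manager.j2` sets no `serviceAccountName`, the controller-manager pod is what actually runs with namespace-admin rights even though the commit also creates a dedicated `service-catalog-controller` SA with the narrower `endpoint-accessor` role for it. Set `serviceAccountName: service-catalog-controller` in the controller-manager template and drop the `admin` grant unless something else in the namespace needs it, with a comment saying what. The `hostmount-anyuid` SCC grant exists only so `api_server.j2` can hostPath-mount `/etc/origin/master`; mounting the three etcd client files from a secret instead would let that grant go away. Separately, the controller-manager `template` task's `vars` lists `node_selector` twice (`node_selector: ""` then `node_selector: {"openshift-infra": "apiserver"}`); parsers silently keep the last value, so remove the first, and the `image`/`namespace`/`cpu_limit`/`memory_limit`/`cpu_requests`/`memory_request` vars can go as well since neither `api_server.j2` nor `controller_manager.j2` reads them.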
@@ -0,0 +1,56 @@ +--- +- name: Remove Service Catalog APIServer + command: > + oc delete apiservices.apiregistration.k8s.io/v1alpha1.servicecatalog.k8s.io --ignore-not-found -n kube-service-catalog + +- name: Remove Policy Binding + command: > + oc delete policybindings/kube-system:default -n kube-system --ignore-not-found + +# TODO: this module doesn't currently remove this +#- name: Remove service catalog api service +# oc_obj: +# state: absent +# namespace: "kube-service-catalog" +# kind: apiservices.apiregistration.k8s.io +# name: v1alpha1.servicecatalog.k8s.io + +- name: Remove Service Catalog API Server route + oc_obj: + state: absent + namespace: "kube-service-catalog" + kind: route + name: apiserver + +- name: Remove Service Catalog API Server service + oc_obj: + state: absent + namespace: "kube-service-catalog" + kind: service + name: apiserver + +- name: Remove Service Catalog API Server daemonset + oc_obj: + state: absent + namespace: "kube-service-catalog" + kind: daemonset + name: apiserver + +- name: Remove Controller Manager service + oc_obj: + state: absent + namespace: "kube-service-catalog" + kind: service + name: controller-manager + +- name: Remove Controller Manager deployment + oc_obj: + state: absent + namespace: "kube-service-catalog" + kind: deployment + name: controller-manager + +- name: Remove Service Catalog namespace + oc_project: + state: absent + name: "kube-service-catalog" diff --git a/roles/openshift_service_catalog/tasks/wire_aggregator.yml b/roles/openshift_service_catalog/tasks/wire_aggregator.yml new file mode 100644 index 000000000..3e5897ba4 --- /dev/null +++ b/roles/openshift_service_catalog/tasks/wire_aggregator.yml 
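Review bot: `Remove Controller Manager deployment` deletes `kind: deployment` named `controller-manager`, but `install.yml` creates that object as `kind: daemonset` (and `controller_manager.j2` is a DaemonSet), so this task is a no-op and the daemonset only disappears, if at all, as a side effect of the namespace deletion at the end. Change it to `kind: daemonset` to match install. `Remove Policy Binding` unconditionally deletes `policybindings/kube-system:default`, while install only created it when it was `not found`; if it pre-existed, tearing down the catalog would also remove unrelated role bindings in kube-system, so record at install time whether it was created here (a fact derived from `get_kube_system`) and delete only in that case.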
@@ -0,0 +1,86 @@ +--- +# TODO: this currently has a bug where hostnames are required +- name: Creating Aggregator signer certs + command: > + oc adm ca create-signer-cert + --cert=/etc/origin/master/front-proxy-ca.crt + --key=/etc/origin/master/front-proxy-ca.key + --serial=/etc/origin/master/ca.serial.txt +# oc_adm_ca_server_cert: +# cert: /etc/origin/master/front-proxy-ca.crt +# key: /etc/origin/master/front-proxy-ca.key + +- name: Create api-client config for Aggregator + command: > + oc adm create-api-client-config + --certificate-authority=/etc/origin/master/front-proxy-ca.crt + --signer-cert=/etc/origin/master/front-proxy-ca.crt + --signer-key=/etc/origin/master/front-proxy-ca.key + --user aggregator-front-proxy + --client-dir=/etc/origin/master + --signer-serial=/etc/origin/master/ca.serial.txt + +- name: Update master config + yedit: + state: present + src: /etc/origin/master/master-config.yaml + edits: + - key: aggregatorConfig.proxyClientInfo.certFile + value: aggregator-front-proxy.crt + - key: aggregatorConfig.proxyClientInfo.keyFile + value: aggregator-front-proxy.key + - key: authConfig.requestHeader.clientCA + value: front-proxy-ca.crt + - key: authConfig.requestHeader.clientCommonNames + value: [aggregator-front-proxy] + - key: authConfig.requestHeader.usernameHeaders + value: [X-Remote-User] + - key: authConfig.requestHeader.groupHeaders + value: [X-Remote-Group] + - key: authConfig.requestHeader.extraHeaderPrefixes + value: [X-Remote-Extra-] + register: yedit_output + +#restart master serially here +- name: restart master + systemd: name={{ openshift.common.service_type }}-master state=restarted + when: + - yedit_output.changed + - openshift.master.ha is not defined or not openshift.master.ha | bool + +- name: restart master api + systemd: name={{ openshift.common.service_type }}-master-api state=restarted + when: + - yedit_output.changed + - openshift.master.ha is defined and openshift.master.ha | bool + - openshift.master.cluster_method == 
'native' + +- name: restart master controllers + systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted + when: + - yedit_output.changed + - openshift.master.ha is defined and openshift.master.ha | bool + - openshift.master.cluster_method == 'native' + +- name: Verify API Server + # Using curl here since the uri module requires python-httplib2 and + # wait_for port doesn't provide health information. + command: > + curl --silent --tlsv1.2 + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} + {{ openshift.master.api_url }}/healthz/ready + args: + # Disables the following warning: + # Consider using get_url or uri module rather than running curl + warn: no + register: api_available_output + until: api_available_output.stdout == 'ok' + retries: 120 + delay: 1 + changed_when: false + when: + - yedit_output.changed diff --git a/roles/openshift_service_catalog/templates/api_server.j2 b/roles/openshift_service_catalog/templates/api_server.j2 new file mode 100644 index 000000000..8ae6b6c8d --- /dev/null +++ b/roles/openshift_service_catalog/templates/api_server.j2 
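Review bot: Both `oc adm ca create-signer-cert` and `oc adm create-api-client-config` run unconditionally, so each run of the role mints a new front-proxy CA and a new `aggregator-front-proxy` client cert; on the second run `yedit_output.changed` is false, so the master is not restarted and the CA it loaded at startup no longer matches the files on disk — whether aggregated requests then fail depends on how the master reloads `authConfig.requestHeader.clientCA`, but the two states diverge either way. Guard the first command with `args:` / `creates: /etc/origin/master/front-proxy-ca.crt` and the second with `creates: /etc/origin/master/aggregator-front-proxy.crt`, the file the master config is pointed at below. The TODO at the top should name the module and argument it refers to, e.g. `# TODO: oc_adm_ca_server_cert requires hostnames, which a signer cert has none of; using the CLI until the module supports signer certs`, so the commented-out block can be revived later. Note that `--serial=/etc/origin/master/ca.serial.txt` shares the master CA's serial file with the new front-proxy CA; that is harmless but worth a comment so nobody "fixes" it into a collision later.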
@@ -0,0 +1,80 @@ +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + labels: + app: apiserver + name: apiserver +spec: + selector: + matchLabels: + app: apiserver + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: apiserver + spec: + serviceAccountName: service-catalog-apiserver + nodeSelector: +{% for key, value in node_selector.iteritems() %} + {{key}}: "{{value}}" +{% endfor %} + containers: + - args: + - --storage-type + - etcd + - --secure-port + - "6443" + - --etcd-servers +# TODO: come back and get openshift.common.hostname to work + - https://{{ openshift.common.ip }}:{{ openshift.master.etcd_port }} + - --etcd-cafile + - /etc/origin/master/master.etcd-ca.crt + - --etcd-certfile + - /etc/origin/master/master.etcd-client.crt + - --etcd-keyfile + - /etc/origin/master/master.etcd-client.key + - -v + - "10" + - --cors-allowed-origins + - {{ cors_allowed_origin }} + - --admission-control + - "KubernetesNamespaceLifecycle" + image: {{ openshift_service_catalog_image_prefix }}service-catalog:{{ openshift_service_catalog_image_version }} + command: ["/usr/bin/apiserver"] + imagePullPolicy: Always + name: apiserver + ports: + - containerPort: 6443 + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + volumeMounts: + - mountPath: /var/run/kubernetes-service-catalog + name: apiserver-ssl + readOnly: true + - mountPath: /etc/origin/master + name: etcd-host-cert + readOnly: true + dnsPolicy: ClusterFirst + restartPolicy: Always + securityContext: {} + terminationGracePeriodSeconds: 30 + volumes: + - name: apiserver-ssl + secret: + defaultMode: 420 + secretName: apiserver-ssl + items: + - key: tls.crt + path: apiserver.crt + - key: tls.key + path: apiserver.key + - hostPath: + path: /etc/origin/master + name: etcd-host-cert + - emptyDir: {} + name: data-dir 
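Review bot: The apiserver is started with `-v` `"10"`, and at that verbosity a Kubernetes-style apiserver is likely to log request headers and bodies, which for an aggregated API using delegated token authentication can include bearer tokens; make the log level a template variable (the task already passes `vars`) and default it to something like `"2"`. The container also hostPath-mounts all of `/etc/origin/master` read-only, exposing the master CA key, admin kubeconfig and every other credential in that directory to the pod, while only `master.etcd-ca.crt`, `master.etcd-client.crt` and `master.etcd-client.key` are referenced; copying those three into a secret in `kube-service-catalog` and mounting that would remove both the broad exposure and the need for the `hostmount-anyuid` SCC grant in `install.yml`. `node_selector.iteritems()` is Python 2 only; `.items()` behaves identically on both Python versions. The `data-dir` emptyDir volume is declared but never mounted.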
diff --git a/roles/openshift_service_catalog/templates/api_server_route.j2 b/roles/openshift_service_catalog/templates/api_server_route.j2 new file mode 100644 index 000000000..3c3da254d --- /dev/null +++ b/roles/openshift_service_catalog/templates/api_server_route.j2 @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Route +metadata: + name: apiserver +spec: + port: + targetPort: secure + tls: + termination: passthrough + to: + kind: Service + name: apiserver + weight: 100 + wildcardPolicy: None diff --git a/roles/openshift_service_catalog/templates/api_server_service.j2 b/roles/openshift_service_catalog/templates/api_server_service.j2 new file mode 100644 index 000000000..bae337201 --- /dev/null +++ b/roles/openshift_service_catalog/templates/api_server_service.j2 @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: apiserver +spec: + ports: + - name: secure + port: 443 + protocol: TCP + targetPort: 6443 + selector: + app: apiserver + sessionAffinity: None diff --git a/roles/openshift_service_catalog/templates/controller_manager.j2 b/roles/openshift_service_catalog/templates/controller_manager.j2 new file mode 100644 index 000000000..33932eeb7 --- /dev/null +++ b/roles/openshift_service_catalog/templates/controller_manager.j2 
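Review bot: `api_server_route.j2` publishes the service-catalog apiserver on an external passthrough-TLS route even though the APIService registered in `generate_certs.yml` already makes it reachable through the master, so the cluster gains one more externally reachable TLS endpoint that authenticates on its own via the `system:auth-delegator` grant instead of passing through the master's front door. If the route is only for development, say so in a leading comment (`# TODO: development access only; remove once clients use the aggregated path`) or make it opt-in behind a role variable. The route also sets no `host:`, so the exposed hostname is whatever the router default generates.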
@@ -0,0 +1,46 @@ +apiVersion: extensions/v1beta1 +kind: DaemonSet +metadata: + labels: + app: controller-manager + name: controller-manager +spec: + selector: + matchLabels: + app: controller-manager + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app: controller-manager + spec: + nodeSelector: +{% for key, value in node_selector.iteritems() %} + {{key}}: "{{value}}" +{% endfor %} + containers: + - env: + - name: K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + args: + - -v + - "5" + - "--leader-election-namespace=$(K8S_NAMESPACE)" + image: {{ openshift_service_catalog_image_prefix }}service-catalog:{{ openshift_service_catalog_image_version }} + command: ["/usr/bin/controller-manager"] + imagePullPolicy: Always + name: controller-manager + ports: + - containerPort: 8080 + protocol: TCP + resources: {} + terminationMessagePath: /dev/termination-log + dnsPolicy: ClusterFirst + restartPolicy: Always + securityContext: {} + terminationGracePeriodSeconds: 30 diff --git a/roles/openshift_service_catalog/templates/controller_manager_service.j2 b/roles/openshift_service_catalog/templates/controller_manager_service.j2 new file mode 100644 index 000000000..2bac645fc --- /dev/null +++ b/roles/openshift_service_catalog/templates/controller_manager_service.j2 @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: controller-manager +spec: + ports: + - port: 6443 + protocol: TCP + targetPort: 6443 + selector: + app: controller-manager + sessionAffinity: None + type: ClusterIP diff --git a/roles/openshift_service_catalog/vars/default_images.yml b/roles/openshift_service_catalog/vars/default_images.yml new file mode 100644 index 000000000..6fb9d1b86 --- /dev/null +++ b/roles/openshift_service_catalog/vars/default_images.yml @@ -0,0 +1,3 @@ +--- +__openshift_service_catalog_image_prefix: "docker.io/openshift/origin-" +__openshift_service_catalog_image_version: "latest" 
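Review bot: `spec.strategy` is not a DaemonSet field — `api_server.j2` in the same commit uses `updateStrategy` for the same purpose — so the rolling-update settings here are ignored (or rejected, depending on how strictly the API server validates) and the DaemonSet falls back to the default update behaviour; rename it to `updateStrategy:`. The pod spec sets no `serviceAccountName`, so the controller runs as the namespace `default` service account rather than the `service-catalog-controller` SA whose RBAC is created in `kubeservicecatalog_roles_bindings.yml`; add `serviceAccountName: service-catalog-controller` under `spec:`. The same Python-2-only `.iteritems()` loop as in `api_server.j2` applies here.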
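Review bot: `controller_manager_service.j2` maps `port: 6443` to `targetPort: 6443`, but the controller-manager container in `controller_manager.j2` only declares `containerPort: 8080`, so this Service selects the pods and then forwards to a port nothing is shown to listen on. Either set `targetPort: 8080` (with a matching `port`) or drop the Service if no client needs to reach the controller manager; a comment stating which component consumes it would settle that.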
diff --git a/roles/openshift_service_catalog/vars/openshift-enterprise.yml b/roles/openshift_service_catalog/vars/openshift-enterprise.yml new file mode 100644 index 000000000..8c3f14485 --- /dev/null +++ b/roles/openshift_service_catalog/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_service_catalog_image_prefix: "registry.access.redhat.com/openshift3/" +__openshift_service_catalog_image_version: "3.6.0" diff --git a/roles/openshift_service_catalog_broker/defaults/main.yml b/roles/openshift_service_catalog_broker/defaults/main.yml new file mode 100644 index 000000000..c2f77b2db --- /dev/null +++ b/roles/openshift_service_catalog_broker/defaults/main.yml @@ -0,0 +1,6 @@ +--- +openshift_service_catalog_broker_remove: false +openshift_service_catalog_broker_replicas: 1 + +openshift_service_catalog_broker_namespace: openshift-ansible-service-broker +openshift_service_catalog_broker_nodeselector: {} diff --git a/roles/openshift_service_catalog_broker/meta/main.yml b/roles/openshift_service_catalog_broker/meta/main.yml new file mode 100644 index 000000000..f22c4e2b6 --- /dev/null +++ b/roles/openshift_service_catalog_broker/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: OpenShift Red Hat + description: OpenShift Service Catalog Broker + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: lib_openshift +- role: openshift_facts diff --git a/roles/openshift_service_catalog_broker/tasks/install.yml b/roles/openshift_service_catalog_broker/tasks/install.yml new file mode 100644 index 000000000..c9dad678a --- /dev/null +++ b/roles/openshift_service_catalog_broker/tasks/install.yml 
@@ -0,0 +1,65 @@ +--- +# do any asserts here + +- name: Set default image variables based on deployment_type + include_vars: "{{ item }}" + with_first_found: + - "{{ openshift_deployment_type | default(deployment_type) }}.yml" + - "default_images.yml" + +- name: Set service_catalog image facts + set_fact: + openshift_service_catalog_broker_image_prefix: "{{ openshift_service_catalog_broker_image_prefix | default(__openshift_service_catalog_broker_image_prefix) }}" + openshift_service_catalog_broker_image_version: "{{ openshift_service_catalog_broker_image_version | default(__openshift_service_catalog_broker_image_version) }}" + +- name: Set Service Catalog Broker namespace + oc_project: + state: present + name: "{{ openshift_service_catalog_broker_namespace }}" +# node_selector: "{{ openshift_service_catalog_broker_nodeselector | default(null) }}" + +- name: Create temp directory for doing work in + command: mktemp -d /tmp/openshift-broker-ansible-XXXXXX + register: mktemp + changed_when: False + +## broker process deployment +- template: + src: broker.j2 + dest: "{{ mktemp.stdout }}/broker.yml" + vars: + image: "" + replicas: 1 + node_selector: "" + cpu_limit: none + memory_limit: none + +- name: Set Service Catalog Broker deployment + oc_obj: + state: present + namespace: "{{ openshift_service_catalog_broker_namespace }}" + kind: deployment + name: ups-broker + files: + - "{{ mktemp.stdout }}/broker.yml" + delete_after: yes + +- template: + src: broker_service.j2 + dest: "{{ mktemp.stdout }}/broker_service.yml" + +- name: Set Service Catalog Broker service + oc_obj: + state: present + namespace: "{{ openshift_service_catalog_broker_namespace }}" + kind: service + name: ups-broker + files: + - "{{ mktemp.stdout }}/broker_service.yml" + delete_after: yes + +- name: Delete temp directory + file: + name: "{{ mktemp.stdout }}" + state: absent + changed_when: False 
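Review bot: `Set service_catalog image facts` computes `openshift_service_catalog_broker_image_prefix`/`_version` (and `openshift-enterprise.yml` points them at `registry.access.redhat.com`), but `broker.j2` ignores them and hard-codes `image: quay.io/kubernetes-service-catalog/user-broker:canary` with `imagePullPolicy: Always`, so every deployment, enterprise included, pulls a floating upstream tag that cannot be pinned, mirrored or audited. Template the image from the facts, e.g. `image: {{ openshift_service_catalog_broker_image_prefix }}<broker-image-name>:{{ openshift_service_catalog_broker_image_version }}` (image name to be decided), or at minimum pin a specific tag or digest. `replicas: 1` is likewise hard-coded both in this task's `vars` and inside `broker.j2`, so `openshift_service_catalog_broker_replicas` from defaults has no effect; pass `replicas: "{{ openshift_service_catalog_broker_replicas }}"` and use `replicas: {{ replicas }}` in the template. The `image`/`node_selector`/`cpu_limit`/`memory_limit` vars are unused by `broker.j2` as well.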
diff --git a/roles/openshift_service_catalog_broker/tasks/main.yml b/roles/openshift_service_catalog_broker/tasks/main.yml new file mode 100644 index 000000000..4d776f543 --- /dev/null +++ b/roles/openshift_service_catalog_broker/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- include: install.yml + when: not openshift_service_catalog_broker_remove | default(false) | bool + +- include: remove.yml + when: openshift_service_catalog_broker_remove | default(false) | bool diff --git a/roles/openshift_service_catalog_broker/tasks/remove.yml b/roles/openshift_service_catalog_broker/tasks/remove.yml new file mode 100644 index 000000000..a0574fd55 --- /dev/null +++ b/roles/openshift_service_catalog_broker/tasks/remove.yml @@ -0,0 +1,19 @@ +--- +- name: Remove Service Catalog Broker service + oc_obj: + state: absent + namespace: "{{ openshift_service_catalog_broker_namespace }}" + kind: service + name: ups-broker + +- name: Remove Service Catalog Broker deployment + oc_obj: + state: absent + namespace: "{{ openshift_service_catalog_broker_namespace }}" + kind: deployment + name: ups-broker + +- name: Remove Service Catalog Broker namespace + oc_project: + state: absent + name: "{{ openshift_service_catalog_broker_namespace }}" diff --git a/roles/openshift_service_catalog_broker/templates/broker.j2 b/roles/openshift_service_catalog_broker/templates/broker.j2 new file mode 100644 index 000000000..d6e3c4194 --- /dev/null +++ b/roles/openshift_service_catalog_broker/templates/broker.j2 
@@ -0,0 +1,41 @@ +kind: Deployment +apiVersion: extensions/v1beta1 +metadata: + name: ups-broker + labels: + app: ups-broker +spec: + replicas: 1 + selector: + matchLabels: + app: ups-broker + template: + metadata: + labels: + app: ups-broker + spec: + containers: + - name: ups-broker + image: quay.io/kubernetes-service-catalog/user-broker:canary + imagePullPolicy: Always + args: + - --port + - "8080" + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + failureThreshold: 1 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + tcpSocket: + port: 8080 + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 diff --git a/roles/openshift_service_catalog_broker/templates/broker_broker.j2 b/roles/openshift_service_catalog_broker/templates/broker_broker.j2 new file mode 100644 index 000000000..1dd50a2c1 --- /dev/null +++ b/roles/openshift_service_catalog_broker/templates/broker_broker.j2 @@ -0,0 +1,7 @@ + +apiVersion: servicecatalog.k8s.io/v1alpha1 +kind: Broker +metadata: + name: ups-broker +spec: + url: http://ups-broker.ups-broker.svc.cluster.local diff --git a/roles/openshift_service_catalog_broker/templates/broker_service.j2 b/roles/openshift_service_catalog_broker/templates/broker_service.j2 new file mode 100644 index 000000000..5beecea09 --- /dev/null +++ b/roles/openshift_service_catalog_broker/templates/broker_service.j2 @@ -0,0 +1,13 @@ +kind: Service +apiVersion: v1 +metadata: + name: ups-broker + labels: + app: ups-broker +spec: + selector: + app: ups-broker + ports: + - protocol: TCP + port: 80 + targetPort: 8080 diff --git a/roles/openshift_service_catalog_broker/vars/default_images.yml b/roles/openshift_service_catalog_broker/vars/default_images.yml new file mode 100644 index 000000000..7b03e4f60 --- /dev/null +++ b/roles/openshift_service_catalog_broker/vars/default_images.yml 
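Review bot: `broker_broker.j2` points the Broker at `http://ups-broker.ups-broker.svc.cluster.local`, i.e. a Service in a namespace named `ups-broker`, while `install.yml` deploys the `ups-broker` Service into `{{ openshift_service_catalog_broker_namespace }}` (default `openshift-ansible-service-broker`); template it as `url: http://ups-broker.{{ openshift_service_catalog_broker_namespace }}.svc.cluster.local`. Nothing in `install.yml` renders or applies this template, so either a registration task is missing or the file is a placeholder, and a leading comment should say which. The catalog-to-broker link is plain `http`, which is acceptable for a placeholder broker but deserves a comment that a real broker should be reached over TLS.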
@@ -0,0 +1,3 @@ +--- +__openshift_service_catalog_broker_image_prefix: "docker.io/openshift/origin-" +__openshift_service_catalog_broker_image_version: "latest" diff --git a/roles/openshift_service_catalog_broker/vars/openshift-enterprise.yml b/roles/openshift_service_catalog_broker/vars/openshift-enterprise.yml new file mode 100644 index 000000000..a8154774c --- /dev/null +++ b/roles/openshift_service_catalog_broker/vars/openshift-enterprise.yml @@ -0,0 +1,3 @@ +--- +__openshift_service_catalog_broker_image_prefix: "registry.access.redhat.com/openshift3/" +__openshift_service_catalog_broker_image_version: "3.6.0" -- cgit v1.2.3