Update osbs-namespace role with latest upstream

Signed-off-by: Clement Verna <cverna@tutanota.com>

roles/osbs-namespace/README.md

@@ -1,5 +1,5 @@
-Role Name
-=========
+osbs-namespace
+==============
 
 Setup an OpenShift namespace as required by OSBS:
 - Create namespace, also referred to as project (`osbs_namespace`)
@@ -52,13 +52,26 @@ Role Variables
           max_concurrent_builds: 6
           openshift_url: https://my-ppc64le-cluster.fedoraproject.org:8443
 
+    # Reactor config maps to be created in orchestrator namespace
+    osbs_reactor_config_maps:
+    - name: reactor-config-map
+      # See config.json schema in atomic-reactor project for details:
+      # https://github.com/projectatomic/atomic-reactor/blob/master/atomic_reactor/schemas/config.json
+      data:
+        clusters:
+            x86_64:
+            -   enabled: true
+                max_concurrent_builds: 10
+                name: x86_64-on-premise
+        version: 1
+
     # Service accounts to be created - these accounts will also be bound to
     # edit clusterrole and osbs-custom-build role in specified namespace
     osbs_service_accounts:
     - bot
     - ci
 
-    # User and groups to be assigned view clusterrole in specified namespace
+    # Users and groups to be assigned view clusterrole in specified namespace
     osbs_readonly_groups:
     - group1
     - group2
@@ -84,6 +97,14 @@ Role Variables
     - user1
     - user2
 
+    # Users and groups to be assigned cluster-reader clusterrole cluster wide
+    osbs_cluster_reader_groups:
+    - group1
+    - group2
+    osbs_cluster_reader_users:
+    - user1
+    - user2
+
     # Koji integration
     osbs_koji_secret_name: kojisecret
     osbs_koji_hub: https://koji.fedoraproject.org  # Empty default value

roles/osbs-namespace/defaults/main.yml

@@ -14,6 +14,8 @@ osbs_cpu_limitrange: ''
 
 osbs_admin_groups: []
 osbs_admin_users: []
+osbs_cluster_reader_groups: []
+osbs_cluster_reader_users: []
 osbs_readonly_groups: []
 osbs_readonly_users: []
 osbs_readwrite_groups: []
@@ -32,7 +34,7 @@ osbs_pulp_secret_name: pulpsecret
 osbs_registry_api_versions:
 - v1
 - v2
-osbs_registry_secret_name: ''
+osbs_registry_secret_name: v2-registry-dockercfg
 osbs_registry_uri: ''
 osbs_source_registry_uri: ''
 osbs_build_json_dir: /usr/share/osbs
@@ -54,7 +56,7 @@ osbs_serviceaccount_pruner: ''
 osbs_odcs_enabled: false
 osbs_odcs_signing_intents: {}
 osbs_odcs_default_signing_intent: null
+osbs_odcs_api_url: ''
+osbs_odcs_auth_ssl_certs_dir: /usr/share/osbs
 
-koji_use_kerberos: false
-koji_kerberos_keytab: ''
-koji_kerberos_principal: ''
+osbs_reactor_config_maps: []

roles/osbs-namespace/filter_plugins/with_isolated_workers.py

@@ -0,0 +1,56 @@
+"""
+Copyright (c) 2018 Red Hat, Inc
+All rights reserved.
+
+This software may be modified and distributed under the terms
+of the BSD license. See the LICENSE file for details.
+"""
+from copy import deepcopy
+import re
+
+
+# Negative regex used to exclude characters that are not allowed
+# in naming a kubernetes resource
+INVALID_KUBERNETES_NAME_CHARS = re.compile(r'[^a-z0-9\.-]+')
+
+
+class FilterModule(object):
+    def filters(self):
+        return {'with_isolated_workers': do_with_isolated_workers}
+
+
+def do_with_isolated_workers(reactor_configs):
+    """Generate reactor configs for each worker cluster
+
+    :param reactor_configs: list<dict>, each dict should contain a name and
+    a data key. The value of name key is used to name the config map object
+    and the value of data key is a reactor config
+
+    :return: a new list of reactor configs that contains new reactor configs
+    for each worker cluster in addition to the original reactor configs
+    """
+    all_configs = list(reactor_configs)
+
+    for config in reactor_configs:
+        clusters = config.get('data', {}).get('clusters', {})
+        for arch, workers_info in clusters.items():
+            for worker_info in workers_info:
+                worker_info = deepcopy(worker_info)
+                worker_info['enabled'] = True
+
+                worker_config = deepcopy(config)
+
+                name = _clean_kubernetes_name(config['name'] + '-' + worker_info['name'])
+                worker_config['name'] = name
+
+                worker_config['data']['clusters'] = {arch: [worker_info]}
+
+                all_configs.append(worker_config)
+
+    return all_configs
+
+
+def _clean_kubernetes_name(name):
+    name = name.lower()
+    name = INVALID_KUBERNETES_NAME_CHARS.sub('-', name)
+    return name

roles/osbs-namespace/operations/README.md

@@ -35,6 +35,9 @@ Role Variables
     # Then to re-enable node:
     osbs_enable_node: true
 
+    # Override default systemd unit files
+    osbs_systemd_override: true
+
 See `operations/defaults/main.yml` for a comprehensive list of all
 available variables.
 

roles/osbs-namespace/operations/defaults/main.yml

@@ -19,6 +19,10 @@ osbs_wait_active_pods_delay: 30 # seconds
 osbs_wait_node_ready_retries: 30
 osbs_wait_node_ready_delay: 10
 
+osbs_buildroot_do_tag: false
 osbs_buildroot_imagestream_live_tag: ''
 osbs_buildroot_imagestream: ''
 osbs_buildroot_imagestream_post_build_tag: ''
+
+osbs_systemd_override: false
+osbs_systemd_limit_nofile: 131072

roles/osbs-namespace/operations/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart atomic-openshift-node
+  service:
+    name: atomic-openshift-node
+    state: restarted
+    daemon_reload: yes

roles/osbs-namespace/operations/tasks/main.yml

@@ -9,7 +9,10 @@
   when: osbs_update_node_labels
 
 - include: tag-buildroot.yml
-  when: osbs_buildroot_imagestream_live_tag != ''
+  when: osbs_buildroot_do_tag
 
 - include: enable-node.yml
   when: osbs_enable_node
+
+- include: override-systemd.yml
+  when: osbs_systemd_override

roles/osbs-namespace/operations/tasks/override-systemd.yml

@@ -0,0 +1,11 @@
+---
+- name: Set LimitNOFILE in atomic-openshift-node
+  lineinfile:
+    path: /etc/systemd/system/atomic-openshift-node.service
+    regexp: '^LimitNOFILE='
+    line: 'LimitNOFILE={{ osbs_systemd_limit_nofile }}'
+    backup: yes
+  notify:
+  - restart atomic-openshift-node
+
+- meta: flush_handlers

roles/osbs-namespace/operations/tasks/tag-buildroot.yml

@@ -2,8 +2,13 @@
 # Tag the desired build image with the post build tag (“staged” for stage, “released” for prod)
 - name: tag buildroot imagestream
   command: >
-    oc tag {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_live_tag }} {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_post_build_tag }}
+    oc tag --namespace={{ osbs_namespace }}
+    {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_live_tag }}
+    {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_post_build_tag }}
   environment: "{{ osbs_environment }}"
-  when: osbs_buildroot_imagestream != '' and osbs_buildroot_imagestream_live_tag != '' and osbs_buildroot_imagestream_post_build_tag != ''
+  when:
+  - osbs_buildroot_imagestream != ''
+  - osbs_buildroot_imagestream_live_tag != ''
+  - osbs_buildroot_imagestream_post_build_tag != ''
   tags:
   - oc

roles/osbs-namespace/tasks/main.yml

@@ -69,11 +69,13 @@
 
   - name: osbs-custom-build-readwrite
     role: system:build-strategy-custom
+    yaml_version: v1
     users: "{{ osbs_readwrite_users }}"
     groups: "{{ osbs_readwrite_groups }}"
 
   - name: osbs-custom-build-admin
     role: system:build-strategy-custom
+    yaml_version: v1
     users: "{{ osbs_admin_users }}"
     groups: "{{ osbs_admin_groups }}"
 
@@ -85,6 +87,13 @@
     role: system:build-strategy-custom
     serviceaccounts: "{{ osbs_service_accounts }}"
 
+  - name: osbs-cluster-reader
+    role: cluster-reader
+    yaml_version: v1
+    type: ClusterRoleBinding
+    users: "{{ osbs_cluster_reader_users }}"
+    groups: "{{ osbs_cluster_reader_groups }}"
+
   register: yaml_rolebindings
   when: osbs_is_admin
   tags:

roles/osbs-namespace/tasks/orchestrator.yml

@@ -17,6 +17,25 @@
   tags:
   - oc
 
+- name: generate reactor config maps
+  template:
+    src: reactor-config-map.yml.j2
+    dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-{{ item.name }}.yml"
+  with_items: "{{ osbs_reactor_config_maps | with_isolated_workers }}"
+  register: yaml_reactor_config_maps
+  tags:
+  - oc
+
+- name: create reactor config maps
+  shell: >
+    oc --namespace={{ osbs_namespace }} create configmap {{ item.item.name }} \
+    --from-file='config.yaml'={{ item.dest }} --dry-run -o yaml | \
+    oc --namespace={{ osbs_namespace }} replace --force -f -
+  when: item.changed
+  with_items: "{{ yaml_reactor_config_maps.results }}"
+  tags:
+  - oc
+
 # Setup imagestream
 - name: copy imagestream
   template:
@@ -42,6 +61,7 @@
 - name: update imagestream tag
   command: >
     oc import-image {{ osbs_buildroot_imagestream }}:{{ osbs_buildroot_imagestream_live_tag }}
+    --namespace={{ osbs_namespace }}
     --from {{ osbs_buildroot_repository }}:{{ osbs_buildroot_imagestream_live_tag }}
     {{ " --insecure" if osbs_insecure_repository else ''}}
   environment: "{{ osbs_environment }}"

roles/osbs-namespace/templates/client-config-secret.conf.j2

@@ -18,7 +18,7 @@ distribution_scope = {{ osbs_distribution_scope }}
 
 # Koji integration
 {% if osbs_koji_secret_name %}
-# koji_certs_secret = {{ osbs_koji_secret_name }}
+koji_certs_secret = {{ osbs_koji_secret_name }}
 {% endif %}
 {% if osbs_koji_hub %}
 koji_hub = {{ osbs_koji_hub }}
@@ -26,15 +26,6 @@ koji_hub = {{ osbs_koji_hub }}
 {% if osbs_koji_root %}
 koji_root = {{ osbs_koji_root }}
 {% endif %}
-{% if koji_use_kerberos %}
-koji_use_kerberos = {{ koji_use_kerberos }}
-{% endif %}
-{% if koji_kerberos_keytab %}
-koji_kerberos_keytab = {{ koji_kerberos_keytab }}
-{% endif %}
-{% if koji_kerberos_principal %}
-koji_kerberos_principal = {{ koji_kerberos_principal }}
-{% endif %}
 
 # Pulp integration
 {% if osbs_pulp_registry_name %}

roles/osbs-namespace/templates/openshift-rolebinding.v1.yml.j2

@@ -1,5 +1,5 @@
 apiVersion: v1
-kind: RoleBinding
+kind: {{ item.type | default("RoleBinding") }}
 metadata:
   name: {{ item.name }}
   namespace: {{ osbs_namespace }}

roles/osbs-namespace/templates/reactor-config-map.yml.j2

@@ -0,0 +1,3 @@
+# {{ item.name }}
+---
+{{ item.data | to_nice_yaml }}

roles/osbs-namespace/templates/reactor-config-secret.yml.j2

@@ -14,6 +14,9 @@ clusters:
 
 {% if osbs_odcs_enabled %}
 odcs:
+    api_url: {{ osbs_odcs_api_url }}
+    auth:
+        ssl_certs_dir: {{ osbs_odcs_auth_ssl_certs_dir }}
     signing_intents:
     {{ osbs_odcs_signing_intents | to_yaml | indent(4) }}
     default_signing_intent: {{ osbs_odcs_default_signing_intent }}

roles/osbs-namespace/tests/files/expected-reactor-config-map-ppc64le-on-premise.yml

@@ -0,0 +1,15 @@
+# reactor-config-map-ppc64le-on-premise
+---
+artifacts_allowed_domains:
+- example.com/beta
+- example.com/released
+clusters:
+    ppc64le:
+    -   enabled: true
+        max_concurrent_builds: 11
+        name: ppc64le-on-premise
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: public
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-ppc64le-on-premise.yml

@@ -0,0 +1,13 @@
+# reactor-config-map-scratch-ppc64le-on-premise
+---
+artifacts_allowed_domains: []
+clusters:
+    ppc64le:
+    -   enabled: true
+        max_concurrent_builds: 11
+        name: ppc64le-on-premise
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: private
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-aws.yml

@@ -0,0 +1,13 @@
+# reactor-config-map-scratch-x86-64-aws
+---
+artifacts_allowed_domains: []
+clusters:
+    x86_64:
+    -   enabled: true
+        max_concurrent_builds: 20
+        name: x86_64-aws
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: private
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-azure.yml

@@ -0,0 +1,13 @@
+# reactor-config-map-scratch-x86-64-azure
+---
+artifacts_allowed_domains: []
+clusters:
+    x86_64:
+    -   enabled: true
+        max_concurrent_builds: 30
+        name: x86_64-azure
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: private
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch-x86-64-on-premise.yml

@@ -0,0 +1,13 @@
+# reactor-config-map-scratch-x86-64-on-premise
+---
+artifacts_allowed_domains: []
+clusters:
+    x86_64:
+    -   enabled: true
+        max_concurrent_builds: 10
+        name: x86_64-on-premise
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: private
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/files/expected-reactor-config-map-scratch.yml

@@ -0,0 +1,23 @@
+# reactor-config-map-scratch
+---
+artifacts_allowed_domains: []
+clusters:
+    ppc64le:
+    -   enabled: true
+        max_concurrent_builds: 11
+        name: ppc64le-on-premise
+    x86_64:
+    -   enabled: true
+        max_concurrent_builds: 10
+        name: x86_64-on-premise
+    -   enabled: false
+        max_concurrent_builds: 20
+        name: x86_64-aws
+    -   enabled: false
+        max_concurrent_builds: 30
+        name: x86_64-azure
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: private
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-aws.yml

@@ -0,0 +1,15 @@
+# reactor-config-map-x86-64-aws
+---
+artifacts_allowed_domains:
+- example.com/beta
+- example.com/released
+clusters:
+    x86_64:
+    -   enabled: true
+        max_concurrent_builds: 20
+        name: x86_64-aws
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: public
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-azure.yml

@@ -0,0 +1,15 @@
+# reactor-config-map-x86-64-azure
+---
+artifacts_allowed_domains:
+- example.com/beta
+- example.com/released
+clusters:
+    x86_64:
+    -   enabled: true
+        max_concurrent_builds: 30
+        name: x86_64-azure
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: public
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/files/expected-reactor-config-map-x86-64-on-premise.yml

@@ -0,0 +1,15 @@
+# reactor-config-map-x86-64-on-premise
+---
+artifacts_allowed_domains:
+- example.com/beta
+- example.com/released
+clusters:
+    x86_64:
+    -   enabled: true
+        max_concurrent_builds: 10
+        name: x86_64-on-premise
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: public
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/files/expected-reactor-config-map.yml

@@ -0,0 +1,25 @@
+# reactor-config-map
+---
+artifacts_allowed_domains:
+- example.com/beta
+- example.com/released
+clusters:
+    ppc64le:
+    -   enabled: true
+        max_concurrent_builds: 11
+        name: ppc64le-on-premise
+    x86_64:
+    -   enabled: true
+        max_concurrent_builds: 10
+        name: x86_64-on-premise
+    -   enabled: false
+        max_concurrent_builds: 20
+        name: x86_64-aws
+    -   enabled: false
+        max_concurrent_builds: 30
+        name: x86_64-azure
+image_labels:
+    authoritative-source-url: registry.example.com
+    distribution-scope: public
+    vendor: Example, Inc.
+version: 1

roles/osbs-namespace/tests/group_vars/masters.yml

@@ -16,3 +16,52 @@ osbs_worker_clusters:
     - allowed.domain.com
     - also-allowed.domain.com
     auto_build_node_selector: 'auto_build=true'
+
+_reactor_config_map:
+  version: 1
+
+  clusters:
+
+    x86_64:
+    - name: x86_64-on-premise
+      max_concurrent_builds: 10
+      enabled: True
+
+    - name: x86_64-aws
+      max_concurrent_builds: 20
+      enabled: False
+
+    - name: x86_64-azure
+      max_concurrent_builds: 30
+      enabled: False
+
+    ppc64le:
+    - name: ppc64le-on-premise
+      max_concurrent_builds: 11
+      enabled: True
+
+  artifacts_allowed_domains:
+  - example.com/beta
+  - example.com/released
+
+  image_labels:
+    vendor: "Example, Inc."
+    authoritative-source-url: registry.example.com
+    distribution-scope: public
+
+_scratch_reactor_config_map_overrides:
+
+  artifacts_allowed_domains: []
+
+  image_labels:
+    distribution-scope: private
+
+osbs_reactor_config_maps:
+
+- name: reactor-config-map
+  data: "{{ _reactor_config_map }}"
+
+- name: reactor-config-map-scratch
+  data: >
+    {{ _reactor_config_map |
+       combine(_scratch_reactor_config_map_overrides, recursive=True) }}

roles/osbs-namespace/tests/pre-oc-cluster.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+set -xeuo pipefail
+
+# Script inspired by:
+#   https://github.com/radanalyticsio/radanalyticsio.github.io/blob/master/.travis.yml
+
+TEST_DIR=`pwd`
+ORIGIN_DIR=$TEST_DIR/../origin
+OC_VERSION='v3.7.0'
+OC_RELEASE_NAME='openshift-origin-client-tools-v3.7.0-7ed6862-linux-64bit'
+
+# Add required insecure container registry
+sudo sed -i -e 's/sock/sock --insecure-registry 172.30.0.0\/16/' /etc/default/docker
+sudo cat /etc/default/docker
+sudo service docker restart
+
+# Download and setup oc binary
+sudo mkdir -p $ORIGIN_DIR
+sudo chmod -R 766 $ORIGIN_DIR
+sudo curl -L \
+    https://github.com/openshift/origin/releases/download/${OC_VERSION}/${OC_RELEASE_NAME}.tar.gz | \
+    sudo tar -C $ORIGIN_DIR -xz ${OC_RELEASE_NAME}/oc
+sudo cp $ORIGIN_DIR/${OC_RELEASE_NAME}/oc /bin/
+sudo chmod +x /bin/oc
+
+oc version
+
+# Below cmd is important to get oc working in ubuntu
+sudo docker run -v /:/rootfs -ti --rm \
+    --entrypoint=/bin/bash \
+    --privileged openshift/origin:v3.7.0 \
+    -c "mv /rootfs/bin/findmnt /rootfs/bin/findmnt.backup"
+
+# Avoid error from travis wrapper script with unbound variable:
+#   https://github.com/travis-ci/travis-ci/issues/5434
+set +u

roles/osbs-namespace/tests/test.yml

@@ -17,7 +17,8 @@
   - name: bring up new cluster
     command: >
       oc cluster up
-      --version v3.6.0
+      --image {{ osbs_test_ocp_image | default('registry.access.redhat.com/openshift3/ose') }}
+      --version {{ osbs_test_ocp_version | default('v3.7') }}
     register: cmd_cluster_up
     changed_when: cmd_cluster_up.rc == 0
 
@@ -64,24 +65,11 @@
       oc -n test-worker get serviceaccount orchestrator
     changed_when: false
 
-  - name: policy binding created
-    command: >
-      oc -n test-worker get policybinding ':default'
-    changed_when: false
-
-  - name: custom builds roles created
-    command: >
-      oc -n test-worker get role osbs-custom-build
-    changed_when: false
-
   - name: expected rolebindings created in worker namespace
     command: >
       oc -n test-worker get rolebinding {{ item }}
     with_items:
     - osbs-admin
-    - osbs-admin
-    - osbs-custom-build-admin
-    - osbs-custom-build-readwrite
     - osbs-custom-build-serviceaccounts
     - osbs-readonly
     - osbs-readwrite
@@ -128,6 +116,28 @@
       {{ playbook_dir }}/tmp/test-orchestrator-client-config-secret.conf
     changed_when: false
 
+  - name: reactor config maps were generated properly
+    command: >
+      diff {{ playbook_dir }}/files/expected-{{ item }}.yml
+      {{ playbook_dir }}/tmp/test-host-test-orchestrator-{{ item }}.yml
+    changed_when: false
+    with_items:
+    - reactor-config-map-ppc64le-on-premise
+    - reactor-config-map-scratch-ppc64le-on-premise
+    - reactor-config-map-scratch-x86-64-aws
+    - reactor-config-map-scratch-x86-64-azure
+    - reactor-config-map-scratch-x86-64-on-premise
+    - reactor-config-map-scratch
+    - reactor-config-map-x86-64-aws
+    - reactor-config-map-x86-64-azure
+    - reactor-config-map-x86-64-on-premise
+    - reactor-config-map
+    register: cmd_diff_config_maps
+
+  - name: reactor config mpas were created
+    command: oc -n test-orchestrator get configmaps {{ item.item }}
+    changed_when: false
+    with_items: "{{ cmd_diff_config_maps.results }}"
 
 - name: setup namespace as non admin
   hosts: masters
@@ -151,6 +161,8 @@
       oc login -u system:admin
     register: cmd_login_admin
     changed_when: cmd_login_admin.rc == 0
+  tags:
+  - wip
 
 - name: test non-admin namespace
   hosts: masters
@@ -179,14 +191,13 @@
     failed_when: ('No resources found' not in cmd_rolebinding.stderr) and ('NotFound' not in cmd_rolebinding.stderr)
     with_items:
     - osbs-admin
-    - osbs-admin
-    - osbs-custom-build-admin
-    - osbs-custom-build-readwrite
     - osbs-custom-build-serviceaccounts
     - osbs-readonly
     - osbs-readwrite
     - osbs-readwrite-serviceaccounts
     changed_when: false
+  tags:
+  - wip
 
 - name: create limitrange namespace
   hosts: masters
@@ -292,6 +303,8 @@
       oc login -u system:admin
     register: cmd_login_admin
     changed_when: cmd_login_admin.rc == 0
+  tags:
+  - wip
 
 - name: test policybinding dedicated-admin namespace
   hosts: masters
@@ -310,3 +323,63 @@
     - osbs-readwrite
     - osbs-readwrite-serviceaccounts
     changed_when: false
+  tags:
+  - wip
+
+- name: setup users and groups in namespace
+  hosts: masters
+  roles:
+  - role: "{{ playbook_dir }}/../."
+    osbs_kubeconfig_path: "{{ lookup('env','HOME') }}/.kube/config"
+    osbs_openshift_home: tmp
+    osbs_namespace: test-users-and-groups
+    osbs_nodeselector: "worker=true"
+    osbs_admin_groups:
+    - admin-group
+    osbs_admin_users:
+    - admin-user
+    osbs_cluster_reader_groups:
+    - cluster-reader-group
+    osbs_cluster_reader_users:
+    - cluster-reader-user
+    osbs_readonly_groups:
+    - readonly-group
+    osbs_readonly_users:
+    - readonly-user
+    osbs_readwrite_groups:
+    - readwrite-group
+    osbs_readwrite_users:
+    - readwrite-user
+
+- name: test users and groups namespace
+  hosts: masters
+  vars:
+    osbs_users_groups_info:
+    - role_name: osbs-admin
+      type: rolebinding
+      expected: User Groupadmin-user admin-group
+    - role_name: osbs-readonly
+      type: rolebinding
+      expected: User Groupreadonly-user readonly-group
+    - role_name: osbs-readwrite
+      type: rolebinding
+      expected: User Groupreadwrite-user readwrite-group
+    - role_name: osbs-cluster-reader
+      type: clusterrolebinding
+      expected: User Groupcluster-reader-user cluster-reader-group
+  tasks:
+  - name: query rolebindings
+    command: >
+      oc -n test-users-and-groups get {{ item.type }} {{ item.role_name }}
+      -o jsonpath='{.subjects[*].kind}{.subjects[*].name}'
+    register: osbs_rolebindings
+    changed_when: false
+    with_items: "{{ osbs_users_groups_info }}"
+
+  - name: verify rolebindings
+    fail:
+      msg: "{{ item.1.type }} {{ item.1.role_name }} not as expected"
+    when: "item.0.stdout != item.1.expected"
+    with_together:
+    - "{{ osbs_rolebindings.results }}"
+    - "{{ osbs_users_groups_info }}"