Add missing RoleBindings for waiverdb project, and abstract project out to openshift/project

Signed-off-by: Ricky Elrod <codeblock@fedoraproject.org>
2017-08-01 03:54:10 +00:00 · 2017-08-01 03:54:10 +00:00 · 30021e1935
commit 30021e1935
parent 0736fcb4f7
8 changed files with 92 additions and 1 deletions
--- a/playbooks/openshift-apps/waiverdb.yml
+++ b/playbooks/openshift-apps/waiverdb.yml
@ -9,7 +9,7 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
-  - { role: openshift/object, app: waiverdb, template: project.yml, description: waiverdb }
+  - { role: openshift/project, app: waiverdb, description: waiverdb, fas_owner: codeblock }
  - { role: openshift/object, app: waiverdb, template: secret.yml }
  #- { role: openshift/secret-file
  #  , app: waiverdb
--- a/roles/openshift/object/tasks/main.yml
+++ b/roles/openshift/object/tasks/main.yml
@ -8,6 +8,11 @@
  when: template is defined
  run_once: true

+- name: Copy template {{template_fullpath}} to temporary file ({{tmpfile.path}})
+  template: src={{template_fullpath}} dest={{tmpfile.path}}
+  when: template_fullpath is defined
+  run_once: true
+
 - name: Copy file {{file}} to temporary file ({{tmpfile.path}})
  copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}
  when: file is defined
--- a/roles/openshift/project/tasks/main.yml
+++ b/roles/openshift/project/tasks/main.yml
@ -0,0 +1,30 @@
+---
+- name: project.yml
+  include_role:
+    name: openshift/object
+  vars:
+    template_fullpath: "{{roles_path}}/openshift/project/templates/project.yml"
+
+- name: admin.yml
+  include_role:
+    name: openshift/object
+  vars:
+    template_fullpath: "{{roles_path}}/openshift/project/templates/admin.yml"
+
+- name: deployer.yml
+  include_role:
+    name: openshift/object
+  vars:
+    template_fullpath: "{{roles_path}}/openshift/project/templates/deploywer.yml"
+
+- name: imagebuilder.yml
+  include_role:
+    name: openshift/object
+  vars:
+    template_fullpath: "{{roles_path}}/openshift/project/templates/imagebuilder.yml"
+
+- name: imagepuller.yml
+  include_role:
+    name: openshift/object
+  vars:
+    template_fullpath: "{{roles_path}}/openshift/project/templates/imagepuller.yml"
--- a/roles/openshift/project/templates/admin.yml
+++ b/roles/openshift/project/templates/admin.yml
@ -0,0 +1,14 @@
+apiVersion: v1
+groupNames: []
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: admins
+  namespace: "{{app}}"
+roleRef:
+  name: admin
+subjects:
+- kind: User
+  name: "{{fas_owner}}"
+userNames:
+- "{{fas_owner}}"
--- a/roles/openshift/project/templates/deployer.yml
+++ b/roles/openshift/project/templates/deployer.yml
@ -0,0 +1,14 @@
+apiVersion: v1
+groupNames: []
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: system:deployers
+  namespace: "{{app}}"
+roleRef:
+  name: system:deployer
+subjects:
+- kind: ServiceAccount
+  name: deployer
+userNames:
+- system:serviceaccount:"{{app}}":deployer
--- a/roles/openshift/project/templates/imagebuilder.yml
+++ b/roles/openshift/project/templates/imagebuilder.yml
@ -0,0 +1,14 @@
+apiVersion: v1
+groupNames: []
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: system:image-builders
+  namespace: "{{app}}"
+roleRef:
+  name: system:image-builder
+subjects:
+- kind: ServiceAccount
+  name: builder
+userNames:
+- system:serviceaccount:"{{app}}":builder
--- a/roles/openshift/project/templates/imagepuller.yml
+++ b/roles/openshift/project/templates/imagepuller.yml
@ -0,0 +1,14 @@
+apiVersion: v1
+groupNames:
+- system:serviceaccounts:"{{app}}"
+kind: RoleBinding
+metadata:
+  creationTimestamp: null
+  name: system:image-pullers
+  namespace: "{{app}}"
+roleRef:
+  name: system:image-puller
+subjects:
+- kind: SystemGroup
+  name: system:serviceaccounts:"{{app}}"
+userNames: []
--- a/roles/openshift-apps/waiverdb/templates/project.yml
+++ b/roles/openshift-apps/waiverdb/templates/project.yml