diff --git a/playbooks/openshift-apps/waiverdb.yml b/playbooks/openshift-apps/waiverdb.yml
index b567ef7e95..3f2da490c6 100644
--- a/playbooks/openshift-apps/waiverdb.yml
+++ b/playbooks/openshift-apps/waiverdb.yml
@@ -9,7 +9,7 @@
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 roles:
- - { role: openshift/object, app: waiverdb, template: project.yml, description: waiverdb }
+ - { role: openshift/project, app: waiverdb, description: waiverdb, fas_owner: codeblock }
 - { role: openshift/object, app: waiverdb, template: secret.yml }
 #- { role: openshift/secret-file
 # , app: waiverdb
diff --git a/roles/openshift/object/tasks/main.yml b/roles/openshift/object/tasks/main.yml
index afc3e1448a..e7c19847b6 100644
--- a/roles/openshift/object/tasks/main.yml
+++ b/roles/openshift/object/tasks/main.yml
@@ -8,6 +8,11 @@
 when: template is defined
 run_once: true
+- name: Copy template {{template_fullpath}} to temporary file ({{tmpfile.path}})
+ template: src={{template_fullpath}} dest={{tmpfile.path}}
+ when: template_fullpath is defined
+ run_once: true
+
 - name: Copy file {{file}} to temporary file ({{tmpfile.path}})
 copy: src={{roles_path}}/openshift-apps/{{app}}/files/{{file}} dest={{tmpfile.path}}
 when: file is defined
diff --git a/roles/openshift/project/tasks/main.yml b/roles/openshift/project/tasks/main.yml
new file mode 100644
index 0000000000..269f0ef45a
--- /dev/null
+++ b/roles/openshift/project/tasks/main.yml
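Review bot: The new `Copy template {{template_fullpath}}` task in roles/openshift/object/tasks/main.yml is not exclusive with the task above it that is guarded by `when: template is defined`. If that earlier task also renders into `tmpfile.path` (its body is outside the hunk), a caller that passes both `template` and `template_fullpath` would have the later render silently replace the earlier one, so the object applied is not the one the caller named first. Tightening the guard to `when: template_fullpath is defined and template is not defined`, or failing when both are set, makes the choice explicit. The `src=... dest=...` shorthand also leaves both templated paths unquoted; block-style arguments with quoted values, e.g. `src: "{{template_fullpath}}"`, are more robust.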
@@ -0,0 +1,30 @@
+---
+- name: project.yml
+ include_role:
+ name: openshift/object
+ vars:
+ template_fullpath: "{{roles_path}}/openshift/project/templates/project.yml"
+
+- name: admin.yml
+ include_role:
+ name: openshift/object
+ vars:
+ template_fullpath: "{{roles_path}}/openshift/project/templates/admin.yml"
+
+- name: deployer.yml
+ include_role:
+ name: openshift/object
+ vars:
+ template_fullpath: "{{roles_path}}/openshift/project/templates/deploywer.yml"
+
+- name: imagebuilder.yml
+ include_role:
+ name: openshift/object
+ vars:
+ template_fullpath: "{{roles_path}}/openshift/project/templates/imagebuilder.yml"
+
+- name: imagepuller.yml
+ include_role:
+ name: openshift/object
+ vars:
+ template_fullpath: "{{roles_path}}/openshift/project/templates/imagepuller.yml"
diff --git a/roles/openshift/project/templates/admin.yml b/roles/openshift/project/templates/admin.yml
new file mode 100644
index 0000000000..160246888c
--- /dev/null
+++ b/roles/openshift/project/templates/admin.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+groupNames: []
+kind: RoleBinding
+metadata:
+ creationTimestamp: null
+ name: admins
+ namespace: "{{app}}"
+roleRef:
+ name: admin
+subjects:
+- kind: User
+ name: "{{fas_owner}}"
+userNames:
+- "{{fas_owner}}"
diff --git a/roles/openshift/project/templates/deployer.yml b/roles/openshift/project/templates/deployer.yml
new file mode 100644
index 0000000000..41b46f2510
--- /dev/null
+++ b/roles/openshift/project/templates/deployer.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+groupNames: []
+kind: RoleBinding
+metadata:
+ creationTimestamp: null
+ name: system:deployers
+ namespace: "{{app}}"
+roleRef:
+ name: system:deployer
+subjects:
+- kind: ServiceAccount
+ name: deployer
+userNames:
+- system:serviceaccount:"{{app}}":deployer
diff --git a/roles/openshift/project/templates/imagebuilder.yml b/roles/openshift/project/templates/imagebuilder.yml
new file mode 100644
index 0000000000..4a738ea5e8
--- /dev/null
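Review bot: The `deployer.yml` task in roles/openshift/project/tasks/main.yml sets `template_fullpath` to `.../templates/deploywer.yml`, but the file this commit adds is `roles/openshift/project/templates/deployer.yml`. The template lookup should therefore fail at that task, and a run would presumably stop after the project and the admin binding are applied, leaving the deployer, image-builder and image-puller bindings missing. The line should read `template_fullpath: "{{roles_path}}/openshift/project/templates/deployer.yml"`.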
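Review bot: In roles/openshift/project/templates/admin.yml the project-level `admin` role is bound to whatever string arrives in `fas_owner`, and nothing visible in this commit checks that the value is set and non-empty before the binding is rendered. Since this binding confers full administration of the namespace, the project role should validate it up front with an `assert` task using `that: fas_owner is defined and fas_owner | length > 0`. A comment at the top of the template, `# Grants the project-level admin role to the FAS account passed as fas_owner.`, would also make the privilege obvious to whoever edits a playbook that calls this role. Because `groupNames` is left empty, access is tied to one individual account; binding a group instead is worth considering so that ownership changes do not require editing playbooks.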
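Review bot: In roles/openshift/project/templates/deployer.yml the `userNames` entry `system:serviceaccount:"{{app}}":deployer` is a plain YAML scalar, so the double quotes around the Jinja expression are kept as literal characters. For this app the rendered value becomes `system:serviceaccount:"waiverdb":deployer`, which is not the service account's actual user name. Quote the whole scalar instead: `- "system:serviceaccount:{{app}}:deployer"`. The same pattern appears in imagebuilder.yml (`userNames`) and in imagepuller.yml (`groupNames` and the `SystemGroup` subject `name`), where the binding would name a principal that does not exist and the intended accounts would not receive the role.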
+++ b/roles/openshift/project/templates/imagebuilder.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+groupNames: []
+kind: RoleBinding
+metadata:
+ creationTimestamp: null
+ name: system:image-builders
+ namespace: "{{app}}"
+roleRef:
+ name: system:image-builder
+subjects:
+- kind: ServiceAccount
+ name: builder
+userNames:
+- system:serviceaccount:"{{app}}":builder
diff --git a/roles/openshift/project/templates/imagepuller.yml b/roles/openshift/project/templates/imagepuller.yml
new file mode 100644
index 0000000000..f0b0d98f54
--- /dev/null
+++ b/roles/openshift/project/templates/imagepuller.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+groupNames:
+- system:serviceaccounts:"{{app}}"
+kind: RoleBinding
+metadata:
+ creationTimestamp: null
+ name: system:image-pullers
+ namespace: "{{app}}"
+roleRef:
+ name: system:image-puller
+subjects:
+- kind: SystemGroup
+ name: system:serviceaccounts:"{{app}}"
+userNames: []
diff --git a/roles/openshift-apps/waiverdb/templates/project.yml b/roles/openshift/project/templates/project.yml
similarity index 100%
rename from roles/openshift-apps/waiverdb/templates/project.yml
rename to roles/openshift/project/templates/project.yml