Allow specifying appowners for projects

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2017-10-08 21:45:19 +02:00 · 2017-10-08 21:45:19 +02:00 · 65f21ee450
commit 65f21ee450
parent 101a9044a9
3 changed files with 247 additions and 0 deletions
--- a/roles/openshift/project/tasks/main.yml
+++ b/roles/openshift/project/tasks/main.yml
@ -28,3 +28,15 @@
    name: openshift/object
  vars:
    template_fullpath: "{{roles_path}}/openshift/project/templates/imagepuller.yml"
+
+- name: role-appowners.yml
+  include_role:
+    name: openshift/object
+  vars:
+    template_fullpath: "{{roles_path}}/openshift/project/templates/roles-appowners.yml"
+
+- name: appowners.yml
+  include_role:
+    name: openshift/object
+  vars:
+    template_fullpath: "{{roles_path}}/openshift/project/templates/appowners.yml"
--- a/roles/openshift/project/templates/appowners.yml
+++ b/roles/openshift/project/templates/appowners.yml
@ -0,0 +1,13 @@
+apiVersion: v1
+kind: RoleBinding
+metadata:
+  namespace: "{{app}}"
+  name: appowners
+roleRef:
+  kind: Role
+  name: appowner
+subjects:
+{% for owner in appowner %}
+- kind: User
+  name: "{{owner}}"
+{% endfor %}
--- a/roles/openshift/project/templates/role-appowners.yml
+++ b/roles/openshift/project/templates/role-appowners.yml
@ -0,0 +1,222 @@
+apiVersion: v1
+kind: Role
+metadata:
+  annotations:
+    openshift.io/description: An application owner. Can view everything but ConfigMaps.
+  name: appowner
+rules:
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - endpoints
+  - persistentvolumeclaims
+  - pods
+  - replicationcontrollers
+  - serviceaccounts
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - bindings
+  - events
+  - limitranges
+  - namespaces
+  - namespaces/status
+  - pods/log
+  - pods/status
+  - replicationcontrollers/status
+  - resourcequotas
+  - resourcequotas/status
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - autoscaling
+  attributeRestrictions: null
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  attributeRestrictions: null
+  resources:
+  - cronjobs
+  - jobs
+  - scheduledjobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  attributeRestrictions: null
+  resources:
+  - deployments
+  - deployments/scale
+  - horizontalpodautoscalers
+  - jobs
+  - replicasets
+  - replicasets/scale
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  attributeRestrictions: null
+  resources:
+  - daemonsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  attributeRestrictions: null
+  resources:
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - buildconfigs
+  - buildconfigs/webhooks
+  - builds
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - builds/log
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - build.openshift.io
+  attributeRestrictions: null
+  resources:
+  - jenkins
+  verbs:
+  - view
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - deploymentconfigs
+  - deploymentconfigs/scale
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - deploymentconfigs/log
+  - deploymentconfigs/status
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - imagestreamimages
+  - imagestreammappings
+  - imagestreams
+  - imagestreamtags
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - imagestreams/status
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - projects
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - appliedclusterresourcequotas
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - routes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - routes/status
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - processedtemplates
+  - templateconfigs
+  - templates
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - buildlogs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  attributeRestrictions: null
+  resources:
+  - resourcequotausages
+  verbs:
+  - get
+  - list
+  - watch