From d489ab855fc9f86ec91bddc18168d8762d9c8768 Mon Sep 17 00:00:00 2001
From: Clement Verna
Date: Thu, 1 Mar 2018 14:29:55 +0100
Subject: [PATCH] Add osbs-secret role to create secret for namedspaced cluster
Signed-off-by: Clement Verna
---
 roles/osbs-secret/README.md | 70 +++++++++++++++++++
 roles/osbs-secret/defaults/main.yml | 17 +++++
 roles/osbs-secret/handlers/main.yml | 22 ++++++
 roles/osbs-secret/meta/main.yml | 21 ++++++
 roles/osbs-secret/tasks/main.yml | 40 +++++++++++
 .../templates/openshift-secret.yml.j2 | 10 +++
 6 files changed, 180 insertions(+)
 create mode 100644 roles/osbs-secret/README.md
 create mode 100644 roles/osbs-secret/defaults/main.yml
 create mode 100644 roles/osbs-secret/handlers/main.yml
 create mode 100644 roles/osbs-secret/meta/main.yml
 create mode 100644 roles/osbs-secret/tasks/main.yml
 create mode 100644 roles/osbs-secret/templates/openshift-secret.yml.j2
diff --git a/roles/osbs-secret/README.md b/roles/osbs-secret/README.md
new file mode 100644
index 0000000000..e59fab6a79
--- /dev/null
+++ b/roles/osbs-secret/README.md
@@ -0,0 +1,70 @@
+osbs-secret
+===========
+
+This role imports various secrets, such as Pulp or Koji certificates, from
+filesystem into OpenShift. See the [OSBS
+documentation](https://github.com/projectatomic/osbs-client/blob/master/docs/secret.md)
+for more information.
+
+This role is part of
+[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for
+deploying OpenShift build service. Please refer to that github repository for
+[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md)
+and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues).
+
+Role Variables
+--------------
+
+The role imports the keys from the machine running ansible. You have to provide
+`osbs_secret_files` list, which enumerates what files to import. Elements of
+the list are dictionaries with two keys: `source` and `dest`. Source is the
+location of the file on the machine where ansible is run. Dest is the filename
+of the secret.
+
+ osbs_secret_files: - source: /home/user/.pulp/pulp.cer dest: pulp.cer - source: /home/user/.pulp/pulp.key dest: pulp.key
+
+The name of the secret in OpenShift is defined by the `osbs_secret_name`
+variable.
+
+ osbs_secret_name: pulpsecret
+
+The secret has to be associated with a service account. This service account
+can be set by the `osbs_secret_service_account` variable.
+
+ osbs_secret_service_account: builder
+
+We need a kubeconfig file on the remote machine in order to talk to OpenShift.
+Its location is contained in the `pulp_secret_kubeconfig`.
+
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+
+Example Playbook
+----------------
+
+Following playbook imports the keys from my home directory on the machine where
+ansible is executed. You may need to run something like this after the current
+set of keys expires.
+
+ - hosts: builders roles: - role: osbs-secret osbs_secret_name: pulpsecret osbs_secret_files: - source: /home/mmilata/.pulp/pulp.cer dest: pulp.cer - source: {{ pulp_secret_local_dir }}/pulp.key dest: pulp.key
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Martin Milata <mmilata@redhat.com>
diff --git a/roles/osbs-secret/defaults/main.yml b/roles/osbs-secret/defaults/main.yml
new file mode 100644
index 0000000000..0e317c61fc
--- /dev/null
+++ b/roles/osbs-secret/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+osbs_secret_name: pulpsecret
+osbs_secret_type: Opaque
+osbs_secret_service_account: builder
+osbs_secret_remote_dir: /var/lib/origin
+osbs_secret_can_fail: false
+
+osbs_secret_files:
+- source: /home/user/.pulp/pulp.cer
+ dest: pulp.cer
+- source: /home/user/.pulp/pulp.key
+ dest: pulp.key
+
+osbs_namespace: default
+osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
diff --git a/roles/osbs-secret/handlers/main.yml b/roles/osbs-secret/handlers/main.yml
new file mode 100644
index 0000000000..b3c0f8a4fa
--- /dev/null
+++ b/roles/osbs-secret/handlers/main.yml
@@ -0,0 +1,22 @@
+---
+- name: import osbs secret
+ command: >
+ oc replace
+ --namespace={{ osbs_namespace }}
+ --force=true
+ --filename={{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml
+ environment: "{{ osbs_environment }}"
+ notify: allow service account
+
+- name: allow service account
+ command: >
+ oc secrets
+ add serviceaccount/{{ osbs_secret_service_account }} secrets/{{ osbs_secret_name }}
+ --for=mount
+ --namespace={{ osbs_namespace }}
+ environment: "{{ osbs_environment }}"
+
+- name: delete secret resource file
+ file:
+ path: "{{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml"
+ state: absent
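Review bot: `osbs_kubeconfig_path` defaults to `/etc/origin/master/admin.kubeconfig`, which on an origin master is the cluster-admin credential, while every `oc` call this role makes is scoped with `--namespace={{ osbs_namespace }}`; a kubeconfig limited to that namespace would satisfy the handlers and keep the role within least privilege, so a comment on that key such as `# least privilege: a kubeconfig limited to osbs_namespace is enough for the oc calls in handlers/main.yml` would document the expectation. The default `osbs_secret_files` also points at placeholder paths under `/home/user`, so a play that forgets to set the variable fails (with `osbs_secret_can_fail: false`) on "source secret files do not exist" rather than on an unset variable. A comment like `# placeholder example only; callers are expected to override (see README)` above `osbs_secret_files` would make that explicit.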
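Review bot: The `delete secret resource file` handler is the only cleanup for the rendered secret file, and it is listed after `import osbs secret`, so if `oc replace` fails the host is marked failed and, as far as I can tell, the remaining handlers are skipped, leaving a file whose contents are every secret base64-encoded (not encrypted) under `osbs_secret_remote_dir`. The `mode: "0600"` set by the template task limits the exposure but does not remove the material. A more robust shape is to drop the cleanup handler and, in tasks/main.yml, wrap the template task and `meta: flush_handlers` in a `block:` with an `always:` section that performs the `file: state: absent` step, so the file is removed on both the success and the failure path. The two `command` handlers also run without `changed_when`, so every notified run reports changed; a comment `# oc replace --force recreates the object, so "changed" is always reported` would at least record that this is expected.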
diff --git a/roles/osbs-secret/meta/main.yml b/roles/osbs-secret/meta/main.yml
new file mode 100644
index 0000000000..c8d34fb335
--- /dev/null
+++ b/roles/osbs-secret/meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+ author: Martin Milata
+ description: Import secrets from local filesystem into OpenShift.
+ company: Red Hat
+ issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues
+ license: BSD
+ min_ansible_version: 1.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ - name: Fedora
+ versions:
+ - 21
+ - 22
+ categories:
+ - cloud
+ - development
+ - packaging
+dependencies: []
diff --git a/roles/osbs-secret/tasks/main.yml b/roles/osbs-secret/tasks/main.yml
new file mode 100644
index 0000000000..c1428406bd
--- /dev/null
+++ b/roles/osbs-secret/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- set_fact:
+ osbs_secret_files_exist: true
+ tags:
+ - oc
+
+- set_fact:
+ osbs_secret_files_exist: false
+ when: lookup('file', lookup('first_found', [item.source, '/dev/null'])) == ''
+ with_items: "{{ osbs_secret_files }}"
+ tags:
+ - oc
+
+- fail:
+ msg: Some of the source secret files do not exist (and osbs_secret_can_fail is false)
+ when: not (osbs_secret_files_exist or osbs_secret_can_fail)
+ tags:
+ - oc
+
+- debug:
+ msg: Some of the source secret files do not exist, skipping import
+ when: not osbs_secret_files_exist
+ tags:
+ - oc
+
+- name: create secrets resource file
+ template:
+ src: openshift-secret.yml.j2
+ dest: "{{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml"
+ mode: "0600"
+ when: osbs_secret_files_exist
+ notify:
+ - import osbs secret
+ - delete secret resource file
+ tags:
+ - oc
+
+- meta: flush_handlers
+ tags:
+ - oc
diff --git a/roles/osbs-secret/templates/openshift-secret.yml.j2 b/roles/osbs-secret/templates/openshift-secret.yml.j2
new file mode 100644
index 0000000000..2b08c05b12
--- /dev/null
+++ b/roles/osbs-secret/templates/openshift-secret.yml.j2
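Review bot: The `create secrets resource file` template task has no `no_log: true`, so a run with `--diff` (or `diff = True` in ansible.cfg) prints the rendered file, i.e. every secret in `osbs_secret_files` base64-encoded, into the play output and any log that captures it; add `no_log: true  # rendered content holds the secret material` beside `mode: "0600"`. The existence check in the second `set_fact` reads each file's full contents through the `file` lookup only to compare against an empty string, so an existing but empty file is treated as missing and every key is read twice per run (once here, once by the template's own lookup); comparing the `first_found` result against `'/dev/null'` would test presence without reading, though I have not verified that `first_found` returns an absolute input path unchanged. The trailing `meta: flush_handlers` is what makes the import run immediately rather than at end of play; a comment `# run the notified import/cleanup handlers now rather than at end of play` would make that intent explicit.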
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ osbs_secret_name }}
+type: {{ osbs_secret_type }}
+data:
+{% for f in osbs_secret_files %}
+ {{ f.dest }}: {{ lookup('file', f.source) | b64encode }}
+{% endfor %}
+
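Review bot: The templated scalars at `name: {{ osbs_secret_name }}`, `type: {{ osbs_secret_type }}` and the per-file key `{{ f.dest }}:` are unquoted, so a value that YAML types implicitly (a numeric or boolean-looking name, an empty expansion becoming `null`, a `dest` containing `: ` or ` #`) changes the rendered document's meaning before `oc replace` sees it; write them as `name: "{{ osbs_secret_name }}"`, `type: "{{ osbs_secret_type }}"` and `"{{ f.dest }}": {{ lookup('file', f.source) | b64encode }}`. The `file` lookup reads the source as text and, as far as I recall, strips trailing whitespace, so this template only works for PEM-style text secrets and would mangle binary ones such as PKCS#12 bundles; a header comment on the template stating that limitation would save the next user a confusing failure.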