openshift-apps: add coreos-ci project

CoreOS CI is used for PR testing CoreOS projects.

playbooks/openshift-apps/coreos-ci.yml

@@ -0,0 +1,26 @@
+---
+- hosts: os_control:os_control_stg
+  user: root
+  gather_facts: false
+
+  roles:
+  - role: openshift-apps/coreos-ci
+    project_name: coreos-ci
+    project_description: CoreOS CI Infrastructure
+    appowners:
+    - bgilbert
+    - dustymabe
+    - jlebon
+    - kevin
+    - miabbott
+    - walters
+
+  ###############################################
+  # actions to delete the project from OpenShift
+  ###############################################
+  # to run: sudo rbac-playbook -l os_control_stg -t delete openshift-apps/coreos-ci.yml
+  - role: openshift/object-delete
+    app: coreos-ci
+    objecttype: project
+    objectname: coreos-ci
+    tags: [ never, delete ]

roles/openshift-apps/coreos-ci/defaults/main.yaml

@@ -0,0 +1,10 @@
+project_name: coreos-ci
+project_description: CoreOS CI Infrastructure
+project_service_account: coreos-ci-sa
+appowners: []
+ocp_service_account: root
+project_templates:
+  - project.yaml
+  - group.yaml
+  - rolebinding.yaml
+  - securitycontextconstraints.yaml

roles/openshift-apps/coreos-ci/tasks/main.yaml

@@ -0,0 +1,31 @@
+- name: Create the directories to hold the templates
+  file:
+    path: "/root/ocp4/openshift-apps/{{project_name}}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0770
+    recurse: yes
+
+# generate the templates for project to be created
+- name: create the templates
+  template:
+    src: "{{ item }}"
+    dest: "/root/ocp4/openshift-apps/{{project_name}}/{{ item }}"
+    mode: 0770
+  with_items: "{{ project_templates }}"
+
+# apply created openshift resources
+- name: oc apply resources
+  command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/{{project_name}}/{{ item }}"
+  with_items: "{{ project_templates }}"
+
+# create the service account
+- name: create service account
+  command: "/root/bin/oc create sa {{ project_service_account }} -n {{ project_name }}"
+  register: sa_resource_create
+  failed_when: sa_resource_create.stderr != '' and 'already exists' not in sa_resource_create.stderr
+
+# apply the anyuid-setfcap SCC to the service account
+- name: create service account
+  command: "/root/bin/oc adm policy add-scc-to-user anyuid-setfcap -z {{ project_service_account }}"

roles/openshift-apps/coreos-ci/templates/group.yaml

@@ -0,0 +1,8 @@
+kind: Group
+apiVersion: user.openshift.io/v1
+metadata:
+  name: "{{project_name}}-appowners"
+users:
+{% for item in appowners %}
+- "{{ item }}"
+{% endfor %}

roles/openshift-apps/coreos-ci/templates/project.yaml

@@ -0,0 +1,8 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: "{{project_name}}"
+  annotations:
+    openshift.io/description: "{{ project_description }}"
+    openshift.io/display-name: "{{ project_name }}"

roles/openshift-apps/coreos-ci/templates/rolebinding.yaml

@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "{{project_name}}-appowners"
+  namespace: "{{project_name}}"
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: "{{project_name}}-appowners"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin

roles/openshift-apps/coreos-ci/templates/securitycontextconstraints.yaml

@@ -0,0 +1,38 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities:
+- CAP_SETFCAP
+fsGroup:
+  type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: custom scc for anyuid + CAP_SETFCAP defaultAddCapability
+  name: anyuid-setfcap
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+