authorSuren A. Chilingaryan <csa@suren.me>2018-04-14 02:09:54 +0200
committerSuren A. Chilingaryan <csa@suren.me>2018-04-14 02:09:54 +0200
commit110ae6da8d80b63a068f4537383e775d958cf9a9 (patch)
tree1e3e84f1245d48518e0147400c6a3c624db10ee5
parent5b9f90a1b410a0464eaad713c00b287174da80d2 (diff)
Provide support for global OpenShift resources (ClusterRoles, etc.)
-rw-r--r--opts.sh4
-rw-r--r--playbooks/openshift-setup-projects.yml2
-rw-r--r--playbooks/openshift-setup-resources.yml7
-rw-r--r--playbooks/openshift-setup-users.yml1
-rw-r--r--roles/ands_kaas/00-local-volumes.yml.j267
-rw-r--r--roles/ands_kaas/tasks/main.yml2
-rw-r--r--roles/ands_kaas/tasks/oc.yml2
-rw-r--r--roles/ands_kaas/tasks/template.yml2
-rw-r--r--roles/ands_openshift/defaults/main.yml2
-rw-r--r--roles/ands_openshift/tasks/projects.yml4
-rw-r--r--roles/ands_openshift/tasks/projects_resources.yml20
-rw-r--r--roles/ands_openshift/tasks/resources.yml9
-rw-r--r--roles/ands_openshift/tasks/users_resources.yml21
-rwxr-xr-xsetup.sh12
-rw-r--r--setup/configs/openshift.yml2
-rw-r--r--setup/projects/openshift/templates/maintain.yml.j233
-rw-r--r--setup/projects/openshift/vars/script.yml2
17 files changed, 99 insertions, 93 deletions
diff --git a/opts.sh b/opts.sh
index c4d2196..25d232a 100644
--- a/opts.sh
+++ b/opts.sh
@@ -50,11 +50,15 @@ Actions:
project <name> - reconfigures a single OpenShift namespace
project_groups <n> - reconfigures fs groups for a single OpenShift namespace (required for Ganesha)
apps <prj> [app] - only re-generates templates for the specific namespaces (or even only specific application)
+ templates - Regenerate global templates (roles, etc.)
+ templates <prj> [t] - Regenerate specified templates, i.e. 'setup.sh templates adei 01-webdav-secret.yml'
vpn - reconfigure VPN tunnels
certs - re-generate OpenShift x509 certificates
check - check current setup and report if any maintenace should be peformed
setup <type> - executes specific configuration task from ands-openshift
Tasks: users, ssh, storage, heketi
+ ADEI configuration
+ adei_template - Regenerate ADEI template
Host system managment
software - Install additionaly configured software
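Review bot: The new usage line `templates <prj> [t] - Regenerate specified templates, i.e. 'setup.sh templates adei 01-webdav-secret.yml'` gives an example, so "e.g." is the right abbreviation, not "i.e.". The new "ADEI configuration / adei_template" entry documents an action that no hunk of this commit adds to the `case "$action"` block in setup.sh; if the handler lives elsewhere that is fine, otherwise the usage text is ahead of the code. The usage heredoc starts and ends outside this hunk.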
diff --git a/playbooks/openshift-setup-projects.yml b/playbooks/openshift-setup-projects.yml
index aac5eb0..350675e 100644
--- a/playbooks/openshift-setup-projects.yml
+++ b/playbooks/openshift-setup-projects.yml
@@ -3,6 +3,8 @@
- name: Configure users & user projects
hosts: masters
roles:
+ - { role: ands_openshift, subrole: projects }
+ - { role: ands_openshift, subrole: resources }
- { role: ands_openshift, subrole: users }
- { role: ands_openshift, subrole: security }
- { role: ands_openshift, subrole: storage }
diff --git a/playbooks/openshift-setup-resources.yml b/playbooks/openshift-setup-resources.yml
new file mode 100644
index 0000000..b8d808b
--- /dev/null
+++ b/playbooks/openshift-setup-resources.yml
@@ -0,0 +1,7 @@
+- import_playbook: maintain.yml
+
+- name: Configure OpenShift resources
+ hosts: masters
+ roles:
+ - { role: ands_openshift, subrole: resources }
+
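Review bot: The new playbook lacks the `---` document-start marker that the other new file in this commit (roles/ands_openshift/tasks/projects.yml) uses, and it ends with an extra blank line, which yamllint reports. Adding `---` as the first line and dropping the trailing empty line keeps the new files consistent with each other.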
diff --git a/playbooks/openshift-setup-users.yml b/playbooks/openshift-setup-users.yml
index 03057d9..c819a9a 100644
--- a/playbooks/openshift-setup-users.yml
+++ b/playbooks/openshift-setup-users.yml
@@ -3,5 +3,6 @@
- name: Configure users
hosts: masters
roles:
+ - { role: ands_openshift, subrole: projects }
- { role: ands_openshift, subrole: users }
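Review bot: This play now runs only the `projects` and `users` subroles, but the `users` subrole binds `adei/kaas-maintain` (added to setup/configs/openshift.yml in this commit), and the `kaas-maintain` ClusterRole is only created by the `resources` subrole, which this playbook does not include. On a cluster where the resources playbook has not yet been applied, the `oc adm policy add-role-to-user` call in users_resources.yml would presumably reference a role that does not exist; whether that errors or silently creates a dangling binding depends on the OpenShift version, so it is worth confirming. If the intent is that the users playbook is self-sufficient, add `- { role: ands_openshift, subrole: resources }` between the two roles, matching the order used in openshift-setup-projects.yml and defaults/main.yml.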
diff --git a/roles/ands_kaas/00-local-volumes.yml.j2 b/roles/ands_kaas/00-local-volumes.yml.j2
deleted file mode 100644
index 8d1a1c8..0000000
--- a/roles/ands_kaas/00-local-volumes.yml.j2
+++ /dev/null
@@ -1,67 +0,0 @@
----
-apiVersion: v1
-kind: Template
-metadata:
- name: {{ kaas_project }}-local-volumes
- annotations:
- descriptions: "{{ kaas_project }} local volumes"
-objects:
-{% for name, vol in kaas_project_local_volumes.iteritems() %}
-{% set voltypes = kaas_storage_domains | json_query("[*].volumes." + vol.volume + ".type") %}
-{% set voltype = voltypes[0] | default('host') %}
-{% set mntpaths = kaas_storage_domains | json_query("[*].volumes." + vol.volume + ".mount") %}
-{% set mntpath = mntpaths[0] | default('') %}
-{% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
-{% set cfgpath = vol.path | default("") %}
-{% set path = cfgpath if cfgpath[:1] == "/" else "/" + kaas_project + "/" + cfgpath %}
-{% if oc_name | regex_search("^" + kaas_project) %}
-{% set pvprefix = oc_name %}
-{% else %}
-{% set pvprefix = (kaas_project + "-" + oc_name) | regex_replace('_','-') %}
-{% endif %}
-{% set i = 0 %}
-{% for id in vol.nodes | default(hostvars[inventory_hostname]['ands_volume_' + vol.volume + '_server_ids']) %}
-{% set srvid = (id | string) %}
-{% set server_name = hostvars[inventory_hostname]['ands_host_' + srvid + '_public_hostname'] %}
-{% set openshift_name = hostvars[inventory_hostname]['ands_host_' + srvid + '_openshift_fqdn'] %}
-{% set pvname = pvprefix + '-' + server_name %}
-{% set pvcname = oc_name + '-' + (i|string) %}
- - apiVersion: v1
- kind: PersistentVolume
- metadata:
- name: {{ pvname }}
- annotations:
- "volume.alpha.kubernetes.io/node-affinity": '{
- "requiredDuringSchedulingIgnoredDuringExecution": {
- "nodeSelectorTerms": [
- { "matchExpressions": [ { "key": "kubernetes.io/hostname", "operator": "In", "values": ["{{ openshift_name }}"] } ]}
- ]
- }
- }'
- spec:
- storageClassName: kaas-local-storage
- persistentVolumeReclaimPolicy: Retain
- local:
- path: "{{ mntpath }}{{ path }}"
- readOnly: {{ not (vol.write | default(false)) }}
- accessModes:
- - ReadWriteOnce
- capacity:
- storage: {{ vol.capacity | default(kaas_default_volume_capacity) }}
- claimRef:
- name: {{ pvcname }}
- namespace: {{ kaas_project }}
- - apiVersion: v1
- kind: PersistentVolumeClaim
- metadata:
- name: {{ pvcname }}
- spec:
- volumeName: {{ pvname }}
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: {{ vol.capacity | default(kaas_default_volume_capacity) }}
-{% set i = i + 1 %}
-{% endfor %}
-{% endfor %}
diff --git a/roles/ands_kaas/tasks/main.yml b/roles/ands_kaas/tasks/main.yml
index f1cff02..fed0525 100644
--- a/roles/ands_kaas/tasks/main.yml
+++ b/roles/ands_kaas/tasks/main.yml
@@ -7,6 +7,6 @@
loop_control:
loop_var: kaas_project
vars:
- do_subrole: "{{ subrole | default('project') }}"
+ do_subrole: "{{ kaas_subrole | default(subrole | default('project')) }}"
kaas_template_path: "{{ kaas_template_root }}/{{ kaas_project }}"
kaas_project_path: "{{playbook_dir}}/projects/{{ kaas_project }}"
diff --git a/roles/ands_kaas/tasks/oc.yml b/roles/ands_kaas/tasks/oc.yml
index d3504f8..9b17c3b 100644
--- a/roles/ands_kaas/tasks/oc.yml
+++ b/roles/ands_kaas/tasks/oc.yml
@@ -6,5 +6,5 @@
vars:
resource: "{{ ocitem.resource | default('') }}"
command: "{{ ocitem.oc }}"
- project: "{{ kaas_project }}"
+ project: "{{ kaas_namespace | default(kaas_project) }}"
recreate: "{{ ocitem.recreate | default(false) }}"
diff --git a/roles/ands_kaas/tasks/template.yml b/roles/ands_kaas/tasks/template.yml
index 841c80e..89c30e0 100644
--- a/roles/ands_kaas/tasks/template.yml
+++ b/roles/ands_kaas/tasks/template.yml
@@ -19,7 +19,7 @@
dest_name: "{{ (appname is defined) | ternary ( '90-' + (appname | default('')) + '.yml', default_name ) }}"
template: "{{ dest_name }}"
template_path: "{{ kaas_template_path }}"
- project: "{{ kaas_project }}"
+ project: "{{ kaas_namespace | default(kaas_project) }}"
recreate: "{{ result | changed | ternary (delete | default(true) | ternary(true, false), false) }}"
replace: "{{ result | changed | ternary (delete | default(true) | ternary(false, true), false) }}"
diff --git a/roles/ands_openshift/defaults/main.yml b/roles/ands_openshift/defaults/main.yml
index d279345..feec093 100644
--- a/roles/ands_openshift/defaults/main.yml
+++ b/roles/ands_openshift/defaults/main.yml
@@ -1,4 +1,4 @@
-openshift_common_subroles: "{{ [ 'users', 'security', 'storage' ] }}"
+openshift_common_subroles: "{{ [ 'projects', 'resources', 'users', 'security', 'storage' ] }}"
openshift_heketi_subroles: "{{ [ 'ssh', 'heketi' ] }}"
openshift_all_subroles: "{{ ands_configure_heketi | default(False) | ternary(openshift_common_subroles + openshift_heketi_subroles, openshift_common_subroles) }}"
diff --git a/roles/ands_openshift/tasks/projects.yml b/roles/ands_openshift/tasks/projects.yml
new file mode 100644
index 0000000..4f13136
--- /dev/null
+++ b/roles/ands_openshift/tasks/projects.yml
@@ -0,0 +1,4 @@
+---
+- include_tasks: projects_resources.yml
+ run_once: true
+ delegate_to: "{{ groups.masters[0] }}"
diff --git a/roles/ands_openshift/tasks/projects_resources.yml b/roles/ands_openshift/tasks/projects_resources.yml
new file mode 100644
index 0000000..2afe9e1
--- /dev/null
+++ b/roles/ands_openshift/tasks/projects_resources.yml
@@ -0,0 +1,20 @@
+- name: Get project list
+ command: "oc get projects -o json"
+ changed_when: false
+ register: results
+
+- name: Find missing projects
+ set_fact: new_projects="{{ ands_openshift_projects.keys() | difference (results.stdout | from_json | json_query('items[*].metadata.name')) }}"
+ when: (results | succeeded)
+
+- name: Create missing projects
+ command: "oc adm new-project --description '{{ ands_openshift_projects[item] }}' {{ item }}"
+ with_items: "{{ new_projects | default([]) }}"
+
+- name: Allow projects to pull images from KaaS imagestreams
+ command: "oc policy add-role-to-group system:image-puller system:serviceaccounts:{{ prj_item }} --namespace=kaas"
+ with_items: "{{ ands_openshift_projects.keys() }}"
+ when:
+ prj_item != "kaas"
+ loop_control:
+ loop_var: prj_item
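Review bot: The "Allow projects to pull images from KaaS imagestreams" task has no `changed_when`, so every run of `oc policy add-role-to-group` is reported as changed even though the binding already exists; a `changed_when: false` (or a check of the existing rolebinding first) would make repeated runs report accurately. The `when: (results | succeeded)` form uses the filter spelling that Ansible has since deprecated in favour of the test form `when: results is succeeded`, and may warn or fail depending on the installed version. The `when:` condition split onto its own line (`prj_item != "kaas"`) is a multi-line plain scalar; writing it as `when: prj_item != "kaas"` is clearer. These tasks are moved here unchanged from users_resources.yml, so the points apply to the removed copy as well.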
diff --git a/roles/ands_openshift/tasks/resources.yml b/roles/ands_openshift/tasks/resources.yml
new file mode 100644
index 0000000..b691372
--- /dev/null
+++ b/roles/ands_openshift/tasks/resources.yml
@@ -0,0 +1,9 @@
+- name: Run configuration script and populate resources
+ include_role: name="ands_kaas"
+ vars:
+ kaas_openshift_volumes: "{{ ands_openshift_volumes }}"
+ kaas_projects: "{{ ands_openshift_projects.keys() }}"
+ kaas_single_project: "openshift"
+ kaas_namespace: "kaas"
+ kaas_subrole: "script"
+ delete: false
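Review bot: Unlike the sibling projects.yml in this commit, this task has no `run_once: true` / `delegate_to: "{{ groups.masters[0] }}"`, so the `ands_kaas` script run and the `oc` resource application execute on every host in `masters` rather than once; if `ands_kaas` does not serialise this itself (not visible here), the same ClusterRole is applied N times. The `include_role: name="ands_kaas"` shorthand should be written in block form, `include_role:` / `  name: ands_kaas`, matching the other task files. The file also lacks the `---` document start used by projects.yml.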
diff --git a/roles/ands_openshift/tasks/users_resources.yml b/roles/ands_openshift/tasks/users_resources.yml
index 722e1eb..2a73cd0 100644
--- a/roles/ands_openshift/tasks/users_resources.yml
+++ b/roles/ands_openshift/tasks/users_resources.yml
@@ -6,27 +6,6 @@
vars:
key_len: "{{ item.key.split('/') | length }}"
-- name: Get project list
- command: "oc get projects -o json"
- changed_when: false
- register: results
-
-- name: Find missing projects
- set_fact: new_projects="{{ ands_openshift_projects.keys() | difference (results.stdout | from_json | json_query('items[*].metadata.name')) }}"
- when: (results | succeeded)
-
-- name: Create missing projects
- command: "oc adm new-project --description '{{ ands_openshift_projects[item] }}' {{ item }}"
- with_items: "{{ new_projects | default([]) }}"
-
-- name: Allow projects to pull images from KaaS imagestreams
- command: "oc policy add-role-to-group system:image-puller system:serviceaccounts:{{ prj_item }} --namespace=kaas"
- with_items: "{{ ands_openshift_projects.keys() }}"
- when:
- prj_item != "kaas"
- loop_control:
- loop_var: prj_item
-
- name: Configure per project roles
command: "oc adm policy add-role-to-user -n {{ item.key.split('/')[0] }} {{ item.key.split('/')[1] }} {{ item.value.replace(' ','').split(',') | join(' ') }}"
with_dict: "{{ ands_openshift_roles }}"
diff --git a/setup.sh b/setup.sh
index add68a4..8d67d6d 100755
--- a/setup.sh
+++ b/setup.sh
@@ -73,7 +73,17 @@ case "$action" in
fi
apply playbooks/openshift-setup-apps.yml --extra-vars "$vars" "$@" || exit 1
;;
- templates|project_templates)
+ templates)
+ if [ -n "$1" ]; then
+ ./setup.sh -i $inventory project_templates "$@" || exit 1
+ else
+ ./setup.sh -i $inventory global_templates "$@" || exit 1
+ fi
+ ;;
+ global_templates)
+ apply playbooks/openshift-setup-resources.yml "$@" || exit 1
+ ;;
+ project_templates)
[ -n "$1" ] || { usage 'project name should be specified...' ; exit 1; }
vars="ands_configure_project=$1"
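Review bot: In the new `templates)` branch `$inventory` is unquoted in both recursive invocations, so an inventory path containing spaces is word-split before reaching the child `setup.sh`; use `-i "$inventory"`. The recursion hard-codes `./setup.sh`, which only works when the script is invoked from the repository root, whereas `"$0"` (which the script is already being run as) is location-independent. `$inventory` is assigned outside this hunk, and the enclosing `case "$action"` block starts before and ends after it.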
diff --git a/setup/configs/openshift.yml b/setup/configs/openshift.yml
index 10146e8..a4024ae 100644
--- a/setup/configs/openshift.yml
+++ b/setup/configs/openshift.yml
@@ -20,6 +20,8 @@ ands_openshift_roles:
kaas/admin: csa, kopmann
katrin/admin: katrin
adei/admin: csa
+ adei/view: pdv, kopmann
+ adei/kaas-maintain: pdv, kopmann
bora/admin: ntj
web/admin: kopmann
mon/admin: csa
diff --git a/setup/projects/openshift/templates/maintain.yml.j2 b/setup/projects/openshift/templates/maintain.yml.j2
new file mode 100644
index 0000000..41017a5
--- /dev/null
+++ b/setup/projects/openshift/templates/maintain.yml.j2
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ClusterRole
+metadata:
+ annotations:
+ openshift.io/description: A user that can create and edit most objects in a project,
+ but can not update the project's membership.
+ openshift.io/reconcile-protect: "false"
+ creationTimestamp: null
+ name: kaas-maintain
+rules:
+- resources:
+ - pods/exec
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- resources:
+ - replicationcontrollers/scale
+ - deploymentconfigs/scale
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
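Review bot: The `openshift.io/description` annotation ("A user that can create and edit most objects in a project, but can not update the project's membership") is the wording of the built-in `edit` role and does not describe this ClusterRole, which grants only `pods/exec` and the `replicationcontrollers/scale` / `deploymentconfigs/scale` subresources; since `pods/exec` amounts to running commands inside any pod in the bound namespace, a description such as `Maintainer: may exec into pods and scale replication controllers / deployment configs in the project` tells reviewers of the `adei/kaas-maintain` binding what they are granting. Neither rule lists `apiGroups`; depending on the OpenShift release, a rule without it may match only the core group, so `deploymentconfigs/scale` under `apps.openshift.io` may not be covered — worth confirming with `oc adm policy who-can` after applying. The template also lacks the `---` document start marker.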
diff --git a/setup/projects/openshift/vars/script.yml b/setup/projects/openshift/vars/script.yml
new file mode 100644
index 0000000..0d9ccef
--- /dev/null
+++ b/setup/projects/openshift/vars/script.yml
@@ -0,0 +1,2 @@
+oc:
+ - templates: "maintain*"