authorewolinetz <ewolinet@redhat.com>2017-07-17 10:02:32 -0500
committerewolinetz <ewolinet@redhat.com>2017-07-17 15:27:12 -0500
commit650149e1fa1e631775aac5ced9b22e03b3090f33 (patch)
treeb151f5c5f3e9b3f5988a8dc2145410643e38071a
parentda7551b82fc37a77181a8c9aa9b82060b7101c5f (diff)
Updating to use oc replace and conditionally update edit and admin roles
-rw-r--r--filter_plugins/oo_filters.py16
-rw-r--r--roles/openshift_service_catalog/tasks/install.yml16
2 files changed, 29 insertions, 3 deletions
diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index cff9f8a60..399e83bec 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -1008,6 +1008,19 @@ def oo_random_word(length, source='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRS
"""
return ''.join(random.choice(source) for i in range(length))
+def oo_contains_rule(source, apiGroups, resources, verbs):
+ '''Return true if the specified rule is contained within the provided source'''
+
+ rules=source['rules']
+
+ if rules:
+ for rule in rules:
+ if rule['apiGroups'].sort() == apiGroups.sort():
+ if rule['resources'].sort() == resources.sort():
+ if rule['verbs'].sort() == verbs.sort():
+ return True
+
+ return False
class FilterModule(object):
""" Custom ansible filter mapping """
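Review bot: `list.sort()` sorts in place and returns `None`, so each of the three comparisons in `oo_contains_rule` is `None == None`, and the function returns True for any source whose `rules` list is non-empty, whatever arguments are passed. The `when:` guards this commit adds in roles/openshift_service_catalog/tasks/install.yml then evaluate to false, so the edit and admin clusterrole updates are skipped even when the rules are missing. The calls also reorder the caller's lists as a side effect. Compare sorted copies instead, e.g. `if sorted(rule.get('apiGroups', [])) == sorted(apiGroups):`, and likewise for `resources` and `verbs`. Using `.get` also avoids a KeyError on a rule that lacks one of the keys, which seems likely for rules that carry only nonResourceURLs, though none are visible here.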
@@ -1049,5 +1062,6 @@ class FilterModule(object):
"oo_openshift_loadbalancer_frontends": oo_openshift_loadbalancer_frontends,
"oo_openshift_loadbalancer_backends": oo_openshift_loadbalancer_backends,
"to_padded_yaml": to_padded_yaml,
- "oo_random_word": oo_random_word
+ "oo_random_word": oo_random_word,
+ "oo_contains_rule": oo_contains_rule
}
diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml
index de7511f71..98a13a462 100644
--- a/roles/openshift_service_catalog/tasks/install.yml
+++ b/roles/openshift_service_catalog/tasks/install.yml
@@ -72,16 +72,22 @@
state: list
register: edit_yaml
+# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/edit
template:
src: sc_role_patching.j2
dest: "{{ mktemp.stdout }}/edit_sc_patch.yml"
vars:
original_content: "{{ edit_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
- name: update edit role for service catalog and pod preset access
command: >
- oc apply -f {{ mktemp.stdout }}/edit_sc_patch.yml
+ oc replace -f {{ mktemp.stdout }}/edit_sc_patch.yml
+ when:
+ - not edit_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not edit_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
- oc_obj:
name: admin
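Review bot: The same two-filter `when:` expression is pasted on both the template task and the `oc replace` task here, and again on the admin pair in the next hunk, so the four copies can drift apart and leave a replace running against a file that was never regenerated. Put each generate/replace pair under a `- block:` with a single `when:`, or compute the result once with `set_fact` and test that variable in both tasks. Separately, `oo_contains_rule` looks for one rule whose three lists match exactly, so a role that already grants these verbs through a broader or differently grouped rule counts as missing. In that case `oc replace` rewrites the cluster-wide role, presumably from the earlier `oc_obj` read, since sc_role_patching.j2 is not visible here. A comment such as `# exact-match check: a broader existing rule still triggers a replace` would record that assumption.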
@@ -89,16 +95,22 @@
state: list
register: admin_yaml
+# only do this if we don't already have the updated role info
- name: Generate apply template for clusterrole/admin
template:
src: sc_role_patching.j2
dest: "{{ mktemp.stdout }}/admin_sc_patch.yml"
vars:
original_content: "{{ admin_yaml.results.results[0] | to_yaml }}"
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
+# only do this if we don't already have the updated role info
- name: update admin role for service catalog and pod preset access
command: >
- oc apply -f {{ mktemp.stdout }}/admin_sc_patch.yml
+ oc replace -f {{ mktemp.stdout }}/admin_sc_patch.yml
+ when:
+ - not admin_yaml.results.results[0] | oo_contains_rule(['servicecatalog.k8s.io'], ['instances', 'bindings'], ['create', 'update', 'delete', 'get', 'list', 'watch']) or not admin_yaml.results.results[0] | oo_contains_rule(['settings.k8s.io'], ['podpresets'], ['create', 'update', 'delete', 'get', 'list', 'watch'])
- shell: >
oc get policybindings/kube-system:default -n kube-system || echo "not found"