authorJason DeTiberus <jdetiber@redhat.com>2016-02-03 16:27:30 -0500
committerJason DeTiberus <jdetiber@redhat.com>2016-02-09 15:51:35 -0500
commitd30acfb23637525cf79cd05c94d0d3c900cc4b88 (patch)
tree8b92294835b3c945e246fa09cbb70b0a50d7b07a /roles/openshift_serviceaccounts
parent34455e0f4f2d4b6ea0b21703f711448e947bf0c7 (diff)
openshift_serviceaccounts updates
- make service account creation more flexible
- create service accounts near where they are consumed
Diffstat (limited to 'roles/openshift_serviceaccounts')
-rw-r--r--roles/openshift_serviceaccounts/meta/main.yml15
-rw-r--r--roles/openshift_serviceaccounts/tasks/main.yml59
-rw-r--r--roles/openshift_serviceaccounts/templates/serviceaccount.j22
3 files changed, 44 insertions, 32 deletions
diff --git a/roles/openshift_serviceaccounts/meta/main.yml b/roles/openshift_serviceaccounts/meta/main.yml
new file mode 100644
index 000000000..a2c9fee70
--- /dev/null
+++ b/roles/openshift_serviceaccounts/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ author: OpenShift Operations
+ description: OpenShift Service Accounts
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 1.9
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+dependencies:
+- { role: openshift_facts }
diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml
index 4c7faa6fe..5fe7d28f3 100644
--- a/roles/openshift_serviceaccounts/tasks/main.yml
+++ b/roles/openshift_serviceaccounts/tasks/main.yml
@@ -1,36 +1,33 @@
-- name: tmp dir for openshift
- file:
- path: /tmp/openshift
- state: directory
- owner: root
- mode: 700
-
-- name: Create service account configs
- template:
- src: serviceaccount.j2
- dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
- with_items: accounts
-
-- name: Create {{ item }} service account
+- name: test if service accounts exists
command: >
- {{ openshift.common.client_binary }} create -f "/tmp/openshift/{{ item }}-serviceaccount.yaml"
- with_items: accounts
- register: _sa_result
- failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
- changed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc == 0"
+ {{ openshift.common.client_binary }} get sa {{ item }} -n {{ openshift_serviceaccounts_namespace }}
+ with_items: openshift_serviceaccounts_names
+ failed_when: false
+ changed_when: false
+ register: account_test
-- name: Get current security context constraints
+- name: create the service account
shell: >
- {{ openshift.common.client_binary }} get scc privileged -o yaml
- --output-version=v1 > /tmp/openshift/scc.yaml
- changed_when: false
+ echo {{ lookup('template', '../templates/serviceaccount.j2')
+ | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }} create -f -
+ when: item.1.rc != 0
+ with_together:
+ - openshift_serviceaccounts_names
+ - account_test.results
-- name: Add security context constraint for {{ item }}
- lineinfile:
- dest: /tmp/openshift/scc.yaml
- line: "- system:serviceaccount:default:{{ item }}"
- insertafter: "^users:$"
- with_items: accounts
+- name: test if scc needs to be updated
+ command: >
+ {{ openshift.common.client_binary }} get scc {{ item }} -o yaml
+ changed_when: false
+ failed_when: false
+ register: scc_test
+ with_items: openshift_serviceaccounts_sccs
-- name: Apply new scc rules for service accounts
- command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
+- name: Grant the user access to the privileged scc
+ command: >
+ {{ openshift.common.admin_binary }} policy add-scc-to-user
+ privileged system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
+ when: "item.1.rc == 0 and 'system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}' not in {{ (item.1.stdout | from_yaml).users }}"
+ with_nested:
+ - openshift_serviceaccounts_names
+ - scc_test.results
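Review bot: The grant task hardcodes the `privileged` SCC (task name and the `add-scc-to-user` argument) even though the `with_nested` loop walks every entry of `openshift_serviceaccounts_sccs` via `scc_test.results`, so with more than one SCC in that list each account is added to `privileged` once per SCC instead of to the SCC whose `users` list was just checked; the grant should use the tested SCC, `{{ item.1.item }}` in place of the literal `privileged`, and the task name should say "Grant the service account access to the {{ item.1.item }} scc". The `when:` also nests `{{ ... }}` inside a Jinja expression, which Ansible warns about and which raises a template error when the fetched SCC has no `users` entry (null rather than a list); a plain expression avoids both: `when: "item.1.rc == 0 and ('system:serviceaccount:' ~ openshift_serviceaccounts_namespace ~ ':' ~ item.0) not in ((item.1.stdout | from_yaml).users | default([]))"`. Because this task widens what pods in the namespace may do, a comment above it stating that every listed account is granted every SCC in `openshift_serviceaccounts_sccs` (cluster-wide, no namespace scoping on SCCs) would help reviewers of the inventory variables.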
diff --git a/roles/openshift_serviceaccounts/templates/serviceaccount.j2 b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
index 931e249f9..c5f12421f 100644
--- a/roles/openshift_serviceaccounts/templates/serviceaccount.j2
+++ b/roles/openshift_serviceaccounts/templates/serviceaccount.j2
@@ -1,4 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
- name: {{ item }}
+ name: {{ item.0 }}