--- # Fact setting and validations - name: Set default image variables based on deployment type include_vars: "{{ item }}" with_first_found: - "{{ openshift_deployment_type | default(deployment_type) }}.yml" - "default_images.yml" - name: set ansible_service_broker facts set_fact: ansible_service_broker_image_prefix: "{{ ansible_service_broker_image_prefix | default(__ansible_service_broker_image_prefix) }}" ansible_service_broker_image_tag: "{{ ansible_service_broker_image_tag | default(__ansible_service_broker_image_tag) }}" ansible_service_broker_etcd_image_prefix: "{{ ansible_service_broker_etcd_image_prefix | default(__ansible_service_broker_etcd_image_prefix) }}" ansible_service_broker_etcd_image_tag: "{{ ansible_service_broker_etcd_image_tag | default(__ansible_service_broker_etcd_image_tag) }}" ansible_service_broker_etcd_image_etcd_path: "{{ ansible_service_broker_etcd_image_etcd_path | default(__ansible_service_broker_etcd_image_etcd_path) }}" ansible_service_broker_registry_type: "{{ ansible_service_broker_registry_type | default(__ansible_service_broker_registry_type) }}" ansible_service_broker_registry_name: "{{ ansible_service_broker_registry_name | default(__ansible_service_broker_registry_name) }}" ansible_service_broker_registry_url: "{{ ansible_service_broker_registry_url | default(__ansible_service_broker_registry_url) }}" ansible_service_broker_registry_user: "{{ ansible_service_broker_registry_user | default(__ansible_service_broker_registry_user) }}" ansible_service_broker_registry_password: "{{ ansible_service_broker_registry_password | default(__ansible_service_broker_registry_password) }}" ansible_service_broker_registry_organization: "{{ ansible_service_broker_registry_organization | default(__ansible_service_broker_registry_organization) }}" ansible_service_broker_certs_dir: "{{ openshift.common.config_base }}/service-catalog" - name: set ansible-service-broker image facts using set prefix and tag set_fact: ansible_service_broker_image: "{{ ansible_service_broker_image_prefix }}ansible-service-broker:{{ ansible_service_broker_image_tag }}" ansible_service_broker_etcd_image: "{{ ansible_service_broker_etcd_image_prefix }}etcd:{{ ansible_service_broker_etcd_image_tag }}" - slurp: src: "{{ ansible_service_broker_certs_dir }}/ca.crt" register: catalog_ca - include: validate_facts.yml # Deployment of ansible-service-broker starts here - name: create openshift-ansible-service-broker project oc_project: name: openshift-ansible-service-broker state: present - name: create ansible-service-broker serviceaccount oc_serviceaccount: name: asb namespace: openshift-ansible-service-broker state: present - name: create ansible-service-broker client serviceaccount oc_serviceaccount: name: asb-client namespace: openshift-ansible-service-broker state: present - name: Create asb-auth cluster role oc_clusterrole: state: present name: asb-auth rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["create", "delete"] - apiGroups: ["authorization.openshift.io"] resources: ["subjectrulesreview"] verbs: ["create"] - apiGroups: ["authorization.k8s.io"] resources: ["subjectaccessreviews"] verbs: ["create"] - apiGroups: ["authentication.k8s.io"] resources: ["tokenreviews"] verbs: ["create"] - name: Create asb-access cluster role oc_clusterrole: state: present name: asb-access rules: - nonResourceURLs: ["/ansible-service-broker", "ansible-service-broker/*"] verbs: ["get", "post", "put", "patch", "delete"] - name: Bind admin cluster-role to asb serviceaccount oc_adm_policy_user: state: present namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: admin user: "system:serviceaccount:openshift-ansible-service-broker:asb" - name: Bind auth cluster role to asb service account oc_adm_policy_user: state: present namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: asb-auth user: "system:serviceaccount:openshift-ansible-service-broker:asb" - name: Bind asb-access role to asb-client service account oc_adm_policy_user: state: present namespace: openshift-ansible-service-broker resource_kind: cluster-role resource_name: asb-access user: "system:serviceaccount:openshift-ansible-service-broker:asb-client" - name: create asb-client token secret oc_obj: name: asb-client state: present kind: Secret content: path: /tmp/asbclientsecretout data: apiVersion: v1 kind: Secret metadata: name: asb-client annotations: kubernetes.io/service-account.name: asb-client type: kubernetes.io/service-account-token # Using oc_obj because oc_service doesn't seem to allow annotations # TODO: Extend oc_service to allow annotations - name: create ansible-service-broker service oc_obj: name: asb namespace: openshift-ansible-service-broker state: present kind: Service content: path: /tmp/asbsvcout data: apiVersion: v1 kind: Service metadata: name: asb labels: app: openshift-ansible-service-broker service: asb annotations: service.alpha.openshift.io/serving-cert-secret-name: asb-tls spec: ports: - name: port-1338 port: 1338 targetPort: 1338 protocol: TCP selector: app: openshift-ansible-service-broker service: asb - name: create route for ansible-service-broker service oc_route: name: asb-1338 namespace: openshift-ansible-service-broker state: present labels: app: openshift-ansible-service-broker service: asb service_name: asb port: 1338 tls_termination: Reencrypt - name: create persistent volume claim for etcd oc_obj: name: etcd namespace: openshift-ansible-service-broker state: present kind: PersistentVolumeClaim content: path: /tmp/pvcout data: apiVersion: v1 kind: PersistentVolumeClaim metadata: name: etcd namespace: openshift-ansible-service-broker spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi - name: Create Ansible Service Broker deployment config oc_obj: name: asb namespace: openshift-ansible-service-broker state: present kind: DeploymentConfig content: path: /tmp/dcout data: apiVersion: v1 kind: DeploymentConfig metadata: name: asb labels: app: openshift-ansible-service-broker service: asb spec: replicas: 1 selector: app: openshift-ansible-service-broker strategy: type: Rolling template: metadata: labels: app: openshift-ansible-service-broker service: asb spec: serviceAccount: asb containers: - image: "{{ ansible_service_broker_image }}" name: asb imagePullPolicy: IfNotPresent volumeMounts: - name: config-volume mountPath: /etc/ansible-service-broker - name: asb-tls mountPath: /etc/tls/private ports: - containerPort: 1338 protocol: TCP env: - name: BROKER_CONFIG value: /etc/ansible-service-broker/config.yaml resources: {} terminationMessagePath: /tmp/termination-log - image: "{{ ansible_service_broker_etcd_image }}" name: etcd imagePullPolicy: IfNotPresent terminationMessagePath: /tmp/termination-log workingDir: /etcd args: - "{{ ansible_service_broker_etcd_image_etcd_path }}" - "--data-dir=/data" - "--listen-client-urls=http://0.0.0.0:2379" - "--advertise-client-urls=http://0.0.0.0:2379" ports: - containerPort: 2379 protocol: TCP env: - name: ETCDCTL_API value: "3" volumeMounts: - mountPath: /data name: etcd volumes: - name: etcd persistentVolumeClaim: claimName: etcd - name: config-volume configMap: name: broker-config items: - key: broker-config path: config.yaml - name: asb-tls secret: secretName: asb-tls # TODO: saw a oc_configmap in the library, but didn't understand how to get it to do the following: - name: Create config map for ansible-service-broker oc_obj: name: broker-config namespace: openshift-ansible-service-broker state: present kind: ConfigMap content: path: /tmp/cmout data: apiVersion: v1 kind: ConfigMap metadata: name: broker-config namespace: openshift-ansible-service-broker labels: app: openshift-ansible-service-broker data: broker-config: | registry: - type: {{ ansible_service_broker_registry_type }} name: {{ ansible_service_broker_registry_name }} url: {{ ansible_service_broker_registry_url }} user: {{ ansible_service_broker_registry_user }} pass: {{ ansible_service_broker_registry_password }} org: {{ ansible_service_broker_registry_organization }} tag: {{ ansible_service_broker_registry_tag }} white_list: {{ ansible_service_broker_registry_whitelist }} dao: etcd_host: 0.0.0.0 etcd_port: 2379 log: logfile: /var/log/ansible-service-broker/asb.log stdout: true level: {{ ansible_service_broker_log_level }} color: true openshift: host: "" ca_file: "" bearer_token_file: "" sandbox_role: {{ ansible_service_broker_sandbox_role }} image_pull_policy: {{ ansible_service_broker_image_pull_policy }} broker: dev_broker: {{ ansible_service_broker_dev_broker | bool | lower }} bootstrap_on_startup: {{ ansible_service_broker_bootstrap_on_startup | bool | lower }} refresh_interval: {{ ansible_service_broker_refresh_interval }} launch_apb_on_bind: {{ ansible_service_broker_launch_apb_on_bind | bool | lower }} output_request: {{ ansible_service_broker_output_request | bool | lower }} recovery: {{ ansible_service_broker_recovery | bool | lower }} ssl_cert_key: /etc/tls/private/tls.key ssl_cert: /etc/tls/private/tls.crt auto_escalate: {{ ansible_service_broker_auto_escalate }} auth: - type: basic enabled: false - name: Create the Broker resource in the catalog oc_obj: name: ansible-service-broker state: present kind: ServiceBroker content: path: /tmp/brokerout data: apiVersion: servicecatalog.k8s.io/v1alpha1 kind: ServiceBroker metadata: name: ansible-service-broker spec: url: http://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker authInfo: bearer: secretRef: name: asb-client namespace: openshift-ansible-service-broker kind: Secret caBundle: "{{ catalog_ca.content }}"