Refactor the sysadmin-openshift role to be a more generic openshift post-install role

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

playbooks/manual/ocp4-postinstall-setup.yml

@@ -4,8 +4,8 @@
   gather_facts: false
 
   roles:
-  - role: openshift/sysadmin-openshift
-    sysadmin_openshift_appowners:
+  - role: openshift/cluster
+    cluster_appowners:
     - darknao
     - dkirwan
     - jrichardson

roles/openshift/cluster/defaults/main.yaml

@@ -0,0 +1,3 @@
+---
+cluster_filepath: /root/ocp4/cluster-config
+cluster_appowners: []

roles/openshift/cluster/tasks/main.yaml

@@ -0,0 +1,33 @@
+---
+- name: Create the directories to hold the templates
+  ansible.builtin.file:
+    path: "{{ cluster_filepath }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0770"
+    recurse: yes
+  tags:
+    - create-resources
+
+# generate the templates for project to be created
+- name: Copy the templates
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "{{ cluster_filepath }}/{{ item }}"
+    mode: "0770"
+  with_items:
+    - sysadmin-openshift-group.yml
+    - sysadmin-openshift-rolebinding.yml
+    - webhooks-rolebinding.yml
+  register: cluster_template_result
+  tags:
+    - create-resources
+
+# apply created openshift resources
+- name: Oc apply resources
+  ansible.builtin.command: "oc apply --validate=strict -f {{ item.dest }}"
+  with_items: "{{ cluster_template_result.results }}"
+  when: item.changed
+  tags:
+    - create-resources

roles/openshift/cluster/templates/sysadmin-openshift-group.yml.j2

@@ -4,6 +4,6 @@ apiVersion: user.openshift.io/v1
 metadata:
   name: "sysadmin-openshift"
 users:
-{% for item in sysadmin_openshift_appowners %}
+{% for item in cluster_appowners %}
 - "{{ item }}"
 {% endfor %}

roles/openshift/cluster/templates/webhooks-rolebinding.yml.j2

@@ -0,0 +1,17 @@
+---
+# Allow unauthenticated webhooks to kick off builds
+# https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/builds_using_buildconfig/triggering-builds-build-hooks
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: webhook-access-unauthenticated
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "system:webhook"
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: "system:unauthenticated"

roles/openshift/sysadmin-openshift/defaults/main.yaml

@@ -1,6 +0,0 @@
----
-sysadmin_openshift_appowners: []
-sysadmin_openshift_project_name: sysadmin-openshift
-sysadmin_openshift_project_templates:
-  - group.yaml.j2
-  - rolebinding.yaml.j2

roles/openshift/sysadmin-openshift/tasks/main.yaml

@@ -1,3 +0,0 @@
----
-- import_tasks: resources.yaml
-- import_tasks: upgrade.yaml

roles/openshift/sysadmin-openshift/tasks/resources.yaml

@@ -1,28 +0,0 @@
----
-- name: Create the directories to hold the templates
-  ansible.builtin.file:
-    path: "/root/ocp4/openshift-apps/{{sysadmin_openshift_project_name}}"
-    state: directory
-    owner: root
-    group: root
-    mode: "0770"
-    recurse: yes
-  tags:
-    - create-resources
-
-# generate the templates for project to be created
-- name: Create the templates
-  ansible.builtin.template:
-    src: "{{ item }}"
-    dest: "/root/ocp4/openshift-apps/{{sysadmin_openshift_project_name}}/{{ item }}"
-    mode: "0770"
-  with_items: "{{ sysadmin_openshift_project_templates }}"
-  tags:
-    - create-resources
-
-# apply created openshift resources
-- name: Oc apply resources
-  ansible.builtin.command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/{{sysadmin_openshift_project_name}}/{{ item }}"
-  with_items: "{{ sysadmin_openshift_project_templates }}"
-  tags:
-    - create-resources

roles/openshift/sysadmin-openshift/tasks/upgrade.yaml

@@ -1,8 +0,0 @@
----
-- name: Install oc-client.rpm package.
-  yum:
-    name: /srv/web/infra/bigfiles/openshiftboot/oc-client/oc-client.rpm
-    state: present
-  delegate_to: 127.0.0.1
-  tags:
-    - upgrade-rpm