diff --git a/playbooks/manual/ocp4-sysadmin-openshift.yml b/playbooks/manual/ocp4-postinstall-setup.yml similarity index 79% rename from playbooks/manual/ocp4-sysadmin-openshift.yml rename to playbooks/manual/ocp4-postinstall-setup.yml index e664ff8ad7..669dd22df7 100644 --- a/playbooks/manual/ocp4-sysadmin-openshift.yml +++ b/playbooks/manual/ocp4-postinstall-setup.yml @@ -4,8 +4,8 @@ gather_facts: false roles: - - role: openshift/sysadmin-openshift - sysadmin_openshift_appowners: + - role: openshift/cluster + cluster_appowners: - darknao - dkirwan - jrichardson diff --git a/roles/openshift/cluster/defaults/main.yaml b/roles/openshift/cluster/defaults/main.yaml new file mode 100644 index 0000000000..5f70a1b9de --- /dev/null +++ b/roles/openshift/cluster/defaults/main.yaml @@ -0,0 +1,3 @@ +--- +cluster_filepath: /root/ocp4/cluster-config +cluster_appowners: [] diff --git a/roles/openshift/cluster/tasks/main.yaml b/roles/openshift/cluster/tasks/main.yaml new file mode 100644 index 0000000000..867607dd9c --- /dev/null +++ b/roles/openshift/cluster/tasks/main.yaml @@ -0,0 +1,33 @@ +--- +- name: Create the directories to hold the templates + ansible.builtin.file: + path: "{{ cluster_filepath }}" + state: directory + owner: root + group: root + mode: "0770" + recurse: yes + tags: + - create-resources + +# generate the templates for project to be created +- name: Copy the templates + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "{{ cluster_filepath }}/{{ item }}" + mode: "0770" + with_items: + - sysadmin-openshift-group.yml + - sysadmin-openshift-rolebinding.yml + - webhooks-rolebinding.yml + register: cluster_template_result + tags: + - create-resources + +# apply created openshift resources +- name: Oc apply resources + ansible.builtin.command: "oc apply --validate=strict -f {{ item.dest }}" + with_items: "{{ cluster_template_result.results }}" + when: item.changed + tags: + - create-resources 
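Review bot: In `roles/openshift/cluster/tasks/main.yaml`, the `when: item.changed` gate on `Oc apply resources` means a manifest is applied only on the run that rewrites its file. An apply that fails after the template was written is not retried on the next run, and RBAC objects edited or deleted on the cluster are never reconciled. Since `oc apply` is idempotent, consider dropping the condition and deriving change status from its output, e.g. `register: cluster_apply_result` with `changed_when: "'unchanged' not in cluster_apply_result.stdout"`. The command also now resolves `oc` through PATH where the removed role called `/root/bin/oc`; as the play presumably runs as root, pinning the absolute path keeps the executed binary unambiguous.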
diff --git a/roles/openshift/sysadmin-openshift/templates/group.yaml.j2 b/roles/openshift/cluster/templates/sysadmin-openshift-group.yml.j2 similarity index 72% rename from roles/openshift/sysadmin-openshift/templates/group.yaml.j2 rename to roles/openshift/cluster/templates/sysadmin-openshift-group.yml.j2 index 1997f0b364..a82c728e6c 100644 --- a/roles/openshift/sysadmin-openshift/templates/group.yaml.j2 +++ b/roles/openshift/cluster/templates/sysadmin-openshift-group.yml.j2 @@ -4,6 +4,6 @@ apiVersion: user.openshift.io/v1 metadata: name: "sysadmin-openshift" users: -{% for item in sysadmin_openshift_appowners %} +{% for item in cluster_appowners %} - "{{ item }}" {% endfor %} diff --git a/roles/openshift/sysadmin-openshift/templates/rolebinding.yaml.j2 b/roles/openshift/cluster/templates/sysadmin-openshift-rolebinding.yml.j2 similarity index 100% rename from roles/openshift/sysadmin-openshift/templates/rolebinding.yaml.j2 rename to roles/openshift/cluster/templates/sysadmin-openshift-rolebinding.yml.j2 diff --git a/roles/openshift/cluster/templates/webhooks-rolebinding.yml.j2 b/roles/openshift/cluster/templates/webhooks-rolebinding.yml.j2 new file mode 100644 index 0000000000..7e5f29380c --- /dev/null +++ b/roles/openshift/cluster/templates/webhooks-rolebinding.yml.j2 @@ -0,0 +1,17 @@ +--- +# Allow unauthenticated webhooks to kick off builds +# https://docs.redhat.com/en/documentation/openshift_container_platform/4.17/html/builds_using_buildconfig/triggering-builds-build-hooks +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: webhook-access-unauthenticated + annotations: + rbac.authorization.kubernetes.io/autoupdate: "true" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "system:webhook" +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: "system:unauthenticated" 
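Review bot: The RoleBinding in `webhooks-rolebinding.yml.j2` has no `metadata.namespace`, and the role applies it with `oc apply -f` and no `-n`. The grant of `system:webhook` to `system:unauthenticated` therefore lands in whatever project is current in the active kubeconfig context. Because this binding lets unauthenticated callers trigger builds, the target project should be explicit, e.g. `namespace: "{{ cluster_webhook_namespace }}"` under `metadata` (a new role variable; the name is only a suggestion), left without a default so a missing value fails the template. The header comment could also state that with this binding in place the BuildConfig webhook secret is the only protection on the trigger URL.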
diff --git a/roles/openshift/sysadmin-openshift/defaults/main.yaml b/roles/openshift/sysadmin-openshift/defaults/main.yaml
deleted file mode 100644
index a0b431e2be..0000000000
--- a/roles/openshift/sysadmin-openshift/defaults/main.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-sysadmin_openshift_appowners: []
-sysadmin_openshift_project_name: sysadmin-openshift
-sysadmin_openshift_project_templates:
- - group.yaml.j2
- - rolebinding.yaml.j2
diff --git a/roles/openshift/sysadmin-openshift/tasks/main.yaml b/roles/openshift/sysadmin-openshift/tasks/main.yaml
deleted file mode 100644
index 7ff687b507..0000000000
--- a/roles/openshift/sysadmin-openshift/tasks/main.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- import_tasks: resources.yaml
-- import_tasks: upgrade.yaml
diff --git a/roles/openshift/sysadmin-openshift/tasks/resources.yaml b/roles/openshift/sysadmin-openshift/tasks/resources.yaml
deleted file mode 100644
index 05a1b04dce..0000000000
--- a/roles/openshift/sysadmin-openshift/tasks/resources.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-- name: Create the directories to hold the templates
- ansible.builtin.file:
- path: "/root/ocp4/openshift-apps/{{sysadmin_openshift_project_name}}"
- state: directory
- owner: root
- group: root
- mode: "0770"
- recurse: yes
- tags:
- - create-resources
-
-# generate the templates for project to be created
-- name: Create the templates
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "/root/ocp4/openshift-apps/{{sysadmin_openshift_project_name}}/{{ item }}"
- mode: "0770"
- with_items: "{{ sysadmin_openshift_project_templates }}"
- tags:
- - create-resources
-
-# apply created openshift resources
-- name: Oc apply resources
- ansible.builtin.command: "/root/bin/oc apply -f /root/ocp4/openshift-apps/{{sysadmin_openshift_project_name}}/{{ item }}"
- with_items: "{{ sysadmin_openshift_project_templates }}"
- tags:
- - create-resources
diff --git a/roles/openshift/sysadmin-openshift/tasks/upgrade.yaml b/roles/openshift/sysadmin-openshift/tasks/upgrade.yaml
deleted file mode 100644
index 5e16b9fa26..0000000000
--- a/roles/openshift/sysadmin-openshift/tasks/upgrade.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Install oc-client.rpm package.
- yum:
- name: /srv/web/infra/bigfiles/openshiftboot/oc-client/oc-client.rpm
- state: present
- delegate_to: 127.0.0.1
- tags:
- - upgrade-rpm