Create an APB for the automation broker deployment #1
| resources: ["networkpolicies"] | ||
| verbs: ["create", "delete"] | ||
| - apiGroups: ["automationbroker.io"] | ||
| # attributeRestrictions: null |
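Review bot: the commented-out `# attributeRestrictions: null` line should be deleted rather than left as a comment; the discussion on this hunk already establishes that the python-client does not support the field and that nothing changes when it is omitted, so the dead line only invites a future reader to uncomment it.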
These aren't actually supported in the python-client. What happens if we don't specifically set them to null?
I don't think anything happens
- Only create the broker auth secret if basic auth is enabled
- Flatten the variables in defaults to make it easy for a user to modify them
- Use jinja templating more heavily in configmap
- Push crd logic into its own tasks file
- Push variables the user shouldn't touch into vars/
| name: {{ broker_name }}-auth-secret | ||
| namespace: {{ broker_namespace }} | ||
| data: | ||
| username: {{ broker_basic_auth_username | b64encode }} |
I figured @fabianvf would appreciate this.
Example run, in OpenShift:
Ran into an error testing with the readme instructions.
TASK [automation-broker-apb : Set broker deployment object state=present] ******
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error parsing resource definition. Encountered spec_selector_app, which does not map to a parameter expected by the OpenShift Python module."}
to retry, use: --limit @/opt/apb/actions/provision.retry
PLAY RECAP *********************************************************************
| $ kubectl create namespace automation-broker | ||
| $ kubectl create serviceaccount automation-broker-apb --namespace automation-broker | ||
| $ kubectl create clusterrolebinding automation-broker-apb --clusterrole=cluster-admin --serviceaccount=automation-broker:automation-broker-apb | ||
| $ kubectl run automation-broker-apb \ |
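Review bot: `kubectl create clusterrolebinding ... --clusterrole=cluster-admin --serviceaccount=automation-broker:automation-broker-apb` grants the APB service account full cluster privileges for as long as the binding exists. If the APB only needs the rules in its own role earlier in this PR (for example `networkpolicies` with `create`/`delete` and the `automationbroker.io` group), bind a ClusterRole scoped to those instead, or document in the README why cluster-admin is required and that the binding should be removed once provisioning is complete.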
These commands worked with oc 👍
Ah... my error was probably because I didn't set the cluster var. Retrying.
There are a few issues with k8s that I need to work through. Specifically, creating the tls stuff.
@dymurray I think this is cleaned up. Let me know if you have any more issues. @rthallisey if you could have a look at this from the k8s perspective that would be really helpful.
tasks/kubernetes.yaml
| -out /tmp/{{ broker_name }}-cert/cert.pem | ||
| -days 365 | ||
| -subj "/CN={{ broker_name }}.{{ broker_name }}.svc" | ||
| when: cluster == 'kubernetes' and apb_action == 'provision' |
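Review bot: the subject `/CN={{ broker_name }}.{{ broker_name }}.svc` uses `broker_name` for both components, but the second component of a service DNS name is the namespace, and the secret template in this PR uses `{{ broker_namespace }}` for that. As written the certificate only matches when the broker is deployed into a namespace with the same name as the broker; use `{{ broker_name }}.{{ broker_namespace }}.svc`, and consider also emitting it as a subjectAltName, since many TLS clients no longer match hostnames against the CN.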
👍
tasks/kubernetes.yaml
| file: | ||
| path: /tmp/{{ broker_name }}-cert | ||
| state: directory | ||
| when: cluster == 'kubernetes' and apb_action == 'provision' |
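Review bot: the `/tmp/{{ broker_name }}-cert` directory created by this `file:` task goes on to hold the broker's private key (`key.pem`) and certificate; add `mode: '0700'` so the key is not world-readable inside the container, and consider removing the directory once the contents have been loaded into the Secret.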
I think it's cleaner to encapsulate tasks that share a condition in a block or import task. Also prevents you from missing a conditional update somewhere if something changes.
Yeah. I can definitely improve this file and the OpenShift file to encapsulate better.
I believe I fixed it with the latest commit @fabianvf let me know what you think.
tasks/generate_certificate.yaml
| resource_name=broker_name + '-client' | ||
| ) | json_query('secrets') | first | json_query('name') | ||
| }}" | ||
| when: cluster == 'kubernetes' |
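Review bot: `json_query('secrets') | first | json_query('name')` assumes the first entry in the `{{ broker_name }}-client` service account's `secrets` list is its token secret, but the ordering of that list is not guaranteed and on OpenShift it also contains a dockercfg secret. Select the secret by type (`kubernetes.io/service-account-token`) or by name prefix rather than taking `first`, otherwise the lookup can silently return the wrong secret.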
not to nitpick, but for large blocks like these I like to put the when at the top (like after name), because the whitespace can be kind of hard to parse.
tasks/generate_certificate.yaml
| # privatekey_path: /tmp/{{ broker_name }}-cert/key.pem | ||
| # subject: "/CN={{ broker_name }}.{{ broker_name }}.svc" | ||
| # provider: selfsigned | ||
| - name: 'Create OpenSSL Cert for Broker' |
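Review bot: the commented-out module parameters (`privatekey_path`, `subject`, `provider: selfsigned`) directly above the 'Create OpenSSL Cert for Broker' task should either be removed or replaced with a one-line comment saying why the module approach was dropped in favour of invoking openssl directly; leaving the dead configuration in place makes it unclear which path is intended.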
just FYI I don't think the task name is displayed in the output for blocks.
That's what I get for trusting the example 😎 http://docs.ansible.com/ansible/latest/user_guide/playbooks_blocks.html#id1
templates/bundle.crd.yaml
| @@ -0,0 +1,155 @@ | |||
| --- | |||
Since this isn't a template it might make more sense to put it in files/
Added some stylistic comments, but none of them are blockers or even very important.