ansible/roles/ocp4-workload-quay-operator/tasks/remove_workload.yml
ansible/roles/ocp4-workload-quay-operator/tasks/workload.yml
ansible/roles/ocp4-workload-quay-operator/templates/cluster_role_binding.j2
ansible/roles/ocp4-workload-quay-operator/templates/quay.j2
ansible/roles/ocp4-workload-quay-operator/tasks/remove_workload.yml
@@ -1,9 +1,6 @@ --- # Implement your Workload removal tasks here - name: Remove ClusterRoleBinding shell: "oc adm policy remove-cluster-role-from-user quay-operator system:serviceaccount:{{ _quay_project }}:quay-operator" - name: Remove Red Hat Quay Operator k8s: state: absent @@ -14,13 +11,14 @@ - ./templates/service_account.j2 - ./templates/role.j2 - ./templates/role_binding.j2 - ./templates/cluster_role_binding.j2 - ./templates/pull_secret.j2 - ./templates/quay_superuser_secret.j2 - ./templates/quay_config_secret.j2 - ./templates/quay_ssl_certificate_secret.j2 - ./templates/project.j2 # NOT removing Cluster Resources because there may be # Other projects with Operators in them. # other projects with Quay Operators in them. # Removing Cluster Resources would screw those up. #- ./templates/cluster_role.j2 #- ./templates/crd.j2 ansible/roles/ocp4-workload-quay-operator/tasks/workload.yml
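Review bot: In tasks/remove_workload.yml, removal now appears to rely only on deleting the object rendered from `./templates/cluster_role_binding.j2`, so a binding that an earlier version of this role created with `oc adm policy add-cluster-role-to-user` is likely left behind, because that command does not use the `quay-operator-{{ guid }}` name. A leftover ClusterRoleBinding keeps the `quay-operator` ClusterRole attached to `system:serviceaccount:{{ _quay_project }}:quay-operator`, and a project created later under the same name would inherit that grant. Consider keeping the old `oc adm policy remove-cluster-role-from-user` task for a transition period with `ignore_errors: true`, or add a comment that environments deployed before this change need that command run by hand. The page has lost its +/- markers, so which lines were dropped is inferred from the hunk counts; the k8s task also continues between the two hunks.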
@@ -72,25 +72,12 @@ - ./templates/crd.j2 - ./templates/service_account.j2 - ./templates/cluster_role.j2 - ./templates/cluster_role_binding.j2 - ./templates/role.j2 - ./templates/role_binding.j2 - ./templates/pull_secret.j2 - ./templates/quay_superuser_secret.j2 - ./templates/quay_config_secret.j2 # Use command rather than k8s module to grant the cluster role to the service account # Using the k8s module resulted in the role to be *only* granted to the last deployed Quay project... - name: Grant the ClusterRole quay-operator to the service account shell: "oc adm policy add-cluster-role-to-user quay-operator system:serviceaccount:{{ _quay_project }}:quay-operator" - name: Create OpenShift Objects for Red Hat Quay Operator k8s: state: present merge_type: - strategic-merge - merge definition: "{{ lookup('template', item ) | from_yaml }}" loop: - ./templates/operator.j2 - name: Create OpenShift Objects for Red Hat Quay Registry Certificates ansible/roles/ocp4-workload-quay-operator/templates/cluster_role_binding.j2
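Review bot: The list entry `- ./templates/cluster_role_binding.j2` in the first loop of tasks/workload.yml has no explanation of why the binding is created per deployment. The comment visible in this hunk records that applying the grant through the k8s module once left the role granted only to the last deployed Quay project. If that comment goes away together with the shell task (the +/- markers are not shown on this page), I would put a replacement above the entry: `# ClusterRoleBinding is named per deployment (quay-operator-<guid>) so applying it does not replace another Quay project's subject`. The task that owns this loop starts outside the hunk.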
New file @@ -0,0 +1,12 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: "quay-operator-{{ guid }}" subjects: - kind: ServiceAccount name: quay-operator namespace: "{{ _quay_project }}" roleRef: kind: ClusterRole name: quay-operator apiGroup: rbac.authorization.k8s.io ansible/roles/ocp4-workload-quay-operator/templates/quay.j2
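Review bot: The binding name in cluster_role_binding.j2 is keyed on `guid` while its subject namespace is `_quay_project`, so two deployments that share a guid but use different projects would render the same object name, and the later apply would overwrite or merge over the earlier subject. Naming the object after the namespace it grants to, for example `name: "quay-operator-{{ _quay_project }}"`, ties each cluster-level grant to exactly one service account and keeps removal unambiguous. Because this is a ClusterRoleBinding, the `quay-operator` service account receives the ClusterRole's rules in every namespace. cluster_role.j2 is not shown on this page, so it is worth confirming that those rules are limited to what the operator needs cluster-wide.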
@@ -5,7 +5,9 @@ namespace: "{{ _quay_project }}" spec: quay: {% if _quay_image_tag is version_compare('v3.2.0', '>=') %} enableRepoMirroring: true {% endif %} imagePullSecretName: quay-pull-secret superuserCredentialsSecretName: quay-superuser-secret configSecretName: quay-config-secret
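Review bot: The added condition `_quay_image_tag is version_compare('v3.2.0', '>=')` in quay.j2 assumes the tag always has the `vX.Y.Z` form. A tag such as `3.2.0`, `latest` or a digest is likely to make the loose version comparison fail or give the wrong answer, in which case the template would not render. Stripping the prefix and using the current test name is more tolerant: `{% if (_quay_image_tag | regex_replace('^v', '')) is version('3.2.0', '>=') %}`. A short comment above the condition, saying that `enableRepoMirroring` is only set for v3.2.0 and later, would explain the gate. The resource's header lines are outside the hunk.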