Update storage and Keycloak config

2026-03-04 12:17:47 -05:00
parent d981b69669
commit d31b14cd72
28 changed files with 1433 additions and 205 deletions


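--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,6 @@
+---
+# ocp_service_account_name: "" # required — SA and ClusterRole name
+# ocp_service_account_namespace: "" # required — namespace for SA and token secret
+# ocp_service_account_cluster_role_rules: [] # required — list of RBAC policy rules
+ocp_service_account_create_namespace: true
+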

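--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,29 @@
+---
+argument_specs:
+main:
+short_description: Create an OpenShift ServiceAccount with scoped ClusterRole
+description:
+- Creates a ServiceAccount, ClusterRole, ClusterRoleBinding, and a
+long-lived token Secret. The token is registered as
+__ocp_service_account_token for downstream use.
+options:
+ocp_service_account_name:
+description: Name for the ServiceAccount, ClusterRole, and ClusterRoleBinding.
+type: str
+required: true
+ocp_service_account_namespace:
+description: Namespace where the ServiceAccount and token Secret are created.
+type: str
+required: true
+ocp_service_account_cluster_role_rules:
+description: >-
+List of RBAC policy rules for the ClusterRole.
+Each item follows the Kubernetes PolicyRule schema
+(apiGroups, resources, verbs).
+type: list
+elements: dict
+required: true
+ocp_service_account_create_namespace:
+description: Whether to create the namespace if it does not exist.
+type: bool
+default: true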
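Review bot: The `main` argument spec leaves out the two facts a caller most needs about the credential this role mints: `ocp_service_account_cluster_role_rules` feeds a ClusterRole, so every rule applies in all namespaces rather than just `ocp_service_account_namespace`, and the resulting long-lived token (Secret type `kubernetes.io/service-account-token`) is echoed in clear text by the "Display SA token for vault storage" debug task shown later on this page, so it lands in any retained play or job log. Extend the option description to `List of RBAC policy rules for the ClusterRole. The role is cluster-scoped, so each rule applies in every namespace; keep verbs and resources to the minimum the consumer needs.` and add to the role description `The token is long-lived and is printed to the play output for manual vault storage, so treat the play log as sensitive.` The task file containing that debug task is cut off at the end of this page, so its remaining lines were not reviewed.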


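--- /dev/null
+++ b/path-not-shown-on-page
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+author: ptoal
+description: Create an OpenShift ServiceAccount with ClusterRole and long-lived token
+license: MIT
+min_ansible_version: "2.16"
+platforms:
+- name: GenericLinux
+versions:
+- all
+galaxy_tags:
+- openshift
+- rbac
+- serviceaccount
+dependencies: []
+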

@@ -0,0 +1,111 @@
---
# Create an OpenShift ServiceAccount with a scoped ClusterRole and long-lived token.
#
# Requires: ocp_service_account_name, ocp_service_account_namespace,
# ocp_service_account_cluster_role_rules
#
# Registers: __ocp_service_account_token (decoded bearer token)
- name: Validate required variables
ansible.builtin.assert:
that:
- ocp_service_account_name | length > 0
- ocp_service_account_namespace | length > 0
- ocp_service_account_cluster_role_rules | length > 0
fail_msg: "ocp_service_account_name, ocp_service_account_namespace, and ocp_service_account_cluster_role_rules are required"
- name: Create namespace {{ ocp_service_account_namespace }}
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Namespace
metadata:
name: "{{ ocp_service_account_namespace }}"
when: ocp_service_account_create_namespace | bool
- name: Create ServiceAccount {{ ocp_service_account_name }}
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: ServiceAccount
metadata:
name: "{{ ocp_service_account_name }}"
namespace: "{{ ocp_service_account_namespace }}"
labels:
app.kubernetes.io/managed-by: ocp-service-account-role
- name: Create ClusterRole {{ ocp_service_account_name }}
kubernetes.core.k8s:
state: present
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: "{{ ocp_service_account_name }}"
labels:
app.kubernetes.io/managed-by: ocp-service-account-role
rules: "{{ ocp_service_account_cluster_role_rules }}"
- name: Create ClusterRoleBinding {{ ocp_service_account_name }}
kubernetes.core.k8s:
state: present
definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: "{{ ocp_service_account_name }}"
labels:
app.kubernetes.io/managed-by: ocp-service-account-role
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: "{{ ocp_service_account_name }}"
subjects:
- kind: ServiceAccount
name: "{{ ocp_service_account_name }}"
namespace: "{{ ocp_service_account_namespace }}"
- name: Create long-lived token Secret for {{ ocp_service_account_name }}
kubernetes.core.k8s:
state: present
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ ocp_service_account_name }}-token"
namespace: "{{ ocp_service_account_namespace }}"
labels:
app.kubernetes.io/managed-by: ocp-service-account-role
app.kubernetes.io/instance: "{{ ocp_service_account_name }}"
annotations:
kubernetes.io/service-account.name: "{{ ocp_service_account_name }}"
type: kubernetes.io/service-account-token
- name: Wait for token to be populated
kubernetes.core.k8s_info:
api_version: v1
kind: Secret
namespace: "{{ ocp_service_account_namespace }}"
name: "{{ ocp_service_account_name }}-token"
register: __ocp_sa_token_secret
until: >-
__ocp_sa_token_secret.resources | length > 0 and
(__ocp_sa_token_secret.resources[0].data.token | default('') | length > 0)
retries: 12
delay: 5
- name: Register SA token for downstream use
ansible.builtin.set_fact:
__ocp_service_account_token: "{{ __ocp_sa_token_secret.resources[0].data.token | b64decode }}"
no_log: true
- name: Display SA token for vault storage
ansible.builtin.debug:
msg:
- "*** SERVICE ACCOUNT TOKEN — SAVE TO 1PASSWORD ***"
- "ServiceAccount: {{ ocp_service_account_name }} ({{ ocp_service_account_namespace }})"
- "Vault variable: vault_{{ ocp_service_account_name | regex_replace('-', '_') }}_token"
- ""
- "Token: {{ __ocp_service_account_token }}"