diff --git a/Makefile b/Makefile
index 805e4e5..98ff7ad 100644
--- a/Makefile
+++ b/Makefile
@@ -40,10 +40,12 @@ pull: docker.image.pull
 create:
- $(ANSIBLE) create-cluster.yaml
+ $(ANSIBLE) create-cluster.yaml -i ./environment/default/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"
 delete:
- $(ANSIBLE) delete-cluster.yaml
+ $(ANSIBLE) delete-cluster.yaml -i ./environment/default/hosts \
+ --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"
 create.multiaz:
 $(ANSIBLE) create-cluster.yaml -i ./environment/multi-az/hosts \
diff --git a/environment/default/group_vars/all.yaml b/environment/default/group_vars/all.yaml
index f02c363..580c3c5 100644
--- a/environment/default/group_vars/all.yaml
+++ b/environment/default/group_vars/all.yaml
@@ -1,4 +1,4 @@
-cluster_name: rosa-cwooley-ans
+cluster_name: ansible-rosa
 # rosa_disable_workload_monitoring: true
 rosa_private_link: false # note private-link forces private to be true
diff --git a/galaxy.yml b/galaxy.yml
index 69b8e77..8cc44a8 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
 namespace: rh_mobb
 name: rosa
-version: 3.0.0
+version: 3.0.1
 readme: README.md
 authors:
 - Paul Czarkowski
diff --git a/roles/rosa_cluster/tasks/absent/main.yml b/roles/rosa_cluster/tasks/absent/main.yml
index 65abd4a..a3c6a94 100644
--- a/roles/rosa_cluster/tasks/absent/main.yml
+++ b/roles/rosa_cluster/tasks/absent/main.yml
@@ -59,6 +59,6 @@
 name: rosa_operator_roles
 vars:
 rosa_operator_roles:
- operator_roles_prefix: "{{ _operator_roles_prefix }}"
+ operator_roles_prefix: "{{ _operator_roles_prefix | default(omit) }}"
 oidc_endpoint_url: "{{ _oidc_endpoint_url | default(omit) }}"
-
+ when: _operator_roles_prefix is defined
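Review bot: The new `--extra-vars "cluster_name=$(CLUSTER_NAME) ..."` on the create and delete recipes passes an empty `cluster_name=` when CLUSTER_NAME is unset, and extra-vars outrank group_vars, so the `ansible-rosa` default this commit sets in environment/default/group_vars/all.yaml is never reached from `make create`/`make delete`; for `delete` that means the playbook runs against an empty or mistyped name rather than the configured cluster. Unless CLUSTER_NAME is given a default elsewhere in the Makefile (not visible in this hunk), guard both recipes with `$(if $(strip $(CLUSTER_NAME)),,$(error CLUSTER_NAME must be set))` as their first line, or set `CLUSTER_NAME ?= ansible-rosa` at the top of the file. The same option string is now duplicated in both targets (and the create.multiaz recipe, which runs past the end of the hunk, carries a similar one); a single `DEFAULT_ENV_ARGS := -i ./environment/default/hosts --extra-vars "cluster_name=$(CLUSTER_NAME) rosa_account_roles_prefix=$(CLUSTER_NAME)"` variable would keep them in step.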
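Review bot: The added `when: _operator_roles_prefix is defined` makes the `| default(omit)` added on the `operator_roles_prefix` line unreachable — inside a task guarded by that `when` the variable is always defined — so one of the two should go; keeping the `when` and leaving the value as `"{{ _operator_roles_prefix }}"` states the intent more plainly. Skipping the include when the prefix is unknown (presumably because the cluster record could no longer be looked up) silently leaves the operator IAM roles and their policies in the account; a preceding `debug` task with the inverse condition, e.g. `msg: "operator roles prefix unknown for {{ cluster_name }}; operator IAM roles were not removed"`, would make that visible in the run output. The include task starts outside the hunk and indentation was lost in this view, so check in the file that the `when` attaches to the task rather than to the `rosa_operator_roles` mapping.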
diff --git a/roles/rosa_operator_roles/files/classic/openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json b/roles/rosa_operator_roles/files/classic/openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json
new file mode 100644
index 0000000..e83b87e
--- /dev/null
+++ b/roles/rosa_operator_roles/files/classic/openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json
@@ -0,0 +1 @@
+{"Version": "2012-10-17", "Statement": [{"Action": ["iam:GetUser", "iam:GetUserPolicy", "iam:ListAccessKeys"], "Effect": "Allow", "Resource": "*"}]}
\ No newline at end of file
diff --git a/roles/rosa_operator_roles/files/classic/openshift_cloud_network_config_controller_cloud_credentials_policy.json b/roles/rosa_operator_roles/files/classic/openshift_cloud_network_config_controller_cloud_credentials_policy.json
new file mode 100644
index 0000000..fd14b2a
--- /dev/null
+++ b/roles/rosa_operator_roles/files/classic/openshift_cloud_network_config_controller_cloud_credentials_policy.json
@@ -0,0 +1 @@
+{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:UnassignPrivateIpAddresses", "ec2:AssignPrivateIpAddresses", "ec2:UnassignIpv6Addresses", "ec2:AssignIpv6Addresses", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces"], "Effect": "Allow", "Resource": "*"}]}
\ No newline at end of file
diff --git a/roles/rosa_operator_roles/files/classic/openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json b/roles/rosa_operator_roles/files/classic/openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json
new file mode 100644
index 0000000..5afca31
--- /dev/null
+++ b/roles/rosa_operator_roles/files/classic/openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json
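Review bot: Every policy file this commit adds under roles/rosa_operator_roles/files/classic (this one plus openshift_cloud_network_config_controller_cloud_credentials_policy.json, openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json, openshift_image_registry_installer_cloud_credentials_policy.json, openshift_ingress_operator_cloud_credentials_policy.json and openshift_machine_api_aws_cloud_credentials_policy.json) grants its actions on `"Resource": "*"` with no record of where the document came from or which ROSA release it matches, and JSON leaves nowhere to say so inline. Add a short section to the collection README (README.md, referenced from galaxy.yml) or a README next to files/classic naming the source of these documents and how they are refreshed, so a later reviewer can tell a deliberate divergence from a stale copy. The files are also written as a single line with no trailing newline; formatting them (for example with `python -m json.tool`) would give readable diffs when a single action is added or removed later.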
@@ -0,0 +1 @@
+{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:AttachVolume", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DetachVolume", "ec2:ModifyVolume"], "Effect": "Allow", "Resource": "*"}]}
\ No newline at end of file
diff --git a/roles/rosa_operator_roles/files/classic/openshift_image_registry_installer_cloud_credentials_policy.json b/roles/rosa_operator_roles/files/classic/openshift_image_registry_installer_cloud_credentials_policy.json
new file mode 100644
index 0000000..f4abfc9
--- /dev/null
+++ b/roles/rosa_operator_roles/files/classic/openshift_image_registry_installer_cloud_credentials_policy.json
@@ -0,0 +1 @@
+{"Version": "2012-10-17", "Statement": [{"Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketTagging", "s3:GetBucketTagging", "s3:PutBucketPublicAccessBlock", "s3:GetBucketPublicAccessBlock", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration", "s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"], "Effect": "Allow", "Resource": "*"}]}
\ No newline at end of file
diff --git a/roles/rosa_operator_roles/files/classic/openshift_ingress_operator_cloud_credentials_policy.json b/roles/rosa_operator_roles/files/classic/openshift_ingress_operator_cloud_credentials_policy.json
new file mode 100644
index 0000000..3c8bb4e
--- /dev/null
+++ b/roles/rosa_operator_roles/files/classic/openshift_ingress_operator_cloud_credentials_policy.json
@@ -0,0 +1 @@
+{"Version": "2012-10-17", "Statement": [{"Action": ["elasticloadbalancing:DescribeLoadBalancers", "route53:ListHostedZones", "route53:ChangeResourceRecordSets", "tag:GetResources"], "Effect": "Allow", "Resource": "*"}]}
\ No newline at end of file
diff --git a/roles/rosa_operator_roles/files/classic/openshift_machine_api_aws_cloud_credentials_policy.json b/roles/rosa_operator_roles/files/classic/openshift_machine_api_aws_cloud_credentials_policy.json
new file mode 100644
index 0000000..fa61b81
--- /dev/null
+++ b/roles/rosa_operator_roles/files/classic/openshift_machine_api_aws_cloud_credentials_policy.json
@@ -0,0 +1 @@
+{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:CreateTags", "ec2:DescribeAvailabilityZones", "ec2:DescribeDhcpOptions", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeInstanceTypes", "ec2:DescribeSecurityGroups", "ec2:DescribeRegions", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:RunInstances", "ec2:TerminateInstances", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets", "iam:PassRole", "iam:CreateServiceLinkedRole"], "Effect": "Allow", "Resource": "*"}, {"Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlainText", "kms:DescribeKey"], "Effect": "Allow", "Resource": "*"}, {"Action": ["kms:RevokeGrant", "kms:CreateGrant", "kms:ListGrants"], "Effect": "Allow", "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}}]}
\ No newline at end of file
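Review bot: The first statement of openshift_machine_api_aws_cloud_credentials_policy.json allows `iam:PassRole` on `"Resource": "*"` with no condition, so the machine-api operator's role may pass any role in the account to EC2, wider than the instance-profile roles it provisions nodes with; the KMS grant statement in the same file already shows the narrowing pattern this policy uses, a `Condition` block. If this file is free to diverge from the ROSA-managed policy, move `iam:PassRole` into its own statement with `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}`; if it must stay identical to the managed policy, record that constraint in the role documentation so the wide grant is not re-raised on every review.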