From 3a308068c31a9cc495f6963cf26197af831642dc Mon Sep 17 00:00:00 2001
From: Fredrik Liv
Date: Thu, 17 Mar 2022 11:50:19 +0100
Subject: [PATCH 1/2] Updated openstack cloud controller version to match kubernetes version
---
 .../openstack/defaults/main.yml | 2 +-
 .../openstack/tasks/main.yml | 4 +-
 ...oud-controller-manager-role-binding.yml.j2 | 12 ++
 ...ud-controller-manager-role-bindings.yml.j2 | 40 -----
 ...stack-cloud-controller-manager-role.yml.j2 | 93 ++++++++++++
 ...tack-cloud-controller-manager-roles.yml.j2 | 142 ------------------
 6 files changed, 108 insertions(+), 185 deletions(-)
 create mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-binding.yml.j2
 delete mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-bindings.yml.j2
 create mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role.yml.j2
 delete mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-roles.yml.j2
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
index 70f20adb992..8cf86cf2871 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/defaults/main.yml
@@ -21,4 +21,4 @@ external_openstack_cacert: "{{ lookup('env','OS_CACERT') }}"
 ## arg1: "value1"
 ## arg2: "value2"
 external_openstack_cloud_controller_extra_args: {}
-external_openstack_cloud_controller_image_tag: "v1.18.2"
+external_openstack_cloud_controller_image_tag: "v1.22.0"
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
index ac3810c7c74..452520cea50 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
@@ -26,8 +26,8 @@
 mode: 0640
 with_items:
 - {name: external-openstack-cloud-config-secret, file: external-openstack-cloud-config-secret.yml}
- - {name: external-openstack-cloud-controller-manager-roles, file: external-openstack-cloud-controller-manager-roles.yml}
- - {name: external-openstack-cloud-controller-manager-role-bindings, file: external-openstack-cloud-controller-manager-role-bindings.yml}
+ - {name: external-openstack-cloud-controller-manager-role, file: external-openstack-cloud-controller-manager-role.yml}
+ - {name: external-openstack-cloud-controller-manager-role-binding, file: external-openstack-cloud-controller-manager-role-binding.yml}
 - {name: external-openstack-cloud-controller-manager-ds, file: external-openstack-cloud-controller-manager-ds.yml}
 register: external_openstack_manifests
 when: inventory_hostname == groups['kube_control_plane'][0]
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-binding.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-binding.yml.j2
new file mode 100644
index 00000000000..2a74474363e
--- /dev/null
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-binding.yml.j2
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:cloud-controller-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:cloud-controller-manager
+subjects:
+- kind: ServiceAccount
+ name: cloud-controller-manager
+ namespace: kube-system
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-bindings.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-bindings.yml.j2
deleted file mode 100644
index 136486ffe0c..00000000000
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-bindings.yml.j2
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: v1
-items:
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: system:cloud-node-controller
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:cloud-node-controller
- subjects:
- - kind: ServiceAccount
- name: cloud-node-controller
- namespace: kube-system
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: system:pvl-controller
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:pvl-controller
- subjects:
- - kind: ServiceAccount
- name: pvl-controller
- namespace: kube-system
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: system:cloud-controller-manager
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:cloud-controller-manager
- subjects:
- - kind: ServiceAccount
- name: cloud-controller-manager
- namespace: kube-system
-kind: List
-metadata: {}
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role.yml.j2
new file mode 100644
index 00000000000..4ffaad7105c
--- /dev/null
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role.yml.j2
@@ -0,0 +1,93 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:cloud-controller-manager
+rules:
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - create
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - list
+ - get
+ - watch
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-roles.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-roles.yml.j2
deleted file mode 100644
index f89cd4b6710..00000000000
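Review bot: The new `serviceaccounts/token` `create` rule in external-openstack-cloud-controller-manager-role.yml.j2 widens what the `cloud-controller-manager` service account can do, and because it sits in a ClusterRole it applies to service accounts in every namespace, with nothing in the template saying why it is needed. It sits next to cluster-wide `get`/`list`/`watch` on `secrets` and `'*'` on `nodes` and `persistentvolumes`, so this single identity ends up with far more than the cloud integration appears to require. If the rule mirrors what the v1.22.0 image expects, record that above it, e.g. `# needed by cloud-controller-manager v1.22.x; keep in sync with the upstream ClusterRole`, and consider spelling out the node and persistentvolume verbs instead of `'*'`. The same `'*'` on `nodes` is carried into the roles.yml.j2 re-added by patch 2/2.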
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-roles.yml.j2
+++ /dev/null
@@ -1,142 +0,0 @@
-apiVersion: v1
-items:
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: system:cloud-controller-manager
- rules:
- - apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - create
- - update
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - update
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - '*'
- - apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - list
- - patch
- - update
- - watch
- - apiGroups:
- - ""
- resources:
- - serviceaccounts
- verbs:
- - create
- - get
- - apiGroups:
- - ""
- resources:
- - persistentvolumes
- verbs:
- - '*'
- - apiGroups:
- - ""
- resources:
- - endpoints
- verbs:
- - create
- - get
- - list
- - watch
- - update
- - apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - list
- - get
- - watch
- - apiGroups:
- - authentication.k8s.io
- resources:
- - tokenreviews
- verbs:
- - create
- - apiGroups:
- - authorization.k8s.io
- resources:
- - subjectaccessreviews
- verbs:
- - create
-
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: system:cloud-node-controller
- rules:
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - '*'
- - apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - update
-- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRole
- metadata:
- name: system:pvl-controller
- rules:
- - apiGroups:
- - ""
- resources:
- - persistentvolumes
- verbs:
- - '*'
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - update
-kind: List
-metadata: {}
From 5b7dca87fb34b96133e0e6eddb1f5a97ac80c458 Mon Sep 17 00:00:00 2001
From: Fredrik Liv
Date: Thu, 17 Mar 2022 14:00:20 +0100
Subject: [PATCH 2/2] Rolled back file structure change
---
 .../openstack/tasks/main.yml | 4 +-
 ...oud-controller-manager-role-binding.yml.j2 | 12 ---
 ...ud-controller-manager-role-bindings.yml.j2 | 16 ++++
 ...stack-cloud-controller-manager-role.yml.j2 | 93 -------------------
 ...tack-cloud-controller-manager-roles.yml.j2 | 54 +++++++++++
 5 files changed, 72 insertions(+), 107 deletions(-)
 delete mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-binding.yml.j2
 create mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-bindings.yml.j2
 delete mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role.yml.j2
 create mode 100644 roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-roles.yml.j2
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
index 452520cea50..ac3810c7c74 100644
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/tasks/main.yml
@@ -26,8 +26,8 @@
 mode: 0640
 with_items:
 - {name: external-openstack-cloud-config-secret, file: external-openstack-cloud-config-secret.yml}
- - {name: external-openstack-cloud-controller-manager-role, file: external-openstack-cloud-controller-manager-role.yml}
- - {name: external-openstack-cloud-controller-manager-role-binding, file: external-openstack-cloud-controller-manager-role-binding.yml}
+ - {name: external-openstack-cloud-controller-manager-roles, file: external-openstack-cloud-controller-manager-roles.yml}
+ - {name: external-openstack-cloud-controller-manager-role-bindings, file: external-openstack-cloud-controller-manager-role-bindings.yml}
 - {name: external-openstack-cloud-controller-manager-ds, file: external-openstack-cloud-controller-manager-ds.yml}
 register: external_openstack_manifests
 when: inventory_hostname == groups['kube_control_plane'][0]
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-binding.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-binding.yml.j2
deleted file mode 100644
index 2a74474363e..00000000000
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-binding.yml.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: system:cloud-controller-manager
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: system:cloud-controller-manager
-subjects:
-- kind: ServiceAccount
- name: cloud-controller-manager
- namespace: kube-system
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-bindings.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-bindings.yml.j2
new file mode 100644
index 00000000000..bbdf3364a14
--- /dev/null
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role-bindings.yml.j2
@@ -0,0 +1,16 @@
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: system:cloud-controller-manager
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:cloud-controller-manager
+ subjects:
+ - kind: ServiceAccount
+ name: cloud-controller-manager
+ namespace: kube-system
+kind: List
+metadata: {}
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role.yml.j2
deleted file mode 100644
index 4ffaad7105c..00000000000
--- a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-role.yml.j2
+++ /dev/null
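Review bot: Clusters deployed from the earlier templates keep their `system:cloud-node-controller` and `system:pvl-controller` ClusterRoleBindings, because the re-added external-openstack-cloud-controller-manager-role-bindings.yml.j2 renders only the `system:cloud-controller-manager` binding and nothing visible in this series deletes the other two or their ClusterRoles. Unless the apply step prunes objects that are no longer rendered, those bindings stay active after the upgrade and keep granting `'*'` on `nodes` and `persistentvolumes` to the `cloud-node-controller` and `pvl-controller` service accounts. I would add a cleanup task for the two old ClusterRoles and ClusterRoleBindings in tasks/main.yml, or call out the manual removal in the upgrade notes.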
@@ -1,93 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: system:cloud-controller-manager
-rules:
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - get
- - create
- - update
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - update
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - '*'
-- apiGroups:
- - ""
- resources:
- - nodes/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - services
- verbs:
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - services/status
- verbs:
- - patch
-- apiGroups:
- - ""
- resources:
- - serviceaccounts/token
- verbs:
- - create
-- apiGroups:
- - ""
- resources:
- - serviceaccounts
- verbs:
- - create
- - get
-- apiGroups:
- - ""
- resources:
- - persistentvolumes
- verbs:
- - '*'
-- apiGroups:
- - ""
- resources:
- - endpoints
- verbs:
- - create
- - get
- - list
- - watch
- - update
-- apiGroups:
- - ""
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - list
- - get
- - watch
diff --git a/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-roles.yml.j2 b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-roles.yml.j2
new file mode 100644
index 00000000000..72f8da54545
--- /dev/null
+++ b/roles/kubernetes-apps/external_cloud_controller/openstack/templates/external-openstack-cloud-controller-manager-roles.yml.j2
@@ -0,0 +1,54 @@
+apiVersion: v1
+items:
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ name: system:cloud-controller-manager
+ rules:
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - create
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - services/status
+ verbs:
+ - patch
+ - apiGroups:
+ - ""
+kind: List
+metadata: {}
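Review bot: The last rule of the `system:cloud-controller-manager` ClusterRole in the re-added external-openstack-cloud-controller-manager-roles.yml.j2 is cut off: after `- apiGroups:` / `- ""` the file goes straight to `kind: List`, with no `resources` and no `verbs`. RBAC validation is expected to reject a rule without verbs, so applying this manifest would likely fail and leave the controller without its role. Compared with the role added in patch 1/2, the rules for `serviceaccounts/token`, `serviceaccounts`, `persistentvolumes`, `endpoints`, `configmaps` and `secrets` are also gone, which reads as an accidental truncation, since the commit message only mentions the file structure. Either restore those rules under the `rules:` list of the first item, or delete the dangling two lines and state in the commit message which permissions were dropped on purpose.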