X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=ansible%2Froles%2Fkubeconfig%2Ftasks%2Fmain.yml;fp=ansible%2Froles%2Fkubeconfig%2Ftasks%2Fmain.yml;h=f23d59fa57a9b04fb0b85fd6bf3749af1c5f71e8;hb=8321feb501701dcb4023e3c052cb6a982d5db3fa;hp=0000000000000000000000000000000000000000;hpb=5c0c2acd0caea77595026e996555547312518395;p=ta%2Fcaas-kubernetes.git
diff --git a/ansible/roles/kubeconfig/tasks/main.yml b/ansible/roles/kubeconfig/tasks/main.yml
new file mode 100644
index 0000000..f23d59f
--- /dev/null
+++ b/ansible/roles/kubeconfig/tasks/main.yml
@@ -0,0 +1,68 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: create directory
+ file:
+ name: "{{ config.path | dirname }}"
+ state: directory
+ mode: 0755
+ owner: "{{ config.owner | default('root') }}"
+ group: "{{ config.group | default('root') }}"
+
+- name: create kubeconfig
+ command: "/usr/bin/kubectl config {{ cmd }} --kubeconfig={{ config.path }}"
+ with_items:
+ - "set-cluster kubernetes --certificate-authority=/etc/openssl/ca.pem --embed-certs=true --server=https://{{ config.apiserver }}:{{ config.apiserver_port }}"
+ - "set-context default --cluster=kubernetes --user={{ config.user }}"
+ - "use-context default"
+ loop_control:
+ loop_var: cmd
+
+- name: set user auth with token
+ command: "/usr/bin/kubectl config set-credentials {{ config.user }} --token={{ config.token }} --kubeconfig={{ config.path }}"
+ when: config.token is defined and config.token
+
+- name: set user auth with certs
+ command: "/usr/bin/kubectl config set-credentials {{ config.user }} --client-certificate={{ config.cert }} --client-key={{ config.key }} --embed-certs=true --kubeconfig={{ config.path }}"
+ when: not (config.token is defined and config.token)
+
+- name: changing permissions of kubeconfig
+ file:
+ path: "{{ config.path }}"
+ mode: "{{ config.restricted | default(true) | ternary('0640', '0644') }}"
+ owner: "{{ config.owner | default('root') }}"
+ group: "{{ config.group | default('root') }}"
+
+- name: allowing users to access kubeconfig
+ acl:
+ name: "{{ config.path }}"
+ entity: "{{ user }}"
+ etype: user
+ permissions: "r"
+ state: present
+ with_items: "{{ config.add_users | default([]) }}"
+ loop_control:
+ loop_var: user
+
+- name: adding read permission to kubeconfig dir
+ acl:
+ name: "{{ config.path | dirname }}"
+ entity: "{{ user }}"
+ etype: user
+ permissions: "rx"
+ state: present
+ with_items: "{{ config.add_users | default([]) }}"
+ loop_control:
+ loop_var: user
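Review bot: The `set user auth with token` task puts `config.token` on the kubectl command line without `no_log`, so the bearer token appears in the task result on the controller and, unless `no_log` is set, in the module-invocation record the command module writes to the target's syslog; add `no_log: true` to that task. The directory task writes `mode: 0755` as an unquoted octal literal while the kubeconfig task quotes its modes inside the ternary; `mode: "0755"` keeps the two consistent and avoids relying on YAML 1.1 leading-zero octal parsing. Because `--embed-certs=true` places the client key inside the kubeconfig, a call site that sets `config.restricted` to false produces a world-readable file holding that key; a comment on the ternary line stating that this is intentional (or dropping the 0644 branch) would make the trade-off explicit.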