allow webconsole to discover cluster information

openshift · Jan 11, 2018 · 98b9fa6 · 98b9fa6
1 parent 40c7741
commit 98b9fa6
Show file tree

Hide file tree

Showing 5 changed files with 160 additions and 0 deletions.
diff --git a/install/origin-web-console/rbac-template.yaml b/install/origin-web-console/rbac-template.yaml
@@ -0,0 +1,38 @@
+apiVersion: template.openshift.io/v1
+kind: Template
+metadata:
+  name: web-console-server-rbac
+parameters:
+- name: NAMESPACE
+  # This namespace cannot be changed. Only `openshift-web-console` is supported.
+  value: openshift-web-console
+objects:
+
+
+# allow grant powers to the webconsole server for cluster inspection
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRole
+  metadata:
+    name: system:openshift:web-console-server
+  rules:
+  - apiGroups:
+    - "servicecatalog.k8s.io"
+    resources:
+    - clusterservicebrokers
+    verbs:
+    - get
+    - list
+    - watch
+
+# Grant the service account for the web console
+- apiVersion: rbac.authorization.k8s.io/v1beta1
+  kind: ClusterRoleBinding
+  metadata:
+    name: system:openshift:web-console-server
+  roleRef:
+    kind: ClusterRole
+    name: system:openshift:web-console-server
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${NAMESPACE}
+    name: webconsole
diff --git a/pkg/oc/bootstrap/bindata.go b/pkg/oc/bootstrap/bindata.go
diff --git a/pkg/oc/bootstrap/docker/openshift/webconsole.go b/pkg/oc/bootstrap/docker/openshift/webconsole.go
@@ -21,6 +21,7 @@ import (
 
 const (
 	consoleNamespace             = "openshift-web-console"
+	consoleRBACTemplateName      = "web-console-server-rbac"
 	consoleAPIServerTemplateName = "openshift-web-console"
 	consoleAssetConfigFile       = "install/origin-web-console/console-config.yaml"
 )
@@ -41,6 +42,10 @@ func (h *Helper) InstallWebConsole(f *clientcmd.Factory, imageFormat string, ser
 		return errors.NewError("cannot create web console project").WithCause(err)
 	}
 
+	if err = instantiateTemplate(templateClient.Template(), f, OpenshiftInfraNamespace, consoleRBACTemplateName, consoleNamespace, map[string]string{}, true); err != nil {
+		return errors.NewError("cannot instantiate template service broker permissions").WithCause(err)
+	}
+
 	// read in the asset config YAML file like the installer
 	assetConfigYaml, err := bootstrap.Asset(consoleAssetConfigFile)
 	if err != nil {

diff --git a/pkg/oc/bootstrap/docker/up.go b/pkg/oc/bootstrap/docker/up.go
@@ -127,6 +127,7 @@ var (
 	// the cluster version.
 	internalCurrentTemplateLocations = map[string]string{
 		"web console server template":       "install/origin-web-console/console-template.yaml",
+		"web console server rbac":           "install/origin-web-console/rbac-template.yaml",
 		"template service broker apiserver": "install/templateservicebroker/apiserver-template.yaml",
 	}
 	// internalPreviousTemplateLocations are templates that will be registered in an internal namespace.

diff --git a/test/extended/testdata/bindata.go b/test/extended/testdata/bindata.go