
add break-glass playbook and role

Grega Bremec před 1 měsícem
rodič
revize
658f802cfd

+ 30 - 0
playbooks/break-glass.yml

@@ -0,0 +1,30 @@
+---
+# Adds an emergency admin role to project requester and annotates & labels it as tainted.
+#
+# Pass variables to this playbook on the command line (-e):
+#
+#   project:      the name of the project (role.name)
+#
+- name: Ensure an ICHP-lookalike project is given admin rights.
+  hosts: workstation.lab.example.com
+  gather_subset: min
+  become: no
+  tasks:
+    - name: Ensure that the parameters are specified.
+      ansible.builtin.assert:
+        that:
+          - project is defined
+        success_msg: "OK, got all parameters, continuing."
+        fail_msg: "FATAL: You must specify the name of the project to delete using the \"project\" variable."
+
+    # Get auth info, and test comms.
+    - include_role:
+        name: check-env
+
+    - include_role:
+        name: break-glass
+      vars:
+        role:
+          name: "{{ project }}"
+...
+
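Review bot: The fail_msg on the parameter assert says the variable names "the project to delete", but this playbook grants admin rights, so an operator who forgets `-e project=…` is told about the wrong operation; change it to `fail_msg: "FATAL: You must specify the name of the project to grant break-glass access to using the \"project\" variable."`. `become: no` is the YAML 1.1 truthy spelling; write `become: false`. The play passes only `role.name` into the role, so nothing records why emergency access was requested; consider requiring a `reason` variable in the same assert so the role can write it into the taint annotation for later review.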

+ 88 - 0
playbooks/roles/break-glass/tasks/main.yml

@@ -0,0 +1,88 @@
+---
+# Adds ichp-project-admin role to project requester and taints the project.
+#
+- name: Check if the project exists.
+  kubernetes.core.k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: v1
+    kind: namespace
+    name: "{{ role.name }}"
+  register: project_state
+
+- name: Some basic assertions.
+  ansible.builtin.assert:
+    that:
+      - project_state.resources is defined
+      - project_state.resources | length == 1
+    success_msg: "OK, project found."
+    fail_msg: "FATAL: project \"{{ role.name }}\" not found."
+
+- name: Verify that this is an ICHP project.
+  ansible.builtin.assert:
+    that:
+      - project_state.resources[0].metadata.labels.keys() is contains('ichp.ing.net/generated')
+    success_msg: "OK, project is an ICHP project."
+    fail_msg: "FATAL: project is NOT an ICHP project."
+
+- name: Check if we can see who the requester is.
+  ansible.builtin.assert:
+    that:
+      - project_state.resources[0].metadata.annotations['openshift.io/requester'] is defined
+    success_msg: "OK, found project requester."
+    fail_msg: "FATAL: can not find out who requested the project."
+
+- name: Remember the requester as a fact.
+  ansible.builtin.set_fact:
+    requester: "{{ project_state.resources[0].metadata.annotations['openshift.io/requester'] }}"
+
+- name: Verify that this is an actual user.
+  kubernetes.core.k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: user.openshift.io/v1
+    kind: user
+    name: "{{ requester }}"
+  register: requester_user
+
+- name: Assertions about the user.
+  ansible.builtin.assert:
+    that:
+      - requester_user.resources is defined
+      - requester_user.resources | length == 1
+    success_msg: "OK, \"{{ requester }}\" is an existing user."
+    fail_msg: "FATAL: \"{{ requester }}\" user does not exist."
+
+- name: Annotate and label the project as tainted.
+  kubernetes.core.k8s_info:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: v1
+    kind: namespace
+    name: "{{ role.name }}"
+    state: patched
+    resource_definition:
+      metadata:
+        annotations:
+          ichp.ing.net/tainted: "true"
+        labels:
+          ichp.ing.net/tainted: "true"
+
+- name: Create an admin rolebinding.
+  kubernetes.core.k8s:
+    kubeconfig: tmp/kubeconfig-ocp4
+    validate_certs: no
+    api_version: rbac.authorization.k8s.io/v1
+    kind: rolebinding
+    name: ichp-break-glass-rb
+    namespace: "{{ role.name }}"
+    resource_definition:
+      roleRef:
+        apiGroup: rbac.authorization.k8s.io
+        kind: ClusterRole
+        name: ichp-project-admin
+      subjects:
+        apiGroup: rbac.authorization.k8s.io
+        kind: User
+        name: "{{ requester }}"
+...
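Review bot: The task "Annotate and label the project as tainted" calls `kubernetes.core.k8s_info` with `state: patched` and a `resource_definition`; k8s_info is the read-only lookup module used earlier in this file and does not take those parameters, so the taint is never written and the role will most likely stop on that task — change the module line to `kubernetes.core.k8s:` as the rolebinding task already does. In the rolebinding task `subjects:` is written as a single mapping, but the RBAC API expects a list, so the entry has to start with `- apiGroup: rbac.authorization.k8s.io` with `kind` and `name` indented under it. Every API call sets `validate_certs: no`, which turns off TLS verification for the kubeconfig credentials that can grant namespace admin; if this is not strictly a lab setup, pin the cluster CA with `ca_cert` instead, and spell the boolean `false` either way. The taint annotation carries only `"true"`; also recording who triggered break-glass and when (for example constructed keys such as `ichp.ing.net/tainted-by` and `ichp.ing.net/tainted-at`) would give reviewers an audit trail of each emergency grant.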