Configure the OCI registry for BMaaS

dtantsur · dtantsur · commit a10f0e5e57a0 · 2025-08-25T16:13:57.000+02:00
Generated-By: Claude Code
Signed-off-by: Dmitry Tantsur &lt;dtantsur@protonmail.com&gt;
diff --git a/install-bmaas.yml b/install-bmaas.yml
@@ -0,0 +1,5 @@
+---
+- name: Setup Bare-Metal as a Service (BMaaS)
+  hosts: localhost
+  roles:
+    - bmaas
diff --git a/install-oras.yml b/install-oras.yml
diff --git a/prepare-bmaas.sh b/prepare-bmaas.sh
@@ -4,8 +4,8 @@ set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
-echo "Installing ORAS CLI for bare-metal as a service preparation..."
+echo "Setting up bare-metal as a service (BMaaS) configuration..."
 
-ansible-playbook -i localhost, -c local "${SCRIPT_DIR}/install-oras.yml"
+ansible-playbook -i localhost, -c local "${SCRIPT_DIR}/install-bmaas.yml"
 
-echo "ORAS CLI installation completed."
+echo "BMaaS setup completed successfully."
diff --git a/roles/bmaas/defaults/main.yml b/roles/bmaas/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+bmaas_service_account_name: bmaas-images
+bmaas_namespace: openshift-machine-api
diff --git a/roles/bmaas/meta/main.yml b/roles/bmaas/meta/main.yml
@@ -0,0 +1,23 @@
+---
+galaxy_info:
+  author: dev-scripts
+  description: Configure bare-metal as a service with ORAS CLI and OpenShift registry access
+  license: Apache-2.0
+  min_ansible_version: "2.9"
+  platforms:
+    - name: EL
+      versions:
+        - 8
+        - 9
+    - name: Ubuntu
+      versions:
+        - focal
+        - jammy
+    - name: Fedora
+      versions:
+        - 36
+        - 37
+        - 38
+
+dependencies:
+  - oras
diff --git a/roles/bmaas/tasks/main.yml b/roles/bmaas/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- name: Include oras role
+  include_role:
+    name: oras
+
+- name: Create bmaas-images service account
+  kubernetes.core.k8s:
+    name: "{{ bmaas_service_account_name }}"
+    api_version: v1
+    kind: ServiceAccount
+    namespace: "{{ bmaas_namespace }}"
+    state: present
+
+- name: Create ClusterRoleBinding for registry-viewer
+  kubernetes.core.k8s:
+    name: "{{ bmaas_service_account_name }}-registry-viewer"
+    api_version: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    state: present
+    definition:
+      subjects:
+        - kind: ServiceAccount
+          name: "{{ bmaas_service_account_name }}"
+          namespace: "{{ bmaas_namespace }}"
+      roleRef:
+        kind: ClusterRole
+        name: registry-viewer
+        apiGroup: rbac.authorization.k8s.io
+
+- name: Create ClusterRoleBinding for registry-editor
+  kubernetes.core.k8s:
+    name: "{{ bmaas_service_account_name }}-registry-editor"
+    api_version: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    state: present
+    definition:
+      subjects:
+        - kind: ServiceAccount
+          name: "{{ bmaas_service_account_name }}"
+          namespace: "{{ bmaas_namespace }}"
+      roleRef:
+        kind: ClusterRole
+        name: registry-editor
+        apiGroup: rbac.authorization.k8s.io
+
+- name: Enable default route for OpenShift image registry
+  kubernetes.core.k8s:
+    name: cluster
+    api_version: imageregistry.operator.openshift.io/v1
+    kind: Config
+    state: present
+    merge_type: merge
+    definition:
+      spec:
+        defaultRoute: true
+
+- name: Display service account information
+  debug:
+    msg: "BMaaS service account '{{ bmaas_service_account_name }}' created with registry-viewer and registry-editor roles in namespace '{{ bmaas_namespace }}'"

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +- name: Setup Bare-Metal as a Service (BMaaS)
 +  hosts: localhost
 +  roles:
 +    - bmaas
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+bmaas_service_account_name: bmaas-images`
	`3`	`+bmaas_namespace: openshift-machine-api`