From 6c9133b38d6cf1efab71a55f896988315b36a246 Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Wed, 28 Jun 2017 18:15:18 -0400 Subject: [PATCH 1/4] Add MY_POD_NAMESPACE environment variable This utilizes the OpenShift "Downward API" ref: https://docs.openshift.org/latest/dev_guide/downward_api.html#dapi-values-using-environment-variables --- templates/miq-template-ext-db.yaml | 5 +++++ templates/miq-template.yaml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml index f959383b..6118d228 100644 --- a/templates/miq-template-ext-db.yaml +++ b/templates/miq-template-ext-db.yaml @@ -130,6 +130,11 @@ objects: name: "${NAME}-server" mountPath: "/persistent" env: + - + name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace - name: "APPLICATION_INIT_DELAY" value: "${APPLICATION_INIT_DELAY}" diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml index 41efa850..477a8683 100644 --- a/templates/miq-template.yaml +++ b/templates/miq-template.yaml @@ -148,6 +148,11 @@ objects: name: "${NAME}-server" mountPath: "/persistent" env: + - + name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace - name: "APPLICATION_INIT_DELAY" value: "${APPLICATION_INIT_DELAY}" From 5a8e8a0ff1079a0486840df74b8a105e68c7ec63 Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Fri, 30 Jun 2017 16:11:43 -0400 Subject: [PATCH 2/4] Add a new service account for the orchestrator This account will be given the view and edit role for the namespace to allow it to scale the ansible pod when the role is enabled or disabled. --- templates/miq-template-ext-db.yaml | 8 ++++++-- templates/miq-template.yaml | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml index 6118d228..de37c890 100644 --- a/templates/miq-template-ext-db.yaml +++ b/templates/miq-template-ext-db.yaml 
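Review bot: The new env entry is written as a bare `-` on its own line with `name:` on the following line, while every neighbouring entry in the same list (e.g. `- name: "APPLICATION_INIT_DELAY"`) puts the first key on the dash line; writing it as `- name: MY_POD_NAMESPACE` with `valueFrom:` nested two spaces beneath keeps the list uniform and is what yamllint's default sequence indentation expects. The same shape appears in the templates/miq-template.yaml hunk of this patch. Nothing in the template says who reads the value, so a short comment above the entry would help the next maintainer, e.g. `# injected via the Downward API so the server knows its own project (namespace)`; the consumer is only implied by later patches in this series, so confirm the wording. The env list continues outside the hunk.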
@@ -9,6 +9,10 @@ metadata: tags: "instant-app,manageiq,miq" iconClass: "icon-rails" objects: +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-orchestrator - apiVersion: v1 kind: ServiceAccount metadata: @@ -182,8 +186,8 @@ objects: exec: command: - /opt/manageiq/container-scripts/sync-pv-data - serviceAccount: miq-anyuid - serviceAccountName: miq-anyuid + serviceAccount: miq-orchestrator + serviceAccountName: miq-orchestrator terminationGracePeriodSeconds: 90 volumeClaimTemplates: - metadata: diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml index 477a8683..4b14f865 100644 --- a/templates/miq-template.yaml +++ b/templates/miq-template.yaml @@ -9,6 +9,10 @@ metadata: tags: "instant-app,manageiq,miq" iconClass: "icon-rails" objects: +- apiVersion: v1 + kind: ServiceAccount + metadata: + name: miq-orchestrator - apiVersion: v1 kind: ServiceAccount metadata: @@ -200,8 +204,8 @@ objects: exec: command: - /opt/manageiq/container-scripts/sync-pv-data - serviceAccount: miq-anyuid - serviceAccountName: miq-anyuid + serviceAccount: miq-orchestrator + serviceAccountName: miq-orchestrator terminationGracePeriodSeconds: 90 volumeClaimTemplates: - metadata: From adb256634781519a16659e0e9bbf60fc9eb05ccd Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Fri, 30 Jun 2017 16:12:54 -0400 Subject: [PATCH 3/4] Start the ansible pods at 0 replicas We will scale the pod up to 1 when the role is activated --- templates/miq-template-ext-db.yaml | 2 +- templates/miq-template.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/miq-template-ext-db.yaml b/templates/miq-template-ext-db.yaml index de37c890..757a63b3 100644 --- a/templates/miq-template-ext-db.yaml +++ b/templates/miq-template-ext-db.yaml @@ -335,7 +335,7 @@ objects: strategy: type: "Recreate" serviceName: "${ANSIBLE_SERVICE_NAME}" - replicas: 1 + replicas: 0 template: metadata: labels: 
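Review bot: Switching the server pod to `serviceAccount: miq-orchestrator` (second hunk of each file) mounts that account's token into the application container, and the commit message says the account will be bound to the namespace `edit` role; in the default cluster roles `edit` covers secrets and almost every namespaced resource, far more than the scale operation on one StatefulSet that motivates the change. A narrower grant can ship with the template itself as a Role limited to StatefulSets plus a RoleBinding to miq-orchestrator, which also removes the manual add-role-to-user step the README asks for and keeps the token's reach reviewable in one place. The exact `apiVersion` for Role/RoleBinding depends on the OpenShift release these templates target, so confirm it before adopting the sketch below. The same change appears in templates/miq-template.yaml. Both `serviceAccount` and `serviceAccountName` are set on the pod spec; `serviceAccountName` is the supported field, so the first line is presumably redundant unless an older API server still needs it.
```yaml
# … unchanged: miq-orchestrator ServiceAccount and the rest of the objects list …
- apiVersion: rbac.authorization.k8s.io/v1beta1  # confirm against the targeted OpenShift release
  kind: Role
  metadata:
    name: miq-orchestrator
  rules:
  - apiGroups:
    - apps
    resources:
    - statefulsets
    verbs:
    - get
    - list
    - watch
    - patch
    - update
- apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: RoleBinding
  metadata:
    name: miq-orchestrator
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: miq-orchestrator
  subjects:
  - kind: ServiceAccount
    name: miq-orchestrator
```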
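Review bot: `replicas: 0` in the ansible StatefulSet hunk of templates/miq-template-ext-db.yaml is set with no explanation, so a maintainer reading the template will not know the object is intentionally dormant rather than misconfigured; the commit message gives the reason, and it belongs next to the value as `replicas: 0  # intentionally dormant; the server scales this to 1 when the Embedded Ansible role is enabled`. The same line changes in templates/miq-template.yaml in this patch. The StatefulSet definition starts and ends outside the hunk.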
diff --git a/templates/miq-template.yaml b/templates/miq-template.yaml index 4b14f865..620f8571 100644 --- a/templates/miq-template.yaml +++ b/templates/miq-template.yaml @@ -426,7 +426,7 @@ objects: strategy: type: "Recreate" serviceName: "${ANSIBLE_SERVICE_NAME}" - replicas: 1 + replicas: 0 template: metadata: labels: From cd296ddc0c1657260da5faa392012c6af2a229af Mon Sep 17 00:00:00 2001 From: Nick Carboni Date: Fri, 30 Jun 2017 16:13:31 -0400 Subject: [PATCH 4/4] Edit the README to add the correct roles and scc to the new user We use a new user (service account) so that only pods which need API access to the project can get it. For now this will be just the manageiq app pod which will use the API (and the service account token) to scale up or down the ansible pod. --- README.md | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 8973a345..047ef5cd 100644 --- a/README.md +++ b/README.md 
@@ -52,22 +52,23 @@ $ oc new-project \ _At a minimum, only `` is required._ -### Add the miq-anyuid service account to the anyuid security context +### Add the miq-anyuid and miq-orchestrator service accounts to the anyuid security context _**Note:**_ The current MIQ image requires the root user. -The miq-anyuid service account for your namespace (project) must be added to the anyuid SCC before pods using the service account can run as root. +These service accounts for your namespace (project) must be added to the anyuid SCC before pods using the service accounts can run as root. _**As admin**_ ```bash $ oc adm policy add-scc-to-user anyuid system:serviceaccount::miq-anyuid +$ oc adm policy add-scc-to-user anyuid system:serviceaccount::miq-orchestrator ``` -Verify that the miq-anyuid service account is now included in the anyuid scc +Verify that the service accounts are now included in the anyuid scc ``` $ oc describe scc anyuid | grep Users -Users: system:serviceaccount::miq-anyuid +Users: system:serviceaccount::miq-anyuid,system:serviceaccount::miq-orchestrator ``` ### Add the miq-privileged service account to the privileged security context @@ -88,6 +89,18 @@ $ oc describe scc privileged | grep Users Users: system:serviceaccount::miq-privileged ``` +### Add the view and edit roles to the orchestrator service account + +This will allow the ManageIQ pod to scale other pods up and down. +In particular we use this to scale the Ansible pod when the Embedded Ansible role is enabled. + +_**As basic user**_ + +```bash +oc policy add-role-to-user view system:serviceaccount::miq-orchestrator -n +oc policy add-role-to-user edit system:serviceaccount::miq-orchestrator -n +``` + ### Make persistent volumes to host the MIQ database and application data A basic (single server/replica) deployment needs at least 2 persistent volumes (PVs) to store MIQ data: