openshift-metal3 · dtantsur · Aug 20, 2025 · Aug 20, 2025
diff --git a/install-bmaas.yml b/install-bmaas.yml
@@ -0,0 +1,5 @@
+---
+- name: Setup Bare-Metal as a Service (BMaaS)
+  hosts: localhost
+  roles:
+    - bmaas
diff --git a/prepare-bmaas.sh b/prepare-bmaas.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+echo "Setting up bare-metal as a service (BMaaS) configuration..."
+
+ansible-playbook -i localhost, -c local "${SCRIPT_DIR}/install-bmaas.yml"
+
+echo "BMaaS setup completed successfully."
diff --git a/roles/bmaas/defaults/main.yml b/roles/bmaas/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+bmaas_service_account_name: bmaas-images
+bmaas_namespace: openshift-machine-api
diff --git a/roles/bmaas/meta/main.yml b/roles/bmaas/meta/main.yml
@@ -0,0 +1,23 @@
+---
+galaxy_info:
+  author: dev-scripts
+  description: Configure bare-metal as a service with ORAS CLI and OpenShift registry access
+  license: Apache-2.0
+  min_ansible_version: "2.9"
+  platforms:
+    - name: EL
+      versions:
+        - 8
+        - 9
+    - name: Ubuntu
+      versions:
+        - focal
+        - jammy
+    - name: Fedora
+      versions:
+        - 36
+        - 37
+        - 38
+
+dependencies:
+  - oras
diff --git a/roles/bmaas/tasks/main.yml b/roles/bmaas/tasks/main.yml
@@ -0,0 +1,59 @@
+---
+- name: Include oras role
+  include_role:
+    name: oras
+
+- name: Create bmaas-images service account
+  kubernetes.core.k8s:
+    name: "{{ bmaas_service_account_name }}"
+    api_version: v1
+    kind: ServiceAccount
+    namespace: "{{ bmaas_namespace }}"
+    state: present
+
+- name: Create ClusterRoleBinding for registry-viewer
+  kubernetes.core.k8s:
+    name: "{{ bmaas_service_account_name }}-registry-viewer"
+    api_version: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    state: present
+    definition:
+      subjects:
+        - kind: ServiceAccount
+          name: "{{ bmaas_service_account_name }}"
+          namespace: "{{ bmaas_namespace }}"
+      roleRef:
+        kind: ClusterRole
+        name: registry-viewer
+        apiGroup: rbac.authorization.k8s.io
+
+- name: Create ClusterRoleBinding for registry-editor
+  kubernetes.core.k8s:
+    name: "{{ bmaas_service_account_name }}-registry-editor"
+    api_version: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    state: present
+    definition:
+      subjects:
+        - kind: ServiceAccount
+          name: "{{ bmaas_service_account_name }}"
+          namespace: "{{ bmaas_namespace }}"
+      roleRef:
+        kind: ClusterRole
+        name: registry-editor
+        apiGroup: rbac.authorization.k8s.io
+
+- name: Enable default route for OpenShift image registry
+  kubernetes.core.k8s:
+    name: cluster
+    api_version: imageregistry.operator.openshift.io/v1
+    kind: Config
+    state: present
+    merge_type: merge
+    definition:
+      spec:
+        defaultRoute: true
+
+- name: Display service account information
+  debug:
+    msg: "BMaaS service account '{{ bmaas_service_account_name }}' created with registry-viewer and registry-editor roles in namespace '{{ bmaas_namespace }}'"
diff --git a/roles/oras/defaults/main.yml b/roles/oras/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+oras_version: "1.2.2"
+oras_install_dir: "/usr/local/bin"
+oras_download_dir: "/tmp"
+oras_architecture: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
diff --git a/roles/oras/meta/main.yml b/roles/oras/meta/main.yml
@@ -0,0 +1,22 @@
+---
+galaxy_info:
+  author: dev-scripts
+  description: Install ORAS CLI
+  license: Apache-2.0
+  min_ansible_version: "2.9"
+  platforms:
+    - name: EL
+      versions:
+        - 8
+        - 9
+    - name: Ubuntu
+      versions:
+        - focal
+        - jammy
+    - name: Fedora
+      versions:
+        - 36
+        - 37
+        - 38
+
+dependencies: []
diff --git a/roles/oras/tasks/main.yml b/roles/oras/tasks/main.yml
@@ -0,0 +1,43 @@
+---
+- name: Create temporary download directory
+  ansible.builtin.file:
+    path: "{{ oras_download_dir }}/oras-install"
+    state: directory
+    mode: '0755'
+
+- name: Download ORAS CLI
+  ansible.builtin.get_url:
+    url: "https://github.com/oras-project/oras/releases/download/v{{ oras_version }}/oras_{{ oras_version }}_linux_{{ oras_architecture }}.tar.gz"
+    dest: "{{ oras_download_dir }}/oras_{{ oras_version }}_linux_{{ oras_architecture }}.tar.gz"
+    mode: '0644'
+
+- name: Extract ORAS CLI
+  ansible.builtin.unarchive:
+    src: "{{ oras_download_dir }}/oras_{{ oras_version }}_linux_{{ oras_architecture }}.tar.gz"
+    dest: "{{ oras_download_dir }}/oras-install"
+    remote_src: yes
+
+- name: Install ORAS CLI binary
+  ansible.builtin.copy:
+    src: "{{ oras_download_dir }}/oras-install/oras"
+    dest: "{{ oras_install_dir }}/oras"
+    mode: '0755'
+    remote_src: yes
+  become: yes
+
+- name: Clean up download files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "{{ oras_download_dir }}/oras_{{ oras_version }}_linux_{{ oras_architecture }}.tar.gz"
+    - "{{ oras_download_dir }}/oras-install"
+
+- name: Verify ORAS CLI installation
+  ansible.builtin.command: "{{ oras_install_dir }}/oras version"
+  register: oras_version_output
+  changed_when: false
+
+- name: Display ORAS CLI version
+  ansible.builtin.debug:
+    msg: "ORAS CLI installed successfully: {{ oras_version_output.stdout }}"