openshift vsphere permissions with govc
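#!/bin/bash
#######################################################################
# Create the vCenter roles and per-object permissions that an OpenShift
# 4.14 installation on vSphere needs, using govc.
#
# Borrowed from the following gist and updated for 4.14
# https://gist.github.com/davoult/2259f17579f19e9618f48f92aa9740cd
#
# Requires: govc on PATH, configured through its own environment
#           (GOVC_URL, GOVC_USERNAME, GOVC_PASSWORD, ...). No credential
#           is passed on a command line, so the trace from `set -x`
#           does not expose one.
# Requires: MY_PRINCIPAL - the vSphere user that receives the
#           permissions (a user of the form <name>@<sso-domain>). The
#           published copy of this script had the principal obfuscated,
#           so it has to be supplied explicitly.
# Optional: MY_DATACENTER, MY_CLUSTER, MY_FOLDER, MY_RESOURCES,
#           MY_DATASTORE, MY_SWITCH, MY_PORTGROUP override the inventory
#           names below.
#######################################################################
set -euo pipefail
: "${MY_PRINCIPAL:?set MY_PRINCIPAL to the vSphere user that receives the permissions}"
set -x

# Inventory object names; the defaults are the original author's lab.
MY_DATACENTER=${MY_DATACENTER:-Smallville}
MY_CLUSTER=${MY_CLUSTER:-Smallville-Cluster}
MY_FOLDER=${MY_FOLDER:-smallville}
MY_RESOURCES=${MY_RESOURCES:-Resources}
MY_DATASTORE=${MY_DATASTORE:-vsanDatastore-Smallville}
MY_SWITCH=${MY_SWITCH:-esxi-DSwitch}
MY_PORTGROUP=${MY_PORTGROUP:-esxi-smallville}

# role name -> space-separated privilege list (split when the role is created)
declare -A roles=()

VCENTER="Cns.Searchable InventoryService.Tagging.AttachTag InventoryService.Tagging.CreateCategory InventoryService.Tagging.CreateTag InventoryService.Tagging.DeleteCategory InventoryService.Tagging.DeleteTag InventoryService.Tagging.EditCategory InventoryService.Tagging.EditTag Sessions.ValidateSession StorageProfile.Update StorageProfile.View"
VCENTER_ROLE_NAME="openshift-vcenter-level"
roles[$VCENTER_ROLE_NAME]=$VCENTER

CLUSTER="Host.Config.Storage Resource.AssignVMToPool VApp.AssignResourcePool VApp.Import VirtualMachine.Config.AddNewDisk"
CLUSTER_ROLE_NAME="openshift-cluster-level"
roles[$CLUSTER_ROLE_NAME]=$CLUSTER

# Same privilege set as the cluster role, kept as a separate role so the
# two objects can be managed independently.
RESOURCE_POOL="Host.Config.Storage Resource.AssignVMToPool VApp.AssignResourcePool VApp.Import VirtualMachine.Config.AddNewDisk"
RESOURCE_POOL_NAME="openshift-resourcepool-level"
roles[$RESOURCE_POOL_NAME]=$RESOURCE_POOL

DATASTORE="Datastore.AllocateSpace Datastore.Browse Datastore.FileManagement InventoryService.Tagging.ObjectAttachable"
DATASTORE_ROLE_NAME="openshift-datastore-level"
roles[$DATASTORE_ROLE_NAME]=$DATASTORE

PORTGROUP="Network.Assign"
PORTGROUP_ROLE_NAME="openshift-portgroup-level"
roles[$PORTGROUP_ROLE_NAME]=$PORTGROUP

FOLDER="InventoryService.Tagging.ObjectAttachable Resource.AssignVMToPool VApp.Import VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.AdvancedConfig VirtualMachine.Config.Annotation VirtualMachine.Config.CPUCount VirtualMachine.Config.DiskExtend VirtualMachine.Config.DiskLease VirtualMachine.Config.EditDevice VirtualMachine.Config.Memory VirtualMachine.Config.RemoveDisk VirtualMachine.Config.Rename VirtualMachine.Config.ResetGuestInfo VirtualMachine.Config.Resource VirtualMachine.Config.Settings VirtualMachine.Config.UpgradeVirtualHardware VirtualMachine.Interact.GuestControl VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Reset VirtualMachine.Inventory.Create VirtualMachine.Inventory.CreateFromExisting VirtualMachine.Inventory.Delete VirtualMachine.Provisioning.Clone VirtualMachine.Provisioning.MarkAsTemplate VirtualMachine.Provisioning.DeployTemplate"
FOLDER_ROLE_NAME="openshift-folder-level"
roles[$FOLDER_ROLE_NAME]=$FOLDER

# The folder privileges plus Folder.Create/Folder.Delete, for the case
# where the installer has to create the VM folder itself.
DATACENTER="InventoryService.Tagging.ObjectAttachable Resource.AssignVMToPool VApp.Import VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.AdvancedConfig VirtualMachine.Config.Annotation VirtualMachine.Config.CPUCount VirtualMachine.Config.DiskExtend VirtualMachine.Config.DiskLease VirtualMachine.Config.EditDevice VirtualMachine.Config.Memory VirtualMachine.Config.RemoveDisk VirtualMachine.Config.Rename VirtualMachine.Config.ResetGuestInfo VirtualMachine.Config.Resource VirtualMachine.Config.Settings VirtualMachine.Config.UpgradeVirtualHardware VirtualMachine.Interact.GuestControl VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Reset VirtualMachine.Inventory.Create VirtualMachine.Inventory.CreateFromExisting VirtualMachine.Inventory.Delete VirtualMachine.Provisioning.Clone VirtualMachine.Provisioning.DeployTemplate VirtualMachine.Provisioning.MarkAsTemplate Folder.Create Folder.Delete"
DATACENTER_NAME="openshift-datacenter-level"
roles[$DATACENTER_NAME]=$DATACENTER

#######################################
# Assign a role to MY_PRINCIPAL on one inventory object.
# Globals:   MY_PRINCIPAL (read)
# Arguments: $1 - propagate to children: true or false
#            $2 - role name
#            $3 - inventory path of the object
# Returns:   exit status of govc permissions.set
#######################################
grant() {
  local propagate=$1
  local role=$2
  local path=$3
  govc permissions.set -propagate="$propagate" -principal "$MY_PRINCIPAL" -role "$role" "$path"
}

# Create every role that does not exist yet. role.ls is used only for its
# exit status; its listing is not needed.
for role_name in "${!roles[@]}"; do
  if govc role.ls "$role_name" >/dev/null 2>&1; then
    continue
  fi
  # one argument per privilege, instead of relying on unquoted word-splitting
  read -r -a privileges <<<"${roles[$role_name]}"
  # Creation stays best-effort as in the original, but a failure is reported
  # instead of silently dropped; a later permissions.set on a role that was
  # never created stops the script under set -e.
  govc role.create "$role_name" "${privileges[@]}" \
    || printf 'warn: role.create %s failed\n' "$role_name" >&2
  # give vCenter a moment before the new role is referenced
  sleep 5
done

### from 4.14 official documentation
# - vSphere object - | - When required - | - Propagate to children - | - Permissions required -
#vSphere vCenter | Always | False | Listed required privileges
#vSphere vCenter Datacenter | Existing folder | False | ReadOnly permission
# | Installation program creates the folder | True | Listed required privileges
#vSphere vCenter Cluster | Existing resource pool | False | ReadOnly permission
# | VMs in cluster root | True | Listed required privileges
#vSphere vCenter Datastore | Always | False | Listed required privileges
#vSphere Switch | Always | False | ReadOnly permission
#vSphere Port Group | Always | False | Listed required privileges
#vSphere vCenter Virtual Machine Folder | Existing folder | True | Listed required privileges
#vSphere vCenter Resource Pool | Existing resource pool | True | Listed required privileges

# set defaults
# NOTE(review): existing_datacenter_folder and existing_resource_folder both
# appear to describe the same pre-created VM folder; confirm they are always
# set together.
existing_datacenter_folder=false
existing_resource_pool=false
existing_resource_folder=false

# set "vSphere vCenter" permissions
grant false "$VCENTER_ROLE_NAME" /

# set "vSphere vCenter Datacenter" permissions
if [[ "$existing_datacenter_folder" == "true" ]]; then
  grant false ReadOnly "/$MY_DATACENTER"
else
  grant true "$DATACENTER_NAME" "/$MY_DATACENTER"
fi

# set "vSphere vCenter Cluster" permissions
if [[ "$existing_resource_pool" == "true" ]]; then
  grant false ReadOnly "/$MY_DATACENTER/host/$MY_CLUSTER"
else
  grant true "$CLUSTER_ROLE_NAME" "/$MY_DATACENTER/host/$MY_CLUSTER"
fi

# set "vSphere vCenter Datastore" permissions
grant false "$DATASTORE_ROLE_NAME" "/$MY_DATACENTER/datastore/$MY_DATASTORE"

# set "vSphere Switch" permissions
grant false ReadOnly "/$MY_DATACENTER/network/$MY_SWITCH"

# set "vSphere Port Group" permissions
grant false "$PORTGROUP_ROLE_NAME" "/$MY_DATACENTER/network/$MY_PORTGROUP"

# set "vSphere vCenter Virtual Machine Folder" permissions
# The branch is selected by the folder flag (the original tested the resource
# pool flag and never read existing_resource_folder). The role is granted on
# the VM folder itself in both cases; granting it with propagation on the
# datacenter's /vm root would cover every folder in the datacenter.
if [[ "$existing_resource_folder" == "true" ]]; then
  grant true "$FOLDER_ROLE_NAME" "/$MY_DATACENTER/vm/$MY_FOLDER"
else
  govc folder.create "/$MY_DATACENTER/vm/$MY_FOLDER"
  grant true "$FOLDER_ROLE_NAME" "/$MY_DATACENTER/vm/$MY_FOLDER"
fi

# set "vSphere vCenter Resource Pool" permissions
# NOTE(review): this targets the cluster path, so it replaces the permission
# set on the cluster above (for an existing resource pool, the ReadOnly one).
# The original author recorded that granting on the pool path itself did not
# work:
#   govc permissions.set -propagate=true -principal "$MY_PRINCIPAL" -role openshift-resourcepool-level /$MY_DATACENTER/host/$MY_CLUSTER/$MY_RESOURCES
grant true "$RESOURCE_POOL_NAME" "/$MY_DATACENTER/host/$MY_CLUSTER"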