summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2018-02-08 22:25:15 -0800
committerGitHub <noreply@github.com>2018-02-08 22:25:15 -0800
commit6254ea23dd7167fa4b548cebd87809a47dc5f778 (patch)
tree1d41224dbdaee07f732a6940501f01ed68b0312a
parent4fb27adfd2f9006c90f99aa1ecd7487ca13008a7 (diff)
parentc625f3b517b0f2754132ff6fa35b1391d7c0563a (diff)
downloadopenshift-6254ea23dd7167fa4b548cebd87809a47dc5f778.tar.gz
openshift-6254ea23dd7167fa4b548cebd87809a47dc5f778.tar.bz2
openshift-6254ea23dd7167fa4b548cebd87809a47dc5f778.tar.xz
openshift-6254ea23dd7167fa4b548cebd87809a47dc5f778.zip
Merge pull request #7074 from kwoodson/redeploy_certs_insecure
Automatic merge from submit-queue. Redeploy router certificates during upgrade only when secure. Wrap the upgrade logic for redeploying certificates into another block so that insecure registries do not perform any certificate tasks.
-rw-r--r--playbooks/common/openshift-cluster/upgrades/post_control_plane.yml36
1 files changed, 20 insertions, 16 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index 9c927c0a1..fafbd8d1c 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -114,22 +114,26 @@
openshift_hosted_templates_import_command: replace
post_tasks:
- # we need to migrate customers to the new pattern of pushing to the registry via dns
- # Step 1: verify the certificates have the docker registry service name
- - shell: >
- echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
- register: cert_output
- changed_when: false
- failed_when:
- - cert_output.rc not in [0, 1]
-
- # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
- - name: set a fact to include the registry certs playbook if needed
- set_fact:
- openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}"
-
-# Run the redeploy certs based upon the certificates
-- when: hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry
+ # Do not perform these tasks when the registry is insecure. The default registry is insecure in openshift_hosted/defaults/main.yml
+ - when: not (openshift_docker_hosted_registry_insecure | default(True))
+ block:
+ # we need to migrate customers to the new pattern of pushing to the registry via dns
+ # Step 1: verify the certificates have the docker registry service name
+ - name: shell command to determine if the docker-registry.default.svc is found in the registry certificate
+ shell: >
+ echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
+ register: cert_output
+ changed_when: false
+ failed_when:
+ - cert_output.rc not in [0, 1]
+
+ # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
+ - name: set a fact to include the registry certs playbook if needed
+ set_fact:
+ openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}"
+
+# Run the redeploy certs based upon the certificates. Defaults to False for insecure registries
+- when: (hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry | default(False)) | bool
import_playbook: ../../../openshift-hosted/redeploy-registry-certificates.yml
# Check for warnings to be printed at the end of the upgrade: