author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2018-02-08 22:25:15 -0800 |
committer | GitHub <noreply@github.com> | 2018-02-08 22:25:15 -0800 |
commit | 6254ea23dd7167fa4b548cebd87809a47dc5f778 (patch) | |
tree | 1d41224dbdaee07f732a6940501f01ed68b0312a /playbooks/common/openshift-cluster | |
parent | 4fb27adfd2f9006c90f99aa1ecd7487ca13008a7 (diff) | |
parent | c625f3b517b0f2754132ff6fa35b1391d7c0563a (diff) | |
Merge pull request #7074 from kwoodson/redeploy_certs_insecure
Automatic merge from submit-queue.
Redeploy router certificates during upgrade only when secure.
Wrap the upgrade logic for redeploying certificates into another block so that insecure registries do not perform any certificate tasks.
Diffstat (limited to 'playbooks/common/openshift-cluster')
-rw-r--r-- | playbooks/common/openshift-cluster/upgrades/post_control_plane.yml | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index 9c927c0a1..fafbd8d1c 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -114,22 +114,26 @@ openshift_hosted_templates_import_command: replace post_tasks: - # we need to migrate customers to the new pattern of pushing to the registry via dns - # Step 1: verify the certificates have the docker registry service name - - shell: > - echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)' - register: cert_output - changed_when: false - failed_when: - - cert_output.rc not in [0, 1] - - # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs - - name: set a fact to include the registry certs playbook if needed - set_fact: - openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}" - -# Run the redeploy certs based upon the certificates -- when: hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry + # Do not perform these tasks when the registry is insecure. 
The default registry is insecure in openshift_hosted/defaults/main.yml + - when: not (openshift_docker_hosted_registry_insecure | default(True)) + block: + # we need to migrate customers to the new pattern of pushing to the registry via dns + # Step 1: verify the certificates have the docker registry service name + - name: shell command to determine if the docker-registry.default.svc is found in the registry certificate + shell: > + echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)' + register: cert_output + changed_when: false + failed_when: + - cert_output.rc not in [0, 1] + + # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs + - name: set a fact to include the registry certs playbook if needed + set_fact: + openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}" + +# Run the redeploy certs based upon the certificates. Defaults to False for insecure registries +- when: (hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry | default(False)) | bool import_playbook: ../../../openshift-hosted/redeploy-registry-certificates.yml # Check for warnings to be printed at the end of the upgrade: |
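Review bot: The new block guard `when: not (openshift_docker_hosted_registry_insecure | default(True))` negates the raw variable, so a value supplied as the string "false" (the usual form for INI inventory and `-e` overrides) is truthy and the whole certificate block is skipped on a registry that is actually secure; the `import_playbook` guard at the end of the hunk already casts with `| bool`, so the block guard should do the same: `- when: not (openshift_docker_hosted_registry_insecure | default(True) | bool)`. When the block is skipped the result is silent — `openshift_hosted_rollout_certs_and_registry` stays undefined and the redeploy is then suppressed by `default(False)` — so a mis-typed inventory value is indistinguishable in the upgrade log from a deliberately insecure registry; a `debug` task printing the evaluated flag before the block would make that visible. Separately, the shell pipeline carried over unchanged reports the exit status of the final `grep`, so a failed connection to docker-registry.default.svc:5000 also produces rc 1 and is read as "SAN missing" rather than as an error; that is pre-existing behaviour, but worth a follow-up given the new comment says the check only runs for secure registries. The enclosing play starts before this hunk.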