authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2018-02-08 22:25:15 -0800
committerGitHub <noreply@github.com>2018-02-08 22:25:15 -0800
commit6254ea23dd7167fa4b548cebd87809a47dc5f778 (patch)
tree1d41224dbdaee07f732a6940501f01ed68b0312a /playbooks
parent4fb27adfd2f9006c90f99aa1ecd7487ca13008a7 (diff)
parentc625f3b517b0f2754132ff6fa35b1391d7c0563a (diff)
Merge pull request #7074 from kwoodson/redeploy_certs_insecure
Automatic merge from submit-queue. Redeploy router certificates during upgrade only when secure. Wrap the upgrade logic for redeploying certificates into another block so that insecure registries do not perform any certificate tasks.
Diffstat (limited to 'playbooks')
-rw-r--r--playbooks/common/openshift-cluster/upgrades/post_control_plane.yml36
1 files changed, 20 insertions, 16 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index 9c927c0a1..fafbd8d1c 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -114,22 +114,26 @@
openshift_hosted_templates_import_command: replace
post_tasks:
- # we need to migrate customers to the new pattern of pushing to the registry via dns
- # Step 1: verify the certificates have the docker registry service name
- - shell: >
- echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
- register: cert_output
- changed_when: false
- failed_when:
- - cert_output.rc not in [0, 1]
-
- # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
- - name: set a fact to include the registry certs playbook if needed
- set_fact:
- openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}"
-
-# Run the redeploy certs based upon the certificates
-- when: hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry
+ # Do not perform these tasks when the registry is insecure. The default registry is insecure in openshift_hosted/defaults/main.yml
+ - when: not (openshift_docker_hosted_registry_insecure | default(True))
+ block:
+ # we need to migrate customers to the new pattern of pushing to the registry via dns
+ # Step 1: verify the certificates have the docker registry service name
+ - name: shell command to determine if the docker-registry.default.svc is found in the registry certificate
+ shell: >
+ echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
+ register: cert_output
+ changed_when: false
+ failed_when:
+ - cert_output.rc not in [0, 1]
+
+ # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
+ - name: set a fact to include the registry certs playbook if needed
+ set_fact:
+ openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}"
+
+# Run the redeploy certs based upon the certificates. Defaults to False for insecure registries
+- when: (hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry | default(False)) | bool
import_playbook: ../../../openshift-hosted/redeploy-registry-certificates.yml
# Check for warnings to be printed at the end of the upgrade: