diff options
author | Michael Gugino <mgugino@redhat.com> | 2017-08-31 18:01:56 -0400 |
---|---|---|
committer | Michael Gugino <mgugino@redhat.com> | 2017-09-25 09:40:01 -0400 |
commit | 82d61ae9e23c2ae1f722ed3b458a6e39721e71fd (patch) | |
tree | 54b79f1033aa3d210597e285e1346239ce7fad86 /roles/openshift_hosted/tasks/secure.yml | |
parent | c390d382a2c1783964179490eec810ee2206fa32 (diff) | |
download | openshift-82d61ae9e23c2ae1f722ed3b458a6e39721e71fd.tar.gz openshift-82d61ae9e23c2ae1f722ed3b458a6e39721e71fd.tar.bz2 openshift-82d61ae9e23c2ae1f722ed3b458a6e39721e71fd.tar.xz openshift-82d61ae9e23c2ae1f722ed3b458a6e39721e71fd.zip |
Refactor openshift_hosted plays and role
Currently, openshift_hosted role duplicates some logic
across separate task chains. This commit cleans up
the openshift_hosted role and converts it to be
primarily used with include_role to give better
logic to the playbooks that utilize this role.
This commit also refactors the playbook that calls
various openshift_hosted roles into individual playbooks.
This allows more granularity for advanced users.
Diffstat (limited to 'roles/openshift_hosted/tasks/secure.yml')
-rw-r--r-- | roles/openshift_hosted/tasks/secure.yml | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/roles/openshift_hosted/tasks/secure.yml b/roles/openshift_hosted/tasks/secure.yml new file mode 100644 index 000000000..0da8ac8a7 --- /dev/null +++ b/roles/openshift_hosted/tasks/secure.yml @@ -0,0 +1,119 @@ +--- +- name: Configure facts for docker-registry + set_fact: + openshift_hosted_registry_routecertificates: "{{ ('routecertificates' in openshift.hosted.registry.keys()) | ternary(openshift_hosted_registry_routecertificates, {}) }}" + openshift_hosted_registry_routehost: "{{ ('routehost' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routehost, False) }}" + openshift_hosted_registry_routetermination: "{{ ('routetermination' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routetermination, 'passthrough') }}" + +- name: Include reencrypt route configuration + include: secure/reencrypt.yml + static: no + when: openshift_hosted_registry_routetermination == 'reencrypt' + +- name: Include passthrough route configuration + include: secure/passthrough.yml + static: no + when: openshift_hosted_registry_routetermination == 'passthrough' + +- name: Fetch the docker-registry route + oc_route: + name: docker-registry + namespace: default + state: list + register: docker_registry_route + +- name: Retrieve registry service for the clusterip + oc_service: + namespace: "{{ openshift_hosted_registry_namespace }}" + name: docker-registry + state: list + register: docker_registry_service + +- name: Generate self-signed docker-registry certificates + oc_adm_ca_server_cert: + signer_cert: "{{ openshift_master_config_dir }}/ca.crt" + signer_key: "{{ openshift_master_config_dir }}/ca.key" + signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" + hostnames: + - "{{ docker_registry_service.results.clusterip }}" + - "{{ docker_registry_route.results[0].spec.host }}" + - "{{ openshift_hosted_registry_name }}.default.svc" + - "{{ openshift_hosted_registry_name }}.default.svc.{{ openshift_cluster_domain }}" + - "{{ openshift_hosted_registry_routehost }}" + cert: "{{ docker_registry_cert_path }}" + key: "{{ docker_registry_key_path }}" + expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift_deployment_type) | bool else omit }}" + register: registry_self_cert + when: docker_registry_self_signed + +# Setting up REGISTRY_HTTP_TLS_CLIENTCAS as the cacert doesn't seem to work. +# If we need to set up a cacert, bundle it with the cert. +- when: docker_registry_cacert_path is defined + block: + - name: Retrieve certificate files to generate certificate bundle + slurp: + src: "{{ item }}" + with_items: + - "{{ docker_registry_cert_path }}" + - "{{ docker_registry_cacert_path }}" + register: certificate_files + + - name: Generate certificate bundle + copy: + content: "{{ certificate_files.results | map(attribute='content') | map('b64decode') | join('') }}" + dest: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem" + + - name: Reset the certificate path to use the bundle + set_fact: + docker_registry_cert_path: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem" + +- name: Create the secret for the registry certificates + oc_secret: + name: registry-certificates + namespace: "{{ openshift_hosted_registry_namespace }}" + files: + - name: registry.crt + path: "{{ docker_registry_cert_path }}" + - name: registry.key + path: "{{ docker_registry_key_path }}" + register: create_registry_certificates_secret_out + +- name: Add the secret to the registry's pod service accounts + oc_serviceaccount_secret: + service_account: "{{ item }}" + secret: registry-certificates + namespace: "{{ openshift_hosted_registry_namespace }}" + with_items: + - registry + - default + +- name: Set facts for secure registry + set_fact: + registry_secure_volume_mounts: + - name: registry-certificates + path: /etc/secrets + type: secret + secret_name: registry-certificates + registry_secure_env_vars: + REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt + REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key + registry_secure_edits: + - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme + value: HTTPS + action: put + - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme + value: HTTPS + action: put + +- name: Detect if there has been certificate changes + set_fact: + registry_cert_changed: true + when: ( registry_self_cert is defined and registry_self_cert.changed ) or + create_registry_certificates_secret_out.changed + +- name: Update openshift_hosted facts with secure registry variables + set_fact: + openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}" + openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}" + openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}" + openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([registry_cert_changed | default(false)]) }}" |