diff options
Diffstat (limited to 'roles/openshift_hosted/tasks/registry')
5 files changed, 193 insertions, 302 deletions
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml index 93b701ebc..cad5c666c 100644 --- a/roles/openshift_hosted/tasks/registry/registry.yml +++ b/roles/openshift_hosted/tasks/registry/registry.yml @@ -1,64 +1,88 @@ --- -- name: Retrieve list of openshift nodes matching registry selector - command: > - {{ openshift.common.client_binary }} --api-version='v1' -o json - get nodes -n default --config={{ openshift_hosted_kubeconfig }} - --selector={{ openshift.hosted.registry.selector | default('') }} - register: registry_nodes_json - changed_when: false - when: openshift.hosted.registry.replicas | default(none) is none +- block: -- set_fact: - l_node_count: "{{ (registry_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length }}" + - name: Retrieve list of openshift nodes matching registry selector + oc_obj: + state: list + kind: node + selector: "{{ openshift.hosted.registry.selector | default(omit) }}" + register: registry_nodes -# Determine the default number of registry/router replicas to use if no count -# has been specified. -# If no registry nodes defined, the default should be 0. -- set_fact: - l_default_replicas: 0 - when: l_node_count | int == 0 + - name: set_fact l_node_count to number of nodes matching registry selector + set_fact: + l_node_count: "{{ registry_nodes.results.results[0]['items'] | length }}" -# If registry nodes are defined and the registry storage kind is -# defined, default should be the number of registry nodes, otherwise -# just 1: -- set_fact: - l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}" - when: l_node_count | int > 0 + # Determine the default number of registry/router replicas to use if no count + # has been specified. + # If no registry nodes defined, the default should be 0. + - name: set_fact l_default_replicas when l_node_count == 0 + set_fact: + l_default_replicas: 0 + when: l_node_count | int == 0 -- set_fact: - replicas: "{{ openshift.hosted.registry.replicas | default(l_default_replicas) }}" + # If registry nodes are defined and the registry storage kind is + # defined, default should be the number of registry nodes, otherwise + # just 1: + - name: set_fact l_default_replicas when l_node_count > 0 + set_fact: + l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}" + when: l_node_count | int > 0 -- name: Create OpenShift registry - command: > - {{ openshift.common.client_binary }} adm registry --create - --config={{ openshift_hosted_kubeconfig }} - {% if replicas > 1 -%} - --replicas={{ replicas }} - {% endif -%} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - --service-account=registry - {% if openshift.hosted.registry.selector | default(none) is not none -%} - --selector='{{ openshift.hosted.registry.selector }}' - {% endif -%} - {% if not openshift.common.version_gte_3_2_or_1_2 | bool -%} - --credentials={{ openshift_master_config_dir }}/openshift-registry.kubeconfig - {% endif -%} - {% if openshift.hosted.registry.registryurl | default(none) is not none -%} - --images='{{ openshift.hosted.registry.registryurl }}' - {% endif -%} - register: openshift_hosted_registry_results - changed_when: "'service exists' not in openshift_hosted_registry_results.stdout" - failed_when: "openshift_hosted_registry_results.rc != 0 and 'service exists' not in openshift_hosted_registry_results.stdout and 'deployment_config' not in openshift_hosted_registry_results.stderr and 'service' not in openshift_hosted_registry_results.stderr" - when: replicas | int > 0 + when: openshift.hosted.registry.replicas | default(none) is none + +- name: set openshift_hosted facts + set_fact: + openshift_hosted_registry_replicas: "{{ openshift.hosted.registry.replicas | default(l_default_replicas) }}" + openshift_hosted_registry_name: docker-registry + openshift_hosted_registry_serviceaccount: registry + openshift_hosted_registry_namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" + openshift_hosted_registry_selector: "{{ openshift.hosted.registry.selector }}" + openshift_hosted_registry_images: "{{ openshift.hosted.registry.registryurl | default('openshift3/ose-${component}:${version}')}}" + openshift_hosted_registry_volumes: [] + openshift_hosted_registry_env_vars: {} + openshift_hosted_registry_edits: + # These edits are being specified only to prevent 'changed' on rerun + - key: spec.strategy.rollingParams + value: + intervalSeconds: 1 + maxSurge: "25%" + maxUnavailable: "25%" + timeoutSeconds: 600 + updatePeriodSeconds: 1 + action: put + openshift_hosted_registry_force: + - False - include: secure.yml static: no - when: replicas | int > 0 and not (openshift.docker.hosted_registry_insecure | default(false) | bool) + run_once: true + when: + - not (openshift.docker.hosted_registry_insecure | default(false) | bool) - include: storage/object_storage.yml static: no - when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) == 'object' + when: + - openshift.hosted.registry.storage.kind | default(none) == 'object' -- include: storage/persistent_volume.yml - static: no - when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack'] +- name: Set facts for persistent volume + set_fact: + pvc_volume_mounts: + - name: registry-storage + type: persistentVolumeClaim + claim_name: "{{ openshift.hosted.registry.storage.volume.name }}-claim" + openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(pvc_volume_mounts) }}" + when: + - openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack'] + +- name: Create OpenShift registry + oc_adm_registry: + name: "{{ openshift_hosted_registry_name }}" + namespace: "{{ openshift_hosted_registry_namespace }}" + selector: "{{ openshift_hosted_registry_selector }}" + replicas: "{{ openshift_hosted_registry_replicas }}" + service_account: "{{ openshift_hosted_registry_serviceaccount }}" + images: "{{ openshift_hosted_registry_images }}" + env_vars: "{{ openshift_hosted_registry_env_vars }}" + volume_mounts: "{{ openshift_hosted_registry_volumes }}" + edits: "{{ openshift_hosted_registry_edits }}" + force: "{{ True|bool in openshift_hosted_registry_force }}" diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml index 8b44b94c6..e70d377c6 100644 --- a/roles/openshift_hosted/tasks/registry/secure.yml +++ b/roles/openshift_hosted/tasks/registry/secure.yml @@ -1,132 +1,77 @@ --- +- name: Set fact docker_registry_route_hostname + set_fact: + docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}" + - name: Create passthrough route for docker-registry oc_route: - kubeconfig: "{{ openshift_hosted_kubeconfig }}" name: docker-registry - namespace: default + namespace: "{{ openshift_hosted_registry_namespace }}" service_name: docker-registry - state: present tls_termination: passthrough - run_once: true - -- name: Determine if registry certificate must be created - stat: - path: "{{ openshift_master_config_dir }}/{{ item }}" - with_items: - - registry.crt - - registry.key - register: docker_registry_certificates_stat_result - changed_when: false - failed_when: false + host: "{{ docker_registry_route_hostname }}" - name: Retrieve registry service IP oc_service: - namespace: default + namespace: "{{ openshift_hosted_registry_namespace }}" name: docker-registry state: list register: docker_registry_service_ip - changed_when: false - -- set_fact: - docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}" -- name: Create registry certificates if they do not exist - command: > - {{ openshift.common.client_binary }} adm ca create-server-cert - --signer-cert={{ openshift_master_config_dir }}/ca.crt - --signer-key={{ openshift_master_config_dir }}/ca.key - --signer-serial={{ openshift_master_config_dir }}/ca.serial.txt - --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}" - --cert={{ openshift_master_config_dir }}/registry.crt - --key={{ openshift_master_config_dir }}/registry.key - when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list) +- name: Create registry certificates + oc_adm_ca_server_cert: + signer_cert: "{{ openshift_master_config_dir }}/ca.crt" + signer_key: "{{ openshift_master_config_dir }}/ca.key" + signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" + hostnames: + - "{{ docker_registry_service_ip.results.clusterip }}" + - docker-registry.default.svc.cluster.local + - "{{ docker_registry_route_hostname }}" + cert: "{{ openshift_master_config_dir }}/registry.crt" + key: "{{ openshift_master_config_dir }}/registry.key" + register: server_cert_out - name: Create the secret for the registry certificates oc_secret: - kubeconfig: "{{ openshift_hosted_kubeconfig }}" name: registry-certificates - namespace: default - state: present + namespace: "{{ openshift_hosted_registry_namespace }}" files: - name: registry.crt path: "{{ openshift_master_config_dir }}/registry.crt" - name: registry.key path: "{{ openshift_master_config_dir }}/registry.key" - register: create_registry_certificates_secret - run_once: true + register: create_registry_certificates_secret_out -- name: "Add the secret to the registry's pod service accounts" +- name: Add the secret to the registry's pod service accounts oc_serviceaccount_secret: service_account: "{{ item }}" secret: registry-certificates - namespace: default - kubeconfig: "{{ openshift_hosted_kubeconfig }}" - state: present + namespace: "{{ openshift_hosted_registry_namespace }}" with_items: - registry - default -- name: Determine if registry-certificates secret volume attached - command: > - {{ openshift.common.client_binary }} get dc/docker-registry - -o jsonpath='{.spec.template.spec.volumes[?(@.secret)].secret.secretName}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_volumes - changed_when: false - failed_when: "docker_registry_volumes.stdout != '' and 'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0" - -- name: Attach registry-certificates secret volume - command: > - {{ openshift.common.client_binary }} volume dc/docker-registry --add --type=secret - --secret-name=registry-certificates - -m /etc/secrets - --config={{ openshift_hosted_kubeconfig }} - -n default - when: "'registry-certificates' not in docker_registry_volumes.stdout" - -- name: Determine if registry environment variables must be set - command: > - {{ openshift.common.client_binary }} env dc/docker-registry - --list - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_env - changed_when: false - -- name: Configure certificates in registry deplomentConfig - command: > - {{ openshift.common.client_binary }} env dc/docker-registry - REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt - REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key - --config={{ openshift_hosted_kubeconfig }} - -n default - when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout" - -- name: Determine if registry liveness probe scheme is HTTPS - command: > - {{ openshift.common.client_binary }} get dc/docker-registry - -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_liveness_probe - changed_when: false - -# This command is on a single line to preserve patch json. -- name: Update registry liveness probe from HTTP to HTTPS - command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default" - when: "'HTTPS' not in docker_registry_liveness_probe.stdout" - -- name: Determine if registry readiness probe scheme is HTTPS - command: > - {{ openshift.common.client_binary }} get dc/docker-registry - -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_readiness_probe - changed_when: false +- name: Set facts for secure registry + set_fact: + registry_secure_volume_mounts: + - name: registry-certificates + path: /etc/secrets + type: secret + secret_name: registry-certificates + registry_secure_env_vars: + REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt + REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key + registry_secure_edits: + - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme + value: HTTPS + action: put + - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme + value: HTTPS + action: put -# This command is on a single line to preserve patch json. -- name: Update registry readiness probe from HTTP to HTTPS - command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default" - when: "'HTTPS' not in docker_registry_readiness_probe.stdout" +- name: Update openshift_hosted facts with secure registry variables + set_fact: + openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}" + openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}" + openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}" + openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([server_cert_out.changed]) | union([create_registry_certificates_secret_out.changed]) }}" diff --git a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml index 15128784e..3dde83bee 100644 --- a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml +++ b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml @@ -1,105 +1,52 @@ --- -- fail: +- name: Assert supported openshift.hosted.registry.storage.provider + assert: + that: + - openshift.hosted.registry.storage.provider in ['azure_blob', 's3', 'swift'] msg: > - Object Storage Provider: {{ openshift.hosted.registry.storage.provider }} + Object Storage Provider: "{{ openshift.hosted.registry.storage.provider }}" is not currently supported - when: openshift.hosted.registry.storage.provider not in ['azure_blob', 's3', 'swift'] -- fail: +- name: Assert implemented openshift.hosted.registry.storage.provider + assert: + that: + - openshift.hosted.registry.storage.provider not in ['azure_blob', 'swift'] msg: > Support for provider: "{{ openshift.hosted.registry.storage.provider }}" not implemented yet - when: openshift.hosted.registry.storage.provider in ['azure_blob', 'swift'] - include: s3.yml when: openshift.hosted.registry.storage.provider == 's3' -- name: Test if docker registry config secret exists - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - get secrets {{ registry_config_secret_name }} -o json - register: secrets - changed_when: false - failed_when: false - -- set_fact: - registry_config: "{{ lookup('template', 'registry_config.j2') | b64encode }}" - -- set_fact: - registry_config_secret: "{{ lookup('template', 'registry_config_secret.j2') | from_yaml }}" - -- set_fact: - same_storage_provider: "{{ (secrets.stdout|from_json)['metadata']['annotations']['provider'] | default(none) == openshift.hosted.registry.storage.provider }}" - when: secrets.rc == 0 - -- name: Update registry config secret - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - patch secret/{{ registry_config_secret_name }} - -p '{"data": {"config.yml": "{{ registry_config }}"}}' - register: update_config_secret - when: secrets.rc == 0 and (secrets.stdout|from_json)['data']['config.yml'] != registry_config and same_storage_provider | bool - -- name: Create registry config secret - shell: > - echo '{{ registry_config_secret |to_json }}' | - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - create -f - - when: secrets.rc == 1 +- name: Ensure the resgistry secret exists + oc_secret: + name: "{{ registry_config_secret_name }}" + state: present + contents: + - path: /tmp/config.yml + data: "{{ lookup('template', 'registry_config.j2') }}" + register: registry_config_out - name: Add secrets to registry service account oc_serviceaccount_secret: service_account: registry secret: "{{ registry_config_secret_name }}" - namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" - kubeconfig: "{{ openshift_hosted_kubeconfig }}" + namespace: "{{ openshift_hosted_registry_namespace }}" state: present - -- name: Determine if deployment config contains secrets - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - set volumes dc/docker-registry --list - register: volume - changed_when: false - -- name: Add secrets to registry deployment config - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - set volumes dc/docker-registry --add --name=docker-config -m /etc/registry - --type=secret --secret-name={{ registry_config_secret_name }} - when: registry_config_secret_name not in volume.stdout - -- name: Determine if registry environment variable needs to be created - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - set env --list dc/docker-registry - register: oc_env - changed_when: false - -- name: Add registry environment variable - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - set env dc/docker-registry REGISTRY_CONFIGURATION_PATH=/etc/registry/config.yml - when: "'REGISTRY_CONFIGURATION_PATH' not in oc_env.stdout" - -- name: Redeploy registry - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - deploy dc/docker-registry --latest - when: secrets.rc == 0 and not update_config_secret | skipped and update_config_secret.rc == 0 and same_storage_provider | bool + register: svcac + +- name: Set facts for registry object storage + set_fact: + registry_obj_storage_volume_mounts: + - name: docker-config + path: /etc/registry + type: secret + secret_name: "{{ registry_config_secret_name }}" + registry_obj_storage_env_vars: + REGISTRY_CONFIGURATION_PATH: /etc/registry/config.yml + +- name: Update openshift_hosted registry facts for storage + set_fact: + openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_obj_storage_volume_mounts) }}" + openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_obj_storage_env_vars) }}" + openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([registry_config_out.changed]) | union([svcac.changed]) }}" diff --git a/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml b/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml deleted file mode 100644 index 0172f5ca0..000000000 --- a/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- set_fact: - registry_volume_claim: "{{ openshift.hosted.registry.storage.volume.name }}-claim" - -- name: Determine if volume is already attached to dc/docker-registry - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - get -o template dc/docker-registry --template=\\{\\{.spec.template.spec.volumes\\}\\} --output-version=v1 - changed_when: false - failed_when: false - register: registry_volumes_output - -- set_fact: - volume_attached: "{{ registry_volume_claim in (registry_volumes_output).stdout | default(['']) }}" - -- name: Add volume to dc/docker-registry - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - volume dc/docker-registry - --add --overwrite -t persistentVolumeClaim --claim-name={{ registry_volume_claim }} - --name=registry-storage - when: not volume_attached | bool diff --git a/roles/openshift_hosted/tasks/registry/storage/s3.yml b/roles/openshift_hosted/tasks/registry/storage/s3.yml index 7d51594bd..69b91be0b 100644 --- a/roles/openshift_hosted/tasks/registry/storage/s3.yml +++ b/roles/openshift_hosted/tasks/registry/storage/s3.yml @@ -1,47 +1,48 @@ --- -- fail: - msg: > - openshift_hosted_registry_storage_s3_accesskey and - openshift_hosted_registry_storage_s3_secretkey are required - when: openshift.hosted.registry.storage.s3.accesskey | default(none) is none or openshift.hosted.registry.storage.s3.secretkey | default(none) is none - -- fail: - msg: > - openshift_hosted_registry_storage_s3_bucket and - openshift_hosted_registry_storage_s3_region are required - when: openshift.hosted.registry.storage.s3.bucket | default(none) is none or openshift.hosted.registry.storage.s3.region | default(none) is none +- name: Assert that S3 variables are provided for registry_config template + assert: + that: + - openshift.hosted.registry.storage.s3.accesskey | default(none) is not none + - openshift.hosted.registry.storage.s3.secretkey | default(none) is not none + - openshift.hosted.registry.storage.s3.bucket | default(none) is not none + - openshift.hosted.registry.storage.s3.region | default(none) is not none + msg: | + When using S3 storage, the following variables are required: + openshift_hosted_registry_storage_s3_accesskey + openshift_hosted_registry_storage_s3_secretkey + openshift_hosted_registry_storage_s3_bucket + openshift_hosted_registry_storage_s3_region -# If cloudfront is being used, fail if we don't have all the required variables -- assert: +- name: If cloudfront is being used, assert that we have all the required variables + assert: that: - - "openshift_hosted_registry_storage_s3_cloudfront_baseurl is not defined or openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile | default(none) is not none" - - "openshift_hosted_registry_storage_s3_cloudfront_baseurl is not defined or openshift_hosted_registry_storage_s3_cloudfront_keypairid | default(none) is not none" - msg: > + - "openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile | default(none) is not none" + - "openshift_hosted_registry_storage_s3_cloudfront_keypairid | default(none) is not none" + msg: | When openshift_hosted_registry_storage_s3_cloudfront_baseurl is provided - openshift_hosted_registry_storage_s3_cloudfront_keypairid and - openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile are required - + openshift_hosted_registry_storage_s3_cloudfront_keypairid and + openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile are required + when: openshift_hosted_registry_storage_s3_cloudfront_baseurl is defined # Inject the cloudfront private key as a secret when required - block: - - name: Create registry secret for cloudfront - oc_secret: - state: present - namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" - name: docker-registry-s3-cloudfront - contents: - path: cloudfront.pem - data: "{{ lookup('file', openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile) }}" + - name: Create registry secret for cloudfront + oc_secret: + state: present + namespace: "{{ openshift_hosted_registry_namespace }}" + name: docker-registry-s3-cloudfront + contents: + - path: cloudfront.pem + data: "{{ lookup('file', openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile) }}" - - name: Add cloudfront secret to the registry deployment config - command: > - oc volume dc/docker-registry --add --name=cloudfront-vol - --namespace="{{ openshift.hosted.registry.namespace | default('default') }}" - -m /etc/origin --type=secret --secret-name=docker-registry-s3-cloudfront - register: cloudfront_vol_attach - failed_when: - - "'already exists' not in cloudfront_vol_attach.stderr" - - "cloudfront_vol_attach.rc != 0" + - name: Add cloudfront secret to the registry volumes + set_fact: + s3_volume_mount: + - name: cloudfront-vol + path: /etc/origin + type: secret + secret_name: docker-registry-s3-cloudfront + openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(s3_volume_mount) }}" when: openshift_hosted_registry_storage_s3_cloudfront_baseurl | default(none) is not none |