From 6826f27769563d30194818a0f13b9da086ddf7ab Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Mon, 26 Sep 2016 10:36:02 -0400
Subject: Further secure registry improvements

- Default to hosted_registry_insecure=False
- Add the OpenShift CA to the system CA trust.
- Update ca trust in openshift_node_certificates rather than docker_ca_trust
---
 .../common/openshift-cluster/node_docker_ca.yml    | 128 ---------------------
 playbooks/common/openshift-node/config.yml         |   4 +-
 roles/openshift_docker_facts/tasks/main.yml        |   2 +-
 .../openshift_node_certificates/handlers/main.yml  |  10 ++
 roles/openshift_node_certificates/tasks/main.yml   |  11 ++
 5 files changed, 24 insertions(+), 131 deletions(-)
 delete mode 100644 playbooks/common/openshift-cluster/node_docker_ca.yml
 create mode 100644 roles/openshift_node_certificates/handlers/main.yml

diff --git a/playbooks/common/openshift-cluster/node_docker_ca.yml b/playbooks/common/openshift-cluster/node_docker_ca.yml
deleted file mode 100644
index a291aeeb7..000000000
--- a/playbooks/common/openshift-cluster/node_docker_ca.yml
+++ /dev/null
@@ -1,128 +0,0 @@
----
-- name: Configure CA certificate for secure registry
-  hosts: oo_nodes_to_config
-  tags:
-  - hosted
-  tasks:
-  - name: Create temp directory for kubeconfig
-    command: mktemp -d /tmp/openshift-ansible-XXXXXX
-    register: mktemp
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - set_fact:
-      openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
-    when: openshift_hosted_manage_registry | default(true) | bool
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - name: Copy the admin client config(s)
-    command: >
-      cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - name: Retrieve docker-registry route
-    command: >
-      {{ openshift.common.client_binary }} get route docker-registry
-      -o jsonpath='{.spec.host}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    register: docker_registry_route
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - name: Retrieve registry service IP
-    command: >
-      {{ openshift.common.client_binary }} get svc/docker-registry
-      -o jsonpath='{.spec.clusterIP}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    register: docker_registry_service_ip
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - name: Create registry CA directories
-    file:
-      path: "/etc/docker/certs.d/{{ item }}"
-      state: directory
-    with_items:
-    - "{{ docker_registry_service_ip.stdout }}:5000"
-    - "{{ docker_registry_route.stdout }}"
-    - "docker-registry.default.svc.cluster.local:5000"
-    when: openshift_hosted_manage_registry | default(true) | bool
-
-  - name: Copy CA to registry CA directories
-    copy:
-      src: "{{ openshift.common.config_base }}/node/ca.crt"
-      dest: "/etc/docker/certs.d/{{ item }}"
-      remote_src: yes
-      force: yes
-    with_items:
-    - "{{ docker_registry_service_ip.stdout }}:5000"
-    - "{{ docker_registry_route.stdout }}"
-    - "docker-registry.default.svc.cluster.local:5000"
-    when: openshift_hosted_manage_registry | default(true) | bool
-    notify:
-    - Wait for docker-registry deployment
-    - Wait for registry-console deployment
-    - Restart docker
-
-  handlers:
-  # Restarting docker before deployments have begun will block the
-  # deployments from ever starting so try waiting for the registry to
-  # become available.
-  - name: Wait for docker-registry deployment
-    command: >
-      {{ openshift.common.client_binary }} get dc/docker-registry
-      -o jsonpath='{.status.availableReplicas}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    delegate_to: "{{ groups.oo_first_master.0}}"
-    register: l_docker_registry_available_replicas
-    until: l_docker_registry_available_replicas.stdout | default("0") != "0"
-    retries: 30
-    delay: 1
-    failed_when: false
-    changed_when: false
-    run_once: true
-
-  - name: Wait for registry-console deployment
-    command: >
-      {{ openshift.common.client_binary }} get dc/registry-console
-      -o jsonpath='{.status.availableReplicas}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    register: l_registry_console_available_replicas
-    until: l_registry_console_available_replicas.stdout | default("0") != "0"
-    retries: 30
-    delay: 1
-    failed_when: false
-    changed_when: false
-    run_once: true
-
-  - name: Restart docker
-    service:
-      name: docker
-      state: restarted
-
-- name: Delete temp directory
-  hosts: oo_first_master
-  tags:
-  - hosted
-  tasks:
-  - name: Delete temp directory
-    file:
-      name: "{{ mktemp.stdout }}"
-      state: absent
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: False
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index f718dbfbd..364a62dd0 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -60,12 +60,12 @@
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
+  - role: openshift_common
   - role: openshift_clock
   - role: openshift_docker
   - role: openshift_node_certificates
     openshift_ca_host: "{{ groups.oo_first_master.0 }}"
   - role: openshift_cloud_provider
-  - role: openshift_common
   - role: openshift_node_dnsmasq
     when: openshift.common.use_dnsmasq
   - role: os_firewall
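Review bot: The move of openshift_common ahead of openshift_clock is not mentioned in the commit message, and nothing in the play records why the order matters; the second hunk of this file makes the same move. If the reordering is what makes the `openshift.common.*` facts available before openshift_node_certificates and openshift_docker run (which the CA-trust task added in this commit may depend on), a comment above the roles list would keep a later contributor from undoing it, e.g. `# openshift_common must run first so its facts are set before the roles below use them`. The enclosing play starts outside the hunk.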
@@ -99,12 +99,12 @@
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
+  - role: openshift_common
   - role: openshift_clock
   - role: openshift_docker
   - role: openshift_node_certificates
     openshift_ca_host: "{{ groups.oo_first_master.0 }}"
   - role: openshift_cloud_provider
-  - role: openshift_common
   - role: openshift_node_dnsmasq
     when: openshift.common.use_dnsmasq
   - role: os_firewall
diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml
index 0ce142983..0c8a36d65 100644
--- a/roles/openshift_docker_facts/tasks/main.yml
+++ b/roles/openshift_docker_facts/tasks/main.yml
@@ -13,7 +13,7 @@
       log_options: "{{ openshift_docker_log_options | default(None) }}"
       options: "{{ openshift_docker_options | default(None) }}"
       disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}"
-      hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.common.deployment_subtype != 'registry') }}"
+      hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(False) }}"
       hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}"
 
 - set_fact:
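Review bot: The new default flips the hosted registry from insecure to secure for every deployment subtype, but nothing at this line records that the secure default only works because the node now trusts the OpenShift CA (added to the system trust by openshift_node_certificates in this same commit). A comment above the line would make that coupling visible: `# Secure by default: openshift_node_certificates places the OpenShift CA in the system CA trust, so the hosted registry no longer needs to be treated as insecure.` Whether the inventory override is coerced to a boolean downstream cannot be seen from this hunk; if openshift_facts does not do it, `| default(False) | bool` would keep a string such as `'no'` from being carried through as truthy. The enclosing `openshift_facts` task starts outside the hunk.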
diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml
new file mode 100644
index 000000000..f2299cecf
--- /dev/null
+++ b/roles/openshift_node_certificates/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: update ca trust
+  command: update-ca-trust
+  notify:
+  - restart docker after updating ca trust
+
+- name: restart docker after updating ca trust
+  service:
+    name: docker
+    state: restarted
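Review bot: The `restart docker after updating ca trust` handler restarts docker unconditionally, whereas the playbook this commit deletes (node_docker_ca.yml) first waited for the docker-registry and registry-console deployments, with a comment explaining that restarting docker before they had started would block them from ever starting. If openshift_node_certificates can be re-run against nodes of an already-deployed cluster, the restart also interrupts every container running on the node, so either carry over a comment stating why the wait is no longer needed at this point in the node configuration flow, or gate the restart on a role variable. The handler names are also lowercase while the tasks in this role are capitalised (`Copy OpenShift CA to system CA trust`); pick one convention for the role.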
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index a729b4d6c..80ab4bb1d 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -124,3 +124,14 @@
   when: node_certs_missing | bool
   delegate_to: localhost
   become: no
+
+- name: Copy OpenShift CA to system CA trust
+  copy:
+    src: "{{ item.cert }}"
+    dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
+    remote_src: yes
+  with_items:
+  - id: openshift
+    cert: "{{ openshift_node_cert_dir }}/ca.crt"
+  notify:
+  - update ca trust
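Review bot: `/etc/pki/ca-trust/source/anchors/` and the `update-ca-trust` handler it notifies are specific to RHEL/Fedora-family hosts, and the task has no `when:` on the distribution, so on any other OS the copy fails or the trust store is never refreshed; the removed approach wrote to `/etc/docker/certs.d/`, which is distribution-agnostic. If this role only ever targets those distributions, a comment above the task saying so is enough, e.g. `# RHEL/Fedora trust store; update-ca-trust picks up anchors from this directory`. Separately, `with_items` wraps a single entry, so either note that more anchors are expected or inline the item, and `remote_src: yes` reads better as `remote_src: true`. The preceding task whose `when`/`delegate_to`/`become` lines open the hunk starts outside it.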
-- 
cgit v1.2.3