From 6826f27769563d30194818a0f13b9da086ddf7ab Mon Sep 17 00:00:00 2001
From: Andrew Butcher
Date: Mon, 26 Sep 2016 10:36:02 -0400
Subject: Further secure registry improvements
- Default to hosted_registry_insecure=False
- Add openshift ca to system ca-trust.
- Update ca trust in openshift_node_certificates rather than docker_ca_trust
---
 roles/openshift_node_certificates/tasks/main.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'roles/openshift_node_certificates/tasks/main.yml')
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index a729b4d6c..80ab4bb1d 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -124,3 +124,14 @@
 when: node_certs_missing | bool
 delegate_to: localhost
 become: no
+
+- name: Copy OpenShift CA to system CA trust
+ copy:
+ src: "{{ item.cert }}"
+ dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
+ remote_src: yes
+ with_items:
+ - id: openshift
+ cert: "{{ openshift_node_cert_dir }}/ca.crt"
+ notify:
+ - update ca trust
--
cgit v1.2.3
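Review bot: The new `copy` task writes into `/etc/pki/ca-trust/source/anchors/` without pinning ownership or permissions, so the anchor's mode depends on the source file and the umask on the node. Anything in that directory presumably becomes a trusted root once the handler runs, so I would add `owner: root`, `group: root` and `mode: "0644"` to the task. Placing the cluster CA in the system store also makes every TLS client on the node trust certificates it signs for any hostname, which is wider than the registry case the commit message describes; a comment such as `# Trusts the OpenShift CA host-wide, not only for docker registry pulls` would make that explicit. The `update ca trust` handler is notified here but defined outside this diff, so confirm that this role or one of its dependencies provides it.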