---
# Expose the registry through a passthrough route: the router forwards the TLS
# session to the registry pod unterminated, so the registry's own certificate
# (created further down, with the route hostname in its hostnames list) is what
# clients see. "already exists" on stderr means an earlier run created the route.
- name: Create passthrough route for docker-registry
  command: >
    {{ openshift.common.client_binary }} create route passthrough
    --service docker-registry --config={{ openshift_hosted_kubeconfig }} -n default
  register: create_docker_registry_route
  changed_when: "'already exists' not in create_docker_registry_route.stderr"
  failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"
# Stat both halves of the registry keypair under the master config dir. The
# per-item results drive the "when" of the certificate-creation task; this task
# itself never reports changed or failed.
- name: Determine if registry certificate must be created
  stat:
    path: '{{ openshift_master_config_dir }}/{{ item }}'
  with_items:
    - registry.crt
    - registry.key
  register: docker_registry_certificates_stat_result
  changed_when: false
  failed_when: false
# Read the registry service's cluster IP; it is included in the certificate
# hostnames below so clients that reach the registry by IP still get a
# matching TLS identity. Read-only query.
- name: Retrieve registry service IP
  command: >
    {{ openshift.common.client_binary }} get service docker-registry
    -o jsonpath='{.spec.clusterIP}' --config={{ openshift_hosted_kubeconfig }} -n default
  register: docker_registry_service_ip
  changed_when: false
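# Compute the public route hostname that must appear in the registry certificate.
# When openshift_master_default_subdomain is undefined *or empty* (the second
# argument to default() makes empty strings count as unset), fall back to the
# router's in-cluster service domain. Task was previously unnamed, which hides
# it in play output; give it a name like every other task in this file.
- name: Set registry route hostname
  set_fact:
    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"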
# Issue the registry's server certificate from the master CA (signer cert, key
# and serial live in the master config dir). The hostnames list covers the
# service cluster IP, the in-cluster service DNS name and the route hostname.
# Runs only when at least one of registry.crt / registry.key is missing.
# NOTE(review): the stat check and this command run per host, while the secret
# task below is run_once — presumably this play targets a single master; confirm.
- name: Create registry certificates if they do not exist
  command: >
    {{ openshift.common.client_binary }} adm ca create-server-cert
    --signer-cert={{ openshift_master_config_dir }}/ca.crt
    --signer-key={{ openshift_master_config_dir }}/ca.key
    --signer-serial={{ openshift_master_config_dir }}/ca.serial.txt
    --hostnames="{{ docker_registry_service_ip.stdout }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
    --cert={{ openshift_master_config_dir }}/registry.crt
    --key={{ openshift_master_config_dir }}/registry.key
  when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list)
# Package the keypair as a Kubernetes secret in the default namespace. The
# private key leaves the master config dir here, so the secret's consumers
# (next task) are the trust boundary. run_once: the secret is cluster-wide.
- name: Create the secret for the registry certificates
  oc_secret:
    state: present
    name: registry-certificates
    namespace: default
    kubeconfig: '{{ openshift_hosted_kubeconfig }}'
    files:
      - name: registry.crt
        path: '{{ openshift_master_config_dir }}/registry.crt'
      - name: registry.key
        path: '{{ openshift_master_config_dir }}/registry.key'
  register: create_registry_certificates_secret
  run_once: true
# Let the service accounts the registry pod may run under use the certificate
# secret. NOTE(review): "default" is the service account every pod in the
# namespace falls back to, so this presumably also makes registry.key mountable
# by unrelated pods in the default namespace — confirm that is intended.
- name: "Add the secret to the registry's pod service accounts"
  oc_serviceaccount_secret:
    state: present
    secret: registry-certificates
    service_account: '{{ item }}'
    namespace: default
    kubeconfig: '{{ openshift_hosted_kubeconfig }}'
  with_items:
    - registry
    - default
# List the secret names of every secret-backed volume on the registry DC.
# Only treated as a failure when the command returned non-zero *and* printed
# something other than the "secretName is not found" message (no secret
# volumes at all is a normal state).
- name: Determine if registry-certificates secret volume attached
  command: >
    {{ openshift.common.client_binary }} get dc/docker-registry
    -o jsonpath='{.spec.template.spec.volumes[?(@.secret)].secret.secretName}'
    --config={{ openshift_hosted_kubeconfig }} -n default
  register: docker_registry_volumes
  changed_when: false
  failed_when: "docker_registry_volumes.stdout != '' and 'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"
# Mount the certificate secret at /etc/secrets, the path the TLS environment
# variables set further down point at. Skipped when the volume is already there.
- name: Attach registry-certificates secret volume
  command: >
    {{ openshift.common.client_binary }} volume dc/docker-registry --add --type=secret
    --secret-name=registry-certificates -m /etc/secrets
    --config={{ openshift_hosted_kubeconfig }} -n default
  when: "'registry-certificates' not in docker_registry_volumes.stdout"
# Dump the registry DC's current environment so the next task can decide
# whether the TLS variables still need to be set. Read-only.
- name: Determine if registry environment variables must be set
  command: >
    {{ openshift.common.client_binary }} env dc/docker-registry --list
    --config={{ openshift_hosted_kubeconfig }} -n default
  register: docker_registry_env
  changed_when: false
# Point the registry at the mounted keypair so it serves HTTPS. Both variables
# are (re)applied if either one is missing or differs from the expected path.
- name: Configure certificates in registry deplomentConfig
  command: >
    {{ openshift.common.client_binary }} env dc/docker-registry
    REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
    --config={{ openshift_hosted_kubeconfig }} -n default
  when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"
# Once the registry serves TLS, an HTTP liveness probe would fail and the pod
# would be restarted in a loop; read the current scheme first. Read-only.
- name: Determine if registry liveness probe scheme is HTTPS
  command: >
    {{ openshift.common.client_binary }} get dc/docker-registry
    -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
    --config={{ openshift_hosted_kubeconfig }} -n default
  register: docker_registry_liveness_probe
  changed_when: false
# Strategic-merge patch switching the liveness probe to HTTPS. Kept on one
# line on purpose: a folded scalar would re-space the embedded JSON.
- name: Update registry liveness probe from HTTP to HTTPS
  command: '{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p ''{"spec":{"template":{"spec":{"containers":[{"name":"registry","livenessProbe":{"httpGet":{"scheme":"HTTPS"}}}]}}}}'' --config={{ openshift_hosted_kubeconfig }} -n default'
  when: "'HTTPS' not in docker_registry_liveness_probe.stdout"
# Same check as for the liveness probe, for the readiness probe: an HTTP probe
# against a TLS-only registry would keep the pod out of service. Read-only.
- name: Determine if registry readiness probe scheme is HTTPS
  command: >
    {{ openshift.common.client_binary }} get dc/docker-registry
    -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
    --config={{ openshift_hosted_kubeconfig }} -n default
  register: docker_registry_readiness_probe
  changed_when: false
# Strategic-merge patch switching the readiness probe to HTTPS. Kept on one
# line on purpose: a folded scalar would re-space the embedded JSON.
- name: Update registry readiness probe from HTTP to HTTPS
  command: '{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p ''{"spec":{"template":{"spec":{"containers":[{"name":"registry","readinessProbe":{"httpGet":{"scheme":"HTTPS"}}}]}}}}'' --config={{ openshift_hosted_kubeconfig }} -n default'
  when: "'HTTPS' not in docker_registry_readiness_probe.stdout"