summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorScott Dodson <sdodson@redhat.com>2016-09-04 23:02:08 -0400
committerGitHub <noreply@github.com>2016-09-04 23:02:08 -0400
commit5ca0a74fb271678708268c940fd52ccd15d207ca (patch)
tree9ebe1aedcabccef7968d7aa99dcce5905e618f77
parent88ef051955288fbfaedebe35a12b64d00ac285a1 (diff)
parent9c114231850ac265e7414afefbf78da194d0a8e4 (diff)
downloadopenshift-5ca0a74fb271678708268c940fd52ccd15d207ca.tar.gz
openshift-5ca0a74fb271678708268c940fd52ccd15d207ca.tar.bz2
openshift-5ca0a74fb271678708268c940fd52ccd15d207ca.tar.xz
openshift-5ca0a74fb271678708268c940fd52ccd15d207ca.zip
Merge pull request #2409 from abutcher/secure-registry
Secure registry for atomic registry deployment
-rw-r--r--playbooks/common/openshift-cluster/openshift_hosted.yml84
-rw-r--r--roles/cockpit-ui/tasks/main.yml49
-rw-r--r--roles/openshift_docker_facts/tasks/main.yml2
-rw-r--r--roles/openshift_hosted/tasks/registry/registry.yml8
-rw-r--r--roles/openshift_hosted/tasks/registry/secure.yml83
5 files changed, 213 insertions, 13 deletions
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index f65b7a2cd..4aca4daf4 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -45,4 +45,86 @@
- role: openshift_metrics
when: openshift.hosted.metrics.deploy | bool
- role: cockpit-ui
- when: ( openshift.common.deployment_subtype == 'registry' )
+ when: openshift.common.deployment_subtype == 'registry'
+
+- name: Configure CA certificate for secure registry
+ hosts: oo_nodes_to_config
+ tags:
+ - hosted
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - set_fact:
+ openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ when: openshift.common.deployment_subtype == 'registry'
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Copy the admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve docker-registry route
+ command: >
+ {{ openshift.common.client_binary }} get route docker-registry
+ --template='{{ '{{' }} .spec.host {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_route
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve registry service IP
+ command: >
+ {{ openshift.common.client_binary }} get service docker-registry
+ --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_service_ip
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Create registry CA directories
+ file:
+ path: "/etc/docker/certs.d/{{ item }}"
+ state: directory
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ - name: Copy CA to registry CA directories
+ copy:
+ src: "{{ openshift.common.config_base }}/node/ca.crt"
+ dest: "/etc/docker/certs.d/{{ item }}"
+ remote_src: yes
+ force: yes
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ notify:
+ - Restart docker
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: False
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ handlers:
+ - name: Restart docker
+ service:
+ name: docker
+ state: restarted
diff --git a/roles/cockpit-ui/tasks/main.yml b/roles/cockpit-ui/tasks/main.yml
index c752bcff1..9fc15ee8b 100644
--- a/roles/cockpit-ui/tasks/main.yml
+++ b/roles/cockpit-ui/tasks/main.yml
@@ -1,31 +1,53 @@
---
-- name: Expose docker-registry
+- name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ changed_when: False
+
+- set_fact:
+ openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+
+- name: Copy the admin client config(s)
command: >
- {{ openshift.common.client_binary }} expose service docker-registry -n default
- register: expose_docker_registry
- changed_when: "'already exists' not in expose_docker_registry.stderr"
- failed_when: "'already exists' not in expose_docker_registry.stderr and expose_docker_registry.rc != 0"
+ cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+ changed_when: False
+
+- name: Create passthrough route for docker-registry
+ command: >
+ {{ openshift.common.client_binary }} create route passthrough
+ --service docker-registry
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: create_docker_registry_route
+ changed_when: "'already exists' not in create_docker_registry_route.stderr"
+ failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"
- name: Create passthrough route for registry-console
command: >
{{ openshift.common.client_binary }} create route passthrough
--service registry-console
--port registry-console
+ --config={{ openshift_hosted_kubeconfig }}
-n default
register: create_registry_console_route
changed_when: "'already exists' not in create_registry_console_route.stderr"
failed_when: "'already exists' not in create_registry_console_route.stderr and create_registry_console_route.rc != 0"
- name: Retrieve docker-registry route
- command: "{{ openshift.common.client_binary }} get route docker-registry -n default --template='{{ '{{' }} .spec.host {{ '}}' }}'"
+ command: >
+ {{ openshift.common.client_binary }} get route docker-registry
+ --template='{{ '{{' }} .spec.host {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
register: docker_registry_route
- failed_when: false
changed_when: false
- name: Retrieve cockpit kube url
- command: "{{ openshift.common.client_binary }} get route registry-console -n default --template='https://{{ '{{' }} .spec.host {{ '}}' }}'"
+ command: >
+ {{ openshift.common.client_binary }} get route registry-console
+ --template='https://{{ '{{' }} .spec.host {{ '}}' }}'
+ -n default
register: registry_console_cockpit_kube_url
- failed_when: false
changed_when: false
- set_fact:
@@ -36,9 +58,16 @@
{{ openshift.common.client_binary }} new-app --template=registry-console
{{ cockpit_image_prefix }}
-p OPENSHIFT_OAUTH_PROVIDER_URL="{{ openshift.master.public_api_url }}"
- -p REGISTRY_HOST="{{ docker_registry_route.stdout }}:80"
+ -p REGISTRY_HOST="{{ docker_registry_route.stdout }}"
-p COCKPIT_KUBE_URL="{{ registry_console_cockpit_kube_url.stdout }}"
+ --config={{ openshift_hosted_kubeconfig }}
-n default
register: deploy_registry_console
changed_when: "'already exists' not in deploy_registry_console.stderr"
failed_when: "'already exists' not in deploy_registry_console.stderr and deploy_registry_console.rc != 0"
+
+- name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ changed_when: False
diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml
index eb8b5e99b..0ce142983 100644
--- a/roles/openshift_docker_facts/tasks/main.yml
+++ b/roles/openshift_docker_facts/tasks/main.yml
@@ -13,7 +13,7 @@
log_options: "{{ openshift_docker_log_options | default(None) }}"
options: "{{ openshift_docker_options | default(None) }}"
disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}"
- hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(None) }}"
+ hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.common.deployment_subtype != 'registry') }}"
hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}"
- set_fact:
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index b28974236..d5077932b 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -18,7 +18,9 @@
l_default_replicas: 0
when: l_node_count | int == 0
-# If registry nodes are defined and the registry storage kind is defined, default should be the number of registry nodes, otherwise just 1:
+# If registry nodes are defined and the registry storage kind is
+# defined, default should be the number of registry nodes, otherwise
+# just 1:
- set_fact:
l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}"
when: l_node_count | int > 0
@@ -49,6 +51,10 @@
failed_when: "openshift_hosted_registry_results.rc != 0 and 'service exists' not in openshift_hosted_registry_results.stdout and 'deployment_config' not in openshift_hosted_registry_results.stderr and 'service' not in openshift_hosted_registry_results.stderr"
when: replicas | int > 0
+- include: secure.yml
+ static: no
+ when: openshift.common.deployment_subtype == 'registry'
+
- include: storage/object_storage.yml
static: no
when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) == 'object'
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
new file mode 100644
index 000000000..ef1c7c5bc
--- /dev/null
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -0,0 +1,83 @@
+---
+- name: Determine if registry certificates must be created
+ stat:
+ path: "{{ openshift_master_config_dir }}/{{ item }}"
+ with_items:
+ - registry.crt
+ - registry.key
+ register: docker_registry_certificates_stat_result
+ changed_when: false
+ failed_when: false
+
+- name: Retrieve registry service IP
+ command: >
+ {{ openshift.common.client_binary }} get service docker-registry
+ --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+ register: docker_registry_service_ip
+ changed_when: false
+
+- set_fact:
+ docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift.master.default_subdomain | default('router.default.svc.cluster.local', true)) }}"
+
+- name: Create registry certificates if they do not exist
+ command: >
+ {{ openshift.common.admin_binary }} ca create-server-cert
+ --signer-cert=/etc/origin/master/ca.crt
+ --signer-key=/etc/origin/master/ca.key
+ --signer-serial=/etc/origin/master/ca.serial.txt
+ --hostnames="{{ docker_registry_service_ip.stdout }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
+ --cert={{ openshift_master_config_dir }}/registry.crt
+ --key={{ openshift_master_config_dir }}/registry.key
+ when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list)
+
+- name: Create the secret for the registry certificates
+ command: >
+ {{ openshift.common.client_binary }} secrets new registry-certificates
+ {{ openshift_master_config_dir }}/registry.crt
+ {{ openshift_master_config_dir }}/registry.key
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: create_registry_certificates_secret
+ changed_when: "'already exists' not in create_registry_certificates_secret.stderr"
+ failed_when: "'already exists' not in create_registry_certificates_secret.stderr and create_registry_certificates_secret.rc != 0"
+
+- name: "Add the secret to the registry's pod service accounts"
+ command: >
+ {{ openshift.common.client_binary }} secrets link {{ item }} registry-certificates
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ with_items:
+ - registry
+ - default
+
+- name: Determine if registry-certificates secret volume attached
+ command: >
+ {{ openshift.common.client_binary }} get dc/docker-registry
+ --template='{{ '{{' }} range .spec.template.spec.volumes {{ '}}' }}{{ '{{' }} .secret.secretName {{ '}}' }}{{ '{{' }} end {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_volumes
+ changed_when: false
+ failed_when: false
+
+- name: Attach registry-certificates secret volume
+ command: >
+ {{ openshift.common.client_binary }} volume dc/docker-registry --add --type=secret
+ --secret-name=registry-certificates
+ -m /etc/secrets
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ when: "'registry-certificates' not in docker_registry_volumes.stdout"
+
+- name: Set registry environment variables for TLS certificate
+ command: >
+ {{ openshift.common.client_binary }} env dc/docker-registry
+ REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
+ REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
+
+# These commands are on a single line to preserve patch json.
+- name: Update registry liveness probe from HTTP to HTTPS
+ command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+
+- name: Update registry readiness probe from HTTP to HTTPS
+ command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"