authorAndrew Butcher <abutcher@redhat.com>2016-09-26 10:36:02 -0400
committerSamuel Munilla <smunilla@redhat.com>2016-09-29 15:35:40 -0400
commit6826f27769563d30194818a0f13b9da086ddf7ab (patch)
treeaadb0d4868d9f98e4d513e3b79b9636730083d2e
parent4b102facfb32e4de14147fcbbe97626c4e08e264 (diff)
Further secure registry improvements
- Default to hosted_registry_insecure=False. - Add the OpenShift CA to the system ca-trust. - Update CA trust in openshift_node_certificates rather than docker_ca_trust.
-rw-r--r--playbooks/common/openshift-cluster/node_docker_ca.yml128
-rw-r--r--playbooks/common/openshift-node/config.yml4
-rw-r--r--roles/openshift_docker_facts/tasks/main.yml2
-rw-r--r--roles/openshift_node_certificates/handlers/main.yml10
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml11
5 files changed, 24 insertions, 131 deletions
diff --git a/playbooks/common/openshift-cluster/node_docker_ca.yml b/playbooks/common/openshift-cluster/node_docker_ca.yml
deleted file mode 100644
index a291aeeb7..000000000
--- a/playbooks/common/openshift-cluster/node_docker_ca.yml
+++ /dev/null
@@ -1,128 +0,0 @@
----
-- name: Configure CA certificate for secure registry
- hosts: oo_nodes_to_config
- tags:
- - hosted
- tasks:
- - name: Create temp directory for kubeconfig
- command: mktemp -d /tmp/openshift-ansible-XXXXXX
- register: mktemp
- when: openshift_hosted_manage_registry | default(true) | bool
- changed_when: false
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
-
- - set_fact:
- openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
- when: openshift_hosted_manage_registry | default(true) | bool
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
-
- - name: Copy the admin client config(s)
- command: >
- cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
- when: openshift_hosted_manage_registry | default(true) | bool
- changed_when: false
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
-
- - name: Retrieve docker-registry route
- command: >
- {{ openshift.common.client_binary }} get route docker-registry
- -o jsonpath='{.spec.host}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- register: docker_registry_route
- when: openshift_hosted_manage_registry | default(true) | bool
- changed_when: false
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
-
- - name: Retrieve registry service IP
- command: >
- {{ openshift.common.client_binary }} get svc/docker-registry
- -o jsonpath='{.spec.clusterIP}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- register: docker_registry_service_ip
- when: openshift_hosted_manage_registry | default(true) | bool
- changed_when: false
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
-
- - name: Create registry CA directories
- file:
- path: "/etc/docker/certs.d/{{ item }}"
- state: directory
- with_items:
- - "{{ docker_registry_service_ip.stdout }}:5000"
- - "{{ docker_registry_route.stdout }}"
- - "docker-registry.default.svc.cluster.local:5000"
- when: openshift_hosted_manage_registry | default(true) | bool
-
- - name: Copy CA to registry CA directories
- copy:
- src: "{{ openshift.common.config_base }}/node/ca.crt"
- dest: "/etc/docker/certs.d/{{ item }}"
- remote_src: yes
- force: yes
- with_items:
- - "{{ docker_registry_service_ip.stdout }}:5000"
- - "{{ docker_registry_route.stdout }}"
- - "docker-registry.default.svc.cluster.local:5000"
- when: openshift_hosted_manage_registry | default(true) | bool
- notify:
- - Wait for docker-registry deployment
- - Wait for registry-console deployment
- - Restart docker
-
- handlers:
- # Restarting docker before deployments have begun will block the
- # deployments from ever starting so try waiting for the registry to
- # become available.
- - name: Wait for docker-registry deployment
- command: >
- {{ openshift.common.client_binary }} get dc/docker-registry
- -o jsonpath='{.status.availableReplicas}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- delegate_to: "{{ groups.oo_first_master.0}}"
- register: l_docker_registry_available_replicas
- until: l_docker_registry_available_replicas.stdout | default("0") != "0"
- retries: 30
- delay: 1
- failed_when: false
- changed_when: false
- run_once: true
-
- - name: Wait for registry-console deployment
- command: >
- {{ openshift.common.client_binary }} get dc/registry-console
- -o jsonpath='{.status.availableReplicas}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- delegate_to: "{{ groups.oo_first_master.0 }}"
- register: l_registry_console_available_replicas
- until: l_registry_console_available_replicas.stdout | default("0") != "0"
- retries: 30
- delay: 1
- failed_when: false
- changed_when: false
- run_once: true
-
- - name: Restart docker
- service:
- name: docker
- state: restarted
-
-- name: Delete temp directory
- hosts: oo_first_master
- tags:
- - hosted
- tasks:
- - name: Delete temp directory
- file:
- name: "{{ mktemp.stdout }}"
- state: absent
- when: openshift_hosted_manage_registry | default(true) | bool
- changed_when: False
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index f718dbfbd..364a62dd0 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
@@ -60,12 +60,12 @@
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
roles:
+ - role: openshift_common
- role: openshift_clock
- role: openshift_docker
- role: openshift_node_certificates
openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- role: openshift_cloud_provider
- - role: openshift_common
- role: openshift_node_dnsmasq
when: openshift.common.use_dnsmasq
- role: os_firewall
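Review bot: Nothing in the roles list records why `openshift_common` now has to run before `openshift_clock`, `openshift_docker` and `openshift_node_certificates`, so the ordering is easy to undo in a later edit. The `when: openshift.common.use_dnsmasq` condition further down suggests later roles consume `openshift.common` facts; if that is the reason, a comment above the moved entry such as `# openshift_common must run first: later roles consume openshift.common facts` would make the constraint explicit. The same comment applies to the identical roles list in the second hunk of this file (`@@ -99,12 +99,12 @@`). As a point of style, both plays duplicate the entire roles list, which is why this commit has to make the same edit twice; a shared include would remove that duplication.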
@@ -99,12 +99,12 @@
when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
openshift_generate_no_proxy_hosts | default(True) | bool }}"
roles:
+ - role: openshift_common
- role: openshift_clock
- role: openshift_docker
- role: openshift_node_certificates
openshift_ca_host: "{{ groups.oo_first_master.0 }}"
- role: openshift_cloud_provider
- - role: openshift_common
- role: openshift_node_dnsmasq
when: openshift.common.use_dnsmasq
- role: os_firewall
diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml
index 0ce142983..0c8a36d65 100644
--- a/roles/openshift_docker_facts/tasks/main.yml
+++ b/roles/openshift_docker_facts/tasks/main.yml
@@ -13,7 +13,7 @@
log_options: "{{ openshift_docker_log_options | default(None) }}"
options: "{{ openshift_docker_options | default(None) }}"
disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}"
- hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.common.deployment_subtype != 'registry') }}"
+ hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(False) }}"
hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}"
- set_fact:
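Review bot: The new default for `hosted_registry_insecure` is a bare `False`, but an explicitly set inventory value is passed through untouched, so a string such as `"false"` or `"no"` from an INI inventory would survive `default(False)` and, if any consumer tests it for truthiness without its own `| bool`, would silently turn TLS verification for the hosted registry back off. Normalising the fact at the source, `hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(False) | bool }}"`, keeps the secure default from being undone by a string-typed override. This is presumably harmless for the consumers this commit touches, but the facts mapping is the natural place to pin the type; the enclosing `set_fact` block starts above the hunk.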
diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml
new file mode 100644
index 000000000..f2299cecf
--- /dev/null
+++ b/roles/openshift_node_certificates/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: update ca trust
+ command: update-ca-trust
+ notify:
+ - restart docker after updating ca trust
+
+- name: restart docker after updating ca trust
+ service:
+ name: docker
+ state: restarted
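Review bot: The `restart docker after updating ca trust` handler restarts the daemon unconditionally and without any comment on why a restart is required or when it is safe, whereas the playbook this commit deletes carried an explicit warning that restarting docker before the registry deployments have started can block them. If the node certificate role is now guaranteed to run before any hosted component is deployed that hazard no longer applies, but the file should say so; a comment above the handler such as `# dockerd presumably reads the system CA bundle only at startup, so a restart is needed; safe here because node certs are configured before hosted components deploy` would record the assumption for the next reader. The handler-to-handler `notify` chain is also worth a one-line note, since a reader of `update ca trust` alone cannot see that it triggers a docker restart.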
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index a729b4d6c..80ab4bb1d 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -124,3 +124,14 @@
when: node_certs_missing | bool
delegate_to: localhost
become: no
+
+- name: Copy OpenShift CA to system CA trust
+ copy:
+ src: "{{ item.cert }}"
+ dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
+ remote_src: yes
+ with_items:
+ - id: openshift
+ cert: "{{ openshift_node_cert_dir }}/ca.crt"
+ notify:
+ - update ca trust
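Review bot: The new `Copy OpenShift CA to system CA trust` task sets no `mode` on the anchor file it writes under `/etc/pki/ca-trust/source/anchors/`, so the permissions of the copied CA depend on the remote `copy` behaviour and umask rather than being pinned; adding `mode: "0644"` (quoted, so the octal is not retyped) makes the file world-readable for `update-ca-trust` and reproducible across hosts. The `remote_src: yes` value should be written as `remote_src: true` to match the canonical boolean form rather than a YAML 1.1 truthy word. The single-element `with_items` list exists only to build the `openshift-ca.crt` filename; a short comment above it stating that intent would save the reader from looking for other items.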