diff options
author | Andrew Butcher <abutcher@redhat.com> | 2016-09-26 10:36:02 -0400 |
---|---|---|
committer | Samuel Munilla <smunilla@redhat.com> | 2016-09-29 15:35:40 -0400 |
commit | 6826f27769563d30194818a0f13b9da086ddf7ab (patch) | |
tree | aadb0d4868d9f98e4d513e3b79b9636730083d2e | |
parent | 4b102facfb32e4de14147fcbbe97626c4e08e264 (diff) | |
download | openshift-6826f27769563d30194818a0f13b9da086ddf7ab.tar.gz openshift-6826f27769563d30194818a0f13b9da086ddf7ab.tar.bz2 openshift-6826f27769563d30194818a0f13b9da086ddf7ab.tar.xz openshift-6826f27769563d30194818a0f13b9da086ddf7ab.zip |
Further secure registry improvements
- Default to hosted_registry_insecure=False
- Add openshift ca to system ca-trust.
- Update ca trust in openshift_node_certificates rather than docker_ca_trust
-rw-r--r-- | playbooks/common/openshift-cluster/node_docker_ca.yml | 128 | ||||
-rw-r--r-- | playbooks/common/openshift-node/config.yml | 4 | ||||
-rw-r--r-- | roles/openshift_docker_facts/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_node_certificates/handlers/main.yml | 10 | ||||
-rw-r--r-- | roles/openshift_node_certificates/tasks/main.yml | 11 |
5 files changed, 24 insertions, 131 deletions
diff --git a/playbooks/common/openshift-cluster/node_docker_ca.yml b/playbooks/common/openshift-cluster/node_docker_ca.yml deleted file mode 100644 index a291aeeb7..000000000 --- a/playbooks/common/openshift-cluster/node_docker_ca.yml +++ /dev/null @@ -1,128 +0,0 @@ ---- -- name: Configure CA certificate for secure registry - hosts: oo_nodes_to_config - tags: - - hosted - tasks: - - name: Create temp directory for kubeconfig - command: mktemp -d /tmp/openshift-ansible-XXXXXX - register: mktemp - when: openshift_hosted_manage_registry | default(true) | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - set_fact: - openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" - when: openshift_hosted_manage_registry | default(true) | bool - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - name: Copy the admin client config(s) - command: > - cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }} - when: openshift_hosted_manage_registry | default(true) | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - name: Retrieve docker-registry route - command: > - {{ openshift.common.client_binary }} get route docker-registry - -o jsonpath='{.spec.host}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_route - when: openshift_hosted_manage_registry | default(true) | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - name: Retrieve registry service IP - command: > - {{ openshift.common.client_binary }} get svc/docker-registry - -o jsonpath='{.spec.clusterIP}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_service_ip - when: openshift_hosted_manage_registry | default(true) | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - name: Create registry CA directories - file: - path: "/etc/docker/certs.d/{{ item }}" - state: directory - with_items: - - "{{ docker_registry_service_ip.stdout }}:5000" - - "{{ docker_registry_route.stdout }}" - - "docker-registry.default.svc.cluster.local:5000" - when: openshift_hosted_manage_registry | default(true) | bool - - - name: Copy CA to registry CA directories - copy: - src: "{{ openshift.common.config_base }}/node/ca.crt" - dest: "/etc/docker/certs.d/{{ item }}" - remote_src: yes - force: yes - with_items: - - "{{ docker_registry_service_ip.stdout }}:5000" - - "{{ docker_registry_route.stdout }}" - - "docker-registry.default.svc.cluster.local:5000" - when: openshift_hosted_manage_registry | default(true) | bool - notify: - - Wait for docker-registry deployment - - Wait for registry-console deployment - - Restart docker - - handlers: - # Restarting docker before deployments have begun will block the - # deployments from ever starting so try waiting for the registry to - # become available. - - name: Wait for docker-registry deployment - command: > - {{ openshift.common.client_binary }} get dc/docker-registry - -o jsonpath='{.status.availableReplicas}' - --config={{ openshift_hosted_kubeconfig }} - -n default - delegate_to: "{{ groups.oo_first_master.0}}" - register: l_docker_registry_available_replicas - until: l_docker_registry_available_replicas.stdout | default("0") != "0" - retries: 30 - delay: 1 - failed_when: false - changed_when: false - run_once: true - - - name: Wait for registry-console deployment - command: > - {{ openshift.common.client_binary }} get dc/registry-console - -o jsonpath='{.status.availableReplicas}' - --config={{ openshift_hosted_kubeconfig }} - -n default - delegate_to: "{{ groups.oo_first_master.0 }}" - register: l_registry_console_available_replicas - until: l_registry_console_available_replicas.stdout | default("0") != "0" - retries: 30 - delay: 1 - failed_when: false - changed_when: false - run_once: true - - - name: Restart docker - service: - name: docker - state: restarted - -- name: Delete temp directory - hosts: oo_first_master - tags: - - hosted - tasks: - - name: Delete temp directory - file: - name: "{{ mktemp.stdout }}" - state: absent - when: openshift_hosted_manage_registry | default(true) | bool - changed_when: False diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index f718dbfbd..364a62dd0 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -60,12 +60,12 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: + - role: openshift_common - role: openshift_clock - role: openshift_docker - role: openshift_node_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" - role: openshift_cloud_provider - - role: openshift_common - role: openshift_node_dnsmasq when: openshift.common.use_dnsmasq - role: os_firewall @@ -99,12 +99,12 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: + - role: openshift_common - role: openshift_clock - role: openshift_docker - role: openshift_node_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" - role: openshift_cloud_provider - - role: openshift_common - role: openshift_node_dnsmasq when: openshift.common.use_dnsmasq - role: os_firewall diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml index 0ce142983..0c8a36d65 100644 --- a/roles/openshift_docker_facts/tasks/main.yml +++ b/roles/openshift_docker_facts/tasks/main.yml @@ -13,7 +13,7 @@ log_options: "{{ openshift_docker_log_options | default(None) }}" options: "{{ openshift_docker_options | default(None) }}" disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}" - hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.common.deployment_subtype != 'registry') }}" + hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(False) }}" hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}" - set_fact: diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml new file mode 100644 index 000000000..f2299cecf --- /dev/null +++ b/roles/openshift_node_certificates/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: update ca trust + command: update-ca-trust + notify: + - restart docker after updating ca trust + +- name: restart docker after updating ca trust + service: + name: docker + state: restarted diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index a729b4d6c..80ab4bb1d 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -124,3 +124,14 @@ when: node_certs_missing | bool delegate_to: localhost become: no + +- name: Copy OpenShift CA to system CA trust + copy: + src: "{{ item.cert }}" + dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}" + remote_src: yes + with_items: + - id: openshift + cert: "{{ openshift_node_cert_dir }}/ca.crt" + notify: + - update ca trust |