diff options
author | David Moreau-Simard <dms@redhat.com> | 2017-05-19 14:28:42 -0400 |
---|---|---|
committer | David Moreau-Simard <dms@redhat.com> | 2017-07-23 10:13:03 -0400 |
commit | d7d97964f5e3b5d2df9985e7f9d7b74a974458cb (patch) | |
tree | 6295ba96709b55bdef549ab4011422930076e0ae /roles/openshift_hosted/tasks/registry/secure/reencrypt.yml | |
parent | 2a706ad80a4286afc4fe5a1cc0cadab302bc7291 (diff) | |
download | openshift-d7d97964f5e3b5d2df9985e7f9d7b74a974458cb.tar.gz openshift-d7d97964f5e3b5d2df9985e7f9d7b74a974458cb.tar.bz2 openshift-d7d97964f5e3b5d2df9985e7f9d7b74a974458cb.tar.xz openshift-d7d97964f5e3b5d2df9985e7f9d7b74a974458cb.zip |
Refactor openshift_hosted's docker-registry route setup
We have identified an issue where a docker-registry service set up
as 'reencrypt' with a provided certificate and a self-signed certificate
on the pod does not authorize users to push images.
If the docker-registry service is set up as 'passthrough' with the
same provided certificate, everything works.
In light of this, this commit essentially adds support for configuring
provided certificates with a passthrough route while maintaining backwards
compatibility with the other use cases.
The default remains 'passthrough' with self-generated certificates.
Other miscellaneous changes include:
- Move fact setup that were only used in secure.yml there
- Omit the hostname for the route if there are none to configure,
oc_route takes care of handling the default
- Replace hardcoded /etc/origin/master by openshift_master_config_dir
Diffstat (limited to 'roles/openshift_hosted/tasks/registry/secure/reencrypt.yml')
-rw-r--r-- | roles/openshift_hosted/tasks/registry/secure/reencrypt.yml | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/roles/openshift_hosted/tasks/registry/secure/reencrypt.yml b/roles/openshift_hosted/tasks/registry/secure/reencrypt.yml new file mode 100644 index 000000000..48e5b0fba --- /dev/null +++ b/roles/openshift_hosted/tasks/registry/secure/reencrypt.yml @@ -0,0 +1,38 @@ +--- +- name: Validate route termination configuration + fail: + msg: > + When 'openshift_hosted_registry_routetermination' is 'reencrypt', you must + provide certificate files with 'openshift_hosted_registry_routecertificates' + when: ('certfile' not in openshift_hosted_registry_routecertificates) or + ('keyfile' not in openshift_hosted_registry_routecertificates) or + ('cafile' not in openshift_hosted_registry_routecertificates) + +- name: Configure self-signed certificate file paths + set_fact: + docker_registry_cert_path: "{{ openshift_master_config_dir }}/registry.crt" + docker_registry_key_path: "{{ openshift_master_config_dir }}/registry.key" + docker_registry_cacert_path: "{{ openshift_master_config_dir }}/ca.crt" + docker_registry_self_signed: true + +- name: Retrieve provided certificate files + copy: + backup: True + dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}" + src: "{{ item.value }}" + when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value + with_dict: "{{ openshift_hosted_registry_routecertificates }}" + +# Encrypt with the provided certificate and provide the dest_cacert for the +# self-signed certificate at the endpoint +- name: Configure a reencrypt route for docker-registry + oc_route: + name: docker-registry + namespace: "{{ openshift_hosted_registry_namespace }}" + service_name: docker-registry + tls_termination: "{{ openshift_hosted_registry_routetermination }}" + host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}" + cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}" + key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}" + cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}" + dest_cacert_path: "{{ openshift_master_config_dir }}/ca.crt" |