authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2017-09-26 09:29:53 -0700
committerGitHub <noreply@github.com>2017-09-26 09:29:53 -0700
commit8c6192e10192b75af79b82e5e9f21cdc560a6e14 (patch)
tree52cea806c342cd9a06d8628acf6eaf1595eb9f12 /roles/openshift_hosted/tasks/secure/passthrough.yml
parent4ac743b8fd26e02af6e230af2cbbe82dd2d4617a (diff)
parent82d61ae9e23c2ae1f722ed3b458a6e39721e71fd (diff)
Merge pull request #5472 from mgugino-upstream-stage/split-hosted-v2
Automatic merge from submit-queue Refactor openshift_hosted plays and role (version 2) Currently, openshift_hosted role duplicates some logic across separate task chains. This commit cleans up the openshift_hosted role and converts it to be primarily used with include_role to give better logic to the playbooks that utilize this role. This commit also refactors the playbook that calls various openshift_hosted roles into individual playbooks. This allows more granularity for advanced users. ----- This version of the patch set rolls back some of the refactoring (removal of running fact roles as a dependency) and focuses on just realigning the roles and plays. Original PR: https://github.com/openshift/openshift-ansible/pull/5284 Once this merges, I will close the old PR. Leaving it open for now for reference.
Diffstat (limited to 'roles/openshift_hosted/tasks/secure/passthrough.yml')
-rw-r--r--roles/openshift_hosted/tasks/secure/passthrough.yml45
1 files changed, 45 insertions, 0 deletions
diff --git a/roles/openshift_hosted/tasks/secure/passthrough.yml b/roles/openshift_hosted/tasks/secure/passthrough.yml
new file mode 100644
index 000000000..5b44fda10
--- /dev/null
+++ b/roles/openshift_hosted/tasks/secure/passthrough.yml
@@ -0,0 +1,45 @@
+---
+# Generate a self-signed certificate when there is no user-supplied certificate
+- name: Configure self-signed certificate file paths
+ set_fact:
+ docker_registry_cert_path: "{{ openshift_master_config_dir }}/registry.crt"
+ docker_registry_key_path: "{{ openshift_master_config_dir }}/registry.key"
+ docker_registry_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"
+ docker_registry_self_signed: true
+ when:
+ - "'certfile' not in openshift_hosted_registry_routecertificates"
+ - "'keyfile' not in openshift_hosted_registry_routecertificates"
+
+# Retrieve user supplied certificate files if they are provided
+- when:
+ - "'certfile' in openshift_hosted_registry_routecertificates"
+ - "'keyfile' in openshift_hosted_registry_routecertificates"
+ block:
+ - name: Configure provided certificate file paths
+ set_fact:
+ docker_registry_cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
+ docker_registry_key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
+ docker_registry_self_signed: false
+
+ # Since we end up bundling the cert, cacert and key in a .pem file, the 'cafile'
+ # is optional
+ - name: Configure provided ca certificate file path
+ set_fact:
+ docker_registry_cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
+ when: "'cafile' in openshift_hosted_registry_routecertificates"
+
+ - name: Retrieve provided certificate files
+ copy:
+ backup: True
+ dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}"
+ src: "{{ item.value }}"
+ when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
+ with_dict: "{{ openshift_hosted_registry_routecertificates }}"
+
+- name: Configure a passthrough route for docker-registry
+ oc_route:
+ name: docker-registry
+ namespace: "{{ openshift_hosted_registry_namespace }}"
+ service_name: docker-registry
+ tls_termination: "{{ openshift_hosted_registry_routetermination }}"
+ host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}"
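Review bot: The `Retrieve provided certificate files` task copies the private key (`keyfile`) with no `mode`, so a newly created file takes the remote umask default and may be readable by other local users, depending on how `named_certificates` itself is protected. Adding `mode: "0600"` to the `copy` would pin that, or `mode: "{{ '0600' if item.key == 'keyfile' else '0644' }}"` if the certificates must stay readable. `backup: True` on the same task leaves timestamped copies of a replaced key on disk, so rotating the key does not remove the old key material. Separately, when only one of `certfile`/`keyfile` is supplied, neither `when` branch matches and `docker_registry_cert_path`/`docker_registry_key_path` are never set by this file; an explicit `fail` task for that case would surface the misconfiguration early.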