Diffstat (limited to 'roles/openshift_hosted/tasks/registry/secure.yml')
-rw-r--r-- | roles/openshift_hosted/tasks/registry/secure.yml | 119 |
1 files changed, 0 insertions, 119 deletions
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
deleted file mode 100644
index a8a6f6fc8..000000000
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ /dev/null
@@ -1,119 +0,0 @@ ---- -- name: Configure facts for docker-registry - set_fact: - openshift_hosted_registry_routecertificates: "{{ ('routecertificates' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routecertificates, {}) }}" - openshift_hosted_registry_routehost: "{{ ('routehost' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routehost, False) }}" - openshift_hosted_registry_routetermination: "{{ ('routetermination' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routetermination, 'passthrough') }}" - -- name: Include reencrypt route configuration - include: secure/reencrypt.yml - static: no - when: openshift_hosted_registry_routetermination == 'reencrypt' - -- name: Include passthrough route configuration - include: secure/passthrough.yml - static: no - when: openshift_hosted_registry_routetermination == 'passthrough' - -- name: Fetch the docker-registry route - oc_route: - name: docker-registry - namespace: default - state: list - register: docker_registry_route - -- name: Retrieve registry service for the clusterip - oc_service: - namespace: "{{ openshift_hosted_registry_namespace }}" - name: docker-registry - state: list - register: docker_registry_service - -- name: Generate self-signed docker-registry certificates - oc_adm_ca_server_cert: - signer_cert: "{{ openshift_master_config_dir }}/ca.crt" - signer_key: "{{ openshift_master_config_dir }}/ca.key" - signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" - hostnames: - - "{{ docker_registry_service.results.clusterip }}" - - "{{ docker_registry_route.results[0].spec.host }}" - - "{{ openshift_hosted_registry_name }}.default.svc" - - "{{ openshift_hosted_registry_name }}.default.svc.{{ openshift.common.dns_domain }}" - - "{{ openshift_hosted_registry_routehost }}" - cert: "{{ docker_registry_cert_path }}" - key: "{{ docker_registry_key_path }}" - expire_days: "{{ openshift_hosted_registry_cert_expire_days if 
openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool else omit }}" - register: registry_self_cert - when: docker_registry_self_signed - -# Setting up REGISTRY_HTTP_TLS_CLIENTCAS as the cacert doesn't seem to work. -# If we need to set up a cacert, bundle it with the cert. -- when: docker_registry_cacert_path is defined - block: - - name: Retrieve certificate files to generate certificate bundle - slurp: - src: "{{ item }}" - with_items: - - "{{ docker_registry_cert_path }}" - - "{{ docker_registry_cacert_path }}" - register: certificate_files - - - name: Generate certificate bundle - copy: - content: "{{ certificate_files.results | map(attribute='content') | map('b64decode') | join('') }}" - dest: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem" - - - name: Reset the certificate path to use the bundle - set_fact: - docker_registry_cert_path: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem" - -- name: Create the secret for the registry certificates - oc_secret: - name: registry-certificates - namespace: "{{ openshift_hosted_registry_namespace }}" - files: - - name: registry.crt - path: "{{ docker_registry_cert_path }}" - - name: registry.key - path: "{{ docker_registry_key_path }}" - register: create_registry_certificates_secret_out - -- name: Add the secret to the registry's pod service accounts - oc_serviceaccount_secret: - service_account: "{{ item }}" - secret: registry-certificates - namespace: "{{ openshift_hosted_registry_namespace }}" - with_items: - - registry - - default - -- name: Set facts for secure registry - set_fact: - registry_secure_volume_mounts: - - name: registry-certificates - path: /etc/secrets - type: secret - secret_name: registry-certificates - registry_secure_env_vars: - REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt - REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key - registry_secure_edits: - - key: 
spec.template.spec.containers[0].livenessProbe.httpGet.scheme - value: HTTPS - action: put - - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme - value: HTTPS - action: put - -- name: Detect if there has been certificate changes - set_fact: - registry_cert_changed: true - when: ( registry_self_cert is defined and registry_self_cert.changed ) or - create_registry_certificates_secret_out.changed - -- name: Update openshift_hosted facts with secure registry variables - set_fact: - openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}" - openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}" - openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}" - openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([registry_cert_changed | default(false)]) }}" |