Diffstat (limited to 'roles/openshift_hosted/tasks/registry')
9 files changed, 0 insertions, 602 deletions
diff --git a/roles/openshift_hosted/tasks/registry/firewall.yml b/roles/openshift_hosted/tasks/registry/firewall.yml
deleted file mode 100644
index 775b7d6d7..000000000
--- a/roles/openshift_hosted/tasks/registry/firewall.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-- when: r_openshift_hosted_registry_firewall_enabled | bool and not r_openshift_hosted_registry_use_firewalld | bool
- block:
- - name: Add iptables allow rules
- os_firewall_manage_iptables:
- name: "{{ item.service }}"
- action: add
- protocol: "{{ item.port.split('/')[1] }}"
- port: "{{ item.port.split('/')[0] }}"
- when: item.cond | default(True)
- with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}"
-
- - name: Remove iptables rules
- os_firewall_manage_iptables:
- name: "{{ item.service }}"
- action: remove
- protocol: "{{ item.port.split('/')[1] }}"
- port: "{{ item.port.split('/')[0] }}"
- when: item.cond | default(True)
- with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
-
-- when: r_openshift_hosted_registry_firewall_enabled | bool and r_openshift_hosted_registry_use_firewalld | bool
- block:
- - name: Add firewalld allow rules
- firewalld:
- port: "{{ item.port }}"
- permanent: true
- immediate: true
- state: enabled
- when: item.cond | default(True)
- with_items: "{{ r_openshift_hosted_registry_os_firewall_allow }}"
-
- - name: Remove firewalld allow rules
- firewalld:
- port: "{{ item.port }}"
- permanent: true
- immediate: true
- state: disabled
- when: item.cond | default(True)
- with_items: "{{ r_openshift_hosted_registry_os_firewall_deny }}"
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
deleted file mode 100644
index d73c290ff..000000000
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ /dev/null
@@ -1,173 +0,0 @@
----
-- name: setup firewall
- include: firewall.yml
- static: yes
-
-- when: openshift.hosted.registry.replicas | default(none) is none
- block:
- - name: Retrieve list of openshift nodes matching registry selector
- oc_obj:
- state: list
- kind: node
- selector: "{{ openshift.hosted.registry.selector | default(omit) }}"
- register: registry_nodes
-
- - name: set_fact l_node_count to number of nodes matching registry selector
- set_fact:
- l_node_count: "{{ registry_nodes.results.results[0]['items'] | length }}"
-
- # Determine the default number of registry/router replicas to use if no count
- # has been specified.
- # If no registry nodes defined, the default should be 0.
- - name: set_fact l_default_replicas when l_node_count == 0
- set_fact:
- l_default_replicas: 0
- when: l_node_count | int == 0
-
- # If registry nodes are defined and the registry storage kind is
- # defined, default should be the number of registry nodes, otherwise
- # just 1:
- - name: set_fact l_default_replicas when l_node_count > 0
- set_fact:
- l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}"
- when: l_node_count | int > 0
-
-
-- name: set openshift_hosted facts
- set_fact:
- openshift_hosted_registry_replicas: "{{ openshift.hosted.registry.replicas | default(l_default_replicas) }}"
- openshift_hosted_registry_name: docker-registry
- openshift_hosted_registry_serviceaccount: registry
- openshift_hosted_registry_namespace: "{{ openshift.hosted.registry.namespace | default('default') }}"
- openshift_hosted_registry_selector: "{{ openshift.hosted.registry.selector }}"
- openshift_hosted_registry_images: "{{ openshift.hosted.registry.registryurl | default('openshift3/ose-${component}:${version}')}}"
- openshift_hosted_registry_volumes: []
- openshift_hosted_registry_env_vars: {}
- openshift_hosted_registry_edits:
- # These edits are being specified only to prevent 'changed' on rerun
- - key: spec.strategy.rollingParams
- value:
- intervalSeconds: 1
- maxSurge: "25%"
- maxUnavailable: "25%"
- timeoutSeconds: 600
- updatePeriodSeconds: 1
- action: put
- openshift_hosted_registry_force:
- - False
-
-- name: Update registry environment variables when pushing via dns
- set_fact:
- openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine({'OPENSHIFT_DEFAULT_REGISTRY':'docker-registry.default.svc:5000'}) }}"
- when: openshift_push_via_dns | default(false) | bool
-
-- name: Update registry proxy settings for dc/docker-registry
- set_fact:
- openshift_hosted_registry_env_vars: "{{ {'HTTPS_PROXY': (openshift.common.https_proxy | default('')),
- 'HTTP_PROXY': (openshift.common.http_proxy | default('')),
- 'NO_PROXY': (openshift.common.no_proxy | default(''))}
- | combine(openshift_hosted_registry_env_vars) }}"
- when: (openshift.common.https_proxy | default(False)) or (openshift.common.http_proxy | default('')) != ''
-
-- name: Create the registry service account
- oc_serviceaccount:
- name: "{{ openshift_hosted_registry_serviceaccount }}"
- namespace: "{{ openshift_hosted_registry_namespace }}"
-
-- name: Grant the registry service account access to the appropriate scc
- oc_adm_policy_user:
- user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
- namespace: "{{ openshift_hosted_registry_namespace }}"
- resource_kind: scc
- resource_name: hostnetwork
-
-- name: oc adm policy add-cluster-role-to-user system:registry system:serviceaccount:default:registry
- oc_adm_policy_user:
- user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
- namespace: "{{ openshift_hosted_registry_namespace }}"
- resource_kind: cluster-role
- resource_name: system:registry
-
-- name: create the default registry service
- oc_service:
- namespace: "{{ openshift_hosted_registry_namespace }}"
- name: "{{ openshift_hosted_registry_name }}"
- ports:
- - name: 5000-tcp
- port: 5000
- protocol: TCP
- targetPort: 5000
- selector:
- docker-registry: default
- session_affinity: ClientIP
- service_type: ClusterIP
-
-- include: secure.yml
- static: no
- run_once: true
- when:
- - not (openshift.docker.hosted_registry_insecure | default(false) | bool)
-
-- include: storage/object_storage.yml
- static: no
- when:
- - openshift.hosted.registry.storage.kind | default(none) == 'object'
-
-- name: Update openshift_hosted facts for persistent volumes
- set_fact:
- openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(pvc_volume_mounts) }}"
- vars:
- pvc_volume_mounts:
- - name: registry-storage
- type: persistentVolumeClaim
- claim_name: "{{ openshift.hosted.registry.storage.volume.name }}-claim"
- when:
- - openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack', 'glusterfs']
-
-- name: Create OpenShift registry
- oc_adm_registry:
- name: "{{ openshift_hosted_registry_name }}"
- namespace: "{{ openshift_hosted_registry_namespace }}"
- selector: "{{ openshift_hosted_registry_selector }}"
- replicas: "{{ openshift_hosted_registry_replicas }}"
- service_account: "{{ openshift_hosted_registry_serviceaccount }}"
- images: "{{ openshift_hosted_registry_images }}"
- env_vars: "{{ openshift_hosted_registry_env_vars }}"
- volume_mounts: "{{ openshift_hosted_registry_volumes }}"
- edits: "{{ openshift_hosted_registry_edits }}"
- force: "{{ True|bool in openshift_hosted_registry_force }}"
-
-- when: openshift_hosted_registry_wait
- block:
- - name: Ensure OpenShift registry correctly rolls out (best-effort today)
- command: |
- oc rollout status deploymentconfig {{ openshift_hosted_registry_name }} \
- --namespace {{ openshift_hosted_registry_namespace }} \
- --config {{ openshift.common.config_base }}/master/admin.kubeconfig
- async: 600
- poll: 15
- failed_when: false
-
- - name: Determine the latest version of the OpenShift registry deployment
- command: |
- {{ openshift.common.client_binary }} get deploymentconfig {{ openshift_hosted_registry_name }} \
- --namespace {{ openshift_hosted_registry_namespace }} \
- --config {{ openshift.common.config_base }}/master/admin.kubeconfig \
- -o jsonpath='{ .status.latestVersion }'
- register: openshift_hosted_registry_latest_version
-
- - name: Sanity-check that the OpenShift registry rolled out correctly
- command: |
- {{ openshift.common.client_binary }} get replicationcontroller {{ openshift_hosted_registry_name }}-{{ openshift_hosted_registry_latest_version.stdout }} \
- --namespace {{ openshift_hosted_registry_namespace }} \
- --config {{ openshift.common.config_base }}/master/admin.kubeconfig \
- -o jsonpath='{ .metadata.annotations.openshift\.io/deployment\.phase }'
- register: openshift_hosted_registry_rc_phase
- until: "'Running' not in openshift_hosted_registry_rc_phase.stdout"
- delay: 15
- retries: 40
- failed_when: "'Failed' in openshift_hosted_registry_rc_phase.stdout"
-
-- include: storage/glusterfs.yml
- when:
- - openshift.hosted.registry.storage.kind | default(none) == 'glusterfs' or openshift.hosted.registry.storage.glusterfs.swap
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
deleted file mode 100644
index a8a6f6fc8..000000000
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ /dev/null
@@ -1,119 +0,0 @@
----
-- name: Configure facts for docker-registry
- set_fact:
- openshift_hosted_registry_routecertificates: "{{ ('routecertificates' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routecertificates, {}) }}"
- openshift_hosted_registry_routehost: "{{ ('routehost' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routehost, False) }}"
- openshift_hosted_registry_routetermination: "{{ ('routetermination' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routetermination, 'passthrough') }}"
-
-- name: Include reencrypt route configuration
- include: secure/reencrypt.yml
- static: no
- when: openshift_hosted_registry_routetermination == 'reencrypt'
-
-- name: Include passthrough route configuration
- include: secure/passthrough.yml
- static: no
- when: openshift_hosted_registry_routetermination == 'passthrough'
-
-- name: Fetch the docker-registry route
- oc_route:
- name: docker-registry
- namespace: default
- state: list
- register: docker_registry_route
-
-- name: Retrieve registry service for the clusterip
- oc_service:
- namespace: "{{ openshift_hosted_registry_namespace }}"
- name: docker-registry
- state: list
- register: docker_registry_service
-
-- name: Generate self-signed docker-registry certificates
- oc_adm_ca_server_cert:
- signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
- signer_key: "{{ openshift_master_config_dir }}/ca.key"
- signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
- hostnames:
- - "{{ docker_registry_service.results.clusterip }}"
- - "{{ docker_registry_route.results[0].spec.host }}"
- - "{{ openshift_hosted_registry_name }}.default.svc"
- - "{{ openshift_hosted_registry_name }}.default.svc.{{ openshift.common.dns_domain }}"
- - "{{ openshift_hosted_registry_routehost }}"
- cert: "{{ docker_registry_cert_path }}"
- key: "{{ docker_registry_key_path }}"
- expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool else omit }}"
- register: registry_self_cert
- when: docker_registry_self_signed
-
-# Setting up REGISTRY_HTTP_TLS_CLIENTCAS as the cacert doesn't seem to work.
-# If we need to set up a cacert, bundle it with the cert.
-- when: docker_registry_cacert_path is defined
- block:
- - name: Retrieve certificate files to generate certificate bundle
- slurp:
- src: "{{ item }}"
- with_items:
- - "{{ docker_registry_cert_path }}"
- - "{{ docker_registry_cacert_path }}"
- register: certificate_files
-
- - name: Generate certificate bundle
- copy:
- content: "{{ certificate_files.results | map(attribute='content') | map('b64decode') | join('') }}"
- dest: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem"
-
- - name: Reset the certificate path to use the bundle
- set_fact:
- docker_registry_cert_path: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem"
-
-- name: Create the secret for the registry certificates
- oc_secret:
- name: registry-certificates
- namespace: "{{ openshift_hosted_registry_namespace }}"
- files:
- - name: registry.crt
- path: "{{ docker_registry_cert_path }}"
- - name: registry.key
- path: "{{ docker_registry_key_path }}"
- register: create_registry_certificates_secret_out
-
-- name: Add the secret to the registry's pod service accounts
- oc_serviceaccount_secret:
- service_account: "{{ item }}"
- secret: registry-certificates
- namespace: "{{ openshift_hosted_registry_namespace }}"
- with_items:
- - registry
- - default
-
-- name: Set facts for secure registry
- set_fact:
- registry_secure_volume_mounts:
- - name: registry-certificates
- path: /etc/secrets
- type: secret
- secret_name: registry-certificates
- registry_secure_env_vars:
- REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt
- REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key
- registry_secure_edits:
- - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme
- value: HTTPS
- action: put
- - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
- value: HTTPS
- action: put
-
-- name: Detect if there has been certificate changes
- set_fact:
- registry_cert_changed: true
- when: ( registry_self_cert is defined and registry_self_cert.changed ) or
- create_registry_certificates_secret_out.changed
-
-- name: Update openshift_hosted facts with secure registry variables
- set_fact:
- openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}"
- openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}"
- openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}"
- openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([registry_cert_changed | default(false)]) }}"
diff --git a/roles/openshift_hosted/tasks/registry/secure/passthrough.yml b/roles/openshift_hosted/tasks/registry/secure/passthrough.yml
deleted file mode 100644
index 5b44fda10..000000000
--- a/roles/openshift_hosted/tasks/registry/secure/passthrough.yml
+++ /dev/null
@@ -1,45 +0,0 @@
----
-# Generate a self-signed certificate when there is no user-supplied certificate
-- name: Configure self-signed certificate file paths
- set_fact:
- docker_registry_cert_path: "{{ openshift_master_config_dir }}/registry.crt"
- docker_registry_key_path: "{{ openshift_master_config_dir }}/registry.key"
- docker_registry_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"
- docker_registry_self_signed: true
- when:
- - "'certfile' not in openshift_hosted_registry_routecertificates"
- - "'keyfile' not in openshift_hosted_registry_routecertificates"
-
-# Retrieve user supplied certificate files if they are provided
-- when:
- - "'certfile' in openshift_hosted_registry_routecertificates"
- - "'keyfile' in openshift_hosted_registry_routecertificates"
- block:
- - name: Configure provided certificate file paths
- set_fact:
- docker_registry_cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
- docker_registry_key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
- docker_registry_self_signed: false
-
- # Since we end up bundling the cert, cacert and key in a .pem file, the 'cafile'
- # is optional
- - name: Configure provided ca certificate file path
- set_fact:
- docker_registry_cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
- when: "'cafile' in openshift_hosted_registry_routecertificates"
-
- - name: Retrieve provided certificate files
- copy:
- backup: True
- dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}"
- src: "{{ item.value }}"
- when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
- with_dict: "{{ openshift_hosted_registry_routecertificates }}"
-
-- name: Configure a passthrough route for docker-registry
- oc_route:
- name: docker-registry
- namespace: "{{ openshift_hosted_registry_namespace }}"
- service_name: docker-registry
- tls_termination: "{{ openshift_hosted_registry_routetermination }}"
- host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}"
diff --git a/roles/openshift_hosted/tasks/registry/secure/reencrypt.yml b/roles/openshift_hosted/tasks/registry/secure/reencrypt.yml
deleted file mode 100644
index 48e5b0fba..000000000
--- a/roles/openshift_hosted/tasks/registry/secure/reencrypt.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-- name: Validate route termination configuration
- fail:
- msg: >
- When 'openshift_hosted_registry_routetermination' is 'reencrypt', you must
- provide certificate files with 'openshift_hosted_registry_routecertificates'
- when: ('certfile' not in openshift_hosted_registry_routecertificates) or
- ('keyfile' not in openshift_hosted_registry_routecertificates) or
- ('cafile' not in openshift_hosted_registry_routecertificates)
-
-- name: Configure self-signed certificate file paths
- set_fact:
- docker_registry_cert_path: "{{ openshift_master_config_dir }}/registry.crt"
- docker_registry_key_path: "{{ openshift_master_config_dir }}/registry.key"
- docker_registry_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"
- docker_registry_self_signed: true
-
-- name: Retrieve provided certificate files
- copy:
- backup: True
- dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}"
- src: "{{ item.value }}"
- when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
- with_dict: "{{ openshift_hosted_registry_routecertificates }}"
-
-# Encrypt with the provided certificate and provide the dest_cacert for the
-# self-signed certificate at the endpoint
-- name: Configure a reencrypt route for docker-registry
- oc_route:
- name: docker-registry
- namespace: "{{ openshift_hosted_registry_namespace }}"
- service_name: docker-registry
- tls_termination: "{{ openshift_hosted_registry_routetermination }}"
- host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}"
- cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
- key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
- cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
- dest_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"
diff --git a/roles/openshift_hosted/tasks/registry/storage/glusterfs.yml b/roles/openshift_hosted/tasks/registry/storage/glusterfs.yml
deleted file mode 100644
index c2954fde1..000000000
--- a/roles/openshift_hosted/tasks/registry/storage/glusterfs.yml
+++ /dev/null
@@ -1,92 +0,0 @@
----
-- name: Get registry DeploymentConfig
- oc_obj:
- namespace: "{{ openshift_hosted_registry_namespace }}"
- state: list
- kind: dc
- name: "{{ openshift_hosted_registry_name }}"
- register: registry_dc
-
-- name: Wait for registry pods
- oc_obj:
- namespace: "{{ openshift_hosted_registry_namespace }}"
- state: list
- kind: pod
- selector: "{% for label, value in registry_dc.results.results[0].spec.selector.iteritems() %}{{ label }}={{ value }}{% if not loop.last %},{% endif %}{% endfor %}"
- register: registry_pods
- until:
- - "registry_pods.results.results[0]['items'] | count > 0"
- # There must be as many matching pods with 'Ready' status True as there are expected replicas
- - "registry_pods.results.results[0]['items'] | oo_collect(attribute='status.conditions') | oo_collect(attribute='status', filters={'type': 'Ready'}) | map('bool') | select | list | count == openshift_hosted_registry_replicas | int"
- delay: 10
- retries: "{{ (600 / 10) | int }}"
-
-- name: Determine registry fsGroup
- set_fact:
- openshift_hosted_registry_fsgroup: "{{ registry_pods.results.results[0]['items'][0].spec.securityContext.fsGroup }}"
-
-- name: Create temp mount directory
- command: mktemp -d /tmp/openshift-glusterfs-registry-XXXXXX
- register: mktemp
- changed_when: False
- check_mode: no
-
-- name: Mount registry volume
- mount:
- state: mounted
- fstype: glusterfs
- src: "{% if 'glusterfs_registry' in groups %}{% set node = groups.glusterfs_registry[0] %}{% else %}{% set node = groups.glusterfs[0] %}{% endif %}{% if 'glusterfs_hostname' in hostvars[node] %}{{ hostvars[node].glusterfs_hostname }}{% elif 'openshift' in hostvars[node] %}{{ hostvars[node].openshift.node.nodename }}{% else %}{{ node }}{% endif %}:/{{ openshift.hosted.registry.storage.glusterfs.path }}"
- name: "{{ mktemp.stdout }}"
-
-- name: Set registry volume permissions
- file:
- dest: "{{ mktemp.stdout }}"
- state: directory
- group: "{{ openshift_hosted_registry_fsgroup }}"
- mode: "2775"
- recurse: True
-
-- block:
- - name: Activate registry maintenance mode
- oc_env:
- namespace: "{{ openshift_hosted_registry_namespace }}"
- name: "{{ openshift_hosted_registry_name }}"
- env_vars:
- - REGISTRY_STORAGE_MAINTENANCE_READONLY_ENABLED: 'true'
-
- - name: Get first registry pod name
- set_fact:
- registry_pod_name: "{{ registry_pods.results.results[0]['items'][0].metadata.name }}"
-
- - name: Copy current registry contents to new GlusterFS volume
- command: "oc rsync {{ registry_pod_name }}:/registry/ {{ mktemp.stdout }}/"
- when: openshift.hosted.registry.storage.glusterfs.swapcopy
-
- - name: Swap new GlusterFS registry volume
- oc_volume:
- namespace: "{{ openshift_hosted_registry_namespace }}"
- name: "{{ openshift_hosted_registry_name }}"
- vol_name: registry-storage
- mount_type: pvc
- claim_name: "{{ openshift.hosted.registry.storage.volume.name }}-glusterfs-claim"
-
- - name: Deactivate registry maintenance mode
- oc_env:
- namespace: "{{ openshift_hosted_registry_namespace }}"
- name: "{{ openshift_hosted_registry_name }}"
- state: absent
- env_vars:
- - REGISTRY_STORAGE_MAINTENANCE_READONLY_ENABLED: 'true'
- when: openshift.hosted.registry.storage.glusterfs.swap
-
-- name: Unmount registry volume
- mount:
- state: unmounted
- name: "{{ mktemp.stdout }}"
-
-- name: Delete temp mount directory
- file:
- dest: "{{ mktemp.stdout }}"
- state: absent
- changed_when: False
- check_mode: no
diff --git a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
deleted file mode 100644
index 8553a8098..000000000
--- a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
+++ /dev/null
@@ -1,49 +0,0 @@
----
-- include: s3.yml
- when: openshift.hosted.registry.storage.provider == 's3'
-
-- name: Ensure the registry secret exists
- oc_secret:
- name: "{{ registry_config_secret_name }}"
- state: present
- contents:
- - path: /tmp/config.yml
- data: "{{ lookup('template', 'registry_config.j2') }}"
- register: registry_config_out
- when: openshift_hosted_registry_storage_gcs_keyfile is not defined
-
-- name: Ensure the registry secret exists for GCS
- oc_secret:
- name: "{{ registry_config_secret_name }}"
- state: present
- contents:
- - path: /tmp/config.yml
- data: "{{ lookup('template', 'registry_config.j2') }}"
- - path: /tmp/gcs.json
- data: "{{ lookup('file', openshift_hosted_registry_storage_gcs_keyfile) | string }}"
- register: registry_config_out
- when: openshift_hosted_registry_storage_gcs_keyfile is defined
-
-- name: Add secrets to registry service account
- oc_serviceaccount_secret:
- service_account: registry
- secret: "{{ registry_config_secret_name }}"
- namespace: "{{ openshift_hosted_registry_namespace }}"
- state: present
- register: svcac
-
-- name: Set facts for registry object storage
- set_fact:
- registry_obj_storage_volume_mounts:
- - name: docker-config
- path: /etc/registry
- type: secret
- secret_name: "{{ registry_config_secret_name }}"
- registry_obj_storage_env_vars:
- REGISTRY_CONFIGURATION_PATH: /etc/registry/config.yml
-
-- name: Update openshift_hosted registry facts for storage
- set_fact:
- openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_obj_storage_volume_mounts) }}"
- openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_obj_storage_env_vars) }}"
- openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([registry_config_out.changed]) | union([svcac.changed]) }}"
diff --git a/roles/openshift_hosted/tasks/registry/storage/registry_config.j2 b/roles/openshift_hosted/tasks/registry/storage/registry_config.j2
deleted file mode 120000
index f3e82ad4f..000000000
--- a/roles/openshift_hosted/tasks/registry/storage/registry_config.j2
+++ /dev/null
@@ -1 +0,0 @@
-../../../templates/registry_config.j2
\ No newline at end of file
diff --git a/roles/openshift_hosted/tasks/registry/storage/s3.yml b/roles/openshift_hosted/tasks/registry/storage/s3.yml
deleted file mode 100644
index 318969885..000000000
--- a/roles/openshift_hosted/tasks/registry/storage/s3.yml
+++ /dev/null
@@ -1,45 +0,0 @@
----
-- name: Assert that S3 variables are provided for registry_config template
- assert:
- that:
- - openshift.hosted.registry.storage.s3.bucket | default(none) is not none
- - openshift.hosted.registry.storage.s3.region | default(none) is not none
- msg: |
- When using S3 storage, the following variables are required:
- openshift_hosted_registry_storage_s3_bucket
- openshift_hosted_registry_storage_s3_region
-
-- name: If cloudfront is being used, assert that we have all the required variables
- assert:
- that:
- - "openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile | default(none) is not none"
- - "openshift_hosted_registry_storage_s3_cloudfront_keypairid | default(none) is not none"
- msg: |
- When openshift_hosted_registry_storage_s3_cloudfront_baseurl is provided
- openshift_hosted_registry_storage_s3_cloudfront_keypairid and
- openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile are required
- when: openshift_hosted_registry_storage_s3_cloudfront_baseurl is defined
-
-# Inject the cloudfront private key as a secret when required
-- block:
-
- - name: Create registry secret for cloudfront
- oc_secret:
- state: present
- namespace: "{{ openshift_hosted_registry_namespace }}"
- name: docker-registry-s3-cloudfront
- contents:
- - path: cloudfront.pem
- data: "{{ lookup('file', openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile) }}"
-
- - name: Append cloudfront secret registry volume to openshift_hosted_registry_volumes
- set_fact:
- openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(s3_volume_mount) }}"
- vars:
- s3_volume_mount:
- - name: cloudfront-vol
- path: /etc/origin
- type: secret
- secret_name: docker-registry-s3-cloudfront
-
- when: openshift_hosted_registry_storage_s3_cloudfront_baseurl | default(none) is not none |