10 files changed, 102 insertions, 29 deletions

diff --git a/roles/openshift_hosted/README.md b/roles/openshift_hosted/README.md
index 328f800bf..6d576df71 100644
--- a/roles/openshift_hosted/README.md
+++ b/roles/openshift_hosted/README.md
@@ -26,6 +26,7 @@ From this role:
 | openshift_hosted_registry_registryurl | 'openshift3/ose-${component}:${version}' | The image to base the OpenShift registry on.                                                                             |
 | openshift_hosted_registry_replicas    | Number of nodes matching selector        | The number of replicas to configure.                                                                                     |
 | openshift_hosted_registry_selector    | region=infra                             | Node selector used when creating registry. The OpenShift registry will only be deployed to nodes matching this selector. |
+| openshift_hosted_registry_cert_expire_days | `730` (2 years)                     | Validity of the certificates in days. Works only with OpenShift version 1.5 (3.5) and later.                             |
 
 Dependencies
 ------------
diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml
index 0a6299c9b..596b36239 100644
--- a/roles/openshift_hosted/defaults/main.yml
+++ b/roles/openshift_hosted/defaults/main.yml
@@ -14,17 +14,19 @@ openshift_hosted_router_edits:
 
 openshift_hosted_routers:
 - name: router
-  replicas: "{{ replicas }}"
+  replicas: "{{ replicas | default(1) }}"
   namespace: default
   serviceaccount: router
-  selector: "{{ openshift_hosted_router_selector }}"
-  images: "{{ openshift_hosted_router_image }}"
+  selector: "{{ openshift_hosted_router_selector | default(None) }}"
+  images: "{{ openshift_hosted_router_image | default(None)  }}"
   edits: "{{ openshift_hosted_router_edits }}"
   stats_port: 1936
   ports:
   - 80:80
   - 443:443
-  certificates: "{{ openshift_hosted_router_certificate | default({}) }}"
+  certificates: "{{ openshift_hosted_router_certificates | default({}) }}"
 
 
 openshift_hosted_router_certificates: {}
+openshift_hosted_registry_cert_expire_days: 730
+openshift_hosted_router_create_certificate: False
diff --git a/roles/openshift_hosted/filter_plugins/filters.py b/roles/openshift_hosted/filter_plugins/filters.py
index cbfadfe9d..7f41529ac 100644
--- a/roles/openshift_hosted/filter_plugins/filters.py
+++ b/roles/openshift_hosted/filter_plugins/filters.py
@@ -21,14 +21,21 @@ class FilterModule(object):
         if replicas is not None:
             return replicas
 
+        replicas = 1
+
+        # Ignore boolean expression limit of 5.
+        # pylint: disable=too-many-boolean-expressions
         if (isinstance(router_nodes, dict) and
                 'results' in router_nodes and
                 'results' in router_nodes['results'] and
-                'items' in router_nodes['results']['results']):
+                isinstance(router_nodes['results']['results'], list) and
+                len(router_nodes['results']['results']) > 0 and
+                'items' in router_nodes['results']['results'][0]):
 
-            return len(router_nodes['results']['results'][0]['items'])
+            if len(router_nodes['results']['results'][0]['items']) > 0:
+                replicas = len(router_nodes['results']['results'][0]['items'])
 
-        return 1
+        return replicas
 
     def filters(self):
         ''' returns a mapping of filters to methods '''
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index e9b590550..9626c23c1 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -15,21 +15,3 @@ dependencies:
 - role: openshift_cli
 - role: openshift_hosted_facts
 - role: lib_openshift
-- role: openshift_projects
-  openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
-- role: openshift_serviceaccounts
-  openshift_serviceaccounts_names:
-  - router
-  - registry
-  openshift_serviceaccounts_namespace: default
-  openshift_serviceaccounts_sccs:
-  - hostnetwork
-  when: openshift.common.version_gte_3_2_or_1_2
-- role: openshift_serviceaccounts
-  openshift_serviceaccounts_names:
-  - router
-  - registry
-  openshift_serviceaccounts_namespace: default
-  openshift_serviceaccounts_sccs:
-  - privileged
-  when: not openshift.common.version_gte_3_2_or_1_2
diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml
index fe254f72d..6efe2f63c 100644
--- a/roles/openshift_hosted/tasks/main.yml
+++ b/roles/openshift_hosted/tasks/main.yml
@@ -1,4 +1,11 @@
 ---
+- name: Create projects
+  oc_project:
+    name: "{{ item.key }}"
+    node_selector:
+    - "{{ item.value.default_node_selector }}"
+  with_dict: "{{ openshift_projects }}"
+
 - include: router/router.yml
   when: openshift_hosted_manage_router | default(true) | bool
 
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index d89ce855a..0b8042473 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -56,12 +56,24 @@
     openshift_hosted_registry_force:
     - False
 
+- name: Create the registry service account
+  oc_serviceaccount:
+    name: "{{ openshift_hosted_registry_serviceaccount }}"
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+
+- name: Grant the registry serivce account access to the appropriate scc
+  oc_adm_policy_user:
+    user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+    resource_kind: scc
+    resource_name: hostnetwork
+
 - name: oc adm policy add-cluster-role-to-user system:registry system:serviceaccount:default:registry
   oc_adm_policy_user:
-    user: system:serviceaccount:default:registry
+    user: "system:serviceaccount:{{ openshift_hosted_registry_namespace }}:{{ openshift_hosted_registry_serviceaccount }}"
+    namespace: "{{ openshift_hosted_registry_namespace }}"
     resource_kind: cluster-role
     resource_name: system:registry
-    state: present
 
 - name: create the default registry service
   oc_service:
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index f9ea2ebeb..29c164f52 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -53,10 +53,12 @@
     signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
     hostnames:
     - "{{ docker_registry_service_ip.results.clusterip }}"
-    - docker-registry.default.svc.cluster.local
+    - "{{ openshift_hosted_registry_name }}.default.svc"
+    - "{{ openshift_hosted_registry_name }}.default.svc.{{ openshift.common.dns_domain }}"
     - "{{ docker_registry_route_hostname }}"
     cert: "{{ openshift_master_config_dir }}/registry.crt"
     key: "{{ openshift_master_config_dir }}/registry.key"
+    expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool else omit }}"
   register: server_cert_out
 
 - name: Create the secret for the registry certificates
diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml
index 3b7021eae..c71d0a34f 100644
--- a/roles/openshift_hosted/tasks/router/router.yml
+++ b/roles/openshift_hosted/tasks/router/router.yml
@@ -14,6 +14,31 @@
     openshift_hosted_router_selector: "{{ openshift.hosted.router.selector | default(None) }}"
     openshift_hosted_router_image: "{{ openshift.hosted.router.registryurl }}"
 
+# This is for when we desire a cluster signed cert
+# The certificate is generated and placed in master_config_dir/
+- block:
+  - name: generate a default wildcard router certificate
+    oc_adm_ca_server_cert:
+      signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
+      signer_key: "{{ openshift_master_config_dir }}/ca.key"
+      signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+      hostnames:
+      - "{{ openshift_master_default_subdomain }}"
+      - "*.{{ openshift_master_default_subdomain }}"
+      cert: "{{ ('/etc/origin/master/' ~ (item.certificates.certfile | basename)) if 'certfile' in item.certificates else ((openshift_master_config_dir) ~ '/openshift-router.crt') }}"
+      key: "{{ ('/etc/origin/master/' ~ (item.certificates.keyfile | basename)) if 'keyfile' in item.certificates else ((openshift_master_config_dir) ~ '/openshift-router.key') }}"
+    with_items: "{{ openshift_hosted_routers }}"
+
+  - name: set the openshift_hosted_router_certificates
+    set_fact:
+      openshift_hosted_router_certificates:
+        certfile: "{{ openshift_master_config_dir ~ '/openshift-router.crt' }}"
+        keyfile: "{{ openshift_master_config_dir ~ '/openshift-router.key' }}"
+        cafile: "{{ openshift_master_config_dir ~ '/ca.crt' }}"
+
+  # End Block
+  when: openshift_hosted_router_create_certificate
+
 - name: Get the certificate contents for router
   copy:
     backup: True
@@ -21,6 +46,31 @@
     src: "{{ item }}"
   with_items: "{{ openshift_hosted_routers | oo_collect(attribute='certificates') |
                   oo_select_keys_from_list(['keyfile', 'certfile', 'cafile']) }}"
+  when: not openshift_hosted_router_create_certificate
+
+- name: Create the router service account(s)
+  oc_serviceaccount:
+    name: "{{ item.serviceaccount }}"
+    namespace: "{{ item.namespace }}"
+    state: present
+  with_items: "{{ openshift_hosted_routers }}"
+
+- name: Grant the router serivce account(s) access to the appropriate scc
+  oc_adm_policy_user:
+    user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}"
+    namespace: "{{ item.namespace }}"
+    resource_kind: scc
+    resource_name: hostnetwork
+  with_items: "{{ openshift_hosted_routers }}"
+
+- name: Set additional permissions for router service account
+  oc_adm_policy_user:
+    user: "system:serviceaccount:{{ item.namespace }}:{{ item.serviceaccount }}"
+    namespace: "{{ item.namespace }}"
+    resource_kind: cluster-role
+    resource_name: cluster-reader
+  when: item.namespace == 'default'
+  with_items: "{{ openshift_hosted_routers }}"
 
 - name: Create OpenShift router
   oc_adm_router:
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index f3336334a..ca6a23f21 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -71,7 +71,7 @@ middleware:
   - name: openshift
     options:
       pullthrough: {{ openshift_hosted_registry_pullthrough | default(true) }}
-      acceptschema2: {{ openshift_hosted_registry_acceptschema2 | default(false) }}
+      acceptschema2: {{ openshift_hosted_registry_acceptschema2 | default(true) }}
       enforcequota: {{ openshift_hosted_registry_enforcequota | default(false) }}
 {% if openshift_hosted_registry_storage_provider | default('') == 's3' and openshift_hosted_registry_storage_s3_cloudfront_baseurl is defined %}
   storage:
diff --git a/roles/openshift_hosted/vars/main.yml b/roles/openshift_hosted/vars/main.yml
index 521578cd0..0821d0e7e 100644
--- a/roles/openshift_hosted/vars/main.yml
+++ b/roles/openshift_hosted/vars/main.yml
@@ -1,3 +1,13 @@
 ---
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
 registry_config_secret_name: registry-config
+
+openshift_default_projects:
+  default:
+    default_node_selector: ''
+  logging:
+    default_node_selector: ''
+  openshift-infra:
+    default_node_selector: ''
+
+openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts(openshift_default_projects) }}"