Diffstat (limited to 'roles/openshift_hosted')
-rw-r--r--roles/openshift_hosted/meta/main.yml3
-rw-r--r--roles/openshift_hosted/tasks/registry/secure.yml56
-rw-r--r--roles/openshift_hosted/tasks/registry/storage/object_storage.yml22
-rw-r--r--roles/openshift_hosted/tasks/registry/storage/s3.yml32
-rw-r--r--roles/openshift_hosted/templates/registry_config.j22
5 files changed, 62 insertions, 53 deletions
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index ca5e88b15..afea0ac59 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
description: OpenShift Embedded Router
company: Red Hat, Inc.
license: Apache License, Version 2.0
- min_ansible_version: 1.9
+ min_ansible_version: 2.1
platforms:
- name: EL
versions:
@@ -14,6 +14,7 @@ galaxy_info:
dependencies:
- role: openshift_cli
- role: openshift_hosted_facts
+- role: lib_openshift
- role: openshift_projects
openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
- role: openshift_serviceaccounts
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index d87a3847c..8b44b94c6 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -1,13 +1,13 @@
---
- name: Create passthrough route for docker-registry
- command: >
- {{ openshift.common.client_binary }} create route passthrough
- --service docker-registry
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- register: create_docker_registry_route
- changed_when: "'already exists' not in create_docker_registry_route.stderr"
- failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"
+ oc_route:
+ kubeconfig: "{{ openshift_hosted_kubeconfig }}"
+ name: docker-registry
+ namespace: default
+ service_name: docker-registry
+ state: present
+ tls_termination: passthrough
+ run_once: true
- name: Determine if registry certificate must be created
stat:
@@ -20,11 +20,10 @@
failed_when: false
- name: Retrieve registry service IP
- command: >
- {{ openshift.common.client_binary }} get service docker-registry
- -o jsonpath='{.spec.clusterIP}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
+ oc_service:
+ namespace: default
+ name: docker-registry
+ state: list
register: docker_registry_service_ip
changed_when: false
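Review bot: The new `oc_service` task drops the kubeconfig that the replaced command passed with `--config={{ openshift_hosted_kubeconfig }}`, while the `oc_route`, `oc_secret` and `oc_serviceaccount_secret` tasks in this same file all pass `kubeconfig: "{{ openshift_hosted_kubeconfig }}"`; unless the module's default kubeconfig is guaranteed to be the same file, this lookup can be answered by a different cluster context than the rest of the role. Add `kubeconfig: "{{ openshift_hosted_kubeconfig }}"` under `oc_service:`. The same omission applies to the `oc_secret` task and the `oc volume` command added in roles/openshift_hosted/tasks/registry/storage/s3.yml. The task's `register`/`changed_when` lines continue past the hunk.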
@@ -37,27 +36,32 @@
--signer-cert={{ openshift_master_config_dir }}/ca.crt
--signer-key={{ openshift_master_config_dir }}/ca.key
--signer-serial={{ openshift_master_config_dir }}/ca.serial.txt
- --hostnames="{{ docker_registry_service_ip.stdout }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
+ --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
--cert={{ openshift_master_config_dir }}/registry.crt
--key={{ openshift_master_config_dir }}/registry.key
when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list)
- name: Create the secret for the registry certificates
- command: >
- {{ openshift.common.client_binary }} secrets new registry-certificates
- {{ openshift_master_config_dir }}/registry.crt
- {{ openshift_master_config_dir }}/registry.key
- --config={{ openshift_hosted_kubeconfig }}
- -n default
+ oc_secret:
+ kubeconfig: "{{ openshift_hosted_kubeconfig }}"
+ name: registry-certificates
+ namespace: default
+ state: present
+ files:
+ - name: registry.crt
+ path: "{{ openshift_master_config_dir }}/registry.crt"
+ - name: registry.key
+ path: "{{ openshift_master_config_dir }}/registry.key"
register: create_registry_certificates_secret
- changed_when: "'already exists' not in create_registry_certificates_secret.stderr"
- failed_when: "'already exists' not in create_registry_certificates_secret.stderr and create_registry_certificates_secret.rc != 0"
+ run_once: true
- name: "Add the secret to the registry's pod service accounts"
- command: >
- {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates
- --config={{ openshift_hosted_kubeconfig }}
- -n default
+ oc_serviceaccount_secret:
+ service_account: "{{ item }}"
+ secret: registry-certificates
+ namespace: default
+ kubeconfig: "{{ openshift_hosted_kubeconfig }}"
+ state: present
with_items:
- registry
- default
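Review bot: `register: create_registry_certificates_secret` is kept on the oc_secret task although the only consumers visible here, the removed `changed_when`/`failed_when` lines, are gone; if nothing outside this hunk reads it, drop the `register:` line so a reader does not look for a consumer. The new `--hostnames` value relies on `docker_registry_service_ip.results.clusterip`, a shape that comes from the `oc_service` `state: list` task earlier in the file and is not otherwise documented here; a one-line comment above it, `# clusterip comes from the oc_service state=list result registered above`, would make the dependency explicit. The `oc_secret` task gets `run_once: true` but the `oc_serviceaccount_secret` task does not, which is presumably deliberate (per-host `with_items`), but worth a comment if so. The certificate-creation task at the top of the hunk starts outside it.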
diff --git a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
index e56a68e27..15128784e 100644
--- a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
+++ b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml
@@ -53,23 +53,13 @@
create -f -
when: secrets.rc == 1
-- name: Determine if service account contains secrets
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- get serviceaccounts registry
- -o jsonpath='{.secrets[?(@.name=="{{ registry_config_secret_name }}")].name}'
- register: serviceaccount
- changed_when: false
-
- name: Add secrets to registry service account
- command: >
- {{ openshift.common.client_binary }}
- --config={{ openshift_hosted_kubeconfig }}
- --namespace={{ openshift.hosted.registry.namespace | default('default') }}
- secrets add serviceaccount/registry secrets/{{ registry_config_secret_name }}
- when: serviceaccount.stdout == ''
+ oc_serviceaccount_secret:
+ service_account: registry
+ secret: "{{ registry_config_secret_name }}"
+ namespace: "{{ openshift.hosted.registry.namespace | default('default') }}"
+ kubeconfig: "{{ openshift_hosted_kubeconfig }}"
+ state: present
- name: Determine if deployment config contains secrets
command: >
diff --git a/roles/openshift_hosted/tasks/registry/storage/s3.yml b/roles/openshift_hosted/tasks/registry/storage/s3.yml
index f73d9f0ae..7d51594bd 100644
--- a/roles/openshift_hosted/tasks/registry/storage/s3.yml
+++ b/roles/openshift_hosted/tasks/registry/storage/s3.yml
@@ -21,13 +21,27 @@
openshift_hosted_registry_storage_s3_cloudfront_keypairid and
openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile are required
-# Copy the cloudfront.pem to the host if the baseurl is given
-- name: Copy cloudfront.pem to the registry
- copy:
- src: "{{ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile }}"
- dest: /etc/s3-cloudfront/cloudfront.pem
- backup: true
- owner: root
- group: root
- mode: 0600
+
+# Inject the cloudfront private key as a secret when required
+- block:
+
+ - name: Create registry secret for cloudfront
+ oc_secret:
+ state: present
+ namespace: "{{ openshift.hosted.registry.namespace | default('default') }}"
+ name: docker-registry-s3-cloudfront
+ contents:
+ path: cloudfront.pem
+ data: "{{ lookup('file', openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile) }}"
+
+ - name: Add cloudfront secret to the registry deployment config
+ command: >
+ oc volume dc/docker-registry --add --name=cloudfront-vol
+ --namespace="{{ openshift.hosted.registry.namespace | default('default') }}"
+ -m /etc/origin --type=secret --secret-name=docker-registry-s3-cloudfront
+ register: cloudfront_vol_attach
+ failed_when:
+ - "'already exists' not in cloudfront_vol_attach.stderr"
+ - "cloudfront_vol_attach.rc != 0"
+
when: openshift_hosted_registry_storage_s3_cloudfront_baseurl | default(none) is not none
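Review bot: The `Create registry secret for cloudfront` task passes the CloudFront private key to the module via `lookup('file', ...)` without `no_log: true`, so the key material is echoed in task output on failure or under `-v`; add `no_log: true` to that task. The `oc volume` task is the only task in this commit that invokes a bare `oc` instead of `{{ openshift.common.client_binary }}`, so it depends on `oc` being on PATH for the Ansible user rather than the binary the role resolved. That task also sets `failed_when` for the 'already exists' case but no `changed_when`, so a re-run where the volume is already attached still reports changed; `changed_when: "'already exists' not in cloudfront_vol_attach.stderr"` would match the register semantics used elsewhere in the role. The mount point `/etc/origin` and the secret key name `cloudfront.pem` must stay in step with the hard-coded `privatekey: /etc/origin/cloudfront.pem` in templates/registry_config.j2; a single role variable referenced from both places would prevent the two drifting apart.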
diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2
index 557fd03af..f3336334a 100644
--- a/roles/openshift_hosted/templates/registry_config.j2
+++ b/roles/openshift_hosted/templates/registry_config.j2
@@ -78,7 +78,7 @@ middleware:
- name: cloudfront
options:
baseurl: {{ openshift_hosted_registry_storage_s3_cloudfront_baseurl }}
- privatekey: {{ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile }}
+ privatekey: /etc/origin/cloudfront.pem
keypairid: {{ openshift_hosted_registry_storage_s3_cloudfront_keypairid }}
{% elif openshift.common.version_gte_3_3_or_1_3 | bool %}
storage:
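Review bot: `privatekey: /etc/origin/cloudfront.pem` is a literal that must equal the `-m /etc/origin` mount path plus the `path: cloudfront.pem` secret key set in tasks/registry/storage/s3.yml, and nothing ties the two files together. Defining one role default, e.g. `openshift_hosted_registry_storage_s3_cloudfront_mountpath: /etc/origin/cloudfront.pem`, and rendering it here as `privatekey: {{ openshift_hosted_registry_storage_s3_cloudfront_mountpath }}` would let the task file derive its mount directory and file name from the same value. The `cloudfront` middleware stanza this line belongs to starts before the hunk.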