From f255943326ad3be91d233609ec5e61382302fff5 Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Wed, 21 Sep 2016 10:32:22 -0400
Subject: Secure registry improvements.

* Convert oc template calls to jsonpath.
* Wait for deployments to finish before restarting docker.
* Re-organize node ca configuration.
---
 roles/cockpit-ui/tasks/main.yml                    |  4 +-
 roles/openshift_hosted/tasks/registry/registry.yml |  1 -
 roles/openshift_hosted/tasks/registry/secure.yml   | 57 +++++++++++++++++++---
 3 files changed, 51 insertions(+), 11 deletions(-)


diff --git a/roles/cockpit-ui/tasks/main.yml b/roles/cockpit-ui/tasks/main.yml
index 953357392..c573da6d6 100644
--- a/roles/cockpit-ui/tasks/main.yml
+++ b/roles/cockpit-ui/tasks/main.yml
@@ -36,7 +36,7 @@
 - name: Retrieve docker-registry route
   command: >
     {{ openshift.common.client_binary }} get route docker-registry
-    --template='{{ '{{' }} .spec.host {{ '}}' }}'
+    -o jsonpath='{.spec.host}'
     --config={{ openshift_hosted_kubeconfig }}
     -n default
   register: docker_registry_route
@@ -45,7 +45,7 @@
 - name: Retrieve cockpit kube url
   command: >
     {{ openshift.common.client_binary }} get route registry-console
-    --template='https://{{ '{{' }} .spec.host {{ '}}' }}'
+    -o jsonpath='https://{.spec.host}'
     -n default
   register: registry_console_cockpit_kube_url
   changed_when: false
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index d5077932b..ed0a2b38d 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -53,7 +53,6 @@
 
 - include: secure.yml
   static: no
-  when: openshift.common.deployment_subtype == 'registry'
 
 - include: storage/object_storage.yml
   static: no
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index 4cb85df04..664edef41 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -1,5 +1,15 @@
 ---
-- name: Determine if registry certificates must be created
+- name: Create passthrough route for docker-registry
+  command: >
+    {{ openshift.common.client_binary }} create route passthrough
+    --service docker-registry
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: create_docker_registry_route
+  changed_when: "'already exists' not in create_docker_registry_route.stderr"
+  failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"
+
+- name: Determine if registry certificate must be created
   stat:
     path: "{{ openshift_master_config_dir }}/{{ item }}"
   with_items:
@@ -12,7 +22,7 @@
 - name: Retrieve registry service IP
   command: >
     {{ openshift.common.client_binary }} get service docker-registry
-    --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+    -o jsonpath='{.spec.clusterIP}'
     --config={{ openshift_hosted_kubeconfig }}
     -n default
   register: docker_registry_service_ip
@@ -45,8 +55,8 @@
 
 - name: "Add the secret to the registry's pod service accounts"
   command: >
-    {{ openshift.common.client_binary }} secrets link {{ item }} registry-certificates
-    --config={{ openshift_hosted_kubeconfig }}
+    {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates
+    --config={{ openshift_hosted_kubeconfig  }}
     -n default
   with_items:
   - registry
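Review bot: The `--config={{ openshift_hosted_kubeconfig  }}` line carries a double space inside the Jinja expression; Jinja tolerates it, but every other `--config` line in this file is single-spaced, so `--config={{ openshift_hosted_kubeconfig }}` keeps it uniform. The switch from `secrets link` back to `secrets add` is not explained in the commit message; if it is there for clients that only know the older `add` form, a one-line comment above the task saying so would stop a later cleanup from reverting it. The `with_items` list continues past the end of this hunk.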
@@ -55,12 +65,12 @@
 - name: Determine if registry-certificates secret volume attached
   command: >
     {{ openshift.common.client_binary }} get dc/docker-registry
-    --template='{{ '{{' }} range .spec.template.spec.volumes {{ '}}' }}{{ '{{' }} .secret.secretName {{ '}}' }}{{ '{{' }} end {{ '}}' }}'
+    -o jsonpath='{.spec.template.spec.volumes[*].secret.secretName}'
     --config={{ openshift_hosted_kubeconfig }}
     -n default
   register: docker_registry_volumes
   changed_when: false
-  failed_when: false
+  failed_when: "'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"
 
 - name: Attach registry-certificates secret volume
   command: >
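Review bot: The new `failed_when` looks for the jsonpath error text in `.stdout`, but oc typically writes its errors to stderr, so on a registry whose volumes carry no `secret` key (the fresh-install case this task exists to detect) the message would likely land in `.stderr` and the task would still fail on `rc != 0`. The route task at the top of this file already checks `.stderr` for the same class of oc error; the same here would be `failed_when: "'secretName is not found' not in docker_registry_volumes.stderr and docker_registry_volumes.rc != 0"`, after confirming which stream this oc version uses. The `Attach registry-certificates secret volume` task that starts on the last line continues outside the hunk.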
@@ -71,17 +81,48 @@
    -n default
   when: "'registry-certificates' not in docker_registry_volumes.stdout"
 
-- name: Set registry environment variables for TLS certificate
+- name: Determine if registry environment variables must be set
+  command: >
+    {{ openshift.common.client_binary }} env dc/docker-registry
+    --list
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: docker_registry_env
+  changed_when: false
+
+- name: Configure certificates in registry deplomentConfig
   command: >
     {{ openshift.common.client_binary }} env dc/docker-registry
     REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
     REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
     --config={{ openshift_hosted_kubeconfig }}
     -n default
+  when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"
 
-# These commands are on a single line to preserve patch json.
+- name: Determine if registry liveness probe scheme is HTTPS
+  command: >
+    {{ openshift.common.client_binary }} get dc/docker-registry
+    -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: docker_registry_liveness_probe
+  changed_when: false
+
+# This command is on a single line to preserve patch json.
 - name: Update registry liveness probe from HTTP to HTTPS
   command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+  when: "'HTTPS' not in docker_registry_liveness_probe.stdout"
+
+- name: Determine if registry readiness probe scheme is HTTPS
+  command: >
+    {{ openshift.common.client_binary }} get dc/docker-registry
+    -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: docker_registry_readiness_probe
+  changed_when: false
 
+# This command is on a single line to preserve patch json.
 - name: Update registry readiness probe from HTTP to HTTPS
   command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+  when: "'HTTPS' not in docker_registry_readiness_probe.stdout"
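Review bot: The task name `Configure certificates in registry deplomentConfig` misspells deploymentConfig; the fix is `- name: Configure certificates in registry deploymentConfig`. The `when` on that task is a single line of roughly 170 characters; written as a folded scalar (`when: >-` with one condition per line) it reads more easily and stays within the usual line-length lint. The probe checks test `'HTTPS' not in ...stdout` over `containers[*]`, which holds as long as the dc carries only the `registry` container that the patch json names; a short comment above the first probe check would make that assumption visible.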
-- 


From 6826f27769563d30194818a0f13b9da086ddf7ab Mon Sep 17 00:00:00 2001
From: Andrew Butcher <abutcher@redhat.com>
Date: Mon, 26 Sep 2016 10:36:02 -0400
Subject: Further secure registry improvements

- Default to hosted_registry_insecure=False
- Add openshift ca to system ca-trust.
- Update ca trust in openshift_node_certificates rather than docker_ca_trust
---
 roles/openshift_docker_facts/tasks/main.yml         |  2 +-
 roles/openshift_node_certificates/handlers/main.yml | 10 ++++++++++
 roles/openshift_node_certificates/tasks/main.yml    | 11 +++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 roles/openshift_node_certificates/handlers/main.yml


diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml
index 0ce142983..0c8a36d65 100644
--- a/roles/openshift_docker_facts/tasks/main.yml
+++ b/roles/openshift_docker_facts/tasks/main.yml
@@ -13,7 +13,7 @@
       log_options: "{{ openshift_docker_log_options | default(None) }}"
       options: "{{ openshift_docker_options | default(None) }}"
       disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}"
-      hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.common.deployment_subtype != 'registry') }}"
+      hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(False) }}"
       hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}"
 
 - set_fact:
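Review bot: `default(False)` yields a native boolean, while an inventory override of `openshift_docker_hosted_registry_insecure` typically arrives as the string `"false"` or `"False"`; unless the consumer of `hosted_registry_insecure` applies `| bool` (not visible in this hunk), that non-empty string is truthy and would re-enable the insecure registry. `hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(False) | bool }}"` normalises both forms at the point the fact is set. The enclosing facts task starts outside the hunk.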
diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml
new file mode 100644
index 000000000..f2299cecf
--- /dev/null
+++ b/roles/openshift_node_certificates/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: update ca trust
+  command: update-ca-trust
+  notify:
+  - restart docker after updating ca trust
+
+- name: restart docker after updating ca trust
+  service:
+    name: docker
+    state: restarted
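Review bot: The `restart docker after updating ca trust` handler restarts the docker service on the node, which restarts every container running there, not just the registry; a comment above it such as `# Restarting docker restarts all containers on this node; only fired when a CA anchor actually changes` makes that cost explicit to whoever next edits the notify chain. Having one handler `notify` another is supported but easy to miss on a read-through, so the comment also documents why `update ca trust` does not restart docker itself.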
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index a729b4d6c..80ab4bb1d 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -124,3 +124,14 @@
   when: node_certs_missing | bool
   delegate_to: localhost
   become: no
+
+- name: Copy OpenShift CA to system CA trust
+  copy:
+    src: "{{ item.cert }}"
+    dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
+    remote_src: yes
+  with_items:
+  - id: openshift
+    cert: "{{ openshift_node_cert_dir }}/ca.crt"
+  notify:
+  - update ca trust
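Review bot: `remote_src: yes` uses a YAML 1.1 truthy spelling that yamllint flags; `remote_src: true` is the canonical form. The copy sets no `mode`, so the anchor file takes the remote umask default; an explicit `mode: "0644"` (quoted so it is not read as the integer 420) pins the world-readable permissions a CA anchor normally has. A one-line comment above the task stating that docker validates the secured registry's certificate through the system trust store, which is why the cluster CA is anchored here, would tie this task to the handler chain that restarts docker.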
-- 