author | Scott Dodson <sdodson@redhat.com> | 2016-09-04 23:02:08 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-09-04 23:02:08 -0400 |
commit | 5ca0a74fb271678708268c940fd52ccd15d207ca (patch) | |
tree | 9ebe1aedcabccef7968d7aa99dcce5905e618f77 /playbooks | |
parent | 88ef051955288fbfaedebe35a12b64d00ac285a1 (diff) | |
parent | 9c114231850ac265e7414afefbf78da194d0a8e4 (diff) | |
Merge pull request #2409 from abutcher/secure-registry
Secure registry for atomic registry deployment
Diffstat (limited to 'playbooks')
-rw-r--r-- | playbooks/common/openshift-cluster/openshift_hosted.yml | 84 |
1 files changed, 83 insertions, 1 deletions
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index f65b7a2cd..4aca4daf4 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -45,4 +45,86 @@ - role: openshift_metrics when: openshift.hosted.metrics.deploy | bool - role: cockpit-ui - when: ( openshift.common.deployment_subtype == 'registry' )
+ when: openshift.common.deployment_subtype == 'registry'
+
+- name: Configure CA certificate for secure registry
+ hosts: oo_nodes_to_config
+ tags:
+ - hosted
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - set_fact:
+ openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ when: openshift.common.deployment_subtype == 'registry'
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Copy the admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve docker-registry route
+ command: >
+ {{ openshift.common.client_binary }} get route docker-registry
+ --template='{{ '{{' }} .spec.host {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_route
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve registry service IP
+ command: >
+ {{ openshift.common.client_binary }} get service docker-registry
+ --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_service_ip
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Create registry CA directories
+ file:
+ path: "/etc/docker/certs.d/{{ item }}"
+ state: directory
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ - name: Copy CA to registry CA directories
+ copy:
+ src: "{{ openshift.common.config_base }}/node/ca.crt"
+ dest: "/etc/docker/certs.d/{{ item }}"
+ remote_src: yes
+ force: yes
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ notify:
+ - Restart docker
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: False
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ handlers:
+ - name: Restart docker
+ service:
+ name: docker
+ state: restarted |
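Review bot: The admin.kubeconfig copy created by `Copy the admin client config(s)` is only removed by the last task, `Delete temp directory`, so if one of the `run_once` retrieval tasks in between fails (an `oc get` returning non-zero aborts the play for every host) a copy of the cluster-admin kubeconfig stays under /tmp on the first master. Wrapping the tasks in a `block:` with the cleanup in `always:` — assuming the project's minimum Ansible version supports blocks — guarantees removal, and the per-task `when: openshift.common.deployment_subtype == 'registry'` repeated on every task can then move to the block. The certs.d paths are also built from `docker_registry_route.stdout` and `docker_registry_service_ip.stdout` without checking that the output is non-empty; an empty template result would produce `/etc/docker/certs.d/` and `/etc/docker/certs.d/:5000`, so adding `failed_when: docker_registry_route.stdout == ''` (and the equivalent for the service IP) to the two retrieval tasks fails early with a clear cause. Minor style: `changed_when: False`, `remote_src: yes` and `force: yes` mix truthy spellings with the lowercase `true`/`false` used elsewhere in the hunk.
```yaml
  tasks:
    - block:
        # … unchanged: mktemp, set_fact, admin.kubeconfig copy, route/service lookups, certs.d tasks — per-task `when` dropped …
      always:
        - name: Delete temp directory
          file:
            name: "{{ mktemp.stdout }}"
            state: absent
          when: mktemp is defined and mktemp.rc == 0
          changed_when: false
          delegate_to: "{{ groups.oo_first_master.0 }}"
          run_once: true
      when: openshift.common.deployment_subtype == 'registry'
```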