authorScott Dodson <sdodson@redhat.com>2016-09-04 23:02:08 -0400
committerGitHub <noreply@github.com>2016-09-04 23:02:08 -0400
commit5ca0a74fb271678708268c940fd52ccd15d207ca (patch)
tree9ebe1aedcabccef7968d7aa99dcce5905e618f77 /playbooks
parent88ef051955288fbfaedebe35a12b64d00ac285a1 (diff)
parent9c114231850ac265e7414afefbf78da194d0a8e4 (diff)
Merge pull request #2409 from abutcher/secure-registry
Secure registry for atomic registry deployment
Diffstat (limited to 'playbooks')
-rw-r--r--playbooks/common/openshift-cluster/openshift_hosted.yml84
1 files changed, 83 insertions, 1 deletions
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index f65b7a2cd..4aca4daf4 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -45,4 +45,86 @@
- role: openshift_metrics
when: openshift.hosted.metrics.deploy | bool
- role: cockpit-ui
- when: ( openshift.common.deployment_subtype == 'registry' )
+ when: openshift.common.deployment_subtype == 'registry'
+
+- name: Configure CA certificate for secure registry
+ hosts: oo_nodes_to_config
+ tags:
+ - hosted
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - set_fact:
+ openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ when: openshift.common.deployment_subtype == 'registry'
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Copy the admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve docker-registry route
+ command: >
+ {{ openshift.common.client_binary }} get route docker-registry
+ --template='{{ '{{' }} .spec.host {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_route
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Retrieve registry service IP
+ command: >
+ {{ openshift.common.client_binary }} get service docker-registry
+ --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_service_ip
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ - name: Create registry CA directories
+ file:
+ path: "/etc/docker/certs.d/{{ item }}"
+ state: directory
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ - name: Copy CA to registry CA directories
+ copy:
+ src: "{{ openshift.common.config_base }}/node/ca.crt"
+ dest: "/etc/docker/certs.d/{{ item }}"
+ remote_src: yes
+ force: yes
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift.common.deployment_subtype == 'registry'
+ notify:
+ - Restart docker
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ when: openshift.common.deployment_subtype == 'registry'
+ changed_when: False
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+ handlers:
+ - name: Restart docker
+ service:
+ name: docker
+ state: restarted
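Review bot: The admin.kubeconfig copied into the mktemp directory on the first master (the "Copy the admin client config(s)" task) is only removed by the final "Delete temp directory" task, so any failure in between — e.g. `oc get route docker-registry` returning non-zero because the route is not there yet — aborts the play and leaves a copy of cluster-admin credentials under /tmp on the master. The plain `cp` also does not pass `-p`, so the copy's mode depends on the master's umask rather than on the source file's mode; `cp -p` (or `mode: 0600` via the copy module) would pin it. If this playbook already requires Ansible ≥ 2.0 (not visible here), wrapping the tasks in a `block:` with the cleanup under `always:` makes the deletion unconditional on success. Note also that the handler restarts docker on every node whenever a CA file changes; I believe the daemon picks up `/etc/docker/certs.d/` per connection without a restart, which would avoid bouncing all containers on the nodes — worth confirming against the Docker version in use.
```yaml
  tasks:
    - block:
        # … unchanged: mktemp, set_fact, cp -p admin.kubeconfig, oc get route/service, certs.d directory and CA copy tasks …
      always:
        - name: Delete temp directory
          file:
            name: "{{ mktemp.stdout }}"
            state: absent
          when: openshift.common.deployment_subtype == 'registry'
          changed_when: false
          delegate_to: "{{ groups.oo_first_master.0 }}"
          run_once: true
```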