From e0090381732d43de74715b9d41480b3c43391783 Mon Sep 17 00:00:00 2001
From: Kenny Woodson
Date: Fri, 24 Feb 2017 16:46:06 -0500
Subject: Adding support for a route with certs and reencrypt.
---
 roles/lib_openshift/library/oc_route.py | 8 +++++-
 roles/lib_openshift/src/class/oc_route.py | 8 +++++-
 roles/openshift_hosted/tasks/registry/registry.yml | 4 +++
 roles/openshift_hosted/tasks/registry/secure.yml | 32 +++++++++++++++++++++-
 4 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/roles/lib_openshift/library/oc_route.py b/roles/lib_openshift/library/oc_route.py
index 9d95fcdbb..e40e21e8f 100644
--- a/roles/lib_openshift/library/oc_route.py
+++ b/roles/lib_openshift/library/oc_route.py
@@ -1594,7 +1594,13 @@ class OCRoute(OpenShiftCLI):
 def update(self):
 '''update the object'''
- # need to update the tls information and the service name
+ # when the host attribute is being updated, we need to delete and recreate
+ if self.config.host != self.route.host:
+ import time
+ self.delete()
+ time.sleep(3)
+ return self.create()
+

 return self._replace_content(self.kind, self.config.name, self.config.data)

 def needs_update(self):
diff --git a/roles/lib_openshift/src/class/oc_route.py b/roles/lib_openshift/src/class/oc_route.py
index 448457292..122cc5fe9 100644
--- a/roles/lib_openshift/src/class/oc_route.py
+++ b/roles/lib_openshift/src/class/oc_route.py
@@ -55,7 +55,13 @@ class OCRoute(OpenShiftCLI):
 def update(self):
 '''update the object'''
- # need to update the tls information and the service name
+ # when the host attribute is being updated, we need to delete and recreate
+ if self.config.host != self.route.host:
+ import time
+ self.delete()
+ time.sleep(3)
+ return self.create()
+

 return self._replace_content(self.kind, self.config.name, self.config.data)

 def needs_update(self):
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index 2369c4e2e..f9441dd57 100644
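Review bot: The host-change path added to `update()` (identical in `library/oc_route.py` and `src/class/oc_route.py`, the former presumably generated from the latter) waits a fixed `time.sleep(3)` between `self.delete()` and `self.create()`, so whether the old route is really gone before the create runs is a timing guess, and the result of `self.delete()` is discarded, so a failed delete is still followed by a create under the same name. Checking the delete result and re-reading the object until it is absent, with a bounded number of retries, before calling `self.create()` would make the host change deterministic; while the route is absent every consumer of that host, including a secured registry, has no entry point, which is worth saying in the comment. `self.route.host` raises if `self.route` was never fetched, and whether callers guarantee that before `update()` is not visible here. The `import time` inside the method body belongs in the module import block alongside the file's other imports. The rest of the class, including `needs_update()`, lies outside the hunk.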
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -40,6 +40,9 @@
 openshift_hosted_registry_images: "{{ openshift.hosted.registry.registryurl | default('openshift3/ose-${component}:${version}')}}"
 openshift_hosted_registry_volumes: []
 openshift_hosted_registry_env_vars: {}
+ openshift_hosted_registry_route_certificates: "{{ openshift.hosted.registry.route.certificates | default(false) }}"
+ openshift_hosted_registry_route_host: "{{ openshift.hosted.registry.route.host | default(false) }}"
+ openshift_hosted_registry_route_termination: "{{ openshift.hosted.registry.route.termination | default('passthrough') }}"
 openshift_hosted_registry_edits:
 # These edits are being specified only to prevent 'changed' on rerun
 - key: spec.strategy.rollingParams
@@ -89,6 +92,7 @@

 - name: Create OpenShift registry
 oc_adm_registry:
+#debug: True
 name: "{{ openshift_hosted_registry_name }}"
 namespace: "{{ openshift_hosted_registry_namespace }}"
 selector: "{{ openshift_hosted_registry_selector }}"
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index e70d377c6..244979f2e 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
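Review bot: `openshift_hosted_registry_route_host` is defaulted to `false`, which is a defined value, so the `| default(docker_registry_route_hostname)` applied to it in secure.yml never takes effect and the route host is rendered from `False` whenever `openshift.hosted.registry.route.host` is unset; use the boolean form in secure.yml, `host: "{{ openshift_hosted_registry_route_host | default(docker_registry_route_hostname, true) }}"`, so a falsy value also falls back. Nothing ties `openshift_hosted_registry_route_certificates` to `openshift_hosted_registry_route_termination`, whose default stays `passthrough`; since a passthrough route presumably cannot use router-side certificates, a comment on these three facts such as `# certificates are only applied when termination is edge or reencrypt` would save operators a silent misconfiguration. The `#debug: True` left at column 0 in the second hunk reads as leftover scaffolding and should be dropped.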
@@ -2,14 +2,43 @@
 - name: Set fact docker_registry_route_hostname
 set_fact:
 docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
+ run_once: true
+
+#- name: Create passthrough route for docker-registry
+# oc_route:
+# name: docker-registry
+# namespace: "{{ openshift_hosted_registry_namespace }}"
+# service_name: docker-registry
+# tls_termination: passthrough
+# host: "{{ docker_registry_route_hostname }}"
+# run_once: true
+- name: Get the certificate contents for registry
+ local_action:
+ module: slurp
+ src: "{{ item }}"
+ register: openshift_hosted_registry_certificate_content
+ with_items:
+ - "{{ (openshift_hosted_registry_route_certificates | default({'certfile':none})).certfile }}"
+ - "{{ (openshift_hosted_registry_route_certificates | default({'keyfile':none})).keyfile }}"
+ - "{{ (openshift_hosted_registry_route_certificates | default({'cafile':none})).cafile }}"
+ when: openshift_hosted_registry_route_certificates
+
+- debug: var=openshift_hosted_registry_certificate_content
+ when: openshift_hosted_registry_route_certificates

 - name: Create passthrough route for docker-registry
 oc_route:
 name: docker-registry
 namespace: "{{ openshift_hosted_registry_namespace }}"
 service_name: docker-registry
- tls_termination: passthrough
 host: "{{ docker_registry_route_hostname }}"
+ tls_termination: "{{ openshift_hosted_registry_route_termination }}"
+ host: "{{ openshift_hosted_registry_route_host | default(docker_registry_route_hostname) }}"
+ cert_content: "{{ openshift_hosted_registry_certificate_content is defined | ternary(openshift_hosted_registry_certificate_content.results[0].content,omit) }}"
+ key_content: "{{ openshift_hosted_registry_certificate_content is defined | ternary(openshift_hosted_registry_certificate_content.results[0].content, omit) }}"
+ cacert_content: "{{ openshift_hosted_registry_certificate_content is defined | ternary(openshift_hosted_registry_certificate_content.results[0].content, omit) }}"
+ dest_cacert_path: "{{ openshift_hosted_registry_certificate_content is defined | ternary('/etc/origin/master/ca.crt', omit) }}"
+ run_once: true

 - name: Retrieve registry service IP
 oc_service:
@@ -17,6 +46,7 @@
 name: docker-registry
 state: list
 register: docker_registry_service_ip
+ run_once: true

 - name: Create registry certificates
 oc_adm_ca_server_cert:
-- 
cgit v1.2.3
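Review bot: `key_content` and `cacert_content` both read `openshift_hosted_registry_certificate_content.results[0].content`, the certificate file, while the slurp loop registers certfile, keyfile and cafile in that order; they should use `results[1].content` and `results[2].content`, otherwise the route is created with the certificate standing in for its private key and CA. The slurp results hold the private key, which the new `debug: var=openshift_hosted_registry_certificate_content` task and the loop's own task output write into the playbook log; drop the debug task and put `no_log: true` on the slurp task. The old `host: "{{ docker_registry_route_hostname }}"` line is kept as context next to the new `host:` key, so the `oc_route` mapping now carries a duplicate key and which value wins is up to the YAML loader. Both `ternary` arguments are evaluated before the filter runs, and Ansible registers a result even for a skipped task, so the `is defined` guard likely does not stop `results[0].content` from being resolved when no certificates are configured; `... .results[N].content | default(omit)` is the safer form. Whether oc_route expects the base64 form that slurp returns in `content`, and what it does with `dest_cacert_path` pointing at `/etc/origin/master/ca.crt` (overwriting the master CA there would be serious), is not visible in this hunk and should be confirmed before merge.
```yaml
- name: Get the certificate contents for registry
  local_action:
    module: slurp
    src: "{{ item }}"
  register: openshift_hosted_registry_certificate_content
  no_log: true
  # … unchanged: with_items / when …

- name: Create passthrough route for docker-registry
  oc_route:
    # … unchanged: name / namespace / service_name / tls_termination / host …
    cert_content: "{{ openshift_hosted_registry_certificate_content.results[0].content | default(omit) }}"
    key_content: "{{ openshift_hosted_registry_certificate_content.results[1].content | default(omit) }}"
    cacert_content: "{{ openshift_hosted_registry_certificate_content.results[2].content | default(omit) }}"
    # … unchanged: dest_cacert_path …
  run_once: true
```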