
Merge pull request #9428 from spadgett/console-certs

Bug 1611841 - Allow customizing admin console certificates
OpenShift Merge Robot 6 years ago
parent
commit
2ae9225b63

+ 3 - 0
roles/openshift_console/defaults/main.yml

@@ -10,6 +10,9 @@ openshift_console_image_name: "{{ l_osm_registry_url | regex_replace('${componen
 openshift_console_replica_count: "{{ groups.oo_masters_to_config | length }}"
 
 openshift_console_hostname: "console.{{openshift_master_default_subdomain}}"
+openshift_console_cert: ""
+openshift_console_key: ""
+openshift_console_ca: ""
 
 openshift_console_auth_ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 
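Review bot: Nothing here says what the three new variables hold. The tasks in install.yml read them with `lookup('file', ...)`, so they are file paths resolved on the Ansible control host, not PEM text. A comment above them would stop someone pasting certificate contents into the inventory, for example `# Paths on the control host to PEM files for the console route; empty means no custom certificate is set.` Since `openshift_console_key` points at a private key, the comment should also say that the file must be readable only by the user running the playbook.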

+ 6 - 0
roles/openshift_console/files/console-template.yaml

@@ -20,6 +20,9 @@ parameters:
 - name: CONSOLE_HOSTNAME
   value: console.router.default.svc.cluster.local
   required: true
+- name: TLS_CERT
+- name: TLS_KEY
+- name: TLS_CA_CERT
 - name: NODE_SELECTOR
   value: "{}"
   required: true
@@ -196,6 +199,9 @@ objects:
     tls:
       insecureEdgeTerminationPolicy: Redirect
       termination: reencrypt
+      certificate: ${TLS_CERT}
+      key: ${TLS_KEY}
+      caCertificate: ${TLS_CA_CERT}
 
 # to let users log in
 - apiVersion: oauth.openshift.io/v1
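Review bot: `key: ${TLS_KEY}` places the private key in plain text in the Route's `tls` block, so any account that can read routes in the console's namespace can read the key, and it will show up in exports of the object. A comment above the three added lines should say so, e.g. `# TLS_KEY is stored unencrypted in this Route; limit who can get/list routes in this namespace.` The parameters added in the earlier hunk of this file (`TLS_CERT`, `TLS_KEY`, `TLS_CA_CERT`) carry no `description`; one stating that they take PEM contents rather than paths would help. The Route object starts above this hunk.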

+ 15 - 0
roles/openshift_console/tasks/install.yml

@@ -47,6 +47,18 @@
     console_picker_developer_console_public_url: "{{ openshift.master.public_console_url }}/"
   when: openshift_web_console_install | default(true) | bool
 
+- set_fact: console_cert={{ lookup('file', openshift_console_cert) }}
+  when: openshift_console_cert is exists
+  changed_when: false
+
+- set_fact: console_key={{ lookup('file', openshift_console_key) }}
+  when: openshift_console_key is exists
+  changed_when: false
+
+- set_fact: console_ca_cert={{ lookup('file', openshift_console_ca) }}
+  when: openshift_console_ca is exists
+  changed_when: false
+
 # Generate a new config when a config map is not defined.
 - name: Set web console config properties from inventory variables
   yedit:
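Review bot: The task that sets `console_key` loads the private key into a fact without `no_log: true`, so a verbose run can print the key; the same value is then interpolated into the `oc process` command at `--param TLS_KEY="{{ console_key | default('') }}"` in the later hunk of this file, where it is visible in the host's process list while the command runs. Add `no_log: true` to the key task, and to the command task as well if it lacks it (that task starts outside its hunk, so this cannot be checked from here). The file contents also sit inside a double-quoted shell string, so `--param TLS_KEY={{ console_key | default('') | quote }}` would keep the shell from interpreting a `$`, backtick or double quote in the file. Separately, `when: openshift_console_key is exists` skips silently when the path is set but wrong, so a typo deploys the route without the custom certificate and reports no error; a `fail` task for a non-empty path that does not exist, and for a cert supplied without a key, would surface that.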
@@ -84,6 +96,9 @@
     --param SERVER_CONFIG="{{ updated_console_config['content'] | b64decode }}"
     --param REPLICA_COUNT="{{ openshift_console_replica_count }}"
     --param CONSOLE_HOSTNAME="{{ openshift_console_hostname }}"
+    --param TLS_CERT="{{ console_cert | default('') }}"
+    --param TLS_KEY="{{ console_key | default('') }}"
+    --param TLS_CA_CERT="{{ console_ca_cert | default('') }}"
     --config={{ mktemp.stdout }}/admin.kubeconfig
     | {{ openshift_client_binary }} apply --config={{ mktemp.stdout }}/admin.kubeconfig -f -