Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge pull request #6851 from kwoodson/upgrade_dns_push

Automatic merge from submit-queue.

Upgrade to migrate to using push to DNS for registries.

This is the beginning of the migration to push to docker-registry by DNS.  This migrates users by rerolling their certificates and then redeploying the registry so that hosts can push to the registries with the newly created certificates.
OpenShift Merge Robot 7 years ago
parent
22462aa170 8e0b7761a1
commit
3e2c7c22a5
6 changed files with 43 additions and 12 deletions
Split View Show Diff Stats
  1. 16 0
      playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
  2. 4 0
      playbooks/openshift-hosted/deploy_registry.yml
  3. 4 0
      playbooks/openshift-hosted/deploy_router.yml
  4. 2 11
      roles/openshift_master/tasks/main.yml
  5. 13 0
      roles/openshift_master/tasks/push_via_dns.yml
  6. 4 1
      roles/openshift_master/tasks/systemd_units.yml

+ 16 - 0
playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
View File 

@@ -113,6 +113,22 @@
 
     registry_url: "{{ openshift.master.registry_url }}"
 
     openshift_hosted_templates_import_command: replace
 
 
+  post_tasks:
 
+  # we need to migrate customers to the new pattern of pushing to the registry via dns
 
+  # Step 1: verify the certificates have the docker registry service name
 
+  - shell: >
 
+      echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000  | openssl x509 -text |  grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)'
 
+    register: cert_output
 
+
 
+  # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs
 
+  - name: set a fact to include the registry certs playbook if needed
 
+    set_fact:
 
+      openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0  }}"
 
+
 
+# Run the redeploy certs based upon the certificates
 
+- when: hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry
 
+  import_playbook: ../../../openshift-hosted/redeploy-registry-certificates.yml
 
+
 
 # Check for warnings to be printed at the end of the upgrade:
 
 - name: Clean up and display warnings
 
   hosts: oo_masters_to_config

+ 4 - 0
playbooks/openshift-hosted/deploy_registry.yml
View File 

@@ -0,0 +1,4 @@
 
+---
 
+- import_playbook: ../init/main.yml
 
+
 
+- import_playbook: private/openshift_hosted_registry.yml

+ 4 - 0
playbooks/openshift-hosted/deploy_router.yml
View File 

@@ -0,0 +1,4 @@
 
+---
 
+- import_playbook: ../init/main.yml
 
+
 
+- import_playbook: private/openshift_hosted_router.yml

+ 2 - 11
roles/openshift_master/tasks/main.yml
View File 

@@ -137,17 +137,8 @@
 
   - item.clientCA | default('') != ''
 
   with_items: "{{ openshift.master.identity_providers }}"
 
 
-# This is an ugly hack to verify settings are in a file without modifying them with lineinfile.
 
-# The template file will stomp any other settings made.
 
-- block:
 
-  - name: check whether our docker-registry setting exists in the env file
 
-    command: "awk '/^OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000/' /etc/sysconfig/{{ openshift_service_type }}-master"
 
-    failed_when: false
 
-    changed_when: false
 
-    register: l_already_set
 
-
 
-  - set_fact:
 
-      openshift_push_via_dns: "{{ openshift.common.version_gte_3_6 or (l_already_set.stdout is defined and l_already_set.stdout is match('OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000')) }}"
 
+- name: Include push_via_dns.yml
 
+  include_tasks: push_via_dns.yml
 
 
 - name: Set fact of all etcd host IPs
 
   openshift_facts:

+ 13 - 0
roles/openshift_master/tasks/push_via_dns.yml
View File 

@@ -0,0 +1,13 @@
 
+---
 
+# This is an ugly hack to verify settings are in a file without modifying them with lineinfile.
 
+# The template file will stomp any other settings made.
 
+- when: openshift_push_via_dns is not defined
 
+  block:
 
+  - name: check whether our docker-registry setting exists in the env file
 
+    shell: "awk '/^OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000/' /etc/sysconfig/{{ openshift_service_type }}-master*"
 
+    failed_when: false
 
+    changed_when: false
 
+    register: l_already_set
 
+
 
+  - set_fact:
 
+      openshift_push_via_dns: "{{ openshift.common.version_gte_3_6 or (l_already_set.stdout is defined and l_already_set.stdout is match('OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000')) }}"

+ 4 - 1
roles/openshift_master/tasks/systemd_units.yml
View File 

@@ -1,6 +1,8 @@
 
 ---
 
 # systemd_units.yml is included both in the openshift_master role and in the upgrade
 
 # playbooks.
 
+- name: include push_via_dns.yml tasks
 
+  include_tasks: push_via_dns.yml
 
 
 - name: Set HA Service Info for containerized installs
 
   set_fact:
 
@@ -9,7 +11,8 @@
 
   when:
 
   - openshift_is_containerized | bool
 
 
-- include_tasks: registry_auth.yml
 
+- name: include registry_auth tasks
 
+  include_tasks: registry_auth.yml
 
 
 - name: Disable the legacy master service if it exists
 
   systemd: