
Merge pull request #3300 from ashcrow/oc-secret-module

WIP: oc secrets now done via oc_secret module
Jan Chaloupka 8 years ago
parent
commit
5444c0f474

+ 13 - 7
playbooks/common/openshift-cluster/redeploy-certificates/registry.yml

@@ -2,6 +2,8 @@
 - name: Update registry certificates
   hosts: oo_first_master
   vars:
+  roles:
+  - lib_openshift
   tasks:
   - name: Create temp directory for kubeconfig
     command: mktemp -d /tmp/openshift-ansible-XXXXXX
@@ -70,13 +72,17 @@
         --key={{ openshift.common.config_base }}/master/registry.key
 
     - name: Update registry certificates secret
-      shell: >
-        {{ openshift.common.client_binary }} secret new registry-certificates
-        {{ openshift.common.config_base }}/master/registry.crt
-        {{ openshift.common.config_base }}/master/registry.key
-        --config={{ mktemp.stdout }}/admin.kubeconfig
-        -n default
-        -o json | oc replace -f -
+      oc_secret:
+        kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+        name: registry-certificates
+        namespace: default
+        state: present
+        files:
+        - name: registry.crt
+          path: "{{ openshift.common.config_base }}/master/registry.crt"
+        - name: registry.key
+          path: "{{ openshift.common.config_base }}/master/registry.key"
+      run_once: true
     when: l_docker_registry_dc.rc == 0 and 'registry-certificates' in docker_registry_secrets and 'REGISTRY_HTTP_TLS_CERTIFICATE' in docker_registry_env_vars and 'REGISTRY_HTTP_TLS_KEY' in docker_registry_env_vars
 
   - name: Redeploy docker registry
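Review bot: The `Update registry certificates secret` task now feeds `registry.key` to `oc_secret` without `no_log: true`. If the module returns the resulting secret object in its result (not visible in this hunk), the base64-encoded private key can land in Ansible output and logs, for example at higher verbosity or on failure. Consider adding `no_log: true` next to `run_once: true`; the same applies to the `Create the secret for the registry certificates` task in roles/openshift_hosted/tasks/registry/secure.yml. It is also worth confirming that `state: present` rewrites an already existing secret, because the removed command piped into `oc replace` and this playbook exists to rotate the certificate. The enclosing `block:` starts outside the hunk.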

+ 8 - 4
playbooks/common/openshift-cluster/redeploy-certificates/router.yml

@@ -7,6 +7,8 @@
     command: mktemp -d /tmp/openshift-ansible-XXXXXX
     register: mktemp
     changed_when: false
+  roles:
+  - lib_openshift
 
   - name: Copy admin client config(s)
     command: >
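Review bot: The added `roles:` key lands in the middle of the task list, directly after `changed_when: false` of the mktemp task. The task items are written flush with the play's keys, so `- name: Copy admin client config(s)` and every entry after it would now parse as items of `roles:` rather than `tasks:`. Move `roles:` and `- lib_openshift` above `tasks:`, as the registry.yml hunk does. The play header is outside this hunk, so check the placement against the full file.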
@@ -45,10 +47,12 @@
 
   - block:
     - name: Delete existing router certificate secret
-      command: >
-        {{ openshift.common.client_binary }} delete secret/router-certs
-        --config={{ mktemp.stdout }}/admin.kubeconfig
-        -n default
+      oc_secret:
+        kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+        name: router-certs
+        namespace: default
+        state: absent
+        run_once: true
 
     - name: Remove router service annotations
       command: >
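Review bot: `run_once: true` in the `Delete existing router certificate secret` task is indented one level too deep, so it is passed to `oc_secret` as a module argument instead of acting as a task keyword. The module will most likely reject it as an unsupported parameter, and if it does not, the keyword is silently not applied. Dedent it to align with `oc_secret:`, matching the registry.yml task. The enclosing `block:` continues past the hunk.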

+ 11 - 8
roles/openshift_hosted/tasks/registry/secure.yml

@@ -43,15 +43,18 @@
   when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list)
 
 - name: Create the secret for the registry certificates
-  command: >
-    {{ openshift.common.client_binary }} secrets new registry-certificates
-    {{ openshift_master_config_dir }}/registry.crt
-    {{ openshift_master_config_dir }}/registry.key
-    --config={{ openshift_hosted_kubeconfig }}
-    -n default
+  oc_secret:
+    kubeconfig: "{{ openshift_hosted_kubeconfig }}"
+    name: registry-certificates
+    namespace: default
+    state: present
+    files:
+    - name: registry.crt
+      path: "{{ openshift_master_config_dir }}/registry.crt"
+    - name: registry.key
+      path: "{{ openshift_master_config_dir }}/registry.key"
   register: create_registry_certificates_secret
-  changed_when: "'already exists' not in create_registry_certificates_secret.stderr"
-  failed_when: "'already exists' not in create_registry_certificates_secret.stderr and create_registry_certificates_secret.rc != 0"
+  run_once: true
 
 - name: "Add the secret to the registry's pod service accounts"
   oc_serviceaccount_secret:
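Review bot: `register: create_registry_certificates_secret` is kept, but the only visible readers of it, the `changed_when` and `failed_when` lines, are removed. If nothing further down the file uses the variable, drop the `register`. If something does, note that a module result will probably not carry the `stderr` and `rc` fields the old `command` result had, so those references need updating. The rest of the task file is outside this hunk.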