
Merge pull request #2475 from smunilla/registry_all_the_time

Install Registry by Default
Scott Dodson 8 years ago
parent
commit
5746c82c54

+ 1 - 0
.gitignore

@@ -20,3 +20,4 @@ multi_inventory.yaml
 .tags*
 ansible.cfg
 *.retry
+.vscode/*

+ 1 - 102
playbooks/common/openshift-cluster/openshift_hosted.yml

@@ -65,105 +65,4 @@
     openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es' if openshift.hosted.logging.storage_kind | default(none) is not none else '' }}"
 
   - role: cockpit-ui
-    when: openshift.common.deployment_subtype == 'registry'
-
-- name: Configure all masters for logging
-  serial: 1
-  handlers:
-  - include: ../../../roles/openshift_master/handlers/main.yml
-    static: yes
-  hosts: oo_masters
-  tasks:
-  - openshift_facts:
-      role: master
-      local_facts:
-        logging_public_url: "https://{{ openshift_hosted_logging_hostname | default('kibana.' ~ openshift_master_default_subdomain) }}"
-    when: openshift.hosted.logging.deploy | default(openshift.common.version_gte_3_3_or_1_3)
-  - modify_yaml:
-      dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
-      yaml_key: assetConfig.loggingPublicURL
-      yaml_value: "{{ openshift.master.logging_public_url }}"
-    notify: restart master
-    when: openshift.hosted.logging.deploy | default(openshift.common.version_gte_3_3_or_1_3)
-
-- name: Configure CA certificate for secure registry
-  hosts: oo_nodes_to_config
-  tags:
-  - hosted
-  tasks:
-  - name: Create temp directory for kubeconfig
-    command: mktemp -d /tmp/openshift-ansible-XXXXXX
-    register: mktemp
-    when: openshift.common.deployment_subtype == 'registry'
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - set_fact:
-      openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
-    when: openshift.common.deployment_subtype == 'registry'
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - name: Copy the admin client config(s)
-    command: >
-      cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
-    when: openshift.common.deployment_subtype == 'registry'
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - name: Retrieve docker-registry route
-    command: >
-      {{ openshift.common.client_binary }} get route docker-registry
-      --template='{{ '{{' }} .spec.host {{ '}}' }}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    register: docker_registry_route
-    when: openshift.common.deployment_subtype == 'registry'
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - name: Retrieve registry service IP
-    command: >
-      {{ openshift.common.client_binary }} get service docker-registry
-      --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    register: docker_registry_service_ip
-    when: openshift.common.deployment_subtype == 'registry'
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - name: Create registry CA directories
-    file:
-      path: "/etc/docker/certs.d/{{ item }}"
-      state: directory
-    with_items:
-    - "{{ docker_registry_service_ip.stdout }}:5000"
-    - "{{ docker_registry_route.stdout }}"
-    - "docker-registry.default.svc.cluster.local:5000"
-    when: openshift.common.deployment_subtype == 'registry'
-  - name: Copy CA to registry CA directories
-    copy:
-      src: "{{ openshift.common.config_base }}/node/ca.crt"
-      dest: "/etc/docker/certs.d/{{ item }}"
-      remote_src: yes
-      force: yes
-    with_items:
-    - "{{ docker_registry_service_ip.stdout }}:5000"
-    - "{{ docker_registry_route.stdout }}"
-    - "docker-registry.default.svc.cluster.local:5000"
-    when: openshift.common.deployment_subtype == 'registry'
-    notify:
-    - Restart docker
-  - name: Delete temp directory
-    file:
-      name: "{{ mktemp.stdout }}"
-      state: absent
-    when: openshift.common.deployment_subtype == 'registry'
-    changed_when: False
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  handlers:
-  - name: Restart docker
-    service:
-      name: docker
-      state: restarted
+    when: ( openshift.common.version_gte_3_3_or_1_3  | bool ) and ( openshift_hosted_manage_registry | default(true) | bool )
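Review bot: The whole "Configure all masters for logging" play (the `openshift_facts` logging_public_url and the `modify_yaml` of `assetConfig.loggingPublicURL`) is removed from this file, and no other file in this diff re-adds it; if it was intentionally moved elsewhere, say so in the description, otherwise it looks like a regression unrelated to the registry change. The removed "Configure CA certificate for secure registry" play does have a replacement (the CA-trust copy in roles/openshift_node_certificates), so that removal is expected. The new cockpit-ui condition also carries a stray double space; I would write it `when: ( openshift.common.version_gte_3_3_or_1_3 | bool ) and ( openshift_hosted_manage_registry | default(true) | bool )`. The enclosing play starts before this hunk.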

+ 2 - 2
playbooks/common/openshift-node/config.yml

@@ -60,12 +60,12 @@
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
+  - role: openshift_common
   - role: openshift_clock
   - role: openshift_docker
   - role: openshift_node_certificates
     openshift_ca_host: "{{ groups.oo_first_master.0 }}"
   - role: openshift_cloud_provider
-  - role: openshift_common
   - role: openshift_node_dnsmasq
     when: openshift.common.use_dnsmasq
   - role: os_firewall
@@ -99,12 +99,12 @@
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
+  - role: openshift_common
   - role: openshift_clock
   - role: openshift_docker
   - role: openshift_node_certificates
     openshift_ca_host: "{{ groups.oo_first_master.0 }}"
   - role: openshift_cloud_provider
-  - role: openshift_common
   - role: openshift_node_dnsmasq
     when: openshift.common.use_dnsmasq
   - role: os_firewall
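Review bot: Nothing documents why `openshift_common` is moved to the front of the role list in both plays, and the same reorder appears in the second hunk at line 152. Presumably it has to run before the roles whose conditions read `openshift.common.*` facts (e.g. the `when: openshift.common.use_dnsmasq` on `openshift_node_dnsmasq`); if so, pin that with a comment above the first entry, `# openshift_common first: it sets the openshift.common facts the conditions below read`, so the ordering is not "fixed" back later. Both plays start outside the hunks.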

+ 2 - 2
roles/cockpit-ui/tasks/main.yml

@@ -36,7 +36,7 @@
 - name: Retrieve docker-registry route
   command: >
     {{ openshift.common.client_binary }} get route docker-registry
-    --template='{{ '{{' }} .spec.host {{ '}}' }}'
+    -o jsonpath='{.spec.host}'
     --config={{ openshift_hosted_kubeconfig }}
     -n default
   register: docker_registry_route
@@ -45,7 +45,7 @@
 - name: Retrieve cockpit kube url
   command: >
     {{ openshift.common.client_binary }} get route registry-console
-    --template='https://{{ '{{' }} .spec.host {{ '}}' }}'
+    -o jsonpath='https://{.spec.host}'
     -n default
   register: registry_console_cockpit_kube_url
   changed_when: false

+ 1 - 1
roles/openshift_docker_facts/tasks/main.yml

@@ -13,7 +13,7 @@
       log_options: "{{ openshift_docker_log_options | default(None) }}"
       options: "{{ openshift_docker_options | default(None) }}"
       disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}"
-      hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.common.deployment_subtype != 'registry') }}"
+      hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(False) }}"
       hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}"
 
 - set_fact:
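Review bot: Changing the fallback to `default(False)` flips hosts that never set `openshift_docker_hosted_registry_insecure` from an insecure to a secure hosted registry on their next run, regardless of deployment subtype; that is the right default, but it is a behaviour change for existing inventories and deserves a sentence in the PR description. It also only works together with the CA-trust copy added in roles/openshift_node_certificates/tasks/main.yml in this same PR — a node that does not get that CA anchored will fail to pull from the now-TLS registry. A one-line comment above the key would help the next reader, e.g. `# Secure by default; the registry CA is anchored on nodes by openshift_node_certificates`. The enclosing openshift_facts task starts before this hunk.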

+ 0 - 1
roles/openshift_hosted/tasks/registry/registry.yml

@@ -53,7 +53,6 @@
 
 - include: secure.yml
   static: no
-  when: openshift.common.deployment_subtype == 'registry'
 
 - include: storage/object_storage.yml
   static: no

+ 49 - 8
roles/openshift_hosted/tasks/registry/secure.yml

@@ -1,5 +1,15 @@
 ---
-- name: Determine if registry certificates must be created
+- name: Create passthrough route for docker-registry
+  command: >
+    {{ openshift.common.client_binary }} create route passthrough
+    --service docker-registry
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: create_docker_registry_route
+  changed_when: "'already exists' not in create_docker_registry_route.stderr"
+  failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"
+
+- name: Determine if registry certificate must be created
   stat:
     path: "{{ openshift_master_config_dir }}/{{ item }}"
   with_items:
@@ -12,7 +22,7 @@
 - name: Retrieve registry service IP
   command: >
     {{ openshift.common.client_binary }} get service docker-registry
-    --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+    -o jsonpath='{.spec.clusterIP}'
     --config={{ openshift_hosted_kubeconfig }}
     -n default
   register: docker_registry_service_ip
@@ -45,8 +55,8 @@
 
 - name: "Add the secret to the registry's pod service accounts"
   command: >
-    {{ openshift.common.client_binary }} secrets link {{ item }} registry-certificates
-    --config={{ openshift_hosted_kubeconfig }}
+    {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates
+    --config={{ openshift_hosted_kubeconfig  }}
     -n default
   with_items:
   - registry
@@ -55,12 +65,12 @@
 - name: Determine if registry-certificates secret volume attached
   command: >
     {{ openshift.common.client_binary }} get dc/docker-registry
-    --template='{{ '{{' }} range .spec.template.spec.volumes {{ '}}' }}{{ '{{' }} .secret.secretName {{ '}}' }}{{ '{{' }} end {{ '}}' }}'
+    -o jsonpath='{.spec.template.spec.volumes[*].secret.secretName}'
     --config={{ openshift_hosted_kubeconfig }}
     -n default
   register: docker_registry_volumes
   changed_when: false
-  failed_when: false
+  failed_when: "'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"
 
 - name: Attach registry-certificates secret volume
   command: >
@@ -71,17 +81,48 @@
    -n default
   when: "'registry-certificates' not in docker_registry_volumes.stdout"
 
-- name: Set registry environment variables for TLS certificate
+- name: Determine if registry environment variables must be set
+  command: >
+    {{ openshift.common.client_binary }} env dc/docker-registry
+    --list
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: docker_registry_env
+  changed_when: false
+
+- name: Configure certificates in registry deplomentConfig
   command: >
     {{ openshift.common.client_binary }} env dc/docker-registry
     REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
     REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
     --config={{ openshift_hosted_kubeconfig }}
     -n default
+  when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"
 
-# These commands are on a single line to preserve patch json.
+- name: Determine if registry liveness probe scheme is HTTPS
+  command: >
+    {{ openshift.common.client_binary }} get dc/docker-registry
+    -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: docker_registry_liveness_probe
+  changed_when: false
+
+# This command is on a single line to preserve patch json.
 - name: Update registry liveness probe from HTTP to HTTPS
   command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+  when: "'HTTPS' not in docker_registry_liveness_probe.stdout"
+
+- name: Determine if registry readiness probe scheme is HTTPS
+  command: >
+    {{ openshift.common.client_binary }} get dc/docker-registry
+    -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: docker_registry_readiness_probe
+  changed_when: false
 
+# This command is on a single line to preserve patch json.
 - name: Update registry readiness probe from HTTP to HTTPS
   command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+  when: "'HTTPS' not in docker_registry_readiness_probe.stdout"
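Review bot: The new `failed_when` on the "Determine if registry-certificates secret volume attached" task (hunk at line 261) matches `'secretName is not found'` against `.stdout`, but oc/kubectl normally print jsonpath errors on stderr; if that holds for the client in use, the match never suppresses anything and the task fails precisely in the case it tries to tolerate (a dc whose volumes carry no secret). I would check the stream the message actually lands on, `failed_when: "docker_registry_volumes.rc != 0 and 'secretName is not found' not in docker_registry_volumes.stderr"`, and verify against a real dc with no secret volume. Two smaller things in the same file: the task name at line 279 reads "deplomentConfig" (`name: Configure certificates in registry deploymentConfig`), and line 246 has a stray double space inside `{{ openshift_hosted_kubeconfig  }}`.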

+ 10 - 0
roles/openshift_node_certificates/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: update ca trust
+  command: update-ca-trust
+  notify:
+  - restart docker after updating ca trust
+
+- name: restart docker after updating ca trust
+  service:
+    name: docker
+    state: restarted
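Review bot: The `update ca trust` handler notifies a second handler, and handler-to-handler notification has been version-sensitive in Ansible; worth confirming it fires on the minimum Ansible version this repo supports rather than silently never restarting docker. The restart itself is disruptive — restarting docker restarts every container on that node — so it is worth a comment on the handler stating why it is needed and when it triggers, e.g. `# Restarting docker restarts all containers on the node; only reached when a new CA was actually copied into the trust store`. The reason docker needs a restart after `update-ca-trust` (it presumably reads the system CA bundle only at start-up) should be stated too, as I cannot confirm it from this diff.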

+ 11 - 0
roles/openshift_node_certificates/tasks/main.yml

@@ -124,3 +124,14 @@
   when: node_certs_missing | bool
   delegate_to: localhost
   become: no
+
+- name: Copy OpenShift CA to system CA trust
+  copy:
+    src: "{{ item.cert }}"
+    dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
+    remote_src: yes
+  with_items:
+  - id: openshift
+    cert: "{{ openshift_node_cert_dir }}/ca.crt"
+  notify:
+  - update ca trust
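Review bot: Placing the cluster CA under `/etc/pki/ca-trust/source/anchors/` makes it trusted by every TLS client on the node (curl, package tooling, anything using the system bundle), not only by docker for the registry; that is a wider trust scope than the per-registry `/etc/docker/certs.d/<host>/` directories the play removed from playbooks/common/openshift-cluster/openshift_hosted.yml used. If system-wide trust is the intent, document it on the task, e.g. `# Anchors the OpenShift CA system-wide (not just for docker) so the TLS hosted registry is trusted by the daemon`, so a later reviewer does not narrow it by accident. The `copy` with `remote_src: yes` only notifies when the file content changes, which keeps the docker restart off steady-state runs; the enclosing task list starts outside the hunk.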