
Further secure registry improvements

- Default to hosted_registry_insecure=False
- Add openshift ca to system ca-trust.
- Update ca trust in openshift_node_certificates rather than docker_ca_trust
Andrew Butcher 8 年之前
父节点
当前提交
6826f27769

+ 0 - 128
playbooks/common/openshift-cluster/node_docker_ca.yml

@@ -1,128 +0,0 @@
----
-- name: Configure CA certificate for secure registry
-  hosts: oo_nodes_to_config
-  tags:
-  - hosted
-  tasks:
-  - name: Create temp directory for kubeconfig
-    command: mktemp -d /tmp/openshift-ansible-XXXXXX
-    register: mktemp
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - set_fact:
-      openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
-    when: openshift_hosted_manage_registry | default(true) | bool
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - name: Copy the admin client config(s)
-    command: >
-      cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - name: Retrieve docker-registry route
-    command: >
-      {{ openshift.common.client_binary }} get route docker-registry
-      -o jsonpath='{.spec.host}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    register: docker_registry_route
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - name: Retrieve registry service IP
-    command: >
-      {{ openshift.common.client_binary }} get svc/docker-registry
-      -o jsonpath='{.spec.clusterIP}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    register: docker_registry_service_ip
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-
-  - name: Create registry CA directories
-    file:
-      path: "/etc/docker/certs.d/{{ item }}"
-      state: directory
-    with_items:
-    - "{{ docker_registry_service_ip.stdout }}:5000"
-    - "{{ docker_registry_route.stdout }}"
-    - "docker-registry.default.svc.cluster.local:5000"
-    when: openshift_hosted_manage_registry | default(true) | bool
-
-  - name: Copy CA to registry CA directories
-    copy:
-      src: "{{ openshift.common.config_base }}/node/ca.crt"
-      dest: "/etc/docker/certs.d/{{ item }}"
-      remote_src: yes
-      force: yes
-    with_items:
-    - "{{ docker_registry_service_ip.stdout }}:5000"
-    - "{{ docker_registry_route.stdout }}"
-    - "docker-registry.default.svc.cluster.local:5000"
-    when: openshift_hosted_manage_registry | default(true) | bool
-    notify:
-    - Wait for docker-registry deployment
-    - Wait for registry-console deployment
-    - Restart docker
-
-  handlers:
-  # Restarting docker before deployments have begun will block the
-  # deployments from ever starting so try waiting for the registry to
-  # become available.
-  - name: Wait for docker-registry deployment
-    command: >
-      {{ openshift.common.client_binary }} get dc/docker-registry
-      -o jsonpath='{.status.availableReplicas}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    delegate_to: "{{ groups.oo_first_master.0}}"
-    register: l_docker_registry_available_replicas
-    until: l_docker_registry_available_replicas.stdout | default("0") != "0"
-    retries: 30
-    delay: 1
-    failed_when: false
-    changed_when: false
-    run_once: true
-
-  - name: Wait for registry-console deployment
-    command: >
-      {{ openshift.common.client_binary }} get dc/registry-console
-      -o jsonpath='{.status.availableReplicas}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    register: l_registry_console_available_replicas
-    until: l_registry_console_available_replicas.stdout | default("0") != "0"
-    retries: 30
-    delay: 1
-    failed_when: false
-    changed_when: false
-    run_once: true
-
-  - name: Restart docker
-    service:
-      name: docker
-      state: restarted
-
-- name: Delete temp directory
-  hosts: oo_first_master
-  tags:
-  - hosted
-  tasks:
-  - name: Delete temp directory
-    file:
-      name: "{{ mktemp.stdout }}"
-      state: absent
-    when: openshift_hosted_manage_registry | default(true) | bool
-    changed_when: False

+ 2 - 2
playbooks/common/openshift-node/config.yml

@@ -60,12 +60,12 @@
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
+  - role: openshift_common
   - role: openshift_clock
   - role: openshift_docker
   - role: openshift_node_certificates
     openshift_ca_host: "{{ groups.oo_first_master.0 }}"
   - role: openshift_cloud_provider
-  - role: openshift_common
   - role: openshift_node_dnsmasq
     when: openshift.common.use_dnsmasq
   - role: os_firewall
@@ -99,12 +99,12 @@
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
+  - role: openshift_common
   - role: openshift_clock
   - role: openshift_docker
   - role: openshift_node_certificates
     openshift_ca_host: "{{ groups.oo_first_master.0 }}"
   - role: openshift_cloud_provider
-  - role: openshift_common
   - role: openshift_node_dnsmasq
     when: openshift.common.use_dnsmasq
   - role: os_firewall
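Review bot: The reason for moving `openshift_common` ahead of `openshift_clock` (the same change in both hunks of this file) is recorded neither in the playbook nor in the commit message. Presumably the new CA-trust task in `openshift_node_certificates` (or the facts `openshift_docker` reads) depends on facts that `openshift_common` sets, but that is an inference; nothing in this hunk shows the dependency. A one-line comment above the role would save the next reader from re-deriving it, e.g. `# openshift_common must run first: later roles (docker, node_certificates) read facts it sets`.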

+ 1 - 1
roles/openshift_docker_facts/tasks/main.yml

@@ -13,7 +13,7 @@
       log_options: "{{ openshift_docker_log_options | default(None) }}"
       options: "{{ openshift_docker_options | default(None) }}"
       disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}"
-      hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.common.deployment_subtype != 'registry') }}"
+      hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(False) }}"
       hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}"
 
 - set_fact:
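Review bot: The new default `hosted_registry_insecure: False` flips behaviour for every inventory that does not set `openshift_docker_hosted_registry_insecure`: docker will now require TLS with a trusted CA for the hosted registry instead of treating it as insecure whenever `deployment_subtype != 'registry'`. That is the right default, but it only works if the OpenShift CA actually reaches each node's trust store (this commit adds that in `openshift_node_certificates`); a node configured without that role, or an existing cluster upgraded before the role is replayed, would start failing registry pulls with a certificate error — hedged, since the full play ordering is outside this diff. The line deserves a comment stating the dependency: `# secure by default: docker must trust the OpenShift CA (installed into ca-trust by openshift_node_certificates)`.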

+ 10 - 0
roles/openshift_node_certificates/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: update ca trust
+  command: update-ca-trust
+  notify:
+  - restart docker after updating ca trust
+
+- name: restart docker after updating ca trust
+  service:
+    name: docker
+    state: restarted
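Review bot: The `restart docker after updating ca trust` handler restarts docker on every node whose CA anchor changed, in one pass with no throttling visible here, and a docker restart takes down every container on that host; the deleted `node_docker_ca.yml` at least waited for the registry deployment before restarting. That is probably fine at install time, when the anchor is written before any pods exist, but on a CA rotation against a running cluster it becomes a cluster-wide disruption — hedged, since the play's `serial` setting is outside this diff. Handler-to-handler `notify` also requires the notified handler to be declared after the notifier, which this file satisfies; a comment would make the constraint explicit: `# must stay declared after 'update ca trust', which notifies it`.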

+ 11 - 0
roles/openshift_node_certificates/tasks/main.yml

@@ -124,3 +124,14 @@
   when: node_certs_missing | bool
   delegate_to: localhost
   become: no
+
+- name: Copy OpenShift CA to system CA trust
+  copy:
+    src: "{{ item.cert }}"
+    dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}"
+    remote_src: yes
+  with_items:
+  - id: openshift
+    cert: "{{ openshift_node_cert_dir }}/ca.crt"
+  notify:
+  - update ca trust
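Review bot: Installing the cluster CA into the system-wide trust store (`/etc/pki/ca-trust/source/anchors`) is a much wider grant than the per-registry `/etc/docker/certs.d/<host>/ca.crt` layout this commit deletes: after this task every TLS client on the node (curl, yum, the node agent itself) trusts any certificate signed by the OpenShift CA, so compromise of the CA key on a master becomes a MITM capability against all node traffic, not only registry pulls. That trade-off should be stated on the task, e.g. `# NOTE: system-wide trust, not docker-only - anything signed by the cluster CA is now trusted by every TLS client on this node`. The `copy` also sets no `mode`, so the anchor's permissions depend on whatever `ca.crt` carries at the source; an explicit `mode: "0644"` keeps the (public) CA readable regardless. The three context lines above the new task belong to a task whose start is outside the hunk.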