
Secure registry improvements.

* Convert oc template calls to jsonpath.
* Wait for deployments to finish before restarting docker.
* Re-organize node CA configuration.
Andrew Butcher 8 years ago
parent
commit
f255943326

+ 124 - 0
playbooks/common/openshift-cluster/node_docker_ca.yml

@@ -0,0 +1,124 @@
+---
+- name: Configure CA certificate for secure registry
+  hosts: oo_nodes_to_config
+  tags:
+  - hosted
+  tasks:
+  - name: Create temp directory for kubeconfig
+    command: mktemp -d /tmp/openshift-ansible-XXXXXX
+    register: mktemp
+    when: openshift_hosted_manage_registry | default(true) | bool
+    changed_when: false
+    delegate_to: "{{ groups.oo_first_master.0 }}"
+    run_once: true
+
+  - set_fact:
+      openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+    when: openshift_hosted_manage_registry | default(true) | bool
+    delegate_to: "{{ groups.oo_first_master.0 }}"
+    run_once: true
+
+  - name: Copy the admin client config(s)
+    command: >
+      cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+    when: openshift_hosted_manage_registry | default(true) | bool
+    changed_when: false
+    delegate_to: "{{ groups.oo_first_master.0 }}"
+    run_once: true
+
+  - name: Retrieve docker-registry route
+    command: >
+      {{ openshift.common.client_binary }} get route docker-registry
+      -o jsonpath='{.spec.host}'
+      --config={{ openshift_hosted_kubeconfig }}
+      -n default
+    register: docker_registry_route
+    when: openshift_hosted_manage_registry | default(true) | bool
+    changed_when: false
+    delegate_to: "{{ groups.oo_first_master.0 }}"
+    run_once: true
+
+  - name: Retrieve registry service IP
+    command: >
+      {{ openshift.common.client_binary }} get svc/docker-registry
+      -o jsonpath='{.spec.clusterIP}'
+      --config={{ openshift_hosted_kubeconfig }}
+      -n default
+    register: docker_registry_service_ip
+    when: openshift_hosted_manage_registry | default(true) | bool
+    changed_when: false
+    delegate_to: "{{ groups.oo_first_master.0 }}"
+    run_once: true
+
+  - name: Create registry CA directories
+    file:
+      path: "/etc/docker/certs.d/{{ item }}"
+      state: directory
+    with_items:
+    - "{{ docker_registry_service_ip.stdout }}:5000"
+    - "{{ docker_registry_route.stdout }}"
+    - "docker-registry.default.svc.cluster.local:5000"
+    when: openshift_hosted_manage_registry | default(true) | bool
+
+  - name: Copy CA to registry CA directories
+    copy:
+      src: "{{ openshift.common.config_base }}/node/ca.crt"
+      dest: "/etc/docker/certs.d/{{ item }}"
+      remote_src: yes
+      force: yes
+    with_items:
+    - "{{ docker_registry_service_ip.stdout }}:5000"
+    - "{{ docker_registry_route.stdout }}"
+    - "docker-registry.default.svc.cluster.local:5000"
+    when: openshift_hosted_manage_registry | default(true) | bool
+    notify:
+    - Wait for docker-registry deployment
+    - Wait for registry-console deployment
+    - Restart docker
+
+  handlers:
+  # Restarting docker before deployments have begun will block the
+  # deployments from ever starting so try waiting for the registry to
+  # become available.
+  - name: Wait for docker-registry deployment
+    command: >
+      {{ openshift.common.client_binary }} get dc/docker-registry
+      -o jsonpath='{.status.availableReplicas}'
+      --config={{ openshift_hosted_kubeconfig }}
+      -n default
+    register: l_docker_registry_available_replicas
+    until: l_docker_registry_available_replicas.stdout | default("0") != "0"
+    retries: 30
+    delay: 1
+    failed_when: false
+    changed_when: false
+
+  - name: Wait for registry-console deployment
+    command: >
+      {{ openshift.common.client_binary }} get dc/registry-console
+      -o jsonpath='{.status.availableReplicas}'
+      --config={{ openshift_hosted_kubeconfig }}
+      -n default
+    register: l_registry_console_available_replicas
+    until: l_registry_console_available_replicas.stdout | default("0") != "0"
+    retries: 30
+    delay: 1
+    failed_when: false
+    changed_when: false
+
+  - name: Restart docker
+    service:
+      name: docker
+      state: restarted
+
+- name: Delete temp directory
+  hosts: oo_first_master
+  tags:
+  - hosted
+  tasks:
+  - name: Delete temp directory
+    file:
+      name: "{{ mktemp.stdout }}"
+      state: absent
+    when: openshift_hosted_manage_registry | default(true) | bool
+    changed_when: False
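Review bot: The closing `Delete temp directory` play cannot see `mktemp`: that result was registered for the oo_nodes_to_config hosts (the task was only delegated to the first master), so unless the first master is itself a configured node the play fails on an undefined `mktemp` and the copy of admin.kubeconfig made under /tmp on the master — cluster-admin credentials — is left behind. Run the cleanup play with `hosts: oo_nodes_to_config`, `delegate_to: "{{ groups.oo_first_master.0 }}"` and `run_once: true`, as the in-play task it replaces did. Separately, the two wait handlers are not delegated, so each node runs `oc get` against a kubeconfig path that only exists on the master; with `failed_when: false` the resulting empty stdout already satisfies `!= "0"`, and the wait returns immediately, which defeats the comment above it. Delegate both handlers to the first master and tighten the condition to `until: l_docker_registry_available_replicas.stdout | default("0") not in ["", "0"]` (same for the console handler); note the handlers still give up after 30 retries and restart docker regardless, which is probably acceptable but worth a comment.
```yaml
  handlers:
  - name: Wait for docker-registry deployment
    # … unchanged: command / register / until / retries / delay / failed_when / changed_when …
    delegate_to: "{{ groups.oo_first_master.0 }}"
    run_once: true

  - name: Wait for registry-console deployment
    # … unchanged: command / register / until / retries / delay / failed_when / changed_when …
    delegate_to: "{{ groups.oo_first_master.0 }}"
    run_once: true

  # … unchanged: Restart docker handler …

- name: Delete temp directory
  hosts: oo_nodes_to_config
  tags:
  - hosted
  tasks:
  - name: Delete temp directory
    file:
      name: "{{ mktemp.stdout }}"
      state: absent
    when: openshift_hosted_manage_registry | default(true) | bool
    changed_when: false
    delegate_to: "{{ groups.oo_first_master.0 }}"
    run_once: true
```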

+ 1 - 102
playbooks/common/openshift-cluster/openshift_hosted.yml

@@ -65,105 +65,4 @@
     openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es' if openshift.hosted.logging.storage_kind | default(none) is not none else '' }}"
 
   - role: cockpit-ui
-    when: openshift.common.version_gte_3_3_or_1_3 | bool
-
-- name: Configure all masters for logging
-  serial: 1
-  handlers:
-  - include: ../../../roles/openshift_master/handlers/main.yml
-    static: yes
-  hosts: oo_masters
-  tasks:
-  - openshift_facts:
-      role: master
-      local_facts:
-        logging_public_url: "https://{{ openshift_hosted_logging_hostname | default('kibana.' ~ openshift_master_default_subdomain) }}"
-    when: openshift.hosted.logging.deploy | default(openshift.common.version_gte_3_3_or_1_3)
-  - modify_yaml:
-      dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
-      yaml_key: assetConfig.loggingPublicURL
-      yaml_value: "{{ openshift.master.logging_public_url }}"
-    notify: restart master
-    when: openshift.hosted.logging.deploy | default(openshift.common.version_gte_3_3_or_1_3)
-
-- name: Configure CA certificate for secure registry
-  hosts: oo_nodes_to_config
-  tags:
-  - hosted
-  tasks:
-  - name: Create temp directory for kubeconfig
-    command: mktemp -d /tmp/openshift-ansible-XXXXXX
-    register: mktemp
-    when: openshift.common.version_gte_3_3_or_1_3 | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - set_fact:
-      openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
-    when: openshift.common.version_gte_3_3_or_1_3 | bool
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - name: Copy the admin client config(s)
-    command: >
-      cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
-    when: openshift.common.version_gte_3_3_or_1_3 | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - name: Retrieve docker-registry route
-    command: >
-      {{ openshift.common.client_binary }} get route docker-registry
-      --template='{{ '{{' }} .spec.host {{ '}}' }}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    register: docker_registry_route
-    when: openshift.common.version_gte_3_3_or_1_3 | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - name: Retrieve registry service IP
-    command: >
-      {{ openshift.common.client_binary }} get service docker-registry
-      --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
-      --config={{ openshift_hosted_kubeconfig }}
-      -n default
-    register: docker_registry_service_ip
-    when: openshift.common.version_gte_3_3_or_1_3 | bool
-    changed_when: false
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  - name: Create registry CA directories
-    file:
-      path: "/etc/docker/certs.d/{{ item }}"
-      state: directory
-    with_items:
-    - "{{ docker_registry_service_ip.stdout }}:5000"
-    - "{{ docker_registry_route.stdout }}"
-    - "docker-registry.default.svc.cluster.local:5000"
-    when: openshift.common.version_gte_3_3_or_1_3 | bool
-  - name: Copy CA to registry CA directories
-    copy:
-      src: "{{ openshift.common.config_base }}/node/ca.crt"
-      dest: "/etc/docker/certs.d/{{ item }}"
-      remote_src: yes
-      force: yes
-    with_items:
-    - "{{ docker_registry_service_ip.stdout }}:5000"
-    - "{{ docker_registry_route.stdout }}"
-    - "docker-registry.default.svc.cluster.local:5000"
-    when: openshift.common.version_gte_3_3_or_1_3 | bool
-    notify:
-    - Restart docker
-  - name: Delete temp directory
-    file:
-      name: "{{ mktemp.stdout }}"
-      state: absent
-    when: openshift.common.version_gte_3_3_or_1_3 | bool
-    changed_when: False
-    delegate_to: "{{ groups.oo_first_master.0 }}"
-    run_once: true
-  handlers:
-  - name: Restart docker
-    service:
-      name: docker
-      state: restarted
+    when: ( openshift.common.version_gte_3_3_or_1_3  | bool ) and ( openshift_hosted_manage_registry | default(true) | bool )
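Review bot: The `Configure all masters for logging` play (setting `assetConfig.loggingPublicURL` and restarting the master) is removed in this hunk with no replacement in any file this commit touches and no mention in the commit message; unless it was relocated in a change not shown here, this silently drops the logging public URL configuration, so either restore it or name the move in the message. On the surviving `when:` line, the padded parentheses and double space read as a leftover; `when: (openshift.common.version_gte_3_3_or_1_3 | bool) and (openshift_hosted_manage_registry | default(true) | bool)` is the conventional spelling.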

+ 2 - 2
roles/cockpit-ui/tasks/main.yml

@@ -36,7 +36,7 @@
 - name: Retrieve docker-registry route
   command: >
     {{ openshift.common.client_binary }} get route docker-registry
-    --template='{{ '{{' }} .spec.host {{ '}}' }}'
+    -o jsonpath='{.spec.host}'
     --config={{ openshift_hosted_kubeconfig }}
     -n default
   register: docker_registry_route
@@ -45,7 +45,7 @@
 - name: Retrieve cockpit kube url
   command: >
     {{ openshift.common.client_binary }} get route registry-console
-    --template='https://{{ '{{' }} .spec.host {{ '}}' }}'
+    -o jsonpath='https://{.spec.host}'
     -n default
   register: registry_console_cockpit_kube_url
   changed_when: false
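Review bot: With `-o jsonpath='https://{.spec.host}'` a route whose host has not been assigned yet yields the bare string `https://` with a zero exit status, where the old Go template would at least have produced a visibly wrong `<no value>`; whatever consumes `registry_console_cockpit_kube_url` downstream (outside this hunk) would then get a URL with no host. A guard such as `failed_when: registry_console_cockpit_kube_url.stdout == 'https://'` on this task makes the failure explicit at the source. The same consideration applies to the `docker-registry` route lookup in the hunk above.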

+ 0 - 1
roles/openshift_hosted/tasks/registry/registry.yml

@@ -53,7 +53,6 @@
 
 - include: secure.yml
   static: no
-  when: openshift.common.deployment_subtype == 'registry'
 
 - include: storage/object_storage.yml
   static: no

+ 49 - 8
roles/openshift_hosted/tasks/registry/secure.yml

@@ -1,5 +1,15 @@
 ---
-- name: Determine if registry certificates must be created
+- name: Create passthrough route for docker-registry
+  command: >
+    {{ openshift.common.client_binary }} create route passthrough
+    --service docker-registry
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: create_docker_registry_route
+  changed_when: "'already exists' not in create_docker_registry_route.stderr"
+  failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"
+
+- name: Determine if registry certificate must be created
   stat:
     path: "{{ openshift_master_config_dir }}/{{ item }}"
   with_items:
@@ -12,7 +22,7 @@
 - name: Retrieve registry service IP
   command: >
     {{ openshift.common.client_binary }} get service docker-registry
-    --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+    -o jsonpath='{.spec.clusterIP}'
     --config={{ openshift_hosted_kubeconfig }}
     -n default
   register: docker_registry_service_ip
@@ -45,8 +55,8 @@
 
 - name: "Add the secret to the registry's pod service accounts"
   command: >
-    {{ openshift.common.client_binary }} secrets link {{ item }} registry-certificates
-    --config={{ openshift_hosted_kubeconfig }}
+    {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates
+    --config={{ openshift_hosted_kubeconfig  }}
     -n default
   with_items:
   - registry
@@ -55,12 +65,12 @@
 - name: Determine if registry-certificates secret volume attached
   command: >
     {{ openshift.common.client_binary }} get dc/docker-registry
-    --template='{{ '{{' }} range .spec.template.spec.volumes {{ '}}' }}{{ '{{' }} .secret.secretName {{ '}}' }}{{ '{{' }} end {{ '}}' }}'
+    -o jsonpath='{.spec.template.spec.volumes[*].secret.secretName}'
     --config={{ openshift_hosted_kubeconfig }}
     -n default
   register: docker_registry_volumes
   changed_when: false
-  failed_when: false
+  failed_when: "'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"
 
 - name: Attach registry-certificates secret volume
   command: >
@@ -71,17 +81,48 @@
    -n default
   when: "'registry-certificates' not in docker_registry_volumes.stdout"
 
-- name: Set registry environment variables for TLS certificate
+- name: Determine if registry environment variables must be set
+  command: >
+    {{ openshift.common.client_binary }} env dc/docker-registry
+    --list
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: docker_registry_env
+  changed_when: false
+
+- name: Configure certificates in registry deplomentConfig
   command: >
     {{ openshift.common.client_binary }} env dc/docker-registry
     REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
     REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
     --config={{ openshift_hosted_kubeconfig }}
     -n default
+  when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"
 
-# These commands are on a single line to preserve patch json.
+- name: Determine if registry liveness probe scheme is HTTPS
+  command: >
+    {{ openshift.common.client_binary }} get dc/docker-registry
+    -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: docker_registry_liveness_probe
+  changed_when: false
+
+# This command is on a single line to preserve patch json.
 - name: Update registry liveness probe from HTTP to HTTPS
   command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+  when: "'HTTPS' not in docker_registry_liveness_probe.stdout"
+
+- name: Determine if registry readiness probe scheme is HTTPS
+  command: >
+    {{ openshift.common.client_binary }} get dc/docker-registry
+    -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
+    --config={{ openshift_hosted_kubeconfig }}
+    -n default
+  register: docker_registry_readiness_probe
+  changed_when: false
 
+# This command is on a single line to preserve patch json.
 - name: Update registry readiness probe from HTTP to HTTPS
   command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+  when: "'HTTPS' not in docker_registry_readiness_probe.stdout"
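Review bot: The new `failed_when` on the volumes lookup inspects `docker_registry_volumes.stdout`, but oc reports jsonpath lookup errors such as `secretName is not found` on stderr with a non-zero rc, so a deploymentConfig whose volumes carry no `secret` entry makes the task fail instead of falling through to the attach step; check the error stream instead: `failed_when: "'secretName is not found' not in docker_registry_volumes.stderr and docker_registry_volumes.rc != 0"`. The service-account step also moves from `secrets link` back to `secrets add`, which as far as I know is the older spelling of the same operation that newer clients deprecate — confirm this was deliberate for the client versions targeted, and drop the stray double space in `--config={{ openshift_hosted_kubeconfig  }}`. A short comment above the passthrough-route task noting that it exposes the registry outside the cluster by default would help, since the `deployment_subtype == 'registry'` gate on this file is removed in the same commit.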