shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107
							---
- name: Set fact docker_registry_route_hostname
  set_fact:
    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"

- name: Get the certificate contents for registry
  copy:
    backup: True
    dest: "/etc/origin/master/named_certificates/{{ item.value | basename }}"
    src: "{{ item.value }}"
  when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
  with_dict: "{{ openshift_hosted_registry_routecertificates }}"

# When certificates are defined we will create the reencrypt
# docker-registry route
- name: Create a reencrypt route for docker-registry
  oc_route:
    name: docker-registry
    namespace: "{{ openshift_hosted_registry_namespace }}"
    service_name: docker-registry
    tls_termination: "{{ openshift_hosted_registry_routetermination }}"
    host: "{{ openshift_hosted_registry_routehost | default(docker_registry_route_hostname) }}"
    cert_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
    key_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
    cacert_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
    dest_cacert_path: /etc/origin/master/ca.crt
  when:
  - "'cafile' in openshift_hosted_registry_routecertificates"
  - "'certfile' in openshift_hosted_registry_routecertificates"
  - "'keyfile' in openshift_hosted_registry_routecertificates"

# When routetermination is passthrough we will create the route
- name: Create passthrough route for docker-registry
  oc_route:
    name: docker-registry
    namespace: "{{ openshift_hosted_registry_namespace }}"
    service_name: docker-registry
    tls_termination: "{{ openshift_hosted_registry_routetermination }}"
    host: "{{ openshift_hosted_registry_routehost | ternary(openshift_hosted_registry_routehost, docker_registry_route_hostname) }}"
  when: openshift_hosted_registry_routetermination == 'passthrough'

- name: Retrieve registry service IP
  oc_service:
    namespace: "{{ openshift_hosted_registry_namespace }}"
    name: docker-registry
    state: list
  register: docker_registry_service_ip

- name: Create registry certificates
  oc_adm_ca_server_cert:
    signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
    signer_key: "{{ openshift_master_config_dir }}/ca.key"
    signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
    hostnames:
    - "{{ docker_registry_service_ip.results.clusterip }}"
    - "{{ openshift_hosted_registry_name }}.default.svc"
    - "{{ openshift_hosted_registry_name }}.default.svc.{{ openshift.common.dns_domain }}"
    - "{{ docker_registry_route_hostname }}"
    cert: "{{ openshift_master_config_dir }}/registry.crt"
    key: "{{ openshift_master_config_dir }}/registry.key"
    expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift.common.deployment_type) | bool else omit }}"
  register: server_cert_out

- name: Create the secret for the registry certificates
  oc_secret:
    name: registry-certificates
    namespace: "{{ openshift_hosted_registry_namespace }}"
    files:
    - name: registry.crt
      path: "{{ openshift_master_config_dir }}/registry.crt"
    - name: registry.key
      path: "{{ openshift_master_config_dir }}/registry.key"
  register: create_registry_certificates_secret_out

- name: Add the secret to the registry's pod service accounts
  oc_serviceaccount_secret:
    service_account: "{{ item }}"
    secret: registry-certificates
    namespace: "{{ openshift_hosted_registry_namespace }}"
  with_items:
  - registry
  - default

- name: Set facts for secure registry
  set_fact:
    registry_secure_volume_mounts:
    - name: registry-certificates
      path: /etc/secrets
      type: secret
      secret_name: registry-certificates
    registry_secure_env_vars:
      REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt
      REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key
    registry_secure_edits:
    - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme
      value: HTTPS
      action: put
    - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
      value: HTTPS
      action: put

- name: Update openshift_hosted facts with secure registry variables
  set_fact:
    openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}"
    openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}"
    openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}"
    openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([server_cert_out.changed]) | union([create_registry_certificates_secret_out.changed]) }}"