shixiong
/
okd


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132
							---
- name: Create passthrough route for docker-registry
  oc_route:
    kubeconfig: "{{ openshift_hosted_kubeconfig }}"
    name: docker-registry
    namespace: default
    service_name: docker-registry
    state: present
    tls_termination: passthrough
  run_once: true

- name: Determine if registry certificate must be created
  stat:
    path: "{{ openshift_master_config_dir }}/{{ item }}"
  with_items:
  - registry.crt
  - registry.key
  register: docker_registry_certificates_stat_result
  changed_when: false
  failed_when: false

- name: Retrieve registry service IP
  oc_service:
    namespace: default
    name: docker-registry
    state: list
  register: docker_registry_service_ip
  changed_when: false

- set_fact:
    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"

- name: Create registry certificates if they do not exist
  command: >
    {{ openshift.common.client_binary }} adm ca create-server-cert
    --signer-cert={{ openshift_master_config_dir }}/ca.crt
    --signer-key={{ openshift_master_config_dir }}/ca.key
    --signer-serial={{ openshift_master_config_dir }}/ca.serial.txt
    --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
    --cert={{ openshift_master_config_dir }}/registry.crt
    --key={{ openshift_master_config_dir }}/registry.key
  when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list)

- name: Create the secret for the registry certificates
  oc_secret:
    kubeconfig: "{{ openshift_hosted_kubeconfig }}"
    name: registry-certificates
    namespace: default
    state: present
    files:
    - name: registry.crt
      path: "{{ openshift_master_config_dir }}/registry.crt"
    - name: registry.key
      path: "{{ openshift_master_config_dir }}/registry.key"
  register: create_registry_certificates_secret
  run_once: true

- name: "Add the secret to the registry's pod service accounts"
  oc_serviceaccount_secret:
    service_account: "{{ item }}"
    secret: registry-certificates
    namespace: default
    kubeconfig: "{{ openshift_hosted_kubeconfig  }}"
    state: present
  with_items:
  - registry
  - default

- name: Determine if registry-certificates secret volume attached
  command: >
    {{ openshift.common.client_binary }} get dc/docker-registry
    -o jsonpath='{.spec.template.spec.volumes[?(@.secret)].secret.secretName}'
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: docker_registry_volumes
  changed_when: false
  failed_when: "docker_registry_volumes.stdout != '' and 'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"

- name: Attach registry-certificates secret volume
  command: >
   {{ openshift.common.client_binary }} volume dc/docker-registry --add --type=secret
   --secret-name=registry-certificates
   -m /etc/secrets
   --config={{ openshift_hosted_kubeconfig }}
   -n default
  when: "'registry-certificates' not in docker_registry_volumes.stdout"

- name: Determine if registry environment variables must be set
  command: >
    {{ openshift.common.client_binary }} env dc/docker-registry
    --list
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: docker_registry_env
  changed_when: false

- name: Configure certificates in registry deplomentConfig
  command: >
    {{ openshift.common.client_binary }} env dc/docker-registry
    REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
    REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"

- name: Determine if registry liveness probe scheme is HTTPS
  command: >
    {{ openshift.common.client_binary }} get dc/docker-registry
    -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: docker_registry_liveness_probe
  changed_when: false

# This command is on a single line to preserve patch json.
- name: Update registry liveness probe from HTTP to HTTPS
  command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
  when: "'HTTPS' not in docker_registry_liveness_probe.stdout"

- name: Determine if registry readiness probe scheme is HTTPS
  command: >
    {{ openshift.common.client_binary }} get dc/docker-registry
    -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: docker_registry_readiness_probe
  changed_when: false

# This command is on a single line to preserve patch json.
- name: Update registry readiness probe from HTTP to HTTPS
  command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
  when: "'HTTPS' not in docker_registry_readiness_probe.stdout"