Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a46b63f8dd
Branches Tags
okd
/
roles
/
openshift_hosted
/
tasks
/
registry
/
secure.yml

secure.yml 3.0 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. ---
    2. 

  2. - name: Set fact docker_registry_route_hostname
    3. 

  3.   set_fact:
    4. 

  4.     docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
    5. 

  5. 

  6. - name: Create passthrough route for docker-registry
    7. 

  7.   oc_route:
    8. 

  8.     name: docker-registry
    9. 

  9.     namespace: "{{ openshift_hosted_registry_namespace }}"
    10. 

  10.     service_name: docker-registry
    11. 

  11.     tls_termination: passthrough
    12. 

  12.     host: "{{ docker_registry_route_hostname }}"
    13. 

  13. 

  14. - name: Retrieve registry service IP
    15. 

  15.   oc_service:
    16. 

  16.     namespace: "{{ openshift_hosted_registry_namespace }}"
    17. 

  17.     name: docker-registry
    18. 

  18.     state: list
    19. 

  19.   register: docker_registry_service_ip
    20. 

  20. 

  21. - name: Create registry certificates
    22. 

  22.   oc_adm_ca_server_cert:
    23. 

  23.     signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
    24. 

  24.     signer_key: "{{ openshift_master_config_dir }}/ca.key"
    25. 

  25.     signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
    26. 

  26.     hostnames:
    27. 

  27.     - "{{ docker_registry_service_ip.results.clusterip }}"
    28. 

  28.     - docker-registry.default.svc.cluster.local
    29. 

  29.     - "{{ docker_registry_route_hostname }}"
    30. 

  30.     cert: "{{ openshift_master_config_dir }}/registry.crt"
    31. 

  31.     key: "{{ openshift_master_config_dir }}/registry.key"
    32. 

  32.   register: server_cert_out
    33. 

  33. 

  34. - name: Create the secret for the registry certificates
    35. 

  35.   oc_secret:
    36. 

  36.     name: registry-certificates
    37. 

  37.     namespace: "{{ openshift_hosted_registry_namespace }}"
    38. 

  38.     files:
    39. 

  39.     - name: registry.crt
    40. 

  40.       path: "{{ openshift_master_config_dir }}/registry.crt"
    41. 

  41.     - name: registry.key
    42. 

  42.       path: "{{ openshift_master_config_dir }}/registry.key"
    43. 

  43.   register: create_registry_certificates_secret_out
    44. 

  44. 

  45. - name: Add the secret to the registry's pod service accounts
    46. 

  46.   oc_serviceaccount_secret:
    47. 

  47.     service_account: "{{ item }}"
    48. 

  48.     secret: registry-certificates
    49. 

  49.     namespace: "{{ openshift_hosted_registry_namespace }}"
    50. 

  50.   with_items:
    51. 

  51.   - registry
    52. 

  52.   - default
    53. 

  53. 

  54. - name: Set facts for secure registry
    55. 

  55.   set_fact:
    56. 

  56.     registry_secure_volume_mounts:
    57. 

  57.     - name: registry-certificates
    58. 

  58.       path: /etc/secrets
    59. 

  59.       type: secret
    60. 

  60.       secret_name: registry-certificates
    61. 

  61.     registry_secure_env_vars:
    62. 

  62.       REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt
    63. 

  63.       REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key
    64. 

  64.     registry_secure_edits:
    65. 

  65.     - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme
    66. 

  66.       value: HTTPS
    67. 

  67.       action: put
    68. 

  68.     - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
    69. 

  69.       value: HTTPS
    70. 

  70.       action: put
    71. 

  71. 

  72. - name: Update openshift_hosted facts with secure registry variables
    73. 

  73.   set_fact:
    74. 

  74.     openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}"
    75. 

  75.     openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}"
    76. 

  76.     openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}"
    77. 

  77.     openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([server_cert_out.changed]) | union([create_registry_certificates_secret_out.changed]) }}"
    78.