okd/roles/openshift_hosted/tasks/secure/reencrypt.yml

---
- name: Validate route termination configuration
  fail:
    msg: >
     When 'openshift_hosted_registry_routetermination' is 'reencrypt', you must
     provide certificate files with 'openshift_hosted_registry_routecertificates'
  when: ('certfile' not in openshift_hosted_registry_routecertificates) or
        ('keyfile' not in openshift_hosted_registry_routecertificates) or
        ('cafile' not in openshift_hosted_registry_routecertificates)

- name: Configure self-signed certificate file paths
  set_fact:
    docker_registry_cert_path: "/etc/origin/master/registry.crt"
    docker_registry_key_path: "/etc/origin/master/registry.key"
    docker_registry_cacert_path: "/etc/origin/master/ca.crt"
    docker_registry_self_signed: true

- name: Retrieve provided certificate files
  copy:
    backup: True
    dest: "/etc/origin/master/named_certificates/{{ item.value | basename }}"
    src: "{{ item.value }}"
  when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
  with_dict: "{{ openshift_hosted_registry_routecertificates }}"

# Encrypt with the provided certificate and provide the dest_cacert for the
# self-signed certificate at the endpoint
- name: Configure a reencrypt route for docker-registry
  oc_route:
    name: docker-registry
    namespace: "{{ openshift_hosted_registry_namespace }}"
    service_name: docker-registry
    tls_termination: "{{ openshift_hosted_registry_routetermination }}"
    host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}"
    cert_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
    key_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
    cacert_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
    dest_cacert_path: "/etc/origin/master/ca.crt"