shixiong
/
okd


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697
							---
- name: Set fact docker_registry_route_hostname
  set_fact:
    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
  run_once: true

- debug: var=openshift_hosted_registry_routecertificates

- name: Get the certificate contents for registry
  copy:
    backup: True
    dest: "/etc/origin/master/named_certificates/{{ item.value | basename }}"
    src: "{{ item.value }}"
  when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value is not None
  with_dict: "{{ openshift_hosted_registry_routecertificates }}"
  when: openshift_hosted_registry_routecertificates

- debug: var=openshift_hosted_registry_route_termination

- name: Create passthrough route for docker-registry
  oc_route:
    name: docker-registry
    namespace: "{{ openshift_hosted_registry_namespace }}"
    service_name: docker-registry
    tls_termination: "{{ openshift_hosted_registry_routetermination }}"
    host: "{{ openshift_hosted_registry_routehost | default(docker_registry_route_hostname) }}"
    cert_path: "{{ ('certfile' in openshift_hosted_registry_routecertificates) | ternary('/etc/origin/master/named_certificates/' ~ (openshift_hosted_registry_routecertificates.certfile | basename), omit) }}"
    key_path: "{{ ('keyfile' in openshift_hosted_registry_routecertificates) | ternary('/etc/origin/master/named_certificates/' ~ (openshift_hosted_registry_routecertificates.keyfile | basename), omit) }}"
    cacert_path: "{{ ('cafile' in openshift_hosted_registry_routecertificates) | ternary('/etc/origin/master/named_certificates/' ~ (openshift_hosted_registry_routecertificates.cafile | basename), omit) }}"
    dest_cacert_path: "{{ (openshift_hosted_registry_routetermination == 'reencrypt') | ternary('/etc/origin/master/ca.crt', omit) }}"
  run_once: true

- name: Retrieve registry service IP
  oc_service:
    namespace: "{{ openshift_hosted_registry_namespace }}"
    name: docker-registry
    state: list
  register: docker_registry_service_ip
  run_once: true

- name: Create registry certificates
  oc_adm_ca_server_cert:
    signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
    signer_key: "{{ openshift_master_config_dir }}/ca.key"
    signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
    hostnames:
    - "{{ docker_registry_service_ip.results.clusterip }}"
    - docker-registry.default.svc.cluster.local
    - "{{ docker_registry_route_hostname }}"
    cert: "{{ openshift_master_config_dir }}/registry.crt"
    key: "{{ openshift_master_config_dir }}/registry.key"
  register: server_cert_out

- name: Create the secret for the registry certificates
  oc_secret:
    name: registry-certificates
    namespace: "{{ openshift_hosted_registry_namespace }}"
    files:
    - name: registry.crt
      path: "{{ openshift_master_config_dir }}/registry.crt"
    - name: registry.key
      path: "{{ openshift_master_config_dir }}/registry.key"
  register: create_registry_certificates_secret_out

- name: Add the secret to the registry's pod service accounts
  oc_serviceaccount_secret:
    service_account: "{{ item }}"
    secret: registry-certificates
    namespace: "{{ openshift_hosted_registry_namespace }}"
  with_items:
  - registry
  - default

- name: Set facts for secure registry
  set_fact:
    registry_secure_volume_mounts:
    - name: registry-certificates
      path: /etc/secrets
      type: secret
      secret_name: registry-certificates
    registry_secure_env_vars:
      REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt
      REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key
    registry_secure_edits:
    - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme
      value: HTTPS
      action: put
    - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
      value: HTTPS
      action: put

- name: Update openshift_hosted facts with secure registry variables
  set_fact:
    openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}"
    openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}"
    openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}"
    openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([server_cert_out.changed]) | union([create_registry_certificates_secret_out.changed]) }}"