author | Andrew Butcher <abutcher@redhat.com> | 2016-09-21 10:32:22 -0400 |
---|---|---|
committer | Samuel Munilla <smunilla@redhat.com> | 2016-09-29 15:16:39 -0400 |
commit | f255943326ad3be91d233609ec5e61382302fff5 (patch) | |
tree | 9e2a96b8ec3ef25d109d663d6b1fcb79b8500937 /playbooks/common/openshift-cluster/node_docker_ca.yml | |
parent | a3ab3d539bb57bc224b3f4457a0bfc68484cf8ee (diff) | |
Secure registry improvements.
* Convert oc template calls to jsonpath.
* Wait for deployments to finish before restarting docker.
* Re-organize node ca configuration.
Diffstat (limited to 'playbooks/common/openshift-cluster/node_docker_ca.yml')
-rw-r--r-- | playbooks/common/openshift-cluster/node_docker_ca.yml | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/playbooks/common/openshift-cluster/node_docker_ca.yml b/playbooks/common/openshift-cluster/node_docker_ca.yml
new file mode 100644
index 000000000..6482c827b
--- /dev/null
+++ b/playbooks/common/openshift-cluster/node_docker_ca.yml
@@ -0,0 +1,124 @@
+---
+- name: Configure CA certificate for secure registry
+ hosts: oo_nodes_to_config
+ tags:
+ - hosted
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - set_fact:
+ openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ when: openshift_hosted_manage_registry | default(true) | bool
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - name: Copy the admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - name: Retrieve docker-registry route
+ command: >
+ {{ openshift.common.client_binary }} get route docker-registry
+ -o jsonpath='{.spec.host}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_route
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - name: Retrieve registry service IP
+ command: >
+ {{ openshift.common.client_binary }} get svc/docker-registry
+ -o jsonpath='{.spec.clusterIP}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_service_ip
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - name: Create registry CA directories
+ file:
+ path: "/etc/docker/certs.d/{{ item }}"
+ state: directory
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift_hosted_manage_registry | default(true) | bool
+
+ - name: Copy CA to registry CA directories
+ copy:
+ src: "{{ openshift.common.config_base }}/node/ca.crt"
+ dest: "/etc/docker/certs.d/{{ item }}"
+ remote_src: yes
+ force: yes
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift_hosted_manage_registry | default(true) | bool
+ notify:
+ - Wait for docker-registry deployment
+ - Wait for registry-console deployment
+ - Restart docker
+
+ handlers:
+ # Restarting docker before deployments have begun will block the
+ # deployments from ever starting so try waiting for the registry to
+ # become available.
+ - name: Wait for docker-registry deployment
+ command: >
+ {{ openshift.common.client_binary }} get dc/docker-registry
+ -o jsonpath='{.status.availableReplicas}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: l_docker_registry_available_replicas
+ until: l_docker_registry_available_replicas.stdout | default("0") != "0"
+ retries: 30
+ delay: 1
+ failed_when: false
+ changed_when: false
+
+ - name: Wait for registry-console deployment
+ command: >
+ {{ openshift.common.client_binary }} get dc/registry-console
+ -o jsonpath='{.status.availableReplicas}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: l_registry_console_available_replicas
+ until: l_registry_console_available_replicas.stdout | default("0") != "0"
+ retries: 30
+ delay: 1
+ failed_when: false
+ changed_when: false
+
+ - name: Restart docker
+ service:
+ name: docker
+ state: restarted
+
+- name: Delete temp directory
+ hosts: oo_first_master
+ tags:
+ - hosted
+ tasks:
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: False |
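Review bot: The two "Wait for … deployment" handlers carry no `delegate_to`/`run_once`, so `{{ openshift.common.client_binary }} … --config={{ openshift_hosted_kubeconfig }}` runs on every oo_nodes_to_config host, where the temp admin kubeconfig created on the first master presumably does not exist. With `failed_when: false` that failure is hidden, and since `default("0")` only replaces an undefined value, an empty stdout makes `until` succeed on the first try, so docker is restarted without the wait the handler comment promises. Add `delegate_to: "{{ groups.oo_first_master.0 }}"` and `run_once: true` to both handlers and test with `until: (l_docker_registry_available_replicas.stdout | default("0", true) | int) > 0` (likewise for the registry-console handler). Separately, the admin.kubeconfig copy under `{{ mktemp.stdout }}` is only removed by the second play, so any failure in the first play leaves that admin credential in /tmp on the first master; a `block`/`always` cleanup in the first play would close that gap. Minor: `remote_src: yes`, `force: yes` and `changed_when: False` mix truthy spellings with the `true`/`false` used elsewhere in the file.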