Refactor openshift_hosted plays and role

Currently, openshift_hosted role duplicates some logic
across separate task chains.  This commit cleans up
the openshift_hosted role and converts it to be
primarily used with include_role to give better
logic to the playbooks that utilize this role.

This commit also refactors the playbook that calls
various openshift_hosted roles into individual playbooks.
This allows more granularity for advanced users.

1 files changed, 119 insertions, 0 deletions

diff --git a/roles/openshift_hosted/tasks/secure.yml b/roles/openshift_hosted/tasks/secure.yml
new file mode 100644
index 000000000..0da8ac8a7
--- /dev/null
+++ b/roles/openshift_hosted/tasks/secure.yml
@@ -0,0 +1,119 @@
+---
+- name: Configure facts for docker-registry
+  set_fact:
+    openshift_hosted_registry_routecertificates: "{{ ('routecertificates' in openshift.hosted.registry.keys()) | ternary(openshift_hosted_registry_routecertificates, {}) }}"
+    openshift_hosted_registry_routehost: "{{ ('routehost' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routehost, False) }}"
+    openshift_hosted_registry_routetermination: "{{ ('routetermination' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routetermination, 'passthrough') }}"
+
+- name: Include reencrypt route configuration
+  include: secure/reencrypt.yml
+  static: no
+  when: openshift_hosted_registry_routetermination == 'reencrypt'
+
+- name: Include passthrough route configuration
+  include: secure/passthrough.yml
+  static: no
+  when: openshift_hosted_registry_routetermination == 'passthrough'
+
+- name: Fetch the docker-registry route
+  oc_route:
+    name: docker-registry
+    namespace: default
+    state: list
+  register: docker_registry_route
+
+- name: Retrieve registry service for the clusterip
+  oc_service:
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+    name: docker-registry
+    state: list
+  register: docker_registry_service
+
+- name: Generate self-signed docker-registry certificates
+  oc_adm_ca_server_cert:
+    signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
+    signer_key: "{{ openshift_master_config_dir }}/ca.key"
+    signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+    hostnames:
+    - "{{ docker_registry_service.results.clusterip }}"
+    - "{{ docker_registry_route.results[0].spec.host }}"
+    - "{{ openshift_hosted_registry_name }}.default.svc"
+    - "{{ openshift_hosted_registry_name }}.default.svc.{{ openshift_cluster_domain }}"
+    - "{{ openshift_hosted_registry_routehost }}"
+    cert: "{{ docker_registry_cert_path }}"
+    key: "{{ docker_registry_key_path }}"
+    expire_days: "{{ openshift_hosted_registry_cert_expire_days if openshift_version | oo_version_gte_3_5_or_1_5(openshift_deployment_type) | bool else omit }}"
+  register: registry_self_cert
+  when: docker_registry_self_signed
+
+# Setting up REGISTRY_HTTP_TLS_CLIENTCAS as the cacert doesn't seem to work.
+# If we need to set up a cacert, bundle it with the cert.
+- when: docker_registry_cacert_path is defined
+  block:
+  - name: Retrieve certificate files to generate certificate bundle
+    slurp:
+      src: "{{ item }}"
+    with_items:
+    - "{{ docker_registry_cert_path }}"
+    - "{{ docker_registry_cacert_path }}"
+    register: certificate_files
+
+  - name: Generate certificate bundle
+    copy:
+      content: "{{ certificate_files.results | map(attribute='content') | map('b64decode') | join('') }}"
+      dest: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem"
+
+  - name: Reset the certificate path to use the bundle
+    set_fact:
+      docker_registry_cert_path: "{{ openshift_master_config_dir }}/named_certificates/docker-registry.pem"
+
+- name: Create the secret for the registry certificates
+  oc_secret:
+    name: registry-certificates
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+    files:
+    - name: registry.crt
+      path: "{{ docker_registry_cert_path }}"
+    - name: registry.key
+      path: "{{ docker_registry_key_path }}"
+  register: create_registry_certificates_secret_out
+
+- name: Add the secret to the registry's pod service accounts
+  oc_serviceaccount_secret:
+    service_account: "{{ item }}"
+    secret: registry-certificates
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+  with_items:
+  - registry
+  - default
+
+- name: Set facts for secure registry
+  set_fact:
+    registry_secure_volume_mounts:
+    - name: registry-certificates
+      path: /etc/secrets
+      type: secret
+      secret_name: registry-certificates
+    registry_secure_env_vars:
+      REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt
+      REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key
+    registry_secure_edits:
+    - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme
+      value: HTTPS
+      action: put
+    - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
+      value: HTTPS
+      action: put
+
+- name: Detect if there has been certificate changes
+  set_fact:
+    registry_cert_changed: true
+  when: ( registry_self_cert is defined and registry_self_cert.changed ) or
+        create_registry_certificates_secret_out.changed
+
+- name: Update openshift_hosted facts with secure registry variables
+  set_fact:
+    openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}"
+    openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}"
+    openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}"
+    openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([registry_cert_changed | default(false)]) }}"