-rw-r--r--playbooks/common/openshift-cluster/node_docker_ca.yml124
-rw-r--r--playbooks/common/openshift-cluster/openshift_hosted.yml103
-rw-r--r--roles/cockpit-ui/tasks/main.yml4
-rw-r--r--roles/openshift_hosted/tasks/registry/registry.yml1
-rw-r--r--roles/openshift_hosted/tasks/registry/secure.yml57
5 files changed, 176 insertions, 113 deletions
diff --git a/playbooks/common/openshift-cluster/node_docker_ca.yml b/playbooks/common/openshift-cluster/node_docker_ca.yml
new file mode 100644
index 000000000..6482c827b
--- /dev/null
+++ b/playbooks/common/openshift-cluster/node_docker_ca.yml
@@ -0,0 +1,124 @@
+---
+- name: Configure CA certificate for secure registry
+ hosts: oo_nodes_to_config
+ tags:
+ - hosted
+ tasks:
+ - name: Create temp directory for kubeconfig
+ command: mktemp -d /tmp/openshift-ansible-XXXXXX
+ register: mktemp
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - set_fact:
+ openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+ when: openshift_hosted_manage_registry | default(true) | bool
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - name: Copy the admin client config(s)
+ command: >
+ cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - name: Retrieve docker-registry route
+ command: >
+ {{ openshift.common.client_binary }} get route docker-registry
+ -o jsonpath='{.spec.host}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_route
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - name: Retrieve registry service IP
+ command: >
+ {{ openshift.common.client_binary }} get svc/docker-registry
+ -o jsonpath='{.spec.clusterIP}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_service_ip
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: false
+ delegate_to: "{{ groups.oo_first_master.0 }}"
+ run_once: true
+
+ - name: Create registry CA directories
+ file:
+ path: "/etc/docker/certs.d/{{ item }}"
+ state: directory
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift_hosted_manage_registry | default(true) | bool
+
+ - name: Copy CA to registry CA directories
+ copy:
+ src: "{{ openshift.common.config_base }}/node/ca.crt"
+ dest: "/etc/docker/certs.d/{{ item }}"
+ remote_src: yes
+ force: yes
+ with_items:
+ - "{{ docker_registry_service_ip.stdout }}:5000"
+ - "{{ docker_registry_route.stdout }}"
+ - "docker-registry.default.svc.cluster.local:5000"
+ when: openshift_hosted_manage_registry | default(true) | bool
+ notify:
+ - Wait for docker-registry deployment
+ - Wait for registry-console deployment
+ - Restart docker
+
+ handlers:
+ # Restarting docker before deployments have begun will block the
+ # deployments from ever starting so try waiting for the registry to
+ # become available.
+ - name: Wait for docker-registry deployment
+ command: >
+ {{ openshift.common.client_binary }} get dc/docker-registry
+ -o jsonpath='{.status.availableReplicas}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: l_docker_registry_available_replicas
+ until: l_docker_registry_available_replicas.stdout | default("0") != "0"
+ retries: 30
+ delay: 1
+ failed_when: false
+ changed_when: false
+
+ - name: Wait for registry-console deployment
+ command: >
+ {{ openshift.common.client_binary }} get dc/registry-console
+ -o jsonpath='{.status.availableReplicas}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: l_registry_console_available_replicas
+ until: l_registry_console_available_replicas.stdout | default("0") != "0"
+ retries: 30
+ delay: 1
+ failed_when: false
+ changed_when: false
+
+ - name: Restart docker
+ service:
+ name: docker
+ state: restarted
+
+- name: Delete temp directory
+ hosts: oo_first_master
+ tags:
+ - hosted
+ tasks:
+ - name: Delete temp directory
+ file:
+ name: "{{ mktemp.stdout }}"
+ state: absent
+ when: openshift_hosted_manage_registry | default(true) | bool
+ changed_when: False
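Review bot: The two wait handlers (`Wait for docker-registry deployment` and `Wait for registry-console deployment`) run on the node host, but the kubeconfig they pass, `{{ openshift_hosted_kubeconfig }}`, was written by tasks delegated to `{{ groups.oo_first_master.0 }}`, so on a node that file does not exist. `failed_when: false` hides the resulting error, and because `default("0")` only substitutes when the variable is undefined, the empty stdout satisfies `until` on the first attempt and `Restart docker` fires immediately, which is exactly what the comment above the handlers says must be avoided. Both handlers should carry `delegate_to: "{{ groups.oo_first_master.0 }}"` and `run_once: true` like the retrieval tasks, and the condition should treat empty output as zero, e.g. `until: l_docker_registry_available_replicas.stdout | default("0", true) != "0"`. Separately, the `Delete temp directory` play targets oo_first_master while `mktemp` was registered in a play over oo_nodes_to_config; if the first master is not also in that group the variable is likely undefined there and the cleanup play fails.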
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index 044de2c94..ea9ba14e1 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -65,105 +65,4 @@
openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es' if openshift.hosted.logging.storage_kind | default(none) is not none else '' }}"
- role: cockpit-ui
- when: openshift.common.version_gte_3_3_or_1_3 | bool
-
-- name: Configure all masters for logging
- serial: 1
- handlers:
- - include: ../../../roles/openshift_master/handlers/main.yml
- static: yes
- hosts: oo_masters
- tasks:
- - openshift_facts:
- role: master
- local_facts:
- logging_public_url: "https://{{ openshift_hosted_logging_hostname | default('kibana.' ~ openshift_master_default_subdomain) }}"
- when: openshift.hosted.logging.deploy | default(openshift.common.version_gte_3_3_or_1_3)
- - modify_yaml:
- dest: "{{ openshift.common.config_base }}/master/master-config.yaml"
- yaml_key: assetConfig.loggingPublicURL
- yaml_value: "{{ openshift.master.logging_public_url }}"
- notify: restart master
- when: openshift.hosted.logging.deploy | default(openshift.common.version_gte_3_3_or_1_3)
-
-- name: Configure CA certificate for secure registry
- hosts: oo_nodes_to_config
- tags:
- - hosted
- tasks:
- - name: Create temp directory for kubeconfig
- command: mktemp -d /tmp/openshift-ansible-XXXXXX
- register: mktemp
- when: openshift.common.version_gte_3_3_or_1_3 | bool
- changed_when: false
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
- - set_fact:
- openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
- when: openshift.common.version_gte_3_3_or_1_3 | bool
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
- - name: Copy the admin client config(s)
- command: >
- cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
- when: openshift.common.version_gte_3_3_or_1_3 | bool
- changed_when: false
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
- - name: Retrieve docker-registry route
- command: >
- {{ openshift.common.client_binary }} get route docker-registry
- --template='{{ '{{' }} .spec.host {{ '}}' }}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- register: docker_registry_route
- when: openshift.common.version_gte_3_3_or_1_3 | bool
- changed_when: false
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
- - name: Retrieve registry service IP
- command: >
- {{ openshift.common.client_binary }} get service docker-registry
- --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
- --config={{ openshift_hosted_kubeconfig }}
- -n default
- register: docker_registry_service_ip
- when: openshift.common.version_gte_3_3_or_1_3 | bool
- changed_when: false
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
- - name: Create registry CA directories
- file:
- path: "/etc/docker/certs.d/{{ item }}"
- state: directory
- with_items:
- - "{{ docker_registry_service_ip.stdout }}:5000"
- - "{{ docker_registry_route.stdout }}"
- - "docker-registry.default.svc.cluster.local:5000"
- when: openshift.common.version_gte_3_3_or_1_3 | bool
- - name: Copy CA to registry CA directories
- copy:
- src: "{{ openshift.common.config_base }}/node/ca.crt"
- dest: "/etc/docker/certs.d/{{ item }}"
- remote_src: yes
- force: yes
- with_items:
- - "{{ docker_registry_service_ip.stdout }}:5000"
- - "{{ docker_registry_route.stdout }}"
- - "docker-registry.default.svc.cluster.local:5000"
- when: openshift.common.version_gte_3_3_or_1_3 | bool
- notify:
- - Restart docker
- - name: Delete temp directory
- file:
- name: "{{ mktemp.stdout }}"
- state: absent
- when: openshift.common.version_gte_3_3_or_1_3 | bool
- changed_when: False
- delegate_to: "{{ groups.oo_first_master.0 }}"
- run_once: true
- handlers:
- - name: Restart docker
- service:
- name: docker
- state: restarted
+ when: ( openshift.common.version_gte_3_3_or_1_3 | bool ) and ( openshift_hosted_manage_registry | default(true) | bool )
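Review bot: The `Configure all masters for logging` play removed here (the `openshift_facts` and `modify_yaml` tasks that set `assetConfig.loggingPublicURL`) does not reappear in any file of this diff, whereas the CA play it sits next to was moved to node_docker_ca.yml. If it was dropped on purpose or already lives elsewhere, the commit message should say so; otherwise this looks like an unintended loss of the logging URL configuration. The roles list that the new `when:` belongs to starts before this hunk.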
diff --git a/roles/cockpit-ui/tasks/main.yml b/roles/cockpit-ui/tasks/main.yml
index 953357392..c573da6d6 100644
--- a/roles/cockpit-ui/tasks/main.yml
+++ b/roles/cockpit-ui/tasks/main.yml
@@ -36,7 +36,7 @@
- name: Retrieve docker-registry route
command: >
{{ openshift.common.client_binary }} get route docker-registry
- --template='{{ '{{' }} .spec.host {{ '}}' }}'
+ -o jsonpath='{.spec.host}'
--config={{ openshift_hosted_kubeconfig }}
-n default
register: docker_registry_route
@@ -45,7 +45,7 @@
- name: Retrieve cockpit kube url
command: >
{{ openshift.common.client_binary }} get route registry-console
- --template='https://{{ '{{' }} .spec.host {{ '}}' }}'
+ -o jsonpath='https://{.spec.host}'
-n default
register: registry_console_cockpit_kube_url
changed_when: false
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index d5077932b..ed0a2b38d 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -53,7 +53,6 @@
- include: secure.yml
static: no
- when: openshift.common.deployment_subtype == 'registry'
- include: storage/object_storage.yml
static: no
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index 4cb85df04..664edef41 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -1,5 +1,15 @@
---
-- name: Determine if registry certificates must be created
+- name: Create passthrough route for docker-registry
+ command: >
+ {{ openshift.common.client_binary }} create route passthrough
+ --service docker-registry
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: create_docker_registry_route
+ changed_when: "'already exists' not in create_docker_registry_route.stderr"
+ failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"
+
+- name: Determine if registry certificate must be created
stat:
path: "{{ openshift_master_config_dir }}/{{ item }}"
with_items:
@@ -12,7 +22,7 @@
- name: Retrieve registry service IP
command: >
{{ openshift.common.client_binary }} get service docker-registry
- --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}'
+ -o jsonpath='{.spec.clusterIP}'
--config={{ openshift_hosted_kubeconfig }}
-n default
register: docker_registry_service_ip
@@ -45,8 +55,8 @@
- name: "Add the secret to the registry's pod service accounts"
command: >
- {{ openshift.common.client_binary }} secrets link {{ item }} registry-certificates
- --config={{ openshift_hosted_kubeconfig }}
+ {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates
+ --config={{ openshift_hosted_kubeconfig }}
-n default
with_items:
- registry
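Review bot: The new line `{{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates` reverts `secrets link` to `secrets add`; in newer `oc` releases `secrets add` is the deprecated alias and `secrets link` the supported form, so this is only a gain for clusters whose client lacks `link`. If that compatibility is the reason, a comment such as `# 'secrets add' is used because the targeted oc client lacks 'secrets link'` would keep a later reviewer from flipping it back. The `with_items` list continues outside the hunk.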
@@ -55,12 +65,12 @@
- name: Determine if registry-certificates secret volume attached
command: >
{{ openshift.common.client_binary }} get dc/docker-registry
- --template='{{ '{{' }} range .spec.template.spec.volumes {{ '}}' }}{{ '{{' }} .secret.secretName {{ '}}' }}{{ '{{' }} end {{ '}}' }}'
+ -o jsonpath='{.spec.template.spec.volumes[*].secret.secretName}'
--config={{ openshift_hosted_kubeconfig }}
-n default
register: docker_registry_volumes
changed_when: false
- failed_when: false
+ failed_when: "'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"
- name: Attach registry-certificates secret volume
command: >
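Review bot: The replacement `failed_when` looks for `secretName is not found` in `docker_registry_volumes.stdout`, but jsonpath execution errors from `oc get` are normally written to stderr rather than stdout; if that holds here, a deploymentConfig whose volumes carry no `secret` block still fails the task on `rc != 0`, the case this condition was meant to tolerate. Checking both streams avoids the false failure: `failed_when: "'secretName is not found' not in docker_registry_volumes.stderr and 'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"`. The `Attach registry-certificates secret volume` task that follows continues outside the hunk.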
@@ -71,17 +81,48 @@
-n default
when: "'registry-certificates' not in docker_registry_volumes.stdout"
-- name: Set registry environment variables for TLS certificate
+- name: Determine if registry environment variables must be set
+ command: >
+ {{ openshift.common.client_binary }} env dc/docker-registry
+ --list
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_env
+ changed_when: false
+
+- name: Configure certificates in registry deplomentConfig
command: >
{{ openshift.common.client_binary }} env dc/docker-registry
REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
--config={{ openshift_hosted_kubeconfig }}
-n default
+ when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"
-# These commands are on a single line to preserve patch json.
+- name: Determine if registry liveness probe scheme is HTTPS
+ command: >
+ {{ openshift.common.client_binary }} get dc/docker-registry
+ -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_liveness_probe
+ changed_when: false
+
+# This command is on a single line to preserve patch json.
- name: Update registry liveness probe from HTTP to HTTPS
command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+ when: "'HTTPS' not in docker_registry_liveness_probe.stdout"
+
+- name: Determine if registry readiness probe scheme is HTTPS
+ command: >
+ {{ openshift.common.client_binary }} get dc/docker-registry
+ -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
+ --config={{ openshift_hosted_kubeconfig }}
+ -n default
+ register: docker_registry_readiness_probe
+ changed_when: false
+# This command is on a single line to preserve patch json.
- name: Update registry readiness probe from HTTP to HTTPS
command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
+ when: "'HTTPS' not in docker_registry_readiness_probe.stdout"
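Review bot: The task name `Configure certificates in registry deplomentConfig` has a typo; `- name: Configure certificates in registry deploymentConfig`. The two probe checks read `containers[*]...httpGet.scheme`, so `'HTTPS' not in ...stdout` skips the patch as soon as any container in the pod template already reports HTTPS, which is only correct while the registry pod has a single container; a comment noting that assumption, e.g. `# assumes the registry pod template has one container; [*] would hide a mixed result`, would make the limit explicit. The `Determine if registry readiness probe scheme is HTTPS` block also lacks the blank line before its `# This command is on a single line` comment that the liveness block has.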