From 6826f27769563d30194818a0f13b9da086ddf7ab Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Mon, 26 Sep 2016 10:36:02 -0400 Subject: Further secure registry improvements - Default to hosted_registry_insecure=False - Add openshift ca to system ca-trust. - Update ca trust in openshift_node_certificates rather than docker_ca_trust --- roles/openshift_node_certificates/handlers/main.yml | 10 ++++++++++ roles/openshift_node_certificates/tasks/main.yml | 11 +++++++++++ 2 files changed, 21 insertions(+) create mode 100644 roles/openshift_node_certificates/handlers/main.yml (limited to 'roles/openshift_node_certificates') diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml new file mode 100644 index 000000000..f2299cecf --- /dev/null +++ b/roles/openshift_node_certificates/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: update ca trust + command: update-ca-trust + notify: + - restart docker after updating ca trust + +- name: restart docker after updating ca trust + service: + name: docker + state: restarted diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index a729b4d6c..80ab4bb1d 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -124,3 +124,14 @@ when: node_certs_missing | bool delegate_to: localhost become: no + +- name: Copy OpenShift CA to system CA trust + copy: + src: "{{ item.cert }}" + dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}" + remote_src: yes + with_items: + - id: openshift + cert: "{{ openshift_node_cert_dir }}/ca.crt" + notify: + - update ca trust -- cgit v1.2.1