path: root/roles/openshift_hosted/tasks/registry/secure.yml
---
# Expose the registry through a passthrough route so TLS terminates in the
# registry pod itself (with the registry.crt/registry.key created below) rather
# than at the router. No --hostname is passed, so the router picks its default
# host; the set_fact further down has to reproduce that exact value for the
# certificate SAN list to match the name clients connect to.
- name: Create passthrough route for docker-registry
  command: >
    {{ openshift.common.client_binary }} create route passthrough
    --service docker-registry
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: create_docker_registry_route
  # Re-runs are idempotent: an already-existing route is neither a change nor
  # a failure; any other non-zero exit still aborts the play.
  changed_when: "'already exists' not in create_docker_registry_route.stderr"
  failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0"

# Check for an existing serving cert/key pair in the master config dir. Both
# stat results are collected so the create step below can skip when the pair
# is present; failed_when: false keeps a missing file from aborting the play.
- name: Determine if registry certificate must be created
  stat:
    path: "{{ openshift_master_config_dir }}/{{ item }}"
  with_items:
  - registry.crt
  - registry.key
  register: docker_registry_certificates_stat_result
  changed_when: false
  failed_when: false

# The service ClusterIP is added to the certificate SAN list so in-cluster
# clients that dial the IP directly still get a matching name. No failed_when
# is set, so a missing docker-registry service (non-zero exit) stops the play
# here instead of minting a certificate with an empty IP entry.
- name: Retrieve registry service IP
  command: >
    {{ openshift.common.client_binary }} get service docker-registry
    -o jsonpath='{.spec.clusterIP}'
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: docker_registry_service_ip
  changed_when: false

# Route host the router is expected to assign (<route>-<namespace>.<subdomain>)
# for the route created above without an explicit --hostname.
# NOTE(review): if openshift.master.default_subdomain is unset, the fallback
# must equal the router's own default subdomain; otherwise the real route host
# is missing from the certificate SAN and clients using the route get a
# hostname mismatch — confirm against the router configuration.
- set_fact:
    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift.master.default_subdomain | default('router.default.svc.cluster.local', true)) }}"

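# Mint the registry's serving certificate directly from the cluster CA. The SAN
# list covers every name a client may use: the service ClusterIP, the in-cluster
# service DNS name and the external route host. The CA cert/key/serial are read
# from the same master config dir the new pair is written to (previously a
# hard-coded /etc/origin/master, which could diverge from the
# openshift_master_config_dir used for --cert/--key in the same command).
# Only runs when registry.crt or registry.key is missing: an existing pair is
# never re-issued, so a changed ClusterIP or subdomain, an expired certificate
# or a suspected key compromise require deleting both files (and the
# registry-certificates secret that copies them) to force rotation.
- name: Create registry certificates if they do not exist
  command: >
    {{ openshift.common.client_binary }} adm ca create-server-cert
    --signer-cert={{ openshift_master_config_dir }}/ca.crt
    --signer-key={{ openshift_master_config_dir }}/ca.key
    --signer-serial={{ openshift_master_config_dir }}/ca.serial.txt
    --hostnames="{{ docker_registry_service_ip.stdout }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
    --cert={{ openshift_master_config_dir }}/registry.crt
    --key={{ openshift_master_config_dir }}/registry.key
  when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list)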

# Copy the serving cert and its private key into a secret in the default
# namespace so the registry pod can mount them; the key now lives in the API
# store as well as on the master filesystem.
# NOTE(review): "already exists" is treated as success, so a freshly re-issued
# registry.crt/registry.key on disk is NOT propagated into an existing secret.
# Rotating the certificate therefore also requires deleting this secret (and
# redeploying the registry) — there is no update path in this task.
- name: Create the secret for the registry certificates
  command: >
    {{ openshift.common.client_binary }} secrets new registry-certificates
    {{ openshift_master_config_dir }}/registry.crt
    {{ openshift_master_config_dir }}/registry.key
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: create_registry_certificates_secret
  # Idempotent re-runs: an existing secret is neither a change nor a failure.
  changed_when: "'already exists' not in create_registry_certificates_secret.stderr"
  failed_when: "'already exists' not in create_registry_certificates_secret.stderr and create_registry_certificates_secret.rc != 0"

# Make the secret mountable by the service accounts the registry pod may run
# under. `default` is listed alongside `registry`; if the dc runs only as the
# registry SA, the `default` entry widens who can mount the private key more
# than needed — TODO confirm which SA the docker-registry dc actually uses.
# No changed_when/failed_when is given, so this task reports "changed" on
# every run and any non-zero exit from `oc secrets add` aborts the play.
- name: "Add the secret to the registry's pod service accounts"
  command: >
    {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates
    --config={{ openshift_hosted_kubeconfig  }}
    -n default
  with_items:
  - registry
  - default

# List the secret names of all volumes on the registry dc to decide whether
# the certificate volume still has to be attached. A dc with no secret-backed
# volume makes the jsonpath lookup fail with "secretName is not found", which
# failed_when is meant to tolerate.
# NOTE(review): the marker is searched in stdout; if this oc version prints
# the jsonpath error on stderr, a dc without any secret volume would fail
# here (rc != 0, marker not in stdout) instead of being tolerated — verify.
- name: Determine if registry-certificates secret volume attached
  command: >
    {{ openshift.common.client_binary }} get dc/docker-registry
    -o jsonpath='{.spec.template.spec.volumes[*].secret.secretName}'
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: docker_registry_volumes
  changed_when: false
  failed_when: "'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"

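# Mount the registry-certificates secret at /etc/secrets, the path the
# REGISTRY_HTTP_TLS_* variables below point at; the private key is readable
# by the registry container from there. Skipped once any volume referencing
# that secret name is already present on the dc.
# (Folded-scalar content is indented four spaces like every other task in this
# file; the previous three-space indent was the only outlier.)
- name: Attach registry-certificates secret volume
  command: >
    {{ openshift.common.client_binary }} volume dc/docker-registry --add --type=secret
    --secret-name=registry-certificates
    -m /etc/secrets
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  when: "'registry-certificates' not in docker_registry_volumes.stdout"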

# Dump the dc's current environment so the TLS variables are only (re)set when
# they are missing or point somewhere else; this keeps re-runs from triggering
# a needless redeployment.
- name: Determine if registry environment variables must be set
  command: >
    {{ openshift.common.client_binary }} env dc/docker-registry
    --list
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: docker_registry_env
  changed_when: false

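# Point the registry at the mounted cert/key. REGISTRY_HTTP_TLS_CERTIFICATE and
# REGISTRY_HTTP_TLS_KEY are the registry's http.tls.certificate / http.tls.key
# settings; once set, the registry listener speaks TLS only, which is why the
# probe schemes below are switched to HTTPS as well. Both values are matched as
# exact KEY=VALUE substrings of the `env --list` output, so a stale path is
# corrected, not just a missing variable. (Task name typo "deplomentConfig"
# fixed.)
- name: Configure certificates in registry deploymentConfig
  command: >
    {{ openshift.common.client_binary }} env dc/docker-registry
    REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
    REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"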

# Read the liveness probe scheme of every container in the dc (space-joined by
# jsonpath). With the registry now serving TLS only, an HTTP probe would fail
# and the pod would be restarted in a loop, so the scheme has to follow.
- name: Determine if registry liveness probe scheme is HTTPS
  command: >
    {{ openshift.common.client_binary }} get dc/docker-registry
    -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: docker_registry_liveness_probe
  changed_when: false

# This command is on a single line to preserve patch json.
# The patch is merged by container name ("registry") and changes only the probe
# scheme, leaving path/port as they are. Kubelet HTTPS probes are generally
# understood not to verify the serving certificate, so the cluster-CA-signed
# registry.crt needs no extra trust here — presumably; confirm for the kubelet
# version in use.
- name: Update registry liveness probe from HTTP to HTTPS
  command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
  when: "'HTTPS' not in docker_registry_liveness_probe.stdout"

# Same check as for the liveness probe, for readiness: an HTTP readiness probe
# against a TLS-only registry would keep the pod permanently out of the service
# endpoints.
- name: Determine if registry readiness probe scheme is HTTPS
  command: >
    {{ openshift.common.client_binary }} get dc/docker-registry
    -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
    --config={{ openshift_hosted_kubeconfig }}
    -n default
  register: docker_registry_readiness_probe
  changed_when: false

# This command is on a single line to preserve patch json.
# Mirrors the liveness patch above: merged by container name ("registry"),
# scheme only. Each of these two patches triggers its own rollout of the dc
# when applied.
- name: Update registry readiness probe from HTTP to HTTPS
  command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
  when: "'HTTPS' not in docker_registry_readiness_probe.stdout"