diff options
author | Kenny Woodson <kwoodson@redhat.com> | 2018-02-08 11:34:56 -0500 |
---|---|---|
committer | Kenny Woodson <kwoodson@redhat.com> | 2018-02-08 11:40:55 -0500 |
commit | c625f3b517b0f2754132ff6fa35b1391d7c0563a (patch) | |
tree | 10b943b4b7a2deee47de2b7d9b404cd32824c102 /playbooks | |
parent | 5f056317c44486bd38ed58aba865189b1d0b4f64 (diff) | |
download | openshift-c625f3b517b0f2754132ff6fa35b1391d7c0563a.tar.gz openshift-c625f3b517b0f2754132ff6fa35b1391d7c0563a.tar.bz2 openshift-c625f3b517b0f2754132ff6fa35b1391d7c0563a.tar.xz openshift-c625f3b517b0f2754132ff6fa35b1391d7c0563a.zip |
Redeploy router certificates during upgrade only when secure.
Diffstat (limited to 'playbooks')
-rw-r--r-- | playbooks/common/openshift-cluster/upgrades/post_control_plane.yml | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml index 9c927c0a1..fafbd8d1c 100644 --- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml @@ -114,22 +114,26 @@ openshift_hosted_templates_import_command: replace post_tasks: - # we need to migrate customers to the new pattern of pushing to the registry via dns - # Step 1: verify the certificates have the docker registry service name - - shell: > - echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)' - register: cert_output - changed_when: false - failed_when: - - cert_output.rc not in [0, 1] - - # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs - - name: set a fact to include the registry certs playbook if needed - set_fact: - openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}" - -# Run the redeploy certs based upon the certificates -- when: hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry + # Do not perform these tasks when the registry is insecure. The default registry is insecure in openshift_hosted/defaults/main.yml + - when: not (openshift_docker_hosted_registry_insecure | default(True)) + block: + # we need to migrate customers to the new pattern of pushing to the registry via dns + # Step 1: verify the certificates have the docker registry service name + - name: shell command to determine if the docker-registry.default.svc is found in the registry certificate + shell: > + echo -n | openssl s_client -showcerts -servername docker-registry.default.svc -connect docker-registry.default.svc:5000 | openssl x509 -text | grep -A1 'X509v3 Subject Alternative Name:' | grep -Pq 'DNS:docker-registry\.default\.svc(,|$)' + register: cert_output + changed_when: false + failed_when: + - cert_output.rc not in [0, 1] + + # Step 2: Set a fact to be used to determine if we should run the redeploy of registry certs + - name: set a fact to include the registry certs playbook if needed + set_fact: + openshift_hosted_rollout_certs_and_registry: "{{ cert_output.rc == 0 }}" + +# Run the redeploy certs based upon the certificates. Defaults to False for insecure registries +- when: (hostvars[groups.oo_first_master.0].openshift_hosted_rollout_certs_and_registry | default(False)) | bool import_playbook: ../../../openshift-hosted/redeploy-registry-certificates.yml # Check for warnings to be printed at the end of the upgrade: |