author | Scott Dodson <sdodson@redhat.com> | 2017-03-01 16:34:48 -0500 |
committer | GitHub <noreply@github.com> | 2017-03-01 16:34:48 -0500 |
commit | ef3aa534d7b54c92c076f89c91f514972ba64612 (patch) | |
tree | 6031a633254d5e0a6803186a88e4ff0bb14599b3 /roles/openshift_hosted | |
parent | 0a782a06d49942dadb2b8d51509e94f656570ec4 (diff) | |
parent | e62a4bf341637bc26503a9ba5246afb9b016ea36 (diff) | |
Merge pull request #3493 from kwoodson/registry_reencyrpt_route
Adding support for a route with reencrypt and certificates.
Diffstat (limited to 'roles/openshift_hosted')
-rw-r--r-- | roles/openshift_hosted/tasks/registry/registry.yml | 3 | ||||
-rw-r--r-- | roles/openshift_hosted/tasks/registry/secure.yml | 32 |
2 files changed, 33 insertions, 2 deletions
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
index dcb1277f3..39e7de230 100644
--- a/roles/openshift_hosted/tasks/registry/registry.yml
+++ b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -40,6 +40,9 @@
 openshift_hosted_registry_images: "{{ openshift.hosted.registry.registryurl | default('openshift3/ose-${component}:${version}')}}"
 openshift_hosted_registry_volumes: []
 openshift_hosted_registry_env_vars: {}
+ openshift_hosted_registry_routecertificates: "{{ ('routecertificates' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routecertificates, {}) }}"
+ openshift_hosted_registry_routehost: "{{ ('routehost' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routehost, False) }}"
+ openshift_hosted_registry_routetermination: "{{ ('routetermination' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routetermination, 'passthrough') }}"
 openshift_hosted_registry_edits:
 # These edits are being specified only to prevent 'changed' on rerun
 - key: spec.strategy.rollingParams
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
index e70d377c6..bd513b943 100644
--- a/roles/openshift_hosted/tasks/registry/secure.yml
+++ b/roles/openshift_hosted/tasks/registry/secure.yml
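Review bot: The three new defaults spell out `('routehost' in openshift.hosted.registry.keys()) | ternary(openshift.hosted.registry.routehost, False)` where Jinja's `default` filter already does the same lookup; `openshift_hosted_registry_routehost: "{{ openshift.hosted.registry.routehost | default(False) }}"` (and likewise for `routecertificates` and `routetermination`) reads more directly and matches how the neighbouring `registryurl` fact on the first context line is written. The boolean `False` sentinel for a hostname-valued fact also forces every consumer to use `ternary` rather than `default`, since `default` does not replace a defined `False`; a comment such as `# False means "derive the hostname in secure.yml"` would at least document the convention. Nothing validates that `routetermination` is one of the values the route tasks in secure.yml expect, so a mistyped value passes through silently; an `assert` on the allowed set would catch it early. The enclosing `set_fact` task appears to start above this hunk.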
@@ -3,13 +3,41 @@ set_fact: docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}" +- name: Get the certificate contents for registry + copy: + backup: True + dest: "/etc/origin/master/named_certificates/{{ item.value | basename }}" + src: "{{ item.value }}" + when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value is not None + with_dict: "{{ openshift_hosted_registry_routecertificates }}" + +# When certificates are defined we will create the reencrypt +# docker-registry route +- name: Create a reencrypt route for docker-registry + oc_route: + name: docker-registry + namespace: "{{ openshift_hosted_registry_namespace }}" + service_name: docker-registry + tls_termination: "{{ openshift_hosted_registry_routetermination }}" + host: "{{ openshift_hosted_registry_routehost | default(docker_registry_route_hostname) }}" + cert_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}" + key_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}" + cacert_path: "/etc/origin/master/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}" + dest_cacert_path: /etc/origin/master/ca.crt + when: + - "'cafile' in openshift_hosted_registry_routecertificates" + - "'certfile' in openshift_hosted_registry_routecertificates" + - "'keyfile' in openshift_hosted_registry_routecertificates" + +# When routetermination is passthrough we will create the route - name: Create passthrough route for docker-registry oc_route: name: docker-registry namespace: "{{ openshift_hosted_registry_namespace }}" service_name: docker-registry - tls_termination: passthrough - host: "{{ docker_registry_route_hostname }}" + tls_termination: "{{ openshift_hosted_registry_routetermination }}" + host: "{{ openshift_hosted_registry_routehost | 
ternary(openshift_hosted_registry_routehost, docker_registry_route_hostname) }}" + when: openshift_hosted_registry_routetermination == 'passthrough' - name: Retrieve registry service IP oc_service: |
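Review bot: The `copy` task that stages `certfile`/`keyfile`/`cafile` into `/etc/origin/master/named_certificates/` sets no `mode` or `owner`, so the private key lands with whatever the default umask grants, and `backup: True` will keep superseded copies of it next to the live file on re-runs; add `mode: "0600"` (or a tighter mode for the `keyfile` item only) and consider whether `backup` is wanted for key material. The reencrypt `oc_route` task is gated only on the three certificate keys being present while the passthrough task is gated on `routetermination == 'passthrough'`, which is the default set in registry.yml, so a user who supplies certificates but leaves termination unset runs both tasks against the same `docker-registry` route; adding `- openshift_hosted_registry_routetermination == 'reencrypt'` to the reencrypt task's `when` list closes that gap. In the reencrypt task, `host: "{{ openshift_hosted_registry_routehost | default(docker_registry_route_hostname) }}"` does not fall back when `routehost` carries its `False` default, because `default` only replaces undefined values, unlike the `ternary` form the passthrough task uses; use the same `ternary` here. `item.value is not None` in the copy task's `when` looks like it names a Jinja test that does not exist (Jinja's test is the lowercase `none`), so it may error on the first item with a non-empty dict; `item.value is not none` is the safer spelling.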