From a3ab3d539bb57bc224b3f4457a0bfc68484cf8ee Mon Sep 17 00:00:00 2001 From: Samuel Munilla Date: Tue, 20 Sep 2016 13:34:15 -0400 Subject: Install Registry by Default Instead of restricting cockpit-ui to Atomic Registry installations, install it by default everywhere. Fixes Bug 1371459 --- .../common/openshift-cluster/openshift_hosted.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index 3975e2686..044de2c94 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml @@ -65,7 +65,7 @@ openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es' if openshift.hosted.logging.storage_kind | default(none) is not none else '' }}" - role: cockpit-ui - when: openshift.common.deployment_subtype == 'registry' + when: openshift.common.version_gte_3_3_or_1_3 | bool - name: Configure all masters for logging serial: 1 @@ -94,19 +94,19 @@ - name: Create temp directory for kubeconfig command: mktemp -d /tmp/openshift-ansible-XXXXXX register: mktemp - when: openshift.common.deployment_subtype == 'registry' + when: openshift.common.version_gte_3_3_or_1_3 | bool changed_when: false delegate_to: "{{ groups.oo_first_master.0 }}" run_once: true - set_fact: openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" - when: openshift.common.deployment_subtype == 'registry' + when: openshift.common.version_gte_3_3_or_1_3 | bool delegate_to: "{{ groups.oo_first_master.0 }}" run_once: true - name: Copy the admin client config(s) command: > cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }} - when: openshift.common.deployment_subtype == 'registry' + when: openshift.common.version_gte_3_3_or_1_3 | bool changed_when: false delegate_to: "{{ groups.oo_first_master.0 }}" run_once: true 
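Review bot: The `cockpit-ui` role is now gated only on the cluster version, so it is applied on every 3.3+/1.3+ cluster with no check that a hosted registry is actually deployed; its tasks (roles/cockpit-ui/tasks/main.yml, further down this page) look up the `docker-registry` route, which fails rather than skips when the registry is absent. The same version-only gate is pasted onto the three kubeconfig tasks in the second hunk and the six tasks in the following hunks, nine copies that will drift; a single play- or block-level `when` would be easier to keep consistent. If the intent is "registry is managed", `when: (openshift.common.version_gte_3_3_or_1_3 | bool) and (openshift_hosted_manage_registry | default(true) | bool)` expresses it, assuming that inventory variable is the project's switch for the hosted registry. The play these roles belong to begins above the hunk.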
@@ -117,7 +117,7 @@ --config={{ openshift_hosted_kubeconfig }} -n default register: docker_registry_route - when: openshift.common.deployment_subtype == 'registry' + when: openshift.common.version_gte_3_3_or_1_3 | bool changed_when: false delegate_to: "{{ groups.oo_first_master.0 }}" run_once: true @@ -128,7 +128,7 @@ --config={{ openshift_hosted_kubeconfig }} -n default register: docker_registry_service_ip - when: openshift.common.deployment_subtype == 'registry' + when: openshift.common.version_gte_3_3_or_1_3 | bool changed_when: false delegate_to: "{{ groups.oo_first_master.0 }}" run_once: true @@ -140,7 +140,7 @@ - "{{ docker_registry_service_ip.stdout }}:5000" - "{{ docker_registry_route.stdout }}" - "docker-registry.default.svc.cluster.local:5000" - when: openshift.common.deployment_subtype == 'registry' + when: openshift.common.version_gte_3_3_or_1_3 | bool - name: Copy CA to registry CA directories copy: src: "{{ openshift.common.config_base }}/node/ca.crt" @@ -151,14 +151,14 @@ - "{{ docker_registry_service_ip.stdout }}:5000" - "{{ docker_registry_route.stdout }}" - "docker-registry.default.svc.cluster.local:5000" - when: openshift.common.deployment_subtype == 'registry' + when: openshift.common.version_gte_3_3_or_1_3 | bool notify: - Restart docker - name: Delete temp directory file: name: "{{ mktemp.stdout }}" state: absent - when: openshift.common.deployment_subtype == 'registry' + when: openshift.common.version_gte_3_3_or_1_3 | bool changed_when: False delegate_to: "{{ groups.oo_first_master.0 }}" run_once: true -- cgit v1.2.3 From f255943326ad3be91d233609ec5e61382302fff5 Mon Sep 17 00:00:00 2001 
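Review bot: `Retrieve docker-registry route` has no `failed_when`, so on any 3.3+ cluster that the widened gate now includes but that has no `docker-registry` route in `default`, `oc get` exits non-zero and the play aborts here instead of skipping; the service lookup in the next hunk behaves the same. If a missing registry is a legitimate state, give both lookups `failed_when: false` and gate the CA tasks on `docker_registry_route.stdout | default('') != ''`, which also guards against an empty host producing a `/etc/docker/certs.d/` destination with no host component. Note that `with_items` on `Create registry CA directories` templates `docker_registry_service_ip.stdout`, and Ansible expands the loop before evaluating `when`, so once the lookups are skipped the loop meets a result with no `stdout` and errors rather than skipping. The task list continues above and below the hunk.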
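Review bot: `Delete temp directory` is an ordinary task at the end of the list, so the admin kubeconfig copied into `/tmp/openshift-ansible-*` on the first master is removed only if every task before it succeeded; any failure in the route/service lookups or the CA copy leaves cluster-admin credentials sitting in `/tmp` on that host. Wrapping the tasks in a `block` with the cleanup under `always` (Ansible 2.0+, which the `static:` includes already present in this file require anyway) makes the removal unconditional. The play this task list belongs to starts above the hunk, and its `handlers:` section follows below it.
```yaml
  tasks:
    - block:
        # … unchanged: mktemp, kubeconfig copy, route/service lookups, CA directory tasks …
      always:
        - name: Delete temp directory
          file:
            name: "{{ mktemp.stdout }}"
            state: absent
          when: mktemp is defined and mktemp.stdout is defined
          changed_when: False
          delegate_to: "{{ groups.oo_first_master.0 }}"
          run_once: true
```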
From: Andrew Butcher
Date: Wed, 21 Sep 2016 10:32:22 -0400
Subject: Secure registry improvements.

* Convert oc template calls to jsonpath.
* Wait for deployments to finish before restarting docker.
* Re-organize node ca configuration.
---
 .../common/openshift-cluster/node_docker_ca.yml | 124 +++++++++++++++++++++
 .../common/openshift-cluster/openshift_hosted.yml | 103 +----------------
 roles/cockpit-ui/tasks/main.yml | 4 +-
 roles/openshift_hosted/tasks/registry/registry.yml | 1 -
 roles/openshift_hosted/tasks/registry/secure.yml | 57 ++++++++--
 5 files changed, 176 insertions(+), 113 deletions(-)
 create mode 100644 playbooks/common/openshift-cluster/node_docker_ca.yml
diff --git a/playbooks/common/openshift-cluster/node_docker_ca.yml b/playbooks/common/openshift-cluster/node_docker_ca.yml
new file mode 100644
index 000000000..6482c827b
--- /dev/null
+++ b/playbooks/common/openshift-cluster/node_docker_ca.yml
@@ -0,0 +1,124 @@ +--- +- name: Configure CA certificate for secure registry + hosts: oo_nodes_to_config + tags: + - hosted + tasks: + - name: Create temp directory for kubeconfig + command: mktemp -d /tmp/openshift-ansible-XXXXXX + register: mktemp + when: openshift_hosted_manage_registry | default(true) | bool + changed_when: false + delegate_to: "{{ groups.oo_first_master.0 }}" + run_once: true + + - set_fact: + openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + when: openshift_hosted_manage_registry | default(true) | bool + delegate_to: "{{ groups.oo_first_master.0 }}" + run_once: true + + - name: Copy the admin client config(s) + command: > + cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }} + when: openshift_hosted_manage_registry | default(true) | bool + changed_when: false + delegate_to: "{{ groups.oo_first_master.0 }}" + run_once: true + + - name: Retrieve docker-registry route + command: > + {{ openshift.common.client_binary }} get route docker-registry + -o jsonpath='{.spec.host}' + --config={{ openshift_hosted_kubeconfig }} + -n default + register: docker_registry_route + when: openshift_hosted_manage_registry | default(true) | bool + changed_when: false + delegate_to: "{{ groups.oo_first_master.0 }}" + run_once: true + + - name: Retrieve registry service IP + command: > + {{ openshift.common.client_binary }} get svc/docker-registry + -o jsonpath='{.spec.clusterIP}' + --config={{ openshift_hosted_kubeconfig }} + -n default + register: docker_registry_service_ip + when: openshift_hosted_manage_registry | default(true) | bool + changed_when: false + delegate_to: "{{ groups.oo_first_master.0 }}" + run_once: true + + - name: Create registry CA directories + file: + path: "/etc/docker/certs.d/{{ item }}" + state: directory + with_items: + - "{{ docker_registry_service_ip.stdout }}:5000" + - "{{ docker_registry_route.stdout }}" + - "docker-registry.default.svc.cluster.local:5000" + when: 
openshift_hosted_manage_registry | default(true) | bool + + - name: Copy CA to registry CA directories + copy: + src: "{{ openshift.common.config_base }}/node/ca.crt" + dest: "/etc/docker/certs.d/{{ item }}" + remote_src: yes + force: yes + with_items: + - "{{ docker_registry_service_ip.stdout }}:5000" + - "{{ docker_registry_route.stdout }}" + - "docker-registry.default.svc.cluster.local:5000" + when: openshift_hosted_manage_registry | default(true) | bool + notify: + - Wait for docker-registry deployment + - Wait for registry-console deployment + - Restart docker + + handlers: + # Restarting docker before deployments have begun will block the + # deployments from ever starting so try waiting for the registry to + # become available. + - name: Wait for docker-registry deployment + command: > + {{ openshift.common.client_binary }} get dc/docker-registry + -o jsonpath='{.status.availableReplicas}' + --config={{ openshift_hosted_kubeconfig }} + -n default + register: l_docker_registry_available_replicas + until: l_docker_registry_available_replicas.stdout | default("0") != "0" + retries: 30 + delay: 1 + failed_when: false + changed_when: false + + - name: Wait for registry-console deployment + command: > + {{ openshift.common.client_binary }} get dc/registry-console + -o jsonpath='{.status.availableReplicas}' + --config={{ openshift_hosted_kubeconfig }} + -n default + register: l_registry_console_available_replicas + until: l_registry_console_available_replicas.stdout | default("0") != "0" + retries: 30 + delay: 1 + failed_when: false + changed_when: false + + - name: Restart docker + service: + name: docker + state: restarted + +- name: Delete temp directory + hosts: oo_first_master + tags: + - hosted + tasks: + - name: Delete temp directory + file: + name: "{{ mktemp.stdout }}" + state: absent + when: openshift_hosted_manage_registry | default(true) | bool + changed_when: False 
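Review bot: The `until` on both `Wait for … deployment` handlers is satisfied by any string other than "0", including the empty `stdout` that an `oc` failure produces, and the handlers are not delegated: they run `oc get dc/…` on each node in `oo_nodes_to_config` against `openshift_hosted_kubeconfig`, a path that exists only on the first master where the temp directory was created, so on every other node the command fails, `stdout` is empty, the wait returns at once and `Restart docker` runs — exactly the race the comment above the handlers warns about. Delegate both handlers (`delegate_to: "{{ groups.oo_first_master.0 }}"` with `run_once: true`) and compare the count numerically, e.g. `until: (l_docker_registry_available_replicas.stdout | default('') | int) > 0`, keeping in mind that a deployment which never appears then exhausts the 30 retries. The `Delete temp directory` play reads `mktemp.stdout` on a host from `oo_first_master`; that variable was registered in the first play, so it is only visible if that host was also in `oo_nodes_to_config` — worth confirming. As in the play this replaces, the cleanup runs only after all earlier tasks succeed, so a failed lookup leaves the copied `admin.kubeconfig` in `/tmp` on the first master.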
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml
index 044de2c94..ea9ba14e1 100644
--- a/playbooks/common/openshift-cluster/openshift_hosted.yml
+++ b/playbooks/common/openshift-cluster/openshift_hosted.yml
@@ -65,105 +65,4 @@ openshift_hosted_logging_elasticsearch_ops_pvc_prefix: "{{ 'logging-es' if openshift.hosted.logging.storage_kind | default(none) is not none else '' }}" - role: cockpit-ui - when: openshift.common.version_gte_3_3_or_1_3 | bool - -- name: Configure all masters for logging - serial: 1 - handlers: - - include: ../../../roles/openshift_master/handlers/main.yml - static: yes - hosts: oo_masters - tasks: - - openshift_facts: - role: master - local_facts: - logging_public_url: "https://{{ openshift_hosted_logging_hostname | default('kibana.' ~ openshift_master_default_subdomain) }}" - when: openshift.hosted.logging.deploy | default(openshift.common.version_gte_3_3_or_1_3) - - modify_yaml: - dest: "{{ openshift.common.config_base }}/master/master-config.yaml" - yaml_key: assetConfig.loggingPublicURL - yaml_value: "{{ openshift.master.logging_public_url }}" - notify: restart master - when: openshift.hosted.logging.deploy | default(openshift.common.version_gte_3_3_or_1_3) - -- name: Configure CA certificate for secure registry - hosts: oo_nodes_to_config - tags: - - hosted - tasks: - - name: Create temp directory for kubeconfig - command: mktemp -d /tmp/openshift-ansible-XXXXXX - register: mktemp - when: openshift.common.version_gte_3_3_or_1_3 | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - set_fact: - openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" - when: openshift.common.version_gte_3_3_or_1_3 | bool - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - name: Copy the admin client config(s) - command: > - cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }} - when: openshift.common.version_gte_3_3_or_1_3 | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - name: Retrieve docker-registry route - command: > - {{ openshift.common.client_binary }} get route docker-registry - 
--template='{{ '{{' }} .spec.host {{ '}}' }}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_route - when: openshift.common.version_gte_3_3_or_1_3 | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - name: Retrieve registry service IP - command: > - {{ openshift.common.client_binary }} get service docker-registry - --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_service_ip - when: openshift.common.version_gte_3_3_or_1_3 | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - name: Create registry CA directories - file: - path: "/etc/docker/certs.d/{{ item }}" - state: directory - with_items: - - "{{ docker_registry_service_ip.stdout }}:5000" - - "{{ docker_registry_route.stdout }}" - - "docker-registry.default.svc.cluster.local:5000" - when: openshift.common.version_gte_3_3_or_1_3 | bool - - name: Copy CA to registry CA directories - copy: - src: "{{ openshift.common.config_base }}/node/ca.crt" - dest: "/etc/docker/certs.d/{{ item }}" - remote_src: yes - force: yes - with_items: - - "{{ docker_registry_service_ip.stdout }}:5000" - - "{{ docker_registry_route.stdout }}" - - "docker-registry.default.svc.cluster.local:5000" - when: openshift.common.version_gte_3_3_or_1_3 | bool - notify: - - Restart docker - - name: Delete temp directory - file: - name: "{{ mktemp.stdout }}" - state: absent - when: openshift.common.version_gte_3_3_or_1_3 | bool - changed_when: False - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - handlers: - - name: Restart docker - service: - name: docker - state: restarted + when: ( openshift.common.version_gte_3_3_or_1_3 | bool ) and ( openshift_hosted_manage_registry | default(true) | bool ) diff --git a/roles/cockpit-ui/tasks/main.yml b/roles/cockpit-ui/tasks/main.yml index 953357392..c573da6d6 100644 
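Review bot: The hunk removes the whole `Configure all masters for logging` play (the `openshift_facts` and `modify_yaml` tasks that set `assetConfig.loggingPublicURL`) together with the registry CA play, but neither the commit message nor the diffstat shows it being re-added elsewhere; unless that play was relocated in a change outside this patch, master logging configuration is silently dropped. The CA play itself is accounted for by the new `node_docker_ca.yml`. On the surviving line, the parentheses in `when: ( openshift.common.version_gte_3_3_or_1_3 | bool ) and ( openshift_hosted_manage_registry | default(true) | bool )` are padded with inner spaces unlike the rest of the file; `(openshift.common.version_gte_3_3_or_1_3 | bool) and (openshift_hosted_manage_registry | default(true) | bool)` reads more conventionally. The play containing these roles starts above the hunk.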
--- a/roles/cockpit-ui/tasks/main.yml +++ b/roles/cockpit-ui/tasks/main.yml @@ -36,7 +36,7 @@ - name: Retrieve docker-registry route command: > {{ openshift.common.client_binary }} get route docker-registry - --template='{{ '{{' }} .spec.host {{ '}}' }}' + -o jsonpath='{.spec.host}' --config={{ openshift_hosted_kubeconfig }} -n default register: docker_registry_route @@ -45,7 +45,7 @@ - name: Retrieve cockpit kube url command: > {{ openshift.common.client_binary }} get route registry-console - --template='https://{{ '{{' }} .spec.host {{ '}}' }}' + -o jsonpath='https://{.spec.host}' -n default register: registry_console_cockpit_kube_url changed_when: false diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml index d5077932b..ed0a2b38d 100644 --- a/roles/openshift_hosted/tasks/registry/registry.yml +++ b/roles/openshift_hosted/tasks/registry/registry.yml @@ -53,7 +53,6 @@ - include: secure.yml static: no - when: openshift.common.deployment_subtype == 'registry' - include: storage/object_storage.yml static: no diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml index 4cb85df04..664edef41 100644 --- a/roles/openshift_hosted/tasks/registry/secure.yml +++ b/roles/openshift_hosted/tasks/registry/secure.yml 
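Review bot: `Retrieve cockpit kube url` still runs `oc get route registry-console` without `--config={{ openshift_hosted_kubeconfig }}`, unlike `Retrieve docker-registry route` in the hunk just above it, so it authenticates with whatever default kubeconfig the executing host happens to have rather than the admin copy this role prepares; if the task is delegated to a host without one, the lookup fails or reads a different cluster. Adding the `--config={{ openshift_hosted_kubeconfig }}` line to match the first task keeps both lookups on the same credentials. The jsonpath conversions themselves look correct. The first task's definition continues below its hunk.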
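Review bot: Removing the `when` on `- include: secure.yml` secures every hosted registry, but the node-side docker fact `hosted_registry_insecure` is still derived from `deployment_subtype` (roles/openshift_docker_facts, later on this page), so on non-registry deployments nodes keep `--insecure-registry` for a registry this commit switches to TLS and never verify its certificate. The two settings should flip together; until they do, a comment on the include noting the dependency would help, e.g. `# secure.yml enables TLS on the registry; openshift_docker_facts must stop marking it insecure`. The `registry.yml` task list continues on both sides of the hunk.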
@@ -1,5 +1,15 @@ --- -- name: Determine if registry certificates must be created +- name: Create passthrough route for docker-registry + command: > + {{ openshift.common.client_binary }} create route passthrough + --service docker-registry + --config={{ openshift_hosted_kubeconfig }} + -n default + register: create_docker_registry_route + changed_when: "'already exists' not in create_docker_registry_route.stderr" + failed_when: "'already exists' not in create_docker_registry_route.stderr and create_docker_registry_route.rc != 0" + +- name: Determine if registry certificate must be created stat: path: "{{ openshift_master_config_dir }}/{{ item }}" with_items: @@ -12,7 +22,7 @@ - name: Retrieve registry service IP command: > {{ openshift.common.client_binary }} get service docker-registry - --template='{{ '{{' }} .spec.clusterIP {{ '}}' }}' + -o jsonpath='{.spec.clusterIP}' --config={{ openshift_hosted_kubeconfig }} -n default register: docker_registry_service_ip @@ -45,8 +55,8 @@ - name: "Add the secret to the registry's pod service accounts" command: > - {{ openshift.common.client_binary }} secrets link {{ item }} registry-certificates - --config={{ openshift_hosted_kubeconfig }} + {{ openshift.common.client_binary }} secrets add {{ item }} registry-certificates + --config={{ openshift_hosted_kubeconfig }} -n default with_items: - registry 
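Review bot: `Create passthrough route for docker-registry` publishes the registry on a router-generated hostname (no `--hostname`), and nothing in this hunk ties that hostname to the certificate created further down in this file; if the generated `registry.crt` does not carry the route host as a SAN, clients reaching the registry through the route see a name mismatch even with the cluster CA trusted — worth confirming against the certificate task, which is outside the hunk. Idempotence by matching the `'already exists'` substring of `stderr` is fragile across client versions and locales; a preceding `oc get route docker-registry` with `failed_when: false`, or a condition of the form `rc == 0 or 'already exists' in stderr`, would be clearer. The switch from `secrets link` back to `secrets add` in the later hunk of this file is unexplained; a comment naming the client version that requires it would keep someone from reverting it. The `Determine if registry certificate must be created` task continues below the hunk.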
@@ -55,12 +65,12 @@ - name: Determine if registry-certificates secret volume attached command: > {{ openshift.common.client_binary }} get dc/docker-registry - --template='{{ '{{' }} range .spec.template.spec.volumes {{ '}}' }}{{ '{{' }} .secret.secretName {{ '}}' }}{{ '{{' }} end {{ '}}' }}' + -o jsonpath='{.spec.template.spec.volumes[*].secret.secretName}' --config={{ openshift_hosted_kubeconfig }} -n default register: docker_registry_volumes changed_when: false - failed_when: false + failed_when: "'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0" - name: Attach registry-certificates secret volume command: 
> @@ -71,17 +81,48 @@ -n default when: "'registry-certificates' not in docker_registry_volumes.stdout" -- name: Set registry environment variables for TLS certificate +- name: Determine if registry environment variables must be set + command: > + {{ openshift.common.client_binary }} env dc/docker-registry + --list + --config={{ openshift_hosted_kubeconfig }} + -n default + register: docker_registry_env + changed_when: false + +- name: Configure certificates in registry deplomentConfig command: > {{ openshift.common.client_binary }} env dc/docker-registry REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key --config={{ openshift_hosted_kubeconfig }} -n default + when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout" -# These commands are on a single line to preserve patch json. +- name: Determine if registry liveness probe scheme is HTTPS + command: > + {{ openshift.common.client_binary }} get dc/docker-registry + -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}' + --config={{ openshift_hosted_kubeconfig }} + -n default + register: docker_registry_liveness_probe + changed_when: false + +# This command is on a single line to preserve patch json. 
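Review bot: The new `failed_when` on `Determine if registry-certificates secret volume attached` looks for `'secretName is not found'` in `stdout`, but the client's jsonpath error text is normally written to stderr, so on a deployment with no secret volumes the substring is absent from `stdout`, `rc` is non-zero, and the task now fails where it previously (with `failed_when: false`) continued to the attach step; please verify which stream carries the message and match on `docker_registry_volumes.stderr` (or on both). The following `when: "'registry-certificates' not in docker_registry_volumes.stdout"` then triggers the attach as intended. The `Attach registry-certificates secret volume` task continues outside the hunk.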
- name: Update registry liveness probe from HTTP to HTTPS command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default" + when: "'HTTPS' not in docker_registry_liveness_probe.stdout" + +- name: Determine if registry readiness probe scheme is HTTPS + command: > + {{ openshift.common.client_binary }} get dc/docker-registry + -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}' + --config={{ openshift_hosted_kubeconfig }} + -n default + register: docker_registry_readiness_probe + changed_when: false +# This command is on a single line to preserve patch json. - name: Update registry readiness probe from HTTP to HTTPS command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default" + when: "'HTTPS' not in docker_registry_readiness_probe.stdout" -- cgit v1.2.3 From 4b102facfb32e4de14147fcbbe97626c4e08e264 Mon Sep 17 00:00:00 2001 From: Samuel Munilla Date: Fri, 23 Sep 2016 14:51:40 -0400 Subject: Delgate handlers to first master --- .gitignore | 1 + playbooks/common/openshift-cluster/node_docker_ca.yml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/.gitignore b/.gitignore index dcea26d60..48507c5d1 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ multi_inventory.yaml .tags* ansible.cfg *.retry +.vscode/* diff --git a/playbooks/common/openshift-cluster/node_docker_ca.yml b/playbooks/common/openshift-cluster/node_docker_ca.yml index 6482c827b..a291aeeb7 100644 --- a/playbooks/common/openshift-cluster/node_docker_ca.yml +++ b/playbooks/common/openshift-cluster/node_docker_ca.yml 
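Review bot: `Determine if registry environment variables must be set` registers the full `oc env dc/docker-registry --list` output in `docker_registry_env`, which reproduces every environment value of the deployment; if the registry carries storage credentials or other secrets in its environment they end up in Ansible's verbose output and callback logs, so that task should get `no_log: true`. The task name `Configure certificates in registry deplomentConfig` misspells deploymentConfig. The two probe checks test `'HTTPS' not in …stdout` against a `containers[*]` wildcard, so on a multi-container pod one HTTPS probe would suppress the patch for the `registry` container the patch actually names; restricting the path, e.g. `{.spec.template.spec.containers[?(@.name=="registry")].livenessProbe.httpGet.scheme}`, keeps the check and the patch on the same container. The `Attach registry-certificates secret volume` task that opens the hunk starts above it.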
@@ -86,12 +86,14 @@ -o jsonpath='{.status.availableReplicas}' --config={{ openshift_hosted_kubeconfig }} -n default + delegate_to: "{{ groups.oo_first_master.0}}" register: l_docker_registry_available_replicas until: l_docker_registry_available_replicas.stdout | default("0") != "0" retries: 30 delay: 1 failed_when: false changed_when: false + run_once: true - name: Wait for registry-console deployment command: > @@ -99,12 +101,14 @@ -o jsonpath='{.status.availableReplicas}' --config={{ openshift_hosted_kubeconfig }} -n default + delegate_to: "{{ groups.oo_first_master.0 }}" register: l_registry_console_available_replicas until: l_registry_console_available_replicas.stdout | default("0") != "0" retries: 30 delay: 1 failed_when: false changed_when: false + run_once: true - name: Restart docker service: -- cgit v1.2.3 From 6826f27769563d30194818a0f13b9da086ddf7ab Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Mon, 26 Sep 2016 10:36:02 -0400 Subject: Further secure registry improvements - Default to hosted_registry_insecure=False - Add openshift ca to system ca-trust. - Update ca trust in openshift_node_certificates rather than docker_ca_trust --- .../common/openshift-cluster/node_docker_ca.yml | 128 --------------------- playbooks/common/openshift-node/config.yml | 4 +- roles/openshift_docker_facts/tasks/main.yml | 2 +- .../openshift_node_certificates/handlers/main.yml | 10 ++ roles/openshift_node_certificates/tasks/main.yml | 11 ++ 5 files changed, 24 insertions(+), 131 deletions(-) delete mode 100644 playbooks/common/openshift-cluster/node_docker_ca.yml create mode 100644 roles/openshift_node_certificates/handlers/main.yml diff --git a/playbooks/common/openshift-cluster/node_docker_ca.yml b/playbooks/common/openshift-cluster/node_docker_ca.yml deleted file mode 100644 index a291aeeb7..000000000 --- a/playbooks/common/openshift-cluster/node_docker_ca.yml +++ /dev/null 
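Review bot: `delegate_to: "{{ groups.oo_first_master.0}}"` in the first handler drops the space before `}}` that the second handler and the rest of the file use; Jinja accepts it, but it reads as a typo and will trip a style pass, so write `delegate_to: "{{ groups.oo_first_master.0 }}"` in both. Delegating fixes where the command runs, but the `until` conditions still treat an empty `stdout` as ready: an `oc` error leaves `stdout` empty, `"" != "0"` is true, and the handler returns immediately, so a failed lookup still lets `Restart docker` proceed; a numeric test such as `until: (l_docker_registry_available_replicas.stdout | default('') | int) > 0` on both handlers would close that. Both handlers' `- name:` and `command:` lines sit above their hunks.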
@@ -1,128 +0,0 @@ ---- -- name: Configure CA certificate for secure registry - hosts: oo_nodes_to_config - tags: - - hosted - tasks: - - name: Create temp directory for kubeconfig - command: mktemp -d /tmp/openshift-ansible-XXXXXX - register: mktemp - when: openshift_hosted_manage_registry | default(true) | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - set_fact: - openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" - when: openshift_hosted_manage_registry | default(true) | bool - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - name: Copy the admin client config(s) - command: > - cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_hosted_kubeconfig }} - when: openshift_hosted_manage_registry | default(true) | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - name: Retrieve docker-registry route - command: > - {{ openshift.common.client_binary }} get route docker-registry - -o jsonpath='{.spec.host}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_route - when: openshift_hosted_manage_registry | default(true) | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - name: Retrieve registry service IP - command: > - {{ openshift.common.client_binary }} get svc/docker-registry - -o jsonpath='{.spec.clusterIP}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_service_ip - when: openshift_hosted_manage_registry | default(true) | bool - changed_when: false - delegate_to: "{{ groups.oo_first_master.0 }}" - run_once: true - - - name: Create registry CA directories - file: - path: "/etc/docker/certs.d/{{ item }}" - state: directory - with_items: - - "{{ docker_registry_service_ip.stdout }}:5000" - - "{{ docker_registry_route.stdout }}" - - "docker-registry.default.svc.cluster.local:5000" - when: 
openshift_hosted_manage_registry | default(true) | bool - - - name: Copy CA to registry CA directories - copy: - src: "{{ openshift.common.config_base }}/node/ca.crt" - dest: "/etc/docker/certs.d/{{ item }}" - remote_src: yes - force: yes - with_items: - - "{{ docker_registry_service_ip.stdout }}:5000" - - "{{ docker_registry_route.stdout }}" - - "docker-registry.default.svc.cluster.local:5000" - when: openshift_hosted_manage_registry | default(true) | bool - notify: - - Wait for docker-registry deployment - - Wait for registry-console deployment - - Restart docker - - handlers: - # Restarting docker before deployments have begun will block the - # deployments from ever starting so try waiting for the registry to - # become available. - - name: Wait for docker-registry deployment - command: > - {{ openshift.common.client_binary }} get dc/docker-registry - -o jsonpath='{.status.availableReplicas}' - --config={{ openshift_hosted_kubeconfig }} - -n default - delegate_to: "{{ groups.oo_first_master.0}}" - register: l_docker_registry_available_replicas - until: l_docker_registry_available_replicas.stdout | default("0") != "0" - retries: 30 - delay: 1 - failed_when: false - changed_when: false - run_once: true - - - name: Wait for registry-console deployment - command: > - {{ openshift.common.client_binary }} get dc/registry-console - -o jsonpath='{.status.availableReplicas}' - --config={{ openshift_hosted_kubeconfig }} - -n default - delegate_to: "{{ groups.oo_first_master.0 }}" - register: l_registry_console_available_replicas - until: l_registry_console_available_replicas.stdout | default("0") != "0" - retries: 30 - delay: 1 - failed_when: false - changed_when: false - run_once: true - - - name: Restart docker - service: - name: docker - state: restarted - -- name: Delete temp directory - hosts: oo_first_master - tags: - - hosted - tasks: - - name: Delete temp directory - file: - name: "{{ mktemp.stdout }}" - state: absent - when: openshift_hosted_manage_registry | 
default(true) | bool - changed_when: False diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index f718dbfbd..364a62dd0 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -60,12 +60,12 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: + - role: openshift_common - role: openshift_clock - role: openshift_docker - role: openshift_node_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" - role: openshift_cloud_provider - - role: openshift_common - role: openshift_node_dnsmasq when: openshift.common.use_dnsmasq - role: os_firewall @@ -99,12 +99,12 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: + - role: openshift_common - role: openshift_clock - role: openshift_docker - role: openshift_node_certificates openshift_ca_host: "{{ groups.oo_first_master.0 }}" - role: openshift_cloud_provider - - role: openshift_common - role: openshift_node_dnsmasq when: openshift.common.use_dnsmasq - role: os_firewall diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml index 0ce142983..0c8a36d65 100644 --- a/roles/openshift_docker_facts/tasks/main.yml +++ b/roles/openshift_docker_facts/tasks/main.yml 
@@ -13,7 +13,7 @@ log_options: "{{ openshift_docker_log_options | default(None) }}" options: "{{ openshift_docker_options | default(None) }}" disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}" - hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.common.deployment_subtype != 'registry') }}" + hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(False) }}" hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}" - set_fact: diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml new file mode 100644 index 000000000..f2299cecf --- /dev/null +++ b/roles/openshift_node_certificates/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: update ca trust + command: update-ca-trust + notify: + - restart docker after updating ca trust + +- name: restart docker after updating ca trust + service: + name: docker + state: restarted diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index a729b4d6c..80ab4bb1d 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -124,3 +124,14 @@ when: node_certs_missing | bool delegate_to: localhost become: no + +- name: Copy OpenShift CA to system CA trust + copy: + src: "{{ item.cert }}" + dest: "/etc/pki/ca-trust/source/anchors/{{ item.id }}-{{ item.cert | basename }}" + remote_src: yes + with_items: + - id: openshift + cert: "{{ openshift_node_cert_dir }}/ca.crt" + notify: + - update ca trust -- cgit v1.2.3
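Review bot: Defaulting `hosted_registry_insecure` to `False` is the right direction, but it takes effect on every node regardless of whether `secure.yml` has run on that cluster; on an upgrade of an existing deployment the docker daemon may drop `--insecure-registry` for a registry that is still serving plain HTTP until the hosted role re-secures it, so pulls from the hosted registry fail in that window (hedged — it depends on the ordering of the docker and hosted roles, which is outside this patch). A comment on the line, e.g. `# registry is TLS by default since secure.yml runs unconditionally; set openshift_docker_hosted_registry_insecure=true only for legacy HTTP registries`, would record why the default changed. The `openshift_facts` call this line belongs to starts above the hunk.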
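Review bot: `Copy OpenShift CA to system CA trust` installs the cluster CA into `/etc/pki/ca-trust/source/anchors/`, which makes every TLS client on the node — not just docker's connection to the registry — trust certificates issued by that CA; the `/etc/docker/certs.d/<host>` placement this series removes was scoped to the registry endpoints. That widening may be a deliberate trade-off, but it deserves a comment on the task, e.g. `# Trusts the cluster CA node-wide (curl, python, etc.), not only for the registry; a compromise of the CA key then affects all TLS on the node.` With `force` left at the copy module's default a rotated `ca.crt` overwrites the anchor and the `update ca trust` / `restart docker after updating ca trust` handlers only fire on an actual change, which is the behaviour you want. The task list this appends to starts above the hunk.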