-
Notifications
You must be signed in to change notification settings - Fork 2.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Refactor registry-console setup and add support for SSL
This is a refactor to significantly improve the configurability of the registry console service and route in order to bring it in line with the way we configure docker-registry. Effectively, this adds the ability to select a hostname for the registry console and adds support for securing the registry-console route with a provided SSL certificate either with passthrough or reencrypt termination. We maintain backwards compatibility by keeping the same default which provides a default registry-console hostname and self-signed certificates on a passthrough route.
- Loading branch information
David Moreau-Simard
committed
May 21, 2017
1 parent
22dfad7
commit 1fbc8cf
Showing
4 changed files
with
166 additions
and
31 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
openshift_hosted_registry_console_cert_expire_days: 730 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
--- | ||
# We'll generate a self-signed certificate when there is no user-supplied | ||
# certificate | ||
- name: Configure self-signed certificate file paths | ||
set_fact: | ||
docker_registry_console_cert_path: "{{ openshift_master_config_dir }}/registry-console.crt" | ||
docker_registry_console_key_path: "{{ openshift_master_config_dir }}/registry-console.key" | ||
docker_registry_console_cacert_path: "{{ openshift_master_config_dir }}/ca.crt" | ||
docker_registry_console_self_signed: true | ||
when: | ||
- "'certfile' not in openshift_hosted_registry_console_routecertificates" | ||
- "'keyfile' not in openshift_hosted_registry_console_routecertificates" | ||
|
||
# Retrieve user supplied certificate files if they are provided | ||
- when: | ||
- "'certfile' in openshift_hosted_registry_console_routecertificates" | ||
- "'keyfile' in openshift_hosted_registry_console_routecertificates" | ||
block: | ||
- name: Configure provided certificate file paths | ||
set_fact: | ||
docker_registry_console_cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_console_routecertificates['certfile'] | basename }}" | ||
docker_registry_console_key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_console_routecertificates['keyfile'] | basename }}" | ||
docker_registry_console_self_signed: false | ||
|
||
# Since we end up bundling the cert, cacert and key in a .pem file, the 'cafile' | ||
# is optional | ||
- name: Configure provided ca certificate file path | ||
set_fact: | ||
docker_registry_console_cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_console_routecertificates['cafile'] | basename }}" | ||
when: "'cafile' in openshift_hosted_registry_console_routecertificates" | ||
|
||
- name: Retrieve provided certificate files | ||
copy: | ||
backup: True | ||
dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}" | ||
src: "{{ item.value }}" | ||
when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value | ||
with_dict: "{{ openshift_hosted_registry_console_routecertificates }}" | ||
|
||
- name: Configure a passthrough route for registry-console | ||
oc_route: | ||
name: registry-console | ||
namespace: "{{ openshift_hosted_registry_console_namespace }}" | ||
service_name: registry-console | ||
tls_termination: "{{ openshift_hosted_registry_console_routetermination }}" | ||
host: "{{ openshift_hosted_registry_console_routehost | default(omit, true) }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
--- | ||
- name: Validate route termination configuration | ||
fail: | ||
msg: > | ||
When 'openshift_hosted_registry_console_routetermination' is 'reencrypt', you must | ||
provide certificate files with 'openshift_hosted_registry_console_routecertificates' | ||
when: ('certfile' not in openshift_hosted_registry_console_routecertificates) or | ||
('keyfile' not in openshift_hosted_registry_console_routecertificates) or | ||
('cafile' not in openshift_hosted_registry_console_routecertificates) | ||
|
||
- name: Configure self-signed certificate file paths | ||
set_fact: | ||
docker_registry_console_cert_path: "{{ openshift_master_config_dir }}/registry-console.crt" | ||
docker_registry_console_key_path: "{{ openshift_master_config_dir }}/registry-console.key" | ||
docker_registry_console_cacert_path: "{{ openshift_master_config_dir }}/ca.crt" | ||
docker_registry_console_self_signed: true | ||
|
||
- name: Retrieve provided certificate files | ||
copy: | ||
backup: True | ||
dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}" | ||
src: "{{ item.value }}" | ||
when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value | ||
with_dict: "{{ openshift_hosted_registry_console_routecertificates }}" | ||
|
||
# Encrypt with the provided certificate and provide the dest_cacert for the | ||
# self-signed certificate at the endpoint | ||
- name: Configure a reencrypt route for registry-console | ||
oc_route: | ||
name: registry-console | ||
namespace: "{{ openshift_hosted_registry_console_namespace }}" | ||
service_name: registry-console | ||
tls_termination: "{{ openshift_hosted_registry_console_routetermination }}" | ||
host: "{{ openshift_hosted_registry_console_routehost | default(omit, true) }}" | ||
cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_console_routecertificates['certfile'] | basename }}" | ||
key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_console_routecertificates['keyfile'] | basename }}" | ||
cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_console_routecertificates['cafile'] | basename }}" | ||
dest_cacert_path: "{{ openshift_master_config_dir }}/ca.crt" |