Refactor openshift_hosted plays and role

Currently, openshift_hosted role duplicates some logic
across separate task chains.  This commit cleans up
the openshift_hosted role and converts it to be
primarily used with include_role to give better
logic to the playbooks that utilize this role.

This commit also refactors the playbook that calls
various openshift_hosted roles into individual playbooks.
This allows more granularity for advanced users.

2 files changed, 83 insertions, 0 deletions

diff --git a/roles/openshift_hosted/tasks/secure/passthrough.yml b/roles/openshift_hosted/tasks/secure/passthrough.yml
new file mode 100644
index 000000000..5b44fda10
--- /dev/null
+++ b/roles/openshift_hosted/tasks/secure/passthrough.yml
@@ -0,0 +1,45 @@
+---
+# Generate a self-signed certificate when there is no user-supplied certificate
+- name: Configure self-signed certificate file paths
+  set_fact:
+    docker_registry_cert_path: "{{ openshift_master_config_dir }}/registry.crt"
+    docker_registry_key_path: "{{ openshift_master_config_dir }}/registry.key"
+    docker_registry_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"
+    docker_registry_self_signed: true
+  when:
+  - "'certfile' not in openshift_hosted_registry_routecertificates"
+  - "'keyfile' not in openshift_hosted_registry_routecertificates"
+
+# Retrieve user supplied certificate files if they are provided
+- when:
+  - "'certfile' in openshift_hosted_registry_routecertificates"
+  - "'keyfile' in openshift_hosted_registry_routecertificates"
+  block:
+  - name: Configure provided certificate file paths
+    set_fact:
+      docker_registry_cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
+      docker_registry_key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
+      docker_registry_self_signed: false
+
+  # Since we end up bundling the cert, cacert and key in a .pem file, the 'cafile'
+  # is optional
+  - name: Configure provided ca certificate file path
+    set_fact:
+      docker_registry_cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
+    when: "'cafile' in openshift_hosted_registry_routecertificates"
+
+  - name: Retrieve provided certificate files
+    copy:
+      backup: True
+      dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}"
+      src: "{{ item.value }}"
+    when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
+    with_dict: "{{ openshift_hosted_registry_routecertificates }}"
+
+- name: Configure a passthrough route for docker-registry
+  oc_route:
+    name: docker-registry
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+    service_name: docker-registry
+    tls_termination: "{{ openshift_hosted_registry_routetermination }}"
+    host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}"
diff --git a/roles/openshift_hosted/tasks/secure/reencrypt.yml b/roles/openshift_hosted/tasks/secure/reencrypt.yml
new file mode 100644
index 000000000..48e5b0fba
--- /dev/null
+++ b/roles/openshift_hosted/tasks/secure/reencrypt.yml
@@ -0,0 +1,38 @@
+---
+- name: Validate route termination configuration
+  fail:
+    msg: >
+     When 'openshift_hosted_registry_routetermination' is 'reencrypt', you must
+     provide certificate files with 'openshift_hosted_registry_routecertificates'
+  when: ('certfile' not in openshift_hosted_registry_routecertificates) or
+        ('keyfile' not in openshift_hosted_registry_routecertificates) or
+        ('cafile' not in openshift_hosted_registry_routecertificates)
+
+- name: Configure self-signed certificate file paths
+  set_fact:
+    docker_registry_cert_path: "{{ openshift_master_config_dir }}/registry.crt"
+    docker_registry_key_path: "{{ openshift_master_config_dir }}/registry.key"
+    docker_registry_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"
+    docker_registry_self_signed: true
+
+- name: Retrieve provided certificate files
+  copy:
+    backup: True
+    dest: "{{ openshift_master_config_dir }}/named_certificates/{{ item.value | basename }}"
+    src: "{{ item.value }}"
+  when: item.key in ['certfile', 'keyfile', 'cafile'] and item.value
+  with_dict: "{{ openshift_hosted_registry_routecertificates }}"
+
+# Encrypt with the provided certificate and provide the dest_cacert for the
+# self-signed certificate at the endpoint
+- name: Configure a reencrypt route for docker-registry
+  oc_route:
+    name: docker-registry
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+    service_name: docker-registry
+    tls_termination: "{{ openshift_hosted_registry_routetermination }}"
+    host: "{{ openshift_hosted_registry_routehost | default(omit, true) }}"
+    cert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['certfile'] | basename }}"
+    key_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['keyfile'] | basename }}"
+    cacert_path: "{{ openshift_master_config_dir }}/named_certificates/{{ openshift_hosted_registry_routecertificates['cafile'] | basename }}"
+    dest_cacert_path: "{{ openshift_master_config_dir }}/ca.crt"