7 files changed, 29 insertions, 13 deletions
diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade.yml b/playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade.yml index 6a6f0952b..69cabcd33 100644 --- a/playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade.yml +++ b/playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade.yml @@ -102,4 +102,4 @@ - include: ../../../../common/openshift-cluster/upgrades/post_control_plane.yml -- inlcude: ../../../../common/openshift-cluster/upgrades/v3_5/storage_upgrade.yml +- include: ../../../../common/openshift-cluster/upgrades/v3_5/storage_upgrade.yml diff --git a/playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml b/playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml index 2d4e0ff1c..719057d2b 100644 --- a/playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml +++ b/playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml @@ -108,4 +108,4 @@ - include: ../../../../common/openshift-cluster/upgrades/post_control_plane.yml -- inlcude: ../../../../common/openshift-cluster/upgrades/v3_5/storage_upgrade.yml +- include: ../../../../common/openshift-cluster/upgrades/v3_5/storage_upgrade.yml diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/filter_plugins b/playbooks/common/openshift-cluster/upgrades/v3_5/filter_plugins new file mode 120000 index 000000000..7de3c1dd7 --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/filter_plugins @@ -0,0 +1 @@ +../../../../../filter_plugins/
\ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/roles b/playbooks/common/openshift-cluster/upgrades/v3_5/roles
new file mode 120000
index 000000000..415645be6
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_5/roles
@@ -0,0 +1 @@
+../../../../../roles/
\ No newline at end of file
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index ced71bb41..afea0ac59 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -4,7 +4,7 @@ galaxy_info:
 description: OpenShift Embedded Router
 company: Red Hat, Inc.
 license: Apache License, Version 2.0
- min_ansible_version: 1.9
+ min_ansible_version: 2.1
 platforms:
 - name: EL
 versions:
diff --git a/roles/openshift_hosted/tasks/registry/storage/s3.yml b/roles/openshift_hosted/tasks/registry/storage/s3.yml
index f73d9f0ae..7d51594bd 100644
--- a/roles/openshift_hosted/tasks/registry/storage/s3.yml
+++ b/roles/openshift_hosted/tasks/registry/storage/s3.yml
@@ -21,13 +21,27 @@ openshift_hosted_registry_storage_s3_cloudfront_keypairid and openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile are required -# Copy the cloudfront.pem to the host if the baseurl is given -- name: Copy cloudfront.pem to the registry - copy: - src: "{{ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile }}" - dest: /etc/s3-cloudfront/cloudfront.pem - backup: true - owner: root - group: root - mode: 0600 + +# Inject the cloudfront private key as a secret when required +- block: + + - name: Create registry secret for cloudfront + oc_secret: + state: present + namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" + name: docker-registry-s3-cloudfront + contents: + path: cloudfront.pem + data: "{{ lookup('file', openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile) }}" + + - name: Add cloudfront secret to the registry deployment config + command: > + oc volume dc/docker-registry --add --name=cloudfront-vol + --namespace="{{ openshift.hosted.registry.namespace | default('default') }}" + -m /etc/origin --type=secret --secret-name=docker-registry-s3-cloudfront + register: cloudfront_vol_attach + failed_when: + - "'already exists' not in cloudfront_vol_attach.stderr" + - "cloudfront_vol_attach.rc != 0" + when: openshift_hosted_registry_storage_s3_cloudfront_baseurl | default(none) is not none diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2 index 557fd03af..f3336334a 100644 --- a/roles/openshift_hosted/templates/registry_config.j2 +++ b/roles/openshift_hosted/templates/registry_config.j2 
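Review bot: The `Create registry secret for cloudfront` task reads the CloudFront private key with `lookup('file', ...)` and passes it as a module argument, so the key material can end up in verbose output, callback logs or a failure message; add `no_log: true` to that task. The `oc volume` task has no `changed_when`, so it reports changed on every run even when the volume is already attached; `changed_when: "'already exists' not in cloudfront_vol_attach.stderr"` would keep reruns quiet. The removed copy task wrote the key to `/etc/s3-cloudfront/cloudfront.pem` with `backup: true`, and nothing visible in this hunk removes that file or its backups on hosts that ran the old version, so a stale copy of the key may remain on disk after the upgrade. Indentation is lost in this rendering, so where these keys sit relative to `block:` should be checked against the file.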
@@ -78,7 +78,7 @@ middleware:
 - name: cloudfront
 options:
 baseurl: {{ openshift_hosted_registry_storage_s3_cloudfront_baseurl }}
- privatekey: {{ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile }}
+ privatekey: /etc/origin/cloudfront.pem
 keypairid: {{ openshift_hosted_registry_storage_s3_cloudfront_keypairid }}
 {% elif openshift.common.version_gte_3_3_or_1_3 | bool %}
 storage: |
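Review bot: The new `privatekey: /etc/origin/cloudfront.pem` line hard-codes a path that is only valid while it matches the `-m /etc/origin` mount and the `path: cloudfront.pem` secret key set in `tasks/registry/storage/s3.yml`, and nothing in the template records that dependency. A template comment above it, such as `{# must match the secret mount path and key name in tasks/registry/storage/s3.yml #}`, or a single role variable for the mount directory used in both places, would keep the two from drifting apart. If they do drift, the registry would presumably come up without a readable signing key, which is hard to trace back to this line. The enclosing `middleware:` block starts above the hunk.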