From d4d197b83decbea47756a8381eec2a5d74d451ff Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Wed, 15 Feb 2017 09:36:37 -0500 Subject: Register cloudfront privkey when required --- roles/openshift_hosted/meta/main.yml | 2 +- .../openshift_hosted/tasks/registry/storage/s3.yml | 32 ++++++++++++++++------ .../openshift_hosted/templates/registry_config.j2 | 2 +- 3 files changed, 25 insertions(+), 11 deletions(-) (limited to 'roles') diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml index ced71bb41..afea0ac59 100644 --- a/roles/openshift_hosted/meta/main.yml +++ b/roles/openshift_hosted/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: OpenShift Embedded Router company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9 + min_ansible_version: 2.1 platforms: - name: EL versions: diff --git a/roles/openshift_hosted/tasks/registry/storage/s3.yml b/roles/openshift_hosted/tasks/registry/storage/s3.yml index f73d9f0ae..7d51594bd 100644 --- a/roles/openshift_hosted/tasks/registry/storage/s3.yml +++ b/roles/openshift_hosted/tasks/registry/storage/s3.yml @@ -21,13 +21,27 @@ openshift_hosted_registry_storage_s3_cloudfront_keypairid and openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile are required -# Copy the cloudfront.pem to the host if the baseurl is given -- name: Copy cloudfront.pem to the registry - copy: - src: "{{ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile }}" - dest: /etc/s3-cloudfront/cloudfront.pem - backup: true - owner: root - group: root - mode: 0600 + +# Inject the cloudfront private key as a secret when required +- block: + + - name: Create registry secret for cloudfront + oc_secret: + state: present + namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" + name: docker-registry-s3-cloudfront + contents: + path: cloudfront.pem + data: "{{ lookup('file', openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile) }}" + + - name: Add cloudfront secret to the registry deployment config + command: > + oc volume dc/docker-registry --add --name=cloudfront-vol + --namespace="{{ openshift.hosted.registry.namespace | default('default') }}" + -m /etc/origin --type=secret --secret-name=docker-registry-s3-cloudfront + register: cloudfront_vol_attach + failed_when: + - "'already exists' not in cloudfront_vol_attach.stderr" + - "cloudfront_vol_attach.rc != 0" + when: openshift_hosted_registry_storage_s3_cloudfront_baseurl | default(none) is not none diff --git a/roles/openshift_hosted/templates/registry_config.j2 b/roles/openshift_hosted/templates/registry_config.j2 index 557fd03af..f3336334a 100644 --- a/roles/openshift_hosted/templates/registry_config.j2 +++ b/roles/openshift_hosted/templates/registry_config.j2 @@ -78,7 +78,7 @@ middleware: - name: cloudfront options: baseurl: {{ openshift_hosted_registry_storage_s3_cloudfront_baseurl }} - privatekey: {{ openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile }} + privatekey: /etc/origin/cloudfront.pem keypairid: {{ openshift_hosted_registry_storage_s3_cloudfront_keypairid }} {% elif openshift.common.version_gte_3_3_or_1_3 | bool %} storage: -- cgit v1.2.1