diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml index 67c6bbfd719..a6cb95a2856 100644 --- a/roles/openshift_hosted/tasks/main.yml +++ b/roles/openshift_hosted/tasks/main.yml @@ -4,7 +4,8 @@ register: mktemp changed_when: False -- set_fact: +- name: set_fact openshift_hosted_kubeconfig + set_fact: openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" - name: Copy the admin client config(s) diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml index 93b701ebcea..5366d5ab3b9 100644 --- a/roles/openshift_hosted/tasks/registry/registry.yml +++ b/roles/openshift_hosted/tasks/registry/registry.yml @@ -1,64 +1,68 @@ --- - name: Retrieve list of openshift nodes matching registry selector - command: > - {{ openshift.common.client_binary }} --api-version='v1' -o json - get nodes -n default --config={{ openshift_hosted_kubeconfig }} - --selector={{ openshift.hosted.registry.selector | default('') }} - register: registry_nodes_json - changed_when: false + oc_obj: + state: list + kind: node + selector: "{{ openshift.hosted.registry.selector | default('') }}" + register: registry_nodes when: openshift.hosted.registry.replicas | default(none) is none -- set_fact: - l_node_count: "{{ (registry_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length }}" +- name: set_fact l_node_count to number of nodes matching registry selector + set_fact: + l_node_count: "{{ registry_nodes.results.results[0]['items'] | length }}" # Determine the default number of registry/router replicas to use if no count # has been specified. # If no registry nodes defined, the default should be 0. -- set_fact: +- name: set_fact l_default_replicas when l_node_count == 0 + set_fact: l_default_replicas: 0 when: l_node_count | int == 0 # If registry nodes are defined and the registry storage kind is # defined, default should be the number of registry nodes, otherwise # just 1: -- set_fact: +- name: set_fact l_default_replicas when l_node_count > 0 + set_fact: l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}" when: l_node_count | int > 0 -- set_fact: +- name: set_fact replicas + set_fact: replicas: "{{ openshift.hosted.registry.replicas | default(l_default_replicas) }}" - name: Create OpenShift registry - command: > - {{ openshift.common.client_binary }} adm registry --create - --config={{ openshift_hosted_kubeconfig }} - {% if replicas > 1 -%} - --replicas={{ replicas }} - {% endif -%} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - --service-account=registry - {% if openshift.hosted.registry.selector | default(none) is not none -%} - --selector='{{ openshift.hosted.registry.selector }}' - {% endif -%} - {% if not openshift.common.version_gte_3_2_or_1_2 | bool -%} - --credentials={{ openshift_master_config_dir }}/openshift-registry.kubeconfig - {% endif -%} - {% if openshift.hosted.registry.registryurl | default(none) is not none -%} - --images='{{ openshift.hosted.registry.registryurl }}' - {% endif -%} - register: openshift_hosted_registry_results - changed_when: "'service exists' not in openshift_hosted_registry_results.stdout" - failed_when: "openshift_hosted_registry_results.rc != 0 and 'service exists' not in openshift_hosted_registry_results.stdout and 'deployment_config' not in openshift_hosted_registry_results.stderr and 'service' not in openshift_hosted_registry_results.stderr" + oc_adm_registry: + state: present + name: registry + namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" + selector: "{{ openshift.hosted.registry.selector }}" + replicas: "{{ replicas }}" + service_account: registry + images: "{{ openshift.hosted.registry.registryurl }}" when: replicas | int > 0 - include: secure.yml static: no - when: replicas | int > 0 and not (openshift.docker.hosted_registry_insecure | default(false) | bool) + when: + - replicas | int > 0 + - not (openshift.docker.hosted_registry_insecure | default(false) | bool) - include: storage/object_storage.yml static: no - when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) == 'object' + when: + - replicas | int > 0 + - openshift.hosted.registry.storage.kind | default(none) == 'object' -- include: storage/persistent_volume.yml - static: no - when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack'] +- name: Add persistent volume to dc/docker-registry + oc_adm_registry: + state: present + name: docker-registry + namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" + volume_mounts: + - name: registry-storage + type: persistentVolumeClaim + claim_name: "{{ openshift.hosted.registry.storage.volume.name }}-claim" + when: + - replicas | int > 0 + - openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack'] diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml index 8b44b94c645..f90bffe6b7b 100644 --- a/roles/openshift_hosted/tasks/registry/secure.yml +++ b/roles/openshift_hosted/tasks/registry/secure.yml @@ -1,7 +1,6 @@ --- - name: Create passthrough route for docker-registry oc_route: - kubeconfig: "{{ openshift_hosted_kubeconfig }}" name: docker-registry namespace: default service_name: docker-registry @@ -9,41 +8,28 @@ tls_termination: passthrough run_once: true -- name: Determine if registry certificate must be created - stat: - path: "{{ openshift_master_config_dir }}/{{ item }}" - with_items: - - registry.crt - - registry.key - register: docker_registry_certificates_stat_result - changed_when: false - failed_when: false - - name: Retrieve registry service IP oc_service: namespace: default name: docker-registry state: list register: docker_registry_service_ip - changed_when: false -- set_fact: +- name: Set fact docker_registry_route_hostname + set_fact: docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}" -- name: Create registry certificates if they do not exist - command: > - {{ openshift.common.client_binary }} adm ca create-server-cert - --signer-cert={{ openshift_master_config_dir }}/ca.crt - --signer-key={{ openshift_master_config_dir }}/ca.key - --signer-serial={{ openshift_master_config_dir }}/ca.serial.txt - --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}" - --cert={{ openshift_master_config_dir }}/registry.crt - --key={{ openshift_master_config_dir }}/registry.key - when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list) +- name: Create registry certificates + oc_adm_ca_server_cert: + signer-cert: "{{ openshift_master_config_dir }}/ca.crt" + signer-key: "{{ openshift_master_config_dir }}/ca.key" + signer-serial: "{{ openshift_master_config_dir }}/ca.serial.txt" + hostnames: "{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}" + cert: "{{ openshift_master_config_dir }}/registry.crt" + key: "{{ openshift_master_config_dir }}/registry.key" - name: Create the secret for the registry certificates oc_secret: - kubeconfig: "{{ openshift_hosted_kubeconfig }}" name: registry-certificates namespace: default state: present @@ -60,73 +46,26 @@ service_account: "{{ item }}" secret: registry-certificates namespace: default - kubeconfig: "{{ openshift_hosted_kubeconfig }}" state: present with_items: - registry - default -- name: Determine if registry-certificates secret volume attached - command: > - {{ openshift.common.client_binary }} get dc/docker-registry - -o jsonpath='{.spec.template.spec.volumes[?(@.secret)].secret.secretName}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_volumes - changed_when: false - failed_when: "docker_registry_volumes.stdout != '' and 'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0" - -- name: Attach registry-certificates secret volume - command: > - {{ openshift.common.client_binary }} volume dc/docker-registry --add --type=secret - --secret-name=registry-certificates - -m /etc/secrets - --config={{ openshift_hosted_kubeconfig }} - -n default - when: "'registry-certificates' not in docker_registry_volumes.stdout" - -- name: Determine if registry environment variables must be set - command: > - {{ openshift.common.client_binary }} env dc/docker-registry - --list - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_env - changed_when: false - -- name: Configure certificates in registry deplomentConfig - command: > - {{ openshift.common.client_binary }} env dc/docker-registry - REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt - REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key - --config={{ openshift_hosted_kubeconfig }} - -n default - when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout" - -- name: Determine if registry liveness probe scheme is HTTPS - command: > - {{ openshift.common.client_binary }} get dc/docker-registry - -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_liveness_probe - changed_when: false - -# This command is on a single line to preserve patch json. -- name: Update registry liveness probe from HTTP to HTTPS - command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default" - when: "'HTTPS' not in docker_registry_liveness_probe.stdout" - -- name: Determine if registry readiness probe scheme is HTTPS - command: > - {{ openshift.common.client_binary }} get dc/docker-registry - -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}' - --config={{ openshift_hosted_kubeconfig }} - -n default - register: docker_registry_readiness_probe - changed_when: false - -# This command is on a single line to preserve patch json. -- name: Update registry readiness probe from HTTP to HTTPS - command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default" - when: "'HTTPS' not in docker_registry_readiness_probe.stdout" +- name: Update registry configuration + oc_adm_registry: + name: registry + namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" + volume_mounts: + - path: /etc/secrets + type: secret + secret_name: registry-certificates + env_vars: + REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt + REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key + edits: + - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme + value: HTTPS + action: put + - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme + value: HTTPS + action: put diff --git a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml index 15128784e26..397c8258e9f 100644 --- a/roles/openshift_hosted/tasks/registry/storage/object_storage.yml +++ b/roles/openshift_hosted/tasks/registry/storage/object_storage.yml @@ -34,6 +34,7 @@ same_storage_provider: "{{ (secrets.stdout|from_json)['metadata']['annotations']['provider'] | default(none) == openshift.hosted.registry.storage.provider }}" when: secrets.rc == 0 +# TODO (rteague): Not sure how to handle this one - name: Update registry config secret command: > {{ openshift.common.client_binary }} @@ -44,6 +45,7 @@ register: update_config_secret when: secrets.rc == 0 and (secrets.stdout|from_json)['data']['config.yml'] != registry_config and same_storage_provider | bool +# TODO (rteague): Not sure how to handle this one - name: Create registry config secret shell: > echo '{{ registry_config_secret |to_json }}' | @@ -58,48 +60,17 @@ service_account: registry secret: "{{ registry_config_secret_name }}" namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" - kubeconfig: "{{ openshift_hosted_kubeconfig }}" state: present -- name: Determine if deployment config contains secrets - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - set volumes dc/docker-registry --list - register: volume - changed_when: false - - name: Add secrets to registry deployment config - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - set volumes dc/docker-registry --add --name=docker-config -m /etc/registry - --type=secret --secret-name={{ registry_config_secret_name }} - when: registry_config_secret_name not in volume.stdout - -- name: Determine if registry environment variable needs to be created - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - set env --list dc/docker-registry - register: oc_env - changed_when: false - -- name: Add registry environment variable - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - set env dc/docker-registry REGISTRY_CONFIGURATION_PATH=/etc/registry/config.yml - when: "'REGISTRY_CONFIGURATION_PATH' not in oc_env.stdout" - -- name: Redeploy registry - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - deploy dc/docker-registry --latest - when: secrets.rc == 0 and not update_config_secret | skipped and update_config_secret.rc == 0 and same_storage_provider | bool + oc_adm_registry: + state: present + name: docker-registry + namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" + volume_mounts: + - name: docker-config + path: /etc/secrets + type: secret + secret_name: "{{ registry_config_secret_name }}" + env_vars: + REGISTRY_CONFIGURATION_PATH: /etc/registry/config.yml diff --git a/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml b/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml deleted file mode 100644 index 0172f5ca0a0..00000000000 --- a/roles/openshift_hosted/tasks/registry/storage/persistent_volume.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- set_fact: - registry_volume_claim: "{{ openshift.hosted.registry.storage.volume.name }}-claim" - -- name: Determine if volume is already attached to dc/docker-registry - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - get -o template dc/docker-registry --template=\\{\\{.spec.template.spec.volumes\\}\\} --output-version=v1 - changed_when: false - failed_when: false - register: registry_volumes_output - -- set_fact: - volume_attached: "{{ registry_volume_claim in (registry_volumes_output).stdout | default(['']) }}" - -- name: Add volume to dc/docker-registry - command: > - {{ openshift.common.client_binary }} - --config={{ openshift_hosted_kubeconfig }} - --namespace={{ openshift.hosted.registry.namespace | default('default') }} - volume dc/docker-registry - --add --overwrite -t persistentVolumeClaim --claim-name={{ registry_volume_claim }} - --name=registry-storage - when: not volume_attached | bool diff --git a/roles/openshift_hosted/tasks/registry/storage/s3.yml b/roles/openshift_hosted/tasks/registry/storage/s3.yml index 7d51594bdcf..d006dd2c72c 100644 --- a/roles/openshift_hosted/tasks/registry/storage/s3.yml +++ b/roles/openshift_hosted/tasks/registry/storage/s3.yml @@ -35,13 +35,14 @@ data: "{{ lookup('file', openshift_hosted_registry_storage_s3_cloudfront_privatekeyfile) }}" - name: Add cloudfront secret to the registry deployment config - command: > - oc volume dc/docker-registry --add --name=cloudfront-vol - --namespace="{{ openshift.hosted.registry.namespace | default('default') }}" - -m /etc/origin --type=secret --secret-name=docker-registry-s3-cloudfront - register: cloudfront_vol_attach - failed_when: - - "'already exists' not in cloudfront_vol_attach.stderr" - - "cloudfront_vol_attach.rc != 0" + oc_adm_registry: + state: present + name: docker-registry + namespace: "{{ openshift.hosted.registry.namespace | default('default') }}" + volume_mounts: + - name: cloudfront-vol + path: /etc/origin + type: secret + secret_name: docker-registry-s3-cloudfront when: openshift_hosted_registry_storage_s3_cloudfront_baseurl | default(none) is not none diff --git a/roles/openshift_hosted/tasks/router/router.yml b/roles/openshift_hosted/tasks/router/router.yml index 3d5713d6b01..ac03c396fad 100644 --- a/roles/openshift_hosted/tasks/router/router.yml +++ b/roles/openshift_hosted/tasks/router/router.yml @@ -1,104 +1,78 @@ --- -- fail: - msg: "'certfile', 'keyfile' and 'cafile' keys must be specified when supplying the openshift_hosted_router_certificate variable." - when: openshift_hosted_router_certificate is defined and ('certfile' not in openshift_hosted_router_certificate or 'keyfile' not in openshift_hosted_router_certificate or 'cafile' not in openshift_hosted_router_certificate) +- name: Retrieve list of openshift nodes matching router selector + oc_obj: + state: list + kind: node + namespace: default + selector: "{{ openshift.hosted.router.selector | default('') }}" + register: router_nodes + when: openshift.hosted.router.replicas | default(none) is none -- name: Read router certificate and key - become: no - local_action: - module: slurp - src: "{{ item }}" - register: openshift_router_certificate_output - # Defaulting dictionary keys to none to avoid deprecation warnings - # (future fatal errors) during template evaluation. Dictionary keys - # won't be accessed unless openshift_hosted_router_certificate is - # defined and has all keys (certfile, keyfile, cafile) which we - # check above. - with_items: - - "{{ (openshift_hosted_router_certificate | default({'certfile':none})).certfile }}" - - "{{ (openshift_hosted_router_certificate | default({'keyfile':none})).keyfile }}" - - "{{ (openshift_hosted_router_certificate | default({'cafile':none})).cafile }}" - when: openshift_hosted_router_certificate is defined +- name: set_fact replicas + set_fact: + replicas: "{{ openshift.hosted.router.replicas | default(router_nodes.results.results[0]['items'] | length) }}" -- name: Persist certificate contents - openshift_facts: - role: hosted - openshift_env: - openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}" - when: openshift_hosted_router_certificate is defined +- name: Create OpenShift router + oc_adm_router: + name: "{{ openshift.hosted.router.name | default('router') }}" + replicas: "{{ replicas }}" + namespace: "{{ openshift.hosted.router.namespace | default('default') }}" + # force_subdomain: "{{ openshift.hosted.router.force_subdomain | default(none) }}" + service_account: router + selector: "{{ openshift.hosted.router.selector | default(none) }}" + images: "{{ openshift.hosted.router.registryurl | default(none) }}" + when: replicas | int > 0 -- name: Create PEM certificate - copy: - content: "{{ openshift.hosted.router.certificate.contents }}" - dest: "{{ openshift_master_config_dir }}/openshift-router.pem" - mode: 0600 - when: "'certificate' in openshift.hosted.router and 'contents' in openshift.hosted.router.certificate" +- block: -- name: Retrieve list of openshift nodes matching router selector - command: > - {{ openshift.common.client_binary }} --api-version='v1' -o json - get nodes -n default --config={{ openshift_hosted_kubeconfig }} - --selector={{ openshift.hosted.router.selector | default('') }} - register: router_nodes_json - changed_when: false - when: openshift.hosted.router.replicas | default(none) is none + - name: Assert that 'certfile', 'keyfile' and 'cafile' keys provided in openshift_hosted_router_certificate + assert: + that: + - "'certfile' in openshift_hosted_router_certificate" + - "'keyfile' in openshift_hosted_router_certificate" + - "'cafile' in openshift_hosted_router_certificate" + msg: "'certfile', 'keyfile' and 'cafile' keys must be specified when supplying the openshift_hosted_router_certificate variable." -- set_fact: - replicas: "{{ openshift.hosted.router.replicas | default((router_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length) }}" + - name: Read router certificate and key + become: no + local_action: + module: slurp + src: "{{ item }}" + register: openshift_router_certificate_output + # Defaulting dictionary keys to none to avoid deprecation warnings + # (future fatal errors) during template evaluation. Dictionary keys + # won't be accessed unless openshift_hosted_router_certificate is + # defined and has all keys (certfile, keyfile, cafile) which we + # check above. + with_items: + - "{{ (openshift_hosted_router_certificate | default({'certfile':none})).certfile }}" + - "{{ (openshift_hosted_router_certificate | default({'keyfile':none})).keyfile }}" + - "{{ (openshift_hosted_router_certificate | default({'cafile':none})).cafile }}" -- name: Create OpenShift router - command: > - {{ openshift.common.client_binary }} adm router --create - --config={{ openshift_hosted_kubeconfig }} - {% if replicas > 1 -%} - --replicas={{ replicas }} - {% endif -%} - {% if 'certificate' in openshift.hosted.router and 'contents' in openshift.hosted.router.certificate -%} - --default-cert={{ openshift_master_config_dir }}/openshift-router.pem - {% endif -%} - --namespace={{ openshift.hosted.router.namespace | default('default') }} - {% if openshift.hosted.router.force_subdomain | default(none) is not none %} - --force-subdomain={{ openshift.hosted.router.force_subdomain }} - {% endif %} - --service-account=router - {% if openshift.hosted.router.selector | default(none) is not none -%} - --selector='{{ openshift.hosted.router.selector }}' - {% endif -%} - {% if not openshift.common.version_gte_3_2_or_1_2 | bool -%} - --credentials={{ openshift_master_config_dir }}/openshift-router.kubeconfig - {% endif -%} - {% if openshift.hosted.router.registryurl | default(none) is not none -%} - --images='{{ openshift.hosted.router.registryurl }}' - {% endif -%} - {% if openshift.hosted.router.name | default(none) is not none -%} - {{ openshift.hosted.router.name }} - {% endif -%} + - name: Persist certificate contents + openshift_facts: + role: hosted + openshift_env: + openshift_hosted_router_certificate_contents: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}" - register: openshift_hosted_router_results - changed_when: "'service exists' not in openshift_hosted_router_results.stdout" - failed_when: "openshift_hosted_router_results.rc != 0 and 'service exists' not in openshift_hosted_router_results.stdout and 'deployment_config' not in openshift_hosted_router_results.stderr and 'service' not in openshift_hosted_router_results.stderr" - when: replicas | int > 0 + - name: Create PEM certificate + copy: + content: "{{ openshift.hosted.router.certificate.contents }}" + dest: "{{ openshift_master_config_dir }}/openshift-router.pem" + mode: 0600 -- command: > - {{ openshift.common.client_binary }} - {% if openshift.hosted.router.name | default(none) is not none -%} - get dc/{{ openshift.hosted.router.name }} - {% else %} - get dc/router - {% endif%} - --template=\\{\\{.spec.replicas\\}\\} - --namespace={{ openshift.hosted.router.namespace | default('default') }} - register: current_replicas - when: replicas | int > 0 + - name: Add certificate to OpenShift Router + oc_adm_router: + name: "{{ openshift.hosted.router.name | default('router') }}" + namespace: "{{ openshift.hosted.router.namespace | default('default') }}" + default_cert: "{{ {{ openshift_master_config_dir }}/openshift-router.pem }}" + + when: openshift_hosted_router_certificate is defined - name: Ensure router replica count matches desired - command: > - {{ openshift.common.client_binary }} - scale --replicas={{ replicas }} - {% if openshift.hosted.router.name | default(none) is not none -%} - dc/{{ openshift.hosted.router.name }} - {% else %} - dc/router - {% endif%} - --namespace={{ openshift.hosted.router.namespace | default('default') }} - when: replicas | int > 0 and replicas | int != current_replicas.stdout | int + oc_scale: + kind: dc + name: "{{ openshift.hosted.router.name | default('router') }}" + namespace: "{{ openshift.hosted.router.namespace | default('default') }}" + replicas: "{{ replicas }}" + when: replicas | int > 0