openshift · sdodson · Feb 24, 2017 · Feb 21, 2017
diff --git a/roles/openshift_hosted/handlers/main.yml b/roles/openshift_hosted/handlers/main.yml
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
@@ -20,6 +20,7 @@ dependencies:
 - role: openshift_serviceaccounts
   openshift_serviceaccounts_names:
   - router
+  - registry
   openshift_serviceaccounts_namespace: default
   openshift_serviceaccounts_sccs:
   - hostnetwork

diff --git a/roles/openshift_hosted/tasks/main.yml b/roles/openshift_hosted/tasks/main.yml
@@ -1,25 +1,6 @@
 ---
-- name: Create temp directory for kubeconfig
-  command: mktemp -d /tmp/openshift-ansible-XXXXXX
-  register: mktemp
-  changed_when: False
-
-- set_fact:
-    openshift_hosted_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
-
-- name: Copy the admin client config(s)
-  command: >
-    cp {{ openshift_master_config_dir }}/admin.kubeconfig {{ openshift_hosted_kubeconfig }}
-  changed_when: False
-
 - include: router/router.yml
   when: openshift_hosted_manage_router | default(true) | bool
 
 - include: registry/registry.yml
   when: openshift_hosted_manage_registry | default(true) | bool
-
-- name: Delete temp directory
-  file:
-    name: "{{ mktemp.stdout }}"
-    state: absent
-  changed_when: False
diff --git a/roles/openshift_hosted/tasks/registry/registry.yml b/roles/openshift_hosted/tasks/registry/registry.yml
@@ -1,64 +1,88 @@
 ---
-- name: Retrieve list of openshift nodes matching registry selector
-  command: >
-    {{ openshift.common.client_binary }} --api-version='v1' -o json
-    get nodes -n default --config={{ openshift_hosted_kubeconfig }}
-    --selector={{ openshift.hosted.registry.selector | default('') }}
-  register: registry_nodes_json
-  changed_when: false
-  when: openshift.hosted.registry.replicas | default(none) is none
+- block:
 
-- set_fact:
-    l_node_count: "{{ (registry_nodes_json.stdout | default('{\"items\":[]}') | from_json)['items'] | length }}"
+  - name: Retrieve list of openshift nodes matching registry selector
+    oc_obj:
+      state: list
+      kind: node
+      selector: "{{ openshift.hosted.registry.selector | default(omit) }}"
+    register: registry_nodes
 
-# Determine the default number of registry/router replicas to use if no count
-# has been specified.
-# If no registry nodes defined, the default should be 0.
-- set_fact:
-    l_default_replicas: 0
-  when: l_node_count | int == 0
+  - name: set_fact l_node_count to number of nodes matching registry selector
+    set_fact:
+      l_node_count: "{{ registry_nodes.results.results[0]['items'] | length }}"
 
-# If registry nodes are defined and the registry storage kind is
-# defined, default should be the number of registry nodes, otherwise
-# just 1:
-- set_fact:
-    l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}"
-  when: l_node_count | int > 0
+  # Determine the default number of registry/router replicas to use if no count
+  # has been specified.
+  # If no registry nodes defined, the default should be 0.
+  - name: set_fact l_default_replicas when l_node_count == 0
+    set_fact:
+      l_default_replicas: 0
+    when: l_node_count | int == 0
 
-- set_fact:
-    replicas: "{{ openshift.hosted.registry.replicas | default(l_default_replicas) }}"
+  # If registry nodes are defined and the registry storage kind is
+  # defined, default should be the number of registry nodes, otherwise
+  # just 1:
+  - name: set_fact l_default_replicas when l_node_count > 0
+    set_fact:
+      l_default_replicas: "{{ l_node_count if openshift.hosted.registry.storage.kind | default(none) is not none else 1 }}"
+    when: l_node_count | int > 0
 
-- name: Create OpenShift registry
-  command: >
-    {{ openshift.common.client_binary }} adm registry --create
-    --config={{ openshift_hosted_kubeconfig }}
-    {% if replicas > 1 -%}
-    --replicas={{ replicas }}
-    {% endif -%}
-    --namespace={{ openshift.hosted.registry.namespace | default('default') }}
-    --service-account=registry
-    {% if openshift.hosted.registry.selector | default(none) is not none -%}
-    --selector='{{ openshift.hosted.registry.selector }}'
-    {% endif -%}
-    {% if not openshift.common.version_gte_3_2_or_1_2 | bool -%}
-    --credentials={{ openshift_master_config_dir }}/openshift-registry.kubeconfig
-    {% endif -%}
-    {% if openshift.hosted.registry.registryurl | default(none) is not none -%}
-    --images='{{ openshift.hosted.registry.registryurl }}'
-    {% endif -%}
-  register: openshift_hosted_registry_results
-  changed_when: "'service exists' not in openshift_hosted_registry_results.stdout"
-  failed_when: "openshift_hosted_registry_results.rc != 0 and 'service exists' not in openshift_hosted_registry_results.stdout and 'deployment_config' not in openshift_hosted_registry_results.stderr and 'service' not in openshift_hosted_registry_results.stderr"
-  when: replicas | int > 0
+  when: openshift.hosted.registry.replicas | default(none) is none
+
+- name: set openshift_hosted facts
+  set_fact:
+    openshift_hosted_registry_replicas: "{{ openshift.hosted.registry.replicas | default(l_default_replicas) }}"
+    openshift_hosted_registry_name: docker-registry
+    openshift_hosted_registry_serviceaccount: registry
+    openshift_hosted_registry_namespace: "{{ openshift.hosted.registry.namespace | default('default') }}"
+    openshift_hosted_registry_selector: "{{ openshift.hosted.registry.selector }}"
+    openshift_hosted_registry_images: "{{ openshift.hosted.registry.registryurl | default('openshift3/ose-${component}:${version}')}}"
+    openshift_hosted_registry_volumes: []
+    openshift_hosted_registry_env_vars: {}
+    openshift_hosted_registry_edits:
+    # These edits are being specified only to prevent 'changed' on rerun
+    - key: spec.strategy.rollingParams
+      value:
+        intervalSeconds: 1
+        maxSurge: "25%"
+        maxUnavailable: "25%"
+        timeoutSeconds: 600
+        updatePeriodSeconds: 1
+      action: put
+    openshift_hosted_registry_force:
+    - False
 
 - include: secure.yml
   static: no
-  when: replicas | int > 0 and not (openshift.docker.hosted_registry_insecure | default(false) | bool)
+  run_once: true
+  when:
+  - not (openshift.docker.hosted_registry_insecure | default(false) | bool)
 
 - include: storage/object_storage.yml
   static: no
-  when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) == 'object'
+  when:
+  - openshift.hosted.registry.storage.kind | default(none) == 'object'
 
-- include: storage/persistent_volume.yml
-  static: no
-  when: replicas | int > 0 and openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack']
+- name: Set facts for persistent volume
+  set_fact:
+    pvc_volume_mounts:
+    - name: registry-storage
+      type: persistentVolumeClaim
+      claim_name: "{{ openshift.hosted.registry.storage.volume.name }}-claim"
+    openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(pvc_volume_mounts) }}"
+  when:
+  - openshift.hosted.registry.storage.kind | default(none) in ['nfs', 'openstack']
+
+- name: Create OpenShift registry
+  oc_adm_registry:
+    name: "{{ openshift_hosted_registry_name }}"
+    namespace: "{{ openshift_hosted_registry_namespace }}"
+    selector: "{{ openshift_hosted_registry_selector }}"
+    replicas: "{{ openshift_hosted_registry_replicas }}"
+    service_account: "{{ openshift_hosted_registry_serviceaccount }}"
+    images: "{{ openshift_hosted_registry_images }}"
+    env_vars: "{{ openshift_hosted_registry_env_vars }}"
+    volume_mounts: "{{ openshift_hosted_registry_volumes }}"
+    edits: "{{ openshift_hosted_registry_edits }}"
+    force: "{{ True|bool in openshift_hosted_registry_force }}"
diff --git a/roles/openshift_hosted/tasks/registry/secure.yml b/roles/openshift_hosted/tasks/registry/secure.yml
@@ -1,132 +1,77 @@
 ---
+- name: Set fact docker_registry_route_hostname
+  set_fact:
+    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
+
 - name: Create passthrough route for docker-registry
   oc_route:
-    kubeconfig: "{{ openshift_hosted_kubeconfig }}"
     name: docker-registry
-    namespace: default
+    namespace: "{{ openshift_hosted_registry_namespace }}"
     service_name: docker-registry
-    state: present
     tls_termination: passthrough
-  run_once: true
-
-- name: Determine if registry certificate must be created
-  stat:
-    path: "{{ openshift_master_config_dir }}/{{ item }}"
-  with_items:
-  - registry.crt
-  - registry.key
-  register: docker_registry_certificates_stat_result
-  changed_when: false
-  failed_when: false
+    host: "{{ docker_registry_route_hostname }}"
 
 - name: Retrieve registry service IP
   oc_service:
-    namespace: default
+    namespace: "{{ openshift_hosted_registry_namespace }}"
     name: docker-registry
     state: list
   register: docker_registry_service_ip
-  changed_when: false
-
-- set_fact:
-    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
 
-- name: Create registry certificates if they do not exist
-  command: >
-    {{ openshift.common.client_binary }} adm ca create-server-cert
-    --signer-cert={{ openshift_master_config_dir }}/ca.crt
-    --signer-key={{ openshift_master_config_dir }}/ca.key
-    --signer-serial={{ openshift_master_config_dir }}/ca.serial.txt
-    --hostnames="{{ docker_registry_service_ip.results.clusterip }},docker-registry.default.svc.cluster.local,{{ docker_registry_route_hostname }}"
-    --cert={{ openshift_master_config_dir }}/registry.crt
-    --key={{ openshift_master_config_dir }}/registry.key
-  when: False in (docker_registry_certificates_stat_result.results | default([]) | oo_collect(attribute='stat.exists') | list)
+- name: Create registry certificates
+  oc_adm_ca_server_cert:
+    signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
+    signer_key: "{{ openshift_master_config_dir }}/ca.key"
+    signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
+    hostnames:
+    - "{{ docker_registry_service_ip.results.clusterip }}"
+    - docker-registry.default.svc.cluster.local
+    - "{{ docker_registry_route_hostname }}"
+    cert: "{{ openshift_master_config_dir }}/registry.crt"
+    key: "{{ openshift_master_config_dir }}/registry.key"
+  register: server_cert_out
 
 - name: Create the secret for the registry certificates
   oc_secret:
-    kubeconfig: "{{ openshift_hosted_kubeconfig }}"
     name: registry-certificates
-    namespace: default
-    state: present
+    namespace: "{{ openshift_hosted_registry_namespace }}"
     files:
     - name: registry.crt
       path: "{{ openshift_master_config_dir }}/registry.crt"
     - name: registry.key
       path: "{{ openshift_master_config_dir }}/registry.key"
-  register: create_registry_certificates_secret
-  run_once: true
+  register: create_registry_certificates_secret_out
 
-- name: "Add the secret to the registry's pod service accounts"
+- name: Add the secret to the registry's pod service accounts
   oc_serviceaccount_secret:
     service_account: "{{ item }}"
     secret: registry-certificates
-    namespace: default
-    kubeconfig: "{{ openshift_hosted_kubeconfig  }}"
-    state: present
+    namespace: "{{ openshift_hosted_registry_namespace }}"
   with_items:
   - registry
   - default
 
-- name: Determine if registry-certificates secret volume attached
-  command: >
-    {{ openshift.common.client_binary }} get dc/docker-registry
-    -o jsonpath='{.spec.template.spec.volumes[?(@.secret)].secret.secretName}'
-    --config={{ openshift_hosted_kubeconfig }}
-    -n default
-  register: docker_registry_volumes
-  changed_when: false
-  failed_when: "docker_registry_volumes.stdout != '' and 'secretName is not found' not in docker_registry_volumes.stdout and docker_registry_volumes.rc != 0"
-
-- name: Attach registry-certificates secret volume
-  command: >
-   {{ openshift.common.client_binary }} volume dc/docker-registry --add --type=secret
-   --secret-name=registry-certificates
-   -m /etc/secrets
-   --config={{ openshift_hosted_kubeconfig }}
-   -n default
-  when: "'registry-certificates' not in docker_registry_volumes.stdout"
-
-- name: Determine if registry environment variables must be set
-  command: >
-    {{ openshift.common.client_binary }} env dc/docker-registry
-    --list
-    --config={{ openshift_hosted_kubeconfig }}
-    -n default
-  register: docker_registry_env
-  changed_when: false
-
-- name: Configure certificates in registry deplomentConfig
-  command: >
-    {{ openshift.common.client_binary }} env dc/docker-registry
-    REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt
-    REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key
-    --config={{ openshift_hosted_kubeconfig }}
-    -n default
-  when: "'REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt' not in docker_registry_env.stdout or 'REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key' not in docker_registry_env.stdout"
-
-- name: Determine if registry liveness probe scheme is HTTPS
-  command: >
-    {{ openshift.common.client_binary }} get dc/docker-registry
-    -o jsonpath='{.spec.template.spec.containers[*].livenessProbe.httpGet.scheme}'
-    --config={{ openshift_hosted_kubeconfig }}
-    -n default
-  register: docker_registry_liveness_probe
-  changed_when: false
-
-# This command is on a single line to preserve patch json.
-- name: Update registry liveness probe from HTTP to HTTPS
-  command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"livenessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
-  when: "'HTTPS' not in docker_registry_liveness_probe.stdout"
-
-- name: Determine if registry readiness probe scheme is HTTPS
-  command: >
-    {{ openshift.common.client_binary }} get dc/docker-registry
-    -o jsonpath='{.spec.template.spec.containers[*].readinessProbe.httpGet.scheme}'
-    --config={{ openshift_hosted_kubeconfig }}
-    -n default
-  register: docker_registry_readiness_probe
-  changed_when: false
+- name: Set facts for secure registry
+  set_fact:
+    registry_secure_volume_mounts:
+    - name: registry-certificates
+      path: /etc/secrets
+      type: secret
+      secret_name: registry-certificates
+    registry_secure_env_vars:
+      REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt
+      REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key
+    registry_secure_edits:
+    - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme
+      value: HTTPS
+      action: put
+    - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
+      value: HTTPS
+      action: put
 
-# This command is on a single line to preserve patch json.
-- name: Update registry readiness probe from HTTP to HTTPS
-  command: "{{ openshift.common.client_binary }} patch dc/docker-registry --api-version=v1 -p '{\"spec\":{\"template\":{\"spec\":{\"containers\":[{\"name\":\"registry\",\"readinessProbe\":{\"httpGet\":{\"scheme\":\"HTTPS\"}}}]}}}}' --config={{ openshift_hosted_kubeconfig }} -n default"
-  when: "'HTTPS' not in docker_registry_readiness_probe.stdout"
+- name: Update openshift_hosted facts with secure registry variables
+  set_fact:
+    openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}"
+    openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}"
+    openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}"
+    openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([server_cert_out.changed]) | union([create_registry_certificates_secret_out.changed]) }}"