Manage insecure-ci-registry cert with LE

This adds a new handler to restart the zuul registry to pick up the new cert. We may want to consider updating zuul registry to accept a reload of ssl config without restarting the service. Depends-On: https://review.opendev.org/702050 Change-Id: I23f6bea68285bc7cb0d12224235eaa16f0d07986
2020-01-10 14:10:25 -08:00 · 2020-01-10 14:10:25 -08:00 · 3deef00ba9
commit 3deef00ba9
parent f30b39c769
5 changed files with 47 additions and 8 deletions
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@ -65,6 +65,7 @@ groups:
    - opendev-k8s*.opendev.org
  letsencrypt:
    - graphite01.opendev.org
+    - insecure-ci-registry[0-9]*.opendev.org
    - mirror[0-9]*.opendev.org
    - files[0-9]*.open*.org
    - static.openstack.org
--- a/playbooks/host_vars/insecure-ci-registry01.opendev.org.yaml
+++ b/playbooks/host_vars/insecure-ci-registry01.opendev.org.yaml
@ -1 +1,5 @@
 ansible_python_interpreter: python3
+letsencrypt_certs:
+  insecure-ci-registry01-main:
+    - insecure-ci-registry01.opendev.org
+    - insecure-ci-registry.opendev.org
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@ -31,6 +31,9 @@
 - name: letsencrypt updated logs-main
  include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml

+- name: letsencrypt updated insecure-ci-registry01-main
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml
+
 # Mirrors

 - name: letsencrypt updated mirror01-dfw-rax-main
--- a/playbooks/roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml
@ -0,0 +1,39 @@
+- name: Ensure registry cert directy exists
+  file:
+    state: directory
+    path: "/var/registry/certs"
+    owner: root
+    group: root
+
+- name: Put key in place
+  copy:
+    remote_src: yes
+    src: /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
+    dest: /var/registry/certs/domain.key
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Put cert in place
+  copy:
+    remote_src: yes
+    # Zuul-registry doesn't seem to accept separate ca chain and cert files.
+    # I believe it wants a single combined file as per fullchain.cer.
+    src: /etc/letsencrypt-certs/{{ inventory_hostname }}/fullchain.cer
+    dest: /var/registry/certs/domain.crt
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Check for running registry
+  command: pgrep -f zuul-registry
+  ignore_errors: yes
+  register: registry_pids
+
+- name: Restart registry if running
+  when: registry_pids.rc == 0
+  block:
+    - name: Restart registry
+      shell:
+        cmd: docker-compose restart registry
+        chdir: /etc/registry-docker/
--- a/playbooks/roles/registry/tasks/main.yaml
+++ b/playbooks/roles/registry/tasks/main.yaml
@ -10,14 +10,6 @@
    - certs
    - conf
    - etc
- name: Write TLS private key
-  copy:
-    content: "{{ registry_tls_key }}"
-    dest: /var/registry/certs/domain.key
- name: Write TLS certificate
-  copy:
-    content: "{{ registry_tls_cert }}{{ registry_tls_chain | default('') }}"
-    dest: /var/registry/certs/domain.crt
 - name: Write clouds.yaml
  template:
    src: clouds.yaml.j2