zuul/zuul-operator
Code Issues Proposed changes
zuul-operator/roles/zuul-ensure-registry-tls/tasks/main.yaml
Tristan Cacqueray 62b5ca9ad8 Add registry tls secret provided by cert-manager 
This change adds a Cerficiate resource to manage
the registry tls secret with the cert-manager service.

This change also splits the registry rw user to a
dedicated secret to enable separate creation of the passwords.

Change-Id: I673ea8db31fd2926c82a4288fd9362f225794da8
2020-04-15 00:15:09 +00:00

53 lines
2.0 KiB
YAML
Raw Blame History

- name: Check if registry tls cert exists
set_fact:
registry_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-registry-tls') }}"
- name: Generate and store certs
when:
- not cert_manager
- registry_certs.data is not defined
block:
- name: Generate certs
command: "{{ item }}"
loop:
# Server
- "openssl req -new -newkey rsa:2048 -nodes -keyout registry-{{ zuul_name }}.key -out registry-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=server-{{ zuul_name }}'"
- "openssl x509 -req -days 3650 -in registry-{{ zuul_name }}.csr -out registry-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"
- name: Create k8s secret
k8s:
state: "{{ state }}"
namespace: "{{ namespace }}"
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ zuul_name }}-registry-tls"
stringData:
username: "zuul"
password: "{{ lookup('password', '/dev/null') }}"
secret: "{{ lookup('password', '/dev/null') }}"
tls.key: "{{ lookup('file', 'registry-' + zuul_name + '.key') }}"
tls.crt: "{{ lookup('file', 'registry-' + zuul_name + '.pem') }}"
- name: Check if registry rw user exists
set_fact:
registry_user_rw: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-registry-user-rw') }}"
- name: Generate and store user
when: registry_user_rw.data is not defined
block:
- name: Create k8s secret
k8s:
state: "{{ state }}"
namespace: "{{ namespace }}"
definition:
apiVersion: v1
kind: Secret
metadata:
name: "{{ zuul_name }}-registry-user-rw"
stringData:
username: "zuul"
password: "{{ lookup('password', '/dev/null') }}"
secret: "{{ lookup('password', '/dev/null') }}"
View Git Blame Copy Permalink