opendev/system-config
Code Issues Proposed changes
7513b5b74f
system-config/playbooks/roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml

40 lines
1.0 KiB
YAML
Raw Normal View History

Manage insecure-ci-registry cert with LE This adds a new handler to restart the zuul registry to pick up the new cert. We may want to consider updating zuul registry to accept a reload of ssl config without restarting the service. Depends-On: https://review.opendev.org/702050 Change-Id: I23f6bea68285bc7cb0d12224235eaa16f0d07986
2020-01-10 14:10:25 -08:00
- name: Ensure registry cert directy exists
file:
state: directory
path: "/var/registry/certs"
owner: root
group: root
- name: Put key in place
copy:
remote_src: yes
src: /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
dest: /var/registry/certs/domain.key
owner: root
group: root
mode: '0644'
- name: Put cert in place
copy:
remote_src: yes
# Zuul-registry doesn't seem to accept separate ca chain and cert files.
# I believe it wants a single combined file as per fullchain.cer.
src: /etc/letsencrypt-certs/{{ inventory_hostname }}/fullchain.cer
dest: /var/registry/certs/domain.crt
owner: root
group: root
mode: '0644'
- name: Check for running registry
command: pgrep -f zuul-registry
ignore_errors: yes
register: registry_pids
- name: Restart registry if running
when: registry_pids.rc == 0
block:
- name: Restart registry
shell:
cmd: docker-compose restart registry
chdir: /etc/registry-docker/
Copy Permalink