opendev/system-config
Code Issues Proposed changes

Manage insecure-ci-registry cert with LE

Browse Source 
This adds a new handler to restart the zuul registry to pick up the new
cert. We may want to consider updating zuul registry to accept a reload
of ssl config without restarting the service.

Depends-On: https://review.opendev.org/702050
Change-Id: I23f6bea68285bc7cb0d12224235eaa16f0d07986
This commit is contained in:
Clark Boylan 2020-01-10 14:10:25 -08:00
parent f30b39c769
commit 3deef00ba9
5 changed files with 47 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
inventory/groups.yaml
View File

@ -65,6 +65,7 @@ groups:
- opendev-k8s*.opendev.org - opendev-k8s*.opendev.org
letsencrypt: letsencrypt:
- graphite01.opendev.org - graphite01.opendev.org
- insecure-ci-registry[0-9]*.opendev.org
- mirror[0-9]*.opendev.org - mirror[0-9]*.opendev.org
- files[0-9]*.open*.org - files[0-9]*.open*.org
- static.openstack.org - static.openstack.org

4
playbooks/host_vars/insecure-ci-registry01.opendev.org.yaml
View File

@ -1 +1,5 @@
ansible_python_interpreter: python3 ansible_python_interpreter: python3
letsencrypt_certs:
insecure-ci-registry01-main:
- insecure-ci-registry01.opendev.org
- insecure-ci-registry.opendev.org

3
playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
View File

@ -31,6 +31,9 @@
- name: letsencrypt updated logs-main - name: letsencrypt updated logs-main
include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
- name: letsencrypt updated insecure-ci-registry01-main
include_tasks: roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml
# Mirrors # Mirrors
- name: letsencrypt updated mirror01-dfw-rax-main - name: letsencrypt updated mirror01-dfw-rax-main

39
playbooks/roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml Normal file
View File

@ -0,0 +1,39 @@
- name: Ensure registry cert directy exists
file:
state: directory
path: "/var/registry/certs"
owner: root
group: root
- name: Put key in place
copy:
remote_src: yes
src: /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
dest: /var/registry/certs/domain.key
owner: root
group: root
mode: '0644'
- name: Put cert in place
copy:
remote_src: yes
# Zuul-registry doesn't seem to accept separate ca chain and cert files.
# I believe it wants a single combined file as per fullchain.cer.
src: /etc/letsencrypt-certs/{{ inventory_hostname }}/fullchain.cer
dest: /var/registry/certs/domain.crt
owner: root
group: root
mode: '0644'
- name: Check for running registry
command: pgrep -f zuul-registry
ignore_errors: yes
register: registry_pids
- name: Restart registry if running
when: registry_pids.rc == 0
block:
- name: Restart registry
shell:
cmd: docker-compose restart registry
chdir: /etc/registry-docker/

8
playbooks/roles/registry/tasks/main.yaml
View File

@ -10,14 +10,6 @@
- certs - certs
- conf - conf
- etc - etc
- name: Write TLS private key
copy:
content: "{{ registry_tls_key }}"
dest: /var/registry/certs/domain.key
- name: Write TLS certificate
copy:
content: "{{ registry_tls_cert }}{{ registry_tls_chain | default('') }}"
dest: /var/registry/certs/domain.crt
- name: Write clouds.yaml - name: Write clouds.yaml
template: template:
src: clouds.yaml.j2 src: clouds.yaml.j2