ansible-playbooks/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/setup_registry_certificate_...

82 lines
2.2 KiB
YAML

---
#
# Copyright (c) 2019 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# Set up docker registry certificate and keys required for the unlock
#
- block:
- name: Generate cnf file from template
copy:
src: "{{ cert_cnf_template }}"
dest: "{{ cert_cnf_file }}"
remote_src: yes
- name: Update cnf file with network info
command: "sed -i -e 's|<%= @docker_registry_ip %>|'$DOCKER_REGISTRY_IP'|g' {{ cert_cnf_file }}"
args:
warn: false
environment:
DOCKER_REGISTRY_IP: "{{ controller_floating_address }}"
- name: Generate certificate and key files
command: >-
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout {{ registry_cert_key }}
-out {{ registry_cert_crt }} -config {{ cert_cnf_file }}
- name: Generate pkcs1 key file
command: openssl rsa -in {{ registry_cert_key }} -out {{ registry_cert_pkcs1_key }}
- name: Remove extfile used in certificate generation
file:
path: "{{ cert_cnf_file }}"
state: absent
- name: Set certificate file and key permissions to root read-only
file:
path: "{{ item }}"
mode: 0400
with_items:
- "{{ registry_cert_key }}"
- "{{ registry_cert_crt }}"
- "{{ registry_cert_pkcs1_key }}"
when: mode == 'bootstrap'
- block:
- name: Restore certificate and key files
command: >-
tar -C /etc/ssl/private -xpf {{ target_backup_dir }}/{{ backup_filename }} --transform='s,.*/,,'
'etc/ssl/private/registry-cert*'
args:
warn: false
when: mode == 'restore'
- name: Copy certificate and keys to shared filesystem for mate
copy:
src: "{{ item }}"
dest: "{{ config_permdir }}"
remote_src: yes
mode: preserve
with_items:
- "{{ registry_cert_key }}"
- "{{ registry_cert_crt }}"
- "{{ registry_cert_pkcs1_key }}"
- name: Create docker certificate directory
file:
path: "{{ docker_cert_dir }}/registry.local:9001"
state: directory
recurse: yes
mode: 0700
- name: Copy certificate file to docker certificate directory
copy:
src: "{{ registry_cert_crt }}"
dest: "{{ docker_cert_dir }}/registry.local:9001"
remote_src: yes