fix osbs openshift internal certs, remove some prod/stg duplication with proper variable sub

Signed-off-by: Adam Miller <admiller@redhat.com>
2016-04-13 16:40:37 +00:00 · 2016-04-13 16:40:37 +00:00 · 2f0192ebe9
commit 2f0192ebe9
parent 1572dcbbac
2 changed files with 13 additions and 56 deletions
--- a/inventory/group_vars/osbs-stg
+++ b/inventory/group_vars/osbs-stg
@ -9,11 +9,8 @@ tcp_ports: [ 80, 443, 8443]
 fas_client_groups: sysadmin-releng,fi-apprentice
 sudoers: "{{ private }}/files/sudo/00releng-sudoers"

-osbs_api_cert: "osbs.stg.fedoraproject.org.crt"
-osbs_api_key: "osbs.stg.fedoraproject.org.key"
-
-osbs_internal_ca: "files/osbs/osbs-stg.certs/osbs.stg.fedoraproject.org.crt"
-
-
 docker_cert_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org"
 docker_registry: "registry.stg.fedoraproject.org"
+
+osbs_url: "osbs.stg.fedoraproject.org"
+osbs_koji_username: "kojibuilder_stg"
--- a/playbooks/groups/osbs-master.yml
+++ b/playbooks/groups/osbs-master.yml
@ -45,13 +45,13 @@

    - name: install cert for openshift public facing REST API SSL
      copy:
-        src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_cert}}"
-        dest: "/etc/origin/master/named_certificates/{{osbs_api_cert}}"
+        src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
+        dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"

    - name: install key for openshift public facing REST API SSL
      copy:
-        src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_key}}"
-        dest: "/etc/origin/master/named_certificates/{{osbs_api_key}}"
+        src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
+        dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"

 - name: setup osbs
  hosts: osbs:osbs-stg
@ -75,7 +75,7 @@
          osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
          osbs_readonly_users: [],
          osbs_readonly_groups: [],
-          osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
+          osbs_readwrite_users: [ "{{ osbs_koji_username }}" ],
          osbs_readwrite_groups: [],
          osbs_admin_users: [],
          osbs_admin_groups: [],
@ -92,46 +92,11 @@
          },
          osbs_named_certificates: {
            enabled: true,
-            cert_file: "named_certificates/osbs.stg.fedoraproject.org.crt",
-            key_file: "named_certificates/osbs.stg.fedoraproject.org.key",
-            names: [ "osbs.stg.fedoraproject.org" ],
+            cert_file: "named_certificates/{{osbs_url}}.pem",
+            key_file: "named_certificates/{{osbs_url}}.key",
+            names: [ "{{osbs_url}}" ],
          },
-          osbs_public_api_url: "osbs.stg.fedoraproject.org",
-          when: env == "staging"
-      }
-    - {
-        role: osbs-master,
-          osbs_master_export_port: true,
-          osbs_manage_firewalld: true,
-          osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
-          osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
-          osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
-          osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
-          osbs_readonly_users: [],
-          osbs_readonly_groups: [],
-          osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
-          osbs_readwrite_groups: [],
-          osbs_admin_users: [],
-          osbs_admin_groups: [],
-          osbs_master_max_pods: 3,
-          osbs_update_packages: false,
-          osbs_image_gc_high_threshold: 90,
-          osbs_image_gc_low_threshold: 80,
-          osbs_identity_provider: "htpasswd_provider",
-          osbs_identity_htpasswd: {
-            name: htpasswd_provider,
-            challenge: true,
-            login: true,
-            provider_file: "/etc/origin/htpasswd"
-          },
-          osbs_named_certificates: {
-            enabled: true,
-            cert_file: "named_certificates/osbs.fedoraproject.org.crt",
-            key_file: "named_certificates/osbs.fedoraproject.org.key",
-            names: [ "osbs.stg.fedoraproject.org" ],
-          },
-          osbs_public_api_url: "osbs.fedoraproject.org",
-          when: env == "production"
+          osbs_public_api_url: "{{osbs_url}}",
      }

    - {
@ -295,13 +260,8 @@
      args:
        creates: /etc/osbs_fedora_imagestream_created

-    - name: set policy for koji builder in openshift for osbs
-      shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }}"
-      when: env == "staging"
-
    - name: set policy for koji builder in openshift for osbs
      shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_username }}"
-      when: env == "production"

    - name: set policy for koji builder in openshift for atomic-reactor
      shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder"
@ -326,7 +286,7 @@

    - name: Upload internal CA for buildroot
      copy:
-        src: "{{private}}/{{osbs_internal_ca}}"
+        src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
        dest: "/etc/osbs/buildroot/ca.crt"
        mode: 0400
      notify: