Split staging and prod docker push certs

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2017-04-10 22:06:44 +02:00 · 2017-04-10 22:06:44 +02:00 · 3a8e11cf7e
commit 3a8e11cf7e
parent 989c36132f
8 changed files with 27 additions and 5 deletions
--- a/roles/fedora-web/candidate-registry/files/passwd-production
+++ b/roles/fedora-web/candidate-registry/files/passwd-production
--- a/roles/fedora-web/candidate-registry/files/passwd-staging
+++ b/roles/fedora-web/candidate-registry/files/passwd-staging
@ -0,0 +1 @@
+/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora Project/CN=docker-registry-internal-stg:xxj31ZMTZzkVA
--- a/roles/fedora-web/candidate-registry/tasks/main.yml
+++ b/roles/fedora-web/candidate-registry/tasks/main.yml
@ -7,8 +7,18 @@
  - fedora-web
  - fedora-web/candidate-registry

- name: Copy over the registry passwd
-  copy: src=passwd dest=/etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
+- name: Copy over the registry CA
+  copy: src="{{private}}/files/docker-registry/{{env}}/docker-registry-ca.pem"
+        dest="/etc/pki/httpd/registry-ca-{{env}}.cert"
+        owner=root group=root mode=0644
+  notify:
+  - reload proxyhttpd
+  tags:
+  - fedora-web
+  - fedora-web/candidate-registry
+
+- name: Copy over the registry passwd
+  copy: src="passwd-{{env}}" dest=/etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
        owner=root group=root mode=0644
  notify:
  - reload proxyhttpd
--- a/roles/fedora-web/registry/files/passwd-production
+++ b/roles/fedora-web/registry/files/passwd-production
--- a/roles/fedora-web/registry/files/passwd-staging
+++ b/roles/fedora-web/registry/files/passwd-staging
@ -0,0 +1 @@
+/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora Project/CN=docker-registry-internal-stg:xxj31ZMTZzkVA
--- a/roles/fedora-web/registry/tasks/main.yml
+++ b/roles/fedora-web/registry/tasks/main.yml
@ -13,8 +13,18 @@
  - fedora-web
  - fedora-web/registry

+- name: Copy over the registry CA
+  copy: src="{{private}}/files/docker-registry/{{env}}/docker-registry-ca.pem"
+        dest="/etc/pki/httpd/registry-ca-{{env}}.cert"
+        owner=root group=root mode=0644
+  notify:
+  - reload proxyhttpd
+  tags:
+  - fedora-web
+  - fedora-web/candidate-registry
+
 - name: Copy over the registry passwd
-  copy: src=passwd dest=/etc/httpd/conf.d/registry.fedoraproject.org/passwd
+  copy: src="passwd-{{env}}" dest=/etc/httpd/conf.d/registry.fedoraproject.org/passwd
        owner=root group=root mode=0644
  notify:
  - reload proxyhttpd
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
@ -8,7 +8,7 @@ ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}

 SSLVerifyClient optional
 SSLVerifyDepth 1
-SSLCACertificateFile /etc/pki/httpd/fedora-server-ca.cert
+SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert
 SSLOptions +FakeBasicAuth


--- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf
@ -23,7 +23,7 @@ RewriteRule ^/(.*)$ http://localhost:6081/$1 [P,L]

 SSLVerifyClient optional
 SSLVerifyDepth 1
-SSLCACertificateFile /etc/pki/httpd/fedora-server-ca.cert
+SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert
 SSLOptions +FakeBasicAuth

 <Directory /srv/web/registry-signatures>
				`@ -0,0 +1 @@`
				`/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora Project/CN=docker-registry-internal-stg:xxj31ZMTZzkVA`