Bug 1373106

Summary: [RFE] installer should support deploy secure docker-registry
Product: OpenShift Container Platform
Reporter: Johnny Liu <jialiu>
Component: Installer
Assignee: Andrew Butcher <abutcher>
Status: CLOSED ERRATA
QA Contact: Johnny Liu <jialiu>
Severity: medium
Docs Contact:
Priority: medium
Version: 3.3.0
CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---
Target Release: 3.3.1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The OpenShift registry created by openshift-ansible is now secured by default. Management of the OpenShift registry can be disabled by setting openshift_hosted_manage_registry=false in the inventory.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-27 16:13:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Johnny Liu 2016-09-05 08:38:49 UTC
Description of problem:
According to https://github.com/openshift/openshift-ansible/pull/2409, we have roles/openshift_hosted/tasks/registry/secure.yml to secure the registry, but it is only called when deploying a standalone atomic registry.

It is better to spread it a little so that a normal OCP installation could also call this role to deploy a secure registry. E.g., it could provide the user an option, openshift_secure_registry=True

Of course, we also need to avoid new issues when both openshift_secure_registry=True and deployment_subtype=registry are set when implementing this new feature.

Version-Release number of selected component (if applicable):
openshift-ansible-playbooks-3.3.22-1.git.0.6c888c2.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 3 Johnny Liu 2016-10-10 07:49:13 UTC
Verified this bug with openshift-ansible-3.3.30-1.git.0.b260e04.el7.noarch, and PASS.

Now the installer would deploy registry-console by default, which requires a secure registry. So a secure docker-registry will be deployed by default.

Comment 5 errata-xmlrpc 2016-10-27 16:13:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:2122