ocp4_workload_rhacs: fix route to central (#9016)

* fix route to central * whitespace
redhat-cop · Jan 24, 2025 · fb22b83 · fb22b83
1 parent 2be1414
commit fb22b83
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_rhacs/defaults/main.yml b/ansible/roles_ocp_workloads/ocp4_workload_rhacs/defaults/main.yml
@@ -12,3 +12,7 @@ ocp4_workload_rhacs_install_operator_catalog_source_tag: "v4.15_2024_04_08"
 ocp4_workload_rhacs_central_namespace: stackrox
 # Enable the new V4 central scanner
 ocp4_workload_rhacs_enable_central_scanner_v4: false
+
+# To avoid browser cert nag screens, this adds the Stackrox CA cert to the Route for Central.
+# change this once we're happy that it works consistently
+ocp4_workload_rhacs_enable_route_certs: true
diff --git a/ansible/roles_ocp_workloads/ocp4_workload_rhacs/readme.adoc b/ansible/roles_ocp_workloads/ocp4_workload_rhacs/readme.adoc
@@ -1,5 +1,10 @@
 = ocp4_workload_rhacs - Deploys RHACS
 
+== Recent Updates
+
+*ocp4_workload_rhacs_enable_route_certs*: true::
+To avoid browser cert nag screens, this adds the Stackrox CA cert to the Route for Central.
+
 == Role overview
 
 * This role installs the following onto the cluster:
@@ -31,8 +36,6 @@
 * The variable *ocp_username* is mandatory to assign the workload to the correct OpenShift user.
 * A variable *silent=True* can be passed to suppress debug messages.
 * Other variables:
-** *ocp4_workload_rhacm_acs_namespace*: The name of the project where ACM is deployed. Default: `open-cluster-management`
-** *ocp4_workload_rhacm_acs_release*: ACM release to be deployed. Default: `release-3.68.0`
 
 * You can modify any of these default values by adding `-e "variable_name=variable_value"` to the command line
 

diff --git a/ansible/roles_ocp_workloads/ocp4_workload_rhacs/tasks/workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_rhacs/tasks/workload.yml
@@ -82,6 +82,30 @@
   retries: 30
   delay: 20
 
+- name: Fix Route to Central
+  when: ocp4_workload_rhacs_enable_route_certs | bool
+  block:
+
+    - name: Get CA cert value from Central
+      kubernetes.core.k8s_info:
+        kind: Secret
+        name: central-tls
+        namespace: stackrox
+      register: _r_central_ca_cert
+
+    - name: Update Route central with reencrypt and CA Cert from Central
+      kubernetes.core.k8s_json_patch:
+        kind: Route
+        namespace: stackrox
+        name: central
+        patch:
+          - op: replace
+            path: /spec/tls/termination
+            value: "reencrypt"
+          - op: add
+            path: /spec/tls/destinationCACertificate
+            value: "{{ _r_central_ca_cert.resources[0].data['ca.pem'] | b64decode }}"
+
 # ACS Secured Cluster Installation
 - name: Get cluster init bundle
   ansible.builtin.uri: