Switch the insecure-ci-registry to zuul-registry

This uses the new zuul-registry container image to run the
intermediate registry.  The same authentication data and certs
are used.  The new registry also writes to the same swift container,
but uses different pseudo-directories so it won't clash with the
current registry.  If there are problems, we can switch back easily.
After successful use of the new registry, we can delete the old data.

Change-Id: Ib855fb99c991411293a617b9b238d79a6bfae328
James E. Blair 2019-10-02 14:11:33 -07:00
parent 1ef7315ae4
commit 8223eadf01
5 changed files with 36 additions and 56 deletions


@ -5,10 +5,9 @@ version: '2'
services:
registry:
restart: always
image: registry:2
image: zuul/zuul-registry
network_mode: host
volumes:
- /var/registry/data:/var/lib/registry
- /var/registry/certs:/certs
- /var/registry/auth:/auth
- /var/registry/etc:/etc/docker/registry
- /var/registry/conf:/conf
- /var/registry/etc:/etc
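Review bot: `image: zuul/zuul-registry` has no tag or digest, so each pull runs whatever `latest` points to at that moment, on a host that holds the TLS key and the Swift credentials. Pinning it, e.g. `image: zuul/zuul-registry@sha256:<digest>` (placeholder), keeps the deployed code reviewable and makes the "switch back" plan reproducible. The new `- /var/registry/etc:/etc` mount also replaces the image's entire `/etc` with a host directory that, going by the tasks in this commit, holds only `clouds.yaml`. That hides whatever the image ships there, possibly including its CA bundle, so a narrower mount target (the directory the client actually reads its cloud config from) would be safer.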


@ -7,23 +7,9 @@
state: directory
path: "/var/registry/{{ item }}"
loop:
- data
- certs
- auth
- conf
- etc
- name: Install passlib
package:
name:
- python3-passlib
- python3-bcrypt
state: present
- name: Write htpassword file
htpasswd:
create: true
crypt_scheme: bcrypt
path: /var/registry/auth/htpasswd
name: "{{ registry_user }}"
password: "{{ registry_password }}"
- name: Write TLS private key
copy:
content: "{{ registry_tls_key }}"
@ -32,10 +18,14 @@
copy:
content: "{{ registry_tls_cert }}{{ registry_tls_chain | default('') }}"
dest: /var/registry/certs/domain.crt
- name: Write clouds.yaml
template:
src: clouds.yaml.j2
dest: /var/registry/etc/clouds.yaml
- name: Write registry config
template:
src: config.yml.j2
dest: /var/registry/etc/config.yml
src: registry.yaml.j2
dest: /var/registry/conf/registry.yaml
- name: Install docker-compose
package:
name:
@ -52,10 +42,9 @@
- name: Run docker prune to cleanup unneeded images
shell:
cmd: docker image prune -f
- name: Install cron to garbage collect the registry daily
cron:
name: "docker registry garbage-collect"
minute: "0"
hour: "0"
job: "/usr/bin/docker exec registrydocker_registry_1 registry garbage-collect /etc/docker/registry/config.yml > /dev/null"
job: "/usr/bin/docker exec registrydocker_registry_1 zuul-registry prune"
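Review bot: The new `Write clouds.yaml` and `Write registry config` tasks set no `mode`, `owner` or `group`, so the files carrying the Swift password and the registry write password get whatever the default umask yields, commonly world-readable. Add `mode: '0600'` to both tasks (with the owner matching the user the container reads them as, which is not visible here), and consider `no_log: true` so a `--diff` run does not print the rendered secrets. The first hunk starts inside the directory-creation task, so whether `/var/registry/conf` itself gets a restrictive mode cannot be seen from here. `/var/registry/auth/htpasswd` is no longer written, but nothing removes it from existing hosts; a `file:` task with `state: absent` would retire the stale credential file.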


@ -0,0 +1,8 @@
clouds:
registry:
profile: rackspace
region_name: {{ registry_swift_region }}
auth:
username: {{ registry_swift_username }}
password: {{ registry_swift_password }}
project_id: {{ registry_swift_tenant }}
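Review bot: Every value here is an unquoted Jinja expansion, so the rendered YAML depends on what the secret contains: a `registry_swift_password` with ` #`, `: `, a leading `*`/`&`/`!`, or an all-digit value would be truncated, mis-typed or fail to parse. Rendering through a serialising filter, e.g. `password: {{ registry_swift_password | to_json }}`, gives a correctly escaped scalar for any input; the same applies to `username`, `project_id` and `region_name`. The new registry config template further down has the same pattern on its `name:`, `pass:` and `container:` lines.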


@ -1,33 +0,0 @@
version: 0.1
log:
fields:
service: registry
storage:
cache:
blobdescriptor: inmemory
swift:
username: {{ registry_swift_username }}
password: {{ registry_swift_password }}
authurl: {{ registry_swift_authurl }}
tenant: {{ registry_swift_tenant }}
region: {{ registry_swift_region }}
container: {{ registry_swift_container }}
secretkey: {{ registry_swift_secretkey }}
delete:
enabled: true
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
tls:
certificate: /certs/domain.crt
key: /certs/domain.key
health:
storagedriver:
enabled: true
interval: 10s
threshold: 3
auth:
htpasswd:
realm: Registry Realm
path: /auth/htpasswd


@ -0,0 +1,17 @@
registry:
address: '0.0.0.0'
port: 5000
tls-cert: /certs/domain.crt
tls-key: /certs/domain.key
users:
- name: {{ registry_user }}
pass: {{ registry_password }}
access: write
- name: anonymous
pass: ''
access: read
storage:
driver: swift
cloud: registry
container: {{ registry_swift_container }}
expiration: 15552000 # 180 days
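Review bot: The `anonymous` user with `pass: ''` and `access: read` allows unauthenticated pulls on `0.0.0.0:5000`, whereas the removed configuration, as far as it shows, put the registry behind the htpasswd realm. The commit message says the same authentication data is used and does not mention this widening. If open read access is intended, a comment above the entry such as `# unauthenticated read is intentional: <reason>` would record it; otherwise the entry should be dropped. `pass: {{ registry_password }}` also keeps the write credential in cleartext where the old setup stored only a bcrypt hash, so this file should be readable only by the registry process.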