From 7b80482ac3f015fbe518e2e2578639562baa4c68 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Wed, 1 Jul 2020 14:00:14 +0000 Subject: [PATCH] Docker registry basic auth Adds support for HTTP basic authentication with the Docker registry. The kolla docker registry password is now written to passwords.yml. Change-Id: Ie6e854a66a6660d4e02771fe2b5dd97af814194d Story: 2007952 Task: 40429 --- ansible/group_vars/all/docker-registry | 6 +++ ansible/group_vars/all/kolla | 1 + .../roles/docker-registry/defaults/main.yml | 22 +++++++-- .../roles/docker-registry/tasks/config.yml | 16 +++++- ansible/roles/kolla-ansible/defaults/main.yml | 3 -- .../kolla-ansible/templates/globals.yml.j2 | 3 +- .../roles/kolla-ansible/tests/test-extras.yml | 2 - .../reference/docker-registry.rst | 49 +++++++++++++++++++ etc/kayobe/docker-registry.yml | 7 +++ ...-registry-basic-auth-b94b4a66e1ce9095.yaml | 5 ++ 10 files changed, 103 insertions(+), 11 deletions(-) create mode 100644 releasenotes/notes/docker-registry-basic-auth-b94b4a66e1ce9095.yaml diff --git a/ansible/group_vars/all/docker-registry b/ansible/group_vars/all/docker-registry index 31999532f..13e959fbe 100644 --- a/ansible/group_vars/all/docker-registry +++ b/ansible/group_vars/all/docker-registry @@ -30,3 +30,9 @@ docker_registry_cert_path: # Path to a TLS key to use when TLS is enabled. docker_registry_key_path: + +# Whether to enable basic authentication for the registry. +docker_registry_enable_basic_auth: false + +# Path to a htpasswd formatted password store for the registry. +docker_registry_basic_auth_htpasswd_path: diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla index a2d040401..1d74f662c 100644 --- a/ansible/group_vars/all/kolla +++ b/ansible/group_vars/all/kolla 
@@ -496,6 +496,7 @@ kolla_ansible_default_custom_passwords: kolla_ssh_key: private_key: "{{ lookup('file', ssh_private_key_path) }}" public_key: "{{ lookup('file', ssh_public_key_path) }}" + docker_registry_password: "{{ kolla_docker_registry_password }}" # Dictionary containing custom passwords to add or override in the Kolla # passwords file. diff --git a/ansible/roles/docker-registry/defaults/main.yml b/ansible/roles/docker-registry/defaults/main.yml index ba319fba7..7d25a518e 100644 --- a/ansible/roles/docker-registry/defaults/main.yml +++ b/ansible/roles/docker-registry/defaults/main.yml @@ -23,12 +23,22 @@ docker_registry_env_tls: REGISTRY_HTTP_TLS_CERTIFICATE: "{{ docker_registry_config_path }}/cert.pem" REGISTRY_HTTP_TLS_KEY: "{{ docker_registry_config_path }}/key.pem" +# Dict of environment variables to provide to the docker registry container +# when basic authentication is enabled. +docker_registry_env_basic_auth: + REGISTRY_AUTH: htpasswd + REGISTRY_AUTH_HTPASSWD_REALM: "Registry realm" + REGISTRY_AUTH_HTPASSWD_PATH: "{{ docker_registry_config_path }}/htpasswd" + # Service deployment definition. docker_registry_services: docker_registry: container_name: docker_registry - env: "{{ docker_registry_env }}" - env: "{{ (docker_registry_env_tls if docker_registry_enable_tls | bool else {}) | combine(docker_registry_env) }}" + env: >- + {{ {} | + combine(docker_registry_env_tls if docker_registry_enable_tls | bool else {}) | + combine(docker_registry_env_basic_auth if docker_registry_enable_basic_auth | bool else {}) | + combine(docker_registry_env) }} enabled: "{{ docker_registry_enabled }}" image: "{{ docker_registry_image_full }}" ports: 
@@ -54,6 +64,12 @@ docker_registry_cert_path: # Path to a TLS key to use when TLS is enabled. docker_registry_key_path: +# Whether to enable basic authentication for the registry. +docker_registry_enable_basic_auth: false + +# Path to a htpasswd formatted password store for the registry. +docker_registry_basic_auth_htpasswd_path: + #################### # Docker #################### @@ -68,7 +84,7 @@ docker_registry_image_full: "{{ docker_registry_image }}:{{ docker_registry_tag docker_registry_volumes: - "/etc/localtime:/etc/localtime:ro" - "{{ docker_registry_datadir_volume }}:/var/lib/registry" - - "{% if docker_registry_enable_tls | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}" + - "{% if docker_registry_enable_tls | bool or docker_registry_enable_basic_auth | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}" docker_registry_restart_policy: "unless-stopped" #docker_registry_restart_retries: diff --git a/ansible/roles/docker-registry/tasks/config.yml b/ansible/roles/docker-registry/tasks/config.yml index 568256305..bde4dbbdc 100644 --- a/ansible/roles/docker-registry/tasks/config.yml +++ b/ansible/roles/docker-registry/tasks/config.yml @@ -7,7 +7,9 @@ group: "{{ ansible_user_gid }}" mode: 0750 become: True - when: docker_registry_enable_tls | bool + when: >- + docker_registry_enable_tls | bool or + docker_registry_enable_basic_auth | bool - name: Ensure TLS certificate exists copy: @@ -32,3 +34,15 @@ when: docker_registry_enable_tls | bool notify: - Restart docker-registry container + +- name: Ensure basic auth htpasswd file exists + copy: + src: "{{ docker_registry_basic_auth_htpasswd_path }}" + dest: "{{ docker_registry_config_path }}/htpasswd" + owner: "{{ ansible_user_uid }}" + group: "{{ ansible_user_gid }}" + mode: 0600 + become: True + when: docker_registry_enable_basic_auth | bool + notify: + - Restart docker-registry container 
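Review bot: The new `Ensure basic auth htpasswd file exists` task in config.yml is the first point at which a misconfiguration surfaces, and it does so poorly: `docker_registry_basic_auth_htpasswd_path` defaults to null (defaults/main.yml hunk above), so enabling basic auth without setting it fails inside `copy` with a missing-source error, and the documentation added by this commit states that basic authentication over unencrypted HTTP is not supported, yet nothing checks `docker_registry_enable_tls` when `docker_registry_enable_basic_auth` is true. An `assert` task ahead of the copy (or in the role's prechecks, if it has them) would fail fast with a message naming the two variables instead of leaving the user to diagnose a copy error or a registry container that refuses to start. The file is written with `mode: 0600` owned by `ansible_user_uid`, so it is also worth confirming that the user the registry process runs as can read it; the diff does not show how the container's user is set.
```yaml
- name: Ensure basic authentication prerequisites are met
  assert:
    that:
      - docker_registry_enable_tls | bool
      - docker_registry_basic_auth_htpasswd_path | default('', true) | length > 0
    fail_msg: >-
      docker_registry_enable_basic_auth requires docker_registry_enable_tls to be
      true and docker_registry_basic_auth_htpasswd_path to be set
  when: docker_registry_enable_basic_auth | bool

# … unchanged: Ensure basic auth htpasswd file exists …
```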
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml index 05181f8d2..56941562b 100644 --- a/ansible/roles/kolla-ansible/defaults/main.yml +++ b/ansible/roles/kolla-ansible/defaults/main.yml @@ -164,9 +164,6 @@ kolla_docker_registry: # Username to use to access a docker registry. kolla_docker_registry_username: -# Password to use to access a docker registry. -kolla_docker_registry_password: - # Valid option is Docker repository tag kolla_openstack_release: diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2 index 9a6ade0ac..85b84472e 100644 --- a/ansible/roles/kolla-ansible/templates/globals.yml.j2 +++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2 @@ -58,9 +58,8 @@ kolla_external_fqdn: "{{ kolla_external_fqdn }}" docker_registry: "{{ kolla_docker_registry }}" {% endif %} docker_namespace: "{{ kolla_docker_namespace }}" -{% if kolla_docker_registry_username and kolla_docker_registry_password %} +{% if kolla_docker_registry_username %} docker_registry_username: "{{ kolla_docker_registry_username }}" -docker_registry_password: "{{ kolla_docker_registry_password }}" {% endif %} docker_storage_driver: "{{ docker_storage_driver }}" docker_custom_config: {{ kolla_docker_custom_config | to_nice_json | indent(2) }} diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml index 8c43d3c2d..76d0c8dbb 100644 --- a/ansible/roles/kolla-ansible/tests/test-extras.yml +++ b/ansible/roles/kolla-ansible/tests/test-extras.yml @@ -106,7 +106,6 @@ kolla_docker_namespace: "fake-namespace" kolla_docker_registry: "fake-registry" kolla_docker_registry_username: "fake-username" - kolla_docker_registry_password: "fake-password" kolla_openstack_release: "fake-release" kolla_internal_vip_address: "10.0.0.1" kolla_internal_fqdn: "fake.internal.fqdn" 
@@ -261,7 +260,6 @@ docker_namespace: "fake-namespace" docker_registry: "fake-registry" docker_registry_username: "fake-username" - docker_registry_password: "fake-password" neutron_plugin_agent: "openvswitch" kolla_enable_tls_external: True kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem" diff --git a/doc/source/configuration/reference/docker-registry.rst b/doc/source/configuration/reference/docker-registry.rst index 58334a6ff..dd459077d 100644 --- a/doc/source/configuration/reference/docker-registry.rst +++ b/doc/source/configuration/reference/docker-registry.rst 
@@ -59,6 +59,43 @@ may be encrypted via Ansible Vault. docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem +Basic authentication +-------------------- + +It is recommended to enable HTTP basic authentication for the registry. This +needs to be done in conjunction with enabling TLS for the registry: `using +basic authentication over unencrypted HTTP is not supported +`__. + +``docker_registry_enable_basic_auth`` + Whether to enable basic authentication for the registry. Default is + ``false``. + +``docker_registry_basic_auth_htpasswd_path`` + Path to a `htpasswd + `__ formatted + password store for the registry. Default is none. + +The password store uses a ``htpasswd`` format. The following example shows how +to generate a password and add it to the ``kolla`` user in the password store. +The password store may be stored with the Kayobe configuration, under +``${KAYOBE_CONFIG_PATH}/docker-registry/``. The file may be encrypted via +Ansible Vault. + +.. code-block:: console + + uuidgen | tr -d '\n' > registry-password + cat registry-password | docker run --rm -i --entrypoint htpasswd httpd:latest -niB kolla > $KAYOBE_CONFIG_PATH/docker-registry/htpasswd + +Next we configure Kayobe to enable basic authentication for the registry, and +specify the path to the password store. + +.. code-block:: yaml + :caption: ``docker-registry.yml`` + + docker_registry_enable_basic_auth: true + docker_registry_basic_auth_htpasswd_path: "{{ kayobe_config_path }}/docker-registry/htpasswd" + Using the registry ================== 
@@ -80,3 +117,15 @@ communicate with it: :caption: ``kolla/globals.yml`` docker_registry_insecure: false + +Basic authentication +-------------------- + +If basic authentication is enabled, Kolla Ansible needs to be configured with +the username and password. + +.. code-block:: yaml + :caption: ``kolla.yml`` + + kolla_docker_registry_username: + kolla_docker_registry_password: diff --git a/etc/kayobe/docker-registry.yml b/etc/kayobe/docker-registry.yml index 5be695f74..7ba79ed90 100644 --- a/etc/kayobe/docker-registry.yml +++ b/etc/kayobe/docker-registry.yml @@ -30,6 +30,13 @@ # Path to a TLS key to use when TLS is enabled. Default is none. #docker_registry_key_path: +# Whether to enable basic authentication for the registry. Default is false. +#docker_registry_enable_basic_auth: + +# Path to a htpasswd formatted password store for the registry. Default is +# none. +#docker_registry_basic_auth_htpasswd_path: + ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes diff --git a/releasenotes/notes/docker-registry-basic-auth-b94b4a66e1ce9095.yaml b/releasenotes/notes/docker-registry-basic-auth-b94b4a66e1ce9095.yaml new file mode 100644 index 000000000..72a2efbf4 --- /dev/null +++ b/releasenotes/notes/docker-registry-basic-auth-b94b4a66e1ce9095.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Adds support for deploying a Docker registry with HTTP basic + authentication.