Docker registry basic auth
Adds support for HTTP basic authentication with the Docker registry. The kolla docker registry password is now written to passwords.yml. Change-Id: Ie6e854a66a6660d4e02771fe2b5dd97af814194d Story: 2007952 Task: 40429
This commit is contained in:
parent
54b6b72b67
commit
7b80482ac3
@ -30,3 +30,9 @@ docker_registry_cert_path:
|
|||||||
|
|
||||||
# Path to a TLS key to use when TLS is enabled.
|
# Path to a TLS key to use when TLS is enabled.
|
||||||
docker_registry_key_path:
|
docker_registry_key_path:
|
||||||
|
|
||||||
|
# Whether to enable basic authentication for the registry.
|
||||||
|
docker_registry_enable_basic_auth: false
|
||||||
|
|
||||||
|
# Path to a htpasswd formatted password store for the registry.
|
||||||
|
docker_registry_basic_auth_htpasswd_path:
|
||||||
|
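Review bot: The comments introduced for `docker_registry_enable_basic_auth` and `docker_registry_basic_auth_htpasswd_path` omit the two constraints an operator has to know about: basic auth only protects the credentials when TLS is enabled as well, and the registry's htpasswd backend accepts bcrypt entries only, so a file produced with the `htpasswd` default (MD5, `-m`) will not authenticate anyone. I would extend them to `# Whether to enable basic authentication for the registry. Requires docker_registry_enable_tls, otherwise credentials cross the wire in clear text.` and `# Path to a htpasswd formatted password store for the registry. Entries must be bcrypt (htpasswd -B); the file may be Ansible Vault encrypted.`. The same pair of comments is duplicated in the role defaults hunk and, presumably, in the commented-out copy near the end of this page, and should be kept in step.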
@ -496,6 +496,7 @@ kolla_ansible_default_custom_passwords:
|
|||||||
kolla_ssh_key:
|
kolla_ssh_key:
|
||||||
private_key: "{{ lookup('file', ssh_private_key_path) }}"
|
private_key: "{{ lookup('file', ssh_private_key_path) }}"
|
||||||
public_key: "{{ lookup('file', ssh_public_key_path) }}"
|
public_key: "{{ lookup('file', ssh_public_key_path) }}"
|
||||||
|
docker_registry_password: "{{ kolla_docker_registry_password }}"
|
||||||
|
|
||||||
# Dictionary containing custom passwords to add or override in the Kolla
|
# Dictionary containing custom passwords to add or override in the Kolla
|
||||||
# passwords file.
|
# passwords file.
|
||||||
|
@ -23,12 +23,22 @@ docker_registry_env_tls:
|
|||||||
REGISTRY_HTTP_TLS_CERTIFICATE: "{{ docker_registry_config_path }}/cert.pem"
|
REGISTRY_HTTP_TLS_CERTIFICATE: "{{ docker_registry_config_path }}/cert.pem"
|
||||||
REGISTRY_HTTP_TLS_KEY: "{{ docker_registry_config_path }}/key.pem"
|
REGISTRY_HTTP_TLS_KEY: "{{ docker_registry_config_path }}/key.pem"
|
||||||
|
|
||||||
|
# Dict of environment variables to provide to the docker registry container
|
||||||
|
# when basic authentication is enabled.
|
||||||
|
docker_registry_env_basic_auth:
|
||||||
|
REGISTRY_AUTH: htpasswd
|
||||||
|
REGISTRY_AUTH_HTPASSWD_REALM: "Registry realm"
|
||||||
|
REGISTRY_AUTH_HTPASSWD_PATH: "{{ docker_registry_config_path }}/htpasswd"
|
||||||
|
|
||||||
# Service deployment definition.
|
# Service deployment definition.
|
||||||
docker_registry_services:
|
docker_registry_services:
|
||||||
docker_registry:
|
docker_registry:
|
||||||
container_name: docker_registry
|
container_name: docker_registry
|
||||||
env: "{{ docker_registry_env }}"
|
env: >-
|
||||||
env: "{{ (docker_registry_env_tls if docker_registry_enable_tls | bool else {}) | combine(docker_registry_env) }}"
|
{{ {} |
|
||||||
|
combine(docker_registry_env_tls if docker_registry_enable_tls | bool else {}) |
|
||||||
|
combine(docker_registry_env_basic_auth if docker_registry_enable_basic_auth | bool else {}) |
|
||||||
|
combine(docker_registry_env) }}
|
||||||
enabled: "{{ docker_registry_enabled }}"
|
enabled: "{{ docker_registry_enabled }}"
|
||||||
image: "{{ docker_registry_image_full }}"
|
image: "{{ docker_registry_image_full }}"
|
||||||
ports:
|
ports:
|
||||||
@ -54,6 +64,12 @@ docker_registry_cert_path:
|
|||||||
# Path to a TLS key to use when TLS is enabled.
|
# Path to a TLS key to use when TLS is enabled.
|
||||||
docker_registry_key_path:
|
docker_registry_key_path:
|
||||||
|
|
||||||
|
# Whether to enable basic authentication for the registry.
|
||||||
|
docker_registry_enable_basic_auth: false
|
||||||
|
|
||||||
|
# Path to a htpasswd formatted password store for the registry.
|
||||||
|
docker_registry_basic_auth_htpasswd_path:
|
||||||
|
|
||||||
####################
|
####################
|
||||||
# Docker
|
# Docker
|
||||||
####################
|
####################
|
||||||
@ -68,7 +84,7 @@ docker_registry_image_full: "{{ docker_registry_image }}:{{ docker_registry_tag
|
|||||||
docker_registry_volumes:
|
docker_registry_volumes:
|
||||||
- "/etc/localtime:/etc/localtime:ro"
|
- "/etc/localtime:/etc/localtime:ro"
|
||||||
- "{{ docker_registry_datadir_volume }}:/var/lib/registry"
|
- "{{ docker_registry_datadir_volume }}:/var/lib/registry"
|
||||||
- "{% if docker_registry_enable_tls | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"
|
- "{% if docker_registry_enable_tls | bool or docker_registry_enable_basic_auth | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"
|
||||||
|
|
||||||
docker_registry_restart_policy: "unless-stopped"
|
docker_registry_restart_policy: "unless-stopped"
|
||||||
#docker_registry_restart_retries:
|
#docker_registry_restart_retries:
|
||||||
|
@ -7,7 +7,9 @@
|
|||||||
group: "{{ ansible_user_gid }}"
|
group: "{{ ansible_user_gid }}"
|
||||||
mode: 0750
|
mode: 0750
|
||||||
become: True
|
become: True
|
||||||
when: docker_registry_enable_tls | bool
|
when: >-
|
||||||
|
docker_registry_enable_tls | bool or
|
||||||
|
docker_registry_enable_basic_auth | bool
|
||||||
|
|
||||||
- name: Ensure TLS certificate exists
|
- name: Ensure TLS certificate exists
|
||||||
copy:
|
copy:
|
||||||
@ -32,3 +34,15 @@
|
|||||||
when: docker_registry_enable_tls | bool
|
when: docker_registry_enable_tls | bool
|
||||||
notify:
|
notify:
|
||||||
- Restart docker-registry container
|
- Restart docker-registry container
|
||||||
|
|
||||||
|
- name: Ensure basic auth htpasswd file exists
|
||||||
|
copy:
|
||||||
|
src: "{{ docker_registry_basic_auth_htpasswd_path }}"
|
||||||
|
dest: "{{ docker_registry_config_path }}/htpasswd"
|
||||||
|
owner: "{{ ansible_user_uid }}"
|
||||||
|
group: "{{ ansible_user_gid }}"
|
||||||
|
mode: 0600
|
||||||
|
become: True
|
||||||
|
when: docker_registry_enable_basic_auth | bool
|
||||||
|
notify:
|
||||||
|
- Restart docker-registry container
|
||||||
|
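Review bot: Nothing in the new task, or anywhere else in this change, stops `docker_registry_enable_basic_auth: true` being deployed together with `docker_registry_enable_tls: false`, even though the documentation added by this commit says basic auth has to be combined with TLS; without TLS the htpasswd credentials are sent in clear text on every pull, and the registry itself may refuse to start in that configuration. The same task also fails with an unhelpful `copy` error when `docker_registry_basic_auth_htpasswd_path` is left at its empty default. I would add an `assert` ahead of the copy so both misconfigurations fail early with a clear message.
```yaml
- name: Ensure basic authentication is combined with TLS and a password store
  assert:
    that:
      - docker_registry_enable_tls | bool
      - docker_registry_basic_auth_htpasswd_path is not none
      - docker_registry_basic_auth_htpasswd_path | length > 0
    msg: >-
      docker_registry_enable_basic_auth requires docker_registry_enable_tls
      and docker_registry_basic_auth_htpasswd_path to be set; basic auth over
      plain HTTP would send registry credentials in clear text
  when: docker_registry_enable_basic_auth | bool

# … unchanged: Ensure basic auth htpasswd file exists …
```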
@ -164,9 +164,6 @@ kolla_docker_registry:
|
|||||||
# Username to use to access a docker registry.
|
# Username to use to access a docker registry.
|
||||||
kolla_docker_registry_username:
|
kolla_docker_registry_username:
|
||||||
|
|
||||||
# Password to use to access a docker registry.
|
|
||||||
kolla_docker_registry_password:
|
|
||||||
|
|
||||||
# Valid option is Docker repository tag
|
# Valid option is Docker repository tag
|
||||||
kolla_openstack_release:
|
kolla_openstack_release:
|
||||||
|
|
||||||
|
@ -58,9 +58,8 @@ kolla_external_fqdn: "{{ kolla_external_fqdn }}"
|
|||||||
docker_registry: "{{ kolla_docker_registry }}"
|
docker_registry: "{{ kolla_docker_registry }}"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
docker_namespace: "{{ kolla_docker_namespace }}"
|
docker_namespace: "{{ kolla_docker_namespace }}"
|
||||||
{% if kolla_docker_registry_username and kolla_docker_registry_password %}
|
{% if kolla_docker_registry_username %}
|
||||||
docker_registry_username: "{{ kolla_docker_registry_username }}"
|
docker_registry_username: "{{ kolla_docker_registry_username }}"
|
||||||
docker_registry_password: "{{ kolla_docker_registry_password }}"
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
docker_storage_driver: "{{ docker_storage_driver }}"
|
docker_storage_driver: "{{ docker_storage_driver }}"
|
||||||
docker_custom_config: {{ kolla_docker_custom_config | to_nice_json | indent(2) }}
|
docker_custom_config: {{ kolla_docker_custom_config | to_nice_json | indent(2) }}
|
||||||
|
@ -106,7 +106,6 @@
|
|||||||
kolla_docker_namespace: "fake-namespace"
|
kolla_docker_namespace: "fake-namespace"
|
||||||
kolla_docker_registry: "fake-registry"
|
kolla_docker_registry: "fake-registry"
|
||||||
kolla_docker_registry_username: "fake-username"
|
kolla_docker_registry_username: "fake-username"
|
||||||
kolla_docker_registry_password: "fake-password"
|
|
||||||
kolla_openstack_release: "fake-release"
|
kolla_openstack_release: "fake-release"
|
||||||
kolla_internal_vip_address: "10.0.0.1"
|
kolla_internal_vip_address: "10.0.0.1"
|
||||||
kolla_internal_fqdn: "fake.internal.fqdn"
|
kolla_internal_fqdn: "fake.internal.fqdn"
|
||||||
@ -261,7 +260,6 @@
|
|||||||
docker_namespace: "fake-namespace"
|
docker_namespace: "fake-namespace"
|
||||||
docker_registry: "fake-registry"
|
docker_registry: "fake-registry"
|
||||||
docker_registry_username: "fake-username"
|
docker_registry_username: "fake-username"
|
||||||
docker_registry_password: "fake-password"
|
|
||||||
neutron_plugin_agent: "openvswitch"
|
neutron_plugin_agent: "openvswitch"
|
||||||
kolla_enable_tls_external: True
|
kolla_enable_tls_external: True
|
||||||
kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
|
kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
|
||||||
|
@ -59,6 +59,43 @@ may be encrypted via Ansible Vault.
|
|||||||
docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem
|
docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem
|
||||||
docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem
|
docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem
|
||||||
|
|
||||||
|
Basic authentication
|
||||||
|
--------------------
|
||||||
|
|
||||||
|
It is recommended to enable HTTP basic authentication for the registry. This
|
||||||
|
needs to be done in conjunction with enabling TLS for the registry: `using
|
||||||
|
basic authentication over unencrypted HTTP is not supported
|
||||||
|
<https://docs.docker.com/registry/deploying/#native-basic-auth>`__.
|
||||||
|
|
||||||
|
``docker_registry_enable_basic_auth``
|
||||||
|
Whether to enable basic authentication for the registry. Default is
|
||||||
|
``false``.
|
||||||
|
|
||||||
|
``docker_registry_basic_auth_htpasswd_path``
|
||||||
|
Path to a `htpasswd
|
||||||
|
<https://httpd.apache.org/docs/2.4/programs/htpasswd.html>`__ formatted
|
||||||
|
password store for the registry. Default is none.
|
||||||
|
|
||||||
|
The password store uses a ``htpasswd`` format. The following example shows how
|
||||||
|
to generate a password and add it to the ``kolla`` user in the password store.
|
||||||
|
The password store may be stored with the Kayobe configuration, under
|
||||||
|
``${KAYOBE_CONFIG_PATH}/docker-registry/``. The file may be encrypted via
|
||||||
|
Ansible Vault.
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
uuidgen | tr -d '\n' > registry-password
|
||||||
|
cat registry-password | docker run --rm -i --entrypoint htpasswd httpd:latest -niB kolla > $KAYOBE_CONFIG_PATH/docker-registry/htpasswd
|
||||||
|
|
||||||
|
Next we configure Kayobe to enable basic authentication for the registry, and
|
||||||
|
specify the path to the password store.
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
:caption: ``docker-registry.yml``
|
||||||
|
|
||||||
|
docker_registry_enable_basic_auth: true
|
||||||
|
docker_registry_basic_auth_htpasswd_path: "{{ kayobe_config_path }}/docker-registry/htpasswd"
|
||||||
|
|
||||||
Using the registry
|
Using the registry
|
||||||
==================
|
==================
|
||||||
|
|
||||||
@ -80,3 +117,15 @@ communicate with it:
|
|||||||
:caption: ``kolla/globals.yml``
|
:caption: ``kolla/globals.yml``
|
||||||
|
|
||||||
docker_registry_insecure: false
|
docker_registry_insecure: false
|
||||||
|
|
||||||
|
Basic authentication
|
||||||
|
--------------------
|
||||||
|
|
||||||
|
If basic authentication is enabled, Kolla Ansible needs to be configured with
|
||||||
|
the username and password.
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
:caption: ``kolla.yml``
|
||||||
|
|
||||||
|
kolla_docker_registry_username: <registry username>
|
||||||
|
kolla_docker_registry_password: <registry password>
|
||||||
|
@ -30,6 +30,13 @@
|
|||||||
# Path to a TLS key to use when TLS is enabled. Default is none.
|
# Path to a TLS key to use when TLS is enabled. Default is none.
|
||||||
#docker_registry_key_path:
|
#docker_registry_key_path:
|
||||||
|
|
||||||
|
# Whether to enable basic authentication for the registry. Default is false.
|
||||||
|
#docker_registry_enable_basic_auth:
|
||||||
|
|
||||||
|
# Path to a htpasswd formatted password store for the registry. Default is
|
||||||
|
# none.
|
||||||
|
#docker_registry_basic_auth_htpasswd_path:
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Dummy variable to allow Ansible to accept this file.
|
# Dummy variable to allow Ansible to accept this file.
|
||||||
workaround_ansible_issue_8743: yes
|
workaround_ansible_issue_8743: yes
|
||||||
|
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Adds support for deploying a Docker registry with HTTP basic
|
||||||
|
authentication.
|