Use zuul-registry as buildset registry
The proxy functionality is no longer needed so it is removed. Change-Id: I29ff75d331b433ea4ad3b66ed723eee14a90b404 Depends-On: https://review.opendev.org/689829
parent
4da8f6c3a7
commit
8766890012
@ -2,8 +2,7 @@ Runs a docker registry for the use of this buildset.
|
||||
|
||||
This may be used for a single job running on a single node, or it may
|
||||
be used at the root of a job graph so that multiple jobs running for a
|
||||
single change can share the registry. Two registry endpoints are
|
||||
provided -- one is a local registry, the second is an upstream proxy.
|
||||
single change can share the registry.
|
||||
|
||||
**Role Variables**
|
||||
|
||||
@ -26,10 +25,6 @@ provided -- one is a local registry, the second is an upstream proxy.
|
||||
|
||||
The port on which the registry is listening.
|
||||
|
||||
.. zuul:rolevar:: proxy_port
|
||||
|
||||
The port on which the proxy is listening.
|
||||
|
||||
.. zuul:rolevar:: username
|
||||
|
||||
The username used to access the registry via HTTP basic auth.
|
||||
|
@ -3,9 +3,8 @@
|
||||
package:
|
||||
name:
|
||||
- python-docker
|
||||
- python-openssl
|
||||
- openssl
|
||||
- python-passlib
|
||||
- python-bcrypt
|
||||
state: present
|
||||
when: "'python3' not in ansible_python_interpreter"
|
||||
- name: Install packages
|
||||
@ -13,94 +12,50 @@
|
||||
package:
|
||||
name:
|
||||
- python3-docker
|
||||
- python3-openssl
|
||||
- openssl
|
||||
- python3-passlib
|
||||
- python3-bcrypt
|
||||
state: present
|
||||
when: "'python3' in ansible_python_interpreter"
|
||||
- name: Ensure Docker registry volume directories exists
|
||||
- name: Ensure registry volume directories exists
|
||||
file:
|
||||
state: directory
|
||||
path: "{{ buildset_registry_root }}/{{ item }}"
|
||||
loop:
|
||||
- certs
|
||||
- auth
|
||||
- name: Generate registry password
|
||||
- tls
|
||||
- conf
|
||||
- name: Generate registry secrets
|
||||
set_fact:
|
||||
registry_password: "{{ lookup('password', '/dev/null') }}"
|
||||
- name: Write htpassword file
|
||||
htpasswd:
|
||||
create: true
|
||||
crypt_scheme: bcrypt
|
||||
path: "{{ buildset_registry_root }}/auth/htpasswd"
|
||||
name: "zuul"
|
||||
password: "{{ registry_password }}"
|
||||
- name: Generate a TLS key for the Docker registry
|
||||
openssl_privatekey:
|
||||
path: "{{ buildset_registry_root }}/certs/domain.key"
|
||||
- name: Generate a TLS CSR for the Docker registry
|
||||
openssl_csr:
|
||||
path: "{{ buildset_registry_root }}/certs/domain.csr"
|
||||
privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
|
||||
common_name: "{{ ansible_host }}"
|
||||
subject_alt_name: "DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1"
|
||||
- name: Generate a TLS cert for the Docker registry
|
||||
openssl_certificate:
|
||||
path: "{{ buildset_registry_root }}/certs/domain.crt"
|
||||
csr_path: "{{ buildset_registry_root }}/certs/domain.csr"
|
||||
privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
|
||||
provider: selfsigned
|
||||
register: generated_cert
|
||||
registry_secret: "{{ lookup('password', '/dev/null') }}"
|
||||
- name: Write registry config
|
||||
template:
|
||||
src: registry.yaml.j2
|
||||
dest: "{{ buildset_registry_root }}/conf/registry.yaml"
|
||||
- name: Generate a TLS key for the registry
|
||||
command: "openssl req -x509 -newkey rsa:2048 -keyout {{ buildset_registry_root }}/tls/cert.key -out {{ buildset_registry_root }}/tls/cert.pem -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN={{ ansible_host }}' -addext 'subjectAltName = DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1'"
|
||||
- name: Read TLS certificate
|
||||
slurp:
|
||||
src: "{{ generated_cert.filename }}"
|
||||
src: "{{ buildset_registry_root }}/tls/cert.pem"
|
||||
register: certificate
|
||||
- name: Decode TLS certificate
|
||||
set_fact:
|
||||
certificate: "{{ certificate.content | b64decode }}"
|
||||
- name: Start a docker registry
|
||||
- name: Start the buildset registry
|
||||
docker_container:
|
||||
name: buildset_registry
|
||||
image: registry:2
|
||||
image: zuul/zuul-registry:latest
|
||||
state: started
|
||||
restart_policy: always
|
||||
ports:
|
||||
- "5000:5000"
|
||||
env:
|
||||
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
|
||||
REGISTRY_HTTP_TLS_KEY: /certs/domain.key
|
||||
REGISTRY_AUTH: htpasswd
|
||||
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
|
||||
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
|
||||
volumes:
|
||||
- "{{ buildset_registry_root }}/certs:/certs"
|
||||
- "{{ buildset_registry_root }}/auth:/auth"
|
||||
- name: Start a docker proxy
|
||||
docker_container:
|
||||
name: buildset_proxy
|
||||
image: registry:2
|
||||
state: started
|
||||
restart_policy: always
|
||||
ports:
|
||||
- "5001:5000"
|
||||
env:
|
||||
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
|
||||
REGISTRY_HTTP_TLS_KEY: /certs/domain.key
|
||||
REGISTRY_AUTH: htpasswd
|
||||
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
|
||||
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
|
||||
REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io
|
||||
REGISTRY_PROXY_USERNAME: ''
|
||||
REGISTRY_PROXY_PASSWORD: ''
|
||||
volumes:
|
||||
- "{{ buildset_registry_root }}/certs:/certs"
|
||||
- "{{ buildset_registry_root }}/auth:/auth"
|
||||
- "{{ buildset_registry_root }}/tls:/tls"
|
||||
- "{{ buildset_registry_root }}/conf:/conf"
|
||||
- name: Set registry information fact
|
||||
set_fact:
|
||||
buildset_registry:
|
||||
host: "{{ ansible_host }}"
|
||||
port: 5000
|
||||
proxy_port: 5001
|
||||
username: zuul
|
||||
password: "{{ registry_password }}"
|
||||
cert: "{{ certificate }}"
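Review bot: The rendered `registry.yaml` holds `secret` and the `zuul` user's password in plaintext, but the "Write registry config" task leaves the file at the default mode, and both it and the "Generate registry secrets" `set_fact` will echo those values into verbose or diff output; add `mode: '0600'` under the `template:` args and `no_log: true` on both tasks. The new `openssl req` `command` task has no `args: creates: "{{ buildset_registry_root }}/tls/cert.pem"` guard, so every re-run regenerates the key pair, and `-addext` needs OpenSSL 1.1.1 or newer, which a comment on the task should state. As far as I can tell `openssl req -keyout` does not restrict the key file's mode beyond the umask, whereas the removed `openssl_privatekey` task managed it, so a follow-up `file: path: "{{ buildset_registry_root }}/tls/cert.key" mode: '0600'` is worth adding. `image: zuul/zuul-registry:latest` is a mutable tag for the component that holds the buildset credentials; pinning a version tag or digest would make builds reproducible and auditable. Whether the task file continues past the hunk's last line is not visible here.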
|
||||
|
14
roles/run-buildset-registry/templates/registry.yaml.j2
@ -0,0 +1,14 @@
|
||||
registry:
|
||||
address: '::'
|
||||
port: 5000
|
||||
public-url: 'https://{{ ansible_host | ipwrap }}:5000'
|
||||
tls-cert: /tls/cert.pem
|
||||
tls-key: /tls/cert.key
|
||||
secret: "{{ registry_secret }}"
|
||||
users:
|
||||
- name: zuul
|
||||
pass: "{{ registry_password }}"
|
||||
access: write
|
||||
storage:
|
||||
driver: filesystem
|
||||
root: /storage
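Review bot: `storage.root: /storage` has no matching entry in the container's `volumes` in the tasks hunk (only `/tls` and `/conf` are bind-mounted), so unless the image declares a VOLUME, pushed layers live in the container's writable layer and vanish with it; if that is intended for a per-buildset registry, say so with a comment above the `storage:` block, e.g. `# storage is deliberately ephemeral: /storage is not bind-mounted`. The file also carries `secret` and `pass` in plaintext, so it must not end up in collected job logs or artifacts; a header comment such as `# Contains registry credentials -- keep out of log/artifact collection` would warn whoever adds artifact gathering later. This template is shown in full.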
|
@ -17,10 +17,6 @@ Use this role on any host which should use the buildset registry.
|
||||
|
||||
The port on which the registry is listening.
|
||||
|
||||
.. zuul:rolevar:: proxy_port
|
||||
|
||||
The port on which the registry proxy is listening.
|
||||
|
||||
.. zuul:rolevar:: username
|
||||
|
||||
The username used to access the registry via HTTP basic auth.
|
||||
|
@ -28,21 +28,11 @@
|
||||
file:
|
||||
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
|
||||
state: directory
|
||||
- name: Ensure proxy registry cert directory exists
|
||||
become: true
|
||||
file:
|
||||
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/"
|
||||
state: directory
|
||||
- name: Write buildset registry TLS certificate
|
||||
become: true
|
||||
copy:
|
||||
content: "{{ buildset_registry.cert }}"
|
||||
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
|
||||
- name: Write proxy registry TLS certificate
|
||||
become: true
|
||||
copy:
|
||||
content: "{{ buildset_registry.cert }}"
|
||||
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/ca.crt"
|
||||
|
||||
# Update daemon config
|
||||
- name: Check if docker daemon configuration exists
|
||||
@ -66,7 +56,7 @@
|
||||
- name: Add registry to docker daemon configuration
|
||||
vars:
|
||||
new_config:
|
||||
registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/', 'https://{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/']"
|
||||
registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/']"
|
||||
set_fact:
|
||||
docker_config: "{{ docker_config | combine(new_config) }}"
|
||||
- name: Save docker daemon configuration
|
||||
|
@ -27,11 +27,7 @@
|
||||
new_config:
|
||||
auths: |
|
||||
{
|
||||
"https://index.docker.io/v1/":
|
||||
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
|
||||
"{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
|
||||
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
|
||||
"{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}":
|
||||
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
|
||||
}
|
||||
set_fact:
|
||||
@ -51,4 +47,4 @@
|
||||
file:
|
||||
src: "~{{ buildset_registry_docker_user | default(ansible_user) }}/.docker/config.json"
|
||||
dest: /var/lib/kubelet/config.json
|
||||
state: link
|
||||
state: link
|
||||
|