diff --git a/roles/run-buildset-registry/README.rst b/roles/run-buildset-registry/README.rst
index 4f937644c..bcd26de26 100644
--- a/roles/run-buildset-registry/README.rst
+++ b/roles/run-buildset-registry/README.rst
@@ -2,8 +2,7 @@ Runs a docker registry for the use of this buildset.
 This may be used for a single job running on a single node, or it may be used at the root of a job graph so that multiple jobs running for a
-single change can share the registry. Two registry endpoints are
-provided -- one is a local registry, the second is an upstream proxy.
+single change can share the registry.
 **Role Variables**
@@ -26,10 +25,6 @@ provided -- one is a local registry, the second is an upstream proxy.
       The port on which the registry is listening.
-   .. zuul:rolevar:: proxy_port
-
-      The port on which the proxy is listening.
-
    .. zuul:rolevar:: username
       The username used to access the registry via HTTP basic auth.
diff --git a/roles/run-buildset-registry/tasks/main.yaml b/roles/run-buildset-registry/tasks/main.yaml
index 3a5291f34..c6297a526 100644
--- a/roles/run-buildset-registry/tasks/main.yaml
+++ b/roles/run-buildset-registry/tasks/main.yaml
@@ -3,9 +3,8 @@
   package:
     name:
       - python-docker
-      - python-openssl
+      - openssl
       - python-passlib
-      - python-bcrypt
     state: present
   when: "'python3' not in ansible_python_interpreter"
 - name: Install packages
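Review bot: `python-passlib` is still installed in this hunk although the only consumer visible in the diff, the `htpasswd` task, is removed in the next hunk of this file; unless something outside the diff still needs it, drop it alongside `python-bcrypt` so the role installs only what it uses. The python3 package list in the following hunk has the same leftover (`python3-passlib`).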
@@ -13,94 +12,50 @@
   package:
     name:
       - python3-docker
-      - python3-openssl
+      - openssl
       - python3-passlib
-      - python3-bcrypt
     state: present
   when: "'python3' in ansible_python_interpreter"
-- name: Ensure Docker registry volume directories exists
+- name: Ensure registry volume directories exists
   file:
     state: directory
     path: "{{ buildset_registry_root }}/{{ item }}"
   loop:
-    - certs
-    - auth
-- name: Generate registry password
+    - tls
+    - conf
+- name: Generate registry secrets
   set_fact:
     registry_password: "{{ lookup('password', '/dev/null') }}"
-- name: Write htpassword file
-  htpasswd:
-    create: true
-    crypt_scheme: bcrypt
-    path: "{{ buildset_registry_root }}/auth/htpasswd"
-    name: "zuul"
-    password: "{{ registry_password }}"
-- name: Generate a TLS key for the Docker registry
-  openssl_privatekey:
-    path: "{{ buildset_registry_root }}/certs/domain.key"
-- name: Generate a TLS CSR for the Docker registry
-  openssl_csr:
-    path: "{{ buildset_registry_root }}/certs/domain.csr"
-    privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
-    common_name: "{{ ansible_host }}"
-    subject_alt_name: "DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1"
-- name: Generate a TLS cert for the Docker registry
-  openssl_certificate:
-    path: "{{ buildset_registry_root }}/certs/domain.crt"
-    csr_path: "{{ buildset_registry_root }}/certs/domain.csr"
-    privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
-    provider: selfsigned
-  register: generated_cert
+    registry_secret: "{{ lookup('password', '/dev/null') }}"
+- name: Write registry config
+  template:
+    src: registry.yaml.j2
+    dest: "{{ buildset_registry_root }}/conf/registry.yaml"
+- name: Generate a TLS key for the registry
+  command: "openssl req -x509 -newkey rsa:2048 -keyout {{ buildset_registry_root }}/tls/cert.key -out {{ buildset_registry_root }}/tls/cert.pem -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN={{ ansible_host }}' -addext 'subjectAltName = DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1'"
 - name: Read TLS certificate
   slurp:
-    src: "{{ generated_cert.filename }}"
+    src: "{{ buildset_registry_root }}/tls/cert.pem"
   register: certificate
 - name: Decode TLS certificate
   set_fact:
     certificate: "{{ certificate.content | b64decode }}"
-- name: Start a docker registry
+- name: Start the buildset registry
   docker_container:
     name: buildset_registry
-    image: registry:2
+    image: zuul/zuul-registry:latest
     state: started
     restart_policy: always
     ports:
       - "5000:5000"
-    env:
-      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
-      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
-      REGISTRY_AUTH: htpasswd
-      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
-      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
     volumes:
-      - "{{ buildset_registry_root }}/certs:/certs"
-      - "{{ buildset_registry_root }}/auth:/auth"
-- name: Start a docker proxy
-  docker_container:
-    name: buildset_proxy
-    image: registry:2
-    state: started
-    restart_policy: always
-    ports:
-      - "5001:5000"
-    env:
-      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
-      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
-      REGISTRY_AUTH: htpasswd
-      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
-      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
-      REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io
-      REGISTRY_PROXY_USERNAME: ''
-      REGISTRY_PROXY_PASSWORD: ''
-    volumes:
-      - "{{ buildset_registry_root }}/certs:/certs"
-      - "{{ buildset_registry_root }}/auth:/auth"
+      - "{{ buildset_registry_root }}/tls:/tls"
+      - "{{ buildset_registry_root }}/conf:/conf"
 - name: Set registry information fact
   set_fact:
     buildset_registry:
       host: "{{ ansible_host }}"
       port: 5000
-      proxy_port: 5001
       username: zuul
       password: "{{ registry_password }}"
       cert: "{{ certificate }}"
diff --git a/roles/run-buildset-registry/templates/registry.yaml.j2 b/roles/run-buildset-registry/templates/registry.yaml.j2
new file mode 100644
index 000000000..7901b727f
--- /dev/null
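Review bot: The rendered `conf/registry.yaml` carries the registry secret and the zuul user's password in clear text, but the new `template:` task sets no `mode`, so the file is created with the remote user's umask default (usually 0644) on a node other jobs may share; add `mode: "0600"` to that task. `image: zuul/zuul-registry:latest` pins nothing for the component every image in the buildset is pushed to and pulled from — a fixed tag or digest would make the job reproducible and keep a broken or compromised push from reaching every job at once. The `openssl req` call replaces three idempotent modules with a `command:` that has no `creates:` or `changed_when:`, and its `-addext` option needs OpenSSL 1.1.1 or later, a requirement the role did not have before and which should be stated in the README or a task comment; `creates: "{{ buildset_registry_root }}/tls/cert.key"` would at least restore idempotence.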
+++ b/roles/run-buildset-registry/templates/registry.yaml.j2
@@ -0,0 +1,14 @@
+registry:
+  address: '::'
+  port: 5000
+  public-url: 'https://{{ ansible_host | ipwrap }}:5000'
+  tls-cert: /tls/cert.pem
+  tls-key: /tls/cert.key
+  secret: "{{ registry_secret }}"
+  users:
+    - name: zuul
+      pass: "{{ registry_password }}"
+      access: write
+  storage:
+    driver: filesystem
+    root: /storage
diff --git a/roles/use-buildset-registry/README.rst b/roles/use-buildset-registry/README.rst
index 8c93942a3..2801477a0 100644
--- a/roles/use-buildset-registry/README.rst
+++ b/roles/use-buildset-registry/README.rst
@@ -17,10 +17,6 @@ Use this role on any host which should use the buildset registry.
       The port on which the registry is listening.
-   .. zuul:rolevar:: proxy_port
-
-      The port on which the registry proxy is listening.
-
    .. zuul:rolevar:: username
       The username used to access the registry via HTTP basic auth.
diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml
index a276442ea..12ee2ac4e 100644
--- a/roles/use-buildset-registry/tasks/main.yaml
+++ b/roles/use-buildset-registry/tasks/main.yaml
@@ -28,21 +28,11 @@
   file:
     path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
     state: directory
-- name: Ensure proxy registry cert directory exists
-  become: true
-  file:
-    path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/"
-    state: directory
 - name: Write buildset registry TLS certificate
   become: true
   copy:
     content: "{{ buildset_registry.cert }}"
     dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
-- name: Write proxy registry TLS certificate
-  become: true
-  copy:
-    content: "{{ buildset_registry.cert }}"
-    dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/ca.crt"
 # Update daemon config
 - name: Check if docker daemon configuration exists
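Review bot: This template writes `secret` and the zuul user's `pass` value in clear text into a file that outlives the task, and nothing in the file says so; a header comment such as `# Rendered by run-buildset-registry: holds the registry secret and the zuul password, keep it mode 0600 and out of logs` would warn the next maintainer. Whether zuul-registry accepts `pass` only as plaintext or also as a hash is not visible here — if a hashed form is supported, storing that instead would avoid leaving the reusable credential on disk. Binding `address: '::'` on `port: 5000` exposes the endpoint on every interface of the node, presumably so other nodes in the buildset can reach it; since the single shared `zuul` user has `access: write`, it is worth documenting that possession of that password is write access to every image the buildset consumes.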
@@ -66,7 +56,7 @@
 - name: Add registry to docker daemon configuration
   vars:
     new_config:
-      registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/', 'https://{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/']"
+      registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/']"
   set_fact:
     docker_config: "{{ docker_config | combine(new_config) }}"
 - name: Save docker daemon configuration
diff --git a/roles/use-buildset-registry/tasks/user-config.yaml b/roles/use-buildset-registry/tasks/user-config.yaml
index 8b7ebbff8..7aff92d4a 100644
--- a/roles/use-buildset-registry/tasks/user-config.yaml
+++ b/roles/use-buildset-registry/tasks/user-config.yaml
@@ -27,11 +27,7 @@
     new_config:
       auths: |
         {
-          "https://index.docker.io/v1/":
-            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
           "{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
-            {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
-          "{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}":
             {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
         }
   set_fact:
@@ -51,4 +47,4 @@
   file:
     src: "~{{ buildset_registry_docker_user | default(ansible_user) }}/.docker/config.json"
     dest: /var/lib/kubelet/config.json
-    state: link
\ No newline at end of file
+    state: link
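Review bot: The remaining `auths` entry still embeds `buildset_registry.password` into `config.json` as base64 (an encoding, not encryption), and unless this task carries `no_log: true` somewhere outside the hunk, the rendered `new_config` is printed in verbose Ansible output along with the credential; add `no_log: true` to the task. Removing the `https://index.docker.io/v1/` entry looks like a security gain in its own right, since the old configuration appears to have presented the buildset registry's username and password to Docker Hub on upstream pulls — a sentence in the commit message or README saying so would help anyone bisecting later. The enclosing task begins before this hunk.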