zuul/zuul-jobs
Code Issues Proposed changes

Use zuul-registry as buildset registry

Browse Source 
The proxy functionality is no longer needed so it is removed.

Change-Id: I29ff75d331b433ea4ad3b66ed723eee14a90b404
Depends-On: https://review.opendev.org/689829
This commit is contained in:
James E. Blair 2019-10-17 11:13:46 -07:00
parent 4da8f6c3a7
commit 8766890012
6 changed files with 35 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
roles/run-buildset-registry/README.rst
View File

@ -2,8 +2,7 @@ Runs a docker registry for the use of this buildset.
This may be used for a single job running on a single node, or it may This may be used for a single job running on a single node, or it may
be used at the root of a job graph so that multiple jobs running for a be used at the root of a job graph so that multiple jobs running for a
single change can share the registry. Two registry endpoints are single change can share the registry.
provided -- one is a local registry, the second is an upstream proxy.
**Role Variables** **Role Variables**
@ -26,10 +25,6 @@ provided -- one is a local registry, the second is an upstream proxy.
The port on which the registry is listening. The port on which the registry is listening.
.. zuul:rolevar:: proxy_port
The port on which the proxy is listening.
.. zuul:rolevar:: username .. zuul:rolevar:: username
The username used to access the registry via HTTP basic auth. The username used to access the registry via HTTP basic auth.

81
roles/run-buildset-registry/tasks/main.yaml
View File

@ -3,9 +3,8 @@
package: package:
name: name:
- python-docker - python-docker
- python-openssl - openssl
- python-passlib - python-passlib
- python-bcrypt
state: present state: present
when: "'python3' not in ansible_python_interpreter" when: "'python3' not in ansible_python_interpreter"
- name: Install packages - name: Install packages
@ -13,94 +12,50 @@
package: package:
name: name:
- python3-docker - python3-docker
- python3-openssl - openssl
- python3-passlib - python3-passlib
- python3-bcrypt
state: present state: present
when: "'python3' in ansible_python_interpreter" when: "'python3' in ansible_python_interpreter"
- name: Ensure Docker registry volume directories exists - name: Ensure registry volume directories exists
file: file:
state: directory state: directory
path: "{{ buildset_registry_root }}/{{ item }}" path: "{{ buildset_registry_root }}/{{ item }}"
loop: loop:
- certs - tls
- auth - conf
- name: Generate registry password - name: Generate registry secrets
set_fact: set_fact:
registry_password: "{{ lookup('password', '/dev/null') }}" registry_password: "{{ lookup('password', '/dev/null') }}"
- name: Write htpassword file registry_secret: "{{ lookup('password', '/dev/null') }}"
htpasswd: - name: Write registry config
create: true template:
crypt_scheme: bcrypt src: registry.yaml.j2
path: "{{ buildset_registry_root }}/auth/htpasswd" dest: "{{ buildset_registry_root }}/conf/registry.yaml"
name: "zuul" - name: Generate a TLS key for the registry
password: "{{ registry_password }}" command: "openssl req -x509 -newkey rsa:2048 -keyout {{ buildset_registry_root }}/tls/cert.key -out {{ buildset_registry_root }}/tls/cert.pem -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN={{ ansible_host }}' -addext 'subjectAltName = DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1'"
- name: Generate a TLS key for the Docker registry
openssl_privatekey:
path: "{{ buildset_registry_root }}/certs/domain.key"
- name: Generate a TLS CSR for the Docker registry
openssl_csr:
path: "{{ buildset_registry_root }}/certs/domain.csr"
privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
common_name: "{{ ansible_host }}"
subject_alt_name: "DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1"
- name: Generate a TLS cert for the Docker registry
openssl_certificate:
path: "{{ buildset_registry_root }}/certs/domain.crt"
csr_path: "{{ buildset_registry_root }}/certs/domain.csr"
privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
provider: selfsigned
register: generated_cert
- name: Read TLS certificate - name: Read TLS certificate
slurp: slurp:
src: "{{ generated_cert.filename }}" src: "{{ buildset_registry_root }}/tls/cert.pem"
register: certificate register: certificate
- name: Decode TLS certificate - name: Decode TLS certificate
set_fact: set_fact:
certificate: "{{ certificate.content | b64decode }}" certificate: "{{ certificate.content | b64decode }}"
- name: Start a docker registry - name: Start the buildset registry
docker_container: docker_container:
name: buildset_registry name: buildset_registry
image: registry:2 image: zuul/zuul-registry:latest
state: started state: started
restart_policy: always restart_policy: always
ports: ports:
- "5000:5000" - "5000:5000"
env:
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
REGISTRY_HTTP_TLS_KEY: /certs/domain.key
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
volumes: volumes:
- "{{ buildset_registry_root }}/certs:/certs" - "{{ buildset_registry_root }}/tls:/tls"
- "{{ buildset_registry_root }}/auth:/auth" - "{{ buildset_registry_root }}/conf:/conf"
- name: Start a docker proxy
docker_container:
name: buildset_proxy
image: registry:2
state: started
restart_policy: always
ports:
- "5001:5000"
env:
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
REGISTRY_HTTP_TLS_KEY: /certs/domain.key
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io
REGISTRY_PROXY_USERNAME: ''
REGISTRY_PROXY_PASSWORD: ''
volumes:
- "{{ buildset_registry_root }}/certs:/certs"
- "{{ buildset_registry_root }}/auth:/auth"
- name: Set registry information fact - name: Set registry information fact
set_fact: set_fact:
buildset_registry: buildset_registry:
host: "{{ ansible_host }}" host: "{{ ansible_host }}"
port: 5000 port: 5000
proxy_port: 5001
username: zuul username: zuul
password: "{{ registry_password }}" password: "{{ registry_password }}"
cert: "{{ certificate }}" cert: "{{ certificate }}"

14
roles/run-buildset-registry/templates/registry.yaml.j2 Normal file
View File

@ -0,0 +1,14 @@
registry:
address: '::'
port: 5000
public-url: 'https://{{ ansible_host | ipwrap }}:5000'
tls-cert: /tls/cert.pem
tls-key: /tls/cert.key
secret: "{{ registry_secret }}"
users:
- name: zuul
pass: "{{ registry_password }}"
access: write
storage:
driver: filesystem
root: /storage

4
roles/use-buildset-registry/README.rst
View File

@ -17,10 +17,6 @@ Use this role on any host which should use the buildset registry.
The port on which the registry is listening. The port on which the registry is listening.
.. zuul:rolevar:: proxy_port
The port on which the registry proxy is listening.
.. zuul:rolevar:: username .. zuul:rolevar:: username
The username used to access the registry via HTTP basic auth. The username used to access the registry via HTTP basic auth.

12
roles/use-buildset-registry/tasks/main.yaml
View File

@ -28,21 +28,11 @@
file: file:
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/" path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
state: directory state: directory
- name: Ensure proxy registry cert directory exists
become: true
file:
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/"
state: directory
- name: Write buildset registry TLS certificate - name: Write buildset registry TLS certificate
become: true become: true
copy: copy:
content: "{{ buildset_registry.cert }}" content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt" dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
- name: Write proxy registry TLS certificate
become: true
copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/ca.crt"
# Update daemon config # Update daemon config
- name: Check if docker daemon configuration exists - name: Check if docker daemon configuration exists
@ -66,7 +56,7 @@
- name: Add registry to docker daemon configuration - name: Add registry to docker daemon configuration
vars: vars:
new_config: new_config:
registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/', 'https://{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/']" registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/']"
set_fact: set_fact:
docker_config: "{{ docker_config | combine(new_config) }}" docker_config: "{{ docker_config | combine(new_config) }}"
- name: Save docker daemon configuration - name: Save docker daemon configuration

6
roles/use-buildset-registry/tasks/user-config.yaml
View File

@ -27,11 +27,7 @@
new_config: new_config:
auths: | auths: |
{ {
"https://index.docker.io/v1/":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
"{{ buildset_registry_alias }}:{{ buildset_registry.port }}": "{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
"{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"} {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
} }
set_fact: set_fact:
@ -51,4 +47,4 @@
file: file:
src: "~{{ buildset_registry_docker_user | default(ansible_user) }}/.docker/config.json" src: "~{{ buildset_registry_docker_user | default(ansible_user) }}/.docker/config.json"
dest: /var/lib/kubelet/config.json dest: /var/lib/kubelet/config.json
state: link state: link