Merge "Docker registry TLS"
This commit is contained in:
commit
80e0e671ba
@ -13,3 +13,4 @@
|
|||||||
roles:
|
roles:
|
||||||
- role: docker-registry
|
- role: docker-registry
|
||||||
docker_registry_action: "{{ kayobe_action }}"
|
docker_registry_action: "{{ kayobe_action }}"
|
||||||
|
docker_registry_config_path: "{{ config_path }}/docker-registry"
|
||||||
|
@ -21,3 +21,12 @@ docker_registry_port: 4000
|
|||||||
|
|
||||||
# Name or path to use as the volume for the docker registry.
|
# Name or path to use as the volume for the docker registry.
|
||||||
docker_registry_datadir_volume: docker_registry
|
docker_registry_datadir_volume: docker_registry
|
||||||
|
|
||||||
|
# Whether to enable TLS for the registry.
|
||||||
|
docker_registry_enable_tls: false
|
||||||
|
|
||||||
|
# Path to a TLS certificate to use when TLS is enabled.
|
||||||
|
docker_registry_cert_path:
|
||||||
|
|
||||||
|
# Path to a TLS key to use when TLS is enabled.
|
||||||
|
docker_registry_key_path:
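Review bot: `docker_registry_cert_path:` and `docker_registry_key_path:` are written with no value, which YAML reads as null; because these are passed unchanged as the `src` of the `copy` tasks in ansible/roles/docker-registry/tasks/config.yml, an operator who sets `docker_registry_enable_tls: true` but leaves one of them unset gets a copy failure on an empty source rather than a clear message. Write the defaults explicitly, `docker_registry_cert_path: null` and `docker_registry_key_path: null`, so the intent is visible and yamllint's empty-values rule is satisfied; the same applies to the role defaults hunk at `@ -37,6 +42,18 @@`. A one-line comment on each saying `# Must be set when docker_registry_enable_tls is true.` would spare a trip to the docs.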
|
||||||
|
@ -17,18 +17,23 @@ docker_registry_enabled: true
|
|||||||
# pull through cache.
|
# pull through cache.
|
||||||
docker_registry_env: {}
|
docker_registry_env: {}
|
||||||
|
|
||||||
|
# Dict of environment variables to provide to the docker registry container
|
||||||
|
# when TLS is enabled.
|
||||||
|
docker_registry_env_tls:
|
||||||
|
REGISTRY_HTTP_TLS_CERTIFICATE: "{{ docker_registry_config_path }}/cert.pem"
|
||||||
|
REGISTRY_HTTP_TLS_KEY: "{{ docker_registry_config_path }}/key.pem"
|
||||||
|
|
||||||
# Service deployment definition.
|
# Service deployment definition.
|
||||||
docker_registry_services:
|
docker_registry_services:
|
||||||
docker_registry:
|
docker_registry:
|
||||||
container_name: docker_registry
|
container_name: docker_registry
|
||||||
env: "{{ docker_registry_env }}"
|
env: "{{ docker_registry_env }}"
|
||||||
|
env: "{{ (docker_registry_env_tls if docker_registry_enable_tls | bool else {}) | combine(docker_registry_env) }}"
|
||||||
enabled: "{{ docker_registry_enabled }}"
|
enabled: "{{ docker_registry_enabled }}"
|
||||||
image: "{{ docker_registry_image_full }}"
|
image: "{{ docker_registry_image_full }}"
|
||||||
ports:
|
ports:
|
||||||
- "{{ docker_registry_port }}:5000"
|
- "{{ docker_registry_port }}:5000"
|
||||||
volumes:
|
volumes: "{{ docker_registry_volumes | select | list }}"
|
||||||
- "/etc/localtime:/etc/localtime:ro"
|
|
||||||
- "{{ docker_registry_datadir_volume }}:/var/lib/registry"
|
|
||||||
|
|
||||||
# The port on which the docker registry server should listen.
|
# The port on which the docker registry server should listen.
|
||||||
docker_registry_port: 5000
|
docker_registry_port: 5000
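Review bot: The `cert.pem` and `key.pem` names under `docker_registry_config_path` in `docker_registry_env_tls` are a silent contract with two other places in this commit: the `dest` of the copy tasks in tasks/config.yml and the `docker_registry_volumes` entry at `@ -47,5 +64,11 @@`, which only works because the host directory is bind-mounted at the identical path inside the container. Nothing in the hunk says so, and a later change to any one of the three breaks TLS at runtime. I would add above `docker_registry_env_tls:` the comment `# Container-side paths. docker_registry_config_path is bind-mounted read-only at the same path (see docker_registry_volumes); cert.pem and key.pem are written there by tasks/config.yml.` The `combine` expression on the `env:` line also means a user-supplied `docker_registry_env` key overrides the TLS entries; a short comment stating that precedence is deliberate would help reviewers of future changes.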
|
||||||
@ -37,6 +42,18 @@ docker_registry_port: 5000
|
|||||||
# Defaults to ``docker_registry``.
|
# Defaults to ``docker_registry``.
|
||||||
docker_registry_datadir_volume: docker_registry
|
docker_registry_datadir_volume: docker_registry
|
||||||
|
|
||||||
|
# Path in which to store docker registry configuration.
|
||||||
|
docker_registry_config_path: "/etc/docker/registry"
|
||||||
|
|
||||||
|
# Whether to enable TLS for the registry.
|
||||||
|
docker_registry_enable_tls: false
|
||||||
|
|
||||||
|
# Path to a TLS certificate to use when TLS is enabled.
|
||||||
|
docker_registry_cert_path:
|
||||||
|
|
||||||
|
# Path to a TLS key to use when TLS is enabled.
|
||||||
|
docker_registry_key_path:
|
||||||
|
|
||||||
####################
|
####################
|
||||||
# Docker
|
# Docker
|
||||||
####################
|
####################
|
||||||
@ -47,5 +64,11 @@ docker_registry_image: "{{ docker_registry_namespace ~ '/' if docker_registry_na
|
|||||||
docker_registry_tag: "latest"
|
docker_registry_tag: "latest"
|
||||||
docker_registry_image_full: "{{ docker_registry_image }}:{{ docker_registry_tag }}"
|
docker_registry_image_full: "{{ docker_registry_image }}:{{ docker_registry_tag }}"
|
||||||
|
|
||||||
|
# List of volumes to be mounted to the docker registry container.
|
||||||
|
docker_registry_volumes:
|
||||||
|
- "/etc/localtime:/etc/localtime:ro"
|
||||||
|
- "{{ docker_registry_datadir_volume }}:/var/lib/registry"
|
||||||
|
- "{% if docker_registry_enable_tls | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"
|
||||||
|
|
||||||
docker_registry_restart_policy: "unless-stopped"
|
docker_registry_restart_policy: "unless-stopped"
|
||||||
#docker_registry_restart_retries:
|
#docker_registry_restart_retries:
|
||||||
|
12
ansible/roles/docker-registry/handlers/main.yml
Normal file
12
ansible/roles/docker-registry/handlers/main.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
- name: Restart docker-registry container
|
||||||
|
docker_container:
|
||||||
|
name: "{{ item.value.container_name }}"
|
||||||
|
state: started
|
||||||
|
restart: True
|
||||||
|
# NOTE: The image argument shouldn't be required, but without it this
|
||||||
|
# handler fails on Ansible 2.3. Related bug:
|
||||||
|
# https://github.com/ansible/ansible/issues/21188.
|
||||||
|
image: "{{ item.value.image }}"
|
||||||
|
with_dict: "{{ docker_registry_services }}"
|
||||||
|
when: item.value.enabled
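Review bot: `restart: True` uses a capitalised boolean; yamllint's truthy rule and the rest of the file's lowercase style suggest `restart: true`, and the same applies to the three `become: True` lines in tasks/config.yml. The handler is otherwise consistent with the deploy task (same `with_dict` and `enabled` guard), so a restart is only attempted for a container that the role would also have started.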
|
34
ansible/roles/docker-registry/tasks/config.yml
Normal file
34
ansible/roles/docker-registry/tasks/config.yml
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure configuration path exists
|
||||||
|
file:
|
||||||
|
path: "{{ docker_registry_config_path }}"
|
||||||
|
state: directory
|
||||||
|
owner: "{{ ansible_user_uid }}"
|
||||||
|
group: "{{ ansible_user_gid }}"
|
||||||
|
mode: 0750
|
||||||
|
become: True
|
||||||
|
when: docker_registry_enable_tls | bool
|
||||||
|
|
||||||
|
- name: Ensure TLS certificate exists
|
||||||
|
copy:
|
||||||
|
src: "{{ docker_registry_cert_path }}"
|
||||||
|
dest: "{{ docker_registry_config_path }}/cert.pem"
|
||||||
|
owner: "{{ ansible_user_uid }}"
|
||||||
|
group: "{{ ansible_user_gid }}"
|
||||||
|
mode: 0600
|
||||||
|
become: True
|
||||||
|
when: docker_registry_enable_tls | bool
|
||||||
|
notify:
|
||||||
|
- Restart docker-registry container
|
||||||
|
|
||||||
|
- name: Ensure TLS key exists
|
||||||
|
copy:
|
||||||
|
src: "{{ docker_registry_key_path }}"
|
||||||
|
dest: "{{ docker_registry_config_path }}/key.pem"
|
||||||
|
owner: "{{ ansible_user_uid }}"
|
||||||
|
group: "{{ ansible_user_gid }}"
|
||||||
|
mode: 0600
|
||||||
|
become: True
|
||||||
|
when: docker_registry_enable_tls | bool
|
||||||
|
notify:
|
||||||
|
- Restart docker-registry container
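Review bot: Neither copy task checks that `docker_registry_cert_path` and `docker_registry_key_path` are actually set before using them as `src`; with the defaults introduced elsewhere in this commit both are null, so enabling TLS without setting them fails inside `copy` on an empty source instead of naming the missing variable. An `assert` task ahead of the directory task, guarded by the same `when`, gives operators a direct message and keeps the key from being half-deployed. Separately, `mode: 0750` and `mode: 0600` are unquoted YAML 1.1 octals that Ansible accepts, but quoting them (`"0600"`) is the documented safe form and avoids surprises if the values are ever moved into a variable.

```yaml
- name: Ensure TLS certificate and key paths are set
  assert:
    that:
      - docker_registry_cert_path is not none
      - docker_registry_key_path is not none
    msg: "docker_registry_cert_path and docker_registry_key_path must be set when docker_registry_enable_tls is true"
  when: docker_registry_enable_tls | bool

# … unchanged: Ensure configuration path exists, certificate and key copy tasks …
```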
|
@ -1,4 +1,6 @@
|
|||||||
---
|
---
|
||||||
|
- import_tasks: config.yml
|
||||||
|
|
||||||
- name: Ensure Docker registry container is running
|
- name: Ensure Docker registry container is running
|
||||||
docker_container:
|
docker_container:
|
||||||
env: "{{ item.value.env }}"
|
env: "{{ item.value.env }}"
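Review bot: The `- import_tasks: config.yml` added here is also added by the `@ -1,3 +1,4 @@` hunk below, which appears to be the role's main.yml and already imports config.yml before including this file; if that reading is right, the configuration tasks run twice whenever the role is entered through main.yml. Keep only one of the two imports, most likely the one in main.yml, so the certificate and key handling runs exactly once per play. The enclosing task list of this file continues outside the hunk.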
|
||||||
@ -10,5 +12,5 @@
|
|||||||
restart_policy: "{{ docker_registry_restart_policy }}"
|
restart_policy: "{{ docker_registry_restart_policy }}"
|
||||||
restart_retries: "{{ docker_registry_restart_retries | default(omit) }}"
|
restart_retries: "{{ docker_registry_restart_retries | default(omit) }}"
|
||||||
state: "{{ item.value.enabled | ternary('started', 'absent') }}"
|
state: "{{ item.value.enabled | ternary('started', 'absent') }}"
|
||||||
volumes: "{{ item.value.volumes }}"
|
volumes: "{{ item.value.volumes | select | list }}"
|
||||||
with_dict: "{{ docker_registry_services }}"
|
with_dict: "{{ docker_registry_services }}"
|
||||||
|
@ -1,3 +1,4 @@
|
|||||||
---
|
---
|
||||||
|
- import_tasks: config.yml
|
||||||
- include_tasks: pull.yml
|
- include_tasks: pull.yml
|
||||||
- include_tasks: deploy.yml
|
- include_tasks: deploy.yml
|
||||||
|
82
doc/source/configuration/docker-registry.rst
Normal file
82
doc/source/configuration/docker-registry.rst
Normal file
@ -0,0 +1,82 @@
|
|||||||
|
.. _configuration-docker-registry:
|
||||||
|
|
||||||
|
===============
|
||||||
|
Docker registry
|
||||||
|
===============
|
||||||
|
|
||||||
|
This section covers configuration of the Docker registry that may be deployed,
|
||||||
|
by default on the seed host. Docker registry configuration is typically applied
|
||||||
|
in ``${KAYOBE_CONFIG_PATH}/docker-registry.yml``. Consult the `Docker registry
|
||||||
|
documentation <https://docs.docker.com/registry/>`__ for further details of
|
||||||
|
registry usage and configuration.
|
||||||
|
|
||||||
|
The registry is deployed during the ``kayobe seed host configure`` command.
|
||||||
|
|
||||||
|
Configuring the registry
|
||||||
|
========================
|
||||||
|
|
||||||
|
``docker_registry_enabled``
|
||||||
|
Whether a docker registry is enabled. Default is ``false``. When set to
|
||||||
|
``true``, the Docker registry is deployed on all hosts in the
|
||||||
|
``docker-registry`` group. By default this includes the seed host.
|
||||||
|
``docker_registry_env``
|
||||||
|
Dict of environment variables to provide to the docker registry container.
|
||||||
|
This allows to configure the registry by overriding specific configuration
|
||||||
|
options, as described at https://docs.docker.com/registry/configuration/
|
||||||
|
For example, the registry can be configured as a pull through cache to
|
||||||
|
Docker Hub by setting REGISTRY_PROXY_REMOTEURL to
|
||||||
|
"https://registry-1.docker.io". Note that it is not possible to push to a
|
||||||
|
registry configured as a pull through cache. Default is ``{}``.
|
||||||
|
``docker_registry_port``
|
||||||
|
The port on which the docker registry server should listen. Default is
|
||||||
|
4000.
|
||||||
|
``docker_registry_datadir_volume``
|
||||||
|
Name or path to use as the volume for the docker registry. Default is
|
||||||
|
``docker_registry``.
|
||||||
|
|
||||||
|
TLS
|
||||||
|
---
|
||||||
|
|
||||||
|
It is recommended to enable TLS for the registry.
|
||||||
|
|
||||||
|
``docker_registry_enable_tls``
|
||||||
|
Whether to enable TLS for the registry. Default is ``false``.
|
||||||
|
|
||||||
|
``docker_registry_cert_path``
|
||||||
|
Path to a TLS certificate to use when TLS is enabled. Default is none.
|
||||||
|
|
||||||
|
``docker_registry_key_path``
|
||||||
|
Path to a TLS key to use when TLS is enabled. Default is none.
|
||||||
|
|
||||||
|
For example, the certificate and key could be stored with the Kayobe
|
||||||
|
configuration, under ``${KAYOBE_CONFIG_PATH}/docker-registry/``. These files
|
||||||
|
may be encrypted via Ansible Vault.
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
:caption: ``docker-registry.yml``
|
||||||
|
|
||||||
|
docker_registry_enable_tls: true
|
||||||
|
docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem
|
||||||
|
docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem
|
||||||
|
|
||||||
|
Using the registry
|
||||||
|
==================
|
||||||
|
|
||||||
|
Enabling the registry does not automatically set the configuration for Docker
|
||||||
|
engine to use it. This should be done via the :ref:`docker_registry variable
|
||||||
|
<configuration-hosts-docker>`.
|
||||||
|
|
||||||
|
TLS
|
||||||
|
---
|
||||||
|
|
||||||
|
If the registry is using a privately signed TLS certificate, it is necessary to
|
||||||
|
:ref:`configure Docker engine with the CA certificate
|
||||||
|
<configuration-hosts-docker>`.
|
||||||
|
|
||||||
|
If TLS is enabled, Docker engine should be configured to use HTTPS to
|
||||||
|
communicate with it:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
:caption: ``kolla/globals.yml``
|
||||||
|
|
||||||
|
docker_registry_insecure: false
|
@ -14,5 +14,6 @@ Configuration Guide
|
|||||||
kolla-ansible
|
kolla-ansible
|
||||||
bifrost
|
bifrost
|
||||||
ironic-python-agent
|
ironic-python-agent
|
||||||
|
docker-registry
|
||||||
seed-custom-containers
|
seed-custom-containers
|
||||||
nova-cells
|
nova-cells
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
###############################################################################
|
###############################################################################
|
||||||
# Docker registry configuration.
|
# Docker registry configuration.
|
||||||
|
|
||||||
# Whether a docker registry is enabled.
|
# Whether a docker registry is enabled. Default is false.
|
||||||
#docker_registry_enabled:
|
#docker_registry_enabled:
|
||||||
|
|
||||||
# Dict of environment variables to provide to the docker registry container.
|
# Dict of environment variables to provide to the docker registry container.
|
||||||
@ -11,12 +11,25 @@
|
|||||||
# For example, the registry can be configured as a pull through cache to Docker
|
# For example, the registry can be configured as a pull through cache to Docker
|
||||||
# Hub by setting REGISTRY_PROXY_REMOTEURL to "https://registry-1.docker.io".
|
# Hub by setting REGISTRY_PROXY_REMOTEURL to "https://registry-1.docker.io".
|
||||||
# Note that it is not possible to push to a registry configured as a
|
# Note that it is not possible to push to a registry configured as a
|
||||||
# pull through cache.
|
# pull through cache. Default is an empty dict.
|
||||||
#docker_registry_env:
|
#docker_registry_env:
|
||||||
|
|
||||||
# The port on which the docker registry server should listen.
|
# The port on which the docker registry server should listen. Default is 4000.
|
||||||
#docker_registry_port:
|
#docker_registry_port:
|
||||||
|
|
||||||
|
# Name or path to use as the volume for the docker registry. Default is
|
||||||
|
# 'docker_registry'.
|
||||||
|
#docker_registry_datadir_volume:
|
||||||
|
|
||||||
|
# Whether to enable TLS for the registry. Default is false.
|
||||||
|
#docker_registry_enable_tls:
|
||||||
|
|
||||||
|
# Path to a TLS certificate to use when TLS is enabled. Default is none.
|
||||||
|
#docker_registry_cert_path:
|
||||||
|
|
||||||
|
# Path to a TLS key to use when TLS is enabled. Default is none.
|
||||||
|
#docker_registry_key_path:
|
||||||
|
|
||||||
###############################################################################
|
###############################################################################
|
||||||
# Dummy variable to allow Ansible to accept this file.
|
# Dummy variable to allow Ansible to accept this file.
|
||||||
workaround_ansible_issue_8743: yes
|
workaround_ansible_issue_8743: yes
|
||||||
|
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Adds support for deploying a Docker registry with TLS.
|