Merge "Docker registry TLS"

This commit is contained in:
Zuul 2020-08-06 12:14:48 +00:00 committed by Gerrit Code Review
commit 80e0e671ba
11 changed files with 189 additions and 7 deletions

View File

@ -13,3 +13,4 @@
roles: roles:
- role: docker-registry - role: docker-registry
docker_registry_action: "{{ kayobe_action }}" docker_registry_action: "{{ kayobe_action }}"
docker_registry_config_path: "{{ config_path }}/docker-registry"

View File

@ -21,3 +21,12 @@ docker_registry_port: 4000
# Name or path to use as the volume for the docker registry. # Name or path to use as the volume for the docker registry.
docker_registry_datadir_volume: docker_registry docker_registry_datadir_volume: docker_registry
# Whether to enable TLS for the registry.
docker_registry_enable_tls: false
# Path to a TLS certificate to use when TLS is enabled.
docker_registry_cert_path:
# Path to a TLS key to use when TLS is enabled.
docker_registry_key_path:

View File

@ -17,18 +17,23 @@ docker_registry_enabled: true
# pull through cache. # pull through cache.
docker_registry_env: {} docker_registry_env: {}
# Dict of environment variables to provide to the docker registry container
# when TLS is enabled.
docker_registry_env_tls:
REGISTRY_HTTP_TLS_CERTIFICATE: "{{ docker_registry_config_path }}/cert.pem"
REGISTRY_HTTP_TLS_KEY: "{{ docker_registry_config_path }}/key.pem"
# Service deployment definition. # Service deployment definition.
docker_registry_services: docker_registry_services:
docker_registry: docker_registry:
container_name: docker_registry container_name: docker_registry
env: "{{ docker_registry_env }}" env: "{{ docker_registry_env }}"
env: "{{ (docker_registry_env_tls if docker_registry_enable_tls | bool else {}) | combine(docker_registry_env) }}"
enabled: "{{ docker_registry_enabled }}" enabled: "{{ docker_registry_enabled }}"
image: "{{ docker_registry_image_full }}" image: "{{ docker_registry_image_full }}"
ports: ports:
- "{{ docker_registry_port }}:5000" - "{{ docker_registry_port }}:5000"
volumes: volumes: "{{ docker_registry_volumes | select | list }}"
- "/etc/localtime:/etc/localtime:ro"
- "{{ docker_registry_datadir_volume }}:/var/lib/registry"
# The port on which the docker registry server should listen. # The port on which the docker registry server should listen.
docker_registry_port: 5000 docker_registry_port: 5000
@ -37,6 +42,18 @@ docker_registry_port: 5000
# Defaults to ``docker_registry``. # Defaults to ``docker_registry``.
docker_registry_datadir_volume: docker_registry docker_registry_datadir_volume: docker_registry
# Path in which to store docker registry configuration.
docker_registry_config_path: "/etc/docker/registry"
# Whether to enable TLS for the registry.
docker_registry_enable_tls: false
# Path to a TLS certificate to use when TLS is enabled.
docker_registry_cert_path:
# Path to a TLS key to use when TLS is enabled.
docker_registry_key_path:
#################### ####################
# Docker # Docker
#################### ####################
@ -47,5 +64,11 @@ docker_registry_image: "{{ docker_registry_namespace ~ '/' if docker_registry_na
docker_registry_tag: "latest" docker_registry_tag: "latest"
docker_registry_image_full: "{{ docker_registry_image }}:{{ docker_registry_tag }}" docker_registry_image_full: "{{ docker_registry_image }}:{{ docker_registry_tag }}"
# List of volumes to be mounted to the docker registry container.
docker_registry_volumes:
- "/etc/localtime:/etc/localtime:ro"
- "{{ docker_registry_datadir_volume }}:/var/lib/registry"
- "{% if docker_registry_enable_tls | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"
docker_registry_restart_policy: "unless-stopped" docker_registry_restart_policy: "unless-stopped"
#docker_registry_restart_retries: #docker_registry_restart_retries:

View File

@ -0,0 +1,12 @@
---
- name: Restart docker-registry container
docker_container:
name: "{{ item.value.container_name }}"
state: started
restart: True
# NOTE: The image argument shouldn't be required, but without it this
# handler fails on Ansible 2.3. Related bug:
# https://github.com/ansible/ansible/issues/21188.
image: "{{ item.value.image }}"
with_dict: "{{ docker_registry_services }}"
when: item.value.enabled

View File

@ -0,0 +1,34 @@
---
- name: Ensure configuration path exists
file:
path: "{{ docker_registry_config_path }}"
state: directory
owner: "{{ ansible_user_uid }}"
group: "{{ ansible_user_gid }}"
mode: 0750
become: True
when: docker_registry_enable_tls | bool
- name: Ensure TLS certificate exists
copy:
src: "{{ docker_registry_cert_path }}"
dest: "{{ docker_registry_config_path }}/cert.pem"
owner: "{{ ansible_user_uid }}"
group: "{{ ansible_user_gid }}"
mode: 0600
become: True
when: docker_registry_enable_tls | bool
notify:
- Restart docker-registry container
- name: Ensure TLS key exists
copy:
src: "{{ docker_registry_key_path }}"
dest: "{{ docker_registry_config_path }}/key.pem"
owner: "{{ ansible_user_uid }}"
group: "{{ ansible_user_gid }}"
mode: 0600
become: True
when: docker_registry_enable_tls | bool
notify:
- Restart docker-registry container

View File

@ -1,4 +1,6 @@
--- ---
- import_tasks: config.yml
- name: Ensure Docker registry container is running - name: Ensure Docker registry container is running
docker_container: docker_container:
env: "{{ item.value.env }}" env: "{{ item.value.env }}"
@ -10,5 +12,5 @@
restart_policy: "{{ docker_registry_restart_policy }}" restart_policy: "{{ docker_registry_restart_policy }}"
restart_retries: "{{ docker_registry_restart_retries | default(omit) }}" restart_retries: "{{ docker_registry_restart_retries | default(omit) }}"
state: "{{ item.value.enabled | ternary('started', 'absent') }}" state: "{{ item.value.enabled | ternary('started', 'absent') }}"
volumes: "{{ item.value.volumes }}" volumes: "{{ item.value.volumes | select | list }}"
with_dict: "{{ docker_registry_services }}" with_dict: "{{ docker_registry_services }}"

View File

@ -1,3 +1,4 @@
--- ---
- import_tasks: config.yml
- include_tasks: pull.yml - include_tasks: pull.yml
- include_tasks: deploy.yml - include_tasks: deploy.yml

View File

@ -0,0 +1,82 @@
.. _configuration-docker-registry:
===============
Docker registry
===============
This section covers configuration of the Docker registry that may be deployed,
by default on the seed host. Docker registry configuration is typically applied
in ``${KAYOBE_CONFIG_PATH}/docker-registry.yml``. Consult the `Docker registry
documentation <https://docs.docker.com/registry/>`__ for further details of
registry usage and configuration.
The registry is deployed during the ``kayobe seed host configure`` command.
Configuring the registry
========================
``docker_registry_enabled``
Whether a docker registry is enabled. Default is ``false``. When set to
``true``, the Docker registry is deployed on all hosts in the
``docker-registry`` group. By default this includes the seed host.
``docker_registry_env``
Dict of environment variables to provide to the docker registry container.
This allows to configure the registry by overriding specific configuration
options, as described at https://docs.docker.com/registry/configuration/
For example, the registry can be configured as a pull through cache to
Docker Hub by setting REGISTRY_PROXY_REMOTEURL to
"https://registry-1.docker.io". Note that it is not possible to push to a
registry configured as a pull through cache. Default is ``{}``.
``docker_registry_port``
The port on which the docker registry server should listen. Default is
4000.
``docker_registry_datadir_volume``
Name or path to use as the volume for the docker registry. Default is
``docker_registry``.
TLS
---
It is recommended to enable TLS for the registry.
``docker_registry_enable_tls``
Whether to enable TLS for the registry. Default is ``false``.
``docker_registry_cert_path``
Path to a TLS certificate to use when TLS is enabled. Default is none.
``docker_registry_key_path``
Path to a TLS key to use when TLS is enabled. Default is none.
For example, the certificate and key could be stored with the Kayobe
configuration, under ``${KAYOBE_CONFIG_PATH}/docker-registry/``. These files
may be encrypted via Ansible Vault.
.. code-block:: yaml
:caption: ``docker-registry.yml``
docker_registry_enable_tls: true
docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem
docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem
Using the registry
==================
Enabling the registry does not automatically set the configuration for Docker
engine to use it. This should be done via the :ref:`docker_registry variable
<configuration-hosts-docker>`.
TLS
---
If the registry is using a privately signed TLS certificate, it is necessary to
:ref:`configure Docker engine with the CA certificate
<configuration-hosts-docker>`.
If TLS is enabled, Docker engine should be configured to use HTTPS to
communicate with it:
.. code-block:: yaml
:caption: ``kolla/globals.yml``
docker_registry_insecure: false

View File

@ -14,5 +14,6 @@ Configuration Guide
kolla-ansible kolla-ansible
bifrost bifrost
ironic-python-agent ironic-python-agent
docker-registry
seed-custom-containers seed-custom-containers
nova-cells nova-cells

View File

@ -2,7 +2,7 @@
############################################################################### ###############################################################################
# Docker registry configuration. # Docker registry configuration.
# Whether a docker registry is enabled. # Whether a docker registry is enabled. Default is false.
#docker_registry_enabled: #docker_registry_enabled:
# Dict of environment variables to provide to the docker registry container. # Dict of environment variables to provide to the docker registry container.
@ -11,12 +11,25 @@
# For example, the registry can be configured as a pull through cache to Docker # For example, the registry can be configured as a pull through cache to Docker
# Hub by setting REGISTRY_PROXY_REMOTEURL to "https://registry-1.docker.io". # Hub by setting REGISTRY_PROXY_REMOTEURL to "https://registry-1.docker.io".
# Note that it is not possible to push to a registry configured as a # Note that it is not possible to push to a registry configured as a
# pull through cache. # pull through cache. Default is an empty dict.
#docker_registry_env: #docker_registry_env:
# The port on which the docker registry server should listen. # The port on which the docker registry server should listen. Default is 4000.
#docker_registry_port: #docker_registry_port:
# Name or path to use as the volume for the docker registry. Default is
# 'docker_registry'.
#docker_registry_datadir_volume:
# Whether to enable TLS for the registry. Default is false.
#docker_registry_enable_tls:
# Path to a TLS certificate to use when TLS is enabled. Default is none.
#docker_registry_cert_path:
# Path to a TLS key to use when TLS is enabled. Default is none.
#docker_registry_key_path:
############################################################################### ###############################################################################
# Dummy variable to allow Ansible to accept this file. # Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes workaround_ansible_issue_8743: yes

View File

@ -0,0 +1,4 @@
---
features:
- |
Adds support for deploying a Docker registry with TLS.