From aae4df5024e1393f1f72ab5b62d52d2f9459d55f Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Mon, 22 Apr 2019 14:35:29 -0700 Subject: [PATCH] Fix localhost cert location for push-to-intermediate-registry We're using 127.0.0.1 everywhere rather than localhost; the cert directory and auth information need to match. Change-Id: Id72332625c234519ce4c819e88c184035eac8203 --- .../tasks/main.yaml | 18 +++++++++-------- .../tasks/push.yaml | 20 ++++++++++--------- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/roles/pull-from-intermediate-registry/tasks/main.yaml b/roles/pull-from-intermediate-registry/tasks/main.yaml index 6fd26d892..f71e843cd 100644 --- a/roles/pull-from-intermediate-registry/tasks/main.yaml +++ b/roles/pull-from-intermediate-registry/tasks/main.yaml @@ -3,14 +3,6 @@ when: buildset_registry is not defined set_fact: buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}" -- name: Ensure registry cert directory exists - file: - path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/" - state: directory -- name: Write registry TLS certificate - copy: - content: "{{ buildset_registry.cert }}" - dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/ca.crt" # Start a socat tunnel to the buildset registry to work around the # fact that docker does not correctly parse ipv6 addresses. The socat 
@@ -21,6 +13,16 @@ set_fact: socat_port: "{{ lookup('file', zuul.executor.work_root + '/socat_port') | regex_replace('.*?0\\.0\\.0\\.0:(\\d+)', '\\1') }}" +# Set up cert files for the buildset registry +- name: Ensure registry cert directory exists + file: + path: "/etc/docker/certs.d/127.0.0.1:{{ socat_port }}/" + state: directory +- name: Write registry TLS certificate + copy: + content: "{{ buildset_registry.cert }}" + dest: "/etc/docker/certs.d/127.0.0.1:{{ socat_port }}/ca.crt" + # Update user config for intermediate and buildset registries - name: Ensure docker user directory exists file: diff --git a/roles/push-to-intermediate-registry/tasks/push.yaml b/roles/push-to-intermediate-registry/tasks/push.yaml index 42ae563a1..db41d9b5a 100644 --- a/roles/push-to-intermediate-registry/tasks/push.yaml +++ b/roles/push-to-intermediate-registry/tasks/push.yaml @@ -3,14 +3,6 @@ when: buildset_registry is not defined set_fact: buildset_registry: "{{ (lookup('file', zuul.executor.work_root + '/results.json') | from_json)['buildset_registry'] }}" -- name: Ensure registry cert directory exists - file: - path: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/" - state: directory -- name: Write registry TLS certificate - copy: - content: "{{ buildset_registry.cert }}" - dest: "/etc/docker/certs.d/{{ buildset_registry.host | ipwrap }}:{{ buildset_registry.port }}/ca.crt" # Start a socat tunnel to the buildset registry to work around the # fact that docker does not correctly parse ipv6 addresses. The socat 
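Review bot: `socat_port` is interpolated into a path under `/etc/docker/certs.d/` in the new "Ensure registry cert directory exists" and "Write registry TLS certificate" tasks without any check that it is a port number. The `regex_replace` in the context line just above returns its input unchanged when the pattern does not match, so an unexpected `socat_port` file would make `file` and `copy` create a directory named after that text. An `assert` with `that: socat_port is match('^[0-9]+$')` ahead of the cert tasks would fail the job cleanly instead. The same applies to the identical hunk in roles/push-to-intermediate-registry/tasks/push.yaml. Both tasks also leave permissions to the umask, so `mode: '0755'` on the directory and `mode: '0644'` on `ca.crt` would make them explicit.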
@@ -21,6 +13,16 @@ set_fact: socat_port: "{{ lookup('file', zuul.executor.work_root + '/socat_port') | regex_replace('.*?0\\.0\\.0\\.0:(\\d+)', '\\1') }}" +# Set up cert files for the buildset registry +- name: Ensure registry cert directory exists + file: + path: "/etc/docker/certs.d/127.0.0.1:{{ socat_port }}/" + state: directory +- name: Write registry TLS certificate + copy: + content: "{{ buildset_registry.cert }}" + dest: "/etc/docker/certs.d/127.0.0.1:{{ socat_port }}/ca.crt" + # Update user config for intermediate and buildset registries - name: Ensure docker user directory exists file: @@ -52,7 +54,7 @@ { "{{ intermediate_registry.host | ipwrap }}:{{ intermediate_registry.port }}": {"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"}, - "localhost:{{ socat_port }}": + "127.0.0.1:{{ socat_port }}": {"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}, } set_fact:
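Review bot: The auth map edited in the last hunk embeds `username:password` for both registries, so the surrounding task should set `no_log: true` if it does not already. Otherwise verbose output or a failure dump can print the base64 credential pairs, which are trivially decoded. The task begins before this hunk and continues past its last line (`set_fact:`), so this may already be in place. The key `127.0.0.1:{{ socat_port }}` now has to stay identical to the `certs.d` directory name written earlier in this file and to the host used in image references. A comment above the task, e.g. `# auth key must match the certs.d directory and the registry host used in image names`, would help keep them in step.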