From 2292ce9aed3f404107251b76a22a1e80b98f67ac Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Thu, 31 Jan 2019 13:44:04 -0800 Subject: [PATCH] Add a role to run a buildset registry Part of a system to interact with an intermediate registry. Change-Id: I2f4662cc587f9379e9ba3b7b705c85793a41864e
---
roles/run-buildset-registry/README.rst | 38 ++++++++ .../run-buildset-registry/defaults/main.yaml | 1 + roles/run-buildset-registry/tasks/main.yaml | 91 +++++++++++++++++++ 3 files changed, 130 insertions(+) create mode 100644 roles/run-buildset-registry/README.rst create mode 100644 roles/run-buildset-registry/defaults/main.yaml create mode 100644 roles/run-buildset-registry/tasks/main.yaml
diff --git a/roles/run-buildset-registry/README.rst b/roles/run-buildset-registry/README.rst
new file mode 100644
index 000000000..bcd26de26
--- /dev/null
+++ b/roles/run-buildset-registry/README.rst
@@ -0,0 +1,38 @@
+Runs a docker registry for the use of this buildset.
+
+This may be used for a single job running on a single node, or it may
+be used at the root of a job graph so that multiple jobs running for a
+single change can share the registry.
+
+**Role Variables**
+
+.. zuul:rolevar:: buildset_registry_root
+ :default: {{ ansible_user_dir }}/buildset_registry
+
+ Path for the registry volumes.
+
+**Return Values**
+
+.. zuul:rolevar:: buildset_registry
+
+ Information about the registry.
+
+ .. zuul:rolevar:: host
+
+ The host (IP address) of the registry.
+
+ .. zuul:rolevar:: port
+
+ The port on which the registry is listening.
+
+ .. zuul:rolevar:: username
+
+ The username used to access the registry via HTTP basic auth.
+
+ .. zuul:rolevar:: password
+
+ The password used to access the registry via HTTP basic auth.
+
+ .. zuul:rolevar:: cert
+
+ The (self-signed) certificate used by the registry.
diff --git a/roles/run-buildset-registry/defaults/main.yaml b/roles/run-buildset-registry/defaults/main.yaml
new file mode 100644
index 000000000..37c0730d4
--- /dev/null
+++ b/roles/run-buildset-registry/defaults/main.yaml
@@ -0,0 +1 @@
+buildset_registry_root: "{{ ansible_user_dir }}/buildset_registry"
diff --git a/roles/run-buildset-registry/tasks/main.yaml b/roles/run-buildset-registry/tasks/main.yaml
new file mode 100644
index 000000000..4e7575b36
--- /dev/null
+++ b/roles/run-buildset-registry/tasks/main.yaml
@@ -0,0 +1,91 @@
+- name: Install packages
+ become: yes
+ package:
+ name:
+ - python-docker
+ - python-openssl
+ - python-passlib
+ - python-bcrypt
+ state: present
+ when: "'python3' not in ansible_python_interpreter"
+- name: Install packages
+ become: yes
+ package:
+ name:
+ - python3-docker
+ - python3-openssl
+ - python3-passlib
+ - python3-bcrypt
+ state: present
+ when: "'python3' in ansible_python_interpreter"
+- name: Ensure Docker registry volume directories exists
+ file:
+ state: directory
+ path: "{{ buildset_registry_root}}/{{ item }}"
+ loop:
+ - certs
+ - auth
+# TODO: use password lookup after allowing access to it in Zuul
+- name: Generate registry password
+ set_fact:
+ registry_password: "{{ (ansible_date_time.iso8601_micro | password_hash('sha256'))[-20:] }}"
+- name: Write htpassword file
+ htpasswd:
+ create: true
+ crypt_scheme: bcrypt
+ path: "{{ buildset_registry_root}}/auth/htpasswd"
+ name: "zuul"
+ password: "{{ registry_password }}"
+- name: Generate a TLS key for the Docker registry
+ openssl_privatekey:
+ path: "{{ buildset_registry_root}}/certs/domain.key"
+- name: Generate a TLS CSR for the Docker registry
+ openssl_csr:
+ path: "{{ buildset_registry_root}}/certs/domain.csr"
+ privatekey_path: "{{ buildset_registry_root}}/certs/domain.key"
+ common_name: "{{ ansible_host }}"
+ subject_alt_name: "DNS:{{ ansible_host }},IP:{{ ansible_host }}"
+- name: Generate a TLS cert for the Docker registry
+ openssl_certificate:
+ path: "{{ buildset_registry_root}}/certs/domain.crt"
+ csr_path: "{{ buildset_registry_root}}/certs/domain.csr"
+ privatekey_path: "{{ buildset_registry_root}}/certs/domain.key"
+ provider: selfsigned
+ register: generated_cert
+- name: Read TLS certificate
+ slurp:
+ src: "{{ generated_cert.filename }}"
+ register: certificate
+- name: Decode TLS certificate
+ set_fact:
+ certificate: "{{ certificate.content | b64decode }}"
+- name: Start a docker registry
+ docker_container:
+ name: buildset_registry
+ image: registry:2
+ state: started
+ restart_policy: always
+ ports:
+ - "5000:5000"
+ env:
+ REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
+ REGISTRY_HTTP_TLS_KEY: /certs/domain.key
+ REGISTRY_AUTH: htpasswd
+ REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+ REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+ volumes:
+ - "{{ buildset_registry_root}}/data:/var/lib/registry"
+ - "{{ buildset_registry_root}}/certs:/certs"
+ - "{{ buildset_registry_root}}/auth:/auth"
+- name: Set registry information fact
+ set_fact:
+ buildset_registry:
+ host: "{{ ansible_host }}"
+ port: 5000
+ username: zuul
+ password: "{{ registry_password }}"
+ cert: "{{ certificate }}"
+- name: Return registry information to Zuul
+ zuul_return:
+ data:
+ buildset_registry: "{{ buildset_registry }}"
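Review bot: The password produced by the `Generate registry password` task is the only credential guarding the registry that is exposed on `0.0.0.0:5000`, yet neither that `set_fact`, the `Write htpassword file` task nor the final `zuul_return` carries `no_log`, so depending on the callback verbosity the value can be echoed into the job's console log, which is typically retained and visible to anyone who can read build output. Adding `no_log: true` to the password `set_fact`, the `htpasswd` task and the `zuul_return` task keeps it out of the log while the returned data still reaches child jobs. The value's unpredictability also rests entirely on `password_hash` choosing a random salt when none is supplied, since `ansible_date_time.iso8601_micro` is guessable; the existing TODO about the `password` lookup is the right fix and is worth doing before this role is relied on more widely. Separately, the CSR's `subject_alt_name` assumes `ansible_host` is an IP address — with a hostname the `IP:{{ ansible_host }}` entry would be invalid — so a comment such as `# ansible_host is expected to be an IP address; both SAN entries are derived from it` above the `openssl_csr` task would document that assumption.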