authorJames E. Blair <jeblair@redhat.com>2019-01-31 13:44:04 -0800
committerJames E. Blair <jeblair@redhat.com>2019-02-01 13:25:11 -0800
commit2292ce9aed3f404107251b76a22a1e80b98f67ac (patch)
tree8e9adb8041e68f798ba7274a53ff47589d67b0b8
parentee5d3853437d55cfe4f15d37a85a6e378f0a06a3 (diff)
Add a role to run a buildset registry
Part of a system to interact with an intermediate registry. Change-Id: I2f4662cc587f9379e9ba3b7b705c85793a41864e
Notes
Notes (review): Code-Review+2: Monty Taylor <mordred@inaugust.com> Code-Review+2: Tobias Henkel <tobias.henkel@bmw.de> Workflow+1: Tobias Henkel <tobias.henkel@bmw.de> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Sat, 02 Feb 2019 08:10:39 +0000 Reviewed-on: https://review.openstack.org/634319 Project: openstack-infra/zuul-jobs Branch: refs/heads/master
-rw-r--r--roles/run-buildset-registry/README.rst38
-rw-r--r--roles/run-buildset-registry/defaults/main.yaml1
-rw-r--r--roles/run-buildset-registry/tasks/main.yaml91
3 files changed, 130 insertions, 0 deletions
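diff --git a/roles/run-buildset-registry/README.rst b/roles/run-buildset-registry/README.rst
new file mode 100644
index 0000000..bcd26de
--- /dev/null
+++ b/roles/run-buildset-registry/README.rst
@@ -0,0 +1,38 @@
+Runs a docker registry for the use of this buildset.
+
+This may be used for a single job running on a single node, or it may
+be used at the root of a job graph so that multiple jobs running for a
+single change can share the registry.
+
+**Role Variables**
+
+.. zuul:rolevar:: buildset_registry_root
+ :default: {{ ansible_user_dir }}/buildset_registry
+
+ Path for the registry volumes.
+
+**Return Values**
+
+.. zuul:rolevar:: buildset_registry
+
+ Information about the registry.
+
+ .. zuul:rolevar:: host
+
+ The host (IP address) of the registry.
+
+ .. zuul:rolevar:: port
+
+ The port on which the registry is listening.
+
+ .. zuul:rolevar:: username
+
+ The username used to access the registry via HTTP basic auth.
+
+ .. zuul:rolevar:: password
+
+ The password used to access the registry via HTTP basic auth.
+
+ .. zuul:rolevar:: cert
+
+ The (self-signed) certificate used by the registry.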
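diff --git a/roles/run-buildset-registry/defaults/main.yaml b/roles/run-buildset-registry/defaults/main.yaml
new file mode 100644
index 0000000..37c0730
--- /dev/null
+++ b/roles/run-buildset-registry/defaults/main.yaml
@@ -0,0 +1 @@
+buildset_registry_root: "{{ ansible_user_dir }}/buildset_registry"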
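diff --git a/roles/run-buildset-registry/tasks/main.yaml b/roles/run-buildset-registry/tasks/main.yaml
new file mode 100644
index 0000000..4e7575b
--- /dev/null
+++ b/roles/run-buildset-registry/tasks/main.yaml
@@ -0,0 +1,91 @@
+- name: Install packages
+ become: yes
+ package:
+ name:
+ - python-docker
+ - python-openssl
+ - python-passlib
+ - python-bcrypt
+ state: present
+ when: "'python3' not in ansible_python_interpreter"
+- name: Install packages
+ become: yes
+ package:
+ name:
+ - python3-docker
+ - python3-openssl
+ - python3-passlib
+ - python3-bcrypt
+ state: present
+ when: "'python3' in ansible_python_interpreter"
+- name: Ensure Docker registry volume directories exists
+ file:
+ state: directory
+ path: "{{ buildset_registry_root}}/{{ item }}"
+ loop:
+ - certs
+ - auth
+# TODO: use password lookup after allowing access to it in Zuul
+- name: Generate registry password
+ set_fact:
+ registry_password: "{{ (ansible_date_time.iso8601_micro | password_hash('sha256'))[-20:] }}"
+- name: Write htpassword file
+ htpasswd:
+ create: true
+ crypt_scheme: bcrypt
+ path: "{{ buildset_registry_root}}/auth/htpasswd"
+ name: "zuul"
+ password: "{{ registry_password }}"
+- name: Generate a TLS key for the Docker registry
+ openssl_privatekey:
+ path: "{{ buildset_registry_root}}/certs/domain.key"
+- name: Generate a TLS CSR for the Docker registry
+ openssl_csr:
+ path: "{{ buildset_registry_root}}/certs/domain.csr"
+ privatekey_path: "{{ buildset_registry_root}}/certs/domain.key"
+ common_name: "{{ ansible_host }}"
+ subject_alt_name: "DNS:{{ ansible_host }},IP:{{ ansible_host }}"
+- name: Generate a TLS cert for the Docker registry
+ openssl_certificate:
+ path: "{{ buildset_registry_root}}/certs/domain.crt"
+ csr_path: "{{ buildset_registry_root}}/certs/domain.csr"
+ privatekey_path: "{{ buildset_registry_root}}/certs/domain.key"
+ provider: selfsigned
+ register: generated_cert
+- name: Read TLS certificate
+ slurp:
+ src: "{{ generated_cert.filename }}"
+ register: certificate
+- name: Decode TLS certificate
+ set_fact:
+ certificate: "{{ certificate.content | b64decode }}"
+- name: Start a docker registry
+ docker_container:
+ name: buildset_registry
+ image: registry:2
+ state: started
+ restart_policy: always
+ ports:
+ - "5000:5000"
+ env:
+ REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
+ REGISTRY_HTTP_TLS_KEY: /certs/domain.key
+ REGISTRY_AUTH: htpasswd
+ REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+ REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+ volumes:
+ - "{{ buildset_registry_root}}/data:/var/lib/registry"
+ - "{{ buildset_registry_root}}/certs:/certs"
+ - "{{ buildset_registry_root}}/auth:/auth"
+- name: Set registry information fact
+ set_fact:
+ buildset_registry:
+ host: "{{ ansible_host }}"
+ port: 5000
+ username: zuul
+ password: "{{ registry_password }}"
+ cert: "{{ certificate }}"
+- name: Return registry information to Zuul
+ zuul_return:
+ data:
+ buildset_registry: "{{ buildset_registry }}"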
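Review bot: The generated `registry_password` passes through two `set_fact` tasks without `no_log: true` ("Generate registry password", new lines 29-31, and "Set registry information fact", new lines 80-87), so the credential can be recorded in the job's Ansible output wherever task results are logged. Adding `no_log: true` to both tasks keeps it out of the logs while still letting `zuul_return` hand it to dependent jobs. The password's only explicit input is `ansible_date_time.iso8601_micro`, which is guessable, so its unpredictability appears to rest entirely on the random salt `password_hash` generates when none is passed. A comment beside the existing TODO, such as `# unpredictability comes from password_hash's random salt, not the timestamp`, would stop a later edit from pinning the salt and making the value derivable.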