
Add openshift_additional_registry_credentials

These credentials are appended to ansible_ssh_user's
~/.docker/config.json and /var/lib/origin/.docker/config.json so that
the admin and kubelet can pull images from multiple authenticated
registries at install time
Scott Dodson 6 years ago
parent
commit
2251b45315

+ 21 - 1
roles/container_runtime/tasks/registry_auth.yml

@@ -2,7 +2,7 @@
 # docker_creds is a custom module from lib_utils
 # 'docker login' requires a docker.service running on the local host, this is an
 # alternative implementation that operates directly on config.json
-- name: Create credentials for docker cli registry auth (alternative)
+- name: Create credentials for oreg_url
   docker_creds:
     path: "{{ docker_cli_auth_config_path }}"
     registry: "{{ oreg_host }}"
@@ -18,3 +18,23 @@
   retries: 3
   delay: 5
   until: crt_oreg_auth_credentials_create is succeeded
+
+- name: Create for any additional registries
+  docker_creds:
+    path: "{{ docker_cli_auth_config_path }}"
+    registry: "{{ item.host }}"
+    username: "{{ item.user | default('openshift') }}"
+    password: "{{ item.password }}"
+    # Test that we can actually connect with provided info
+    test_login: "{{ item.test_login | default(omit) }}"
+    proxy_vars: "{{ l_docker_creds_proxy_vars }}"
+    image_name: "{{ item.image_name | default('openshift3/ose-pod') }}"
+    tls_verify: "{{ item.tls_verify | default(omit) }}"
+  when:
+  - openshift_additional_registry_credentials is defined
+  register: crt_addl_credentials_create
+  retries: 3
+  delay: 5
+  until: crt_addl_credentials_create is succeeded
+  with_items:
+    "{{ openshift_additional_registry_credentials }}"
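Review bot: The loop item of the new task at L31-49 carries `item.password`, and Ansible includes each `item` in the per-iteration result it prints, so every additional registry password lands in the play output and in any log that captures it; add `no_log: true` to the task (unless the file already sets it somewhere outside this hunk). The same applies to the matching tasks added in roles/openshift_control_plane/tasks/registry_auth.yml and roles/openshift_node/tasks/registry_auth.yml, and to the oc command task in roles/openshift_examples/tasks/main.yml. Separately, `openshift_additional_registry_credentials is defined` is always true once roles/openshift_facts/defaults/main.yml defaults the variable to `[]`, so the `when:` is dead in all four files; the empty loop already skips, but `when: openshift_additional_registry_credentials | length > 0` states the intent. The task name `Create for any additional registries` also drops the word "credentials" used by the other two files; `- name: Create credentials for any additional registries` keeps them aligned.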

+ 21 - 1
roles/openshift_control_plane/tasks/registry_auth.yml

@@ -2,7 +2,7 @@
 # docker_creds is a custom module from lib_utils
 # 'docker login' requires a docker.service running on the local host, this is an
 # alternative implementation that operates directly on config.json
-- name: Create credentials for registry auth (alternative)
+- name: Create credentials for oreg_url
   docker_creds:
     path: "{{ oreg_auth_credentials_path }}"
     registry: "{{ oreg_host }}"
@@ -18,3 +18,23 @@
   retries: 3
   delay: 5
   until: master_oreg_auth_credentials_create is succeeded
+
+- name: Create credentials for any additional registries
+  docker_creds:
+    path: "{{ oreg_auth_credentials_path }}"
+    registry: "{{ item.host }}"
+    username: "{{ item.user | default('openshift') }}"
+    password: "{{ item.password }}"
+    # Test that we can actually connect with provided info
+    test_login: "{{ item.test_login | default(omit) }}"
+    proxy_vars: "{{ l_docker_creds_proxy_vars }}"
+    image_name: "{{ item.image_name | default('openshift3/ose-pod') }}"
+    tls_verify: "{{ item.tls_verify | default(omit) }}"
+  when:
+  - openshift_additional_registry_credentials is defined
+  register: crt_addl_credentials_create
+  retries: 3
+  delay: 5
+  until: crt_addl_credentials_create is succeeded
+  with_items:
+    "{{ openshift_additional_registry_credentials }}"
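Review bot: The new task at L68-86 registers `crt_addl_credentials_create`, a name copied from the container_runtime role (`crt_` prefix), while this file's existing task uses the `master_` prefix (`master_oreg_auth_credentials_create` at L66). Use `register: master_additional_registry_creds` and `until: master_additional_registry_creds is succeeded` so the two roles' results stay distinguishable when both run on the same host and the file keeps one naming scheme.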

+ 18 - 4
roles/openshift_examples/tasks/main.yml

@@ -49,18 +49,32 @@
 ######################################################################
 # Begin image streams
 
-- name: Create imagestream import secret
+- name: Create imagestream import secret for oreg_url
   command: >
-    {{ openshift_client_binary }} create secret docker-registry imagestreamsecret --docker-server={{ registry_host }} --docker-username={{ oreg_auth_user }} --docker-email=openshift@openshift.com --docker-password={{ oreg_auth_password }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig -n openshift
+    {{ openshift_client_binary }} create secret docker-registry imagestreamsecret
+    --docker-server={{ registry_host }} --docker-username={{ oreg_auth_user }}
+    --docker-email=openshift@openshift.com --docker-password={{ oreg_auth_password }}
+    --config={{ openshift.common.config_base }}/master/admin.kubeconfig -n openshift
   when:
     - openshift_examples_load_rhel | bool
     - oreg_auth_password is defined
-  with_items:
-    - "{{ rhel_image_streams }}"
   register: oex_imagestream_import_secret
   failed_when: "'already exists' not in oex_imagestream_import_secret.stderr and oex_imagestream_import_secret.rc != 0"
   changed_when: false
 
+- name: Create imagestream import secrets for any additional registries
+  command: >
+      {{ openshift_client_binary }} create secret docker-registry imagestreamsecret
+      --docker-server={{ item.host }} --docker-username={{ item.user }}
+      --docker-email=openshift@openshift.com --docker-password={{ item.password }}
+      --config={{ openshift.common.config_base }}/master/admin.kubeconfig -n openshift
+  when:
+    - openshift_additional_registry_credentials is defined
+  with_items:
+    - "{{ openshift_additional_registry_credentials }}"
+  register: oex_additional_creds
+  failed_when: "'already exists' not in oex_additional_creds.stderr and oex_additional_creds.rc != 0"
+
 - name: Modify registry paths if registry_url is not registry.redhat.io
   shell: >
     find {{ examples_base }} -type f | xargs -n 1 sed -i 's|registry.redhat.io|{{ registry_host | quote }}|g'
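Review bot: Every iteration of the new task at L112-123 creates a secret with the same fixed name `imagestreamsecret` in namespace `openshift`, and the preceding oreg_url task creates that name too; the second and later `oc create` calls fail with 'already exists', which `failed_when` treats as success, so only the first registry's credentials are stored and the remaining entries are silently dropped. Give each entry its own name, e.g. `imagestreamsecret-{{ item.host | regex_replace('[^a-z0-9]', '-') }}` (constructed example; adjust to the naming the imagestream import expects). The new task also omits the `changed_when: false` that the task above it keeps, so it reports a change on every run, and `--docker-username={{ item.user }}` has no `default('openshift')` while the docker_creds tasks in the registry_auth.yml files do, so an entry without `user` works there but fails with an undefined variable here. Passing `--docker-password` on the command line additionally exposes it in the process listing on the master for the duration of the call and, via the registered `item`, in the play output; `no_log: true` covers the latter.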

+ 4 - 0
roles/openshift_facts/defaults/main.yml

@@ -15,6 +15,10 @@ l_oreg_host_temp: "{{ oreg_url | default(l_osm_registry_url_default) }}"
 # oreg_url is defined by user input.
 oreg_host: "{{ l_oreg_host_temp.split('/')[0] }}"
 
+# Used to define a list of registry credentials
+# ex openshift_additional_registry_credentials=[{'host':'registry.redhat.io','user':'bob','password':'redhat'},{'host':'registry.connect.redhat.com','user':'alice','password':'redhat','test_login':False}]
+openshift_additional_registry_credentials: []
+
 # this variable does not replace ${version} with openshift_image_tag
 l_os_non_standard_reg_url: "{{ oreg_url | default(l_osm_registry_url_default) }}"
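Review bot: The comment at L136-137 shows only `host`, `user`, `password` and `test_login`, while the docker_creds tasks that consume this list also read optional `image_name` and `tls_verify`, and `user` is optional there (defaults to `openshift`) but required by the imagestream secret task in roles/openshift_examples/tasks/main.yml; the comment should list the accepted keys and mark which are optional. Suggested lead-in: `# List of dicts with keys host, user (default 'openshift'), password, and optional test_login, image_name, tls_verify`, followed by the existing example. Since the default is `[]`, readers should also be told that an empty list means "no additional registries" rather than relying on the `is defined` checks in the task files.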
 

+ 21 - 4
roles/openshift_node/tasks/registry_auth.yml

@@ -30,13 +30,30 @@
   delay: 5
   until: node_oreg_auth_credentials_create is succeeded
 
+- name: Create credentials for any additional registries
+  docker_creds:
+    path: "{{ oreg_auth_credentials_path }}"
+    registry: "{{ item.host }}"
+    username: "{{ item.user | default('openshift') }}"
+    password: "{{ item.password }}"
+    # Test that we can actually connect with provided info
+    test_login: "{{ item.test_login | default(omit) }}"
+    proxy_vars: "{{ l_docker_creds_proxy_vars }}"
+    image_name: "{{ item.image_name | default('openshift3/ose-pod') }}"
+    tls_verify: "{{ item.tls_verify | default(omit) }}"
+  when:
+    - openshift_additional_registry_credentials is defined
+  register: node_additional_registry_creds
+  retries: 3
+  delay: 5
+  until: node_additional_registry_creds is succeeded
+  with_items:
+    "{{ openshift_additional_registry_credentials }}"
+
 # Container images may need the registry credentials
 - name: Setup ro mount of /root/.docker for containerized hosts
   set_fact:
     l_bind_docker_reg_auth: True
   when:
     - openshift_is_atomic | bool
-    - oreg_auth_user is defined
-    - >
-        (node_oreg_auth_credentials_stat.stat.exists
-        or node_oreg_auth_credentials_create.changed) | bool
+    - oreg_auth_user is defined or openshift_additional_registry_credentials is defined or node_oreg_auth_credentials_stat.stat.exists
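Review bot: The rewritten condition at L181 makes `l_bind_docker_reg_auth` true on every atomic host: with roles/openshift_facts/defaults/main.yml now defaulting `openshift_additional_registry_credentials` to `[]`, the `is defined` term is always true, so the whole `or` chain is true and the only effective condition left is `openshift_is_atomic`. It also no longer considers whether a credentials file was actually written, unlike the `node_oreg_auth_credentials_create.changed` term it replaced. Suggest `- oreg_auth_user is defined or openshift_additional_registry_credentials | length > 0 or node_oreg_auth_credentials_stat.stat.exists`, optionally also `or node_additional_registry_creds is changed`. The `when:` list at L162-163 is indented under its key while the same task in container_runtime and openshift_control_plane writes it flush; pick one form across the three files.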