Fix docker reg auth bugs

This commit updates docker_creds custom module
to account for correct retry condition in task files.

This commit also updates the module's code to
test registry credentials with skopeo instead of
using a more simplistic python-request based approach.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1602120

roles/container_runtime/tasks/registry_auth.yml

@@ -10,9 +10,11 @@
     password: "{{ oreg_auth_password }}"
     # Test that we can actually connect with provided info
     test_login: "{{ oreg_test_login | default(True) }}"
+    proxy_vars: "{{ l_docker_creds_proxy_vars }}"
+    image_name: "{{ l_docker_creds_image_name }}"
   when:
   - oreg_auth_user is defined
   register: crt_oreg_auth_credentials_create
   retries: 3
   delay: 5
-  until: crt_oreg_auth_credentials_create.rc == 0
+  until: crt_oreg_auth_credentials_create is succeeded

roles/lib_utils/library/docker_creds.py

@@ -21,7 +21,6 @@ import json
 import os
 
 from ansible.module_utils.basic import AnsibleModule
-from six.moves import urllib
 
 DOCUMENTATION = '''
 ---
@@ -131,15 +130,22 @@ def load_config_file(module, dest):
         return {}
 
 
-def validate_registry_login(module, registry, encoded_auth):
+def gen_skopeo_cmd(registry, username, password, proxy_vars, image_name):
+    '''Generate skopeo command to run'''
+    skopeo_temp = ("{proxy_vars} timeout 10 skopeo inspect"
+                   " {creds} docker://{registry}/{image_name}")
+    creds = '--creds {}:{}'.format(username, password)
+    skopeo_args = {'proxy_vars': proxy_vars, 'creds': creds,
+                   'registry': registry, 'image_name': image_name}
+    return skopeo_temp.format(**skopeo_args).strip()
+
+
+def validate_registry_login(module, skopeo_command):
     '''Attempt to use credentials to log into registry'''
-    url = 'https://' + registry + '/v2/'
-    auth_header = 'Basic {}'.format(encoded_auth)
-    headers = {'Authorization': auth_header}
-    req = urllib.request.Request(url=url, headers=headers)
-    try:
-        urllib.request.urlopen(req)
-    except urllib.error.HTTPError as err:
+    # skopeo doesn't honor docker config file proxy settings; need to specify
+    # proxy vars on the cli.
+    rtnc, _, err = module.run_command(skopeo_command, use_unsafe_shell=True)
+    if rtnc:
         result = {'failed': True,
                   'changed': False,
                   'msg': str(err),
@@ -189,6 +195,8 @@ def run_module():
         username=dict(type='str', required=True),
         password=dict(type='str', required=True, no_log=True),
         test_login=dict(type='str', required=False, default=True),
+        proxy_vars=dict(type='str', required=False, default=''),
+        image_name=dict(type='str', required=True),
     )
 
     module = AnsibleModule(
@@ -202,6 +210,8 @@ def run_module():
     username = module.params['username']
     password = module.params['password']
     test_login = module.params['test_login']
+    proxy_vars = module.params['proxy_vars']
+    image_name = module.params['image_name']
 
     if not check_dest_dir_exists(module, dest):
         create_dest_dir(module, dest)
@@ -211,13 +221,14 @@ def run_module():
         # in case there are other registries/settings already present.
         docker_config = load_config_file(module, dest)
 
-    # base64 encode our username:password string
-    encoded_auth = base64.b64encode('{}:{}'.format(username, password).encode())
-
     # Test the credentials
     if test_login:
-        validate_registry_login(module, registry, encoded_auth)
+        skopeo_command = gen_skopeo_cmd(registry, username, password,
+                                        proxy_vars, image_name)
+        validate_registry_login(module, skopeo_command)
 
+    # base64 encode our username:password string
+    encoded_auth = base64.b64encode('{}:{}'.format(username, password).encode())
     # Put the registry auth info into the config dict.
     changed = update_config(docker_config, registry, encoded_auth)
 

roles/openshift_control_plane/tasks/registry_auth.yml

@@ -10,10 +10,12 @@
     password: "{{ oreg_auth_password }}"
     # Test that we can actually connect with provided info
     test_login: "{{ oreg_test_login | default(True) }}"
+    proxy_vars: "{{ l_docker_creds_proxy_vars }}"
+    image_name: "{{ l_docker_creds_image_name }}"
   when:
   - oreg_auth_user is defined
   register: master_oreg_auth_credentials_create
   notify: restart master
   retries: 3
   delay: 5
-  until: master_oreg_auth_credentials_create.rc == 0
+  until: master_oreg_auth_credentials_create is succeeded

roles/openshift_facts/defaults/main.yml

@@ -15,6 +15,16 @@ l_oreg_host_temp: "{{ oreg_url | default(l_osm_registry_url_default) }}"
 # oreg_url is defined by user input.
 oreg_host: "{{ l_oreg_host_temp.split('/')[0] }}"
 
+l_docker_creds_image_dict:
+  openshift-enterprise: 'openshift3/ose'
+  origin: 'openshift/origin'
+l_docker_creds_image_name: "{{ l_docker_creds_image_dict[openshift_deployment_type] }}"
+
+l_docker_creds_http_proxy: "{{ 'HTTP_PROXY=' ~ openshift.common.http_proxy if openshift.common.http_proxy is defined and openshift.common.http_proxy != '' else ''}}"
+l_docker_creds_https_proxy: "{{ 'HTTPS_PROXY=' ~ openshift.common.https_proxy if openshift.common.https_proxy is defined and openshift.common.https_proxy != '' else ''}}"
+l_docker_creds_no_proxy: "{{ 'NO_PROXY=' ~ openshift.common.no_proxy if openshift.common.no_proxy is defined and openshift.common.no_proxy != '' else ''}}"
+l_docker_creds_proxy_vars: "{{ l_docker_creds_http_proxy }} {{ l_docker_creds_https_proxy }} {{ l_docker_creds_no_proxy }}"
+
 l_osm_registry_url: "{{ oreg_url | default(l_osm_registry_url_default) | regex_replace('${version}' | regex_escape, openshift_image_tag | default('${version}')) }}"
 l_os_registry_url: "{{ oreg_url | default(l_osm_registry_url_default) | regex_replace('${version}' | regex_escape, openshift_image_tag | default('${version}')) }}"
 openshift_image_default: "{{ l_os_registry_url | regex_replace('${component}' | regex_escape, 'node') }}"

roles/openshift_node/tasks/registry_auth.yml

@@ -18,12 +18,14 @@
     password: "{{ oreg_auth_password }}"
     # Test that we can actually connect with provided info
     test_login: "{{ oreg_test_login | default(True) }}"
+    proxy_vars: "{{ l_docker_creds_proxy_vars }}"
+    image_name: "{{ l_docker_creds_image_name }}"
   when:
     - oreg_auth_user is defined
   register: node_oreg_auth_credentials_create
   retries: 3
   delay: 5
-  until: node_oreg_auth_credentials_create.rc == 0
+  until: node_oreg_auth_credentials_create is succeeded
 
 # Container images may need the registry credentials
 - name: Setup ro mount of /root/.docker for containerized hosts