Home Explore Help
Register Sign In
shixiong
/
okd
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Fix: authenticated registry support for containerized hosts

Currently, openshift-anisble supports authentication to
container registries to pull down openshift container images.
The openshift_verison role uses the docker cli to gather
image information from container registries before authentication
credentials are provided by openshift-ansible.

This commit creates the necessary token to authenticate to
private registries during openshift_version.  The token
is generated by the role 'docker' on all hosts where
docker is installed/configured when oreg_auth_users
is defined.

This commit also adds a read-only mount into the
openshift master and node container services.  This
mount is '/var/lib/origin/.docker:/root/.docker:ro'.
This is because the container images do not currently
read the values in '/var/lib/origin/.docker' as this
may be a bug upstream.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341
Michael Gugino 7 years ago
parent
4acdef4af8
commit
db30a2eb38
11 changed files with 111 additions and 34 deletions
Split View Show Diff Stats
  1. 5 0
      roles/docker/defaults/main.yml
  2. 12 0
      roles/docker/tasks/package_docker.yml
  3. 1 1
      roles/openshift_master/defaults/main.yml
  4. 1 15
      roles/openshift_master/tasks/main.yml
  5. 27 0
      roles/openshift_master/tasks/registry_auth.yml
  6. 11 1
      roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2
  7. 11 1
      roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2
  8. 1 1
      roles/openshift_node/defaults/main.yml
  9. 1 14
      roles/openshift_node/tasks/main.yml
  10. 25 0
      roles/openshift_node/tasks/registry_auth.yml
  11. 16 1
      roles/openshift_node/templates/openshift.docker.node.service

+ 5 - 0
roles/docker/defaults/main.yml
View File 

@@ -1 +1,6 @@
 
 ---
 
+docker_cli_auth_config_path: '/root/.docker'
 
+
 
+oreg_url: ''
 
+oreg_host: "{{ oreg_url.split('/')[0] if '.' in oreg_url.split('/')[0] else '' }}"
 
+oreg_auth_credentials_replace: False

+ 12 - 0
roles/docker/tasks/package_docker.yml
View File 

@@ -117,6 +117,18 @@
 
   notify:
 
   - restart docker
 
 
+- name: Check for credentials file for registry auth
 
+  stat:
 
+    path: "{{ docker_cli_auth_config_path }}/config.json"
 
+  when: oreg_auth_user is defined
 
+  register: docker_cli_auth_credentials_stat
 
+
 
+- name: Create credentials for docker cli registry auth
 
+  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
 
+  when:
 
+  - oreg_auth_user is defined
 
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
 
+
 
 - name: Start the Docker service
 
   systemd:
 
     name: docker

+ 1 - 1
roles/openshift_master/defaults/main.yml
View File 

@@ -24,7 +24,7 @@ oreg_url: ''
 
 oreg_host: "{{ oreg_url.split('/')[0] if '.' in oreg_url.split('/')[0] else '' }}"
 
 oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
 
 oreg_auth_credentials_replace: False
 
-
 
+l_bind_docker_reg_auth: False
 
 
 # NOTE
 
 # r_openshift_master_*_default may be defined external to this role.

+ 1 - 15
roles/openshift_master/tasks/main.yml
View File 

@@ -229,21 +229,7 @@
 
   - restart master controllers
 
   when: openshift_master_bootstrap_enabled | default(False)
 
 
-- name: Check for credentials file for registry auth
 
-  stat:
 
-    path: "{{oreg_auth_credentials_path }}"
 
-  when:
 
-  - oreg_auth_user is defined
 
-  register: master_oreg_auth_credentials_stat
 
-
 
-- name: Create credentials for registry auth
 
-  command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
 
-  when:
 
-  - oreg_auth_user is defined
 
-  - (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
 
-  notify:
 
-  - restart master api
 
-  - restart master controllers
 
+- include: registry_auth.yml
 
 
 - include: set_loopback_context.yml
 
   when:

+ 27 - 0
roles/openshift_master/tasks/registry_auth.yml
View File 

@@ -0,0 +1,27 @@
 
+---
 
+- name: Check for credentials file for registry auth
 
+  stat:
 
+    path: "{{ oreg_auth_credentials_path }}"
 
+  when: oreg_auth_user is defined
 
+  register: master_oreg_auth_credentials_stat
 
+
 
+# Container images may need the registry credentials
 
+- name: Setup ro mount of /root/.docker for containerized hosts
 
+  set_fact:
 
+    l_bind_docker_reg_auth: True
 
+  when:
 
+  - openshift.common.is_containerized | bool
 
+  - oreg_auth_user is defined
 
+  - (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
 
+  notify:
 
+  - restart master api
 
+  - restart master controllers
 
+
 
+- name: Create credentials for registry auth
 
+  command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
 
+  when:
 
+  - oreg_auth_user is defined
 
+  - (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
 
+  notify:
 
+  - restart master api
 
+  - restart master controllers

File diff suppressed because it is too large
+ 11 - 1
roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2


File diff suppressed because it is too large
+ 11 - 1
roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2


+ 1 - 1
roles/openshift_node/defaults/main.yml
View File 

@@ -84,7 +84,7 @@ oreg_url: ''
 
 oreg_host: "{{ oreg_url.split('/')[0] if '.' in oreg_url.split('/')[0] else '' }}"
 
 oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker"
 
 oreg_auth_credentials_replace: False
 
-
 
+l_bind_docker_reg_auth: False
 
 
 # NOTE
 
 # r_openshift_node_*_default may be defined external to this role.

+ 1 - 14
roles/openshift_node/tasks/main.yml
View File 

@@ -76,20 +76,7 @@
 
   include: config.yml
 
   when: not openshift_node_bootstrap
 
 
-- name: Check for credentials file for registry auth
 
-  stat:
 
-    path: "{{oreg_auth_credentials_path }}"
 
-  when:
 
-    - oreg_auth_user is defined
 
-  register: node_oreg_auth_credentials_stat
 
-
 
-- name: Create credentials for registry auth
 
-  command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
 
-  when:
 
-    - oreg_auth_user is defined
 
-    - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
 
-  notify:
 
-    - restart node
 
+- include: registry_auth.yml
 
 
 - name: Configure AWS Cloud Provider Settings
 
   lineinfile:

+ 25 - 0
roles/openshift_node/tasks/registry_auth.yml
View File 

@@ -0,0 +1,25 @@
 
+---
 
+- name: Check for credentials file for registry auth
 
+  stat:
 
+    path: "{{ oreg_auth_credentials_path }}"
 
+  when: oreg_auth_user is defined
 
+  register: node_oreg_auth_credentials_stat
 
+
 
+# Container images may need the registry credentials
 
+- name: Setup ro mount of /root/.docker for containerized hosts
 
+  set_fact:
 
+    l_bind_docker_reg_auth: True
 
+  when:
 
+    - openshift.common.is_containerized | bool
 
+    - oreg_auth_user is defined
 
+    - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
 
+  notify:
 
+    - restart node
 
+
 
+- name: Create credentials for registry auth
 
+  command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
 
+  when:
 
+    - oreg_auth_user is defined
 
+    - (not node_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
 
+  notify:
 
+    - restart node

File diff suppressed because it is too large
+ 16 - 1
roles/openshift_node/templates/openshift.docker.node.service