okd/roles/openshift_node/tasks/registry_auth.yml

---
# There might be other settings in this file besides auth; we want to ensure it
# will always be bind-mounted into the node for system containers (atomic).
- name: Check for credentials file for registry auth
  stat:
    path: "{{ oreg_auth_credentials_path }}"
  when: oreg_auth_user is defined
  register: node_oreg_auth_credentials_stat

# docker_creds is a custom module from lib_utils
# 'docker login' requires a docker.service running on the local host, this is an
# alternative implementation that operates directly on config.json
- name: Create credentials for registry auth
  docker_creds:
    path: "{{ oreg_auth_credentials_path }}"
    registry: "{{ oreg_host }}"
    username: "{{ oreg_auth_user }}"
    password: "{{ oreg_auth_password }}"
    # Test that we can actually connect with provided info
    test_login: "{{ oreg_test_login | default(True) }}"
  when:
    - oreg_auth_user is defined
  register: node_oreg_auth_credentials_create
  retries: 3
  delay: 5
  until: node_oreg_auth_credentials_create.rc == 0

# Container images may need the registry credentials
- name: Setup ro mount of /root/.docker for containerized hosts
  set_fact:
    l_bind_docker_reg_auth: True
  when:
    - openshift_is_atomic | bool
    - oreg_auth_user is defined
    - >
        (node_oreg_auth_credentials_stat.stat.exists
        or node_oreg_auth_credentials_create.changed) | bool