okd/roles/openshift_master/tasks/registry_auth.yml

---
# We need to setup some variables as this play might be called directly
# from outside of the role.
- set_fact:
    oreg_auth_credentials_path: "{{ r_openshift_master_data_dir }}/.docker"
  when: oreg_auth_credentials_path is not defined

- set_fact:
    oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
  when: oreg_host is not defined

- name: Check for credentials file for registry auth
  stat:
    path: "{{ oreg_auth_credentials_path }}"
  when: oreg_auth_user is defined
  register: master_oreg_auth_credentials_stat

- name: Create credentials for registry auth
  command: "docker --config={{ oreg_auth_credentials_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
  when:
  - oreg_auth_user is defined
  - (not master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
  register: master_oreg_auth_credentials_create
  notify:
  - restart master api
  - restart master controllers

# Container images may need the registry credentials
- name: Setup ro mount of /root/.docker for containerized hosts
  set_fact:
    l_bind_docker_reg_auth: True
  when:
  - openshift.common.is_containerized | bool
  - oreg_auth_user is defined
  - (master_oreg_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace or master_oreg_auth_credentials_create.changed) | bool