Browse Source

expand login subtasks so it can be used in all rdo jobs

With the upcoming activation of RHEL8 pipeline, we decided with infra it
was better to switch rdo registry to restricted access.
This means that all the job in rdo must login to registry to pull
containers.
All the Centos7 jobs must now call this role to login to the registry,
so we are expanding the login part to satisfy the workflow
RHEL8 job with podman will use a internal role instead.

Change-Id: I6e55bdcf493d04bfc88ae22154124a7888563147
changes/81/673481/33
Gabriele Cerami 6 months ago
parent
commit
78da67824a
9 changed files with 232 additions and 15 deletions
  1. +2
    -1
      README.rst
  2. +1
    -0
      defaults/main.yml
  3. +3
    -3
      molecule/default/molecule.yml
  4. +4
    -3
      molecule/login/molecule.yml
  5. +160
    -4
      molecule/login/playbook.yml
  6. +16
    -0
      tasks/cleanup-engine.yml
  7. +1
    -4
      tasks/docker.yml
  8. +17
    -0
      tasks/install-engine.yml
  9. +28
    -0
      tasks/registry-login.yml

+ 2
- 1
README.rst View File

@@ -1,8 +1,9 @@
ansible-role-container-registry
===============================

A role to deploy a container registry.
A role to deploy a container registry and provide methods to login to it.
For now, the role only support Docker Registry v2.
The login currently doesn't work with hub.docker.com.


Role Variables

+ 1
- 0
defaults/main.yml View File

@@ -15,3 +15,4 @@ container_registry_selinux: false
container_registry_additional_sockets: []
container_registry_skip_reconfiguration: false
container_registry_logins: {}
container_registry_cleanup_client: false

+ 3
- 3
molecule/default/molecule.yml View File

@@ -12,14 +12,14 @@ driver:
-o VerifyHostKeyDNS=no
-o ForwardX11=no
-o ForwardAgent=no
{instance}
{instance-default}
ansible_connection_options:
ansible_connection: ssh

log: true

platforms:
- name: instance
- name: instance-default

provisioner:
name: ansible
@@ -31,7 +31,7 @@ provisioner:
hosts:
all:
hosts:
instance:
instance-default:
ansible_host: localhost
log: true
env:

+ 4
- 3
molecule/login/molecule.yml View File

@@ -12,14 +12,14 @@ driver:
-o VerifyHostKeyDNS=no
-o ForwardX11=no
-o ForwardAgent=no
{instance}
{instance-login}
ansible_connection_options:
ansible_connection: ssh

log: true

platforms:
- name: instance
- name: instance-login

provisioner:
name: ansible
@@ -31,8 +31,9 @@ provisioner:
hosts:
all:
hosts:
instance:
instance-login:
ansible_host: localhost
ansible_user: zuul
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml

+ 160
- 4
molecule/login/playbook.yml View File

@@ -14,17 +14,173 @@
# License for the specific language governing permissions and limitations
# under the License.


- name: Converge
become: false
####
# Testing that the role fails with information when we are not passing
# credentials for the login
#
- name: Ensure role checks for missing information
hosts: all
tasks:
- set_fact:
role_failed: false

- name: ensure role fails when credentials missing
block:
- include_role:
name: ansible-role-container-registry
tasks_from: registry-login
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
rescue:
- set_fact:
role_failed: true

- name: assert on missing credentials
assert:
that: role_failed != false
fail_msg: Role did not fail and it should have while passing no credential
success_msg: Role failed correctly while passing no credentials

#####
# We don't want to pollute the host by installing packages that
# should be installed elsewhere and maybe from different repository
# Here we test that we are removing any client package after installing it
# As sometimes the package is installed before we run this role, we are also
# testing that we are removing packages if and only if we were the ones
# installing it.
#
- name: Check role behaviour with docker installation
hosts: instance-login
vars:
docker_login_cache: /root/.docker/config.json
docker_socket: /var/run/docker.sock
container_registry_logins:
localhost:5000:
testuser: testpassword
tasks:
- name: preinstall docker
become: true
package:
name: docker
state: present

- name: Include role with docker preinstalled
include_role:
name: ansible-role-container-registry
tasks_from: install-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"

- name: remove clients with docker preinstalled
include_role:
name: ansible-role-container-registry
tasks_from: cleanup-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
container_registry_cleanup_client: true

- name: Check if tasks removed docker and it shouldn't
assert:
that:
- remove_docker is not defined or remove_docker is skipped
fail_msg: Role removed docker when it shouldn't have
success_msg: Role correctly left docker as it was installed before

- name: remove docker
become: true
package:
name: docker
state: absent

- name: Install client without docker preinstalled
include_role:
name: ansible-role-container-registry
tasks_from: install-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"

- name: Cleanup client without docker preinstalled
include_role:
name: ansible-role-container-registry
tasks_from: cleanup-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
container_registry_cleanup_client: true

- name: Check if tasks removed docker
assert:
that:
- remove_docker is defined
fail_msg: Role did not remove docker when it should have
success_msg: Role correctly removed docker as it was not present before call

####
# This play tests that docker is chosen in centos7 and the login successfully
# created a auth cache file
# it also ensure that docker deamon is still running after we remove the client
#
- name: Test login behaviour in centos7
hosts: instance-login
vars:
docker_login_cache: /root/.docker/config.json
docker_socket: /var/run/docker.sock
container_registry_logins:
localhost:5000:
testuser: testpassword
tasks:
- include_role:
name: ansible-role-container-registry
tasks_from: docker-login
tasks_from: registry-login

- name: check credentials file
become: true
stat:
path: "{{ docker_login_cache }}"
register: cache_file

- block:
- name: assert on file existence
assert:
that:
- cache_file.stat.exists
fail_msg: Credential file was not created
success_msg: Credential file correctly present
failed_when: false
rescue:
- debug:
msg: noop

- name: Verify credentials can be used
block:
- name: create build dir
file:
path: /tmp/tempimage
state: directory

- name: create Dockerfile
copy:
content: |
FROM scratch
ADD nothing /
dest: /tmp/tempimage/Dockerfile

- name: Build test image
become: true
shell: |
cd /tmp/tempimage
touch nothing
docker build -t localhost:5000/test/testimage:v1 .
register: build

- name: Verify authenticated push works
become: true
shell: |
docker push localhost:5000/test/testimage:v1

- name: Cleanup
include_role:
name: ansible-role-container-registry
tasks_from: cleanup-engine
vars:
ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
container_registry_cleanup_client: true

+ 16
- 0
tasks/cleanup-engine.yml View File

@@ -0,0 +1,16 @@
- name: Cleanup Engine
block:
- name: Remove docker
package:
name:
- docker
state: absent
register: remove_docker
when:
- container_registry_docker_install is defined
- container_registry_docker_install is changed
rescue:
- debug:
msg: "unable to remove docker"
become: true


+ 1
- 4
tasks/docker.yml View File

@@ -52,10 +52,7 @@
- not ansible_check_mode
- ftype.stdout == 'ftype=0'

- name: ensure docker is installed
package:
name: docker
state: present
- include_tasks: install-engine.yml

- name: manage /etc/systemd/system/docker.service.d
file:

+ 17
- 0
tasks/install-engine.yml View File

@@ -0,0 +1,17 @@
---
- name: Install and Start Docker
when:
- ansible_distribution == "CentOS"
- ansible_distribution_major_version|int < 8
become: true
block:
- name: Install Docker
package:
name: docker
state: present
register: container_registry_docker_install

- name: Start Docker daemon
service:
name: docker
state: started

+ 28
- 0
tasks/registry-login.yml View File

@@ -0,0 +1,28 @@
---
# TODO(gcerami): The login process does not work with dockerhub, as dockerhub requires an
# auth API call to pass an email address (aven a fake one)

- name: Fail if credentials are not defined or empty
fail:
msg: "Registry credentials are missing"
when: container_registry_logins|default({}) == {}

- import_tasks: install-engine.yml

- name: Try docker command line for authentication
block:
- name: Login via docker command
become: true
command: >
docker login "{{ item.key }}"
--username "{{ lookup('dict', item.value).key }}"
--password "{{ lookup('dict', item.value).value }}"
loop: "{{ query('dict', container_registry_logins | default({})) }}"
register: registry_login_docker
rescue:
- debug:
msg: "Warning: login failed for some credentials while using docker login"

- import_tasks: cleanup-engine.yml
when: container_registry_cleanup_client


Loading…
Cancel
Save