
expand login subtasks so it can be used in all rdo jobs

With the upcoming activation of the RHEL8 pipeline, we decided with infra it
was better to switch the rdo registry to restricted access.
This means that all the jobs in rdo must log in to the registry to pull
containers.
All the Centos7 jobs must now call this role to log in to the registry,
so we are expanding the login part to satisfy the workflow.
The RHEL8 job with podman will use an internal role instead.

Change-Id: I6e55bdcf493d04bfc88ae22154124a7888563147
changes/81/673481/33
Gabriele Cerami 1 month ago
parent
commit
78da67824a

+ 2
- 1
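--- a/README.rst
+++ b/README.rst
@@ -1,8 +1,9 @@
 ansible-role-container-registry
 ===============================
 
-A role to deploy a container registry.
+A role to deploy a container registry and provide methods to login to it.
 For now, the role only support Docker Registry v2.
+The login currently doesn't work with hub.docker.com.
 
 
 Role Variables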

+ 1
- 0
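--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,3 +15,4 @@ container_registry_selinux: false
 container_registry_additional_sockets: []
 container_registry_skip_reconfiguration: false
 container_registry_logins: {}
+container_registry_cleanup_client: false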

+ 3
- 3
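--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -12,14 +12,14 @@ driver:
       -o VerifyHostKeyDNS=no
       -o ForwardX11=no
       -o ForwardAgent=no
-      {instance}
+      {instance-default}
     ansible_connection_options:
       ansible_connection: ssh
 
 log: true
 
 platforms:
-  - name: instance
+  - name: instance-default
 
 provisioner:
   name: ansible
@@ -31,7 +31,7 @@ provisioner:
     hosts:
       all:
         hosts:
-          instance:
+          instance-default:
             ansible_host: localhost
   log: true
   env: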

+ 4
- 3
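--- a/molecule/login/molecule.yml
+++ b/molecule/login/molecule.yml
@@ -12,14 +12,14 @@ driver:
       -o VerifyHostKeyDNS=no
       -o ForwardX11=no
       -o ForwardAgent=no
-      {instance}
+      {instance-login}
     ansible_connection_options:
       ansible_connection: ssh
 
 log: true
 
 platforms:
-  - name: instance
+  - name: instance-login
 
 provisioner:
   name: ansible
@@ -31,8 +31,9 @@ provisioner:
     hosts:
       all:
         hosts:
-          instance:
+          instance-login:
             ansible_host: localhost
+            ansible_user: zuul
   log: true
   env:
     ANSIBLE_STDOUT_CALLBACK: yaml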

+ 160
- 4
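--- a/molecule/login/playbook.yml
+++ b/molecule/login/playbook.yml
@@ -14,17 +14,173 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-
-- name: Converge
-  become: false
+####
+# Testing that the role fails with information when we are not passing
+# credentials for the login
+#
+- name: Ensure role checks for missing information
   hosts: all
+  tasks:
+    - set_fact:
+        role_failed: false
+
+    - name: ensure role fails when credentials missing
+      block:
+        - include_role:
+            name: ansible-role-container-registry
+            tasks_from: registry-login
+          vars:
+            ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
+      rescue:
+        - set_fact:
+            role_failed: true
+
+    - name: assert on missing credentials
+      assert:
+        that: role_failed != false
+        fail_msg: Role did not fail and it should have while passing no credential
+        success_msg: Role failed correctly while passing no credentials
+
+#####
+# We don't want to pollute the host by installing packages that
+# should be installed elsewhere and maybe from different repository
+# Here we test that we are removing any client package after installing it
+# As sometimes the package is installed before we run this role, we are also
+# testing that we are removing packages if and only if we were the ones
+# installing it.
+#
+- name: Check role behaviour with docker installation
+  hosts: instance-login
   vars:
+    docker_login_cache: /root/.docker/config.json
+    docker_socket: /var/run/docker.sock
     container_registry_logins:
       localhost:5000:
         testuser: testpassword
+  tasks:
+    - name: preinstall docker
+      become: true
+      package:
+        name: docker
+        state: present
+
+    - name: Include role with docker preinstalled
+      include_role:
+        name: ansible-role-container-registry
+        tasks_from: install-engine
+      vars:
+        ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
+
+    - name: remove clients with docker preinstalled
+      include_role:
+        name: ansible-role-container-registry
+        tasks_from: cleanup-engine
+      vars:
+        ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
+        container_registry_cleanup_client: true
+
+    - name: Check if tasks removed docker and it shouldn't
+      assert:
+        that:
+          - remove_docker is not defined or remove_docker is skipped
+        fail_msg: Role removed docker when it shouldn't have
+        success_msg: Role correctly left docker as it was installed before
+
+    - name: remove docker
+      become: true
+      package:
+        name: docker
+        state: absent
+
+    - name: Install client without docker preinstalled
+      include_role:
+        name: ansible-role-container-registry
+        tasks_from: install-engine
+      vars:
+        ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
+
+    - name: Cleanup client without docker preinstalled
+      include_role:
+        name: ansible-role-container-registry
+        tasks_from: cleanup-engine
+      vars:
+        ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
+        container_registry_cleanup_client: true
+
+    - name: Check if tasks removed docker
+      assert:
+        that:
+          - remove_docker is defined
+        fail_msg: Role did not remove docker when it should have
+        success_msg: Role correctly removed docker as it was not present before call
+
+####
+# This play tests that docker is chosen in centos7 and the login successfully
+# created a auth cache file
+# it also ensure that docker deamon is still running after we remove the client
+#
+- name: Test login behaviour in centos7
+  hosts: instance-login
+  vars:
+    docker_login_cache: /root/.docker/config.json
+    docker_socket: /var/run/docker.sock
+    container_registry_logins:
+        localhost:5000:
+            testuser: testpassword
   tasks:
     - include_role:
         name: ansible-role-container-registry
-        tasks_from: docker-login
+        tasks_from: registry-login
+
+    - name: check credentials file
+      become: true
+      stat:
+        path: "{{ docker_login_cache }}"
+      register: cache_file
+
+    - block:
+        - name: assert on file existence
+          assert:
+            that:
+              - cache_file.stat.exists
+            fail_msg: Credential file was not created
+            success_msg: Credential file correctly present
+          failed_when: false
+      rescue:
+        - debug:
+            msg: noop
+
+    - name: Verify credentials can be used
+      block:
+        - name: create build dir
+          file:
+            path: /tmp/tempimage
+            state: directory
+
+        - name: create Dockerfile
+          copy:
+            content: |
+              FROM scratch
+              ADD nothing /
+            dest: /tmp/tempimage/Dockerfile
+
+        - name: Build test image
+          become: true
+          shell: |
+            cd /tmp/tempimage
+            touch nothing
+            docker build -t localhost:5000/test/testimage:v1 .
+          register: build
+
+    - name: Verify authenticated push works
+      become: true
+      shell: |
+        docker push localhost:5000/test/testimage:v1
+
+    - name: Cleanup
+      include_role:
+        name: ansible-role-container-registry
+        tasks_from: cleanup-engine
       vars:
         ansible_python_interpreter: "{{ ansible_user_dir }}/test-python/bin/python"
+        container_registry_cleanup_client: true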
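Review bot: The `assert on file existence` task in the third play carries `failed_when: false` and sits in a block whose `rescue` is a no-op, so the play goes on even when the login left no credential cache at `docker_login_cache`; dropping `failed_when: false` and the block/rescue wrapper would let the assertion fail the test. The last check of the second play has a similar gap: Ansible registers a result for a skipped task too, so `remove_docker is defined` is already true after the first cleanup-engine run and does not show that the package was removed. `- remove_docker is changed` would test what the `fail_msg` describes.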

+ 16
- 0
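--- a/tasks/cleanup-engine.yml
+++ b/tasks/cleanup-engine.yml
@@ -0,0 +1,16 @@
+- name: Cleanup Engine
+  block:
+    - name: Remove docker
+      package:
+        name:
+           - docker
+        state: absent
+      register: remove_docker
+      when:
+        - container_registry_docker_install is defined
+        - container_registry_docker_install is changed
+  rescue:
+    - debug:
+        msg: "unable to remove docker"
+  become: true
+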
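Review bot: This file is laid out differently from the two other task files added in the same commit: it has no `---` document start, and `- docker` is indented three spaces under `name:` where every other level uses two. With a single package, `name: docker` on one line would match install-engine.yml. The `rescue` prints only the fixed text `unable to remove docker`, so the reason for a failed removal is lost; adding `{{ ansible_failed_result.msg | default('') }}` to the message would keep it visible when a host still has the client after cleanup was requested.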

+ 1
- 4
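--- a/tasks/docker.yml
+++ b/tasks/docker.yml
@@ -52,10 +52,7 @@
         - not ansible_check_mode
         - ftype.stdout == 'ftype=0'
 
-    - name: ensure docker is installed
-      package:
-        name: docker
-        state: present
+    - include_tasks: install-engine.yml
 
     - name: manage /etc/systemd/system/docker.service.d
       file: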
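Review bot: The `include_tasks: install-engine.yml` line makes the docker install conditional where it used to be unconditional, because the included block only runs when `ansible_distribution == "CentOS"` and the major version is below 8; on any other host the role now reaches `manage /etc/systemd/system/docker.service.d` without having installed docker. The included file also starts the daemon at this point, before the drop-in directory is managed, and whether a later restart picks up that configuration is not visible here. If the narrower scope is intended, a comment above the include such as `# docker is installed (and started) only on CentOS < 8, see install-engine.yml` would record it. The enclosing block starts and ends outside the hunk.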

+ 17
- 0
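--- a/tasks/install-engine.yml
+++ b/tasks/install-engine.yml
@@ -0,0 +1,17 @@
+---
+- name: Install and Start Docker
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version|int < 8
+  become: true
+  block:
+    - name: Install Docker
+      package:
+        name: docker
+        state: present
+      register: container_registry_docker_install
+
+    - name: Start Docker daemon
+      service:
+        name: docker
+        state: started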
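Review bot: The `register: container_registry_docker_install` line is an undocumented contract with cleanup-engine.yml, which removes the package only when that result `is changed`. A comment above it, e.g. `# read by cleanup-engine.yml: docker is removed only if this task installed it`, would stop a later rename from silently disabling the cleanup. The block also starts the daemon while cleanup-engine.yml shows no matching stop task, so a line saying whether the service is meant to keep running would help.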

+ 28
- 0
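--- a/tasks/registry-login.yml
+++ b/tasks/registry-login.yml
@@ -0,0 +1,28 @@
+---
+# TODO(gcerami): The login process does not work with dockerhub, as dockerhub requires an
+# auth API call to pass an email address (aven a fake one)
+
+- name: Fail if credentials are not defined or empty
+  fail:
+    msg: "Registry credentials are missing"
+  when: container_registry_logins|default({}) == {}
+
+- import_tasks: install-engine.yml
+
+- name: Try docker command line for authentication
+  block:
+    - name: Login via docker command
+      become: true
+      command: >
+        docker login "{{ item.key }}"
+         --username "{{ lookup('dict', item.value).key }}"
+         --password "{{ lookup('dict', item.value).value  }}"
+      loop: "{{ query('dict', container_registry_logins | default({})) }}"
+      register: registry_login_docker
+  rescue:
+    - debug:
+        msg: "Warning: login failed for some credentials while using docker login"
+
+- import_tasks: cleanup-engine.yml
+  when: container_registry_cleanup_client
+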
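Review bot: The `Login via docker command` task passes each registry password as a `--password` argument and sets no `no_log`, so the secret is readable in the host's process list and is written to the job output through the loop items and the registered `registry_login_docker` result. Add `no_log: true` to that task; if the packaged docker client supports `--password-stdin`, supplying the password through the command module's `stdin:` would also keep it off the command line. The `rescue` reduces a failed login to a debug warning, so a job with wrong credentials only fails later at pull time, which is worth a comment if it is deliberate.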
