Docker registry basic auth
Adds support for HTTP basic authentication with the Docker registry. The Kolla Docker registry password is now written to passwords.yml. Change-Id: Ie6e854a66a6660d4e02771fe2b5dd97af814194d Story: 2007952 Task: 40429
parent
54b6b72b67
commit
7b80482ac3
@ -30,3 +30,9 @@ docker_registry_cert_path:
|
||||
|
||||
# Path to a TLS key to use when TLS is enabled.
|
||||
docker_registry_key_path:
|
||||
|
||||
# Whether to enable basic authentication for the registry.
|
||||
docker_registry_enable_basic_auth: false
|
||||
|
||||
# Path to a htpasswd formatted password store for the registry.
|
||||
docker_registry_basic_auth_htpasswd_path:
|
||||
|
@ -496,6 +496,7 @@ kolla_ansible_default_custom_passwords:
|
||||
kolla_ssh_key:
|
||||
private_key: "{{ lookup('file', ssh_private_key_path) }}"
|
||||
public_key: "{{ lookup('file', ssh_public_key_path) }}"
|
||||
docker_registry_password: "{{ kolla_docker_registry_password }}"
|
||||
|
||||
# Dictionary containing custom passwords to add or override in the Kolla
|
||||
# passwords file.
|
||||
|
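Review bot: `docker_registry_password: "{{ kolla_docker_registry_password }}"` is added to `kolla_ansible_default_custom_passwords` unconditionally, so when no registry password is configured the entry is still written to passwords.yml with a null or empty value. Whether that is harmless, or overrides a value Kolla Ansible would otherwise generate, depends on how Kayobe merges custom passwords, which is not visible in this hunk; if it is not harmless, include the key only when a password is set, for example by building the dict with a conditional `combine` guarded by `kolla_docker_registry_password is truthy`. The enclosing mapping starts above this hunk.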
@ -23,12 +23,22 @@ docker_registry_env_tls:
|
||||
REGISTRY_HTTP_TLS_CERTIFICATE: "{{ docker_registry_config_path }}/cert.pem"
|
||||
REGISTRY_HTTP_TLS_KEY: "{{ docker_registry_config_path }}/key.pem"
|
||||
|
||||
# Dict of environment variables to provide to the docker registry container
|
||||
# when basic authentication is enabled.
|
||||
docker_registry_env_basic_auth:
|
||||
REGISTRY_AUTH: htpasswd
|
||||
REGISTRY_AUTH_HTPASSWD_REALM: "Registry realm"
|
||||
REGISTRY_AUTH_HTPASSWD_PATH: "{{ docker_registry_config_path }}/htpasswd"
|
||||
|
||||
# Service deployment definition.
|
||||
docker_registry_services:
|
||||
docker_registry:
|
||||
container_name: docker_registry
|
||||
env: "{{ docker_registry_env }}"
|
||||
env: "{{ (docker_registry_env_tls if docker_registry_enable_tls | bool else {}) | combine(docker_registry_env) }}"
|
||||
env: >-
|
||||
{{ {} |
|
||||
combine(docker_registry_env_tls if docker_registry_enable_tls | bool else {}) |
|
||||
combine(docker_registry_env_basic_auth if docker_registry_enable_basic_auth | bool else {}) |
|
||||
combine(docker_registry_env) }}
|
||||
enabled: "{{ docker_registry_enabled }}"
|
||||
image: "{{ docker_registry_image_full }}"
|
||||
ports:
|
||||
@ -54,6 +64,12 @@ docker_registry_cert_path:
|
||||
# Path to a TLS key to use when TLS is enabled.
|
||||
docker_registry_key_path:
|
||||
|
||||
# Whether to enable basic authentication for the registry.
|
||||
docker_registry_enable_basic_auth: false
|
||||
|
||||
# Path to a htpasswd formatted password store for the registry.
|
||||
docker_registry_basic_auth_htpasswd_path:
|
||||
|
||||
####################
|
||||
# Docker
|
||||
####################
|
||||
@ -68,7 +84,7 @@ docker_registry_image_full: "{{ docker_registry_image }}:{{ docker_registry_tag
|
||||
docker_registry_volumes:
|
||||
- "/etc/localtime:/etc/localtime:ro"
|
||||
- "{{ docker_registry_datadir_volume }}:/var/lib/registry"
|
||||
- "{% if docker_registry_enable_tls | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"
|
||||
- "{% if docker_registry_enable_tls | bool or docker_registry_enable_basic_auth | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"
|
||||
|
||||
docker_registry_restart_policy: "unless-stopped"
|
||||
#docker_registry_restart_retries:
|
||||
|
@ -7,7 +7,9 @@
|
||||
group: "{{ ansible_user_gid }}"
|
||||
mode: 0750
|
||||
become: True
|
||||
when: docker_registry_enable_tls | bool
|
||||
when: >-
|
||||
docker_registry_enable_tls | bool or
|
||||
docker_registry_enable_basic_auth | bool
|
||||
|
||||
- name: Ensure TLS certificate exists
|
||||
copy:
|
||||
@ -32,3 +34,15 @@
|
||||
when: docker_registry_enable_tls | bool
|
||||
notify:
|
||||
- Restart docker-registry container
|
||||
|
||||
- name: Ensure basic auth htpasswd file exists
|
||||
copy:
|
||||
src: "{{ docker_registry_basic_auth_htpasswd_path }}"
|
||||
dest: "{{ docker_registry_config_path }}/htpasswd"
|
||||
owner: "{{ ansible_user_uid }}"
|
||||
group: "{{ ansible_user_gid }}"
|
||||
mode: 0600
|
||||
become: True
|
||||
when: docker_registry_enable_basic_auth | bool
|
||||
notify:
|
||||
- Restart docker-registry container
|
||||
|
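Review bot: `mode: 0600` on the new "Ensure basic auth htpasswd file exists" task is an unquoted leading-zero literal: a YAML 1.1 loader reads it as the integer 384 and a YAML 1.2 loader as 600, and only the former happens to equal 0o600, so write it as `mode: "0600"` (the context line `mode: 0750` in the previous hunk has the same shape but is pre-existing). Separately, nothing validates the inputs this task depends on: the documentation added in this commit states that basic authentication over unencrypted HTTP is not supported, yet `docker_registry_enable_basic_auth` can be set without `docker_registry_enable_tls`, and `docker_registry_basic_auth_htpasswd_path` defaults to null, so the `copy` fails on a missing src rather than with a clear message. A guard task before the copy, along the lines below, would surface both misconfigurations early.
```yaml
- name: Validate Docker registry basic authentication configuration
  assert:
    that:
      - docker_registry_enable_tls | bool
      - docker_registry_basic_auth_htpasswd_path is not none
      - docker_registry_basic_auth_htpasswd_path | length > 0
    fail_msg: >-
      Basic authentication for the Docker registry requires
      docker_registry_enable_tls to be true and
      docker_registry_basic_auth_htpasswd_path to be set
  when: docker_registry_enable_basic_auth | bool

# … unchanged: Ensure basic auth htpasswd file exists task …
```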
@ -164,9 +164,6 @@ kolla_docker_registry:
|
||||
# Username to use to access a docker registry.
|
||||
kolla_docker_registry_username:
|
||||
|
||||
# Password to use to access a docker registry.
|
||||
kolla_docker_registry_password:
|
||||
|
||||
# Valid option is Docker repository tag
|
||||
kolla_openstack_release:
|
||||
|
||||
|
@ -58,9 +58,8 @@ kolla_external_fqdn: "{{ kolla_external_fqdn }}"
|
||||
docker_registry: "{{ kolla_docker_registry }}"
|
||||
{% endif %}
|
||||
docker_namespace: "{{ kolla_docker_namespace }}"
|
||||
{% if kolla_docker_registry_username and kolla_docker_registry_password %}
|
||||
{% if kolla_docker_registry_username %}
|
||||
docker_registry_username: "{{ kolla_docker_registry_username }}"
|
||||
docker_registry_password: "{{ kolla_docker_registry_password }}"
|
||||
{% endif %}
|
||||
docker_storage_driver: "{{ docker_storage_driver }}"
|
||||
docker_custom_config: {{ kolla_docker_custom_config | to_nice_json | indent(2) }}
|
||||
|
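Review bot: The new condition `{% if kolla_docker_registry_username %}` emits `docker_registry_username` on the strength of the username alone, where the removed condition also required the password to be set; with the password now taken from passwords.yml, a username configured without `kolla_docker_registry_password` presumably results in a registry login attempt with an empty password instead of a configuration error. Consider validating in Kayobe that the two are set together, or keep the password in the condition, e.g. `{% if kolla_docker_registry_username and kolla_docker_registry_password %}`. The enclosing template runs beyond both edges of this hunk.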
@ -106,7 +106,6 @@
|
||||
kolla_docker_namespace: "fake-namespace"
|
||||
kolla_docker_registry: "fake-registry"
|
||||
kolla_docker_registry_username: "fake-username"
|
||||
kolla_docker_registry_password: "fake-password"
|
||||
kolla_openstack_release: "fake-release"
|
||||
kolla_internal_vip_address: "10.0.0.1"
|
||||
kolla_internal_fqdn: "fake.internal.fqdn"
|
||||
@ -261,7 +260,6 @@
|
||||
docker_namespace: "fake-namespace"
|
||||
docker_registry: "fake-registry"
|
||||
docker_registry_username: "fake-username"
|
||||
docker_registry_password: "fake-password"
|
||||
neutron_plugin_agent: "openvswitch"
|
||||
kolla_enable_tls_external: True
|
||||
kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
|
||||
|
@ -59,6 +59,43 @@ may be encrypted via Ansible Vault.
|
||||
docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem
|
||||
docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem
|
||||
|
||||
Basic authentication
|
||||
--------------------
|
||||
|
||||
It is recommended to enable HTTP basic authentication for the registry. This
|
||||
needs to be done in conjunction with enabling TLS for the registry: `using
|
||||
basic authentication over unencrypted HTTP is not supported
|
||||
<https://docs.docker.com/registry/deploying/#native-basic-auth>`__.
|
||||
|
||||
``docker_registry_enable_basic_auth``
|
||||
Whether to enable basic authentication for the registry. Default is
|
||||
``false``.
|
||||
|
||||
``docker_registry_basic_auth_htpasswd_path``
|
||||
Path to a `htpasswd
|
||||
<https://httpd.apache.org/docs/2.4/programs/htpasswd.html>`__ formatted
|
||||
password store for the registry. Default is none.
|
||||
|
||||
The password store uses a ``htpasswd`` format. The following example shows how
|
||||
to generate a password and add it to the ``kolla`` user in the password store.
|
||||
The password store may be stored with the Kayobe configuration, under
|
||||
``${KAYOBE_CONFIG_PATH}/docker-registry/``. The file may be encrypted via
|
||||
Ansible Vault.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
uuidgen | tr -d '\n' > registry-password
|
||||
cat registry-password | docker run --rm -i --entrypoint htpasswd httpd:latest -niB kolla > $KAYOBE_CONFIG_PATH/docker-registry/htpasswd
|
||||
|
||||
Next we configure Kayobe to enable basic authentication for the registry, and
|
||||
specify the path to the password store.
|
||||
|
||||
.. code-block:: yaml
|
||||
:caption: ``docker-registry.yml``
|
||||
|
||||
docker_registry_enable_basic_auth: true
|
||||
docker_registry_basic_auth_htpasswd_path: "{{ kayobe_config_path }}/docker-registry/htpasswd"
|
||||
|
||||
Using the registry
|
||||
==================
|
||||
|
||||
@ -80,3 +117,15 @@ communicate with it:
|
||||
:caption: ``kolla/globals.yml``
|
||||
|
||||
docker_registry_insecure: false
|
||||
|
||||
Basic authentication
|
||||
--------------------
|
||||
|
||||
If basic authentication is enabled, Kolla Ansible needs to be configured with
|
||||
the username and password.
|
||||
|
||||
.. code-block:: yaml
|
||||
:caption: ``kolla.yml``
|
||||
|
||||
kolla_docker_registry_username: <registry username>
|
||||
kolla_docker_registry_password: <registry password>
|
||||
|
@ -30,6 +30,13 @@
|
||||
# Path to a TLS key to use when TLS is enabled. Default is none.
|
||||
#docker_registry_key_path:
|
||||
|
||||
# Whether to enable basic authentication for the registry. Default is false.
|
||||
#docker_registry_enable_basic_auth:
|
||||
|
||||
# Path to a htpasswd formatted password store for the registry. Default is
|
||||
# none.
|
||||
#docker_registry_basic_auth_htpasswd_path:
|
||||
|
||||
###############################################################################
|
||||
# Dummy variable to allow Ansible to accept this file.
|
||||
workaround_ansible_issue_8743: yes
|
||||
|
@ -0,0 +1,5 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Adds support for deploying a Docker registry with HTTP basic
|
||||
authentication.
|