Docker registry basic auth

Adds support for HTTP basic authentication with the Docker registry. The kolla docker registry password is now written to passwords.yml. Change-Id: Ie6e854a66a6660d4e02771fe2b5dd97af814194d Story: 2007952 Task: 40429
2020-07-01 14:00:14 +00:00 · 2020-07-01 14:00:14 +00:00 · 7b80482ac3
commit 7b80482ac3
parent 54b6b72b67
10 changed files with 103 additions and 11 deletions
--- a/ansible/group_vars/all/docker-registry
+++ b/ansible/group_vars/all/docker-registry
@ -30,3 +30,9 @@ docker_registry_cert_path:

 # Path to a TLS key to use when TLS is enabled.
 docker_registry_key_path:
+
+# Whether to enable basic authentication for the registry.
+docker_registry_enable_basic_auth: false
+
+# Path to a htpasswd formatted password store for the registry.
+docker_registry_basic_auth_htpasswd_path:
--- a/ansible/group_vars/all/kolla
+++ b/ansible/group_vars/all/kolla
@ -496,6 +496,7 @@ kolla_ansible_default_custom_passwords:
  kolla_ssh_key:
    private_key: "{{ lookup('file', ssh_private_key_path) }}"
    public_key: "{{ lookup('file', ssh_public_key_path) }}"
+  docker_registry_password: "{{ kolla_docker_registry_password }}"

 # Dictionary containing custom passwords to add or override in the Kolla
 # passwords file.
--- a/ansible/roles/docker-registry/defaults/main.yml
+++ b/ansible/roles/docker-registry/defaults/main.yml
@ -23,12 +23,22 @@ docker_registry_env_tls:
  REGISTRY_HTTP_TLS_CERTIFICATE: "{{ docker_registry_config_path }}/cert.pem"
  REGISTRY_HTTP_TLS_KEY: "{{ docker_registry_config_path }}/key.pem"

+# Dict of environment variables to provide to the docker registry container
+# when basic authentication is enabled.
+docker_registry_env_basic_auth:
+  REGISTRY_AUTH: htpasswd
+  REGISTRY_AUTH_HTPASSWD_REALM: "Registry realm"
+  REGISTRY_AUTH_HTPASSWD_PATH: "{{ docker_registry_config_path }}/htpasswd"
+
 # Service deployment definition.
 docker_registry_services:
  docker_registry:
    container_name: docker_registry
-    env: "{{ docker_registry_env }}"
-    env: "{{ (docker_registry_env_tls if docker_registry_enable_tls | bool else {}) | combine(docker_registry_env) }}"
+    env: >-
+     {{ {} |
+        combine(docker_registry_env_tls if docker_registry_enable_tls | bool else {}) |
+        combine(docker_registry_env_basic_auth if docker_registry_enable_basic_auth | bool else {}) |
+        combine(docker_registry_env) }}
    enabled: "{{ docker_registry_enabled }}"
    image: "{{ docker_registry_image_full }}"
    ports:
@ -54,6 +64,12 @@ docker_registry_cert_path:
 # Path to a TLS key to use when TLS is enabled.
 docker_registry_key_path:

+# Whether to enable basic authentication for the registry.
+docker_registry_enable_basic_auth: false
+
+# Path to a htpasswd formatted password store for the registry.
+docker_registry_basic_auth_htpasswd_path:
+
 ####################
 # Docker
 ####################
@ -68,7 +84,7 @@ docker_registry_image_full: "{{ docker_registry_image }}:{{ docker_registry_tag
 docker_registry_volumes:
  - "/etc/localtime:/etc/localtime:ro"
  - "{{ docker_registry_datadir_volume }}:/var/lib/registry"
-  - "{% if docker_registry_enable_tls | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"
+  - "{% if docker_registry_enable_tls | bool or docker_registry_enable_basic_auth | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"

 docker_registry_restart_policy: "unless-stopped"
 #docker_registry_restart_retries:
--- a/ansible/roles/docker-registry/tasks/config.yml
+++ b/ansible/roles/docker-registry/tasks/config.yml
@ -7,7 +7,9 @@
    group: "{{ ansible_user_gid }}"
    mode: 0750
  become: True
-  when: docker_registry_enable_tls | bool
+  when: >-
+    docker_registry_enable_tls | bool or
+    docker_registry_enable_basic_auth | bool

 - name: Ensure TLS certificate exists
  copy:
@ -32,3 +34,15 @@
  when: docker_registry_enable_tls | bool
  notify:
    - Restart docker-registry container
+
+- name: Ensure basic auth htpasswd file exists
+  copy:
+    src: "{{ docker_registry_basic_auth_htpasswd_path }}"
+    dest: "{{ docker_registry_config_path }}/htpasswd"
+    owner: "{{ ansible_user_uid }}"
+    group: "{{ ansible_user_gid }}"
+    mode: 0600
+  become: True
+  when: docker_registry_enable_basic_auth | bool
+  notify:
+    - Restart docker-registry container
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@ -164,9 +164,6 @@ kolla_docker_registry:
 # Username to use to access a docker registry.
 kolla_docker_registry_username:

-# Password to use to access a docker registry.
-kolla_docker_registry_password:
-
 # Valid option is Docker repository tag
 kolla_openstack_release:

--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@ -58,9 +58,8 @@ kolla_external_fqdn: "{{ kolla_external_fqdn }}"
 docker_registry: "{{ kolla_docker_registry }}"
 {% endif %}
 docker_namespace: "{{ kolla_docker_namespace }}"
-{% if kolla_docker_registry_username and kolla_docker_registry_password %}
+{% if kolla_docker_registry_username %}
 docker_registry_username: "{{ kolla_docker_registry_username }}"
-docker_registry_password: "{{ kolla_docker_registry_password }}"
 {% endif %}
 docker_storage_driver: "{{ docker_storage_driver }}"
 docker_custom_config: {{ kolla_docker_custom_config | to_nice_json | indent(2) }}
--- a/ansible/roles/kolla-ansible/tests/test-extras.yml
+++ b/ansible/roles/kolla-ansible/tests/test-extras.yml
@ -106,7 +106,6 @@
            kolla_docker_namespace: "fake-namespace"
            kolla_docker_registry: "fake-registry"
            kolla_docker_registry_username: "fake-username"
-            kolla_docker_registry_password: "fake-password"
            kolla_openstack_release: "fake-release"
            kolla_internal_vip_address: "10.0.0.1"
            kolla_internal_fqdn: "fake.internal.fqdn"
@ -261,7 +260,6 @@
              docker_namespace: "fake-namespace"
              docker_registry: "fake-registry"
              docker_registry_username: "fake-username"
-              docker_registry_password: "fake-password"
              neutron_plugin_agent: "openvswitch"
              kolla_enable_tls_external: True
              kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
--- a/doc/source/configuration/reference/docker-registry.rst
+++ b/doc/source/configuration/reference/docker-registry.rst
@ -59,6 +59,43 @@ may be encrypted via Ansible Vault.
   docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem
   docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem

+Basic authentication
+--------------------
+
+It is recommended to enable HTTP basic authentication for the registry. This
+needs to be done in conjunction with enabling TLS for the registry: `using
+basic authentication over unencrypted HTTP is not supported
+<https://docs.docker.com/registry/deploying/#native-basic-auth>`__.
+
+``docker_registry_enable_basic_auth``
+    Whether to enable basic authentication for the registry. Default is
+    ``false``.
+
+``docker_registry_basic_auth_htpasswd_path``
+    Path to a `htpasswd
+    <https://httpd.apache.org/docs/2.4/programs/htpasswd.html>`__ formatted
+    password store for the registry.  Default is none.
+
+The password store uses a ``htpasswd`` format. The following example shows how
+to generate a password and add it to the ``kolla`` user in the password store.
+The password store may be stored with the Kayobe configuration, under
+``${KAYOBE_CONFIG_PATH}/docker-registry/``. The file may be encrypted via
+Ansible Vault.
+
+.. code-block:: console
+
+   uuidgen | tr -d '\n' > registry-password
+   cat registry-password | docker run --rm -i --entrypoint htpasswd httpd:latest -niB kolla > $KAYOBE_CONFIG_PATH/docker-registry/htpasswd
+
+Next we configure Kayobe to enable basic authentication for the registry, and
+specify the path to the password store.
+
+.. code-block:: yaml
+   :caption: ``docker-registry.yml``
+
+   docker_registry_enable_basic_auth: true
+   docker_registry_basic_auth_htpasswd_path: "{{ kayobe_config_path }}/docker-registry/htpasswd"
+
 Using the registry
 ==================

@ -80,3 +117,15 @@ communicate with it:
   :caption: ``kolla/globals.yml``

   docker_registry_insecure: false
+
+Basic authentication
+--------------------
+
+If basic authentication is enabled, Kolla Ansible needs to be configured with
+the username and password.
+
+.. code-block:: yaml
+   :caption: ``kolla.yml``
+
+   kolla_docker_registry_username: <registry username>
+   kolla_docker_registry_password: <registry password>
--- a/etc/kayobe/docker-registry.yml
+++ b/etc/kayobe/docker-registry.yml
@ -30,6 +30,13 @@
 # Path to a TLS key to use when TLS is enabled. Default is none.
 #docker_registry_key_path:

+# Whether to enable basic authentication for the registry. Default is false.
+#docker_registry_enable_basic_auth:
+
+# Path to a htpasswd formatted password store for the registry. Default is
+# none.
+#docker_registry_basic_auth_htpasswd_path:
+
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
--- a/releasenotes/notes/docker-registry-basic-auth-b94b4a66e1ce9095.yaml
+++ b/releasenotes/notes/docker-registry-basic-auth-b94b4a66e1ce9095.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds support for deploying a Docker registry with HTTP basic
+    authentication.