Docker registry basic auth

Adds support for HTTP basic authentication with the Docker registry.

The Kolla Docker registry password is now written to Kolla Ansible's passwords.yml rather than globals.yml.

Change-Id: Ie6e854a66a6660d4e02771fe2b5dd97af814194d
Story: 2007952
Task: 40429
Mark Goddard 2020-07-01 14:00:14 +00:00 committed by Pierre Riteau
parent 54b6b72b67
commit 7b80482ac3
10 changed files with 103 additions and 11 deletions


@ -30,3 +30,9 @@ docker_registry_cert_path:
# Path to a TLS key to use when TLS is enabled.
docker_registry_key_path:
# Whether to enable basic authentication for the registry.
docker_registry_enable_basic_auth: false
# Path to a htpasswd formatted password store for the registry.
docker_registry_basic_auth_htpasswd_path:
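Review bot: The comment on `docker_registry_basic_auth_htpasswd_path` should state which hash format the file must contain, because the upstream registry's htpasswd backend only accepts bcrypt entries (the `-B` in the documented `htpasswd` example is not optional) and a crypt/MD5 file produced by a plain `htpasswd -n user` call would only fail at the first login attempt, with nothing in this role catching it earlier. Suggested comment: `# Path to a htpasswd formatted password store for the registry. Entries must be bcrypt hashed (htpasswd -B); other hash types are rejected by the registry. The file may be Ansible Vault encrypted.` The same wording applies to the two other copies of this default in this change.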


@ -496,6 +496,7 @@ kolla_ansible_default_custom_passwords:
kolla_ssh_key:
private_key: "{{ lookup('file', ssh_private_key_path) }}"
public_key: "{{ lookup('file', ssh_public_key_path) }}"
docker_registry_password: "{{ kolla_docker_registry_password }}"
# Dictionary containing custom passwords to add or override in the Kolla
# passwords file.
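Review bot: `docker_registry_password: "{{ kolla_docker_registry_password }}"` is added unconditionally, so a deployment that does not use basic auth and leaves `kolla_docker_registry_password` unset (the role-level default is dropped elsewhere in this change, and the documented example only sets it alongside a username) writes an empty or null `docker_registry_password` into the Kolla passwords file, and if the variable ends up undefined the whole `kolla_ansible_default_custom_passwords` mapping fails to render. Unless the passwords module is known to drop null values, either guard the entry the way the globals template guards the username (only include it when the value is truthy) or add a comment here stating that the variable defaults to empty and that an empty entry is harmless to Kolla Ansible, e.g. `# Empty when the registry does not use basic auth; Kolla Ansible ignores an empty value`, once that has been confirmed. The enclosing `kolla_ansible_default_custom_passwords` mapping starts before this hunk.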


@ -23,12 +23,22 @@ docker_registry_env_tls:
REGISTRY_HTTP_TLS_CERTIFICATE: "{{ docker_registry_config_path }}/cert.pem"
REGISTRY_HTTP_TLS_KEY: "{{ docker_registry_config_path }}/key.pem"
# Dict of environment variables to provide to the docker registry container
# when basic authentication is enabled.
docker_registry_env_basic_auth:
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: "Registry realm"
REGISTRY_AUTH_HTPASSWD_PATH: "{{ docker_registry_config_path }}/htpasswd"
# Service deployment definition.
docker_registry_services:
docker_registry:
container_name: docker_registry
env: "{{ docker_registry_env }}"
env: "{{ (docker_registry_env_tls if docker_registry_enable_tls | bool else {}) | combine(docker_registry_env) }}"
env: >-
{{ {} |
combine(docker_registry_env_tls if docker_registry_enable_tls | bool else {}) |
combine(docker_registry_env_basic_auth if docker_registry_enable_basic_auth | bool else {}) |
combine(docker_registry_env) }}
enabled: "{{ docker_registry_enabled }}"
image: "{{ docker_registry_image_full }}"
ports:
@ -54,6 +64,12 @@ docker_registry_cert_path:
# Path to a TLS key to use when TLS is enabled.
docker_registry_key_path:
# Whether to enable basic authentication for the registry.
docker_registry_enable_basic_auth: false
# Path to a htpasswd formatted password store for the registry.
docker_registry_basic_auth_htpasswd_path:
####################
# Docker
####################
@ -68,7 +84,7 @@ docker_registry_image_full: "{{ docker_registry_image }}:{{ docker_registry_tag
docker_registry_volumes:
- "/etc/localtime:/etc/localtime:ro"
- "{{ docker_registry_datadir_volume }}:/var/lib/registry"
- "{% if docker_registry_enable_tls | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"
- "{% if docker_registry_enable_tls | bool or docker_registry_enable_basic_auth | bool %}{{ docker_registry_config_path }}:{{ docker_registry_config_path }}:ro{% endif %}"
docker_registry_restart_policy: "unless-stopped"
#docker_registry_restart_retries:
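Review bot: `REGISTRY_AUTH_HTPASSWD_REALM: "Registry realm"` hard-codes the realm inside `docker_registry_env_basic_auth`, so an operator who wants a site-specific realm has to copy the whole dict, including `REGISTRY_AUTH` and the htpasswd path, to change one string. Expose it as its own default, `docker_registry_basic_auth_realm: "Registry realm"`, and reference it with `REGISTRY_AUTH_HTPASSWD_REALM: "{{ docker_registry_basic_auth_realm }}"`. The merge order in `docker_registry_services` already lets `docker_registry_env` override any of these entries, so the change is purely additive and keeps the existing override behaviour.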


@ -7,7 +7,9 @@
group: "{{ ansible_user_gid }}"
mode: 0750
become: True
when: docker_registry_enable_tls | bool
when: >-
docker_registry_enable_tls | bool or
docker_registry_enable_basic_auth | bool
- name: Ensure TLS certificate exists
copy:
@ -32,3 +34,15 @@
when: docker_registry_enable_tls | bool
notify:
- Restart docker-registry container
- name: Ensure basic auth htpasswd file exists
copy:
src: "{{ docker_registry_basic_auth_htpasswd_path }}"
dest: "{{ docker_registry_config_path }}/htpasswd"
owner: "{{ ansible_user_uid }}"
group: "{{ ansible_user_gid }}"
mode: 0600
become: True
when: docker_registry_enable_basic_auth | bool
notify:
- Restart docker-registry container
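Review bot: Nothing in this task file enforces the precondition the documentation states, that basic auth is only supported together with TLS, so `docker_registry_enable_basic_auth: true` with `docker_registry_enable_tls: false` installs the htpasswd file and starts a registry that either sends credentials in cleartext over HTTP or fails at container start with nothing pointing at the cause; likewise an unset `docker_registry_basic_auth_htpasswd_path` (its default is none) only surfaces as an obscure `copy` error. Add an `assert` task ahead of the new "Ensure basic auth htpasswd file exists" task so both misconfigurations fail early with a clear message. As a minor point of style, consider quoting the new mode as `mode: "0600"` so the octal meaning does not depend on YAML integer parsing, though the existing `mode: 0750` above follows the bare form.

```yaml
- name: Ensure basic auth prerequisites are met
  assert:
    that:
      - docker_registry_enable_tls | bool
      - docker_registry_basic_auth_htpasswd_path is defined
      - docker_registry_basic_auth_htpasswd_path
    fail_msg: >-
      docker_registry_enable_basic_auth requires docker_registry_enable_tls to
      be true and docker_registry_basic_auth_htpasswd_path to be set
  when: docker_registry_enable_basic_auth | bool

# … unchanged: Ensure basic auth htpasswd file exists …
```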


@ -164,9 +164,6 @@ kolla_docker_registry:
# Username to use to access a docker registry.
kolla_docker_registry_username:
# Password to use to access a docker registry.
kolla_docker_registry_password:
# Valid option is Docker repository tag
kolla_openstack_release:


@ -58,9 +58,8 @@ kolla_external_fqdn: "{{ kolla_external_fqdn }}"
docker_registry: "{{ kolla_docker_registry }}"
{% endif %}
docker_namespace: "{{ kolla_docker_namespace }}"
{% if kolla_docker_registry_username and kolla_docker_registry_password %}
{% if kolla_docker_registry_username %}
docker_registry_username: "{{ kolla_docker_registry_username }}"
docker_registry_password: "{{ kolla_docker_registry_password }}"
{% endif %}
docker_storage_driver: "{{ docker_storage_driver }}"
docker_custom_config: {{ kolla_docker_custom_config | to_nice_json | indent(2) }}
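Review bot: The template now writes `docker_registry_username` without `docker_registry_password`, and the reason, that Kolla Ansible reads the password from passwords.yml via `kolla_ansible_default_custom_passwords`, is stated only in the commit message, so a reader of the template will assume the password line was dropped by mistake. Add a Jinja comment above the block: `{# docker_registry_password is supplied via passwords.yml, not globals.yml #}`. Since the condition is now on the username alone, an operator who sets `kolla_docker_registry_username` but leaves the password empty will presumably have Kolla Ansible attempt a registry login with an empty password; confirm that this fails loudly rather than silently skipping authentication, and say so in the comment if it does.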


@ -106,7 +106,6 @@
kolla_docker_namespace: "fake-namespace"
kolla_docker_registry: "fake-registry"
kolla_docker_registry_username: "fake-username"
kolla_docker_registry_password: "fake-password"
kolla_openstack_release: "fake-release"
kolla_internal_vip_address: "10.0.0.1"
kolla_internal_fqdn: "fake.internal.fqdn"
@ -261,7 +260,6 @@
docker_namespace: "fake-namespace"
docker_registry: "fake-registry"
docker_registry_username: "fake-username"
docker_registry_password: "fake-password"
neutron_plugin_agent: "openvswitch"
kolla_enable_tls_external: True
kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"


@ -59,6 +59,43 @@ may be encrypted via Ansible Vault.
docker_registry_cert_path: "{{ kayobe_config_path }}/docker-registry/cert.pem
docker_registry_key_path: "{{ kayobe_config_path }}/docker-registry/key.pem
Basic authentication
--------------------
It is recommended to enable HTTP basic authentication for the registry. This
needs to be done in conjunction with enabling TLS for the registry: `using
basic authentication over unencrypted HTTP is not supported
<https://docs.docker.com/registry/deploying/#native-basic-auth>`__.
``docker_registry_enable_basic_auth``
Whether to enable basic authentication for the registry. Default is
``false``.
``docker_registry_basic_auth_htpasswd_path``
Path to a `htpasswd
<https://httpd.apache.org/docs/2.4/programs/htpasswd.html>`__ formatted
password store for the registry. Default is none.
The password store uses a ``htpasswd`` format. The following example shows how
to generate a password and add it to the ``kolla`` user in the password store.
The password store may be stored with the Kayobe configuration, under
``${KAYOBE_CONFIG_PATH}/docker-registry/``. The file may be encrypted via
Ansible Vault.
.. code-block:: console
uuidgen | tr -d '\n' > registry-password
cat registry-password | docker run --rm -i --entrypoint htpasswd httpd:latest -niB kolla > $KAYOBE_CONFIG_PATH/docker-registry/htpasswd
Next we configure Kayobe to enable basic authentication for the registry, and
specify the path to the password store.
.. code-block:: yaml
:caption: ``docker-registry.yml``
docker_registry_enable_basic_auth: true
docker_registry_basic_auth_htpasswd_path: "{{ kayobe_config_path }}/docker-registry/htpasswd"
Using the registry
==================
@ -80,3 +117,15 @@ communicate with it:
:caption: ``kolla/globals.yml``
docker_registry_insecure: false
Basic authentication
--------------------
If basic authentication is enabled, Kolla Ansible needs to be configured with
the username and password.
.. code-block:: yaml
:caption: ``kolla.yml``
kolla_docker_registry_username: <registry username>
kolla_docker_registry_password: <registry password>


@ -30,6 +30,13 @@
# Path to a TLS key to use when TLS is enabled. Default is none.
#docker_registry_key_path:
# Whether to enable basic authentication for the registry. Default is false.
#docker_registry_enable_basic_auth:
# Path to a htpasswd formatted password store for the registry. Default is
# none.
#docker_registry_basic_auth_htpasswd_path:
###############################################################################
# Dummy variable to allow Ansible to accept this file.
workaround_ansible_issue_8743: yes


@ -0,0 +1,5 @@
---
features:
- |
Adds support for deploying a Docker registry with HTTP basic
authentication.