Add container engine authentication support

We need to be able to run a docker or podman login during the deployment if the overcloud needs to pull images from an auth required container registry when deploying with docker. Add ContainerImageRegistryLogin as a flag to use ContainerImageRegistryCredentials to perform docker or podman logins when deploying. Closes-Bug: #1833584 Change-Id: I98a527f363056767fea45ab4828ae61c01de20ca (cherry picked from commit ea37ee6638)
2019-06-20 11:01:41 -06:00 · 2019-06-20 11:01:41 -06:00 · 169f4ac837
parent 09a1215c4f
commit 169f4ac837
3 changed files with 62 additions and 0 deletions
--- a/deployment/deprecated/docker/docker-baremetal-ansible.yaml
+++ b/deployment/deprecated/docker/docker-baremetal-ansible.yaml
@ -74,6 +74,23 @@ parameters:
    description: Flag to disable docker reconfiguration during stack update.
    tags:
      - role_specific
+  ContainerImageRegistryLogin:
+    type: boolean
+    default: false
+    description: Flag to enable container registry login actions during the deployment.
+                 Setting this to true will cause login calls to be performed during the
+                 deployment.
+  ContainerImageRegistryCredentials:
+    type: json
+    hidden: true
+    default: {}
+    description: |
+      Mapping of image registry hosts to login credentials. Must be in the following example format
+
+        docker.io:
+          username: pa55word
+        '192.0.2.1:8787':
+          registry_username: password
  SELinuxMode:
    default: 'enforcing'
    description: Configures SELinux mode
@ -143,9 +160,15 @@ outputs:
                  - selinux_enforcing
                  - true
                  - false
+              container_registry_login: {get_param: ContainerImageRegistryLogin}
+              container_registry_logins: {get_param: ContainerImageRegistryCredentials}
          - include_role:
              name: container-registry
              tasks_from: docker
+          - include_role:
+              name: container-registry
+              tasks_from: docker-login
+            when: container_registry_login|bool
      service_config_settings:
        neutron_l3:
          docker_additional_sockets: {get_param: DockerAdditionalSockets}
--- a/deployment/podman/podman-baremetal-ansible.yaml
+++ b/deployment/podman/podman-baremetal-ansible.yaml
@ -36,6 +36,23 @@ parameters:
    default: {}
    description: Parameters specific to the role
    type: json
+  ContainerImageRegistryLogin:
+    type: boolean
+    default: false
+    description: Flag to enable container registry login actions during the deployment.
+                 Setting this to true will cause login calls to be performed during the
+                 deployment.
+  ContainerImageRegistryCredentials:
+    type: json
+    hidden: true
+    default: {}
+    description: |
+      Mapping of image registry hosts to login credentials. Must be in the following example format
+
+        docker.io:
+          username: pa55word
+        '192.0.2.1:8787':
+          registry_username: password

 conditions:
  insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
@ -56,6 +73,8 @@ outputs:
                  - insecure_registry_is_empty
                  - []
                  - {get_param: DockerInsecureRegistryAddress}
+              container_registry_login: {get_param: ContainerImageRegistryLogin}
+              container_registry_logins: {get_param: ContainerImageRegistryCredentials}
          - name: ensure podman and deps are installed
            package:
              name: podman
@ -76,6 +95,16 @@ outputs:
              option: registries
              value: "{{ container_registry_insecure_registries }}"
            when: container_registry_insecure_registries | length > 0
+          - name: Perform container registry login(s)
+            shell: podman login --username=$REGISTRY_USERNAME --password=$REGISTRY_PASSWORD $REGISTRY
+            environment:
+              REGISTRY_USERNAME: "{{ lookup('dict', item.value).key }}"
+              REGISTRY_PASSWORD: "{{ lookup('dict', item.value).value }}"
+              REGISTRY: "{{ item.key }}"
+            loop: "{{ lookup('dict', container_registry_logins) }}"
+            when:
+              - container_registry_login | bool
+              - container_registry_logins | length > 0
      service_config_settings: {}
      upgrade_tasks:
        - block:
--- a/releasenotes/notes/add-container-registry-login-08d6a87586c84a99.yaml
+++ b/releasenotes/notes/add-container-registry-login-08d6a87586c84a99.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - |
+    `ContainerImageRegistryLogin` has been added to indicate if login calls
+    should be issued by the container engine on deployment. The default is
+    set to `false`.
+  - |
+    Values specified in `ContainerImageRegistryCredentials` will now be used to
+    issue a login call when deploying the container engine on the hosts if
+    `ContainerImageRegistryLogin` is set to `true`