Add container engine authentication support
We need to be able to run a docker or podman login during the deployment if the overcloud needs to pull images from an auth required container registry when deploying with docker. Add ContainerImageRegistryLogin as a flag to use ContainerImageRegistryCredentials to perform docker or podman logins when deploying. Closes-Bug: #1833584 Change-Id: I98a527f363056767fea45ab4828ae61c01de20ca Depends-On: https://review.opendev.org/#/c/666644/
This commit is contained in:
parent
6bf7195245
commit
ea37ee6638
@ -74,6 +74,23 @@ parameters:
|
||||
description: Flag to disable docker reconfiguration during stack update.
|
||||
tags:
|
||||
- role_specific
|
||||
ContainerImageRegistryLogin:
|
||||
type: boolean
|
||||
default: false
|
||||
description: Flag to enable container registry login actions during the deployment.
|
||||
Setting this to true will cause login calls to be performed during the
|
||||
deployment.
|
||||
ContainerImageRegistryCredentials:
|
||||
type: json
|
||||
hidden: true
|
||||
default: {}
|
||||
description: |
|
||||
Mapping of image registry hosts to login credentials. Must be in the following example format
|
||||
|
||||
docker.io:
|
||||
username: pa55word
|
||||
'192.0.2.1:8787':
|
||||
registry_username: password
|
||||
SELinuxMode:
|
||||
default: 'enforcing'
|
||||
description: Configures SELinux mode
|
||||
@ -143,9 +160,15 @@ outputs:
|
||||
- selinux_enforcing
|
||||
- true
|
||||
- false
|
||||
container_registry_login: {get_param: ContainerImageRegistryLogin}
|
||||
container_registry_logins: {get_param: ContainerImageRegistryCredentials}
|
||||
- include_role:
|
||||
name: container-registry
|
||||
tasks_from: docker
|
||||
- include_role:
|
||||
name: container-registry
|
||||
tasks_from: docker-login
|
||||
when: container_registry_login|bool
|
||||
service_config_settings:
|
||||
neutron_l3:
|
||||
docker_additional_sockets: {get_param: DockerAdditionalSockets}
|
||||
|
@ -36,6 +36,23 @@ parameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
ContainerImageRegistryLogin:
|
||||
type: boolean
|
||||
default: false
|
||||
description: Flag to enable container registry login actions during the deployment.
|
||||
Setting this to true will cause login calls to be performed during the
|
||||
deployment.
|
||||
ContainerImageRegistryCredentials:
|
||||
type: json
|
||||
hidden: true
|
||||
default: {}
|
||||
description: |
|
||||
Mapping of image registry hosts to login credentials. Must be in the following example format
|
||||
|
||||
docker.io:
|
||||
username: pa55word
|
||||
'192.0.2.1:8787':
|
||||
registry_username: password
|
||||
|
||||
conditions:
|
||||
insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
|
||||
@ -56,6 +73,8 @@ outputs:
|
||||
- insecure_registry_is_empty
|
||||
- []
|
||||
- {get_param: DockerInsecureRegistryAddress}
|
||||
container_registry_login: {get_param: ContainerImageRegistryLogin}
|
||||
container_registry_logins: {get_param: ContainerImageRegistryCredentials}
|
||||
- name: ensure podman and deps are installed
|
||||
package:
|
||||
name: podman
|
||||
@ -76,6 +95,16 @@ outputs:
|
||||
option: registries
|
||||
value: "{{ container_registry_insecure_registries }}"
|
||||
when: container_registry_insecure_registries | length > 0
|
||||
- name: Perform container registry login(s)
|
||||
shell: podman login --username=$REGISTRY_USERNAME --password=$REGISTRY_PASSWORD $REGISTRY
|
||||
environment:
|
||||
REGISTRY_USERNAME: "{{ lookup('dict', item.value).key }}"
|
||||
REGISTRY_PASSWORD: "{{ lookup('dict', item.value).value }}"
|
||||
REGISTRY: "{{ item.key }}"
|
||||
loop: "{{ lookup('dict', container_registry_logins) }}"
|
||||
when:
|
||||
- container_registry_login | bool
|
||||
- container_registry_logins | length > 0
|
||||
service_config_settings: {}
|
||||
upgrade_tasks:
|
||||
- block:
|
||||
|
@ -0,0 +1,10 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
`ContainerImageRegistryLogin` has been added to indicate if login calls
|
||||
should be issued by the container engine on deployment. The default is
|
||||
set to `false`.
|
||||
- |
|
||||
Values specified in `ContainerImageRegistryCredentials` will now be used to
|
||||
issue a login call when deploying the container engine on the hosts if
|
||||
`ContainerImageRegistryLogin` is set to `true`
|
Loading…
x
Reference in New Issue
Block a user