Merge "Refactor bringup_local_registry.yml"

playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml

@@ -1,183 +1,15 @@
 ---
 #
-# Copyright (c) 2019-2021 Wind River Systems, Inc.
+# Copyright (c) 2019-2022 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 # SUB-TASKS DESCRIPTION:
 #   Bring up local registry
-#   - Create daemon.json for insecure registries if applicable
-#   - Prepare config files for local registry
-#   - Prepare config file for registry token server
 #   - Set up docker registry certificate and keys required
 #   - Start registry token server
 #   - Start local registry
 
-- name: Set insecure registries
-  set_fact:
-    insecure_registries:
-      "{{ (insecure_registries|default([]) + [item.url|regex_replace('/.*', '')]) | unique }}"
-  with_items:
-    - "{{ docker_registry }}"
-    - "{{ gcr_registry }}"
-    - "{{ k8s_registry }}"
-    - "{{ quay_registry }}"
-    - "{{ elastic_registry }}"
-    - "{{ ghcr_registry }}"
-  when: (item.secure is defined and not item.secure)
-  no_log: true
-
-- block:
-  - name: Create daemon.json file for insecure registry
-    copy:
-      src: "{{ insecure_docker_registry_template }}"
-      dest: /etc/docker/daemon.json
-      remote_src: yes
-      mode: 0644
-
-  - name: Update daemon.json with registry IP
-    command: "sed -i -e 's|<%= @insecure_registries %>|$INSECURE_REGISTRIES|g' /etc/docker/daemon.json"
-    args:
-      warn: false
-    environment:
-      INSECURE_REGISTRIES: "{{ insecure_registries | to_json }}"
-
-  - name: Restart docker
-    systemd:
-      name: docker
-      state: restarted
-  when: (insecure_registries is defined and
-        insecure_registries | length > 0)
-
-- name: Create containerd config file directory
-  file:
-    path: /etc/containerd
-    state: directory
-    mode: 0700
-
-- name: Determine the stream_server_address for containerd
-  set_fact:
-    stream_server_address: "{{ '127.0.0.1' if ipv6_addressing == False else '::1' }}"
-
-- name: Get guest local registry credentials
-  vars:
-    script_content: |
-      import keyring
-      password = keyring.get_password("mtce", "services")
-      if not password:
-          raise Exception("Local registry password not found.")
-      print(dict(username='mtce', password=str(password)))
-  shell: "{{ script_content }}"
-  args:
-    executable: /usr/bin/python
-  register: guest_local_registry_credentials_output
-
-- set_fact:
-    guest_local_registry_credentials: "{{ guest_local_registry_credentials_output.stdout }}"
-
-- name: Determine the registry_auth for containerd
-  set_fact:
-    registry_auth: "{{ (guest_local_registry_credentials['username'] + ':'
-    + guest_local_registry_credentials['password']) | b64encode }}"
-
-- name: Create config.toml file for containerd configuration
-  template:
-    src: "config.toml.j2"
-    dest: /etc/containerd/config.toml
-    mode: 0600
-
-- name: Remove puppet template for insecure registries
-  replace:
-    path: /etc/containerd/config.toml
-    after: '# Begin of insecure registries'
-    regexp: '^(<%- @insecure_registries.+)\n(.+)\n(.+)\n(.+end -%>)'
-    replace: ''
-
-- name: Update config.toml with insecure registries
-  blockinfile:
-    path: /etc/containerd/config.toml
-    insertafter: '# Begin of insecure registries'
-    marker: "        # {{ item }}"
-    block: |2
-              [plugins.cri.registry.mirrors."{{ item }}"]
-                endpoint = ["http://{{ item }}"]
-  loop:
-    "{{ insecure_registries }}"
-  when: (insecure_registries is defined and
-        insecure_registries | length > 0)
-
-- name: Get local registry credentials
-  vars:
-    script_content: |
-      import keyring
-      password = keyring.get_password("sysinv", "services")
-      if not password:
-          raise Exception("Local registry password not found.")
-      print(dict(username='sysinv', password=str(password)))
-  shell: "{{ script_content }}"
-  args:
-    executable: /usr/bin/python
-  register: local_registry_credentials_output
-
-- set_fact:
-    local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
-
-- name: Restart containerd
-  systemd:
-    name: containerd
-    state: restarted
-
-- name: Generate local registry runtime config file from template
-  copy:
-    src: "{{ registry_config_template }}"
-    dest: "{{ registry_runtime_config_file }}"
-    remote_src: yes
-    mode: 0644
-
-- name: Generate local registry readonly config file from template
-  copy:
-    src: "{{ registry_config_template }}"
-    dest: "{{ registry_readonly_config_file }}"
-    remote_src: yes
-    mode: 0644
-
-- name: Update local registry config files
-  command: "{{ item }}"
-  args:
-    warn: false
-  with_items:
-    - "sed -i -e 's|<%= @registry_readonly %>|'false'|g' {{ registry_runtime_config_file }}"
-    - "sed -i -e 's|<%= @registry_readonly %>|'true'|g' {{ registry_readonly_config_file }}"
-    - "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_runtime_config_file }}"
-    - "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_readonly_config_file }}"
-    - "sed -i -e 's|<%= @docker_realm_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_runtime_config_file }}"
-    - "sed -i -e 's|<%= @docker_realm_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_readonly_config_file }}"
-  environment:
-    DOCKER_REGISTRY_HOST: "{{ controller_floating_address_url }}"
-
-- name: Create symlink from local registry runtime config file
-  command: ln -fs {{ registry_runtime_config_file }} {{ registry_config_file }}
-  args:
-    warn: false
-
-- name: Generate local registry token server config file from template
-  copy:
-    src: "{{ registry_token_server_template }}"
-    dest: "{{ registry_token_server_file }}"
-    remote_src: yes
-    mode: 0644
-
-- name: Update local registry token server file
-  command: "{{ item }}"
-  args:
-    warn: false
-  with_items:
-    - "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_token_server_file }}"
-    - "sed -i -e 's|<%= @registry_ks_endpoint %>|'$REGISTRY_KS_ENDPOINT'|g' {{ registry_token_server_file }}"
-  environment:
-    DOCKER_REGISTRY_HOST: "{{ controller_floating_address_url }}"
-    REGISTRY_KS_ENDPOINT: "http://{{ controller_floating_address_url }}:5000/v3"
-
 - block:
   - name: Set network info for docker registry
     set_fact:

playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/configure_containerd.yml

@@ -0,0 +1,86 @@
+---
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# SUB-TASKS DESCRIPTION:
+#   Configure containerd to use local registry
+
+- name: Create containerd config file directory
+  file:
+    path: /etc/containerd
+    state: directory
+    mode: 0700
+
+- name: Determine the stream_server_address for containerd
+  set_fact:
+    stream_server_address: "{{ '127.0.0.1' if ipv6_addressing == False else '::1' }}"
+
+- name: Get guest local registry credentials
+  vars:
+    script_content: |
+      import keyring
+      password = keyring.get_password("mtce", "services")
+      if not password:
+          raise Exception("Local registry password not found.")
+      print(dict(username='mtce', password=str(password)))
+  shell: "{{ script_content }}"
+  args:
+    executable: /usr/bin/python
+  register: guest_local_registry_credentials_output
+
+- set_fact:
+    guest_local_registry_credentials: "{{ guest_local_registry_credentials_output.stdout }}"
+
+- name: Determine the registry_auth for containerd
+  set_fact:
+    registry_auth: "{{ (guest_local_registry_credentials['username'] + ':'
+    + guest_local_registry_credentials['password']) | b64encode }}"
+
+- name: Create config.toml file for containerd configuration
+  template:
+    src: "config.toml.j2"
+    dest: /etc/containerd/config.toml
+    mode: 0600
+
+- name: Remove puppet template for insecure registries
+  replace:
+    path: /etc/containerd/config.toml
+    after: '# Begin of insecure registries'
+    regexp: '^(<%- @insecure_registries.+)\n(.+)\n(.+)\n(.+end -%>)'
+    replace: ''
+
+- name: Update config.toml with insecure registries
+  blockinfile:
+    path: /etc/containerd/config.toml
+    insertafter: '# Begin of insecure registries'
+    marker: "        # {{ item }}"
+    block: |2
+              [plugins.cri.registry.mirrors."{{ item }}"]
+                endpoint = ["http://{{ item }}"]
+  loop:
+    "{{ insecure_registries }}"
+  when: (insecure_registries is defined and
+        insecure_registries | length > 0)
+
+- name: Get local registry credentials
+  vars:
+    script_content: |
+      import keyring
+      password = keyring.get_password("sysinv", "services")
+      if not password:
+          raise Exception("Local registry password not found.")
+      print(dict(username='sysinv', password=str(password)))
+  shell: "{{ script_content }}"
+  args:
+    executable: /usr/bin/python
+  register: local_registry_credentials_output
+
+- set_fact:
+    local_registry_credentials: "{{ local_registry_credentials_output.stdout }}"
+
+- name: Restart containerd
+  systemd:
+    name: containerd
+    state: restarted

playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/configure_dockerd.yml

@@ -0,0 +1,31 @@
+---
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# SUB-TASKS DESCRIPTION:
+#   Configure dockerd to use the local registry
+
+- name: Configure docker's daemon.json to use local registry
+  block:
+    - name: Create daemon.json file for insecure registry
+      copy:
+        src: "{{ insecure_docker_registry_template }}"
+        dest: /etc/docker/daemon.json
+        remote_src: yes
+        mode: 0644
+
+    - name: Update daemon.json with registry IP
+      command: "sed -i -e 's|<%= @insecure_registries %>|$INSECURE_REGISTRIES|g' /etc/docker/daemon.json"
+      args:
+        warn: false
+      environment:
+        INSECURE_REGISTRIES: "{{ insecure_registries | to_json }}"
+
+    - name: Restart docker
+      systemd:
+        name: docker
+        state: restarted
+  when: (insecure_registries is defined and
+        insecure_registries | length > 0)

playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/configure_local_registry.yml

@@ -0,0 +1,61 @@
+---
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# SUB-TASKS DESCRIPTION:
+#   Configure local registry
+#   - Prepare config files for local registry
+#   - Prepare config file for registry token server
+
+- name: Generate local registry runtime config file from template
+  copy:
+    src: "{{ registry_config_template }}"
+    dest: "{{ registry_runtime_config_file }}"
+    remote_src: yes
+    mode: 0644
+
+- name: Generate local registry readonly config file from template
+  copy:
+    src: "{{ registry_config_template }}"
+    dest: "{{ registry_readonly_config_file }}"
+    remote_src: yes
+    mode: 0644
+
+- name: Update local registry config files
+  command: "{{ item }}"
+  args:
+    warn: false
+  with_items:
+    - "sed -i -e 's|<%= @registry_readonly %>|'false'|g' {{ registry_runtime_config_file }}"
+    - "sed -i -e 's|<%= @registry_readonly %>|'true'|g' {{ registry_readonly_config_file }}"
+    - "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_runtime_config_file }}"
+    - "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_readonly_config_file }}"
+    - "sed -i -e 's|<%= @docker_realm_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_runtime_config_file }}"
+    - "sed -i -e 's|<%= @docker_realm_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_readonly_config_file }}"
+  environment:
+    DOCKER_REGISTRY_HOST: "{{ controller_floating_address_url }}"
+
+- name: Create symlink from local registry runtime config file
+  command: ln -fs {{ registry_runtime_config_file }} {{ registry_config_file }}
+  args:
+    warn: false
+
+- name: Generate local registry token server config file from template
+  copy:
+    src: "{{ registry_token_server_template }}"
+    dest: "{{ registry_token_server_file }}"
+    remote_src: yes
+    mode: 0644
+
+- name: Update local registry token server file
+  command: "{{ item }}"
+  args:
+    warn: false
+  with_items:
+    - "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_token_server_file }}"
+    - "sed -i -e 's|<%= @registry_ks_endpoint %>|'$REGISTRY_KS_ENDPOINT'|g' {{ registry_token_server_file }}"
+  environment:
+    DOCKER_REGISTRY_HOST: "{{ controller_floating_address_url }}"
+    REGISTRY_KS_ENDPOINT: "http://{{ controller_floating_address_url }}:5000/v3"

playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/main.yml

@@ -50,15 +50,38 @@
     include_tasks: copy_central_registry_cert.yml
     when: distributed_cloud_role == 'subcloud'
 
+  - name: Set insecure registries
+    set_fact:
+      insecure_registries:
+        "{{ (insecure_registries|default([]) + [item.url|regex_replace('/.*', '')]) | unique }}"
+    with_items:
+      - "{{ docker_registry }}"
+      - "{{ gcr_registry }}"
+      - "{{ k8s_registry }}"
+      - "{{ quay_registry }}"
+      - "{{ elastic_registry }}"
+      - "{{ ghcr_registry }}"
+    when: (item.secure is defined and not item.secure)
+    no_log: true
+
   - name: Load images from archives if configured
     include: load_images_from_archive.yml input_archive={{ item.path }}
     with_items: "{{ images_archive_files }}"
     when: images_archive_exists
 
+  - name: Configure local docker registry
+    import_tasks: configure_local_registry.yml
+
   - name: Bring up local docker registry
     import_tasks: bringup_local_registry.yml
 
-  - name: Push images to local docker registry
+  - name: Configure dockerd to use local registry
+    import_tasks: configure_dockerd.yml
+
+  - name: Configure containerd to use local registry
+    import_tasks: configure_containerd.yml
+
+  - name: Populate local image registry
     import_role:
       name: common/push-docker-images