starlingx
/
ansible-playbooks
Code Issues Proposed changes
ansible-playbooks/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml

254 lines
7.8 KiB
YAML
Raw Blame History

---
#
# Copyright (c) 2019 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# Bring up local registry
# - Create daemon.json for insecure registries if applicable
# - Prepare config files for local registry
# - Prepare config file for registry token server
# - Set up docker registry certificate and keys required
# - Start registry token server
# - Start local registry
- name: Set insecure registries
set_fact:
insecure_registries:
"{{ (insecure_registries|default([]) + [item.url|regex_replace('/.*', '')]) | unique }}"
with_items:
- "{{ docker_registry }}"
- "{{ gcr_registry }}"
- "{{ k8s_registry }}"
- "{{ quay_registry }}"
- "{{ elastic_registry }}"
when: (item.secure is defined and not item.secure)
no_log: true
- block:
- name: Create daemon.json file for insecure registry
copy:
src: "{{ insecure_docker_registry_template }}"
dest: /etc/docker/daemon.json
remote_src: yes
mode: 0644
- name: Update daemon.json with registry IP
command: "sed -i -e 's|<%= @insecure_registries %>|$INSECURE_REGISTRIES|g' /etc/docker/daemon.json"
args:
warn: false
environment:
INSECURE_REGISTRIES: "{{ insecure_registries | to_json }}"
- name: Restart docker
systemd:
name: docker
state: restarted
when: (insecure_registries is defined and
insecure_registries | length > 0)
- name: Create containerd config file directory
file:
path: /etc/containerd
state: directory
mode: 0700
- name: Create config.toml file for containerd configuration
copy:
src: "{{ containerd_template }}"
dest: /etc/containerd/config.toml
remote_src: yes
mode: 0600
- name: Remove puppet template for insecure registries
replace:
path: /etc/containerd/config.toml
after: '# Begin of insecure registries'
regexp: '^(<%- @insecure_registries.+)\n(.+)\n(.+)\n(.+end -%>)'
replace: ''
- name: Update config.toml with insecure registries
blockinfile:
path: /etc/containerd/config.toml
insertafter: '# Begin of insecure registries'
marker: " # {{ item }}"
block: |2
[plugins.cri.registry.mirrors."{{ item }}"]
endpoint = ["http://{{ item }}"]
loop:
"{{ insecure_registries }}"
when: (insecure_registries is defined and
insecure_registries | length > 0)
- name: Update config.toml with cni bin dir
command: "sed -i -e 's|<%= @k8s_cni_bin_dir %>|$CNI_BIN_DIR|g' /etc/containerd/config.toml"
args:
warn: false
environment:
CNI_BIN_DIR: "{{ kubelet_cni_bin_dir }}"
- name: Restart containerd
systemd:
name: containerd
state: restarted
- name: Generate local registry runtime config file from template
copy:
src: "{{ registry_config_template }}"
dest: "{{ registry_runtime_config_file }}"
remote_src: yes
mode: 0644
- name: Generate local registry readonly config file from template
copy:
src: "{{ registry_config_template }}"
dest: "{{ registry_readonly_config_file }}"
remote_src: yes
mode: 0644
- name: Update local registry config files
command: "{{ item }}"
args:
warn: false
with_items:
- "sed -i -e 's|<%= @registry_readonly %>|'false'|g' {{ registry_runtime_config_file }}"
- "sed -i -e 's|<%= @registry_readonly %>|'true'|g' {{ registry_readonly_config_file }}"
- "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_runtime_config_file }}"
- "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_readonly_config_file }}"
- "sed -i -e 's|<%= @docker_realm_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_runtime_config_file }}"
- "sed -i -e 's|<%= @docker_realm_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_readonly_config_file }}"
environment:
DOCKER_REGISTRY_HOST: "{{ controller_floating_address_url }}"
- name: Create symlink from local registry runtime config file
command: ln -fs {{ registry_runtime_config_file }} {{ registry_config_file }}
args:
warn: false
- name: Generate local registry token server config file from template
copy:
src: "{{ registry_token_server_template }}"
dest: "{{ registry_token_server_file }}"
remote_src: yes
mode: 0644
- name: Update local registry token server file
command: "{{ item }}"
args:
warn: false
with_items:
- "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_token_server_file }}"
- "sed -i -e 's|<%= @registry_ks_endpoint %>|'$REGISTRY_KS_ENDPOINT'|g' {{ registry_token_server_file }}"
environment:
DOCKER_REGISTRY_HOST: "{{ controller_floating_address_url }}"
REGISTRY_KS_ENDPOINT: "http://{{ controller_floating_address_url }}:5000/v3"
- block:
- name: Generate cnf file from template
copy:
src: "{{ cert_cnf_template }}"
dest: "{{ cert_cnf_file }}"
remote_src: yes
- name: Update cnf file with network info
command: "{{ item }}"
args:
warn: false
with_items:
- "sed -i -e 's|<%= @docker_registry_ip %>|'$DOCKER_REGISTRY_IP'|g' {{ cert_cnf_file }}"
- "sed -i -e 's|<%= @docker_registry_public_ip %>|'$DOCKER_REGISTRY_PUBLIC_IP'|g' {{ cert_cnf_file }}"
environment:
DOCKER_REGISTRY_IP: "{{ controller_floating_address }}"
DOCKER_REGISTRY_PUBLIC_IP: "{{ external_oam_floating_address }}"
- name: Generate certificate and key files
command: >-
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout {{ registry_cert_key }}
-out {{ registry_cert_crt }} -config {{ cert_cnf_file }}
- name: Generate pkcs1 key file
command: openssl rsa -in {{ registry_cert_key }} -out {{ registry_cert_pkcs1_key }}
- name: Remove extfile used in certificate generation
file:
path: "{{ cert_cnf_file }}"
state: absent
- name: Set certificate file and key permissions to root read-only
file:
path: "{{ item }}"
mode: 0400
with_items:
- "{{ registry_cert_key }}"
- "{{ registry_cert_crt }}"
- "{{ registry_cert_pkcs1_key }}"
when: mode == 'bootstrap'
- block:
- name: Restore certificate and key files
command: >-
tar -C /etc/ssl/private -xpf {{ target_backup_dir }}/{{ backup_filename }} --transform='s,.*/,,'
'etc/ssl/private/*cert*'
args:
warn: false
- name: Check if {{ server_cert_pem }} exists
stat: path="{{ server_cert_pem }}"
register: server_cert_pem_stat
- name: Copy {{ server_cert_pem }} to shared filesystem for mate
copy:
src: "{{ server_cert_pem }}"
dest: "{{ config_permdir }}"
remote_src: yes
mode: preserve
when: server_cert_pem_stat.stat.exists
when: mode == 'restore'
- name: Copy certificate and keys to shared filesystem for mate
copy:
src: "{{ item }}"
dest: "{{ config_permdir }}"
remote_src: yes
mode: preserve
with_items:
- "{{ registry_cert_key }}"
- "{{ registry_cert_crt }}"
- "{{ registry_cert_pkcs1_key }}"
- name: Create docker certificate directory
file:
path: "{{ docker_cert_dir }}/registry.local:9001"
state: directory
recurse: yes
mode: 0700
- name: Copy certificate file to docker certificate directory
copy:
src: "{{ registry_cert_crt }}"
dest: "{{ docker_cert_dir }}/registry.local:9001"
remote_src: yes
- name: Start registry token server
systemd:
name: registry-token-server
state: restarted
- name: Start docker registry
systemd:
name: docker-distribution
state: restarted
- name: Update /etc/hosts with local registry host
command: >-
sed -i -e 's|'$CONTROLLER_ADDRESS'\t'$CONTROLLER'|'$CONTROLLER_ADDRESS'\t'$CONTROLLER'\t'$LOCAL_REGISTRY'|g' /etc/hosts
args:
warn: false
environment:
CONTROLLER_ADDRESS: "{{ controller_floating_address }}"
CONTROLLER: "controller"
LOCAL_REGISTRY: "registry.local"
View Git Blame Copy Permalink