---
#
# Copyright (c) 2019 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# Bring up local registry
# - Create daemon.json for insecure registries if applicable
# - Prepare config files for local registry
# - Prepare config file for registry token server
# - Set up the docker registry certificate and keys required
#   (generated when mode == 'bootstrap', restored from backup when mode == 'restore')
# - Start registry token server
# - Start local registry
#
# Collect the authority (host[:port]) of every configured upstream registry
# that is explicitly flagged as insecure (item.secure == false).  Everything
# from the first "/" of item.url onwards is dropped and duplicates removed.
# no_log keeps the registry definitions -- which may carry credentials next
# to url/secure -- out of the play output.
# NOTE(review): if a url value ever carries a scheme ("https://host"), the
# regex_replace('/.*', '') would reduce it to "https:"; confirm that the
# registry url values are bare host[:port][/path].
- name: Set insecure registries
  set_fact:
    insecure_registries:
      "{{ (insecure_registries|default([]) + [item.url|regex_replace('/.*', '')]) | unique }}"
  loop:
    - "{{ docker_registry }}"
    - "{{ gcr_registry }}"
    - "{{ k8s_registry }}"
    - "{{ quay_registry }}"
    - "{{ elastic_registry }}"
  when: item.secure is defined and not item.secure
  no_log: true
# Docker daemon configuration for insecure (plain HTTP / untrusted TLS)
# upstream registries.  Runs only when the previous task collected at least
# one such registry: render /etc/docker/daemon.json from the template, swap
# the "<%= @insecure_registries %>" placeholder for the JSON list, and
# restart docker so the new daemon.json takes effect.
- block:
    - name: Create daemon.json file for insecure registry
      copy:
        src: "{{ insecure_docker_registry_template }}"
        dest: /etc/docker/daemon.json
        remote_src: true
        mode: "0644"

    # No shell is involved here; the $INSECURE_REGISTRIES reference is
    # resolved by the command module from the task's environment.
    - name: Update daemon.json with registry IP
      command: "sed -i -e 's|<%= @insecure_registries %>|$INSECURE_REGISTRIES|g' /etc/docker/daemon.json"
      args:
        warn: false
      environment:
        INSECURE_REGISTRIES: "{{ insecure_registries | to_json }}"

    - name: Restart docker
      systemd:
        name: docker
        state: restarted
  when: insecure_registries | default([]) | length > 0
# containerd configuration lives in /etc/containerd; the directory is
# root-only because config.toml below may list mirror endpoints.
- name: Create containerd config file directory
  file:
    path: /etc/containerd
    state: directory
    mode: "0700"
# Seed /etc/containerd/config.toml from the puppet-style template already
# present on the host; the placeholders are filled in by the tasks that
# follow.  Kept 0600 to match the 0700 parent directory.
- name: Create config.toml file for containerd configuration
  copy:
    src: "{{ containerd_template }}"
    dest: /etc/containerd/config.toml
    remote_src: true
    mode: "0600"
# The template still contains the puppet ERB loop (four lines starting at
# "<%- @insecure_registries" and ending at "end -%>") after the
# "# Begin of insecure registries" marker.  Strip it so the rendered mirror
# entries inserted by the next task are the only content there.
- name: Remove puppet template for insecure registries
  replace:
    path: /etc/containerd/config.toml
    after: '# Begin of insecure registries'
    regexp: '^(<%- @insecure_registries.+)\n(.+)\n(.+)\n(.+end -%>)'
    replace: ''
# For every insecure upstream registry, add a CRI mirror stanza pointing
# containerd at the plain-HTTP endpoint of that host.  Each stanza is
# wrapped in its own blockinfile marker (" # <registry>") so re-runs update
# rather than duplicate it.  The "|2" indentation indicator keeps the
# leading spaces of the stanza as part of the inserted text.
- name: Update config.toml with insecure registries
  blockinfile:
    path: /etc/containerd/config.toml
    insertafter: '# Begin of insecure registries'
    marker: " # {{ item }}"
    block: |2
        [plugins.cri.registry.mirrors."{{ item }}"]
          endpoint = ["http://{{ item }}"]
  loop: "{{ insecure_registries }}"
  when: insecure_registries | default([]) | length > 0
# Fill in the CNI plugin directory placeholder left by the puppet template.
# $CNI_BIN_DIR is expanded by the command module from the task environment
# (no shell is used).
- name: Update config.toml with cni bin dir
  command: "sed -i -e 's|<%= @k8s_cni_bin_dir %>|$CNI_BIN_DIR|g' /etc/containerd/config.toml"
  args:
    warn: false
  environment:
    CNI_BIN_DIR: "{{ kubelet_cni_bin_dir }}"
# Pick up the edited /etc/containerd/config.toml.
- name: Restart containerd
  systemd:
    name: containerd
    state: restarted
# Render the read-write (runtime) registry configuration from the shared
# template; placeholders are substituted by "Update local registry config
# files" below.
- name: Generate local registry runtime config file from template
  copy:
    src: "{{ registry_config_template }}"
    dest: "{{ registry_runtime_config_file }}"
    remote_src: true
    mode: "0644"
# Same template, second copy: this one becomes the read-only variant of the
# registry configuration (registry_readonly is set to true below).
- name: Generate local registry readonly config file from template
  copy:
    src: "{{ registry_config_template }}"
    dest: "{{ registry_readonly_config_file }}"
    remote_src: true
    mode: "0644"
# Substitute the puppet-style placeholders in both registry config files:
# registry_readonly is false for the runtime file and true for the readonly
# file; the registry host and the token realm host are both set to the
# controller floating address URL.  $DOCKER_REGISTRY_HOST is expanded by
# the command module from the task environment.
# NOTE(review): "|" is the sed delimiter, so a host value containing "|",
# "&" or "\" would corrupt the substitution; the floating address is an
# IP/URL under our control, so this is a hardening note rather than a bug.
- name: Update local registry config files
  command: "{{ item }}"
  args:
    warn: false
  loop:
    - "sed -i -e 's|<%= @registry_readonly %>|'false'|g' {{ registry_runtime_config_file }}"
    - "sed -i -e 's|<%= @registry_readonly %>|'true'|g' {{ registry_readonly_config_file }}"
    - "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_runtime_config_file }}"
    - "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_readonly_config_file }}"
    - "sed -i -e 's|<%= @docker_realm_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_runtime_config_file }}"
    - "sed -i -e 's|<%= @docker_realm_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_readonly_config_file }}"
  environment:
    DOCKER_REGISTRY_HOST: "{{ controller_floating_address_url }}"
# The registry service reads registry_config_file; point it at the runtime
# (read-write) configuration.  "-f" replaces any existing link so the task
# is safe to re-run.
- name: Create symlink from local registry runtime config file
  command: ln -fs {{ registry_runtime_config_file }} {{ registry_config_file }}
  args:
    warn: false
# Render the registry token server configuration from its template; the
# host and Keystone endpoint placeholders are filled in by the next task.
- name: Generate local registry token server config file from template
  copy:
    src: "{{ registry_token_server_template }}"
    dest: "{{ registry_token_server_file }}"
    remote_src: true
    mode: "0644"
# Fill in the token server's registry host and the Keystone v3 endpoint it
# authenticates registry users against.  Both $VARs are expanded by the
# command module from the task environment.
# NOTE(review): the Keystone endpoint is plain http on port 5000.  The
# token server forwards user credentials to it, so unless that endpoint is
# TLS-terminated or confined to a trusted management network, registry
# passwords cross the wire in cleartext -- confirm before deploying this
# outside an isolated controller network.
- name: Update local registry token server file
  command: "{{ item }}"
  args:
    warn: false
  loop:
    - "sed -i -e 's|<%= @docker_registry_host %>|'$DOCKER_REGISTRY_HOST'|g' {{ registry_token_server_file }}"
    - "sed -i -e 's|<%= @registry_ks_endpoint %>|'$REGISTRY_KS_ENDPOINT'|g' {{ registry_token_server_file }}"
  environment:
    DOCKER_REGISTRY_HOST: "{{ controller_floating_address_url }}"
    REGISTRY_KS_ENDPOINT: "http://{{ controller_floating_address_url }}:5000/v3"
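# Bootstrap only: generate the self-signed registry certificate and keys.
#   1. render the openssl config (cnf) from its template and fill in the
#      management and OAM floating addresses (used as SANs by the template);
#   2. pre-create the private key files root-only, so that the key
#      material openssl writes never exists with a wider, umask-derived
#      mode -- not even between "Generate certificate and key files" and
#      the final permission task;
#   3. create a 2048-bit RSA key and a 365-day SHA-256 self-signed cert;
#   4. derive the PKCS#1 form of the key (used by the token server);
#   5. remove the cnf file and lock all three artifacts down to 0400.
# NOTE(review): the certificate is valid for one year and nothing here
# renews it; confirm a rotation path exists.  On OpenSSL 3 "openssl rsa
# -out" emits PKCS#8 unless -traditional is passed -- confirm the target
# OpenSSL version if the consumer really requires PKCS#1.
- block:
    - name: Generate cnf file from template
      copy:
        src: "{{ cert_cnf_template }}"
        dest: "{{ cert_cnf_file }}"
        remote_src: true

    # $DOCKER_REGISTRY_IP / $DOCKER_REGISTRY_PUBLIC_IP are expanded by the
    # command module from the task environment (no shell).
    - name: Update cnf file with network info
      command: "{{ item }}"
      args:
        warn: false
      loop:
        - "sed -i -e 's|<%= @docker_registry_ip %>|'$DOCKER_REGISTRY_IP'|g' {{ cert_cnf_file }}"
        - "sed -i -e 's|<%= @docker_registry_public_ip %>|'$DOCKER_REGISTRY_PUBLIC_IP'|g' {{ cert_cnf_file }}"
      environment:
        DOCKER_REGISTRY_IP: "{{ controller_floating_address }}"
        DOCKER_REGISTRY_PUBLIC_IP: "{{ external_oam_floating_address }}"

    # openssl truncates and rewrites an existing output file in place, so a
    # file created here with 0600 keeps that mode when the key is written.
    - name: Pre-create private key files with restrictive permissions
      file:
        path: "{{ item }}"
        state: touch
        mode: "0600"
      loop:
        - "{{ registry_cert_key }}"
        - "{{ registry_cert_pkcs1_key }}"

    - name: Generate certificate and key files
      command: >-
        openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout {{ registry_cert_key }}
        -out {{ registry_cert_crt }} -config {{ cert_cnf_file }}

    - name: Generate pkcs1 key file
      command: openssl rsa -in {{ registry_cert_key }} -out {{ registry_cert_pkcs1_key }}

    - name: Remove extfile used in certificate generation
      file:
        path: "{{ cert_cnf_file }}"
        state: absent

    - name: Set certificate file and key permissions to root read-only
      file:
        path: "{{ item }}"
        mode: "0400"
      loop:
        - "{{ registry_cert_key }}"
        - "{{ registry_cert_crt }}"
        - "{{ registry_cert_pkcs1_key }}"
  when: mode == 'bootstrap'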
# Restore only: pull the registry certificate/key files back out of the
# backup archive instead of generating new ones.  Only archive members
# matching 'etc/ssl/private/*cert*' are extracted, flattened (--transform
# drops the directory part) into /etc/ssl/private; -p keeps the archived
# permissions.  If the server cert PEM is among them it is also copied to
# the shared config directory for the mate controller.
- block:
    - name: Restore certificate and key files
      command: >-
        tar -C /etc/ssl/private -xpf {{ target_backup_dir }}/{{ backup_filename }} --transform='s,.*/,,'
        'etc/ssl/private/*cert*'
      args:
        warn: false

    - name: Check if {{ server_cert_pem }} exists
      stat:
        path: "{{ server_cert_pem }}"
      register: server_cert_pem_stat

    # mode: preserve keeps whatever permissions came out of the archive.
    - name: Copy {{ server_cert_pem }} to shared filesystem for mate
      copy:
        src: "{{ server_cert_pem }}"
        dest: "{{ config_permdir }}"
        remote_src: true
        mode: preserve
      when: server_cert_pem_stat.stat.exists
  when: mode == 'restore'
# Publish the registry key, cert and PKCS#1 key to the shared config
# directory so the mate controller can pick them up.  mode: preserve keeps
# the 0400 (or restored) permissions on the copies.
- name: Copy certificate and keys to shared filesystem for mate
  copy:
    src: "{{ item }}"
    dest: "{{ config_permdir }}"
    remote_src: true
    mode: preserve
  loop:
    - "{{ registry_cert_key }}"
    - "{{ registry_cert_crt }}"
    - "{{ registry_cert_pkcs1_key }}"
# Per-registry docker trust directory for the local registry at
# registry.local:9001 (the hostname is added to /etc/hosts at the end of
# this file).  recurse applies the 0700 mode down the tree.
- name: Create docker certificate directory
  file:
    path: "{{ docker_cert_dir }}/registry.local:9001"
    state: directory
    recurse: true
    mode: "0700"
# Make docker trust the self-signed registry certificate for
# registry.local:9001.  Only the public certificate is copied; no mode is
# given, so the copy gets the default (umask-derived) permissions.
- name: Copy certificate file to docker certificate directory
  copy:
    src: "{{ registry_cert_crt }}"
    dest: "{{ docker_cert_dir }}/registry.local:9001"
    remote_src: true
# (Re)start the token server now that its config and keys are in place.
- name: Start registry token server
  systemd:
    name: registry-token-server
    state: restarted
# (Re)start the registry itself (docker-distribution) with the runtime
# configuration linked above.
- name: Start docker registry
  systemd:
    name: docker-distribution
    state: restarted
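# Add "registry.local" as an alias on the /etc/hosts line that maps the
# controller floating address to "controller", so the local registry is
# reachable by the name the docker trust directory above was created for.
# The leading "/registry.local/!" address makes the substitution idempotent:
# a line that already carries the alias is left alone, whereas the plain
# substitution would append a second "registry.local" on every re-run.
# All $VARs are expanded by the command module from the task environment
# (no shell is used).
- name: Update /etc/hosts with local registry host
  command: >-
    sed -i -e '/'$LOCAL_REGISTRY'/!s|'$CONTROLLER_ADDRESS'\t'$CONTROLLER'|'$CONTROLLER_ADDRESS'\t'$CONTROLLER'\t'$LOCAL_REGISTRY'|g' /etc/hosts
  args:
    warn: false
  environment:
    CONTROLLER_ADDRESS: "{{ controller_floating_address }}"
    CONTROLLER: "controller"
    LOCAL_REGISTRY: "registry.local"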