Pass user credentials when pull/push images from local docker registry

The functionality of local docker registry authentication is implemented in commit https://review.openstack.org/#/c/626355/. However, local docker registry is currently used to pull/push images during application apply without authentication. This commit passes user credentials when pulling/pushing images from docker registry, otherwise application apply will fail after the above docker registry authentication commit merged. Change-Id: Ifd43631e6fb685aed45fd2ad90d74ef3658bdb99 Story: 2002840 Task: 28945 Signed-off-by: Angie Wang <angie.wang@windriver.com>
2019-01-16 16:32:38 -05:00 · 2019-01-16 16:32:38 -05:00 · 6946ea845a
parent ad14905521
commit 6946ea845a
2 changed files with 21 additions and 2 deletions
--- a/sysinv/sysinv/sysinv/sysinv/common/exception.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/exception.py
@ -923,6 +923,11 @@ class KubeAppNotFound(NotFound):
    message = _("No application with name %(name)s.")


+class DockerRegistryCredentialNotFound(NotFound):
+    message = _("Credentials to access local docker registry "
+                "for user %(name)s could not be found.")
+
+
 class SDNNotEnabled(SysinvException):
    message = _("SDN configuration is not enabled.")

--- a/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py
@ -11,6 +11,7 @@

 import docker
 import grp
+import keyring
 import os
 import pwd
 import re
@ -57,6 +58,8 @@ INSTALLATION_TIMEOUT = 3600
 MAX_DOWNLOAD_THREAD = 20
 TARFILE_DOWNLOAD_CONNECTION_TIMEOUT = 60
 TARFILE_TRANSFER_CHUNK_SIZE = 1024 * 512
+DOCKER_REGISTRY_USER = 'admin'
+DOCKER_REGISTRY_SERVICE = 'CGCS'


 # Helper functions
@ -97,6 +100,16 @@ def get_app_install_root_path_ownership():
    return (uid, gid)


+def get_docker_registry_authentication():
+    docker_registry_user_password = keyring.get_password(
+        DOCKER_REGISTRY_SERVICE, DOCKER_REGISTRY_USER)
+    if not docker_registry_user_password:
+        raise exception.DockerRegistryCredentialNotFound(
+            name=DOCKER_REGISTRY_USER)
+
+    return dict(username=DOCKER_REGISTRY_USER,
+        password=docker_registry_user_password)
+
 Chart = namedtuple('Chart', 'name namespace')


@ -1205,8 +1218,9 @@ class DockerHelper(object):
        try:
            # Pull image from local docker registry
            LOG.info("Image %s download started from local registry" % loc_img_tag)
+            docker_registry_auth = get_docker_registry_authentication()
            client = docker.APIClient(timeout=INSTALLATION_TIMEOUT)
-            client.pull(loc_img_tag)
+            client.pull(loc_img_tag, auth_config=docker_registry_auth)
        except docker.errors.NotFound:
            try:
                # Image is not available in local docker registry, get the image
@ -1216,7 +1230,7 @@ class DockerHelper(object):
                pub_img_tag = loc_img_tag[1 + loc_img_tag.find('/'):]
                client.pull(pub_img_tag)
                client.tag(pub_img_tag, loc_img_tag)
-                client.push(loc_img_tag)
+                client.push(loc_img_tag, auth_config=docker_registry_auth)
            except Exception as e:
                rc = False
                LOG.error("Image %s download failed from public registry: %s" % (pub_img_tag, e))