This commit adds functionality for Docker registry to authenticate
using Keystone.
First, this commit contains puppet changes which are required to
manage the new token server required for Keystone authentication.
Second, with proper authentication now implemented, we are removing
the "insecure" flag for the controller registry in the "daemon.json"
file in "/etc/docker".
With the "insecure" flag removed, Docker will start complaining about
certificate issues. This commit also includes generation of default
certificates suitable for use by Docker registry as well as a sysinv
command "system certificate-install -m docker_registry" to update the
certificate.
Docker registry token server works only with PKCS1 style keys while we
would like to use PKCS8 keys by default. This is why our default
certificate and installed certificate create both a PKCS1 style key as
well as a PKCS8 style key. The keys are installed to
"/etc/ssl/private/" as registry-cert.crt, registry-cert.key, and
registry-cert-pkcs1.key.
Story: 2002840
Task: 22783
Depends-On: https://review.openstack.org/#/c/626354/
Change-Id: I0127bd5f10f3950739678929b92eb1b77e2119db
Signed-off-by: Jerry Sun <jerry.sun@windriver.com>
In order to avoid conflicts with containerized services
binding to standard HTTP (80) / HTTPS (443) port numbers,
the default port numbers are changed to 8080 and 8443.
Furthermore, CLI commands are provided to allow binding
to alternate port numbers.
List of changes:
. Add service parameters for HTTP and HTTPS port
. Configure the lighttpd ports via puppet and use port
8008 for platform horizon
. Add http port to platform.conf for the config scripts
. Support helm repo URL update
. Add helm-toolkit plugin for location override
. Override Armada manifest location
. Add installer base URL option to pxeboot-update
script
. Add a patching run time class to restart patch-agent
when the port config is changed
. Add a semantic check to block port config when a
patching operation is in progress or a host is not
in unlocked/enabled state
CLI commands for viewing and updating port numbers are:
system service-parameter-list --service http
system service-parameter-modify lighttpd port http=8090
system service-parameter-apply lighttpd
Tests Performed:
Non-containerized deployment installation and sanity
AIO-DX: Sanity and Nightly automated test suite
2+2 System: Sanity and Nightly automated test suite
2+4+6 System: Sanity and Nightly automated test suite
Kubernetes deployment on VBox:
AIO-SX: application apply and launch instance
AIO-DX: application apply and launch instance
2+2 System: application apply and launch instance
HTTP/HTTPS port configuration
Enable/Disable https
Story: 2004642
Task: 28592
Change-Id: I65029e0c15aaf626acb56ab71e7bbde64c7e76a8
Signed-off-by: Tao Liu <tao.liu@windriver.com>
This update replaced the compute personality & subfunction
to worker, and updated internal and customer visible
references.
In addition, the compute-huge package has been renamed to
worker-utils as it contains various scripts/services that
used to affine running tasks or interface IRQ to specific CPUs.
The worker_reserved.conf is now installed to /etc/platform.
The cpu function 'VM' has also been renamed to 'Application'.
Tests Performed:
Non-containerized deployment
AIO-SX: Sanity and Nightly automated test suite
AIO-DX: Sanity and Nightly automated test suite
2+2 System: Sanity and Nightly automated test suite
2+2 System: Horizon Patch Orchestration
Kubernetes deployment:
AIO-SX: Create, delete, reboot and rebuild instances
2+2+2 System: worker nodes are unlock enable and no alarms
Story: 2004022
Task: 27013
Change-Id: I0e0be6b3a6f25f7fb8edf64ea4326854513aa396
Signed-off-by: Tao Liu <tao.liu@windriver.com>