Created script to change private registry config

This script changes the needed system parameters in order to use a
different registry in an already deployed StarlingX. To do this, it
manipulates the system parameters 'url', 'type' and 'auth-secret' of
service 'docker'. Each one of these three parameters may exist inside
the docker service sections 'docker-registry', 'elastic-registry',
'gcr-registry', 'ghcr-registry', 'k8s-registry' and 'quay-registry'.

The tests below were executed using a StarlingX dev build.
The regression tests were not executed, as this script is not executed
unless the user calls it.

Test Plan:

PASS: In an AIO-SX deploy with no parameters present, execute the script
with 4 arguments (non-empty user and password), verify that the new
registry is used to download images.
PASS: In an AIO-SX deploy with all parameters present, execute the script
with 4 arguments (non-empty user and password), verify that the new
registry is used to download images.
PASS: In an AIO-SX deploy with no parameters present, execute the script
with 2 parameters (no user or password given), verify that the new
registry is used to download images.
PASS: In an AIO-SX deploy with all parameters present, execute the script
with 2 parameters (no user or password given), verify that the new
registry is used to download images.
PASS: In a distributed cloud scenario, reconfigure the central cloud
with a different private registry, verify that the new registry is used
to download images, then check that new images downloaded by central
cloud are being successfully downloaded in the subclouds.

Closes-Bug: 1948491
Signed-off-by: Joao Victor Portal <Joao.VictorPortal@windriver.com>
Change-Id: I3e10486333964264c8754c519163083a821eb54e
Joao Victor Portal 2021-10-21 20:40:40 -03:00
parent 5bc220bc2b
commit 1e7bbc6b33
1 changed files with 135 additions and 0 deletions

@ -0,0 +1,135 @@
#!/bin/bash
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# Utility script to reconfigure system private registry
#
#
# It is assumed that the system private registry URLs are in the same level.
# Example: URLs "myregistry.sample.com/docker.io" and "myregistry.sample.com/docker.elastic.co"
# have the same base URL "myregistry.sample.com", so they are in the same level.
# In a distributed cloud environment, this script only needs to be run on the central cloud.
# It can have 2 or 4 parameters, because the pair username and password is optional.
# When the username and password parameters are not given, they are set to empty strings.
# The default value for docker registry is "docker".
#
# $1 - registry base url
# $2 - registry type
# $3 - registry username (optional)
# $4 - registry password (optional)
#
# This script manipulates the parameters 'url', 'type' and 'auth-secret' of docker service.
# Each one of these three parameters may exist inside the docker service sections docker-registry, elastic-registry,
# gcr-registry, ghcr-registry, k8s-registry and quay-registry, so 18 parameters are manipulated in total.
# Each section of service docker is referred also as registry in this script.
#
if (( $# != 2 && $# != 4 )); then
echo "The format of the command: $0 registry_base_url registry_type [registry_username] [registry_password]"
exit 1
fi
REGISTRY_BASE_URL=$1
REGISTRY_TYPE=$2
if (( $# == 4 )); then
REGISTRY_USERNAME=$3
REGISTRY_PASSWORD=$4
else
REGISTRY_USERNAME=''
REGISTRY_PASSWORD=''
fi
NEW_REGISTRY_USER_PASSWORD="username:${REGISTRY_USERNAME} password:${REGISTRY_PASSWORD}"
# This is a dictionary between registries (key) and the final part of their URL (value).
declare -A REGISTRY_DICT
REGISTRY_DICT['docker-registry']='docker.io'
REGISTRY_DICT['elastic-registry']='docker.elastic.co'
REGISTRY_DICT['gcr-registry']='gcr.io'
REGISTRY_DICT['ghcr-registry']='ghcr.io'
REGISTRY_DICT['k8s-registry']='k8s.gcr.io'
REGISTRY_DICT['quay-registry']='quay.io'
source /etc/platform/openrc
# Create or modify url parameter of registries.
for registry in "${!REGISTRY_DICT[@]}"; do
# Launchpad bug 1948839: the command "system service-parameter-list", when both "--section" and "--name" filters are
# given, ignores "--section" and uses only "--name". The correct behavior would be to use both. This is why the
# parameter "--name" is not present below and "grep -w" is used.
parameter_name_list=`system service-parameter-list --service docker \
--section ${registry} \
--column name \
--format value`
parameter_present=`echo ${parameter_name_list} | grep -w url`
if [[ -z "${parameter_present}" ]]; then
echo "The url parameter of ${registry} does not exist. Creating parameter..."
system service-parameter-add docker ${registry} url=${REGISTRY_BASE_URL}/${REGISTRY_DICT[${registry}]}
else
echo "The url parameter of ${registry} already exists. Changing its value..."
system service-parameter-modify docker ${registry} url=${REGISTRY_BASE_URL}/${REGISTRY_DICT[${registry}]}
fi
echo ""
done
# Create or modify type parameter of registries.
for registry in "${!REGISTRY_DICT[@]}"; do
# See the description of Launchpad bug 1948839, it also affects the implementation below.
parameter_name_list=`system service-parameter-list --service docker \
--section ${registry} \
--column name \
--format value`
parameter_present=`echo ${parameter_name_list} | grep -w type`
if [[ -z "${parameter_present}" ]]; then
echo "The type parameter of ${registry} does not exist. Creating parameter..."
system service-parameter-add docker ${registry} type=${REGISTRY_TYPE}
else
echo "The type parameter of ${registry} already exists. Changing its value..."
system service-parameter-modify docker ${registry} type=${REGISTRY_TYPE}
fi
echo ""
done
# Change registry credentials: delete and recreate secret in Barbican, then creates or modifies the reference in
# auth-secret parameter.
for registry in "${!REGISTRY_DICT[@]}"; do
# Note: the command "openstack secret list -n ${registry}-secret -c 'Secret href'", when it doesn't find the
# secret name "${registry}-secret", prints to stderr an error about not finding the column "Secret href" in the
# resulting empty table. To avoid informing the user about this error, stderr is redirected to '/dev/null'.
old_secret_uri=`openstack secret list -n ${registry}-secret -c 'Secret href' -f value 2>/dev/null`
if [[ -n "${old_secret_uri}" ]]; then
echo "Deleting secret ref ${old_secret_uri}"
openstack secret delete ${old_secret_uri}
fi
openstack secret store -n ${registry}-secret -p "${NEW_REGISTRY_USER_PASSWORD}"
new_secret_uri=`openstack secret list -n ${registry}-secret -c 'Secret href' -f value 2>/dev/null`
new_secret_uuid=`echo ${new_secret_uri} | awk -F '/' '{print $NF}'`
# See the description of Launchpad bug 1948839, it also affects the implementation below.
parameter_name_list=`system service-parameter-list --service docker \
--section ${registry} \
--column name \
--format value`
parameter_present=`echo ${parameter_name_list} | grep -w auth-secret`
if [[ -z "${parameter_present}" ]]; then
echo "The auth-secret parameter of ${registry} does not exist. Creating parameter..."
system service-parameter-add docker ${registry} auth-secret=${new_secret_uuid}
else
echo "The auth-secret parameter of ${registry} already exists. Changing its value..."
system service-parameter-modify docker ${registry} auth-secret=${new_secret_uuid}
fi
echo ""
done
# Apply parameters and return.
system service-parameter-apply docker
echo "Service parameters of docker service were successfully reconfigured."
exit 0
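
Review bot: In the credentials loop, `openstack secret delete ${old_secret_uri}` runs before the replacement is known to exist, and no exit status is checked anywhere in the script. If `openstack secret store` or the following `openstack secret list` fails (its stderr goes to /dev/null), `new_secret_uuid` is empty, `auth-secret=` is written with an empty value, and the script still runs `system service-parameter-apply docker`, prints "successfully reconfigured" and exits 0 with the old credentials already gone. Suggest checking the result of each `system` and `openstack` call, refusing to write `auth-secret` when `new_secret_uuid` is empty, and exiting non-zero before the apply step on any failure. Separately, the password is taken from `$4` and passed on in `-p "${NEW_REGISTRY_USER_PASSWORD}"`, so it lands in shell history and is visible in the process list while the commands run; prompting with `read -s` when no password argument is supplied would remove the first exposure. The unquoted `${registry}`, `${REGISTRY_BASE_URL}` and `${REGISTRY_TYPE}` expansions in the `system service-parameter-add` and `service-parameter-modify` calls should be quoted as well, since they come straight from user arguments.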