Merge "Use zuul-registry as buildset registry"

This commit is contained in:
Zuul 2019-10-29 20:37:02 +00:00 committed by Gerrit Code Review
commit 82faf394db
6 changed files with 35 additions and 89 deletions


@ -2,8 +2,7 @@ Runs a docker registry for the use of this buildset.
This may be used for a single job running on a single node, or it may
be used at the root of a job graph so that multiple jobs running for a
single change can share the registry. Two registry endpoints are
provided -- one is a local registry, the second is an upstream proxy.
single change can share the registry.
**Role Variables**
@ -26,10 +25,6 @@ provided -- one is a local registry, the second is an upstream proxy.
The port on which the registry is listening.
.. zuul:rolevar:: proxy_port
The port on which the proxy is listening.
.. zuul:rolevar:: username
The username used to access the registry via HTTP basic auth.


@ -3,9 +3,8 @@
package:
name:
- python-docker
- python-openssl
- openssl
- python-passlib
- python-bcrypt
state: present
when: "'python3' not in ansible_python_interpreter"
- name: Install packages
@ -13,94 +12,50 @@
package:
name:
- python3-docker
- python3-openssl
- openssl
- python3-passlib
- python3-bcrypt
state: present
when: "'python3' in ansible_python_interpreter"
- name: Ensure Docker registry volume directories exists
- name: Ensure registry volume directories exists
file:
state: directory
path: "{{ buildset_registry_root }}/{{ item }}"
loop:
- certs
- auth
- name: Generate registry password
- tls
- conf
- name: Generate registry secrets
set_fact:
registry_password: "{{ lookup('password', '/dev/null') }}"
- name: Write htpassword file
htpasswd:
create: true
crypt_scheme: bcrypt
path: "{{ buildset_registry_root }}/auth/htpasswd"
name: "zuul"
password: "{{ registry_password }}"
- name: Generate a TLS key for the Docker registry
openssl_privatekey:
path: "{{ buildset_registry_root }}/certs/domain.key"
- name: Generate a TLS CSR for the Docker registry
openssl_csr:
path: "{{ buildset_registry_root }}/certs/domain.csr"
privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
common_name: "{{ ansible_host }}"
subject_alt_name: "DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1"
- name: Generate a TLS cert for the Docker registry
openssl_certificate:
path: "{{ buildset_registry_root }}/certs/domain.crt"
csr_path: "{{ buildset_registry_root }}/certs/domain.csr"
privatekey_path: "{{ buildset_registry_root }}/certs/domain.key"
provider: selfsigned
register: generated_cert
registry_secret: "{{ lookup('password', '/dev/null') }}"
- name: Write registry config
template:
src: registry.yaml.j2
dest: "{{ buildset_registry_root }}/conf/registry.yaml"
- name: Generate a TLS key for the registry
command: "openssl req -x509 -newkey rsa:2048 -keyout {{ buildset_registry_root }}/tls/cert.key -out {{ buildset_registry_root }}/tls/cert.pem -days 365 -nodes -subj '/C=US/ST=California/L=Oakland/O=Company Name/OU=Org/CN={{ ansible_host }}' -addext 'subjectAltName = DNS:zuul-jobs.buildset-registry,DNS:{{ ansible_host }},IP:{{ ansible_host }},IP:127.0.0.1'"
- name: Read TLS certificate
slurp:
src: "{{ generated_cert.filename }}"
src: "{{ buildset_registry_root }}/tls/cert.pem"
register: certificate
- name: Decode TLS certificate
set_fact:
certificate: "{{ certificate.content | b64decode }}"
- name: Start a docker registry
- name: Start the buildset registry
docker_container:
name: buildset_registry
image: registry:2
image: zuul/zuul-registry:latest
state: started
restart_policy: always
ports:
- "5000:5000"
env:
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
REGISTRY_HTTP_TLS_KEY: /certs/domain.key
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
volumes:
- "{{ buildset_registry_root }}/certs:/certs"
- "{{ buildset_registry_root }}/auth:/auth"
- name: Start a docker proxy
docker_container:
name: buildset_proxy
image: registry:2
state: started
restart_policy: always
ports:
- "5001:5000"
env:
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
REGISTRY_HTTP_TLS_KEY: /certs/domain.key
REGISTRY_AUTH: htpasswd
REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io
REGISTRY_PROXY_USERNAME: ''
REGISTRY_PROXY_PASSWORD: ''
volumes:
- "{{ buildset_registry_root }}/certs:/certs"
- "{{ buildset_registry_root }}/auth:/auth"
- "{{ buildset_registry_root }}/tls:/tls"
- "{{ buildset_registry_root }}/conf:/conf"
- name: Set registry information fact
set_fact:
buildset_registry:
host: "{{ ansible_host }}"
port: 5000
proxy_port: 5001
username: zuul
password: "{{ registry_password }}"
cert: "{{ certificate }}"
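Review bot: The `Write registry config` task renders `registry_secret` and `registry_password` into `{{ buildset_registry_root }}/conf/registry.yaml` without a `mode:`, so the rendered file takes the default umask (commonly world-readable); add `mode: "0600"` to that `template` task. The container presumably runs as root and can still read the bind-mounted file — confirm against the zuul/zuul-registry image. The `Generate a TLS key for the registry` task that replaced the openssl_* modules runs on every play because `command` has no `creates:` guard, silently replacing a certificate that may already have been handed out through the `buildset_registry.cert` fact; `args: creates: "{{ buildset_registry_root }}/tls/cert.pem"` restores the idempotency the modules gave. A comment above that task noting that `-addext` needs OpenSSL 1.1.1 or later would also help anyone running the role on an older image.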


@ -0,0 +1,14 @@
registry:
address: '::'
port: 5000
public-url: 'https://{{ ansible_host | ipwrap }}:5000'
tls-cert: /tls/cert.pem
tls-key: /tls/cert.key
secret: "{{ registry_secret }}"
users:
- name: zuul
pass: "{{ registry_password }}"
access: write
storage:
driver: filesystem
root: /storage
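Review bot: `storage.root: /storage` names a path that the `Start the buildset registry` task in the same role does not bind-mount (only `/tls` and `/conf` are), so image data goes to the container's writable layer and disappears with the container. If that is intended for a per-buildset registry, say so in the template: `# Rendered by run-buildset-registry; /tls and /conf are bind mounts, /storage is deliberately ephemeral`. A second comment that `secret` and `pass` are the per-run values from the `Generate registry secrets` task would make clear that the rendered file must not be kept beyond the buildset. `ipwrap` in `public-url` comes from the ipaddr filter set and, as far as I recall, needs python netaddr on the controller — confirm the executor image has it.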


@ -17,10 +17,6 @@ Use this role on any host which should use the buildset registry.
The port on which the registry is listening.
.. zuul:rolevar:: proxy_port
The port on which the registry proxy is listening.
.. zuul:rolevar:: username
The username used to access the registry via HTTP basic auth.


@ -28,21 +28,11 @@
file:
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"
state: directory
- name: Ensure proxy registry cert directory exists
become: true
file:
path: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/"
state: directory
- name: Write buildset registry TLS certificate
become: true
copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.port }}/ca.crt"
- name: Write proxy registry TLS certificate
become: true
copy:
content: "{{ buildset_registry.cert }}"
dest: "/etc/docker/certs.d/{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/ca.crt"
# Update daemon config
- name: Check if docker daemon configuration exists
@ -66,7 +56,7 @@
- name: Add registry to docker daemon configuration
vars:
new_config:
registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/', 'https://{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}/']"
registry-mirrors: "['https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/']"
set_fact:
docker_config: "{{ docker_config | combine(new_config) }}"
- name: Save docker daemon configuration
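Review bot: `registry-mirrors` on the new side of the second hunk is still a quoted string that merely looks like a Python list, so the daemon config depends on Ansible's post-render conversion of list-looking strings before the save step serializes it; docker expects a JSON array there, and a string would make it reject the config. Write it as a native YAML sequence instead: `registry-mirrors:` followed by `- "https://{{ buildset_registry_alias }}:{{ buildset_registry.port }}/"`. The `Save docker daemon configuration` task that consumes `docker_config` continues outside the hunk, so I cannot confirm how it serializes — check the written JSON after the change.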


@ -27,11 +27,7 @@
new_config:
auths: |
{
"https://index.docker.io/v1/":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
"{{ buildset_registry_alias }}:{{ buildset_registry.port }}":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
"{{ buildset_registry_alias }}:{{ buildset_registry.proxy_port }}":
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
}
set_fact:
@ -51,4 +47,4 @@
file:
src: "~{{ buildset_registry_docker_user | default(ansible_user) }}/.docker/config.json"
dest: /var/lib/kubelet/config.json
state: link
state: link