
Merge "Add a role to run a buildset registry"

changes/22/634622/1
Zuul 10 months ago
parent
commit
d30f69d2ab
3 changed files with 130 additions and 0 deletions
  1. +38
    -0
      roles/run-buildset-registry/README.rst
  2. +1
    -0
      roles/run-buildset-registry/defaults/main.yaml
  3. +91
    -0
      roles/run-buildset-registry/tasks/main.yaml

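--- a/roles/run-buildset-registry/README.rst
+++ b/roles/run-buildset-registry/README.rst
@@ -0,0 +1,38 @@
+Runs a docker registry for the use of this buildset.
+
+This may be used for a single job running on a single node, or it may
+be used at the root of a job graph so that multiple jobs running for a
+single change can share the registry.
+
+**Role Variables**
+
+.. zuul:rolevar:: buildset_registry_root
+:default: {{ ansible_user_dir }}/buildset_registry
+
+Path for the registry volumes.
+
+**Return Values**
+
+.. zuul:rolevar:: buildset_registry
+
+Information about the registry.
+
+.. zuul:rolevar:: host
+
+The host (IP address) of the registry.
+
+.. zuul:rolevar:: port
+
+The port on which the registry is listening.
+
+.. zuul:rolevar:: username
+
+The username used to access the registry via HTTP basic auth.
+
+.. zuul:rolevar:: password
+
+The password used to access the registry via HTTP basic auth.
+
+.. zuul:rolevar:: cert
+
+The (self-signed) certificate used by the registry.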

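--- a/roles/run-buildset-registry/defaults/main.yaml
+++ b/roles/run-buildset-registry/defaults/main.yaml
@@ -0,0 +1 @@
+buildset_registry_root: "{{ ansible_user_dir }}/buildset_registry"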

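--- a/roles/run-buildset-registry/tasks/main.yaml
+++ b/roles/run-buildset-registry/tasks/main.yaml
@@ -0,0 +1,91 @@
+- name: Install packages
+become: yes
+package:
+name:
+- python-docker
+- python-openssl
+- python-passlib
+- python-bcrypt
+state: present
+when: "'python3' not in ansible_python_interpreter"
+- name: Install packages
+become: yes
+package:
+name:
+- python3-docker
+- python3-openssl
+- python3-passlib
+- python3-bcrypt
+state: present
+when: "'python3' in ansible_python_interpreter"
+- name: Ensure Docker registry volume directories exists
+file:
+state: directory
+path: "{{ buildset_registry_root}}/{{ item }}"
+loop:
+- certs
+- auth
+# TODO: use password lookup after allowing access to it in Zuul
+- name: Generate registry password
+set_fact:
+registry_password: "{{ (ansible_date_time.iso8601_micro | password_hash('sha256'))[-20:] }}"
+- name: Write htpassword file
+htpasswd:
+create: true
+crypt_scheme: bcrypt
+path: "{{ buildset_registry_root}}/auth/htpasswd"
+name: "zuul"
+password: "{{ registry_password }}"
+- name: Generate a TLS key for the Docker registry
+openssl_privatekey:
+path: "{{ buildset_registry_root}}/certs/domain.key"
+- name: Generate a TLS CSR for the Docker registry
+openssl_csr:
+path: "{{ buildset_registry_root}}/certs/domain.csr"
+privatekey_path: "{{ buildset_registry_root}}/certs/domain.key"
+common_name: "{{ ansible_host }}"
+subject_alt_name: "DNS:{{ ansible_host }},IP:{{ ansible_host }}"
+- name: Generate a TLS cert for the Docker registry
+openssl_certificate:
+path: "{{ buildset_registry_root}}/certs/domain.crt"
+csr_path: "{{ buildset_registry_root}}/certs/domain.csr"
+privatekey_path: "{{ buildset_registry_root}}/certs/domain.key"
+provider: selfsigned
+register: generated_cert
+- name: Read TLS certificate
+slurp:
+src: "{{ generated_cert.filename }}"
+register: certificate
+- name: Decode TLS certificate
+set_fact:
+certificate: "{{ certificate.content | b64decode }}"
+- name: Start a docker registry
+docker_container:
+name: buildset_registry
+image: registry:2
+state: started
+restart_policy: always
+ports:
+- "5000:5000"
+env:
+REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
+REGISTRY_HTTP_TLS_KEY: /certs/domain.key
+REGISTRY_AUTH: htpasswd
+REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+volumes:
+- "{{ buildset_registry_root}}/data:/var/lib/registry"
+- "{{ buildset_registry_root}}/certs:/certs"
+- "{{ buildset_registry_root}}/auth:/auth"
+- name: Set registry information fact
+set_fact:
+buildset_registry:
+host: "{{ ansible_host }}"
+port: 5000
+username: zuul
+password: "{{ registry_password }}"
+cert: "{{ certificate }}"
+- name: Return registry information to Zuul
+zuul_return:
+data:
+buildset_registry: "{{ buildset_registry }}"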
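Review bot: `registry_password` in the "Generate registry password" task is derived from `ansible_date_time.iso8601_micro`, a guessable timestamp, so any unpredictability presumably comes only from the salt `password_hash('sha256')` chooses when none is supplied, which is not something the task states or controls. Until the password lookup named in the TODO is usable, I would record that above the task, e.g. `# NOTE: timestamp input is not secret; randomness relies on the hash salt`. The tasks that carry the value ("Generate registry password", "Write htpassword file", "Set registry information fact") also lack `no_log: true`, so the credential may be echoed in job output when run verbosely; adding `no_log: true` to those three would limit that. The `file` task likewise creates the `certs` and `auth` directories without a `mode`, so access to the key and htpasswd file depends on the node's umask; `mode: "0700"` would make it explicit.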
