
Merge "Add a role to run a buildset registry"

changes/22/634622/1
Zuul 6 months ago
parent
commit
d30f69d2ab

+ 38
- 0
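--- a/roles/run-buildset-registry/README.rst
+++ b/roles/run-buildset-registry/README.rst
@@ -0,0 +1,38 @@
+Runs a docker registry for the use of this buildset.
+
+This may be used for a single job running on a single node, or it may
+be used at the root of a job graph so that multiple jobs running for a
+single change can share the registry.
+
+**Role Variables**
+
+.. zuul:rolevar:: buildset_registry_root
+   :default: {{ ansible_user_dir }}/buildset_registry
+
+   Path for the registry volumes.
+
+**Return Values**
+
+.. zuul:rolevar:: buildset_registry
+
+   Information about the registry.
+
+   .. zuul:rolevar:: host
+
+      The host (IP address) of the registry.
+
+   .. zuul:rolevar:: port
+
+      The port on which the registry is listening.
+
+   .. zuul:rolevar:: username
+
+      The username used to access the registry via HTTP basic auth.
+
+   .. zuul:rolevar:: password
+
+      The password used to access the registry via HTTP basic auth.
+
+   .. zuul:rolevar:: cert
+
+      The (self-signed) certificate used by the registry.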

+ 1
- 0
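--- a/roles/run-buildset-registry/defaults/main.yaml
+++ b/roles/run-buildset-registry/defaults/main.yaml
@@ -0,0 +1 @@
+buildset_registry_root: "{{ ansible_user_dir }}/buildset_registry"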

+ 91
- 0
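--- a/roles/run-buildset-registry/tasks/main.yaml
+++ b/roles/run-buildset-registry/tasks/main.yaml
@@ -0,0 +1,91 @@
+- name: Install packages
+  become: yes
+  package:
+    name:
+      - python-docker
+      - python-openssl
+      - python-passlib
+      - python-bcrypt
+    state: present
+  when: "'python3' not in ansible_python_interpreter"
+- name: Install packages
+  become: yes
+  package:
+    name:
+      - python3-docker
+      - python3-openssl
+      - python3-passlib
+      - python3-bcrypt
+    state: present
+  when: "'python3' in ansible_python_interpreter"
+- name: Ensure Docker registry volume directories exists
+  file:
+    state: directory
+    path: "{{ buildset_registry_root}}/{{ item }}"
+  loop:
+    - certs
+    - auth
+# TODO: use password lookup after allowing access to it in Zuul
+- name: Generate registry password
+  set_fact:
+    registry_password: "{{ (ansible_date_time.iso8601_micro | password_hash('sha256'))[-20:] }}"
+- name: Write htpassword file
+  htpasswd:
+    create: true
+    crypt_scheme: bcrypt
+    path: "{{ buildset_registry_root}}/auth/htpasswd"
+    name: "zuul"
+    password: "{{ registry_password }}"
+- name: Generate a TLS key for the Docker registry
+  openssl_privatekey:
+    path: "{{ buildset_registry_root}}/certs/domain.key"
+- name: Generate a TLS CSR for the Docker registry
+  openssl_csr:
+    path: "{{ buildset_registry_root}}/certs/domain.csr"
+    privatekey_path: "{{ buildset_registry_root}}/certs/domain.key"
+    common_name: "{{ ansible_host }}"
+    subject_alt_name: "DNS:{{ ansible_host }},IP:{{ ansible_host }}"
+- name: Generate a TLS cert for the Docker registry
+  openssl_certificate:
+    path: "{{ buildset_registry_root}}/certs/domain.crt"
+    csr_path: "{{ buildset_registry_root}}/certs/domain.csr"
+    privatekey_path: "{{ buildset_registry_root}}/certs/domain.key"
+    provider: selfsigned
+  register: generated_cert
+- name: Read TLS certificate
+  slurp:
+    src: "{{ generated_cert.filename }}"
+  register: certificate
+- name: Decode TLS certificate
+  set_fact:
+    certificate: "{{ certificate.content | b64decode }}"
+- name: Start a docker registry
+  docker_container:
+    name: buildset_registry
+    image: registry:2
+    state: started
+    restart_policy: always
+    ports:
+     - "5000:5000"
+    env:
+      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
+      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
+      REGISTRY_AUTH: htpasswd
+      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+    volumes:
+      - "{{ buildset_registry_root}}/data:/var/lib/registry"
+      - "{{ buildset_registry_root}}/certs:/certs"
+      - "{{ buildset_registry_root}}/auth:/auth"
+- name: Set registry information fact
+  set_fact:
+    buildset_registry:
+      host: "{{ ansible_host }}"
+      port: 5000
+      username: zuul
+      password: "{{ registry_password }}"
+      cert: "{{ certificate }}"
+- name: Return registry information to Zuul
+  zuul_return:
+    data:
+      buildset_registry: "{{ buildset_registry }}"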
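Review bot: The generated registry password is handled by "Generate registry password" and "Set registry information fact" without `no_log`, so the `set_fact` results carrying it can appear in the task output when Ansible prints facts, and Zuul console logs are typically published with the job; add `no_log: true` to both of those tasks and to "Write htpassword file" (the `htpasswd` module may already mask its `password` argument, but the `set_fact` results are not masked). This only keeps the credential out of the console output: the final `zuul_return` intentionally hands it to child jobs, which is the documented contract. As a style point, `become: yes` in both "Install packages" tasks should be written `become: true`, and the port is duplicated between `"5000:5000"` and `port: 5000` — a single default such as `buildset_registry_port: 5000` referenced in both places would keep them from drifting apart. The `subject_alt_name` also lists `ansible_host` as both `DNS:` and `IP:`; if `ansible_host` is always an IP address as the README states, the `DNS:` entry is redundant, and if it can be a hostname the `IP:` entry will not be valid — worth a comment stating which is assumed.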
