buildset registry: don't put skopeo creds on command line
Use the docker user config file (~/.docker/config.json) rather than skopeo's --src-creds/--dest-creds command-line options when performing skopeo push/pull operations, so the command itself can be logged without exposing registry credentials. Change-Id: If6b1f3ab34461d77e619b188f48c5d209df7afce
parent
be0ae67dff
commit
f4db0f0979
@ -11,13 +11,69 @@
|
||||||
copy:
|
copy:
|
||||||
content: "{{ buildset_registry.cert }}"
|
content: "{{ buildset_registry.cert }}"
|
||||||
dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
|
dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
|
||||||
- name: Pull artifact from intermediate registry
|
|
||||||
command: >-
|
|
||||||
skopeo --insecure-policy copy
|
# Update user config for intermediate and buildset registries
|
||||||
--src-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }}
|
- name: Ensure docker user directory exists
|
||||||
--dest-creds={{ buildset_registry.username }}:{{ buildset_registry.password }}
|
file:
|
||||||
{{ item.url }}
|
state: directory
|
||||||
docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }}
|
path: "~/.docker"
|
||||||
when: "item.metadata.type | default('') == 'container_image'"
|
mode: 0700
|
||||||
loop: "{{ zuul.artifacts | default([]) }}"
|
- name: Check if docker user configuration exists
|
||||||
no_log: true
|
stat:
|
||||||
|
path: "~/.docker/config.json"
|
||||||
|
register: docker_config_stat
|
||||||
|
- name: Load docker user configuration
|
||||||
|
when: docker_config_stat.stat.exists
|
||||||
|
slurp:
|
||||||
|
path: "~/.docker/config.json"
|
||||||
|
register: docker_config
|
||||||
|
- name: Parse docker user configuration
|
||||||
|
when: docker_config_stat.stat.exists
|
||||||
|
set_fact:
|
||||||
|
docker_config: "{{ docker_config.content | b64decode | from_json }}"
|
||||||
|
- name: Set default docker user configuration
|
||||||
|
when: not docker_config_stat.stat.exists
|
||||||
|
set_fact:
|
||||||
|
docker_config:
|
||||||
|
auths: {}
|
||||||
|
- name: Add registry to docker user configuration
|
||||||
|
vars:
|
||||||
|
new_config:
|
||||||
|
auths: |
|
||||||
|
{
|
||||||
|
"{{ intermediate_registry.host }}:{{ intermediate_registry.port }}":
|
||||||
|
{"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"},
|
||||||
|
"{{ intermediate_registry.host }}:{{ intermediate_registry.proxy_port }}":
|
||||||
|
{"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"}
|
||||||
|
"{{ buildset_registry.host }}:{{ buildset_registry.port }}":
|
||||||
|
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
|
||||||
|
"{{ buildset_registry.host }}:{{ buildset_registry.proxy_port }}":
|
||||||
|
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
|
||||||
|
}
|
||||||
|
set_fact:
|
||||||
|
new_docker_config: "{{ docker_config | combine(new_config, recursive=True) }}"
|
||||||
|
- name: Save docker user configuration
|
||||||
|
copy:
|
||||||
|
content: "{{ new_docker_config | to_nice_json }}"
|
||||||
|
dest: "~/.docker/config.json"
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
# Pull the images
|
||||||
|
- name: Pull artifacts from intermediate registry
|
||||||
|
block:
|
||||||
|
- name: Pull artifacts from intermediate registry
|
||||||
|
command: >-
|
||||||
|
skopeo --insecure-policy copy
|
||||||
|
{{ item.url }}
|
||||||
|
docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ item.metadata.repository }}:{{ item.metadata.tag }}
|
||||||
|
when: "item.metadata.type | default('') == 'container_image'"
|
||||||
|
loop: "{{ zuul.artifacts | default([]) }}"
|
||||||
|
always:
|
||||||
|
- name: Remove docker user config
|
||||||
|
command: "shred ~/.docker/config.json"
|
||||||
|
- name: Replace docker user configuration
|
||||||
|
copy:
|
||||||
|
content: "{{ docker_config | to_nice_json }}"
|
||||||
|
dest: "~/.docker/config.json"
|
||||||
|
mode: 0600
|
||||||
|
|
|
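Review bot: The JSON built under `auths: |` in the "Add registry to docker user configuration" task is missing a comma after the second intermediate-registry entry — the `{"auth": "..."}` line for `intermediate_registry.proxy_port` is followed directly by the `buildset_registry.host` key — so, as rendered here, the block is not valid JSON, Ansible cannot turn the templated string into a mapping, `combine(..., recursive=True)` would store a string under `auths`, and the saved config.json would not authenticate the pulls. That line should end with a trailing comma like the entry above it: `{"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"},`. Separately, the commit moves the secrets off the command line, but the tasks that now hold them — the slurp of the existing config, the `set_fact` producing `new_docker_config`, and the `copy` that writes it — carry no `no_log: true`, so the base64 `username:password` pairs can still reach the Ansible output through registered results or diff output unless the callback suppresses them; add `no_log: true` to those tasks so that only the skopeo command itself is logged, which is the stated goal of the change.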
@ -1,14 +1,11 @@
|
||||||
- name: Push tag to intermediate registry
|
- name: Push tag to intermediate registry
|
||||||
command: >-
|
command: >-
|
||||||
skopeo --insecure-policy copy
|
skopeo --insecure-policy copy
|
||||||
--src-creds={{ buildset_registry.username }}:{{ buildset_registry.password }}
|
|
||||||
--dest-creds={{ intermediate_registry.username }}:{{ intermediate_registry.password }}
|
|
||||||
docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
|
docker://{{ buildset_registry.host }}:{{ buildset_registry.port }}/{{ image.repository }}:{{ image_tag }}
|
||||||
docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }}
|
docker://{{ intermediate_registry.host }}:{{ intermediate_registry.port}}/{{ image.repository }}:{{ zuul.build }}_{{ image_tag }}
|
||||||
loop: "{{ image.tags | default(['latest']) }}"
|
loop: "{{ image.tags | default(['latest']) }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
loop_var: image_tag
|
loop_var: image_tag
|
||||||
no_log: true
|
|
||||||
|
|
||||||
- name: Return artifact to Zuul
|
- name: Return artifact to Zuul
|
||||||
zuul_return:
|
zuul_return:
|
||||||
|
|
|
@ -11,8 +11,66 @@
|
||||||
copy:
|
copy:
|
||||||
content: "{{ buildset_registry.cert }}"
|
content: "{{ buildset_registry.cert }}"
|
||||||
dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
|
dest: "/etc/docker/certs.d/{{ buildset_registry.host }}:{{ buildset_registry.port }}/ca.crt"
|
||||||
- name: Push image to intermediate registry
|
|
||||||
include_tasks: push-image.yaml
|
# Update user config for intermediate and buildset registries
|
||||||
loop: "{{ docker_images }}"
|
- name: Ensure docker user directory exists
|
||||||
loop_control:
|
file:
|
||||||
loop_var: image
|
state: directory
|
||||||
|
path: "~/.docker"
|
||||||
|
mode: 0700
|
||||||
|
- name: Check if docker user configuration exists
|
||||||
|
stat:
|
||||||
|
path: "~/.docker/config.json"
|
||||||
|
register: docker_config_stat
|
||||||
|
- name: Load docker user configuration
|
||||||
|
when: docker_config_stat.stat.exists
|
||||||
|
slurp:
|
||||||
|
path: "~/.docker/config.json"
|
||||||
|
register: docker_config
|
||||||
|
- name: Parse docker user configuration
|
||||||
|
when: docker_config_stat.stat.exists
|
||||||
|
set_fact:
|
||||||
|
docker_config: "{{ docker_config.content | b64decode | from_json }}"
|
||||||
|
- name: Set default docker user configuration
|
||||||
|
when: not docker_config_stat.stat.exists
|
||||||
|
set_fact:
|
||||||
|
docker_config:
|
||||||
|
auths: {}
|
||||||
|
- name: Add registry to docker user configuration
|
||||||
|
vars:
|
||||||
|
new_config:
|
||||||
|
auths: |
|
||||||
|
{
|
||||||
|
"{{ intermediate_registry.host }}:{{ intermediate_registry.port }}":
|
||||||
|
{"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"},
|
||||||
|
"{{ intermediate_registry.host }}:{{ intermediate_registry.proxy_port }}":
|
||||||
|
{"auth": "{{ (intermediate_registry.username + ":" + intermediate_registry.password) | b64encode }}"}
|
||||||
|
"{{ buildset_registry.host }}:{{ buildset_registry.port }}":
|
||||||
|
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"},
|
||||||
|
"{{ buildset_registry.host }}:{{ buildset_registry.proxy_port }}":
|
||||||
|
{"auth": "{{ (buildset_registry.username + ":" + buildset_registry.password) | b64encode }}"}
|
||||||
|
}
|
||||||
|
set_fact:
|
||||||
|
new_docker_config: "{{ docker_config | combine(new_config, recursive=True) }}"
|
||||||
|
- name: Save docker user configuration
|
||||||
|
copy:
|
||||||
|
content: "{{ new_docker_config | to_nice_json }}"
|
||||||
|
dest: "~/.docker/config.json"
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
# Push the images
|
||||||
|
- name: Push images to intermediate registry
|
||||||
|
block:
|
||||||
|
- name: Push image to intermediate registry
|
||||||
|
include_tasks: push-image.yaml
|
||||||
|
loop: "{{ docker_images }}"
|
||||||
|
loop_control:
|
||||||
|
loop_var: image
|
||||||
|
always:
|
||||||
|
- name: Remove docker user config
|
||||||
|
command: "shred ~/.docker/config.json"
|
||||||
|
- name: Replace docker user configuration
|
||||||
|
copy:
|
||||||
|
content: "{{ docker_config | to_nice_json }}"
|
||||||
|
dest: "~/.docker/config.json"
|
||||||
|
mode: 0600
|
||||||
|
|
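Review bot: The credential handling that replaces `--src-creds`/`--dest-creds` is itself not shielded from the log: the "Load docker user configuration" slurp registers the whole pre-existing config.json (any auth entries included), and the "Add registry to docker user configuration" `set_fact` and the following `copy` carry the base64 `username:password` values, yet none of these tasks set `no_log: true`, so the secrets can surface in task results or `--diff` output unless the callback filters them. Add `no_log: true` to the slurp, the `set_fact` tasks that parse and build the config, and the `copy` tasks that write and restore it; the skopeo command in `push-image.yaml` then remains loggable as intended. The `auths: |` JSON block also lacks a comma between the `intermediate_registry.proxy_port` entry and the `buildset_registry.host` key, so as rendered it is not valid JSON and the merged value may end up as a string rather than a mapping; give that `{"auth": "..."}` line a trailing comma like the entry above it. In the `always:` section, when no config existed beforehand (`docker_config_stat.stat.exists` false) the restore writes a `{"auths": {}}` file that was not there originally; a `file: state: absent` branch for that case would leave the node as it was found.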