From 12709a1c8bdeb403b2518a1c6528a50dce49ae84 Mon Sep 17 00:00:00 2001
From: "James E. Blair" <jeblair@redhat.com>
Date: Thu, 31 Jan 2019 09:59:26 -0800
Subject: [PATCH] Run a docker registry for CI

Change-Id: If9669bb3286e25bb16ab09373e823b914b645f26
---
 .zuul.yaml                                    | 25 +++++++++
 inventory/groups.yaml                         |  2 +
 playbooks/base.yaml                           |  6 +++
 playbooks/group_vars/registry.yaml            |  1 +
 playbooks/roles/registry/README.rst           |  1 +
 .../files/registry-docker/docker-compose.yaml | 19 +++++++
 playbooks/roles/registry/tasks/main.yaml      | 40 ++++++++++++++
 playbooks/zuul/run-base.yaml                  |  1 +
 .../templates/group_vars/registry.yaml.j2     | 52 +++++++++++++++++++
 testinfra/test_registry.py                    | 21 ++++++++
 10 files changed, 168 insertions(+)
 create mode 100644 playbooks/group_vars/registry.yaml
 create mode 100644 playbooks/roles/registry/README.rst
 create mode 100644 playbooks/roles/registry/files/registry-docker/docker-compose.yaml
 create mode 100644 playbooks/roles/registry/tasks/main.yaml
 create mode 100644 playbooks/zuul/templates/group_vars/registry.yaml.j2
 create mode 100644 testinfra/test_registry.py

diff --git a/.zuul.yaml b/.zuul.yaml
index febcf8e462..f4b797c05b 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -476,6 +476,29 @@
       - testinfra/test_adns.py
       - testinfra/test_ns.py
 
+- job:
+    name: system-config-run-docker-registry
+    parent: system-config-run
+    description: |
+      Run the playbook for the docker registry.
+    nodeset:
+      nodes:
+        - name: bridge.openstack.org
+          label: ubuntu-bionic
+        - name: insecure-ci-registry01.opendev.org
+          label: ubuntu-bionic
+    host-vars:
+      insecure-ci-registry01.opendev.org:
+        host_copy_output:
+          '/var/registry/auth': logs
+          '/var/registry/certs': logs
+    files:
+      - .zuul.yaml
+      - playbooks/group_vars/registry.yaml
+      - playbooks/zuul/templates/group_vars/registry.yaml.j2
+      - playbooks/roles/registry/
+      - testinfra/test_registry.py
+
 - job:
     name: infra-prod-playbook
     description: |
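Review bot: The `host_copy_output` entries for `/var/registry/auth` and `/var/registry/certs` look like they publish the htpasswd file and the TLS private key with the job logs. That is acceptable only while the job runs with the throwaway values from playbooks/zuul/templates/group_vars/registry.yaml.j2. A comment above `host_copy_output` would make that explicit, for example `# Test fixtures only: these directories hold the CI password hash and key, never real secrets.` If the copy exists only for debugging, narrowing it to what is actually needed would avoid collecting the key at all.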
@@ -524,6 +547,7 @@
         - system-config-run-eavesdrop
         - system-config-run-nodepool
         - system-config-run-docker
+        - system-config-run-docker-registry
         - system-config-build-image-jinja-init
         - system-config-build-image-gitea-init
         - system-config-build-image-gitea
@@ -542,6 +566,7 @@
         - system-config-run-eavesdrop
         - system-config-run-nodepool
         - system-config-run-docker
+        - system-config-run-docker-registry
         - system-config-upload-image-jinja-init
         - system-config-upload-image-gitea-init
         - system-config-upload-image-gitea
diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index ffd76693c0..b9ff0d79e0 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -172,6 +172,8 @@ groups:
     - zk[0-9]*.open*.org
   refstack:
     - refstack*.open*.org
+  registry:
+    - insecure-ci-registry[0-9]*.opendev.org
   review-dev:
     - review-dev[0-9]*.open*.org
   review:
diff --git a/playbooks/base.yaml b/playbooks/base.yaml
index e70b9b2889..5b601943aa 100644
--- a/playbooks/base.yaml
+++ b/playbooks/base.yaml
@@ -57,3 +57,9 @@
   name: "Base: install and configure docker on docker hosts"
   roles:
     - install-docker
+
+- hosts: "registry:!disabled"
+  name: "Base: configure registry"
+  roles:
+    - install-docker
+    - registry
diff --git a/playbooks/group_vars/registry.yaml b/playbooks/group_vars/registry.yaml
new file mode 100644
index 0000000000..b4160e88d6
--- /dev/null
+++ b/playbooks/group_vars/registry.yaml
@@ -0,0 +1 @@
+registry_user: zuul
diff --git a/playbooks/roles/registry/README.rst b/playbooks/roles/registry/README.rst
new file mode 100644
index 0000000000..e69cc13e31
--- /dev/null
+++ b/playbooks/roles/registry/README.rst
@@ -0,0 +1 @@
+Install, configure, and run a Docker registry.
diff --git a/playbooks/roles/registry/files/registry-docker/docker-compose.yaml b/playbooks/roles/registry/files/registry-docker/docker-compose.yaml
new file mode 100644
index 0000000000..523b5c70dd
--- /dev/null
+++ b/playbooks/roles/registry/files/registry-docker/docker-compose.yaml
@@ -0,0 +1,19 @@
+# Version 2 is the latest that is supported by docker-compose in
+# Ubuntu Xenial.
+version: '2'
+
+services:
+  registry:
+    restart: always
+    image: registry:2
+    network_mode: host
+    environment:
+      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
+      REGISTRY_HTTP_TLS_KEY: /certs/domain.key
+      REGISTRY_AUTH: htpasswd
+      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+      REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+    volumes:
+      - /var/registry/data:/var/lib/registry
+      - /var/registry/certs:/certs
+      - /var/registry/auth:/auth
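Review bot: `REGISTRY_AUTH_HTPASSWD_PATH` is `/auth/htpasswd`, but tasks/main.yaml in this same patch writes `/var/registry/auth/htpassword`, which the volume mount exposes as `/auth/htpassword`. The registry is therefore pointed at a credentials file that is never created. Align the two names, for example `path: /var/registry/auth/htpasswd` in the task. Separately, `image: registry:2` is a floating tag, and pinning a specific version or digest would make the deployed registry reproducible. The header comment also mentions Ubuntu Xenial while the job nodes are labelled `ubuntu-bionic`.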
diff --git a/playbooks/roles/registry/tasks/main.yaml b/playbooks/roles/registry/tasks/main.yaml
new file mode 100644
index 0000000000..1121dff67e
--- /dev/null
+++ b/playbooks/roles/registry/tasks/main.yaml
@@ -0,0 +1,40 @@
+- name: Synchronize docker-compose directory
+  synchronize:
+    src: registry-docker/
+    dest: /etc/registry-docker/
+- name: Ensure registry volume directories exists
+  file:
+    state: directory
+    path: "/var/registry/{{ item }}"
+  loop:
+    - data
+    - certs
+    - auth
+- name: Install passlib
+  package:
+    name:
+      - python-passlib
+    state: present
+- name: Write htpassword file
+  htpasswd:
+    create: true
+    path: /var/registry/auth/htpassword
+    name: "{{ registry_user }}"
+    password: "{{ registry_password }}"
+- name: Write TLS private key
+  copy:
+    content: "{{ registry_tls_key }}"
+    dest: /var/registry/certs/domain.key
+- name: Write TLS certificate
+  copy:
+    content: "{{ registry_tls_cert }}{{ registry_tls_chain | default('') }}"
+    dest: /var/registry/certs/domain.crt
+- name: Install docker-compose
+  package:
+    name:
+      - docker-compose
+    state: present
+- name: Run docker-compose up
+  shell:
+    cmd: docker-compose up -d
+    chdir: /etc/registry-docker/
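Review bot: The `Write TLS private key` and `Write htpassword file` tasks set no `mode`, so the key and the password hashes get default permissions, which are typically world-readable. Adding `mode: '0600'` to both tasks, and a restrictive mode on the `certs` and `auth` directories, would limit them to the owner. This assumes the container process reads the mounted files as root, which should be confirmed for the image in use. `no_log: true` on the key task would also keep the key material out of verbose or diff output. As a smaller style point, the final `shell` task reports changed on every run, and `changed_when` would make the play's result meaningful.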
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index 0ff4c311a6..ebd45fafb0 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -61,6 +61,7 @@
         - group_vars/adns.yaml
         - group_vars/nodepool.yaml
         - group_vars/ns.yaml
+        - group_vars/registry.yaml
         - host_vars/bridge.openstack.org.yaml
     - name: Display group membership
       command: ansible localhost -m debug -a 'var=groups'
diff --git a/playbooks/zuul/templates/group_vars/registry.yaml.j2 b/playbooks/zuul/templates/group_vars/registry.yaml.j2
new file mode 100644
index 0000000000..bd38909e75
--- /dev/null
+++ b/playbooks/zuul/templates/group_vars/registry.yaml.j2
@@ -0,0 +1,52 @@
+registry_password: testpassword
+registry_tls_cert: |
+  -----BEGIN CERTIFICATE-----
+  MIIDXTCCAkWgAwIBAgIJAKnLZ+dUZQ6UMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+  BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+  aWRnaXRzIFB0eSBMdGQwHhcNMTkwMTMxMTc0ODE5WhcNMTkwMzAyMTc0ODE5WjBF
+  MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+  ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+  CgKCAQEA3IwbwpVkQGheW95MNkquuh7Y+/KIemlbyxQZILUiRt4R4kLT+MAI0F1z
+  u/cCErICNOeVBRXq6yZpTPH0UuBVpSpbFXhsxaW3ICmvevtEAw/EJZHqI8cjTcoa
+  oWoOQEDDr2sCnWDVpnnyuGIBk+Lajro6wy8teSeASJDmxexRKFaWRghrMUO2SKr2
+  pGdgJzcX6kRMzvfVFxNBQHp8tsiePCYX6ItA5GCckpY+Ry2wtP/+SDso3JB0FT9X
+  cwU+jwOgJ/qoilYzJj/t6qkAERn7068YOgkYF/lE6xc0u9WipGzmWfPhK/FtsWR0
+  m5AahsxSkbrNGEmXXD1MvrdDsgTZTQIDAQABo1AwTjAdBgNVHQ4EFgQUtkzdWtTK
+  4Ikk/YJGwMfO9543baMwHwYDVR0jBBgwFoAUtkzdWtTK4Ikk/YJGwMfO9543baMw
+  DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAUblwXaHPD15RkiIzvNIB
+  iYfinZZHV9zDolNMK4TaPh/e4rIzuqnDqaqt+JdgvLLWHpbmYoHEhawKx4zxq2ko
+  UsjRBFoH/MMvokCZiaePUMl0FgqCBgr5ExMM+ClTomTqDU/piEY8qEokiI+hsOKh
+  X38JQL1XrPiO56lutO6ZzsswTPsKx/jVAFGItmqg9qjjoo8klKRNcTBHRgCr7tRS
+  loxC6xb+4WxgNlnR1mFBHy/9TXh6awGFB5iR4vzmu0qPazmmz/ZuGgh64R2RE1e6
+  4RyZK/F5fqRZhU2E23CFF82sxrSxOfyvc6I+I7t+at4tWx/v0ButmDtpUfM6v+/i
+  gA==
+  -----END CERTIFICATE-----
+registry_tls_key: |
+  -----BEGIN PRIVATE KEY-----
+  MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcjBvClWRAaF5b
+  3kw2Sq66Htj78oh6aVvLFBkgtSJG3hHiQtP4wAjQXXO79wISsgI055UFFerrJmlM
+  8fRS4FWlKlsVeGzFpbcgKa96+0QDD8QlkeojxyNNyhqhag5AQMOvawKdYNWmefK4
+  YgGT4tqOujrDLy15J4BIkObF7FEoVpZGCGsxQ7ZIqvakZ2AnNxfqREzO99UXE0FA
+  eny2yJ48Jhfoi0DkYJySlj5HLbC0//5IOyjckHQVP1dzBT6PA6An+qiKVjMmP+3q
+  qQARGfvTrxg6CRgX+UTrFzS71aKkbOZZ8+Er8W2xZHSbkBqGzFKRus0YSZdcPUy+
+  t0OyBNlNAgMBAAECggEAAgF0LyzUoJFSalt3Lfc355FoP8JQ42wZ3ZrtL5L2INbc
+  KsaYzuZQLjTrXIY+ipT72CdS/5zXahQLWRvKMQbBQKNF+MgDlTiQlcZLRj8Ku0xl
+  aEIPcwvYkliILXedcZAlN28tsuiyiLULNAoQIZwqiKnA5w2CyFtHm2FV9+7SPh+n
+  I1i5OzG0rnvIdOIk+ENgZAePmNSTktkH1HBcHhBkWjInhrxpojWgsjdljmxj5/qk
+  QaPuCBDQ6wZeU4WQ2OiQCjzxRxA06681N06vjq23x/nxpw3gDncbT01vRCYkmXVX
+  xqL0IrypDFOWqdWeqKLUCDnzpzf3OtUodnsfc+JQAQKBgQD0oh+PxqoaupStYD98
+  GIMTNGuG2Ii77vw92i4b8pPL8lg4edl3boDMj+q+Z9zONrYdEddwzHjLS+v2jwbf
+  YPXtZGVDGcYBONtb+vyUmbJtS6SXbatSvqMwG2E6aZypLN2DC4qTQsG2GKtDiAEk
+  +KRuahXaegY7TVxJVXZ7TfhaTQKBgQDmy3xeB2fV48sk5kKVtTZQkBGhtsn8MiOb
+  rmDBqH9hf7UUT8tmZrp747QwDpZTuwvtHkF/XechH4nHKnui14q2tyJ9fauxHXHt
+  omZ26ECzmjMJ0bk2mUQjPVnQZ/PtnIZEY5MRDOzNgh1GzP5s2tUiacyEJ+BgAq99
+  jYL1fQ/7AQKBgQDFuUvdP2s5k1icEVD+kilPGm1WXimWDIFf1Lqz6ArBKq1XaFT2
+  jSAZNrE7GGOFYP8s28DP8NQpLMIZVFzvq0TajOyzoV9CmZvi6ifAS8HFSQBNTFzO
+  0jq/pUGensH6ksKvKmLkx24eKi4ytPiH01fDzoa/QSVMRSi0NRlAbDKxeQKBgQCk
+  KpAfblMc4LjKWYN5a/njmmcASb4pRxzvCz3F4u4g0y9h8FR1VZNGtrSgDnA9xOn5
+  07CxQYE7nWxqoDxrm7gOufutmeu7w38bko4h/JixaHjvfh+px6GhE23EgX0QQmt7
+  T/z3fuMeV3QtvXkowwwiO3F/e8HtaVudCkDiEACDAQKBgBZhje6z3COHW4Nt/oos
+  gYojwgF6YQHXvfKxm6jjps77ar80XeID5wvuGj1HUw8f0IpnY/oh4TH6ddelnbEI
+  a1ccBlsEu6roxKAEJKuIUbGwV8tlWeaw+f9CoP3VvmtBW4SqA7c76J/9wgmypotk
+  lLz/WCDkOWqGgPF2gkdW09NZ
+  -----END PRIVATE KEY-----
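Review bot: This template commits a fixed password and an RSA private key with nothing in the file marking them as CI-only fixtures. A header comment would reduce the chance of them being copied into real group_vars, for example `# TEST FIXTURE ONLY: throwaway password, certificate and key for the CI job; never reuse outside the test environment.` The embedded certificate also appears to be valid for only about 30 days, from 2019-01-31 to 2019-03-02 when the validity fields are decoded. It uses the default OpenSSL subject with no host name, so any later check that actually verifies TLS against it would fail. Generating the pair at job run time would avoid both the committed key and the expiry.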
diff --git a/testinfra/test_registry.py b/testinfra/test_registry.py
new file mode 100644
index 0000000000..e3277a649e
--- /dev/null
+++ b/testinfra/test_registry.py
@@ -0,0 +1,21 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+testinfra_hosts = ['insecure-ci-registry.opendev.org']
+
+
+def test_registry_listening(host):
+    registry = host.socket("tcp://0.0.0.0:5000")
+    assert registry.is_listening
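Review bot: `testinfra_hosts` names `insecure-ci-registry.opendev.org`, but the nodeset added in .zuul.yaml calls the node `insecure-ci-registry01.opendev.org`, so this test may never be matched to the registry host. It should read `testinfra_hosts = ['insecure-ci-registry01.opendev.org']`. The single check also only proves that something listens on port 5000, and it would still pass with authentication misconfigured or disabled. A second test asserting that an unauthenticated request to `/v2/` is rejected with 401 would cover the htpasswd wiring. The sketch below assumes curl is available on the node.

```python
testinfra_hosts = ['insecure-ci-registry01.opendev.org']

# … unchanged: test_registry_listening …


def test_registry_requires_auth(host):
    # -k because the CI certificate is self-signed
    cmd = host.run("curl -sk -o /dev/null -w '%{http_code}' "
                   "https://localhost:5000/v2/")
    assert cmd.stdout.strip() == '401'
```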