[CORD-717]
Install a SSL-secured docker registry on head node

Change-Id: I871073238669566b1789039d38b80180e21e6dec
diff --git a/prep-computenode-playbook.yml b/prep-computenode-playbook.yml
index d6beae9..caf016f 100644
--- a/prep-computenode-playbook.yml
+++ b/prep-computenode-playbook.yml
@@ -41,3 +41,14 @@
   roles:
     - compute-prep
 
+- name: Install docker and configure it
+  hosts: compute
+  roles:
+    - { role: docker-install, when: use_secure_docker_registry | default(True) }
+
+- name: Configure docker to use head docker registry
+  hosts: compute
+  become: yes
+  roles:
+    - { role: docker-registry-client, when: use_secure_docker_registry | default(True) }
+
diff --git a/prep-headnode-playbook.yml b/prep-headnode-playbook.yml
index eeaa972..baf9a43 100644
--- a/prep-headnode-playbook.yml
+++ b/prep-headnode-playbook.yml
@@ -28,11 +28,6 @@
     - common-prep
     - pki-install
 
-- name: Install docker and configure it
-  hosts: head
-  roles:
-    - docker-install
-
 - name: Configure network interfaces
   hosts: head
   become: yes
@@ -60,6 +55,18 @@
   roles:
     - { role: apt-cacher-ng, when: use_apt_cache | default(True) }
 
+- name: Install docker and configure it
+  hosts: head
+  roles:
+    - docker-install
+
+- name: Install docker registry, and configure docker client to use it
+  hosts: head
+  become: yes
+  roles:
+    - { role: docker-registry, when: use_secure_docker_registry | default(True) }
+    - { role: docker-registry-client, when: use_secure_docker_registry | default(True) }
+
 - name: Install apache proxy
   hosts: head
   become: yes
diff --git a/roles/dns-nsd/defaults/main.yml b/roles/dns-nsd/defaults/main.yml
index 6d8f415..fc5319b 100644
--- a/roles/dns-nsd/defaults/main.yml
+++ b/roles/dns-nsd/defaults/main.yml
@@ -54,6 +54,7 @@
       - { name: "cordloghost", dest: "{{ headnode_dns }}" }
       - { name: "consul", dest: "{{ headnode_dns }}" }
       - { name: "docker", dest: "{{ headnode_dns }}" }
+      - { name: "docker-registry", dest: "{{ headnode_dns }}" }
       - { name: "mavenrepo", dest: "{{ headnode_dns }}" }
       - { name: "ns", dest: "{{ headnode_dns }}" }
       - { name: "ns1", dest: "{{ headnode_dns }}" }
diff --git a/roles/docker-registry-client/defaults/main.yml b/roles/docker-registry-client/defaults/main.yml
new file mode 100644
index 0000000..83f7950
--- /dev/null
+++ b/roles/docker-registry-client/defaults/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry-client/defaults/main.yml
+
+pki_dir: "{{ playbook_dir }}/pki"
+
+# site name
+site_name: placeholder-sitename
+site_suffix: "{{ site_name }}.test"
+
+# docker registry
+docker_registry_ext_port: "5000"
+docker_registry: "docker-registry.{{ site_suffix }}:{{ docker_registry_ext_port }}"
+
diff --git a/roles/docker-registry-client/tasks/main.yml b/roles/docker-registry-client/tasks/main.yml
new file mode 100644
index 0000000..ce02d38
--- /dev/null
+++ b/roles/docker-registry-client/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry-client/tasks/main.yml
+# Configure a node to be able to access the docker registry
+
+- name: Create directories for registry access client SSL keys
+  file:
+    state: directory
+    dest: "{{ item }}"
+    owner: root
+    group: docker
+    mode: 0755
+  with_items:
+    - "/etc/docker/certs.d/"
+    - "/etc/docker/certs.d/{{ docker_registry }}"
+
+- name: Copy over registry access client SSL keys
+  copy:
+    src: "{{ item.src }}"
+    dest: "/etc/docker/certs.d/{{ docker_registry }}/{{ item.dest }}"
+    mode: "{{ item.mode }}"
+    owner: root
+    group: docker
+  with_items:
+    - src: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
+      dest: "ca.crt"
+      mode: "0444"
+    - src: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/dockerclient_cert_chain.pem"
+      dest: "client.cert"
+      mode: "0444"
+    - src: "{{ pki_dir }}/{{ site_name }}_im_ca/private/dockerclient_key.pem"
+      dest: "client.key"
+      mode: "0400"
+
diff --git a/roles/docker-registry/defaults/main.yml b/roles/docker-registry/defaults/main.yml
new file mode 100644
index 0000000..4c8491d
--- /dev/null
+++ b/roles/docker-registry/defaults/main.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry/defaults/main.yml
+
+pki_dir: "{{ playbook_dir }}/pki"
+credentials_dir: "{{ playbook_dir }}/credentials"
+
+# docker registry settings
+docker_registry_dir: "/var/lib/docker_registry"
+
+docker_registry_image: "registry:2"
+docker_registry_ext_port: "5000"
+
+docker_registry_http_secret: "{{ lookup('password', credentials_dir ~ '/docker_registry_http_secret chars=ascii_letters,digits,length=32') }}"
+
diff --git a/roles/docker-registry/tasks/main.yml b/roles/docker-registry/tasks/main.yml
new file mode 100644
index 0000000..103002b
--- /dev/null
+++ b/roles/docker-registry/tasks/main.yml
@@ -0,0 +1,66 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry/tasks/main.yml
+# Install a SSL secured (server and client cert) docker registry
+
+- name: Create docker registry directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: docker
+    mode: 0750
+  with_items:
+    - "{{ docker_registry_dir }}"
+    - "{{ docker_registry_dir }}/certs"
+    - "{{ docker_registry_dir }}/data"
+
+- name: Copy over SSL keys for the registry
+  copy:
+    src: "{{ item.src }}"
+    dest:  "{{ docker_registry_dir }}/certs/{{ item.dest }}"
+    mode: "{{ item.mode }}"
+    owner: root
+    group: docker
+  with_items:
+    - src: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
+      dest: "ca_cert.pem"
+      mode: "0444"
+    - src: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/docker-registry.{{ site_suffix }}_cert_chain.pem"
+      dest: "docker_registry.pem"
+      mode: "0444"
+    - src: "{{ pki_dir }}/{{ site_name }}_im_ca/private/docker-registry.{{ site_suffix }}_key.pem"
+      dest: "docker_registry_key.pem"
+      mode: "0440"
+
+- name: Pull the docker registry image
+  docker_image:
+    pull: True
+    name: "{{ docker_registry_image }}"
+
+- name: Create docker-compose file for running the registry
+  template:
+    src: docker-compose.yml.j2
+    dest: "{{ docker_registry_dir }}/docker-compose.yml"
+    owner: root
+    group: docker
+    mode: 0640
+
+- name: Start the docker registry
+  docker_service:
+    project_name: "cordreg"
+    project_src: "{{ docker_registry_dir }}/"
+
diff --git a/roles/docker-registry/templates/docker-compose.yml.j2 b/roles/docker-registry/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..a38bd7a
--- /dev/null
+++ b/roles/docker-registry/templates/docker-compose.yml.j2
@@ -0,0 +1,18 @@
+---
+version: '2'
+
+services:
+  registry:
+    restart: always
+    image: {{ docker_registry_image }}
+    ports:
+      - {{ docker_registry_ext_port }}:5000
+    environment:
+      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/docker_registry.pem
+      REGISTRY_HTTP_TLS_KEY: /certs/docker_registry_key.pem
+      REGISTRY_HTTP_TLS_CLIENTCAS: "[ '/certs/ca_cert.pem' ]"
+      REGISTRY_HTTP_SECRET: {{ docker_registry_http_secret }}
+    volumes:
+      - {{ docker_registry_dir }}/data:/var/lib/registry
+      - {{ docker_registry_dir }}/certs:/certs
+
diff --git a/roles/pki-cert/defaults/main.yml b/roles/pki-cert/defaults/main.yml
index e6af770..3ccdd6d 100644
--- a/roles/pki-cert/defaults/main.yml
+++ b/roles/pki-cert/defaults/main.yml
@@ -1,4 +1,4 @@
-
+---
 # Copyright 2017-present Open Networking Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,8 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
----
 # pki-cert/defaults/main.yml
 
 pki_dir: "{{ playbook_dir }}/pki"
@@ -45,5 +43,23 @@
       - "DNS:xos-core.{{ site_suffix }}"
       - "DNS:xos-core"
 
-client_certs: []
+# secure docker registry on head node
+  - cn: "docker-registry.{{ site_suffix }}"
+    subj: "{{ ssl_cert_subj_prefix }}/CN=docker-registry.{{ site_suffix }}"
+    altnames:
+      - "DNS:docker-registry.{{ site_suffix }}"
+      - "DNS:docker-registry"
+      - "DNS:registry.{{ site_suffix }}"
+      - "DNS:registry"
+
+client_certs:
+  - cn: "dockerclient"
+    subj: "{{ ssl_cert_subj_prefix }}/CN=dockerclient"
+    altnames:
+      - "email:dockerclient@{{ site_suffix }}"
+  - cn: "dockerbuildhost"
+    subj: "{{ ssl_cert_subj_prefix }}/CN=dockerbuildhost"
+    altnames:
+      - "email:dockerbuildhost@{{ site_suffix }}"
+