[CORD-717]
Install a SSL-secured docker registry on head node
Change-Id: I871073238669566b1789039d38b80180e21e6dec
diff --git a/prep-computenode-playbook.yml b/prep-computenode-playbook.yml
index d6beae9..caf016f 100644
--- a/prep-computenode-playbook.yml
+++ b/prep-computenode-playbook.yml
@@ -41,3 +41,14 @@
roles:
- compute-prep
+- name: Install docker and configure it
+ hosts: compute
+ roles:
+ - { role: docker-install, when: use_secure_docker_registry | default(True) }
+
+- name: Configure docker to use head docker registry
+ hosts: compute
+ become: yes
+ roles:
+ - { role: docker-registry-client, when: use_secure_docker_registry | default(True) }
+
diff --git a/prep-headnode-playbook.yml b/prep-headnode-playbook.yml
index eeaa972..baf9a43 100644
--- a/prep-headnode-playbook.yml
+++ b/prep-headnode-playbook.yml
@@ -28,11 +28,6 @@
- common-prep
- pki-install
-- name: Install docker and configure it
- hosts: head
- roles:
- - docker-install
-
- name: Configure network interfaces
hosts: head
become: yes
@@ -60,6 +55,18 @@
roles:
- { role: apt-cacher-ng, when: use_apt_cache | default(True) }
+- name: Install docker and configure it
+ hosts: head
+ roles:
+ - docker-install
+
+- name: Install docker registry, and configure docker client to use it
+ hosts: head
+ become: yes
+ roles:
+ - { role: docker-registry, when: use_secure_docker_registry | default(True) }
+ - { role: docker-registry-client, when: use_secure_docker_registry | default(True) }
+
- name: Install apache proxy
hosts: head
become: yes
diff --git a/roles/dns-nsd/defaults/main.yml b/roles/dns-nsd/defaults/main.yml
index 6d8f415..fc5319b 100644
--- a/roles/dns-nsd/defaults/main.yml
+++ b/roles/dns-nsd/defaults/main.yml
@@ -54,6 +54,7 @@
- { name: "cordloghost", dest: "{{ headnode_dns }}" }
- { name: "consul", dest: "{{ headnode_dns }}" }
- { name: "docker", dest: "{{ headnode_dns }}" }
+ - { name: "docker-registry", dest: "{{ headnode_dns }}" }
- { name: "mavenrepo", dest: "{{ headnode_dns }}" }
- { name: "ns", dest: "{{ headnode_dns }}" }
- { name: "ns1", dest: "{{ headnode_dns }}" }
diff --git a/roles/docker-registry-client/defaults/main.yml b/roles/docker-registry-client/defaults/main.yml
new file mode 100644
index 0000000..83f7950
--- /dev/null
+++ b/roles/docker-registry-client/defaults/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry-client/defaults/main.yml
+
+pki_dir: "{{ playbook_dir }}/pki"
+
+# site name
+site_name: placeholder-sitename
+site_suffix: "{{ site_name }}.test"
+
+# docker registry
+docker_registry_ext_port: "5000"
+docker_registry: "docker-registry.{{ site_suffix }}:{{ docker_registry_ext_port }}"
+
diff --git a/roles/docker-registry-client/tasks/main.yml b/roles/docker-registry-client/tasks/main.yml
new file mode 100644
index 0000000..ce02d38
--- /dev/null
+++ b/roles/docker-registry-client/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry-client/tasks/main.yml
+# Configure a node to be able to access the docker registry
+
+- name: Create directories for registry access client SSL keys
+ file:
+ state: directory
+ dest: "{{ item }}"
+ owner: root
+ group: docker
+ mode: 0755
+ with_items:
+ - "/etc/docker/certs.d/"
+ - "/etc/docker/certs.d/{{ docker_registry }}"
+
+- name: Copy over registry access client SSL keys
+ copy:
+ src: "{{ item.src }}"
+ dest: "/etc/docker/certs.d/{{ docker_registry }}/{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ owner: root
+ group: docker
+ with_items:
+ - src: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
+ dest: "ca.crt"
+ mode: "0444"
+ - src: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/dockerclient_cert_chain.pem"
+ dest: "client.cert"
+ mode: "0444"
+ - src: "{{ pki_dir }}/{{ site_name }}_im_ca/private/dockerclient_key.pem"
+ dest: "client.key"
+ mode: "0400"
+
diff --git a/roles/docker-registry/defaults/main.yml b/roles/docker-registry/defaults/main.yml
new file mode 100644
index 0000000..4c8491d
--- /dev/null
+++ b/roles/docker-registry/defaults/main.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry/defaults/main.yml
+
+pki_dir: "{{ playbook_dir }}/pki"
+credentials_dir: "{{ playbook_dir }}/credentials"
+
+# docker registry settings
+docker_registry_dir: "/var/lib/docker_registry"
+
+docker_registry_image: "registry:2"
+docker_registry_ext_port: "5000"
+
+docker_registry_http_secret: "{{ lookup('password', credentials_dir ~ '/docker_registry_http_secret chars=ascii_letters,digits,length=32') }}"
+
diff --git a/roles/docker-registry/tasks/main.yml b/roles/docker-registry/tasks/main.yml
new file mode 100644
index 0000000..103002b
--- /dev/null
+++ b/roles/docker-registry/tasks/main.yml
@@ -0,0 +1,66 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry/tasks/main.yml
+# Install a SSL secured (server and client cert) docker registry
+
+- name: Create docker registry directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: docker
+ mode: 0750
+ with_items:
+ - "{{ docker_registry_dir }}"
+ - "{{ docker_registry_dir }}/certs"
+ - "{{ docker_registry_dir }}/data"
+
+- name: Copy over SSL keys for the registry
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ docker_registry_dir }}/certs/{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ owner: root
+ group: docker
+ with_items:
+ - src: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
+ dest: "ca_cert.pem"
+ mode: "0444"
+ - src: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/docker-registry.{{ site_suffix }}_cert_chain.pem"
+ dest: "docker_registry.pem"
+ mode: "0444"
+ - src: "{{ pki_dir }}/{{ site_name }}_im_ca/private/docker-registry.{{ site_suffix }}_key.pem"
+ dest: "docker_registry_key.pem"
+ mode: "0440"
+
+- name: Pull the docker registry image
+ docker_image:
+ pull: True
+ name: "{{ docker_registry_image }}"
+
+- name: Create docker-compose file for running the registry
+ template:
+ src: docker-compose.yml.j2
+ dest: "{{ docker_registry_dir }}/docker-compose.yml"
+ owner: root
+ group: docker
+ mode: 0640
+
+- name: Start the docker registry
+ docker_service:
+ project_name: "cordreg"
+ project_src: "{{ docker_registry_dir }}/"
+
diff --git a/roles/docker-registry/templates/docker-compose.yml.j2 b/roles/docker-registry/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..a38bd7a
--- /dev/null
+++ b/roles/docker-registry/templates/docker-compose.yml.j2
@@ -0,0 +1,18 @@
+---
+version: '2'
+
+services:
+ registry:
+ restart: always
+ image: {{ docker_registry_image }}
+ ports:
+ - {{ docker_registry_ext_port }}:5000
+ environment:
+ REGISTRY_HTTP_TLS_CERTIFICATE: /certs/docker_registry.pem
+ REGISTRY_HTTP_TLS_KEY: /certs/docker_registry_key.pem
+ REGISTRY_HTTP_TLS_CLIENTCAS: "[ '/certs/ca_cert.pem' ]"
+ REGISTRY_HTTP_SECRET: {{ docker_registry_http_secret }}
+ volumes:
+ - {{ docker_registry_dir }}/data:/var/lib/registry
+ - {{ docker_registry_dir }}/certs:/certs
+
diff --git a/roles/pki-cert/defaults/main.yml b/roles/pki-cert/defaults/main.yml
index e6af770..3ccdd6d 100644
--- a/roles/pki-cert/defaults/main.yml
+++ b/roles/pki-cert/defaults/main.yml
@@ -1,4 +1,4 @@
-
+---
# Copyright 2017-present Open Networking Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,8 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-
----
# pki-cert/defaults/main.yml
pki_dir: "{{ playbook_dir }}/pki"
@@ -45,5 +43,23 @@
- "DNS:xos-core.{{ site_suffix }}"
- "DNS:xos-core"
-client_certs: []
+# secure docker registry on head node
+ - cn: "docker-registry.{{ site_suffix }}"
+ subj: "{{ ssl_cert_subj_prefix }}/CN=docker-registry.{{ site_suffix }}"
+ altnames:
+ - "DNS:docker-registry.{{ site_suffix }}"
+ - "DNS:docker-registry"
+ - "DNS:registry.{{ site_suffix }}"
+ - "DNS:registry"
+
+client_certs:
+ - cn: "dockerclient"
+ subj: "{{ ssl_cert_subj_prefix }}/CN=dockerclient"
+ altnames:
+ - "email:dockerclient@{{ site_suffix }}"
+ - cn: "dockerbuildhost"
+ subj: "{{ ssl_cert_subj_prefix }}/CN=dockerbuildhost"
+ altnames:
+ - "email:dockerbuildhost@{{ site_suffix }}"
+