[CORD-717]
Install a SSL-secured docker registry on head node
Change-Id: I871073238669566b1789039d38b80180e21e6dec
diff --git a/roles/docker-registry/defaults/main.yml b/roles/docker-registry/defaults/main.yml
new file mode 100644
index 0000000..4c8491d
--- /dev/null
+++ b/roles/docker-registry/defaults/main.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry/defaults/main.yml
+
+pki_dir: "{{ playbook_dir }}/pki"
+credentials_dir: "{{ playbook_dir }}/credentials"
+
+# docker registry settings
+docker_registry_dir: "/var/lib/docker_registry"
+
+docker_registry_image: "registry:2"
+docker_registry_ext_port: "5000"
+
+docker_registry_http_secret: "{{ lookup('password', credentials_dir ~ '/docker_registry_http_secret chars=ascii_letters,digits,length=32') }}"
+
diff --git a/roles/docker-registry/tasks/main.yml b/roles/docker-registry/tasks/main.yml
new file mode 100644
index 0000000..103002b
--- /dev/null
+++ b/roles/docker-registry/tasks/main.yml
@@ -0,0 +1,66 @@
+---
+# Copyright 2017-present Open Networking Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# docker-registry/tasks/main.yml
+# Install a SSL secured (server and client cert) docker registry
+
+- name: Create docker registry directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: docker
+ mode: 0750
+ with_items:
+ - "{{ docker_registry_dir }}"
+ - "{{ docker_registry_dir }}/certs"
+ - "{{ docker_registry_dir }}/data"
+
+- name: Copy over SSL keys for the registry
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ docker_registry_dir }}/certs/{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ owner: root
+ group: docker
+ with_items:
+ - src: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
+ dest: "ca_cert.pem"
+ mode: "0444"
+ - src: "{{ pki_dir }}/{{ site_name }}_im_ca/certs/docker-registry.{{ site_suffix }}_cert_chain.pem"
+ dest: "docker_registry.pem"
+ mode: "0444"
+ - src: "{{ pki_dir }}/{{ site_name }}_im_ca/private/docker-registry.{{ site_suffix }}_key.pem"
+ dest: "docker_registry_key.pem"
+ mode: "0440"
+
+- name: Pull the docker registry image
+ docker_image:
+ pull: True
+ name: "{{ docker_registry_image }}"
+
+- name: Create docker-compose file for running the registry
+ template:
+ src: docker-compose.yml.j2
+ dest: "{{ docker_registry_dir }}/docker-compose.yml"
+ owner: root
+ group: docker
+ mode: 0640
+
+- name: Start the docker registry
+ docker_service:
+ project_name: "cordreg"
+ project_src: "{{ docker_registry_dir }}/"
+
diff --git a/roles/docker-registry/templates/docker-compose.yml.j2 b/roles/docker-registry/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..a38bd7a
--- /dev/null
+++ b/roles/docker-registry/templates/docker-compose.yml.j2
@@ -0,0 +1,18 @@
+---
+version: '2'
+
+services:
+ registry:
+ restart: always
+ image: {{ docker_registry_image }}
+ ports:
+ - {{ docker_registry_ext_port }}:5000
+ environment:
+ REGISTRY_HTTP_TLS_CERTIFICATE: /certs/docker_registry.pem
+ REGISTRY_HTTP_TLS_KEY: /certs/docker_registry_key.pem
+ REGISTRY_HTTP_TLS_CLIENTCAS: "[ '/certs/ca_cert.pem' ]"
+ REGISTRY_HTTP_SECRET: {{ docker_registry_http_secret }}
+ volumes:
+ - {{ docker_registry_dir }}/data:/var/lib/registry
+ - {{ docker_registry_dir }}/certs:/certs
+