Add independent registry auth support #5128
Conversation
|
I have tested the logic of the new statements to ensure the auth file is placed in the suggested location. I have not yet tested to see if openshift will actually use this auth with a 3rd party registry. |
michaelgugino
force-pushed
the
reg-auth
branch
from
b765139 to
e6c0953
Compare
| path: "{{ registry_auth_credentials_path }}" | ||
| when: | ||
| - registry_auth_user is defined | ||
| - openshift_examples_modify_imagestreams | bool |
There was a problem hiding this comment.
Personally I think openshift_examples_modify_imagestreams have nothing with registry auth here.
There was a problem hiding this comment.
You could be right. Perhats registry_auth_user check is enough?
There was a problem hiding this comment.
Yeah I agree, only need the first condition.
| register: master_registry_auth_credentials_stat | ||
|
|
||
| - name: Create credentials for registry auth | ||
| command: "docker --config={{ registry_auth_credentials_path }} login -u {{ registry_auth_user }} -p {{ registry_auth_token }} {{ oreg_host }}" |
There was a problem hiding this comment.
where should user define registry_auth_user and registry_auth_token? In inventory host file?
There was a problem hiding this comment.
Personally I would put those values in a vault file in group_vars. You could also put those values in inventory, yes, if you don't mind your service account's username/password living in there. You can also pass those values via extra_vars.
There was a problem hiding this comment.
It is better to mention that in inventory/byo/hosts.ose.example, give some example to show user how to define registry_auth_user and registry_auth_token.
|
so, the code I committed executes as expected. Also somewhat as expected, openshift still does not try to auth or consume those credentials in any way: |
|
Looks like the instructions from bugzilla were close. I'm going to try to update the location of the .docker/config.json to /root to see if that works. On origin /root is the home dir. |
|
This is currently blocked on: openshift/origin#15880 |
michaelgugino
force-pushed
the
reg-auth
branch
from
e6c0953 to
a6b8b24
Compare
|
How to test: Currently blocked on 3.6, but works on 1.5. |
| @@ -19,3 +19,6 @@ r_openshift_master_os_firewall_allow: | |||
| - service: etcd embedded | |||
| port: 4001/tcp | |||
| cond: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}" | |||
|
|
|||
| registry_auth_credentials_path: "/var/lib/{{ openshift.common.service_type }}/.docker" | |||
There was a problem hiding this comment.
registry_auth_credentials_path: "{{ openshift.common.data_dir }}/.docker" instead? This should be pretty stable but that's the var we use elsewhere.
| path: "{{ registry_auth_credentials_path }}" | ||
| when: | ||
| - registry_auth_user is defined | ||
| - openshift_examples_modify_imagestreams | bool |
There was a problem hiding this comment.
Yeah I agree, only need the first condition.
inventory/byo/hosts.ose.example
Outdated
| # If oreg_url points to a registry requiring authentication, provide the following: | ||
| oreg_host: example.com:443 | ||
| registry_auth_user: some_user | ||
| registry_auth_token: 'my-token' |
There was a problem hiding this comment.
Just to ensure commonality with most of our variables what about openshift_registry_auth_host openshift_registry_auth_user and openshift_registry_auth_password instead? Password over token because it's more generic, for our use case where it's an openshift registry it happens to be a token but elsewhere it may just be a password.
There was a problem hiding this comment.
how about oreg_* as it matches the bits that we're modifying?
oreg_auth_password seems fine.
There was a problem hiding this comment.
Should not we get oreg_host from oreg_url? Seem like oreg_host is a little redundant.
There was a problem hiding this comment.
I thought about this. I feel it should actually be the other way around, but that's outside the scope of this PR.
I suppose this would also work in something like this:
oreg_url: somehost.com:443/somedir/registry/openshift3/{{ component }}/{{ version }}
oreg_host: somehost.com:443/somedir/registry
What's the best way to parse oreg_url to derive oreg_host in both situations?
Better situation is this:
oreg_host = somehost.example.com
oreg_url = {{ oreg_host }}/{{ oreg_suffix }}
But that would probably break existing users and would require some refactoring.
There was a problem hiding this comment.
There's a few places that parse oreg_url to get registry host.
registry_host: "{{ registry_url.split('/')[0] if '.' in registry_url.split('/')[0] else '' }}"
There was a problem hiding this comment.
Yes, and if someone's registry is sitting at example.com/myregistry (ie, it's sitting behind a reverse proxy or something of that nature) then this will break for this purpose. For example: https://docs.docker.com/registry/recipes/nginx/#setting-things-up
I'm happy to change it, but I think we're introducing a bug, and I think it's bad practice to split variables rather than combine them.
michaelgugino
force-pushed
the
reg-auth
branch
2 times, most recently
from
e3338f3 to
b0efbf6
Compare
openshift-bot
added
the
needs-rebase
michaelgugino
force-pushed
the
reg-auth
branch
from
b0efbf6 to
b5a7c96
Compare
openshift-bot
removed
the
needs-rebase
inventory/byo/hosts.ose.example
Outdated
| @@ -167,6 +167,13 @@ openshift_release=v3.6 | |||
| # modify image streams to point at that registry by setting the following to true | |||
| #openshift_examples_modify_imagestreams=true | |||
|
|
|||
| # If oreg_url points to a registry requiring authentication, provide the following: | |||
| oreg_auth_user=some_user | |||
| oreg_auth_password='my-pass' | |||
There was a problem hiding this comment.
Lets comment these and make it clear that you must set oreg_url for this to work, otherwise we don't have a registry host to log into. otherwise LGTM.
michaelgugino
force-pushed
the
reg-auth
branch
from
b5a7c96 to
de6ccdf
Compare
|
aos-ci-test |
|
[merge] |
|
Needs a release-3.6 branch backport too |
|
[test]ing while waiting on the merge queue |
|
aos-ci-test |
Added the ability to support authentication for independent / 3rd party registries. This commit will allow users to provide a `oreg_auth_user` and `oreg_auth_password` to dynmically generate a docker config.json file. The docker config.json file can be used by openshift to authenticate to independent / 3rd party registries. `oreg_host` must supply endpoint connection info in the form of 'hostname.com:port', with (optional) port 443 default. To update the config.json on a later run, the user can specify `oreg_auth_credentials_replace=False` to update the credentials. These settings must be used in tandem with `oreg_url` Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341
michaelgugino
force-pushed
the
reg-auth
branch
from
de6ccdf to
5815311
Compare
|
Evaluated for openshift ansible merge up to 5815311 |
|
Evaluated for openshift ansible test up to 5815311 |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_openshift_ansible/549/) (Base Commit: ca5ebcb) (PR Branch Commit: 5815311) |
|
continuous-integration/openshift-jenkins/merge FAILURE (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_openshift_ansible/940/) (Base Commit: 60d5448) (PR Branch Commit: 5815311) |
Added the ability to support authentication for independent / 3rd party
registries. This commit will allow users to provide a
oreg_auth_userandoreg_auth_passwordto dynmically generate a docker config.json file.The docker config.json file can be used by openshift to authenticate to
independent / 3rd party registries.
oreg_hostmust supply endpoint connectioninfo in the form of 'hostname.com:port', with (optional) port 443 default.
To update the config.json on a later run, the user can specify
oreg_auth_credentials_replace=Falseto update the credentials.These settings must be used in tandem with
oreg_urlFixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341