Stein: Re-enable container auth support

Squash of the revert of the revert + the fix

1) Revert "Revert "Add container engine authentication support""

This reverts commit ac5145c28d.

2) Convert the heat json format to a py dict

This change converts a heat json format option to a py dict within
a jinja expression.

Closes-Bug: #1835657
Related-Bug: #1833584
Change-Id: I4b44214cd7007dc31ad5f4e0a0d7a3a531a9f20e
Signed-off-by: Kevin Carter <kecarter@redhat.com>
(cherry picked from commit 6e07f2a767)
Emilien Macchi 2019-07-10 10:46:25 -04:00 committed by Alex Schultz
parent 691b18e71d
commit d6bd20d5b4
3 changed files with 81 additions and 1 deletions


@ -74,6 +74,23 @@ parameters:
description: Flag to disable docker reconfiguration during stack update.
tags:
- role_specific
ContainerImageRegistryLogin:
type: boolean
default: false
description: Flag to enable container registry login actions during the deployment.
Setting this to true will cause login calls to be performed during the
deployment.
ContainerImageRegistryCredentials:
type: json
hidden: true
default: {}
description: |
Mapping of image registry hosts to login credentials. Must be in the following example format
docker.io:
username: pa55word
'192.0.2.1:8787':
registry_username: password
SELinuxMode:
default: 'enforcing'
description: Configures SELinux mode
@ -143,9 +160,23 @@ outputs:
- selinux_enforcing
- true
- false
container_registry_login: {get_param: ContainerImageRegistryLogin}
# default that is overwritten by the heat -> dict conversion
container_registry_logins: {}
container_registry_logins_json: {get_param: ContainerImageRegistryCredentials}
- name: Convert logins json to dict
set_fact:
container_registry_logins: "{{ container_registry_logins_json | from_json }}"
when:
- container_registry_login | bool
- (container_registry_logins_json | length) > 0
- include_role:
name: container-registry
tasks_from: docker
- include_role:
name: container-registry
tasks_from: docker-login
when: container_registry_login|bool
service_config_settings:
neutron_l3:
docker_additional_sockets: {get_param: DockerAdditionalSockets}
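Review bot: The tasks that copy `ContainerImageRegistryCredentials` into Ansible facts (the fact `container_registry_logins_json` and the `Convert logins json to dict` task) carry no `no_log`, so the Heat parameter's `hidden: true` does not extend to the playbook. The decoded credentials can appear in task results when the run is verbose or its output is logged. Suggest adding `no_log: true` to the `Convert logins json to dict` task, and to the `set_fact` that sets `container_registry_logins_json` if its other facts do not need to be displayed; that `set_fact` starts outside the hunk. The same tasks are added in the second file of this commit, where the second condition is written `container_registry_logins_json | length) > 0` without the opening parenthesis and looks like it would fail to template.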


@ -36,6 +36,23 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
ContainerImageRegistryLogin:
type: boolean
default: false
description: Flag to enable container registry login actions during the deployment.
Setting this to true will cause login calls to be performed during the
deployment.
ContainerImageRegistryCredentials:
type: json
hidden: true
default: {}
description: |
Mapping of image registry hosts to login credentials. Must be in the following example format
docker.io:
username: pa55word
'192.0.2.1:8787':
registry_username: password
conditions:
insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
@ -50,12 +67,24 @@ outputs:
host_prep_tasks:
- name: Install and configure Podman
block: &install_and_configure_podman
- set_fact:
- name: Set login facts
set_fact:
container_registry_insecure_registries:
if:
- insecure_registry_is_empty
- []
- {get_param: DockerInsecureRegistryAddress}
container_registry_login: {get_param: ContainerImageRegistryLogin}
# default that is overwritten by the heat -> dict conversion
container_registry_logins: {}
container_registry_logins_json: {get_param: ContainerImageRegistryCredentials}
- name: Convert logins json to dict
set_fact:
container_registry_logins: "{{ container_registry_logins_json | from_json }}"
when:
- container_registry_login | bool
- container_registry_logins_json | length) > 0
- name: ensure podman and deps are installed
package:
name: podman
@ -76,6 +105,16 @@ outputs:
option: registries
value: "{{ container_registry_insecure_registries }}"
when: container_registry_insecure_registries | length > 0
- name: Perform container registry login(s)
shell: podman login --username=$REGISTRY_USERNAME --password=$REGISTRY_PASSWORD $REGISTRY
environment:
REGISTRY_USERNAME: "{{ lookup('dict', item.value).key }}"
REGISTRY_PASSWORD: "{{ lookup('dict', item.value).value }}"
REGISTRY: "{{ item.key }}"
loop: "{{ query('dict', container_registry_logins) }}"
when:
- container_registry_login | bool
- container_registry_logins
service_config_settings: {}
upgrade_tasks:
- block:
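Review bot: The `Perform container registry login(s)` task exposes the registry password in two places. The shell expands `--password=$REGISTRY_PASSWORD` before podman starts, so the secret is in the process arguments and readable from a process listing on the host while the login runs. The task also loops over `container_registry_logins` without `no_log`, so Ansible prints each `item` (registry host plus its username/password mapping) in the task output. Suggest adding `no_log: true` to the task and, where the installed podman supports it, passing the password on stdin with the variables quoted: `shell: printf '%s' "$REGISTRY_PASSWORD" | podman login --username="$REGISTRY_USERNAME" --password-stdin "$REGISTRY"`.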


@ -0,0 +1,10 @@
---
features:
- |
`ContainerImageRegistryLogin` has been added to indicate if login calls
should be issued by the container engine on deployment. The default is
set to `false`.
- |
Values specified in `ContainerImageRegistryCredentials` will now be used to
issue a login call when deploying the container engine on the hosts if
`ContainerImageRegistryLogin` is set to `true`