diff --git a/service-provider-setup/.gitignore b/service-provider-setup/.gitignore
index f727d47..0d0eae9 100644
--- a/service-provider-setup/.gitignore
+++ b/service-provider-setup/.gitignore
@@ -1,2 +1,3 @@
 dns-vars.yml
 k8s-vars.yml
+container-vars.yml
diff --git a/service-provider-setup/container-vars.example.yml b/service-provider-setup/container-vars.example.yml
new file mode 100644
index 0000000..643335e
--- /dev/null
+++ b/service-provider-setup/container-vars.example.yml
@@ -0,0 +1,3 @@
+container_registry_username: ""
+container_registry_password: ""
+container_registry_domain: ""
diff --git a/service-provider-setup/setup-container-registry.yml b/service-provider-setup/setup-container-registry.yml
new file mode 100644
index 0000000..ca81cfd
--- /dev/null
+++ b/service-provider-setup/setup-container-registry.yml
@@ -0,0 +1,63 @@
+- name: Setup container registry
+ hosts: "{{ target_host }}"
+
+ environment:
+ PATH: "{{ ansible_env.PATH }}:/home/{{ansible_user}}/bin"
+
+ vars_files:
+ - k8s-vars.yml
+ - container-vars.yml
+
+ tasks:
+ - name: Generate the spec file for the container-registry stack
+ template:
+ src: "./templates/container-registry.spec.j2"
+ dest: "{{ansible_env.HOME}}/container-registry.spec"
+
+ - name: Create a deployment for the container-registry stack
+ command: laconic-so --stack container-registry deploy create --deployment-dir container-registry --spec-file container-registry.spec
+
+ - name: Base64 encode the container registry credentials
+ set_fact:
+ b64_encoded_cred: "{{ (container_registry_username + ':' + container_registry_password) | b64encode }}"
+
+ - name: Encrypt the container registry credentials to create an htpasswd file
+ command: >
+ htpasswd -bB -c container-registry/configmaps/config/htpasswd
+ {{ container_registry_username }} {{ container_registry_password }}
+ register: htpasswd_file
+
+ - name: Read the htpasswd file
+ slurp:
+ src: "container-registry/configmaps/config/htpasswd"
+ register: htpasswd_file_content
+
+ - name: Extract the hashed password (after the colon)
+ set_fact:
+ hashed_password: "{{ (htpasswd_file_content.content | b64decode).split(':')[1] | trim }}"
+
+ - name: Create container-registry/my_password.json file
+ template:
+ src: "./templates/my_password.json.j2"
+ dest: "container-registry/my_password.json"
+
+ - name: Configure the file container-registry/config.env
+ copy:
+ dest: "container-registry/config.env"
+ content: |
+ REGISTRY_AUTH=htpasswd
+ REGISTRY_AUTH_HTPASSWD_REALM="{{org_id}} Service Provider Image Registry"
+ REGISTRY_AUTH_HTPASSWD_PATH="/config/htpasswd"
+ REGISTRY_HTTP_SECRET='{{ hashed_password }}'
+
+ - name: Add the container registry credentials as a secret available to the cluster
+ command: >
+ kubectl create secret generic laconic-registry
+
--from-file=.dockerconfigjson=container-registry/my_password.json
+ --type=kubernetes.io/dockerconfigjson
+ environment:
+ KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config-default.yaml"
+
+ - name: Deploy the container registry
+ command: >
+ laconic-so deployment --dir container-registry start
diff --git a/service-provider-setup/setup-k8s.yml b/service-provider-setup/setup-k8s.yml
index 2a1e262..1fe9a1c 100644
--- a/service-provider-setup/setup-k8s.yml
+++ b/service-provider-setup/setup-k8s.yml
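Review bot: The credential-handling tasks in this play run without `no_log: true`, so the plaintext `container_registry_password` reaches the playbook output and Ansible logs: the `htpasswd -bB` task embeds it on the command line (where it is also briefly visible in the host's process list), and the `set_fact` tasks for `b64_encoded_cred` and `hashed_password` print their values in verbose runs. Add `no_log: true` to the Base64, htpasswd, slurp, extract and `kubectl create secret` tasks. Separately, `REGISTRY_HTTP_SECRET='{{ hashed_password }}'` reuses the bcrypt hash that already sits in the htpasswd configmap as the registry's HTTP signing secret; these should be independent values, e.g. `REGISTRY_HTTP_SECRET='{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}'`, and a bcrypt hash additionally contains `$`, which some env-file consumers interpolate. `register: htpasswd_file` is never read and can be dropped, and `kubectl create secret` will fail on a second run because the secret already exists, so the play is not idempotent as written.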
@@ -83,32 +83,32 @@
 args:
 chdir: "{{ ansible_env.HOME }}/service-provider-template/host_vars"
- - name: Copy control-firewalld.yml.j2 to the remote VM
+ - name: Copy control-firewalld.yml to the remote VM
 template:
 src: ./templates/control-firewalld.yml.j2
 dest: "{{ ansible_env.HOME }}/service-provider-template/host_vars/{{ org_id }}-{{ location_id }}-cluster-control/firewalld.yml"
- - name: Copy daemon-firewalld.yml.j2 to the remote VM
+ - name: Copy daemon-firewalld.yml to the remote VM
 template:
 src: ./templates/daemon-firewalld.yml.j2
 dest: "{{ ansible_env.HOME }}/service-provider-template/host_vars/{{ org_id }}-daemon/firewalld.yml"
- - name: Copy nginx.yml.j2 to the remote VM
+ - name: Copy nginx.yml to the remote VM
 template:
 src: ./templates/nginx.yml.j2
 dest: "{{ ansible_env.HOME }}/service-provider-template/host_vars/{{ org_id }}-daemon/nginx.yml"
- - name: Copy hosts.j2 to the remote VM
+ - name: Copy hosts file to the remote VM
 template:
 src: ./templates/hosts.j2
 dest: "{{ ansible_env.HOME }}/service-provider-template/hosts"
- - name: Copy k8s.yml.j2 to the remote VM
+ - name: Copy k8s.yml to the remote VM
 template:
 src: ./templates/k8s.yml.j2
 dest: "{{ ansible_env.HOME }}/service-provider-template/group_vars/{{ org_id }}_{{ location_id }}/k8s.yml"
- - name: Copy wildcard-pwa-example.yml.j2 to the remote VM
+ - name: Copy wildcard-pwa-example.yml to the remote VM
 template:
 src: ./templates/wildcard-pwa-example.yml.j2
 dest: "{{ ansible_env.HOME }}/service-provider-template/files/manifests/wildcard-pwa-{{dns_domain}}.yaml"
diff --git a/service-provider-setup/templates/container-registry.spec.j2 b/service-provider-setup/templates/container-registry.spec.j2
new file mode 100644
index 0000000..4f55bae
--- /dev/null
+++ b/service-provider-setup/templates/container-registry.spec.j2
@@ -0,0 +1,16 @@
+stack: container-registry
+deploy-to: k8s
+kube-config: /home/{{ ansible_user }}/.kube/config-default.yaml
+network:
+ ports:
+ registry:
+ - '5000'
+ http-proxy:
+ - host-name: container-registry.pwa.{{dns_domain}}.com
+ routes:
+ - path: '/'
+ proxy-to: registry:5000
+volumes:
+ registry-data:
+configmaps:
+ config: ./configmaps/config
diff --git a/service-provider-setup/templates/my_password.json.j2 b/service-provider-setup/templates/my_password.json.j2
new file mode 100644
index 0000000..f48d47d
--- /dev/null
+++ b/service-provider-setup/templates/my_password.json.j2
@@ -0,0 +1,9 @@
+{
+ "auths": {
+ "{{container_registry_domain}}": {
+ "username": "{{ container_registry_username }}",
+ "password": "{{ hashed_password }}",
+ "auth": "{{ b64_encoded_cred }}"
+ }
+ }
+}
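Review bot: `kube-config: /home/{{ ansible_user }}/.kube/config-default.yaml` hardcodes the home directory, while the playbook's `KUBECONFIG` in setup-container-registry.yml uses `{{ ansible_env.HOME }}/.kube/config-default.yaml`; the two resolve differently whenever the remote user's home is not `/home/<user>`, so use `{{ ansible_env.HOME }}` here as well. The proxied `host-name: container-registry.pwa.{{dns_domain}}.com` is derived from `dns_domain`, whereas the pull secret in my_password.json.j2 is keyed by a separately supplied `container_registry_domain`; if the two values differ the cluster will not find credentials for this registry, so either derive one from the other or document in `container-vars.example.yml` that they must match. Whether appending `.com` to `dns_domain` is intended is not clear from this hunk — setup-k8s.yml uses `dns_domain` without a suffix.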
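Review bot: `"password": "{{ hashed_password }}"` stores the bcrypt hash taken from the htpasswd file where a plaintext password belongs; the hash is not a valid credential, and since `auth` already carries base64(`username:password`), which Docker-style config parsing decodes into the username and password, the `password` entry appears to be both wrong and redundant. Either drop the `username`/`password` keys and keep only `auth`, or set `"password": "{{ container_registry_password }}"` so the document is self-consistent. The values are also interpolated raw into JSON, so a password containing `"` or `\` yields an invalid document; `"password": {{ container_registry_password | to_json }}` (the filter emits the surrounding quotes and escapes itself) avoids that, and the same applies to the `username` and domain keys.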