Configure the projects

- some of the post deployment steps from registry.rdoproject.org
- configure the registry.distributed-ci.io

Closes #1

Change-Id: If32684ad4b6ed6e3614970d41d22c60d48da9623

doc/source/managing.rst

@@ -1,51 +1,12 @@
-Managing the registry
-=====================
+How to get the service account tokens:
+======================================
 
-.. warning:: This should eventually be automated, see
-             https://github.com/rdo-infra/rdo-container-registry/issues/1
+.. note:: These operation is done directly on the master
 
-.. note:: These operations are done directly on the master
+Retrieve service account token for image pushes (for CI and things like that)::
 
-::
-
-    # Grant superuser privileges to a user (doesn't require the user to login before applying)
-    oadm policy add-cluster-role-to-user cluster-admin dmsimard
-
-    # Create projects
-    oc new-project master \
-      --description="TripleO container images for trunk and continuous integration for OpenStack 'master'" \
-      --display-name="TripleO container images for 'master'"
-
-    oc new-project pike \
-      --description="TripleO container images for trunk and continuous integration for OpenStack 'pike'" \
-      --display-name="TripleO container images for 'pike'"
-
-    # Allow authenticated users to browse the projects
-    # Note:
-    #  - https://github.com/cockpit-project/cockpit/issues/6711
-    #  - https://github.com/openshift/origin/issues/14381
-    oc policy add-role-to-group registry-viewer system:authenticated -n master
-    oc policy add-role-to-group registry-viewer system:authenticated -n pike
-
-    # Allow unauthenticated users to pull images from the projects
-    # (Anonymous, public access to registry, not the actual console)
-    oc policy add-role-to-group registry-viewer system:unauthenticated -n master
-    oc policy add-role-to-group registry-viewer system:unauthenticated -n pike
-
-    # Create service account, make it admin of the projects
-    oc create serviceaccount tripleo.service -n default
-
-    # Add permissions for the service account to push and pull images
-    oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n master
-    oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n pike
-
-    # Retrieve service account token for image pushes, for example when doing CI
-    oc describe serviceaccount tripleo.service -n default
-    oc describe secret tripleo.service-token-<generated> -n default
-
-    # Create a service account with exclusive rights to image pruning
-    oc create serviceaccount rdo.pruner -n default
-    oadm policy add-cluster-role-to-user system:image-pruner system:serviceaccount:default:rdo.pruner -n default
+    oc describe serviceaccount tripleo.service -n tripleo
+    oc describe secret tripleo.service-token-<generated> -n tripleo
 
 More reading
 ~~~~~~~~~~~~

letsencrypt.sh

@@ -25,7 +25,7 @@ yum -y install git
 git clone https://github.com/letsencrypt/letsencrypt
 mkdir -p /tmp/letsencrypt
 
-for domain in registry.rdoproject.org trunk.registry.rdoproject.org console.registry.rdoproject.org
+for domain in registry.rdoproject.org trunk.registry.rdoproject.org console.registry.rdoproject.org registry.distributed-ci.io
 do
 letsencrypt/letsencrypt-auto --renew-by-default \
   -a standalone \

projects-creation.yml

@@ -0,0 +1,23 @@
+---
+#   Copyright Red Hat, Inc. All Rights Reserved.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+- name: Prepare the configuration of the OpenShift Standalone Registry
+  hosts: masters
+  become: yes
+  tasks:
+    - include_role:
+        name: projects-creation
+

roles/projects-creation/defaults/main.yml

@@ -0,0 +1,27 @@
+---
+#   Copyright Red Hat, Inc. All Rights Reserved.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+registry_admins:
+  - dmsimard
+  - jpena
+  - amoralej
+
+rdo_branches:
+  - master
+  - pike
+
+osp_branches:
+  - osp12

roles/projects-creation/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+#   Copyright Red Hat, Inc. All Rights Reserved.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+- name: Grant to cluster-admin privilege to the admin
+  oc_adm_policy_user:
+    user: '{{ item }}'
+    resource_kind: cluster-role
+    resource_name: cluster-admin
+    state: present
+  with_items: '{{ registry_admins }}'
+
+- name: Prepare the RDO configuration
+  include: rdo.yml
+
+- name: Prepare the OSP/DCI configuration
+  include: osp.yml

roles/projects-creation/tasks/osp.yml

@@ -0,0 +1,63 @@
+---
+#   Copyright Red Hat, Inc. All Rights Reserved.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+- name: create the OSP projects
+  oc_project:
+    state: present
+    name: 'rh{{ item }}'
+    display_name: 'Red Hat {{ item }} images'
+  with_items: '{{ osp_branches }}'
+
+- name: Create DCI service accounts
+  oc_serviceaccount:
+    state: present
+    name: "dci-registry-user-{{ item }}.service"
+    namespace: default
+  with_items: '{{ osp_branches }}'
+
+- name: Grant to DCI users the ability to read their OSP images
+  oc_adm_policy_user:
+    user: 'system:serviceaccount:default:dci-registry-user-{{ item }}.service'
+    resource_kind: role
+    resource_name: registry-viewer
+    state: present
+    namespace: 'rh{{ item }}'
+  with_items: '{{ osp_branches }}'
+
+- name: Create DCI admin service account
+  oc_serviceaccount:
+    state: present
+    name: dci-registry-admin.service
+    namespace: default
+
+- name: Grant to DCI admin service account the admin privileges for the OSP projects
+  oc_adm_policy_user:
+    user: system:serviceaccount:default:dci-registry-admin.service
+    resource_kind: role
+    resource_name: admin
+    state: present
+    namespace: 'rh{{ item }}'
+  with_items: '{{ osp_branches }}'
+
+- name: Configure the reencrypt route for DCI image registry
+  oc_route:
+    name: docker-registry-dci
+    namespace: default
+    service_name: docker-registry
+    tls_termination: 'reencrypt'
+    host: 'registry.distributed-ci.io'
+    cert_path: '/etc/letsencrypt/live/registry.distributed-ci.io/registry.distributed-ci.io-cert.pem'
+    key_path: '/etc/letsencrypt/live/registry.distributed-ci.io/registry.distributed-ci.io-privkey.pem'

roles/projects-creation/tasks/rdo.yml

@@ -0,0 +1,69 @@
+---
+#   Copyright Red Hat, Inc. All Rights Reserved.
+#
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+- name: create the TripleO project
+  oc_project:
+    state: present
+    name: '{{ item }}'
+    display_name: "TripleO {{ item }} container images"
+  with_items: '{{ rdo_branches }}'
+
+- name: create TripleO service account
+  oc_serviceaccount:
+    name: tripleo.service
+    namespace: default
+
+- name: Grant to tripleo.service the admin privileges for the TripleO projects
+  oc_adm_policy_user:
+    user: system:serviceaccount:default:tripleo.service
+    resource_kind: role
+    resource_name: admin
+    state: present
+    namespace: '{{ item }}'
+  with_items: '{{ rdo_branches }}'
+
+- name: create the rdo.pruner serviceaccount
+  oc_serviceaccount:
+    name: rdo.pruner
+    namespace: default
+
+- name: Grant to rdo.pruner the system:image-pruner super power!
+  oc_adm_policy_user:
+    user: system:serviceaccount:default:rdo.pruner
+    resource_kind: cluster-role
+    resource_name: system:image-pruner
+    state: present
+    namespace: default
+
+- name: Allow authenticated users to pull images from the TripleO projects
+  # Note: https://github.com/cockpit-project/cockpit/issues/6711
+  oc_adm_policy_group:
+    group: system:authenticated
+    resource_kind: role
+    resource_name: registry-viewer
+    state: present
+    namespace: '{{ item }}'
+  with_items: '{{ rdo_branches }}'
+
+- name: Allow unauthenticated users to browse the TripleO projects
+  oc_adm_policy_group:
+    group: system:unauthenticated
+    resource_kind: role
+    resource_name: registry-viewer
+    state: present
+    namespace: '{{ item }}'
+  with_items: '{{ rdo_branches }}'
+

run_tests.sh

@@ -14,7 +14,7 @@ function cleanup() {
 sudo ./mock-certs.sh
 
 # This runs on localhost but uses registry.rdoproject.org resources
-for host in registry.rdoproject.org console.registry.rdoproject.org trunk.registry.rdoproject.org
+for host in registry.rdoproject.org console.registry.rdoproject.org trunk.registry.rdoproject.org registry.distributed-ci.io
 do
     if ! grep -q "127.0.0.1 ${host}" /etc/hosts; then
         echo "127.0.0.1 ${host}" | sudo tee -a /etc/hosts
@@ -38,6 +38,8 @@ cleanup
 tox -e ansible-playbook -- -b -i hosts openshift-ansible/playbooks/byo/openshift-node/network_manager.yml -e "ansible_ssh_user=${USER}"
 cleanup
 tox -e ansible-playbook -- -b -i hosts openshift-ansible/playbooks/byo/config.yml -e "ansible_ssh_user=${USER}"
+cleanup
+tox -e ansible-playbook -- -b -i hosts projects-creation.yml -e "ansible_ssh_user=${USER}" -M openshift-ansible/roles/lib_openshift/library
 
 sudo oc get pods
 sudo oc get routes