diff --git a/doc/source/managing.rst b/doc/source/managing.rst
index cf409f3..887b5e6 100644
--- a/doc/source/managing.rst
+++ b/doc/source/managing.rst
@@ -1,51 +1,12 @@
-Managing the registry
-=====================
+How to get the service account tokens:
+======================================
-.. warning:: This should eventually be automated, see
- https://github.com/rdo-infra/rdo-container-registry/issues/1
+.. note:: These operation is done directly on the master
-.. note:: These operations are done directly on the master
+Retrieve service account token for image pushes (for CI and things like that)::
-::
-
- # Grant superuser privileges to a user (doesn't require the user to login before applying)
- oadm policy add-cluster-role-to-user cluster-admin dmsimard
-
- # Create projects
- oc new-project master \
- --description="TripleO container images for trunk and continuous integration for OpenStack 'master'" \
- --display-name="TripleO container images for 'master'"
-
- oc new-project pike \
- --description="TripleO container images for trunk and continuous integration for OpenStack 'pike'" \
- --display-name="TripleO container images for 'pike'"
-
- # Allow authenticated users to browse the projects
- # Note:
- # - https://github.com/cockpit-project/cockpit/issues/6711
- # - https://github.com/openshift/origin/issues/14381
- oc policy add-role-to-group registry-viewer system:authenticated -n master
- oc policy add-role-to-group registry-viewer system:authenticated -n pike
-
- # Allow unauthenticated users to pull images from the projects
- # (Anonymous, public access to registry, not the actual console)
- oc policy add-role-to-group registry-viewer system:unauthenticated -n master
- oc policy add-role-to-group registry-viewer system:unauthenticated -n pike
-
- # Create service account, make it admin of the projects
- oc create serviceaccount tripleo.service -n default
-
- # Add permissions for the service account to push and pull images
- oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n master
- oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n pike
-
- # Retrieve service account token for image pushes, for example when doing CI
- oc describe serviceaccount tripleo.service -n default
- oc describe secret tripleo.service-token- -n default
-
- # Create a service account with exclusive rights to image pruning
- oc create serviceaccount rdo.pruner -n default
- oadm policy add-cluster-role-to-user system:image-pruner system:serviceaccount:default:rdo.pruner -n default
+ oc describe serviceaccount tripleo.service -n tripleo
+ oc describe secret tripleo.service-token- -n tripleo
 More reading
 ~~~~~~~~~~~~
diff --git a/letsencrypt.sh b/letsencrypt.sh
index 703e8d0..b948e96 100755
--- a/letsencrypt.sh
+++ b/letsencrypt.sh
@@ -25,7 +25,7 @@ yum -y install git
 git clone https://github.com/letsencrypt/letsencrypt
 mkdir -p /tmp/letsencrypt
-for domain in registry.rdoproject.org trunk.registry.rdoproject.org console.registry.rdoproject.org
+for domain in registry.rdoproject.org trunk.registry.rdoproject.org console.registry.rdoproject.org registry.distributed-ci.io
 do
 letsencrypt/letsencrypt-auto --renew-by-default \
 -a standalone \
diff --git a/projects-creation.yml b/projects-creation.yml
new file mode 100644
index 0000000..52ef4a5
--- /dev/null
+++ b/projects-creation.yml
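Review bot: The new hostname `registry.distributed-ci.io` is now hard-coded in three places — this `for domain in` list, the `for host in` list in run_tests.sh and the `host:` of the `docker-registry-dci` route in roles/projects-creation/tasks/osp.yml — so the next domain added here is likely to be missed in one of the others. A single list of registry hostnames (for example a `DOMAINS=(...)` array in this script, with the same value handed to the playbook as a variable) would keep them in step. The loop body that invokes `letsencrypt-auto` continues past the end of the hunk.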
@@ -0,0 +1,23 @@
+---
+# Copyright Red Hat, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+- name: Prepare the configuration of the OpenShift Standalone Registry
+ hosts: masters
+ become: yes
+ tasks:
+ - include_role:
+ name: projects-creation
+
diff --git a/roles/projects-creation/defaults/main.yml b/roles/projects-creation/defaults/main.yml
new file mode 100644
index 0000000..ca8b12c
--- /dev/null
+++ b/roles/projects-creation/defaults/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright Red Hat, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+registry_admins:
+ - dmsimard
+ - jpena
+ - amoralej
+
+rdo_branches:
+ - master
+ - pike
+
+osp_branches:
+ - osp12
diff --git a/roles/projects-creation/tasks/main.yml b/roles/projects-creation/tasks/main.yml
new file mode 100644
index 0000000..00c301b
--- /dev/null
+++ b/roles/projects-creation/tasks/main.yml
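Review bot: The playbook depends on the `oc_*` modules from openshift-ansible's `lib_openshift` library, but nothing in the file says so; only the `-M openshift-ansible/roles/lib_openshift/library` flag added to run_tests.sh makes the tasks behind `include_role: projects-creation` resolvable. A header comment such as `# Requires the lib_openshift modules: run with -M openshift-ansible/roles/lib_openshift/library (or set ANSIBLE_LIBRARY)` would spare anyone running the playbook directly an unknown-module failure. The play also runs with `become: yes` on all `masters`, which is worth a one-line note on why root on the master is needed for `oc` here.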
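Review bot: `registry_admins` is the list that tasks/main.yml binds to the `cluster-admin` cluster role, yet it lives in `defaults/main.yml`, the lowest-precedence variable source, so any inventory group_vars, host_vars or `-e` value replaces the list silently and can bind cluster-admin to additional users. Unless overriding from inventory is intended, `vars/main.yml` (which inventory variables do not override) or an explicit comment marking the list as an override point would make the intent clear. Each variable also deserves a short comment, e.g. `# Users bound to cluster-admin on the registry cluster` above `registry_admins` and `# Branches that get a project, service account and public pull access` above `rdo_branches`.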
@@ -0,0 +1,29 @@
+---
+# Copyright Red Hat, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+- name: Grant to cluster-admin privilege to the admin
+ oc_adm_policy_user:
+ user: '{{ item }}'
+ resource_kind: cluster-role
+ resource_name: cluster-admin
+ state: present
+ with_items: '{{ registry_admins }}'
+
+- name: Prepare the RDO configuration
+ include: rdo.yml
+
+- name: Prepare the OSP/DCI configuration
+ include: osp.yml
diff --git a/roles/projects-creation/tasks/osp.yml b/roles/projects-creation/tasks/osp.yml
new file mode 100644
index 0000000..57825ea
--- /dev/null
+++ b/roles/projects-creation/tasks/osp.yml
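Review bot: The cluster-admin binding in the first task is additive only: `state: present` over `with_items: '{{ registry_admins }}'` adds every listed user but never removes one, so dropping a name from `registry_admins` leaves that user with cluster-admin until someone revokes it by hand. That deserves a comment on the task, e.g. `# Additive only: removing a user from registry_admins does not revoke cluster-admin; a second task with state: absent is needed for that`. The task name `Grant to cluster-admin privilege to the admin` reads oddly; `Grant cluster-admin to the registry admins` says what it does. `include:` is the pre-2.4 spelling; if the target Ansible is 2.4 or newer, `include_tasks:` is the non-deprecated form.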
@@ -0,0 +1,63 @@
+---
+# Copyright Red Hat, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+- name: create the OSP projects
+ oc_project:
+ state: present
+ name: 'rh{{ item }}'
+ display_name: 'Red Hat {{ item }} images'
+ with_items: '{{ osp_branches }}'
+
+- name: Create DCI service accounts
+ oc_serviceaccount:
+ state: present
+ name: "dci-registry-user-{{ item }}.service"
+ namespace: default
+ with_items: '{{ osp_branches }}'
+
+- name: Grant to DCI users the ability to read their OSP images
+ oc_adm_policy_user:
+ user: 'system:serviceaccount:default:dci-registry-user-{{ item }}.service'
+ resource_kind: role
+ resource_name: registry-viewer
+ state: present
+ namespace: 'rh{{ item }}'
+ with_items: '{{ osp_branches }}'
+
+- name: Create DCI admin service account
+ oc_serviceaccount:
+ state: present
+ name: dci-registry-admin.service
+ namespace: default
+
+- name: Grant to DCI admin service account the admin privileges for the OSP projects
+ oc_adm_policy_user:
+ user: system:serviceaccount:default:dci-registry-admin.service
+ resource_kind: role
+ resource_name: admin
+ state: present
+ namespace: 'rh{{ item }}'
+ with_items: '{{ osp_branches }}'
+
+- name: Configure the reencrypt route for DCI image registry
+ oc_route:
+ name: docker-registry-dci
+ namespace: default
+ service_name: docker-registry
+ tls_termination: 'reencrypt'
+ host: 'registry.distributed-ci.io'
+ cert_path: '/etc/letsencrypt/live/registry.distributed-ci.io/registry.distributed-ci.io-cert.pem'
+ key_path: '/etc/letsencrypt/live/registry.distributed-ci.io/registry.distributed-ci.io-privkey.pem'
diff --git a/roles/projects-creation/tasks/rdo.yml b/roles/projects-creation/tasks/rdo.yml
new file mode 100644
index 0000000..602888f
--- /dev/null
+++ b/roles/projects-creation/tasks/rdo.yml
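Review bot: The `docker-registry-dci` route takes its certificate and key from `/etc/letsencrypt/live/registry.distributed-ci.io/...` at the moment the play runs; as far as I know `oc_route` reads those files and stores their contents in the route object, so the renewal loop in letsencrypt.sh refreshes the files on disk but not the route, which keeps serving the old certificate until this play is re-applied. Either schedule a re-run after renewal or say so on the task: `# cert/key contents are copied into the route: re-run this play after letsencrypt renewal`. Minor: `name: "dci-registry-user-{{ item }}.service"` is the one double-quoted value in a file that single-quotes everywhere else, and the `rh{{ item }}` project prefix is repeated in three tasks where a single variable would do.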
@@ -0,0 +1,69 @@
+---
+# Copyright Red Hat, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+- name: create the TripleO project
+ oc_project:
+ state: present
+ name: '{{ item }}'
+ display_name: "TripleO {{ item }} container images"
+ with_items: '{{ rdo_branches }}'
+
+- name: create TripleO service account
+ oc_serviceaccount:
+ name: tripleo.service
+ namespace: default
+
+- name: Grant to tripleo.service the admin privileges for the TripleO projects
+ oc_adm_policy_user:
+ user: system:serviceaccount:default:tripleo.service
+ resource_kind: role
+ resource_name: admin
+ state: present
+ namespace: '{{ item }}'
+ with_items: '{{ rdo_branches }}'
+
+- name: create the rdo.pruner serviceaccount
+ oc_serviceaccount:
+ name: rdo.pruner
+ namespace: default
+
+- name: Grant to rdo.pruner the system:image-pruner super power!
+ oc_adm_policy_user:
+ user: system:serviceaccount:default:rdo.pruner
+ resource_kind: cluster-role
+ resource_name: system:image-pruner
+ state: present
+ namespace: default
+
+- name: Allow authenticated users to pull images from the TripleO projects
+ # Note: https://github.com/cockpit-project/cockpit/issues/6711
+ oc_adm_policy_group:
+ group: system:authenticated
+ resource_kind: role
+ resource_name: registry-viewer
+ state: present
+ namespace: '{{ item }}'
+ with_items: '{{ rdo_branches }}'
+
+- name: Allow unauthenticated users to browse the TripleO projects
+ oc_adm_policy_group:
+ group: system:unauthenticated
+ resource_kind: role
+ resource_name: registry-viewer
+ state: present
+ namespace: '{{ item }}'
+ with_items: '{{ rdo_branches }}'
+
diff --git a/run_tests.sh b/run_tests.sh
index 59fe4ef..bdc0160 100755
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -14,7 +14,7 @@ function cleanup() {
 sudo ./mock-certs.sh
 # This runs on localhost but uses registry.rdoproject.org resources
-for host in registry.rdoproject.org console.registry.rdoproject.org trunk.registry.rdoproject.org
+for host in registry.rdoproject.org console.registry.rdoproject.org trunk.registry.rdoproject.org registry.distributed-ci.io
 do
 if ! grep -q "127.0.0.1 ${host}" /etc/hosts; then
 echo "127.0.0.1 ${host}" | sudo tee -a /etc/hosts
@@ -38,6 +38,8 @@ cleanup
 tox -e ansible-playbook -- -b -i hosts openshift-ansible/playbooks/byo/openshift-node/network_manager.yml -e "ansible_ssh_user=${USER}"
 cleanup
 tox -e ansible-playbook -- -b -i hosts openshift-ansible/playbooks/byo/config.yml -e "ansible_ssh_user=${USER}"
+cleanup
+tox -e ansible-playbook -- -b -i hosts projects-creation.yml -e "ansible_ssh_user=${USER}" -M openshift-ansible/roles/lib_openshift/library
 sudo oc get pods
 sudo oc get routes
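Review bot: The last two tasks bind `registry-viewer` to `system:authenticated` and `system:unauthenticated` with names swapped relative to the removed managing.rst text (which had authenticated users browsing and unauthenticated users pulling), and more importantly the `system:unauthenticated` binding makes every image in the `rdo_branches` projects anonymously pullable without anything in the file saying that is deliberate. The note the docs used to carry belongs on that task: `# Intentional: anonymous, public pull access to the registry (not the console)`. The `tripleo.service` and `rdo.pruner` `oc_serviceaccount` tasks also omit `state: present`, unlike the equivalent tasks in osp.yml; adding it keeps the role consistent. Task names mix `create ...` and `Grant ...` capitalisation; one convention would read better.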