tripleo

need to be able to pull containers from registries requiring auth when using docker

Bug #1833584 reported by Alex Schultz
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Alex Schultz
tripleo train-2

Bug Description

We've recently added support for authentication when using podman, however we need to be able to use authenticated registries when using docker.

Alex Schultz (alex-schultz)
tags: added: queens-backport-potential rocky-backport-potential stein-backport-potential
removed: stei
Changed in tripleo:
assignee: nobody → Alex Schultz (alex-schultz)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ansible-role-container-registry (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/666644

OpenStack Infra (hudson-openstack)
Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to ansible-role-container-registry (master)

Reviewed: https://review.opendev.org/666644
Committed: https://git.openstack.org/cgit/openstack/ansible-role-container-registry/commit/?id=9bf5868d028638e4b265a740e272eb9fedc12489
Submitter: Zuul
Branch: master

commit 9bf5868d028638e4b265a740e272eb9fedc12489
Author: Alex Schultz <email address hidden>
Date: Thu Jun 20 10:45:28 2019 -0600

    Add docker login support

    We need to be able to perform a login prior to pulling containers from
    registries that require authentication.

    Change-Id: Ic3b720ba35db8e3f3f866cd31d9171e91b04a86c
    Related-Bug: #1833584

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/666646
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ea37ee6638b08375974ae3ceddd6dc136c67b983
Submitter: Zuul
Branch: master

commit ea37ee6638b08375974ae3ceddd6dc136c67b983
Author: Alex Schultz <email address hidden>
Date: Thu Jun 20 11:01:41 2019 -0600

    Add container engine authentication support

    We need to be able to run a docker or podman login during the
    deployment if the overcloud needs to pull images from an auth
    required container registry when deploying with docker. Add
    ContainerImageRegistryLogin as a flag to use
    ContainerImageRegistryCredentials to perform docker or podman logins
    when deploying.

    Closes-Bug: #1833584
    Change-Id: I98a527f363056767fea45ab4828ae61c01de20ca
    Depends-On: https://review.opendev.org/#/c/666644/

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/669222

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/stein)

Reviewed: https://review.opendev.org/669222
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=169f4ac83710916f801db278385a750306f9c8ea
Submitter: Zuul
Branch: stable/stein

commit 169f4ac83710916f801db278385a750306f9c8ea
Author: Alex Schultz <email address hidden>
Date: Thu Jun 20 11:01:41 2019 -0600

    Add container engine authentication support

    We need to be able to run a docker or podman login during the
    deployment if the overcloud needs to pull images from an auth
    required container registry when deploying with docker. Add
    ContainerImageRegistryLogin as a flag to use
    ContainerImageRegistryCredentials to perform docker or podman logins
    when deploying.

    Closes-Bug: #1833584
    Change-Id: I98a527f363056767fea45ab4828ae61c01de20ca
    (cherry picked from commit ea37ee6638b08375974ae3ceddd6dc136c67b983)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/670077

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/stein)

Related fix proposed to branch: stable/stein
Review: https://review.opendev.org/670082

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-quickstart (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/670083

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ansible-role-container-registry (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/670174

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to ansible-role-container-registry (master)

Reviewed: https://review.opendev.org/670174
Committed: https://git.openstack.org/cgit/openstack/ansible-role-container-registry/commit/?id=b295cc9aefc5b6635312067b4b399f20664d4412
Submitter: Zuul
Branch: master

commit b295cc9aefc5b6635312067b4b399f20664d4412
Author: Kevin Carter <email address hidden>
Date: Wed Jul 10 14:52:18 2019 -0500

    Covert lookup to query

    This change updates our loop so that it will expect a list.

    More on the query lookup can be seen here[0]

    [0] https://docs.ansible.com/ansible/2.6/plugins/lookup.html#invoking-lookup-plugins-with-query

    Change-Id: Id8bfea751a7239fd9be6e9dbbb5a0a700e29b64e
    Closes-Bug: #1835657
    Related-Bug: #1833584
    Signed-off-by: Kevin Carter <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/stein)

Reviewed: https://review.opendev.org/670082
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=d6bd20d5b46d7ede598e022f0d34814c8dbe8a66
Submitter: Zuul
Branch: stable/stein

commit d6bd20d5b46d7ede598e022f0d34814c8dbe8a66
Author: Emilien Macchi <email address hidden>
Date: Wed Jul 10 10:46:25 2019 -0400

    Stein: Re-enable container auth support

    Squash of the revert of the revert + the fix

    1) Revert "Revert "Add container engine authentication support""

    This reverts commit ac5145c28d02e54453ab69d32237ca2b81e2568c.

    2) Convert the heat json format to a py dict

    This change converts a heat json format option to a py dict within
    a jinja expresion.

    Closes-Bug: #1835657
    Related-Bug: #1833584
    Change-Id: I4b44214cd7007dc31ad5f4e0a0d7a3a531a9f20e
    Signed-off-by: Kevin Carter <email address hidden>
    (cherry picked from commit 6e07f2a7675b2dd8ff340a24823eb3808d2b07b3)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/670077
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=6e07f2a7675b2dd8ff340a24823eb3808d2b07b3
Submitter: Zuul
Branch: master

commit 6e07f2a7675b2dd8ff340a24823eb3808d2b07b3
Author: Kevin Carter <email address hidden>
Date: Wed Jul 10 09:28:07 2019 -0500

    Convert the heat json format to a py dict

    This change converts a heat json format option to a py dict within
    a jinja expresion.

    Closes-Bug: #1835657
    Related-Bug: #1833584
    Change-Id: I4b44214cd7007dc31ad5f4e0a0d7a3a531a9f20e
    Signed-off-by: Kevin Carter <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to ansible-role-container-registry (master)

Reviewed: https://review.opendev.org/670205
Committed: https://git.openstack.org/cgit/openstack/ansible-role-container-registry/commit/?id=1217799b1bef82dcd2a6c69eb795c398cbac0d1b
Submitter: Zuul
Branch: master

commit 1217799b1bef82dcd2a6c69eb795c398cbac0d1b
Author: Kevin Carter <email address hidden>
Date: Wed Jul 10 15:33:31 2019 -0500

    Add molecule testing

    This change adds molecule testing using a simple base job and pre|run playbooks.
    The test will be executed via a native zuul job and will ensure we're exercising
    all of the available code path's as provide by this role.

    Two molecule scenarios will be executed whenever any change is made to this role

    * default - runs through the typical main code path
    * login - tests a secure docker registry ensuring our login capabilities are
              never broken.

    Documentation in the readme has been added to show how local testing can be run.

    A bindep.txt file has been added to ensure zuul knows how to install our
    required base packages.

    Closes-Bug: #1835657
    Related-Bug: #1833584
    Change-Id: I48f74b69c5d29dce4a576fa96e79563a4b484469
    Signed-off-by: Kevin Carter <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/rocky)

Related fix proposed to branch: stable/rocky
Review: https://review.opendev.org/670349

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-quickstart (master)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.opendev.org/670083

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.opendev.org/670349
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=59e4b8140a22fadf5e7c8c2256cfee5c865755e1
Submitter: Zuul
Branch: stable/rocky

commit 59e4b8140a22fadf5e7c8c2256cfee5c865755e1
Author: Emilien Macchi <email address hidden>
Date: Wed Jul 10 10:46:25 2019 -0400

    Rocky: enable container auth support

    Squash of adding container enginene support and the subsequent fix

    1) Add container engine authentication support

    See I98a527f363056767fea45ab4828ae61c01de20ca. This is only the docker
    support as podman was added in Stein

    2) Convert the heat json format to a py dict

    This change converts a heat json format option to a py dict within
    a jinja expresion.

    Closes-Bug: #1835657
    Related-Bug: #1833584
    Change-Id: I4b44214cd7007dc31ad5f4e0a0d7a3a531a9f20e
    Signed-off-by: Kevin Carter <email address hidden>
    (cherry picked from commit 6e07f2a7675b2dd8ff340a24823eb3808d2b07b3)
    (cherry picked from commit d6bd20d5b46d7ede598e022f0d34814c8dbe8a66)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/670627

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Kevin Carter (cloudnull) (<email address hidden>) on branch: master
Review: https://review.opendev.org/670627

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 11.1.0

This issue was fixed in the openstack/tripleo-heat-templates 11.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/674956

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.opendev.org/674955
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=e3fae2b04a3e42cba88396e7abebb37f9978d81f
Submitter: Zuul
Branch: stable/queens

commit e3fae2b04a3e42cba88396e7abebb37f9978d81f
Author: Alex Schultz <email address hidden>
Date: Tue Aug 6 16:55:12 2019 -0600

    [queens only] Add registry login support

    Queens uses puppet to configure docker so we need to add support for
    logging into the registry in the puppet class itself.

    Change-Id: I8ca84798ba0e89cee9674dbe414de892d5d9e3f1
    Related-Bug: #1833584

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.opendev.org/674956
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ce0cc752d985b82ca52e6d7f769329486f68ccf7
Submitter: Zuul
Branch: stable/queens

commit ce0cc752d985b82ca52e6d7f769329486f68ccf7
Author: Alex Schultz <email address hidden>
Date: Tue Aug 6 16:41:25 2019 -0600

    [Queens] Enable container auth support

    In queens we didn't use the ansible-role-container-registry so we need
    to port the ansible logic that we use into puppet for the docker
    service configuration.

    Closes-Bug: #1833584
    Depends-On: https://review.opendev.org/#/c/670082/
    Change-Id: I5ee8f8b17ad3424a3bf9d4a420d6c65ab977c6b7

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.6.1

This issue was fixed in the openstack/tripleo-heat-templates 10.6.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.4.1

This issue was fixed in the openstack/tripleo-heat-templates 8.4.1 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.