commit f274e1391bbcf4802ac6370e48de9a021153db2e
Author: Tao Liu <email address hidden>
Date: Tue Oct 22 10:01:51 2019 -0400
Allow subcloud to use central-cloud's local registry
Update the dnsmasq config with the following change which allows
the subcloud to use central-cloud's local registry via the OAM
interface
- Add a CNAME record on central cloud which indicates the 'registry.central' is the 'controller'
- Add 'registry.central' domain to return the system controller
OAM IP address on subcloud
- Add docker registry and token server ports to OAM Firewall
- Add docker registry and token server entries in HAPROXY with
passthrough configuration
- Add 'registry.central' and the OAM IP into the docker registry
certificate SAN
- Configure the docker auth token realm URL using the public URL
encoded address
Test cases:
Non-DC:
1. AIO-Simplex: auto-install and provisioning
2. AIO-Duplex: auto-install and provisioning
3. Enable https and verify the haproxy configuration
4. Verify docker login to registry.local
DC:
1. System controller installation and configuration
2. AIO-Simplex subcloud bootstrapping without http proxy
3. AIO-Duplex subcloud bootstrapping with http proxy and the
docker registry override using the registry.central
4. Standard system (controller + worker) bootstrapping with the
docker registry override using the registry.central
5. On subcloud controller, pull an image from the registry.central
via the OAM interface, it also verifies the firewall change
6. On subcloud worker node, pull an image from the registry.central
7. Install a custom certificate during system controller bootstrap
and verified the subcloud bootstrapping using the registry.central
8. Install a new certificate in the central cloud
system certificate-install -m docker_registry <path to cert>
Install the customer_ca on the subclouds as a trusted ca
system certificate-install -m ssl_ca ca-cert.pem
Verified docker login to the registry.central
Depends-On: https://review.opendev.org/#/c/690084/
Change-Id: I22f88183200a5b16a62773efba520b19e3ebe725
Closes-Bug: 1846799
Signed-off-by: Tao Liu <email address hidden>
Reviewed: https://review.opendev.org/690086
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=f274e1391bbcf4802ac6370e48de9a021153db2e
Submitter: Zuul
Branch: master