Comment 7 for bug 1846799

OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/690086
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=f274e1391bbcf4802ac6370e48de9a021153db2e
Submitter: Zuul
Branch: master

commit f274e1391bbcf4802ac6370e48de9a021153db2e
Author: Tao Liu <email address hidden>
Date: Tue Oct 22 10:01:51 2019 -0400

    Allow subcloud to use central-cloud's local registry

    Update the dnsmasq config with the following change which allows
    the subcloud to use central-cloud's local registry via the OAM
    interface

     - Add a CNAME record on central cloud which indicates the
       'registry.central' is the 'controller'
     - Add 'registry.central' domain to return the system controller
       OAM IP address on subcloud
     - Add docker registry and token server ports to OAM Firewall
     - Add docker registry and token server entries in HAPROXY with
       passthrough configuration
     - Add 'registry.central' and the OAM IP into the docker registry
       certificate SAN
     - Configure the docker auth token realm URL using the public URL
       encoded address

    Test cases:
    Non-DC:
    1. AIO-Simplex: auto-install and provisioning
    2. AIO-Duplex: auto-install and provisioning
    3. Enable https and verify the haproxy configuration
    4. Verify docker login to registry.local
    DC:
    1. System controller installation and configuration
    2. AIO-Simplex subcloud bootstrapping without http proxy
    3. AIO-Duplex subcloud bootstrapping with http proxy and the
       docker registry override using the registry.central
    4. Standard system (controller + worker) bootstrapping with the
       docker registry override using the registry.central
    5. On subcloud controller, pull an image from the registry.central
       via the OAM interface, it also verifies the firewall change
    6. On subcloud worker node, pull an image from the registry.central
    7. Install a custom certificate during system controller bootstrap
       and verified the subcloud bootstrapping using the
       registry.central
    8. Install a new certificate in the central cloud
       system certificate-install -m docker_registry <path to cert>
       Install the customer_ca on the subclouds as a trusted ca
       system certificate-install -m ssl_ca ca-cert.pem
       Verified docker login to the registry.central

    Depends-On: https://review.opendev.org/#/c/690084/
    Change-Id: I22f88183200a5b16a62773efba520b19e3ebe725
    Closes-Bug: 1846799
    Signed-off-by: Tao Liu <email address hidden>
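
The SAN change and test case 8 above can be checked before a subcloud attempts `docker login`. The script below is an added example, not code from the stx-puppet change: it tests whether a registry certificate matches both `registry.central` and an OAM IP. The helper names and the address 10.10.10.2 are assumptions, the sample certificates are constructed throwaways, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from stx-puppet): verify a docker registry certificate
# covers the name and IP that subclouds use to reach the central registry.
# 10.10.10.2 is a constructed stand-in for the system controller OAM IP.

# cert_covers CERT_PEM DNS_NAME IP_ADDR
# Returns 0 only if the certificate matches BOTH the DNS name and the IP.
cert_covers() {
    out=$(openssl x509 -in "$1" -noout -checkhost "$2" -checkip "$3" 2>&1) \
        || return 2   # unreadable or malformed certificate
    # openssl prints "does match" / "does NOT match" per check and exits 0
    # either way, so the verdict has to be read from the output text.
    [ "$(printf '%s\n' "$out" | grep -c 'does match certificate')" -eq 2 ]
}

# make_sample_cert OUT_PEM SAN_LIST
# Constructed self-signed certificate for the demo; the key is discarded later.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=registry.local" -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# "new" mirrors the SAN described in the commit; "old" has only registry.local.
make_sample_cert "$tmp/new.pem" \
    "DNS:registry.local,DNS:registry.central,IP:10.10.10.2"
make_sample_cert "$tmp/old.pem" "DNS:registry.local"

for c in new old; do
    if cert_covers "$tmp/$c.pem" registry.central 10.10.10.2; then
        echo "$c.pem: SAN covers registry.central and the OAM IP"
    else
        echo "$c.pem: SAN is missing registry.central and/or the OAM IP"
    fi
done
```

A certificate that fails this check makes subcloud pulls fail TLS verification even when the CA is trusted, so it is worth running against the file passed to `system certificate-install -m docker_registry`.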