common: Support for container mirror CA certs 589/head
authorDavid Galloway <dgallowa@redhat.com>
Thu, 19 Nov 2020 01:57:35 +0000 (20:57 -0500)
committerDavid Galloway <dgallowa@redhat.com>
Thu, 19 Nov 2020 02:18:36 +0000 (21:18 -0500)
Signed-off-by: David Galloway <dgallowa@redhat.com>
roles/common/README.rst
roles/common/tasks/container_mirror.yml [new file with mode: 0644]
roles/common/tasks/main.yml
roles/common/vars/centos_7.yml [new file with mode: 0644]
roles/common/vars/centos_8.yml
roles/common/vars/redhat_7.yml
roles/common/vars/redhat_8.yml

index d6b80bc62784ea3ced0a684724089df101c853c4..382d8ee37f771c01428306fdd6eb650f285328fd 100644 (file)
@@ -79,6 +79,22 @@ tasks OS-agnostic.  They variables are mostly self-explanatory and defined in
       - nagios-nrpe-server
       - nagios-plugins-basic
 
+The following variables are used to optionally configure a dockerhub mirror CA
+certificate. The role will use `/etc/containers/certs.d` if it detects `podman`
+and `/etc/docker/certs.d` if it does not detect `podman` but detects `docker`::
+
+    # Defined in all.yml in secrets repo
+    container_mirror: docker-mirror.front.sepia.ceph.com:5000
+
+    # Defined in all.yml in secrets repo
+    container_mirror_cert: |
+      -----BEGIN CERTIFICATE-----
+      ...
+      -----END CERTIFICATE-----
+
+    # Defined in roles/common/vars/$distro_$version.yml or determined in roles/common/tasks/main.yml
+    container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
+
 Tags
 ++++
 
@@ -101,6 +117,9 @@ nagios
     applicable).  ``monitoring-scripts`` is also always run with this tag since
     NRPE isn't very useful without them.
 
+container-mirror
+    Put a (probably self-signed) certificate in place for an internal dockerhub mirror.
+
 To Do
 +++++
 
diff --git a/roles/common/tasks/container_mirror.yml b/roles/common/tasks/container_mirror.yml
new file mode 100644 (file)
index 0000000..87c7826
--- /dev/null
@@ -0,0 +1,25 @@
+---
+# Note that these tasks only put the CA certificate in place.
+# podman/docker installation is still handled in the testnodes repo because
+# we don't want podman/docker installed everywhere but we do want this cert
+# everywhere just in case.
+# For example we might not want docker/podman installed on infrahost01 but
+# we definitely need this cert installed on testnodes and infrahost0{2..5}.
+- name: Include encrypted variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ secrets_path }}/all.yml"
+    - empty.yml
+  no_log: true
+  tags:
+    - vars
+
+- name: "Create {{ container_mirror_cert_path }}"
+  file:
+    path: "{{ container_mirror_cert_path }}"
+    state: directory
+
+- name: "Copy {{ container_mirror }} self-signed cert"
+  copy:
+    dest: "{{ container_mirror_cert_path }}/docker-mirror.crt"
+    content: "{{ container_mirror_cert }}"
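Review bot: Neither the `file` task nor the `copy` task sets `mode` (or `owner`), so the permissions of `{{ container_mirror_cert_path }}` and `docker-mirror.crt` depend on the umask of the connecting user rather than being pinned by the role; `mode: "0755"` on the directory and `mode: "0644"` on the file make the result reproducible, and since this is a CA certificate rather than a private key, world-readable is the intended state. The file name `docker-mirror.crt` is hard-coded while the host:port directory is templated; as far as I know both docker and podman load every `*.crt` in that directory as a trust anchor, so this works, but a one-line comment saying so would save the next reader from wondering whether podman expects `ca.crt`. The task name calls it a self-signed cert while the README describes it as a CA certificate — pick one wording.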
index 3b62098223a97a5036d056b3c7cf991ed5268a5e..b8a65bf08d16f9b90a8f3ee9aaea5b339dddd89c 100644 (file)
@@ -13,6 +13,7 @@
     - vars
     # We need these vars for the entitlements tag to work
     - entitlements
+    - container-mirror
 
 # configure things specific to yum systems
 - import_tasks: yum_systems.yml
         (selinux_status is defined and selinux_status.stdout != "Disabled")
   tags:
     - nagios
+
+# We check for podman first because it was released after docker.
+# If we find podman, we should use its certs path.
+# Just because `docker` exists doesn't mean we're not using podman.
+- name: Check for podman
+  command: podman --version
+  register: check_for_podman
+  ignore_errors: true
+  when:
+    - container_mirror_cert_path is not defined
+    - container_mirror is defined
+    - container_mirror_cert is defined
+  tags:
+    - container-mirror
+
+- set_fact:
+    container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"
+  when:
+    - check_for_podman is success
+    - container_mirror is defined
+    - container_mirror_cert is defined
+  tags:
+    - container-mirror
+
+- name: Check for docker
+  command: docker --version
+  register: check_for_docker
+  ignore_errors: true
+  when:
+    - container_mirror_cert_path is not defined
+    - check_for_podman is not success
+    - container_mirror is defined
+    - container_mirror_cert is defined
+  tags:
+    - container-mirror
+
+- set_fact:
+    container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
+  when:
+    - check_for_docker is success
+    - check_for_podman is not success
+    - container_mirror is defined
+    - container_mirror_cert is defined
+  tags:
+    - container-mirror
+
+- import_tasks: container_mirror.yml
+  when:
+    - container_mirror is defined
+    - container_mirror_cert is defined
+    - container_mirror_cert_path is defined
+  tags:
+    - container-mirror
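Review bot: The `set_fact` that assigns `/etc/containers/certs.d/{{ container_mirror }}` can fire on hosts where `container_mirror_cert_path` was already supplied by the vars file, because the podman probe is then skipped and, as far as I know, Ansible's `success` test is simply `not failed`, which a skipped registered result satisfies; `set_fact` outranks role vars, so a CentOS 7 or RHEL 7 host whose vars say `/etc/docker/certs.d` would end up with the podman path. Adding `- check_for_podman is not skipped` to the first `set_fact` and `- check_for_docker is not skipped` to the second closes that gap (testing `check_for_podman.rc is defined and check_for_podman.rc == 0` works as well). The two `command` probes also report `changed` on every run and show a red failure whenever the binary is absent; `changed_when: false` and `failed_when: false` in place of `ignore_errors: true` keep the play output honest and still let the later conditions distinguish the outcomes. The nagios task this hunk opens in begins before the hunk, and the hunk header itself is not shown on the page.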
diff --git a/roles/common/vars/centos_7.yml b/roles/common/vars/centos_7.yml
new file mode 100644 (file)
index 0000000..8a1216b
--- /dev/null
@@ -0,0 +1,2 @@
+---
+container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
index 9af7db383b87daa63dc0f7d3d0d34ab0cc421961..81abb64a07b57b71f82fd8fa688a8950108d353a 100644 (file)
@@ -2,3 +2,5 @@
 nrpe_selinux_packages:
   - python3-libsemanage
   - python3-policycoreutils
+
+container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"
index a3855f1ae09c923b2d6acc107adadd36d0e51fbf..cad9fcdc350e70b094a0d104ad67e445fe615396 100644 (file)
@@ -4,3 +4,5 @@ rhsm_repos:
   - rhel-7-server-optional-rpms
   - rhel-7-server-extras-rpms
   - rhel-ha-for-rhel-7-server-rpms
+
+container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
index 534fd209eb22ee91acffe5c2b38865ac57eb69ce..dcbc52bd3e799b9dda2d08b1aa76594dd79b177b 100644 (file)
@@ -6,3 +6,5 @@ rhsm_repos:
 nrpe_selinux_packages:
   - python3-libsemanage
   - python3-policycoreutils
+
+container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"