From 0054b68e80369b93887a2e04351efbce8f682a9f Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Wed, 18 Nov 2020 20:57:35 -0500
Subject: [PATCH] common: Support for container mirror CA certs
Signed-off-by: David Galloway
---
 roles/common/README.rst | 19 +++++++++
 roles/common/tasks/container_mirror.yml | 25 ++++++++++++
 roles/common/tasks/main.yml | 54 +++++++++++++++++++++++++
 roles/common/vars/centos_7.yml | 2 +
 roles/common/vars/centos_8.yml | 2 +
 roles/common/vars/redhat_7.yml | 2 +
 roles/common/vars/redhat_8.yml | 2 +
 7 files changed, 106 insertions(+)
 create mode 100644 roles/common/tasks/container_mirror.yml
 create mode 100644 roles/common/vars/centos_7.yml
diff --git a/roles/common/README.rst b/roles/common/README.rst
index d6b80bc6..382d8ee3 100644
--- a/roles/common/README.rst
+++ b/roles/common/README.rst
@@ -79,6 +79,22 @@ tasks OS-agnostic. They variables are mostly self-explanatory and defined in
 - nagios-nrpe-server
 - nagios-plugins-basic
+The following variables are used to optionally configure a dockerhub mirror CA
+certificate. The role will use `/etc/containers/certs.d` if it detects `podman`
+and `/etc/docker/certs.d` if it does not detect `podman` but detects `docker`::
+ # Defined in all.yml in secrets repo
+ container_mirror: docker-mirror.front.sepia.ceph.com:5000
+ # Defined in all.yml in secrets repo
+ container_mirror_cert: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
+ # Defined in roles/common/vars/$distro_$version.yml or determined in roles/common/tasks/main.yml
+ container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
+
 Tags
 ++++
@@ -101,6 +117,9 @@ nagios
 applicable). ``monitoring-scripts`` is also always run with this tag since
 NRPE isn't very useful without them.
+container-mirror
+ Put a (probably self-signed) certificate in place for an internal dockerhub mirror.
+
 To Do
 +++++
diff --git a/roles/common/tasks/container_mirror.yml b/roles/common/tasks/container_mirror.yml
new file mode 100644
index 00000000..87c78268
--- /dev/null
+++ b/roles/common/tasks/container_mirror.yml
@@ -0,0 +1,25 @@
+---
+# Note that these tasks only put the CA certificate in place.
+# podman/docker installation is still handled in the testnodes repo because
+# we don't want podman/docker installed everywhere but we do want this cert
+# everywhere just in case.
+# For example we might not want docker/podman installed on infrahost01 but
+# we definitely need this cert installed on testnodes and infrahost0{2..5}.
+- name: Include encrypted variables
+ include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ secrets_path }}/all.yml"
+ - empty.yml
+ no_log: true
+ tags:
+ - vars
+- name: "Create {{ container_mirror_cert_path }}"
+ file:
+ path: "{{ container_mirror_cert_path }}"
+ state: directory
+- name: "Copy {{ container_mirror }} self-signed cert"
+ copy:
+ dest: "{{ container_mirror_cert_path }}/docker-mirror.crt"
+ content: "{{ container_mirror_cert }}"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 3b620982..b8a65bf0 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -13,6 +13,7 @@
 - vars
 # We need these vars for the entitlements tag to work
 - entitlements
+ - container-mirror
 # configure things specific to yum systems
 - import_tasks: yum_systems.yml
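Review bot: The `file` and `copy` tasks at the end of the hunk set no `owner`, `group` or `mode`, so the permissions of `{{ container_mirror_cert_path }}` and `docker-mirror.crt` are left to the remote umask; a `.crt` dropped under a registry's `certs.d` directory is trusted as a CA for that registry, so the file should be root-owned and not group- or world-writable. Add `owner: root`, `group: root` and `mode: "0644"` to the copy task and `mode: "0755"` to the directory task, which also makes the result identical across hosts with different umasks. Because `content` is rendered straight from the vault variable, `validate: openssl x509 -noout -in %s` on the copy task would reject an empty or mangled `container_mirror_cert` before it is installed (assuming openssl is present on the targets). The task name calls the file a self-signed cert while the header comment and the README call it a CA certificate; one wording, e.g. `- name: "Copy {{ container_mirror }} mirror CA cert"`, would avoid the confusion.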
@@ -60,3 +61,56 @@
 (selinux_status is defined and selinux_status.stdout != "Disabled")
 tags:
 - nagios
+
+# We check for podman first because it was released after docker.
+# If we find podman, we should use its certs path.
+# Just because `docker` exists doesn't mean we're not using podman.
+- name: Check for podman
+ command: podman --version
+ register: check_for_podman
+ ignore_errors: true
+ when:
+ - container_mirror_cert_path is not defined
+ - container_mirror is defined
+ - container_mirror_cert is defined
+ tags:
+ - container-mirror
+
+- set_fact:
+ container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"
+ when:
+ - check_for_podman is success
+ - container_mirror is defined
+ - container_mirror_cert is defined
+ tags:
+ - container-mirror
+
+- name: Check for docker
+ command: docker --version
+ register: check_for_docker
+ ignore_errors: true
+ when:
+ - container_mirror_cert_path is not defined
+ - check_for_podman is not success
+ - container_mirror is defined
+ - container_mirror_cert is defined
+ tags:
+ - container-mirror
+
+- set_fact:
+ container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
+ when:
+ - check_for_docker is success
+ - check_for_podman is not success
+ - container_mirror is defined
+ - container_mirror_cert is defined
+ tags:
+ - container-mirror
+
+- import_tasks: container_mirror.yml
+ when:
+ - container_mirror is defined
+ - container_mirror_cert is defined
+ - container_mirror_cert_path is defined
+ tags:
+ - container-mirror
diff --git a/roles/common/vars/centos_7.yml b/roles/common/vars/centos_7.yml
new file mode 100644
index 00000000..8a1216b6
--- /dev/null
+++ b/roles/common/vars/centos_7.yml
@@ -0,0 +1,2 @@
+---
+container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
diff --git a/roles/common/vars/centos_8.yml b/roles/common/vars/centos_8.yml
index 9af7db38..81abb64a 100644
--- a/roles/common/vars/centos_8.yml
+++ b/roles/common/vars/centos_8.yml
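Review bot: The `check_for_podman is success` guard on the first `set_fact` also fires when `Check for podman` was skipped, because, if I read Ansible's `success` test correctly, it only looks for a `failed` key and a skipped task's registered result has none. On the distros whose vars file already defines `container_mirror_cert_path` the check is skipped by its own `when`, so this `set_fact` would then overwrite the vars-provided value with the podman path (e.g. replacing the docker path from `centos_7.yml`), and the second `set_fact` is skipped for the same reason. Testing the command result directly avoids the ambiguity: `- check_for_podman.rc is defined and check_for_podman.rc == 0` on the first `set_fact`, and `- check_for_docker.rc is defined and check_for_docker.rc == 0` on the second. The two `command` probes also report `changed` on every run; `changed_when: false` on each keeps the role's reporting idempotent.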
@@ -2,3 +2,5 @@ nrpe_selinux_packages:
 - python3-libsemanage
 - python3-policycoreutils
+
+container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"
diff --git a/roles/common/vars/redhat_7.yml b/roles/common/vars/redhat_7.yml
index a3855f1a..cad9fcdc 100644
--- a/roles/common/vars/redhat_7.yml
+++ b/roles/common/vars/redhat_7.yml
@@ -4,3 +4,5 @@ rhsm_repos:
 - rhel-7-server-optional-rpms
 - rhel-7-server-extras-rpms
 - rhel-ha-for-rhel-7-server-rpms
+
+container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}"
diff --git a/roles/common/vars/redhat_8.yml b/roles/common/vars/redhat_8.yml
index 534fd209..dcbc52bd 100644
--- a/roles/common/vars/redhat_8.yml
+++ b/roles/common/vars/redhat_8.yml
@@ -6,3 +6,5 @@ rhsm_repos:
 nrpe_selinux_packages:
 - python3-libsemanage
 - python3-policycoreutils
+
+container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}"
--
2.47.3