From 9d3fbcf47e0beea81a40d23b448ccda908117d7d Mon Sep 17 00:00:00 2001 From: Dimitri Savineau Date: Tue, 10 Sep 2019 15:33:44 -0400 Subject: [PATCH] container: Allow to use registry authentication The registry.redhat.io regsitry requires authentication so before pulling the RHCS 4 container images from the registry we need to do the login step. This is done via the new ceph_docker_registry_auth variable. The default value is false but true for RHCS setup. When set to true, you need to provide the username and password for the registry via the associated variables. This patch also updates the ceph_docker_registry value for RHCS setup. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1748911 Signed-off-by: Dimitri Savineau (cherry picked from commit 9f4a99fb244a705b5f04a9e8ec911d425a4bd23f) --- group_vars/all.yml.sample | 1 + group_vars/rhcs.yml.sample | 11 ++++++----- rhcs_edits.txt | 11 ++++++----- roles/ceph-container-common/tasks/main.yml | 6 ++++++ roles/ceph-defaults/defaults/main.yml | 1 + roles/ceph-validate/tasks/main.yml | 9 ++++++++- 6 files changed, 28 insertions(+), 11 deletions(-) diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample index 0f54a0518..d0fdfa4e2 100644 --- a/group_vars/all.yml.sample +++ b/group_vars/all.yml.sample @@ -571,6 +571,7 @@ dummy: #ceph_docker_image: "ceph/daemon" #ceph_docker_image_tag: latest #ceph_docker_registry: docker.io +#ceph_docker_registry_auth: false ## Client only docker image - defaults to {{ ceph_docker_image }} #ceph_client_docker_image: "{{ ceph_docker_image }}" #ceph_client_docker_image_tag: "{{ ceph_docker_image_tag }}" diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample index a33f8ff8e..e9929ad0f 100644 --- a/group_vars/rhcs.yml.sample +++ b/group_vars/rhcs.yml.sample 
@@ -570,7 +570,8 @@ ceph_rhcs_version: 4
 #docker: false
 ceph_docker_image: "rhceph/rhceph-4-rhel8"
 ceph_docker_image_tag: "latest"
-ceph_docker_registry: "registry.access.redhat.com"
+ceph_docker_registry: "registry.redhat.io"
+ceph_docker_registry_auth: true
 ## Client only docker image - defaults to {{ ceph_docker_image }}
 #ceph_client_docker_image: "{{ ceph_docker_image }}"
 #ceph_client_docker_image_tag: "{{ ceph_docker_image_tag }}"
@@ -716,14 +717,14 @@ ceph_docker_registry: "registry.access.redhat.com"
 #dashboard_rgw_api_scheme: ''
 #dashboard_rgw_api_admin_resource: ''
 #dashboard_rgw_api_no_ssl_verify: False
-node_exporter_container_image: registry.access.redhat.com/openshift4/ose-prometheus-node-exporter:v4.1
+node_exporter_container_image: registry.redhat.io/openshift4/ose-prometheus-node-exporter:v4.1
 #node_exporter_port: 9100
 #grafana_admin_user: admin
 #grafana_admin_password: admin
 # We only need this for SSL (https) connections
 #grafana_crt: ''
 #grafana_key: ''
-grafana_container_image: registry.access.redhat.com/openshift4/ose-grafana:v4.1
+grafana_container_image: registry.redhat.io/openshift4/ose-grafana:v4.1
 #grafana_container_cpu_period: 100000
 #grafana_container_cpu_cores: 2
 # container_memory is in GB
@@ -736,7 +737,7 @@ grafana_container_image: registry.access.redhat.com/openshift4/ose-grafana:v4.1
 # - grafana-piechart-panel
 #grafana_allow_embedding: True
 #grafana_port: 3000
-prometheus_container_image: registry.access.redhat.com/openshift4/ose-prometheus:v4.1
+prometheus_container_image: registry.redhat.io/openshift4/ose-prometheus:v4.1
 #prometheus_container_cpu_period: 100000
 #prometheus_container_cpu_cores: 2
 # container_memory is in GB
@@ -745,7 +746,7 @@ prometheus_container_image: registry.access.redhat.com/openshift4/ose-prometheus
 #prometheus_conf_dir: /etc/prometheus
 #prometheus_user_id: '65534' # This is the UID used by the prom/prometheus container image
 #prometheus_port: 9090
-alertmanager_container_image: registry.access.redhat.com/openshift4/ose-prometheus-alertmanager:v4.1
+alertmanager_container_image: registry.redhat.io/openshift4/ose-prometheus-alertmanager:v4.1
 #alertmanager_container_cpu_period: 100000
 #alertmanager_container_cpu_cores: 2
 # container_memory is in GB
diff --git a/rhcs_edits.txt b/rhcs_edits.txt
index c2681dad7..9fba033c5 100644
--- a/rhcs_edits.txt
+++ b/rhcs_edits.txt
@@ -4,9 +4,10 @@ fetch_directory: ~/ceph-ansible-keys
 ceph_rhcs_version: 4
 ceph_docker_image: "rhceph/rhceph-4-rhel8"
 ceph_docker_image_tag: "latest"
-ceph_docker_registry: "registry.access.redhat.com"
-node_exporter_container_image: registry.access.redhat.com/openshift4/ose-prometheus-node-exporter:v4.1
-grafana_container_image: registry.access.redhat.com/openshift4/ose-grafana:v4.1
-prometheus_container_image: registry.access.redhat.com/openshift4/ose-prometheus:v4.1
-alertmanager_container_image: registry.access.redhat.com/openshift4/ose-prometheus-alertmanager:v4.1
+ceph_docker_registry: "registry.redhat.io"
+ceph_docker_registry_auth: true
+node_exporter_container_image: registry.redhat.io/openshift4/ose-prometheus-node-exporter:v4.1
+grafana_container_image: registry.redhat.io/openshift4/ose-grafana:v4.1
+prometheus_container_image: registry.redhat.io/openshift4/ose-prometheus:v4.1
+alertmanager_container_image: registry.redhat.io/openshift4/ose-prometheus-alertmanager:v4.1
 # END OF FILE, DO NOT TOUCH ME!
diff --git a/roles/ceph-container-common/tasks/main.yml b/roles/ceph-container-common/tasks/main.yml
index aff88656e..7859ec2e6 100644
--- a/roles/ceph-container-common/tasks/main.yml
+++ b/roles/ceph-container-common/tasks/main.yml
@@ -15,6 +15,12 @@ ceph_docker_version: "{{ ceph_docker_version.stdout.split(' ')[2] }}" when: container_binary == 'docker' +- name: container registry authentication + command: '{{ container_binary }} login -u {{ ceph_docker_registry_username }} -p {{ ceph_docker_registry_password }} {{ ceph_docker_registry }}' + changed_when: false + no_log: true + when: ceph_docker_registry_auth | bool + - name: include fetch_image.yml include_tasks: fetch_image.yml tags: fetch_container_image diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml index 27b7f650c..84a275720 100644 --- a/roles/ceph-defaults/defaults/main.yml +++ b/roles/ceph-defaults/defaults/main.yml @@ -563,6 +563,7 @@ docker: false ceph_docker_image: "ceph/daemon" ceph_docker_image_tag: latest ceph_docker_registry: docker.io +ceph_docker_registry_auth: false ## Client only docker image - defaults to {{ ceph_docker_image }} ceph_client_docker_image: "{{ ceph_docker_image }}" ceph_client_docker_image_tag: "{{ ceph_docker_image_tag }}" diff --git a/roles/ceph-validate/tasks/main.yml b/roles/ceph-validate/tasks/main.yml index 916503570..997fb57c1 100644 --- a/roles/ceph-validate/tasks/main.yml +++ b/roles/ceph-validate/tasks/main.yml @@ -116,4 +116,11 @@ fail: msg: "you must add at least one node in the [grafana-server] hosts group" when: groups[grafana_server_group_name] | length < 1 - when: dashboard_enabled | bool \ No newline at end of file + when: dashboard_enabled | bool + +- name: validate container registry credentials + fail: + msg: 'ceph_docker_registry_username and/or ceph_docker_registry_password variables need to be set' + when: + - ceph_docker_registry_auth | bool + - ceph_docker_registry_username is not defined or ceph_docker_registry_password is not defined -- 2.39.5
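Review bot: The `container registry authentication` task added to roles/ceph-container-common/tasks/main.yml passes the registry password as a command-line argument, `-p {{ ceph_docker_registry_password }}`. `no_log: true` keeps it out of Ansible's output, but the argument can still be read from the process list by other local users on the host while the login runs. Both docker and podman accept `--password-stdin`, so the command can end in `login -u {{ ceph_docker_registry_username }} --password-stdin {{ ceph_docker_registry }}`, with `args:` and `stdin: '{{ ceph_docker_registry_password }}'` added to the task. Feeding the secret on stdin also avoids the command module's word splitting breaking on a password that contains spaces or quotes.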
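Review bot: The new `ceph_docker_registry_auth: false` default in roles/ceph-defaults/defaults/main.yml is added without mentioning the two variables it depends on; nothing visible in this patch declares or documents `ceph_docker_registry_username` and `ceph_docker_registry_password`. A comment above the new line would help, for example `# When ceph_docker_registry_auth is true, set ceph_docker_registry_username and ceph_docker_registry_password (preferably from an Ansible Vault file)`. Leaving them undeclared keeps the `is not defined` check in ceph-validate meaningful, so a comment is a safer way to document them than empty defaults.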
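Review bot: In the `validate container registry credentials` task added to roles/ceph-validate/tasks/main.yml, the `is not defined` test lets through variables that are defined but empty. Because the login task runs with `no_log: true`, the resulting login failure would be censored in the play output and hard to diagnose. The second condition could also reject empty values, for example `- (ceph_docker_registry_username | default('') | length == 0) or (ceph_docker_registry_password | default('') | length == 0)`.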