Merge pull request #162 from ceph/mergify/bp/pacific/pr-145

playbooks: add new playbook 'cephadm-set-container-insecure-registries' (backport #145)
ceph · Sep 21, 2022 · dcb581a · dcb581a
2 parents db21743 + 5f5c22d
commit dcb581a
Show file tree

Hide file tree

Showing 5 changed files with 113 additions and 8 deletions.
diff --git a/cephadm-preflight.yml b/cephadm-preflight.yml
@@ -32,6 +32,9 @@
 # Then, you can run the the same way as shown above. The playbook will automatically install
 # chronyd and ceph-common on those nodes.
 
+- name: variables validations
+  ansible.builtin.import_playbook: validate/preflight.yml
+
 - hosts: all
   become: true
   gather_facts: true
@@ -40,14 +43,6 @@
       import_role:
         name: ceph_defaults
 
-    - name: fail when ceph_origin is custom with no repository defined
-      fail:
-        msg: "You must define 'ceph_custom_repositories' or 'custom_repo_url' when ceph_origin is 'custom'"
-      when:
-        - ceph_origin == 'custom'
-        - custom_repo_url is undefined
-        - ceph_custom_repositories is undefined
-
     - name: rhcs related tasks
       when: ceph_origin == 'rhcs'
       block:
@@ -165,3 +160,7 @@
         name: chronyd
         state: started
         enabled: yes
+
+- name: set insecure container registry in /etc/containers/registries.conf
+  ansible.builtin.import_playbook: cephadm-set-container-insecure-registries.yml
+  when: set_insecure_registries | default(false) | bool
diff --git a/cephadm-set-container-insecure-registries.yml b/cephadm-set-container-insecure-registries.yml
@@ -0,0 +1,36 @@
+---
+# Copyright Red Hat
+# SPDX-License-Identifier: Apache-2.0
+# Author: Guillaume Abrioux <[email protected]>
+#
+# Usage:
+#
+# ansible-playbook -i <inventory host file> cephadm-set-container-insecure-registries.yml -e insecure_registry=<registry url>
+#
+# eg:
+#
+# ansible-playbook -i hosts cephadm-set-container-insecure-registries.yml -e insecure_registry=localhost:5000
+
+- name: variables validations
+  ansible.builtin.import_playbook: validate/insecure-registries.yml
+
+- hosts: all
+  become: true
+  gather_facts: false
+  tasks:
+    - name: fail if insecure_registry is undefined
+      fail:
+        msg: "'insecure_registry' is undefined"
+      when: insecure_registry is undefined
+
+    - name: add registry as insecure registry in registries.conf
+      blockinfile:
+        path: "{{ registries_conf_path | default('/etc/containers/registries.conf') }}"
+        state: present
+        marker: "# {mark} cephadm-ansible managed : {{ insecure_registry }}"
+        create: yes
+        mode: '0644'
+        block: |
+          [[registry]]
+          location = '{{ insecure_registry }}'
+          insecure = true
diff --git a/doc/source/index.rst b/doc/source/index.rst
@@ -10,6 +10,7 @@ workflows that are not covered by [cephadm]_. They are covered by the following
 * cephadm-clients.yml: Setting up client hosts
 * cephadm-purge-cluster.yml: Remove a Ceph cluster
 * cephadm-distribute-ssh-key.yml: Distribute a SSH public key to all hosts
+* cephadm-set-container-insecure-registries.yml: Add a block in /etc/containers/registries.conf to add an insecure registry
 
 Additionnally, several ansible modules are provided in order to let people writing their own playbooks.
 
@@ -272,6 +273,37 @@ Example::
       file: ceph_shaman_build_x86_64
       priority: '2'
 
+set_insecure_registries
+~~~~~~~~~~~~~~~~~~~~~~~
+**description**
+  Whether ``cephadm-preflight.yml`` playbook will call ``cephadm-set-container-insecure-registries.yml`` to add an insecure registry in ``/etc/containers/registries.conf``.
+  ``insecure_registry`` option must be passed (-e insecure_registry=<registry url>)
+
+**default**
+  false
+
+cephadm-set-container-insecure-registries
+=========================================
+
+This playbook adds a block in ``/etc/containers/registries.conf`` in order to allow an insecure registry to be used.
+
+Usage::
+
+   ansible-playbook -i <inventory host file> cephadm-set-container-insecure-registries.yml -e insecure_registry=<registry url>
+
+
+
+Options
++++++++
+
+insecure_registry
+~~~~~~~~~~~~~~~~~
+**description**
+  The address of the insecure registry to be added to ``/etc/containers/registries.conf``.
+
+**default**
+  No default.
+
 cephadm-distribute-ssh-key
 ==========================
 

diff --git a/validate/insecure-registries.yml b/validate/insecure-registries.yml
@@ -0,0 +1,15 @@
+---
+# Copyright Red Hat
+# SPDX-License-Identifier: Apache-2.0
+# Author: Guillaume Abrioux <[email protected]>
+
+- hosts: localhost
+  become: false
+  gather_facts: false
+  tasks:
+    - name: fail if insecure_registry is undefined
+      fail:
+        msg: "'insecure_registry' is undefined, it must be set when 'set_insecure_registries' is 'true'."
+      when:
+        - set_insecure_registries | default(false) | bool
+        - insecure_registry is undefined
diff --git a/validate/preflight.yml b/validate/preflight.yml
@@ -0,0 +1,23 @@
+---
+# Copyright Red Hat
+# SPDX-License-Identifier: Apache-2.0
+# Author: Guillaume Abrioux <[email protected]>
+
+- ansible.builtin.import_playbook: insecure-registries.yml
+  when: set_insecure_registries | default(false) | bool
+
+- hosts: localhost
+  become: false
+  gather_facts: false
+  tasks:
+    - name: import_role ceph_defaults
+      import_role:
+        name: ceph_defaults
+
+    - name: fail when ceph_origin is custom with no repository defined
+      fail:
+        msg: "You must define 'ceph_custom_repositories' or 'custom_repo_url' when ceph_origin is 'custom'"
+      when:
+        - ceph_origin == 'custom'
+        - custom_repo_url is undefined
+        - ceph_custom_repositories is undefined