ansible/playbooks/groups/oci-registry.yml

# create an osbs server
- import_playbook:  "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=oci_registry:oci_registry_stg"

- name: make the box be real
  hosts: oci_registry:oci_registry_stg
  user: root
  gather_facts: True

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
  - base
  - rkhunter
  - nagios_client
  - hosts
  - fas_client
  - collectd/base
  - rsyncd
  - sudo
  - { role: openvpn/client,
      when: env != "staging" }
  - { role: nfs/client,
      mnt_dir: '/srv/registry',
      nfs_src_dir: "oci_registry",
      when: "env != 'staging' or 'candidate' not in inventory_hostname" }

  pre_tasks:
  - name: Create /srv/registry on staging and candidate since it does not use NFS
    file:
      path: /srv/registry
      state: directory
      owner: root
      group: root
      mode: 0755
    when: "env == 'staging' or 'candidate' not in inventory_hostname"
  - import_tasks: "{{ tasks_path }}/yumrepos.yml"

  tasks:
  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
  - import_tasks: "{{ tasks_path }}/motd.yml"

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

- name: setup docker distribution registry
  hosts: oci_registry:oci_registry_stg
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml


  # NOTE: tls is disabled for docker-distribution because we are listening only
  #       on localhost and all external connections will be through httpd which
  #       will be SSL enabled.
  roles:
    - {
      role: docker-distribution,
        conf_path: "/etc/docker-distribution/registry/config.yml",
        tls: {
          enabled: False,
        },
        log: {
          fields: {
            service: "registry"
          }
        },
        storage: {
          filesystem: {
            rootdirectory: "/srv/registry"
          }
        },
        http: {
          addr: ":5000"
        }
      }

    # Setup compose-x86-01 push docker images to registry
    - {
      role: push-docker,
        candidate_registry: "candidate-registry.stg.fedoraproject.org",
        candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}",
        candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}",
      when: env == "staging",
      delegate_to: compose-x86-01.phx2.fedoraproject.org
    }
    - {
      role: push-docker,
        candidate_registry: "candidate-registry.fedoraproject.org",
        candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}",
        candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}",
      when: env == "production",
      delegate_to: compose-x86-01.phx2.fedoraproject.org
    }
and away we go 2016-03-14 23:43:00 +00:00			`# create an osbs server`
ansible: fix -- mistake for import_playbook Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2019-05-20 18:23:42 +00:00			`- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=oci_registry:oci_registry_stg"`
and away we go 2016-03-14 23:43:00 +00:00
			`- name: make the box be real`
ansible: Change all our group names from foo-bar to foo_bar or foo-bar-baz to foo_bar_baz In ansible 2.8 the - character isn't supposed to be valid in group names. While we could override this, might has well just bite the bullet and change it. So, just switch all group names to use _ instead of - Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2019-05-20 17:36:07 +00:00			`hosts: oci_registry:oci_registry_stg`
and away we go 2016-03-14 23:43:00 +00:00			`user: root`
			`gather_facts: True`

			`vars_files:`
			`- /srv/web/infra/ansible/vars/global.yml`
			`- "/srv/private/ansible/vars.yml"`
			`- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`

			`roles:`
			`- base`
			`- rkhunter`
and this is how you break everything before going on a week vacation 2017-05-05 22:12:33 +00:00			`- nagios_client`
and away we go 2016-03-14 23:43:00 +00:00			`- hosts`
			`- fas_client`
			`- collectd/base`
			`- rsyncd`
			`- sudo`
Add vpn rol to registry Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-07-12 17:19:38 +00:00			`- { role: openvpn/client,`
			`when: env != "staging" }`
add NFS to oci Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2018-10-04 15:31:12 +00:00			`- { role: nfs/client,`
			`mnt_dir: '/srv/registry',`
			`nfs_src_dir: "oci_registry",`
OCI registry: do not use the NFS mount in staging or candidate. Fixes #https://pagure.io/fedora-infrastructure/issue/8507 Signed-off-by: Clement Verna <cverna@tutanota.com> 2020-01-07 20:50:31 +01:00			`when: "env != 'staging' or 'candidate' not in inventory_hostname" }`
and away we go 2016-03-14 23:43:00 +00:00
make yumrepos be a pre_task Signed-off-by: Ricky Elrod <relrod@redhat.com> 2018-04-01 22:18:56 +00:00			`pre_tasks:`
OCI registry: do not use the NFS mount in staging or candidate. Fixes #https://pagure.io/fedora-infrastructure/issue/8507 Signed-off-by: Clement Verna <cverna@tutanota.com> 2020-01-07 20:50:31 +01:00			`- name: Create /srv/registry on staging and candidate since it does not use NFS`
Give the staging registry a dir to use for local storage. We decided not to use NFS storage for the staging registry, so I am adding a /srv/registry directory to simulate having the same path that we would have on the production registry. Signed-off-by: Randy Barlow <randy@electronsweatshop.com> 2018-10-04 17:41:47 +00:00			`file:`
			`path: /srv/registry`
			`state: directory`
			`owner: root`
			`group: root`
			`mode: 0755`
OCI registry: do not use the NFS mount in staging or candidate. Fixes #https://pagure.io/fedora-infrastructure/issue/8507 Signed-off-by: Clement Verna <cverna@tutanota.com> 2020-01-07 20:50:31 +01:00			`when: "env == 'staging' or 'candidate' not in inventory_hostname"`
switch all the include tasks to import tasks 2017-10-17 17:37:03 +00:00			`- import_tasks: "{{ tasks_path }}/yumrepos.yml"`
make yumrepos be a pre_task Signed-off-by: Ricky Elrod <relrod@redhat.com> 2018-04-01 22:18:56 +00:00
			`tasks:`
switch all the include tasks to import tasks 2017-10-17 17:37:03 +00:00			`- import_tasks: "{{ tasks_path }}/2fa_client.yml"`
			`- import_tasks: "{{ tasks_path }}/motd.yml"`
and away we go 2016-03-14 23:43:00 +00:00
			`handlers:`
typo on a massive scale 2017-10-15 20:33:11 +00:00			`- import_tasks: "{{ handlers_path }}/restart_services.yml"`
initial setup for docker-registry Signed-off-by: Adam Miller <admiller@redhat.com> 2016-04-07 15:36:10 +00:00
			`- name: setup docker distribution registry`
ansible: Change all our group names from foo-bar to foo_bar or foo-bar-baz to foo_bar_baz In ansible 2.8 the - character isn't supposed to be valid in group names. While we could override this, might has well just bite the bullet and change it. So, just switch all group names to use _ instead of - Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2019-05-20 17:36:07 +00:00			`hosts: oci_registry:oci_registry_stg`
initial setup for docker-registry Signed-off-by: Adam Miller <admiller@redhat.com> 2016-04-07 15:36:10 +00:00			`vars_files:`
			`- /srv/web/infra/ansible/vars/global.yml`
			`- /srv/private/ansible/vars.yml`
			`- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`


			`# NOTE: tls is disabled for docker-distribution because we are listening only`
			`# on localhost and all external connections will be through httpd which`
Rebuild docker registry stg boxes as f27 (#6744) Signed-off-by: Ricky Elrod <relrod@redhat.com> 2018-04-01 21:47:27 +00:00			`# will be SSL enabled.`
initial setup for docker-registry Signed-off-by: Adam Miller <admiller@redhat.com> 2016-04-07 15:36:10 +00:00			`roles:`
			`- {`
			`role: docker-distribution,`
			`conf_path: "/etc/docker-distribution/registry/config.yml",`
			`tls: {`
			`enabled: False,`
			`},`
			`log: {`
			`fields: {`
			`service: "registry"`
			`}`
			`},`
			`storage: {`
			`filesystem: {`
storage.filesystem.rootdirectory = /srv/registry for registries. Signed-off-by: Randy Barlow <randy@electronsweatshop.com> 2018-10-04 18:07:09 +00:00			`rootdirectory: "/srv/registry"`
docker-registry: fix missing closing curly brace Signed-off-by: Adam Miller <admiller@redhat.com> 2016-04-07 15:57:06 +00:00			`}`
initial setup for docker-registry Signed-off-by: Adam Miller <admiller@redhat.com> 2016-04-07 15:36:10 +00:00			`},`
This field is called http, not httpd Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-04-12 14:33:37 +00:00			`http: {`
docker-registry: fix http.addr entry Signed-off-by: Adam Miller <admiller@redhat.com> 2016-04-12 14:51:16 +00:00			`addr: ":5000"`
since ssl is handled at the proxy, no need to differentiate between prod/stg registry Signed-off-by: Adam Miller <admiller@redhat.com> 2016-07-12 18:34:42 +00:00			`}`
initial setup for docker-registry Signed-off-by: Adam Miller <admiller@redhat.com> 2016-04-07 15:36:10 +00:00			`}`
Add access to push to docker registry to compose-x86-01, Infra Ticket#5368 Signed-off-by: Adam Miller <admiller@redhat.com> 2016-06-24 16:55:38 +00:00
try delegate_to for a role Signed-off-by: Adam Miller <admiller@redhat.com> 2016-07-05 16:19:28 +00:00			`# Setup compose-x86-01 push docker images to registry`
Add access to push to docker registry to compose-x86-01, Infra Ticket#5368 Signed-off-by: Adam Miller <admiller@redhat.com> 2016-06-24 16:55:38 +00:00			`- {`
			`role: push-docker,`
use basic auth to authenticate against the candidate registry Signed-off-by: Clement Verna <cverna@tutanota.com> 2018-06-08 11:49:04 +02:00			`candidate_registry: "candidate-registry.stg.fedoraproject.org",`
Get the name of the variable right Signed-off-by: Clement Verna <cverna@tutanota.com> 2018-06-08 11:56:49 +02:00			`candidate_registry_osbs_username: "{{candidate_registry_osbs_stg_username}}",`
			`candidate_registry_osbs_password: "{{candidate_registry_osbs_stg_password}}",`
add candidate-registry.stg for compose-x86-01 push-docker Signed-off-by: Adam Miller <admiller@redhat.com> 2016-08-29 20:27:50 +00:00			`when: env == "staging",`
			`delegate_to: compose-x86-01.phx2.fedoraproject.org`
			`}`
Add access to push to docker registry to compose-x86-01, Infra Ticket#5368 Signed-off-by: Adam Miller <admiller@redhat.com> 2016-06-24 16:55:38 +00:00			`- {`
			`role: push-docker,`
use basic auth to authenticate against the candidate registry Signed-off-by: Clement Verna <cverna@tutanota.com> 2018-06-08 11:49:04 +02:00			`candidate_registry: "candidate-registry.fedoraproject.org",`
Get the name of the variable right Signed-off-by: Clement Verna <cverna@tutanota.com> 2018-06-08 11:56:49 +02:00			`candidate_registry_osbs_username: "{{candidate_registry_osbs_prod_username}}",`
			`candidate_registry_osbs_password: "{{candidate_registry_osbs_prod_password}}",`
enable candidate-registry for osbs in prod Signed-off-by: Adam Miller <admiller@redhat.com> 2016-09-02 14:24:33 +00:00			`when: env == "production",`
			`delegate_to: compose-x86-01.phx2.fedoraproject.org`
			`}`