diff --git a/roles/fedora-web/candidate-registry/files/passwd b/roles/fedora-web/candidate-registry/files/passwd-production
similarity index 100%
rename from roles/fedora-web/candidate-registry/files/passwd
rename to roles/fedora-web/candidate-registry/files/passwd-production
diff --git a/roles/fedora-web/candidate-registry/files/passwd-staging b/roles/fedora-web/candidate-registry/files/passwd-staging
new file mode 100644
index 0000000000..90e491f810
--- /dev/null
+++ b/roles/fedora-web/candidate-registry/files/passwd-staging
@@ -0,0 +1 @@
+/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora Project/CN=docker-registry-internal-stg:xxj31ZMTZzkVA
diff --git a/roles/fedora-web/candidate-registry/tasks/main.yml b/roles/fedora-web/candidate-registry/tasks/main.yml
index 426620009d..ced296c7ca 100644
--- a/roles/fedora-web/candidate-registry/tasks/main.yml
+++ b/roles/fedora-web/candidate-registry/tasks/main.yml
@@ -7,8 +7,18 @@
 - fedora-web
 - fedora-web/candidate-registry
-- name: Copy over the registry passwd
- copy: src=passwd dest=/etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
+- name: Copy over the registry CA
+ copy: src="{{private}}/files/docker-registry/{{env}}/docker-registry-ca.pem"
+ dest="/etc/pki/httpd/registry-ca-{{env}}.cert"
+ owner=root group=root mode=0644
+ notify:
+ - reload proxyhttpd
+ tags:
+ - fedora-web
+ - fedora-web/candidate-registry
+
+- name: Copy over the registry passwd
+ copy: src="passwd-{{env}}" dest=/etc/httpd/conf.d/candidate-registry.fedoraproject.org/passwd
 owner=root group=root mode=0644
 notify:
 - reload proxyhttpd
diff --git a/roles/fedora-web/registry/files/passwd b/roles/fedora-web/registry/files/passwd-production
similarity index 100%
rename from roles/fedora-web/registry/files/passwd
rename to roles/fedora-web/registry/files/passwd-production
diff --git a/roles/fedora-web/registry/files/passwd-staging b/roles/fedora-web/registry/files/passwd-staging
new file mode 100644
index 0000000000..90e491f810
--- /dev/null
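Review bot: The new `passwd-staging` line gives no hint that `xxj31ZMTZzkVA` is not a secret: it is the fixed crypt value of the word "password" that mod_ssl's `SSLOptions +FakeBasicAuth` expects, so the subject DN before the colon is the whole credential. I would add a leading comment line such as `# FakeBasicAuth entry: user = client-cert subject DN, hash = mod_ssl's constant for "password"` (mod_authn_file skips lines starting with `#`). The DN has to equal the staging client certificate's subject string exactly, and the `ST=NM/L=Raleigh` pair looks unusual enough to confirm against the issued certificate. The same blob (index 90e491f810) is added again as roles/fedora-web/registry/files/passwd-staging, so the two copies have to be kept in step.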
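Review bot: The added "Copy over the registry CA" task is repeated verbatim in roles/fedora-web/registry/tasks/main.yml, and both copies write the same `/etc/pki/httpd/registry-ca-{{env}}.cert`; a single shared task would keep the two from drifting apart on what is now the trust anchor for client-certificate auth. `src="passwd-{{env}}"` and the CA path only resolve for `env` values that have a matching file (`passwd-production` and `passwd-staging` in this commit), so a short comment above the task would help, e.g. `# env must be production or staging; one passwd-<env> file per value`. The task list continues outside the hunk.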
+++ b/roles/fedora-web/registry/files/passwd-staging
@@ -0,0 +1 @@
+/C=US/ST=NM/L=Raleigh/O=Red Hat/OU=Fedora Project/CN=docker-registry-internal-stg:xxj31ZMTZzkVA
diff --git a/roles/fedora-web/registry/tasks/main.yml b/roles/fedora-web/registry/tasks/main.yml
index 3b92726ddc..52437eca21 100644
--- a/roles/fedora-web/registry/tasks/main.yml
+++ b/roles/fedora-web/registry/tasks/main.yml
@@ -13,8 +13,18 @@
 - fedora-web
 - fedora-web/registry
+- name: Copy over the registry CA
+ copy: src="{{private}}/files/docker-registry/{{env}}/docker-registry-ca.pem"
+ dest="/etc/pki/httpd/registry-ca-{{env}}.cert"
+ owner=root group=root mode=0644
+ notify:
+ - reload proxyhttpd
+ tags:
+ - fedora-web
+ - fedora-web/candidate-registry
+
 - name: Copy over the registry passwd
- copy: src=passwd dest=/etc/httpd/conf.d/registry.fedoraproject.org/passwd
+ copy: src="passwd-{{env}}" dest=/etc/httpd/conf.d/registry.fedoraproject.org/passwd
 owner=root group=root mode=0644
 notify:
 - reload proxyhttpd
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
index d2c0cd650b..fce95b1b30 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.candidate-registry.conf
@@ -8,7 +8,7 @@ ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
 SSLVerifyClient optional
 SSLVerifyDepth 1
-SSLCACertificateFile /etc/pki/httpd/fedora-server-ca.cert
+SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert
 SSLOptions +FakeBasicAuth
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf
index e3e9f5a433..4bdd1b2ded 100644
--- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf
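Review bot: In roles/fedora-web/registry/tasks/main.yml the new CA task is tagged `fedora-web/candidate-registry`, while the context lines just above it show this role's tasks tagged `fedora-web/registry`. A run limited to `--tags fedora-web/registry` would then skip the CA copy, and the vhost's `SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert` could point at a missing or stale file. The last tag line of the added task should read `- fedora-web/registry`. The tags of the passwd task that follows are outside the hunk, so it is worth checking they match as well.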
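Review bot: `SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert` now decides who can authenticate, because with `SSLOptions +FakeBasicAuth` any certificate that chains to a CA in that file and carries a subject DN listed in the passwd file is accepted as that user; the same change is made in reversepassproxy.registry.conf. A comment above the directive would make this explicit, e.g. `# Trust anchor for registry client certs: every CA in this file can issue identities matched against passwd`. No revocation directive is visible in either hunk, so it is worth confirming whether `SSLCARevocationFile` and `SSLCARevocationCheck` are set elsewhere in the vhost for the new CA. With `SSLVerifyClient optional` a client without a valid certificate still completes the handshake, so the `Require` rules outside the hunk carry the enforcement.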
@@ -23,7 +23,7 @@ RewriteRule ^/(.*)$ http://localhost:6081/$1 [P,L]
 SSLVerifyClient optional
 SSLVerifyDepth 1
-SSLCACertificateFile /etc/pki/httpd/fedora-server-ca.cert
+SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert
 SSLOptions +FakeBasicAuth