add manage-container-images role, use w/ osbs-cluser

Currently the push-docker role requires a docker daemon to be
running on a machine somewhere which we don't want because it's
privileged, error prone, and only manages docker registry content.
This role instead uses skopeo[0], which is not privileged and
understands how to manage many types of OCI[1] compliant container
images.

[0] - https://github.com/projectatomic/skopeo
[1] - https://www.opencontainers.org/

Signed-off-by: Adam Miller <admiller@redhat.com>

playbooks/groups/osbs-cluster.yml

@@ -250,6 +250,13 @@
         docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
       when: env == "staging"
     }
+    - {
+      role: "manage-container-images",
+        cert_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
+        cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
+        key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
+      when: env == "staging"
+    }
     - {
       role: push-docker,
         docker_cert_name: "containerbuild",

roles/manage-container-images/tasks/main.yml

@@ -0,0 +1,28 @@
+---
+# tasks file for push-docker
+#
+- name: install necessary packages
+  package:
+    name: "{{item}}"
+    state: present
+  with_items:
+    - skopeo
+
+- name: ensure cert dir exists
+  file:
+    path: "{{container_dest_dir}}"
+    state: directory
+
+- name: install docker client cert for registry
+  copy:
+    src: "{{cert_src}}"
+    dest: "{{container_dest_dir}}/client.cert"
+    owner: root
+    mode: 0600
+
+- name: install docker client key for registry
+  copy:
+    src: "{{key_src}}"
+    dest: "{{container_dest_dir}}/client.key"
+    owner: root
+    mode: 0600