From 6939f62b4c3260acfa42a5c312c2e3d5310cdfab Mon Sep 17 00:00:00 2001
From: Adam Miller
Date: Mon, 10 Apr 2017 20:47:41 +0000
Subject: [PATCH] add manage-container-images role, use w/ osbs-cluser

Currently the push-docker role requires a docker daemon to be running on a machine somewhere which we don't want because it's privileged, error prone, and only manages docker registry content. This role instead uses skopeo[0], which is not privileged and understands how to manage many types of OCI[1] compliant container images.

[0] - https://github.com/projectatomic/skopeo
[1] - https://www.opencontainers.org/

Signed-off-by: Adam Miller
---
playbooks/groups/osbs-cluster.yml | 7 +++++
roles/manage-container-images/tasks/main.yml | 28 ++++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 roles/manage-container-images/tasks/main.yml

diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml
index 2f6ee5fda5..c667d07c3c 100644
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@@ -250,6 +250,13 @@
 docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
 when: env == "staging"
 }
+ - {
+ role: "manage-container-images",
+ cert_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
+ cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
+ key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
+ when: env == "staging"
+ }
 - {
 role: push-docker,
 docker_cert_name: "containerbuild",
diff --git a/roles/manage-container-images/tasks/main.yml b/roles/manage-container-images/tasks/main.yml
new file mode 100644
index 0000000000..0dca948270
--- /dev/null
+++ b/roles/manage-container-images/tasks/main.yml
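Review bot: The new role entry passes `cert_dest_dir`, but the role's tasks in roles/manage-container-images/tasks/main.yml (second hunk) read `container_dest_dir` for the directory task and for both copy destinations, so a staging run will fail on an undefined variable, or, if `container_dest_dir` happens to be defined elsewhere in the inventory, place the client cert and private key in a directory other than the one configured here. One side needs renaming; the smaller change is in this hunk, `cert_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",` → `container_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",`, with the same rename applied to the production entry if one is added later. The enclosing roles list starts and ends outside the hunk.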
@@ -0,0 +1,28 @@
+---
+# tasks file for push-docker
+#
+- name: install necessary packages
+ package:
+ name: "{{item}}"
+ state: present
+ with_items:
+ - skopeo
+- name: ensure cert dir exists
+ file:
+ path: "{{container_dest_dir}}"
+ state: directory
+- name: install docker client cert for registry
+ copy:
+ src: "{{cert_src}}"
+ dest: "{{container_dest_dir}}/client.cert"
+ owner: root
+ mode: 0600
+- name: install docker client key for registry
+ copy:
+ src: "{{key_src}}"
+ dest: "{{container_dest_dir}}/client.key"
+ owner: root
+ mode: 0600
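Review bot: `mode: 0600` on both copy tasks is an unquoted plain scalar; Ansible's loader presumably reads the leading-zero form as octal so it works today, but the documented safe form is the string `mode: "0600"`, which a linter, a reformatter or a YAML 1.2 parser cannot retype into decimal 600. The two copy tasks set `owner: root` without `group:`, and the `file` task that creates the directory pins neither owner nor mode, so the permissions of the directory holding the client private key are left to defaults; `group: root` on both copies and `owner: root`, `group: root`, `mode: "0755"` on the directory would make the intent explicit. The header comment `# tasks file for push-docker` was carried over from the other role and should read `# tasks file for manage-container-images`. The mismatch between `container_dest_dir` here and the variable name passed by the playbook is raised on the first hunk.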