create docker-distribution-proxy to proxy the docker-distribution registry

Signed-off-by: Adam Miller <admiller@redhat.com>

playbooks/groups/docker-registry.yml

@@ -89,4 +89,45 @@
         },
         when: env == "production"
       }
+    - {
+      role: docker-distribution-proxy,
+        servername: registry.stg.fedorproject.org,
+        ssl: {
+          destdir: "/etc/pki/docker-distribution/",
+          certfile_src: "{{private}}/files/docker-registry/staging/docker-registry-internal.pem",
+          certfile_dest: "docker-registry-internal.pem",
+          keyfile_src: "{{private}}/files/docker-registry/staging/docker-registry-internal.key",
+          keyfile_dest: "docker-registry-internal.key",
+        },
+        auth: {
+          type: basic,
+          basic: {
+            destdir: "/etc/httpd/"
+            userfile_src: "{{private}}/files/httpd/osbs.htpasswd"
+            userfile_dest: "osbs.htpasswd"
+          }
+        },
+        when: env == "staging"
+      }
+    - {
+      role: docker-distribution-proxy,
+        servername: registry.fedorproject.org,
+        ssl: {
+          destdir: "/etc/pki/docker-distribution/",
+          certfile_src: "{{private}}/files/docker-registry/docker-registry-internal.pem",
+          certfile_dest: "docker-registry-internal.pem",
+          keyfile_src: "{{private}}/files/docker-registry/docker-registry-internal.key",
+          keyfile_dest: "docker-registry-internal.key",
+        },
+        auth: {
+          type: basic,
+          basic: {
+            destdir: "/etc/httpd/"
+            userfile_src: "{{private}}/files/httpd/osbs.htpasswd"
+            userfile_dest: "osbs.htpasswd"
+          }
+        },
+        when: env == "staging"
+      }
+
 

roles/docker-distribution-proxy/defaults/main.yml

@@ -0,0 +1,19 @@
+---
+# defaults file for docker-distribution-proxy
+#
+servername: "registry.example.com"
+ssl:
+  destdir: "/etc/pki/docker-registry/"
+  certfile_src: "ssl.cert"
+  certfile_dest: "ssl.cert"
+  keyfile_src: "ssl.key"
+  keyfile_dest: "ssl.key"
+
+auth:
+  type: basic
+  basic:
+    dest_dir:
+    userfile_src: /etc/httpd/users.htpasswd
+    userfile_dest: /etc/httpd/users.htpasswd
+
+

roles/docker-distribution-proxy/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+# handlers file for docker-distribution-proxy
+
+- name: reload httpd
+  service:
+    name: httpd
+    state: reloaded

roles/docker-distribution-proxy/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+# tasks file for docker-distribution-proxy
+#
+- name: Make sure httpd is installed
+  action: "{{ ansible_pkg_manager }} name=httpd state=installed"
+
+- name: Make sure mod_ssl is installed
+  action: "{{ ansible_pkg_manager }} name=mod_ssl state=installed"
+
+- name: ensure pki destination directory exists
+  file:
+    path: "{{ ssl.destdir }}"
+
+- name: install ssl certfile
+  copy:
+    src: "{{ ssl.certfile_src }}"
+    dest: "{{ ssl.destdir }}/{{ ssl.certfile_dest }}"
+
+- name: install ssl keyfile
+  copy:
+    src: "{{ ssl.keyfile_src }}"
+    dest: "{{ ssl.destdir }}/{{ ssl.keyfile_dest }}"
+
+- name: ensure htpasswd basic auth dest dir exists
+  file:
+    path: "{{ auth.basic.destdir }}"
+    state: directory
+  when: auth.type == "basic"
+
+- name: place htpasswd file
+  copy:
+    src: "{{ auth.basic.userfile_src }}"
+    dest: "{{ auth.basic.destdir }}/{{ auth.basic.userfile_dest }}"
+  when: auth.type == "basic"
+
+- name: Configure the vhost
+  template:
+    src: "docker-registry-vhost.conf.j2"
+    dest: "/etc/httpd/conf.d/docker-registry-vhost.conf"
+  notify: reload httpd
+

roles/docker-distribution-proxy/templates/docker-registry-vhost.conf.j2

@@ -0,0 +1,54 @@
+<VirtualHost *:443>
+
+  ServerName {{ domainname }}
+
+  SSLEngine on
+  SSLCertificateFile {{ sslcertfile }}
+  SSLCertificateKeyFile {{ sslkeyfile }}
+
+  ## SSL settings recommandation from: https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
+  # Anti CRIME
+  SSLCompression off
+
+  # POODLE and other stuff
+  SSLProtocol all -SSLv2 -SSLv3 -TLSv1
+
+  # Secure cypher suites
+  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+  SSLHonorCipherOrder on
+
+  Header always set "Docker-Distribution-Api-Version" "registry/2.0"
+  Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"
+  RequestHeader set X-Forwarded-Proto "https"
+
+  ProxyRequests     off
+  ProxyPreserveHost on
+
+  # no proxy for /error/ (Apache HTTPd errors messages)
+  ProxyPass /error/ !
+
+  ProxyPass        /v2 http://localhost:5000/v2
+  ProxyPassReverse /v2 http://localhost:5000/v2
+
+  <Location /v2>
+    Order deny,allow
+    Allow from all
+    AuthName "Registry Authentication"
+{% if auth.type == "basic" }
+    AuthType basic
+    AuthUserFile {{ auth.basic.userfile_dest }}
+{% endif %}
+
+    ## Read access to authentified users
+    #<Limit GET HEAD>
+    #  Require valid-user
+    #</Limit>
+
+    # Write access restricted
+    <Limit POST PUT DELETE PATCH>
+      Require value-user
+    </Limit>
+
+  </Location>
+
+</VirtualHost>