From 6946ea845a7933a150c4c69ff7731eca48d3a0bb Mon Sep 17 00:00:00 2001
From: Angie Wang
Date: Wed, 16 Jan 2019 16:32:38 -0500
Subject: [PATCH] Pass user credentials when pull/push images from local docker registry

The functionality of local docker registry authentication is implemented in commit https://review.openstack.org/#/c/626355/. However, local docker registry is currently used to pull/push images during application apply without authentication. This commit passes user credentials when pulling/pushing images from docker registry, otherwise application apply will fail after the above docker registry authentication commit merged.

Change-Id: Ifd43631e6fb685aed45fd2ad90d74ef3658bdb99
Story: 2002840
Task: 28945
Signed-off-by: Angie Wang
---
 .../sysinv/sysinv/sysinv/common/exception.py | 5 +++++
 .../sysinv/sysinv/sysinv/conductor/kube_app.py | 18 ++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/sysinv/sysinv/sysinv/sysinv/common/exception.py b/sysinv/sysinv/sysinv/sysinv/common/exception.py
index 8bb17e0c27..e4c89e97f0 100644
--- a/sysinv/sysinv/sysinv/sysinv/common/exception.py
+++ b/sysinv/sysinv/sysinv/sysinv/common/exception.py
@@ -923,6 +923,11 @@ class KubeAppNotFound(NotFound):
 message = _("No application with name %(name)s.")
+class DockerRegistryCredentialNotFound(NotFound):
+ message = _("Credentials to access local docker registry "
+ "for user %(name)s could not be found.")
+
+
 class SDNNotEnabled(SysinvException):
 message = _("SDN configuration is not enabled.")
diff --git a/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py b/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py
index a1177e756d..c6a8d29b3c 100644
--- a/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py
+++ b/sysinv/sysinv/sysinv/sysinv/conductor/kube_app.py
@@ -11,6 +11,7 @@
 import docker
 import grp
+import keyring
 import os
 import pwd
 import re
@@ -57,6 +58,8 @@ INSTALLATION_TIMEOUT = 3600
 MAX_DOWNLOAD_THREAD = 20
 TARFILE_DOWNLOAD_CONNECTION_TIMEOUT = 60
 TARFILE_TRANSFER_CHUNK_SIZE = 1024 * 512
+DOCKER_REGISTRY_USER = 'admin'
+DOCKER_REGISTRY_SERVICE = 'CGCS'
 # Helper functions
@@ -97,6 +100,16 @@ def get_app_install_root_path_ownership():
 return (uid, gid)
+def get_docker_registry_authentication():
+ docker_registry_user_password = keyring.get_password(
+ DOCKER_REGISTRY_SERVICE, DOCKER_REGISTRY_USER)
+ if not docker_registry_user_password:
+ raise exception.DockerRegistryCredentialNotFound(
+ name=DOCKER_REGISTRY_USER)
+
+ return dict(username=DOCKER_REGISTRY_USER,
+ password=docker_registry_user_password)
+
 Chart = namedtuple('Chart', 'name namespace')
@@ -1205,8 +1218,9 @@ class DockerHelper(object):
 try:
 # Pull image from local docker registry
 LOG.info("Image %s download started from local registry" % loc_img_tag)
+ docker_registry_auth = get_docker_registry_authentication()
 client = docker.APIClient(timeout=INSTALLATION_TIMEOUT)
- client.pull(loc_img_tag)
+ client.pull(loc_img_tag, auth_config=docker_registry_auth)
 except docker.errors.NotFound:
 try:
 # Image is not available in local docker registry, get the image
@@ -1216,7 +1230,7 @@ class DockerHelper(object):
 pub_img_tag = loc_img_tag[1 + loc_img_tag.find('/'):]
 client.pull(pub_img_tag)
 client.tag(pub_img_tag, loc_img_tag)
- client.push(loc_img_tag)
+ client.push(loc_img_tag, auth_config=docker_registry_auth)
 except Exception as e:
 rc = False
 LOG.error("Image %s download failed from public registry: %s" % (pub_img_tag, e))
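Review bot: The registry identity added in the constants hunk is fixed to `DOCKER_REGISTRY_USER = 'admin'`, so every image pull and push during application apply authenticates as that account, which by its name is presumably a privileged one. If the registry's authentication backend allows it, a dedicated account limited to registry access would narrow what a leak of this credential exposes. The two constants also have no comment saying what they refer to; something like `# Keyring service and user name under which the local docker registry password is stored` would make the coupling to the keyring entry explicit.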
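Review bot: `get_docker_registry_authentication()` in the helper-functions hunk has no docstring, although its return value carries a plaintext password that callers must keep out of logs and persisted state. A one-line docstring would state the contract, e.g. `"""Return the auth_config dict for the local docker registry; the password in it must never be logged."""`, with a mention that `DockerRegistryCredentialNotFound` is raised when the keyring has no entry. Exceptions raised by `keyring.get_password` itself (for example an unavailable backend) are not translated here and would reach the caller as keyring errors; whether that is intended is not visible in the hunk.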
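Review bot: In the first DockerHelper hunk, `get_docker_registry_authentication()` is called inside the `try` whose only visible handler is `except docker.errors.NotFound`, so a missing keyring entry raises `DockerRegistryCredentialNotFound` out of this block unless a handler outside the hunk catches it; the method starts and ends outside the hunk, so that cannot be confirmed from here. Separately, if the daemon surfaces a rejected credential as NotFound, the code falls through to the public-registry path as though the image were merely absent from the local registry. Catching `DockerRegistryCredentialNotFound` explicitly (set `rc = False` and log only the user name) would keep an authentication problem distinct from a cache miss.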
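Review bot: In the second DockerHelper hunk the result of `client.push(loc_img_tag, auth_config=docker_registry_auth)` is discarded; as far as I know docker-py reports push failures, including a registry that rejects the credentials, in the returned output rather than by raising, so a failed authenticated push would leave `rc` untouched and go unnoticed. Reading the decoded output and failing on an error entry closes that gap. When the push does raise, the handler below logs "download failed from public registry", which misdescribes a failure against the local registry. The enclosing try/except continues outside the hunk.

```python
client.tag(pub_img_tag, loc_img_tag)
# push() reports failures in its output, so inspect each decoded entry
for line in client.push(loc_img_tag, auth_config=docker_registry_auth,
                        stream=True, decode=True):
    if 'error' in line:
        raise Exception("push to local registry failed: %s" % line['error'])
# … unchanged: except Exception handler …
```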