commit 77a68d3cadf57103ef8a3cd42fae5f700413b0fd Author: Jerry Sun Date: Wed Oct 7 12:28:08 2020 -0400 Replace containerd Sysinv credentials with mtce credentials Sysinv credentials in the containerd config allowed kubernetes to deploy images without pull secrets. We replace the credentials with "mtce" user's credentials. The "mtce" user is treated as a public user and is not allowed to deploy non-public images. Partial-bug: 1894930 Depends-On: https://review.opendev.org/756557 Change-Id: Icf293a8c3e44a587d5392db57f612ea26b422f12 Signed-off-by: Jerry Sun
diff --git a/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml b/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml
index 8cb03de..4dab95f 100644
--- a/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_local_registry.yml
@@ -104,12 +104,29 @@ - set_fact: local_registry_credentials: "{{ local_registry_credentials_output.stdout }}" +- name: Get guest local registry credentials + vars: + script_content: | + import keyring + password = keyring.get_password("mtce", "services") + if not password: + raise Exception("Local registry password not found.") + print dict(username='mtce', password=str(password)) + shell: "{{ script_content }}" + args: + executable: /usr/bin/python + register: guest_local_registry_credentials_output + +- set_fact: + guest_local_registry_credentials: "{{ guest_local_registry_credentials_output.stdout }}" + - name: Update config.toml with registry auth command: "sed -i -e 's|<%= @registry_auth %>|$REG_AUTH|g' /etc/containerd/config.toml" args: warn: false environment: - REG_AUTH: "{{ (local_registry_credentials['username'] + ':' + local_registry_credentials['password']) | b64encode }}" + REG_AUTH: "{{ (guest_local_registry_credentials['username'] + ':' + + guest_local_registry_credentials['password']) | b64encode }}" - name: Determine the stream_server_address for containerd set_fact:
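Review bot: The added `Get guest local registry credentials` task prints the mtce password to stdout and registers it in `guest_local_registry_credentials_output`, and neither it nor the following `set_fact` sets `no_log: true`, so the plaintext password can land in Ansible output or a playbook log whenever task results are displayed or recorded. Even if mtce is treated as a public registry user, it is still a keyring-held service credential, so I would add `no_log: true` to both new tasks. The same applies to `Update config.toml with registry auth`, whose `REG_AUTH` environment value is only the base64 encoding of `username:password` and so gives no confidentiality. The pre-existing sysinv credential task starts above this hunk, so I cannot tell whether it already sets `no_log`; if it does not, it deserves the same treatment.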