Bug 1377899

Summary: [RFE] Enable Ansible Configuration options to use Username/Password to authenticate against a Customer Hosted Secure Docker Repository while installing Openshift
Product: OpenShift Container Platform Reporter: cpatters
Component: Installer Assignee: Jason DeTiberus <jdetiber>
Status: CLOSED DUPLICATE QA Contact: Johnny Liu <jialiu>
Severity: medium Docs Contact:
Priority: high    
Version: 3.2.1 CC: aos-bugs, cpatters, erich, jokerman, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-02 14:42:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description cpatters 2016-09-20 23:39:02 UTC
1. Proposed title of this feature request

Enable Ansible Configuration options to use Username/Password to authenticate against a Customer Hosted Secure Docker Repository upon installation of OpenShift

2. Who is the customer behind the request?

Account: Australian Signals Directorate
Account Number: 676102
TAM Customer: Yes
SRM customer: Yes
Strategic: Yes

3. What is the nature and description of the request?

The customer is looking for a functionality within the OpenShift installation script that will specify authentication credentials (username/password) to use against a Customer hosted Docker Repository in a completely Disconnected Environment. This request is twofold:

a. The OpenShift installer must support pulling images from a customer hosted docker repository (not attempt to pull from registry.access.redhat.com - which should be blocked)
b. The OpenShift installer must support authenticating against the customer hosted docker repository with a username/password.

4. Why does the customer need this?

The Customer operates in a "*Disconnected Secure Environment*" and Red Hat Satellite 6 "DOES NOT" provide the capability to perform a seamless and simple way of bringing Red Hat approved Docker containers into their disconnected network. The proposed method requires additional manual work which is considered onerous and unsupported. See support case 01686814 Require capability to export Docker images to disconnected Satellite.

The Organisation's Security Policy requires that access to this independent Secured Docker Repository have an authentication mechanism, via username/password, which includes non-person entities (i.e. service accounts). Currently, to utilise the Ansible Advanced Installation Script, the Customer must disable authentication.

5. How would the customer like to achieve this? (List the functional requirements here)

Customer would like to have configurable parameters that can be set on install within the Ansible advanced installation hosts file that will allow them to tell OpenShift master and nodes to pull from their secured registry (and provide credentials). This would possibly require two additional fields in the docker config file ~root/.dockercfg json config file:

a. openshift_docker_username; and
b. openshift_docker_password

Also need to enforce the blocked registries and remove all hard coding to registry.access.redhat.com in the current OpenShift code. This should be parameterised.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Customer is willing to perform a Disconnected OpenShift installation utilising said improvements to Script and provide productive feedback to Red Hat.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

No

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?

ASAP. The current mechanism is not considered Enterprise or Production ready. Possibly target 3.3 or 3.4 depending on gating