Bug 1377899 - [RFE] Enable Ansible Configuration options to use Username/Password to authenticate against a Customer Hosted Secure Docker Repository while installing Openshift
Status: CLOSED DUPLICATE of bug 1316341
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.2.1
Hardware: x86_64
OS: Linux
high
medium
Assignee: Jason DeTiberus
QA Contact: Johnny Liu
 
Reported: 2016-09-20 23:39 UTC by cpatters
Modified: 2017-03-02 14:42 UTC

Last Closed: 2017-03-02 14:42:17 UTC



Description cpatters 2016-09-20 23:39:02 UTC
1. Proposed title of this feature request

Enable Ansible Configuration options to use Username/Password to authenticate against a Customer Hosted Secure Docker Repository upon installation of OpenShift

2. Who is the customer behind the request?

Account: Australian Signals Directorate
Account Number: 676102
TAM Customer: Yes
SRM customer: Yes
Strategic: Yes

3. What is the nature and description of the request?

The customer is looking for a functionality within the OpenShift installation script that will specify authentication credentials (username/password) to use against a Customer hosted Docker Repository in a completely Disconnected Environment. This request is twofold:

a. The OpenShift installer must support pulling images from a customer hosted docker repository (not attempt to pull from registry.access.redhat.com - which should be blocked)
b. The OpenShift installer must support authenticating against the customer hosted docker repository with a username/password.

4. Why does the customer need this?

The Customer operates in a "*Disconnected Secure Environment*" and Red Hat Satellite 6 "DOES NOT" provide the capability to perform a seamless and simple way of bringing Red Hat approved Docker containers into their disconnected network. The proposed method requires additional manual work which is considered onerous and unsupported. See support case 01686814 Require capability to export Docker images to disconnected Satellite.

The Organisation's Security Policy requires that access to this independent Secured Docker Repository have an authentication mechanism, via username/password, which includes non-person entities (i.e. service accounts). Currently to utilise the Ansible Advanced Installation Script, the Customer must disable authentication.

5. How would the customer like to achieve this? (List the functional requirements here)

Customer would like to have configurable parameters that can be set on install within the Ansible advanced installation hosts file that will allow them to tell OpenShift master and nodes to pull from their secured registry (and provide credentials). This would possibly require two additional fields in the docker config file ~root/.dockercfg json config file:

a. openshift_docker_username; and
b. openshift_docker_password

Also need to enforce the blocked registries and remove all hard coding to registry.access.redhat.com in the current OpenShift code. This should be parameterised.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Customer is willing to perform a Disconnected OpenShift installation utilising said improvements to Script and provide productive feedback to Red Hat.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

No

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?

ASAP. The current mechanism is not considered Enterprise or Production ready. Possibly target 3.3 or 3.4 depending on gating.
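The credential handling asked for in item 5, as an added example that is not code from the OpenShift installer or from the reporter: it renders a username/password pair into a legacy `.dockercfg` entry with owner-only permissions and audits the result. The function names, registry hostname and service account are hypothetical, constructed values.

```python
import base64, json, os, stat, tempfile

def encode_auth(username, password):
    # Legacy .dockercfg "auth" value: base64("username:password").
    if ":" in username:
        raise ValueError("username must not contain ':'")
    return base64.b64encode(f"{username}:{password}".encode()).decode()

def decode_auth(token):
    # Split on the first ':' only, because passwords may contain colons.
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def write_dockercfg(path, registry, username, password):
    """Add or replace one registry entry, leaving the file owner-only (0600)."""
    cfg = {}
    if os.path.exists(path):
        with open(path) as fh:
            cfg = json.load(fh)
    cfg[registry] = {"auth": encode_auth(username, password), "email": ""}
    # mkstemp creates the file 0600, so the secret is never world-readable,
    # and os.replace swaps it in atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(cfg, fh, indent=2)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return cfg

def audit_dockercfg(path, allowed_registries):
    """Return findings: group/other access, or credentials for unlisted registries."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants access beyond the owner")
    with open(path) as fh:
        for registry in json.load(fh):
            if registry not in allowed_registries:
                findings.append(f"credentials stored for unlisted registry {registry}")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample values below
        p = os.path.join(d, ".dockercfg")
        write_dockercfg(p, "registry.example.com:5000", "svc-installer", "s3:cret")
        print(audit_dockercfg(p, {"registry.example.com:5000"}))
```

The `auth` value is base64 encoding, not encryption, so the file permissions and the inventory that supplies the password are what protect the service account.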

