Bug 1703866 - Add support for pulling container images from registries that require authentication
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Alex Schultz
QA Contact: Sasha Smolyak
URL:
Whiteboard:
Depends On: 1670419
Blocks: 1750446
Reported: 2019-04-28 23:31 UTC by PURANDHAR SAIRAM MANNIDI
Modified: 2019-10-08 10:49 UTC (History)

Fixed In Version: puppet-tripleo-8.4.1-25.el7ost openstack-tripleo-heat-templates-8.3.1-80.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1670419
: 1750446 (view as bug list)
Environment:
Last Closed: 2019-10-08 10:49:25 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1833584 0 None None None 2019-06-20 16:50:08 UTC
OpenStack gerrit 674955 0 None None None 2019-08-06 23:09:06 UTC
OpenStack gerrit 674956 0 None None None 2019-08-06 23:09:06 UTC

Comment 2 Alex Schultz 2019-05-06 20:19:46 UTC
Steve, is this something we can backport to OSP13?

Comment 4 Steve Baker 2019-06-12 05:09:01 UTC
The authentication support which has been added cannot be backported because it is podman specific and podman support was only added in OSP-15.

For OSP-13, it should be possible to make the required "docker login" calls before running "openstack overcloud container image prepare --push-destination=192.168.24.1:8787 ...".

Other than the extra docker login calls, the flow should be the same as the documentation [1].

[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/director_installation_and_usage/configuring-a-container-image-source

Comment 5 Alex Schultz 2019-06-12 15:41:39 UTC
For the record, I've seen docker login added to a PreConfig task to have it occur prior to the deployment for the overcloud nodes. Perhaps we might need to provide a basic template for this.

Comment 6 Steve Baker 2019-06-12 22:39:38 UTC
(In reply to Alex Schultz from comment #5)
> For the record, I've seen docker login added to a PreConfig task to have it
> occur prior to the deployment for the overcloud nodes. Perhaps we might need
> to provide a basic template for this.

That is another option which could be considered. However, it might be easier for the customer to only require docker login on the undercloud before the container prepare, because from that point on the images are served from the undercloud registry, where auth isn't required for the overcloud nodes.

Comment 7 Alex Schultz 2019-06-12 23:51:39 UTC
Yes, that would be much easier to just have the user use docker login and sync to the undercloud.

Comment 8 Alex Schultz 2019-08-19 21:30:13 UTC
To test, you can enable authentication on the undercloud after you follow the procedure to use the undercloud as a registry:
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/director_installation_and_usage/configuring-a-container-image-source#Configuring-Registry_Details-Local

Enable auth configuration for docker-distribution:

cat <<EOF | sudo tee -a /etc/docker-distribution/registry/config.yml
auth:
    htpasswd:
       realm: basic-realm
       path: /etc/docker-distribution/auth
EOF
sudo htpasswd -Bbc /etc/docker-distribution/auth admin admin
sudo systemctl restart docker-distribution


Then enable login via parameter_defaults:

cat > ~/container-login.yaml <<EOF
parameter_defaults:
  ContainerImageRegistryLogin: true
  ContainerImageRegistryCredentials:
    '192.168.24.1:8787':
      admin: admin
EOF
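
Added example, not part of the original comment thread or of TripleO: a Python 3 check that the htpasswd auth enabled in comment 8 is actually enforced, by probing the registry's /v2/ endpoint anonymously, with a wrong password, and with the real login. The function names and the in-process stub registry are constructed for illustration so the block runs offline.

```python
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore proxy environment variables so the probe always goes straight to the registry.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(base_url, creds=None):
    """GET <base_url>/v2/ and return (HTTP status, WWW-Authenticate header or None)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/")
    if creds:
        token = base64.b64encode("{}:{}".format(*creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")

def auth_enforced(base_url, user, password):
    """True only if anonymous and wrong-password probes get 401 and the real login gets 200."""
    anon, challenge = probe(base_url)
    bad, _ = probe(base_url, (user, password + "-wrong"))
    good, _ = probe(base_url, (user, password))
    return (anon == 401 and bad == 401 and good == 200
            and (challenge or "").lower().startswith("basic"))

class StubRegistry(BaseHTTPRequestHandler):
    """Constructed stand-in for docker-distribution with htpasswd auth (admin/admin)."""
    require_auth = True
    def do_GET(self):
        expected = "Basic " + base64.b64encode(b"admin:admin").decode()
        if self.require_auth and self.headers.get("Authorization") != expected:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="basic-realm"')
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_stub(require_auth=True):
    """Start the stub on a free loopback port; returns (server, base_url)."""
    handler = type("Handler", (StubRegistry,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:{}".format(server.server_port)

if __name__ == "__main__":
    server, url = start_stub()
    print(url, "auth enforced:", auth_enforced(url, "admin", "admin"))
    server.shutdown()
```

Against the test setup in comment 8 the call would be auth_enforced("http://192.168.24.1:8787", "admin", "admin"), assuming the undercloud registry is served over plain HTTP. A False result after the restart means the appended auth block is not in effect.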

Comment 10 Lon Hohberger 2019-09-25 10:44:57 UTC
According to our records, this should be resolved by puppet-tripleo-8.4.1-27.el7ost.  This build is available now.

Comment 11 Lon Hohberger 2019-09-25 10:44:59 UTC
According to our records, this should be resolved by openstack-tripleo-heat-templates-8.3.1-87.el7ost.  This build is available now.

Comment 12 Jad Haj Yahya 2019-10-07 07:54:15 UTC
Verified on 13  -p 2019-10-01.1

