From 8223eadf01bfcf9f3508c41f5ee81b4459ee700d Mon Sep 17 00:00:00 2001 From: "James E. Blair" Date: Wed, 2 Oct 2019 14:11:33 -0700 Subject: [PATCH] Switch the insecure-ci-registry to zuul-registry This uses the new zuul-registry container image to run the intermediate registry. The same authentication data and certs are used. The new registry also writes to the same swift container, but uses different pseudo-directories so it won't clash with the current registry. If there are problems, we can switch back easily. After successful use of the new registry, we can delete the old data. Change-Id: Ib855fb99c991411293a617b9b238d79a6bfae328 --- .../files/registry-docker/docker-compose.yaml | 7 ++-- playbooks/roles/registry/tasks/main.yaml | 27 +++++---------- .../roles/registry/templates/clouds.yaml.j2 | 8 +++++ .../roles/registry/templates/config.yml.j2 | 33 ------------------- .../roles/registry/templates/registry.yaml.j2 | 17 ++++++++++ 5 files changed, 36 insertions(+), 56 deletions(-) create mode 100644 playbooks/roles/registry/templates/clouds.yaml.j2 delete mode 100644 playbooks/roles/registry/templates/config.yml.j2 create mode 100644 playbooks/roles/registry/templates/registry.yaml.j2 diff --git a/playbooks/roles/registry/files/registry-docker/docker-compose.yaml b/playbooks/roles/registry/files/registry-docker/docker-compose.yaml index 2dea072786..5d45f09515 100644 --- a/playbooks/roles/registry/files/registry-docker/docker-compose.yaml +++ b/playbooks/roles/registry/files/registry-docker/docker-compose.yaml @@ -5,10 +5,9 @@ version: '2' services: registry: restart: always - image: registry:2 + image: zuul/zuul-registry network_mode: host volumes: - - /var/registry/data:/var/lib/registry - /var/registry/certs:/certs - - /var/registry/auth:/auth - - /var/registry/etc:/etc/docker/registry + - /var/registry/conf:/conf + - /var/registry/etc:/etc 
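Review bot: The new bind `- /var/registry/etc:/etc` overlays the container's entire `/etc` with a host directory that holds only clouds.yaml, so whatever the image ships there (`/etc/passwd`, and presumably the CA bundle under `/etc/ssl` that the Swift client needs for TLS verification) is hidden from the container; the mount it replaces was scoped to `/etc/docker/registry`. If zuul-registry/openstacksdk looks for the file at `/etc/openstack/clouds.yaml`, mount narrowly with `- /var/registry/etc:/etc/openstack` (or bind the single file) rather than the whole tree. Separately, `image: zuul/zuul-registry` has no tag or digest, so each pull tracks whatever `latest` is at that moment; for a service holding cloud credentials, pin a tag or an `@sha256:` digest and bump it deliberately.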
diff --git a/playbooks/roles/registry/tasks/main.yaml b/playbooks/roles/registry/tasks/main.yaml index 4126e8dc52..356b55a85d 100644 --- a/playbooks/roles/registry/tasks/main.yaml +++ b/playbooks/roles/registry/tasks/main.yaml @@ -7,23 +7,9 @@ state: directory path: "/var/registry/{{ item }}" loop: - - data - certs - - auth + - conf - etc -- name: Install passlib - package: - name: - - python3-passlib - - python3-bcrypt - state: present -- name: Write htpassword file - htpasswd: - create: true - crypt_scheme: bcrypt - path: /var/registry/auth/htpasswd - name: "{{ registry_user }}" - password: "{{ registry_password }}" - name: Write TLS private key copy: content: "{{ registry_tls_key }}" @@ -32,10 +18,14 @@ copy: content: "{{ registry_tls_cert }}{{ registry_tls_chain | default('') }}" dest: /var/registry/certs/domain.crt +- name: Write clouds.yaml + template: + src: clouds.yaml.j2 + dest: /var/registry/etc/clouds.yaml - name: Write registry config template: - src: config.yml.j2 - dest: /var/registry/etc/config.yml + src: registry.yaml.j2 + dest: /var/registry/conf/registry.yaml - name: Install docker-compose package: name: @@ -52,10 +42,9 @@ - name: Run docker prune to cleanup unneeded images shell: cmd: docker image prune -f - - name: Install cron to garbage collect the registry daily cron: name: "docker registry garbage-collect" minute: "0" hour: "0" - job: "/usr/bin/docker exec registrydocker_registry_1 registry garbage-collect /etc/docker/registry/config.yml > /dev/null" + job: "/usr/bin/docker exec registrydocker_registry_1 zuul-registry prune" diff --git a/playbooks/roles/registry/templates/clouds.yaml.j2 b/playbooks/roles/registry/templates/clouds.yaml.j2 new file mode 100644 index 0000000000..bd62a1225b --- /dev/null +++ b/playbooks/roles/registry/templates/clouds.yaml.j2 
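Review bot: The directory loop now creates `/var/registry/conf` and `/var/registry/etc`, which will hold plaintext credentials, without a `mode`, so they get the default (typically 0755) and are listable by any local user; add `mode: "0700"` to the task (its `name:`/`file:` lines start above this hunk), paired with an `owner` matching the uid the zuul-registry container runs as if that is not root. Removing the htpasswd/passlib tasks also leaves the old `/var/registry/auth/htpasswd` (and `data`) in place on existing hosts; once the switch is confirmed, a `file: state: absent` cleanup for `/var/registry/auth` would avoid carrying a stale credential file around.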
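Review bot: Both new template tasks (`Write clouds.yaml`, `Write registry config`) write credentials to `/var/registry/etc/clouds.yaml` and `/var/registry/conf/registry.yaml` with no `mode`, so the files take the umask default (typically 0644) and the Swift password and the registry password are readable by every local user. The old config.yml.j2 had the same gap for the Swift password, but registry.yaml now also carries the registry user's password in the clear where the htpasswd file held only a bcrypt hash, so the exposure grows with this change; add `mode: "0600"` to both `template:` tasks. The adjacent `Write TLS private key` task (its `copy:` starts in the previous hunk) should get the same treatment if it currently lacks one.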
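Review bot: The cron entry's `name` still says "docker registry garbage-collect" while the job now runs `zuul-registry prune`, and the `> /dev/null` redirect was dropped, so the daily prune's stdout is now mailed by cron. The unchanged `name` is what lets the cron module replace the old entry in place, so if it is renamed later a second task with `state: absent` for the old name is needed, otherwise the stale `registry garbage-collect` job keeps running against a container that no longer has that binary. The container name `registrydocker_registry_1` also remains hard-coded; a comment noting it derives from the compose project/service names would help the next person who changes either.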
@@ -0,0 +1,8 @@ +clouds: + registry: + profile: rackspace + region_name: {{ registry_swift_region }} + auth: + username: {{ registry_swift_username }} + password: {{ registry_swift_password }} + project_id: {{ registry_swift_tenant }} diff --git a/playbooks/roles/registry/templates/config.yml.j2 b/playbooks/roles/registry/templates/config.yml.j2 deleted file mode 100644 index 49f74ec6ae..0000000000 --- a/playbooks/roles/registry/templates/config.yml.j2 +++ /dev/null @@ -1,33 +0,0 @@ -version: 0.1 -log: - fields: - service: registry -storage: - cache: - blobdescriptor: inmemory - swift: - username: {{ registry_swift_username }} - password: {{ registry_swift_password }} - authurl: {{ registry_swift_authurl }} - tenant: {{ registry_swift_tenant }} - region: {{ registry_swift_region }} - container: {{ registry_swift_container }} - secretkey: {{ registry_swift_secretkey }} - delete: - enabled: true -http: - addr: :5000 - headers: - X-Content-Type-Options: [nosniff] - tls: - certificate: /certs/domain.crt - key: /certs/domain.key -health: - storagedriver: - enabled: true - interval: 10s - threshold: 3 -auth: - htpasswd: - realm: Registry Realm - path: /auth/htpasswd diff --git a/playbooks/roles/registry/templates/registry.yaml.j2 b/playbooks/roles/registry/templates/registry.yaml.j2 new file mode 100644 index 0000000000..28a19a7acd --- /dev/null +++ b/playbooks/roles/registry/templates/registry.yaml.j2 @@ -0,0 +1,17 @@ +registry: + address: '0.0.0.0' + port: 5000 + tls-cert: /certs/domain.crt + tls-key: /certs/domain.key + users: + - name: {{ registry_user }} + pass: {{ registry_password }} + access: write + - name: anonymous + pass: '' + access: read + storage: + driver: swift + cloud: registry + container: {{ registry_swift_container }} + expiration: 15552000 # 180 days
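Review bot: Every value in this template is an unquoted Jinja expansion, so the rendered file is valid YAML only if each secret happens to be YAML-safe: a `registry_swift_password` containing `: ` or ` #`, or starting with `*`, `&`, `[`, `{` or a quote, breaks the parse or is retyped, and an all-digit `registry_swift_tenant` becomes an int, with the registry then failing to reach Swift at startup. Render each scalar through `to_json`, which emits a properly escaped double-quoted YAML string, e.g. `password: {{ registry_swift_password | to_json }}` and `project_id: {{ registry_swift_tenant | to_json }}`; the `name`, `pass` and `container` values in registry.yaml.j2 deserve the same. The deleted config.yml.j2 had the identical weakness, so this is not a regression, but a new file is the right moment to fix it.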
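Review bot: The `users:` list grants `anonymous` read access (`pass: ''`, `access: read`), whereas the deleted registry:2 config's `auth: htpasswd:` block, as far as that file shows, required credentials for every request; with `address: '0.0.0.0'` and `network_mode: host`, anyone who can reach port 5000 can now pull any image in the intermediate registry, and the commit message's "same authentication data" does not mention this. If unauthenticated pulls are intended, record it above the entry, e.g. `# anonymous read is deliberate: consumers pull intermediate images without credentials`; if not, drop the `anonymous` entry. Note also that `pass: {{ registry_password }}` stores the registry password in the clear where htpasswd held a bcrypt hash (presumably zuul-registry offers no hashed form, worth verifying), so `/var/registry/conf/registry.yaml` must be written with a restrictive mode.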