From 36c6511ed691d041f2dd708863a4cacd44cda626 Mon Sep 17 00:00:00 2001 From: Pavlov Makar Date: Thu, 9 Oct 2025 23:26:06 +0300 Subject: [PATCH] Remove registry installation from job --- Jenkinsfile | 16 ++++- README.md | 15 ++-- roles/rproxy/files/repo.conf | 2 +- roles/rproxy/tasks/addconfig.yml | 13 +++- roles/rproxy/tasks/dockerrepo.yml | 113 ------------------------------ roles/rproxy/tasks/main.yml | 8 --- roles/rproxy/tasks/repo.yml | 6 ++ roles/rproxy/tasks/rproxy.yml | 9 +-- roles/rproxy/vars/main.yml | 12 ++-- rproxy.yml | 4 ++ 10 files changed, 49 insertions(+), 149 deletions(-) delete mode 100644 roles/rproxy/tasks/dockerrepo.yml diff --git a/Jenkinsfile b/Jenkinsfile index cf7236e..e802635 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -13,6 +13,7 @@ pipeline { parameters { string(name: "target_host", defaultValue: "", trim: true, description: "Target host") booleanParam(name: "rproxy_install", defaultValue: true, description: "Install Rproxy") + string(name: "images_repo_url", defaultValue: "", trim: true, description: "Repository host with podman images (ex. rproxy.olsson.ul:5000)\n(for 'rproxy_install' job only)") booleanParam(name: "config_add", defaultValue: true, description: "Add config") string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)") string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)") 
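Review bot: `images_repo_url` is added with `defaultValue: ""` and nothing in the pipeline checks it when `rproxy_install` is true, yet the install stage in the next hunk forwards it unconditionally as `image_repo`, and `roles/rproxy/tasks/rproxy.yml` interpolates it into `{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}`, so an empty parameter would produce the malformed reference `/nginx:1.29` at pull time instead of a clear error. The `vars_prompt` entry added to `rproxy.yml` has the same gap, since it carries no default either. Fail fast in the Jenkinsfile, e.g. `if (params.rproxy_install && !params.images_repo_url) { error("images_repo_url is required for rproxy_install") }` at the top of the install stage, or add an `ansible.builtin.assert` on `image_repo | length > 0` before the pull task. The `parameters` block continues outside the hunk.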
@@ -62,7 +63,13 @@ pipeline { inventory: 'hosts.ini', tags: 'install', colorized: true, - extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + extras: '''--private-key ${SSH_KEY} + -e "ansible_user=${username} + ansible_password=${password} + rproxy_service_name=${rproxy_service_name} + rproxy_service_port=${rproxy_service_port} + rproxy_service_address=${rproxy_service_address} + image_repo=${images_repo_url}"''' ) } } @@ -89,7 +96,12 @@ pipeline { inventory: 'hosts.ini', tags: 'add_config', colorized: true, - extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"' + extras: '''--private-key ${SSH_KEY} + -e "ansible_user=${username} + ansible_password=${password} + rproxy_service_name=${rproxy_service_name} + rproxy_service_port=${rproxy_service_port} + rproxy_service_address=${rproxy_service_address}"''' ) } } diff --git a/README.md b/README.md index 785bdf9..7f07888 100644 --- a/README.md +++ b/README.md @@ -3,12 +3,11 @@ ## Content * Reverse proxy * HTTPS file share -* Docker-registry ## Installation ```yml target_host: Enter FQDN or IP Address of target host -rproxy_install: Install rproxy, https repo and docker-registry if checked +rproxy_install: Install rproxy and https repo if checked config_add: Will config be created rproxy_service_name: Server/service name without domain suffix 
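Review bot: The rewritten `extras` strings in both hunks still pass `ansible_password=${password}` as a command-line extra var, so the password is visible in the agent's process list for the duration of the run and ends up in the console log if the plugin echoes its command line. If the Ansible plugin's `credentialsId`/`vaultCredentialsId` options, or an environment-sourced value read in the play with `lookup('env', ...)`, can carry it instead, prefer that over `-e`. The triple-quoted string also embeds literal newlines inside the quoted `-e "…"` argument; this appears to rely on Ansible's key=value parser treating newlines as whitespace, which deserves a comment such as `// newlines inside the -e "…" argument are whitespace to ansible's key=value parser` once verified. The enclosing `ansiblePlaybook(` call starts outside each hunk.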
@@ -34,13 +33,7 @@ Allows redirecting requests based on fqdn to the required address and ports with Would be installed with rproxy service. Hosted on port 9000. \ Files should be stored in /opt/rproxy/repo/ to be shared. -## Docker-registry -Would be installed with rproxy service. Hosted on port 5000. -Images would be stored in /opt/dockerrepo/repo/. Uses SSL so you should have trust with root certificate. \ -Install trust with root certificate -How to store image: +Put file in repo ```bash -# After image build -docker tag $image $registry_address:5000/$image -docker push $registry_address:5000/$image -``` +curl -T kafka_4.1.tar https://rproxy.olsson.ul:9000/podman/kafka/4.1/kafka_4.1.tar -k +``` \ No newline at end of file diff --git a/roles/rproxy/files/repo.conf b/roles/rproxy/files/repo.conf index dcee29d..a6adbf2 100644 --- a/roles/rproxy/files/repo.conf +++ b/roles/rproxy/files/repo.conf @@ -20,7 +20,7 @@ server { dav_methods PUT DELETE MKCOL; dav_access user:rw group:r all:r; create_full_put_path on; - client_max_body_size 100m; + client_max_body_size 5g; # auth_basic "Needs to auth"; # auth_basic_user_file /etc/nginx/.htpasswd; diff --git a/roles/rproxy/tasks/addconfig.yml b/roles/rproxy/tasks/addconfig.yml index 2de19ea..9b44dbc 100644 --- a/roles/rproxy/tasks/addconfig.yml +++ b/roles/rproxy/tasks/addconfig.yml @@ -45,6 +45,17 @@ become_user: "{{ ansible_user }}" ignore_errors: true + - name: Get all tracking certificates + ansible.builtin.shell: + cmd: ipa-getcert list | grep "ID" | awk '{print $NF}' | tr -d "'\|:" + register: tracking_list + + - name: Remove certificates from IPA tracking + ansible.builtin.shell: + cmd: "ipa-getcert stop-tracking -i {{ item }}" + loop: "{{ tracking_list.stdout_lines }}" + ignore_errors: true + - name: Request certificate via ipa-getcert ansible.builtin.command: > ipa-getcert request 
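Review bot: Raising `client_max_body_size` to `5g` on a server block whose `auth_basic` and `auth_basic_user_file` directives are still commented out (the two context lines right below the change) means any client that can reach the share can `PUT` up to 5 GB per request without credentials, so exhausting the repo volume is one request away. If anonymous writes are intended, restrict the write methods with `limit_except GET { auth_basic "Needs to auth"; auth_basic_user_file /etc/nginx/.htpasswd; }` or at least add `limit_conn`/`limit_rate`, and size the volume for it; otherwise uncomment the auth lines together with this bump. The `server` block starts and ends outside the hunk.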
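Review bot: `Get all tracking certificates` collects every request ID certmonger is tracking on the host and `Remove certificates from IPA tracking` then stops tracking all of them, so re-running `add_config` for one service silently drops renewal for every other certificate on that host (including any earlier service certificate this role requested, and the host's own certificate if certmonger tracks it), and `ignore_errors: true` hides any failure while doing so. Scope the lookup to the certificate being re-requested, e.g. `cmd: ipa-getcert list -f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt | grep "ID" | awk '{print $NF}' | tr -d "'\|:"`, and drop `ignore_errors` so an untrack failure surfaces before the new request is made. The `grep`/`awk` scrape of `ipa-getcert list` output is brittle; a short comment stating the expected `Request ID '…':` line format would help the next maintainer. The enclosing block starts outside the hunk.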
@@ -53,8 +64,6 @@ -K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }} -N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }} - # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists - - name: Wait for certificate to appear ansible.builtin.wait_for: path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt" diff --git a/roles/rproxy/tasks/dockerrepo.yml b/roles/rproxy/tasks/dockerrepo.yml deleted file mode 100644 index 4e41384..0000000 --- a/roles/rproxy/tasks/dockerrepo.yml +++ /dev/null 
@@ -1,113 +0,0 @@ ---- -- name: Prepare for image repository - block: - - name: Remove dockerrepo dir - ansible.builtin.file: - path: "{{ dockerrepo_dir }}" - state: absent - - - name: Create dockerrepo dir - ansible.builtin.file: - path: "{{ dockerrepo_dir }}" - state: directory - - - name: Create repo dir - ansible.builtin.file: - path: "{{ dockerrepo_data_dir }}" - state: directory - - - name: Create certs dir - ansible.builtin.file: - path: "{{ dockerrepo_dir }}/certs" - state: directory - -- name: Create certificates for image repository - block: - - name: Kinit - ansible.builtin.shell: - cmd: "echo '{{ ansible_password }}' | kinit" - become: false - become_user: "{{ ansible_user }}" - - - name: Create SPN for HTTP - ansible.builtin.shell: - cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}" - become: false - become_user: "{{ ansible_user }}" - ignore_errors: true - - - name: Request certificate via ipa-getcert - ansible.builtin.command: > - ipa-getcert request - -f {{ rproxy_dir }}/certs/dockerrepo.crt - -k {{ rproxy_dir }}/certs/dockerrepo.key - -K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} - -N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }} - - # sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists - - - name: Wait for certificate to appear - ansible.builtin.wait_for: - path: "{{ rproxy_dir }}/certs/dockerrepo.crt" - timeout: 60 - - - name: Change certificate permissions - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/dockerrepo.crt" - mode: "0744" - - - name: Wait for certificate key to appear - ansible.builtin.wait_for: - path: "{{ rproxy_dir }}/certs/dockerrepo.key" - timeout: 60 - - - name: Change certificate key permissions - ansible.builtin.file: - path: "{{ rproxy_dir }}/certs/dockerrepo.key" - mode: "0744" - -- name: Start image repository - block: - - name: Pull repo image - containers.podman.podman_image: - name: registry:latest - state: 
present - - - name: Delete image repository container if exists - containers.podman.podman_container: - name: registry - state: absent - - - name: Start registry - containers.podman.podman_container: - name: registry - image: registry:latest - state: started - ports: - - "5000:5000" - env: - REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt" - REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key" - volumes: - - "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw" - - "{{ dockerrepo_dir }}/certs:/certs:z,rw" - - "/etc/localtime:/etc/localtime:ro" - privileged: true - security_opt: - - "label=disable" - log_driver: journald - generate_systemd: - path: /etc/systemd/system/ - restart_policy: always - stop_timeout: 120 - names: true - - - name: Daemon reload - ansible.builtin.shell: - cmd: systemctl daemon-reload - - - name: Enable registry service - ansible.builtin.systemd: - name: "container-registry.service" - state: started - enabled: yes \ No newline at end of file diff --git a/roles/rproxy/tasks/main.yml b/roles/rproxy/tasks/main.yml index 2d528d5..68a2643 100644 --- a/roles/rproxy/tasks/main.yml +++ b/roles/rproxy/tasks/main.yml @@ -23,14 +23,6 @@ tags: - install -- name: Docker repo install - ansible.builtin.include_tasks: - file: dockerrepo.yml - apply: - tags: install - tags: - - install - - name: Add config ansible.builtin.include_tasks: file: addconfig.yml diff --git a/roles/rproxy/tasks/repo.yml b/roles/rproxy/tasks/repo.yml index ebff6fe..21452e2 100644 --- a/roles/rproxy/tasks/repo.yml +++ b/roles/rproxy/tasks/repo.yml @@ -12,6 +12,12 @@ src: files/repo.conf dest: "{{ rproxy_dir }}/sites/repo.conf" + - name: Install createrepo + ansible.builtin.yum: + name: + - createrepo + update_cache: yes + - name: Create https certificates for repository block: - name: Kinit diff --git a/roles/rproxy/tasks/rproxy.yml b/roles/rproxy/tasks/rproxy.yml index de2058f..8a18152 100644 --- a/roles/rproxy/tasks/rproxy.yml +++ b/roles/rproxy/tasks/rproxy.yml 
@@ -6,11 +6,6 @@ path: "{{ rproxy_dir }}" state: absent - - name: Create data dir - ansible.builtin.file: - path: "{{ data_dir }}" - state: directory - - name: Create rproxy dir ansible.builtin.file: path: "{{ rproxy_dir }}" @@ -40,7 +35,7 @@ block: - name: Pull rproxy image containers.podman.podman_image: - name: "docker.io/library/nginx:{{ rproxy_version }}" + name: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}" state: present - name: Delete rproxy container if exists @@ -51,7 +46,7 @@ - name: Start rproxy containers.podman.podman_container: name: rproxy - image: "docker.io/library/nginx:{{ rproxy_version }}" + image: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}" state: started ports: - "443:443" diff --git a/roles/rproxy/vars/main.yml b/roles/rproxy/vars/main.yml index a189b12..ebd446c 100644 --- a/roles/rproxy/vars/main.yml +++ b/roles/rproxy/vars/main.yml @@ -1,7 +1,9 @@ +--- +# General ansible_python_interpreter: /usr/bin/python3 + +# Rproxy +rproxy_image: nginx +rproxy_version: 1.29 rproxy_dir: /opt/rproxy -rproxy_version: 1.29.0 -data_dir: /opt/data -repo_data_dir: /opt/data/repo -dockerrepo_dir: /opt/dockerrepo -dockerrepo_data_dir: /opt/data/dockerrepo \ No newline at end of file +repo_data_dir: /opt/repodata \ No newline at end of file diff --git a/rproxy.yml b/rproxy.yml index 1f910d8..debe606 100644 --- a/rproxy.yml +++ b/rproxy.yml @@ -18,5 +18,9 @@ prompt: Enter service for rproxy private: false + - name: image_repo + prompt: Enter repository address with podman images (ex. rproxy.olsson.ul:5000) + private: false + roles: - rproxy
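Review bot: Both `Pull rproxy image` and `Start rproxy` now build the image reference from a run-time supplied registry host plus a floating tag (the vars change in this commit drops `1.29.0` to `1.29`), so whichever registry the job caller names decides which binary terminates TLS on 443, with no digest tying it to a reviewed build. Pin by digest, e.g. add an `rproxy_image_digest` var and reference `{{ image_repo }}/{{ rproxy_image }}@{{ rproxy_image_digest }}`, or at minimum validate `image_repo` against an allow-list of internal registries before the pull. Separately, `Create data dir` is removed here while `repo_data_dir` moves to `/opt/repodata` in vars; I cannot see from this hunk whether anything else creates that directory, so confirm the repo tasks still do. The enclosing blocks start outside the hunks.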
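Review bot: `rproxy_version: 1.29` in `roles/rproxy/vars/main.yml` is an unquoted plain scalar and parses as a float; `1.29` happens to stringify back unchanged, but a later bump to `1.30` would render as `1.3` and the tag would silently point at a different release, so quote it as `rproxy_version: "1.29"` (the removed `1.29.0` was only safe because it could not be read as a number). The file also ends without a trailing newline on `repo_data_dir: /opt/repodata`; add one.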