Remove registry installation from job

2025-10-09 23:26:06 +03:00
parent 414976a4bc
commit 36c6511ed6
10 changed files with 49 additions and 149 deletions

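--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -13,6 +13,7 @@ pipeline {
 parameters {
 string(name: "target_host", defaultValue: "", trim: true, description: "Target host")
 booleanParam(name: "rproxy_install", defaultValue: true, description: "Install Rproxy")
+string(name: "images_repo_url", defaultValue: "", trim: true, description: "Repository host with podman images (ex. rproxy.olsson.ul:5000)\n(for 'rproxy_install' job only)")
 booleanParam(name: "config_add", defaultValue: true, description: "Add config")
 string(name: "rproxy_service_name", defaultValue: "", trim: true, description: "Service name (for 'Add config' job only)")
 string(name: "rproxy_service_port", defaultValue: "", trim: true, description: "Service port (for 'Add config' job only)")
@@ -62,7 +63,13 @@ pipeline {
 inventory: 'hosts.ini',
 tags: 'install',
 colorized: true,
-extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"'
+extras: '''--private-key ${SSH_KEY}
+-e "ansible_user=${username}
+ansible_password=${password}
+rproxy_service_name=${rproxy_service_name}
+rproxy_service_port=${rproxy_service_port}
+rproxy_service_address=${rproxy_service_address}
+image_repo=${images_repo_url}"'''
 )
 }
 }
@@ -89,7 +96,12 @@ pipeline {
 inventory: 'hosts.ini',
 tags: 'add_config',
 colorized: true,
-extras: '--private-key ${SSH_KEY} -e "ansible_user=${username} ansible_password=${password} rproxy_service_name=${rproxy_service_name} rproxy_service_port=${rproxy_service_port} rproxy_service_address=${rproxy_service_address}"'
+extras: '''--private-key ${SSH_KEY}
+-e "ansible_user=${username}
+ansible_password=${password}
+rproxy_service_name=${rproxy_service_name}
+rproxy_service_port=${rproxy_service_port}
+rproxy_service_address=${rproxy_service_address}"'''
 )
 }
 }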
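Review bot: `image_repo=${images_repo_url}` at the end of the install-stage extras is passed even when the new parameter is left at its empty default, so the role's image reference (changed elsewhere in this commit to `{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}`) collapses to `/nginx:1.29` and the pull fails with an unhelpful error. Either carry the previously hard-coded value as the default, `string(name: "images_repo_url", defaultValue: "docker.io/library", trim: true, description: "Repository host with podman images (ex. rproxy.olsson.ul:5000)\n(for 'rproxy_install' job only)")`, or skip the stage when the parameter is empty. The triple-quoted form in both the install and add_config hunks puts literal newlines inside the single `-e "..."` argument; I believe Ansible's key=value parser splits on any whitespace, but confirm once against the plugin's console output before relying on it. The whole value, `ansible_password` included, is still one command-line argument and is as visible in the job log and process list as it was before.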


@@ -3,12 +3,11 @@
## Content ## Content
* Reverse proxy * Reverse proxy
* HTTPS file share * HTTPS file share
* Docker-registry
## Installation ## Installation
```yml ```yml
target_host: Enter FQDN or IP Address of target host target_host: Enter FQDN or IP Address of target host
rproxy_install: Install rproxy, https repo and docker-registry if checked rproxy_install: Install rproxy and https repo if checked
config_add: Will config be created config_add: Will config be created
rproxy_service_name: Server/service name without domain suffix rproxy_service_name: Server/service name without domain suffix
@@ -34,13 +33,7 @@ Allows redirecting requests based on fqdn to the required address and ports with
Would be installed with rproxy service. Hosted on port 9000. \ Would be installed with rproxy service. Hosted on port 9000. \
Files should be stored in /opt/rproxy/repo/ to be shared. Files should be stored in /opt/rproxy/repo/ to be shared.
## Docker-registry Put file in repo
Would be installed with rproxy service. Hosted on port 5000.
Images would be stored in /opt/dockerrepo/repo/. Uses SSL so you should have trust with root certificate. \
Install trust with root certificate
How to store image:
```bash ```bash
# After image build curl -T kafka_4.1.tar https://rproxy.olsson.ul:9000/podman/kafka/4.1/kafka_4.1.tar -k
docker tag $image $registry_address:5000/$image ```
docker push $registry_address:5000/$image
```


@@ -20,7 +20,7 @@ server {
dav_methods PUT DELETE MKCOL; dav_methods PUT DELETE MKCOL;
dav_access user:rw group:r all:r; dav_access user:rw group:r all:r;
create_full_put_path on; create_full_put_path on;
client_max_body_size 100m; client_max_body_size 5g;
# auth_basic "Needs to auth"; # auth_basic "Needs to auth";
# auth_basic_user_file /etc/nginx/.htpasswd; # auth_basic_user_file /etc/nginx/.htpasswd;
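Review bot: Raising `client_max_body_size` from `100m` to `5g` (reading the right-hand value as the new side) on a location that already allows `PUT`/`MKCOL` with `create_full_put_path on` while both `auth_basic` lines stay commented out means any client that can reach the port can write multi-gigabyte files until the volume is full. If the upload endpoint is meant to stay open, at least restrict it with `allow`/`deny` on the source network; otherwise uncomment `auth_basic "Needs to auth";` and `auth_basic_user_file /etc/nginx/.htpasswd;` in the same change and provision the htpasswd file. The enclosing `server`/`location` block starts and ends outside the hunk.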


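--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -45,6 +45,17 @@
 become_user: "{{ ansible_user }}"
 ignore_errors: true
+- name: Get all tracking certificates
+ansible.builtin.shell:
+cmd: ipa-getcert list | grep "ID" | awk '{print $NF}' | tr -d "'\|:"
+register: tracking_list
+- name: Remove certificates from IPA tracking
+ansible.builtin.shell:
+cmd: "ipa-getcert stop-tracking -i {{ item }}"
+loop: "{{ tracking_list.stdout_lines }}"
+ignore_errors: true
 - name: Request certificate via ipa-getcert
 ansible.builtin.command: >
 ipa-getcert request
@@ -53,8 +64,6 @@
 -K HTTP/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
 -N CN={{ rproxy_service_name }}.{{ ansible_facts['domain'] }}
-# sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
 - name: Wait for certificate to appear
 ansible.builtin.wait_for:
 path: "{{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt"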
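Review bot: The new `Remove certificates from IPA tracking` task stops tracking every certmonger request on the host, because `ipa-getcert list | grep "ID" | awk '{print $NF}'` collects all request IDs rather than the one belonging to `{{ rproxy_service_name }}`, so any other tracked certificate on the same machine (for example the repository certificate that the `Create https certificates for repository` block appears to request) silently stops renewing. Narrow the lookup to this service's certificate, e.g. `cmd: ipa-getcert list -f {{ rproxy_dir }}/certs/{{ rproxy_service_name }}.{{ ansible_facts['domain'] }}.crt | grep "Request ID" | awk '{print $NF}' | tr -d "'\|:"` (I believe `list` accepts the same `-f` file filter that `request` uses; verify on the target certmonger version), and drop `ignore_errors: true` from the stop-tracking task so a real failure is not hidden right before the re-request. `grep "ID"` also matches any line containing those two letters, so anchoring on `Request ID` makes the parse less fragile. The enclosing task list continues on both sides of the hunk.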


@@ -1,113 +0,0 @@
---
- name: Prepare for image repository
block:
- name: Remove dockerrepo dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}"
state: absent
- name: Create dockerrepo dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}"
state: directory
- name: Create repo dir
ansible.builtin.file:
path: "{{ dockerrepo_data_dir }}"
state: directory
- name: Create certs dir
ansible.builtin.file:
path: "{{ dockerrepo_dir }}/certs"
state: directory
- name: Create certificates for image repository
block:
- name: Kinit
ansible.builtin.shell:
cmd: "echo '{{ ansible_password }}' | kinit"
become: false
become_user: "{{ ansible_user }}"
- name: Create SPN for HTTP
ansible.builtin.shell:
cmd: "ipa service-add HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}"
become: false
become_user: "{{ ansible_user }}"
ignore_errors: true
- name: Request certificate via ipa-getcert
ansible.builtin.command: >
ipa-getcert request
-f {{ rproxy_dir }}/certs/dockerrepo.crt
-k {{ rproxy_dir }}/certs/dockerrepo.key
-K HTTP/{{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
-N CN={{ ansible_facts['hostname'] }}.{{ ansible_facts['domain'] }}
# sudo ipa-getcert stop-tracking -i 20250813210258 if track already exists
- name: Wait for certificate to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
timeout: 60
- name: Change certificate permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/dockerrepo.crt"
mode: "0744"
- name: Wait for certificate key to appear
ansible.builtin.wait_for:
path: "{{ rproxy_dir }}/certs/dockerrepo.key"
timeout: 60
- name: Change certificate key permissions
ansible.builtin.file:
path: "{{ rproxy_dir }}/certs/dockerrepo.key"
mode: "0744"
- name: Start image repository
block:
- name: Pull repo image
containers.podman.podman_image:
name: registry:latest
state: present
- name: Delete image repository container if exists
containers.podman.podman_container:
name: registry
state: absent
- name: Start registry
containers.podman.podman_container:
name: registry
image: registry:latest
state: started
ports:
- "5000:5000"
env:
REGISTRY_HTTP_TLS_CERTIFICATE: "/certs/dockerrepo.crt"
REGISTRY_HTTP_TLS_KEY: "/certs/dockerrepo.key"
volumes:
- "{{ dockerrepo_data_dir }}:/var/lib/registry:z,rw"
- "{{ dockerrepo_dir }}/certs:/certs:z,rw"
- "/etc/localtime:/etc/localtime:ro"
privileged: true
security_opt:
- "label=disable"
log_driver: journald
generate_systemd:
path: /etc/systemd/system/
restart_policy: always
stop_timeout: 120
names: true
- name: Daemon reload
ansible.builtin.shell:
cmd: systemctl daemon-reload
- name: Enable registry service
ansible.builtin.systemd:
name: "container-registry.service"
state: started
enabled: yes


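--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -23,14 +23,6 @@
 tags:
 - install
-- name: Docker repo install
-ansible.builtin.include_tasks:
-file: dockerrepo.yml
-apply:
-tags: install
-tags:
-- install
 - name: Add config
 ansible.builtin.include_tasks:
 file: addconfig.yml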


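--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -12,6 +12,12 @@
 src: files/repo.conf
 dest: "{{ rproxy_dir }}/sites/repo.conf"
+- name: Install createrepo
+ansible.builtin.yum:
+name:
+- createrepo
+update_cache: yes
 - name: Create https certificates for repository
 block:
 - name: Kinit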
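Review bot: `update_cache: yes` in the new `Install createrepo` task uses a YAML 1.1 truthy literal while every other boolean visible in this commit is written `true`/`false` (`ignore_errors: true`, `private: false`), so write `update_cache: true` for consistency and to keep yamllint's truthy rule quiet. A one-line comment above the task saying what consumes createrepo would also help, since nothing in this commit's hunks invokes it.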


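--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -6,11 +6,6 @@
 path: "{{ rproxy_dir }}"
 state: absent
-- name: Create data dir
-ansible.builtin.file:
-path: "{{ data_dir }}"
-state: directory
 - name: Create rproxy dir
 ansible.builtin.file:
 path: "{{ rproxy_dir }}"
@@ -40,7 +35,7 @@
 block:
 - name: Pull rproxy image
 containers.podman.podman_image:
-name: "docker.io/library/nginx:{{ rproxy_version }}"
+name: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
 state: present
 - name: Delete rproxy container if exists
@@ -51,7 +46,7 @@
 - name: Start rproxy
 containers.podman.podman_container:
 name: rproxy
-image: "docker.io/library/nginx:{{ rproxy_version }}"
+image: "{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"
 state: started
 ports:
 - "443:443"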
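Review bot: `"{{ image_repo }}/{{ rproxy_image }}:{{ rproxy_version }}"` in both the pull task and the start task has no fallback, so an empty `image_repo` (the Jenkins parameter defaults to `""` and the playbook prompt has no default) yields the reference `/nginx:1.29`. Use `"{{ image_repo | default('docker.io/library', true) }}/{{ rproxy_image }}:{{ rproxy_version }}"` in both places, or better define the full reference once in vars (say `rproxy_image_ref`) and use it in both tasks so they cannot drift. Pulling from a caller-supplied registry also means the image source is now whatever the operator types at the prompt; keeping the registry in inventory rather than free text, and pinning the tag to a digest where the registry supports it, keeps the supply chain auditable. The `Start rproxy` task continues past the end of the hunk.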


@@ -1,7 +1,9 @@
---
# General
ansible_python_interpreter: /usr/bin/python3 ansible_python_interpreter: /usr/bin/python3
# Rproxy
rproxy_image: nginx
rproxy_version: 1.29
rproxy_dir: /opt/rproxy rproxy_dir: /opt/rproxy
rproxy_version: 1.29.0 repo_data_dir: /opt/repodata
data_dir: /opt/data
repo_data_dir: /opt/data/repo
dockerrepo_dir: /opt/dockerrepo
dockerrepo_data_dir: /opt/data/dockerrepo
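Review bot: `rproxy_version: 1.29` is an unquoted float where the old line carried the string `1.29.0`, so the value is parsed as a number and only renders correctly by luck (`1.30` or `1.10` would become `1.3`/`1.1` in the image tag). Write `rproxy_version: "1.29"`, and consider keeping the full patch version the previous line had if the registry tags are immutable per patch release. Which half of the fused `rproxy_version`/`repo_data_dir` line is the new side is not marked on this page; I read `1.29` as new because `rproxy_image` is introduced beside it, so confirm against the merged file.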


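--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -18,5 +18,9 @@
 prompt: Enter service for rproxy
 private: false
+- name: image_repo
+prompt: Enter repository address with podman images (ex. rproxy.olsson.ul:5000)
+private: false
 roles:
 - rproxy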
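Review bot: The new `image_repo` prompt has no `default:`, so an operator who presses Enter ends up with an empty registry and the role builds the image reference `/nginx:...`; add `default: docker.io/library` (the value the role hard-coded before this commit) under `private: false`. When the playbook is driven from Jenkins the variable arrives via `-e image_repo=...` and, as I recall Ansible's behaviour, the prompt is skipped, so the default matters only for interactive runs, which is exactly where a typo or blank entry is most likely. The `vars_prompt` list starts outside the hunk.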