chore: setup docker-registry

5 years ago · c10d556038
parent b741b5872a
commit c10d556038
20 changed files with 362 additions and 48 deletions
--- a/group_vars/all/plain.yml
+++ b/group_vars/all/plain.yml
@ -1,6 +1,6 @@
 ---

-send_status_messages: true
+send_status_messages: false

 domain: smardigo.digital

--- a/roles/_deploy/tasks/caddy_config.yml
+++ b/roles/_deploy/tasks/caddy_config.yml
@ -1,39 +0,0 @@
---
-
- name: 'Insert/Update caddy configuration in {{ caddy_config_file_path_full }}'
-  blockinfile:
-    marker: '# {mark} managed by ansible (reverse proxy config for {{ current_service }})'
-    path: '{{ caddy_config_file_path_full }}'
-    state: "{{ 'present' if reverse_proxy == 'caddy' else 'absent' }}"
-    create: yes
-    block: |
-      {% for service in current_services %}
-      {{ http_s }}://{{ service.external }} {
-        proxy / {{ service.internal }} {
-          transparent
-        }
-        tls {{ caddy_tls }}
-        {% if service.basicauth is defined %}
-        basicauth {{ service.basicauth }}
-        {% endif %}
-      }
-      {% endfor %}
-  tags:
-    - update_deployment
-
- name: "Stop caddy"
-  shell: docker-compose down
-  args:
-    chdir: '{{ service_base_path }}/caddy'
-  ignore_errors: yes
-  when: reverse_proxy == 'caddy'
-  tags:
-    - update_deployment
-
- name: "Start caddy"
-  shell: docker-compose up -d
-  args:
-    chdir: '{{ service_base_path }}/caddy'
-  when: reverse_proxy == 'caddy'
-  tags:
-    - update_deployment
--- a/roles/_deploy/tasks/configs.yml
+++ b/roles/_deploy/tasks/configs.yml
@ -20,7 +20,7 @@
  tags:
    - update_config

- name: Ensure docker files are populated from templates
+- name: Ensure docker files are populated from templates/_docker
  template:
    src: "{{ item.src }}"
    dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path | regex_replace('\\.j2$', '') }}"
@ -33,7 +33,7 @@
    - update_deployment
    - update_config

- name: Ensure config template files are populated from templates
+- name: Ensure config template files are populated from templates/{{ current_config }}
  template:
    src: "{{ item.src }}"
    dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path | regex_replace('\\.j2$', '') }}"
@ -45,7 +45,7 @@
  tags:
    - update_config

- name: Ensure config files are populated from templates
+- name: Ensure config files are populated from from templates/{{ current_config }}
  copy:
    src: "{{ item.src }}"
    dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path }}"
--- a/roles/_digitalocean/tasks/domain.yml
+++ b/roles/_digitalocean/tasks/domain.yml
@ -8,7 +8,6 @@
      authorization: Bearer {{ digitalocean_authentication_token }}
    return_content: yes
  register: domain_records_response
-  delegate_to: 127.0.0.1

 - name: Save DNS entry as variable (fact)
  set_fact: 
@ -35,7 +34,6 @@
  when:
        domain_record.ip != '-'
    and record_data != domain_record.ip
-  delegate_to: 127.0.0.1

 - name: Create DNS entry for <{{ record_name }}> if necessary
  uri:
@ -57,4 +55,3 @@
        domain_record.ip == '-'
    or record_data != domain_record.ip
    or record_name != domain_record.name
-  delegate_to: 127.0.0.1
--- a/roles/docker-registry/defaults/main.yml
+++ b/roles/docker-registry/defaults/main.yml
@ -0,0 +1,137 @@
+---
+
+docker_registry_id: "{{ service_name }}-registry"
+
+docker_registry_image_name: "library/registry"
+docker_registry_image_version: "2.7"
+
+
+
+docker_portus_secret_key_base: docker-portus-secret-key-base
+docker_portus_password: docker-portus-admin
+
+
+docker_postgres_portus_image_name: "postgres"
+docker_postgres_portus_image_version: "12"
+
+docker_portus_postgres_database: docker-portus-postgres
+docker_portus_postgres_username: docker-portus-postgres-admin
+docker_portus_postgres_password: docker-portus-postgres-admin
+
+docker_registry_docker: {
+  networks: [
+    {
+      name: front-tier,
+      external: true,
+    },
+    {
+      name: back-tier,
+      external: true,
+    },
+  ],
+  volumes: [
+    {
+      name: "{{ service_name }}-registry-data",
+    },
+    {
+      name: "{{ service_name }}-postgres-portus-data"
+    }
+  ],
+  services: [
+    {
+      name: "{{ service_name }}-portus",
+      image_name: "opensuse/portus",
+      image_version: "2.4",
+      environment: [
+        "PORTUS_MACHINE_FQDN_VALUE: \"{{ stage_server_url_host }}\"",
+        "PORTUS_DB_HOST: \"{{ service_name }}-postgres-portus\"",
+        "PORTUS_DB_DATABASE: \"{{ docker_portus_postgres_database }}\"",
+        "PORTUS_DB_USERNAME: \"{{ docker_portus_postgres_username }}\"",
+        "PORTUS_DB_PASSWORD: \"{{ docker_portus_postgres_password }}\"",
+        "PORTUS_DB_POOL: \"5\"",
+        "PORTUS_SECRET_KEY_BASE: \"{{ docker_portus_secret_key_base }}\"",
+        "PORTUS_KEY_PATH: \"/certificates/portus.key\"",
+        "PORTUS_PASSWORD: \"{{ docker_portus_password }}\"",
+        "PORTUS_PUMA_TLS_KEY: \"/certificates/portus.key\"",
+        "PORTUS_PUMA_TLS_CERT: \"/certificates/portus.crt\"",
+        "RAILS_SERVE_STATIC_FILES: \"true\"",
+      ],
+      volumes: [
+        '"{{ service_name }}-postgres-portus-data:/var/lib/postgresql/data"',
+      ],
+      networks: [
+        '"front-tier"',
+        '"back-tier"',
+      ]
+    },
+    {
+      name: "{{ service_name }}-portus-background",
+      image_name: "opensuse/portus",
+      image_version: "2.4",
+      environment: [
+        "CCONFIG_PREFIX: \"PORTUS\"",
+        "PORTUS_MACHINE_FQDN_VALUE: \"{{ stage_server_url_host }}\"",
+        "PORTUS_DB_HOST: \"{{ service_name }}-postgres-portus\"",
+        "PORTUS_DB_DATABASE: \"{{ docker_portus_postgres_database }}\"",
+        "PORTUS_DB_USERNAME: \"{{ docker_portus_postgres_username }}\"",
+        "PORTUS_DB_PASSWORD: \"{{ docker_portus_postgres_password }}\"",
+        "PORTUS_DB_POOL: \"5\"",
+        "PORTUS_SECRET_KEY_BASE: \"{{ docker_portus_secret_key_base }}\"",
+        "PORTUS_KEY_PATH: \"/certificates/portus.key\"",
+        "PORTUS_PASSWORD: \"{{ docker_portus_password }}\"",
+        "PORTUS_BACKGROUND: \"true\"",
+      ],
+      volumes: [
+        '"./secrets:/certificates:ro"',
+      ],
+      networks: [
+        '"back-tier"',
+      ]
+    },
+    {
+      name: "{{ service_name }}-postgres-portus",
+      image_name: "{{ docker_postgres_portus_image_name }}",
+      image_version: "{{ docker_postgres_portus_image_version }}",
+      environment: [
+        'POSTGRES_DB: "{{ docker_portus_postgres_database }}"',
+        'POSTGRES_USER: "{{ docker_portus_postgres_username }}"',
+        'POSTGRES_PASSWORD: "{{ docker_portus_postgres_password }}"',
+      ],
+      volumes: [
+        '"{{ service_name }}-postgres-portus-data:/var/lib/postgresql/data"',
+      ],
+      networks: [
+        '"back-tier"',
+      ],
+      ports: "{{ docker_registry_postgres_ports | default([]) }}",
+    },
+    {
+      name: "{{ service_name }}-registry",
+      image_name: "{{ docker_registry_image_name }}",
+      image_version: "{{ docker_registry_image_version }}",
+      command: [
+        '"/bin/sh"',
+        '"/etc/docker/registry/init"',
+      ],
+      environment: [
+        "REGISTRY_HTTP_SECRET: \"3a025df1-c7df-4c63-9ec4-103ffe3bde42\"",
+        "REGISTRY_AUTH_TOKEN_REALM: \"{{ stage_server_url }}/v2/token\"",
+        "REGISTRY_AUTH_TOKEN_SERVICE: \"{{ stage_server_url_host }}\"",
+        "REGISTRY_AUTH_TOKEN_ISSUER: \"{{ stage_server_url_host }}\"",
+        "REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE: \"/secrets/portus.crt\"",
+        "REGISTRY_HTTP_TLS_CERTIFICATE: \"/secrets/portus.crt\"",
+        "REGISTRY_HTTP_TLS_KEY: \"/secrets/portus.key\"",
+      ],
+      volumes: [
+        '"{{ service_name }}-registry-data:/var/lib/registry"',
+        '"./secrets:/secrets:ro"',
+        '"./registry/init:/etc/docker/registry/init:ro"',
+        '"./registry/config.yml:/etc/docker/registry/config.yml:ro"',
+      ],
+      networks: [
+        '"front-tier"'
+      ],
+      ports: "{{ docker_registry_ports | default([]) }}",
+    }
+  ]
+}
--- a/roles/docker-registry/handlers/main.yml
+++ b/roles/docker-registry/handlers/main.yml
--- a/roles/docker-registry/meta/main.yml
+++ b/roles/docker-registry/meta/main.yml
--- a/roles/docker-registry/tasks/main.yml
+++ b/roles/docker-registry/tasks/main.yml
@ -0,0 +1,171 @@
+---
+
+### tags:
+###   update_deployment
+
+- name: "Send mattermost message"
+  uri:
+    url: "{{ mattermost_hook_smardigo }}"
+    method: POST
+    body: "{{ lookup('template','mattermost-deploy-start.json.j2') }}"
+    body_format: json
+    headers:
+      Content-Type: "application/json"
+  delegate_to: 127.0.0.1
+  become: false
+  when:
+    - send_status_messages
+
+- name: Gather current server infos
+  hcloud_server_info:
+    api_token: "{{ hetzner_authentication_token }}"
+  register: hetzner_server_infos
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: Save current server infos as variable (fact)
+  set_fact: 
+    hetzner_server_infos_json: "{{ hetzner_server_infos.hcloud_server_info }}"
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: Read ip for {{ inventory_hostname }}
+  set_fact:
+    stage_server_ip: "{{ item.ipv4_address }}"
+  when: item.name == inventory_hostname
+  with_items: "{{ hetzner_server_infos_json }}"
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: "Setup DNS configuration for {{ service_name }}"
+  include_role:
+    name: _digitalocean
+    tasks_from: domain
+  vars:
+    record_data: "{{ stage_server_ip }}"
+    record_name: "{{ service_name }}"
+
+- name: "Setup public DNS configuration for {{ service_name }}"
+  include_role:
+    name: _digitalocean
+    tasks_from: domain
+  vars:
+    record_data: "{{ item.ip }}"
+    record_name: "{{ item.name }}"
+  loop: "{{ docker_registry_public_dns_entries }}"
+  when: docker_registry_public_dns_entries is defined
+
+- name: "Check docker networks"
+  include_role:
+    name: _docker
+    tasks_from: networks
+
+- name: "Check if {{ service_name }}/docker-compose.yml exists"
+  stat:
+    path: '{{ service_base_path }}/{{ service_name }}/docker-compose.yml'
+  register: check_docker_compose_file
+  tags:
+    - update_deployment
+
+- name: "Stop {{ service_name }}"
+  shell: docker-compose down
+  args:
+    chdir: '{{ service_base_path }}/{{ service_name }}'
+  when: check_docker_compose_file.stat.exists
+  ignore_errors: yes
+  tags:
+    - update_deployment
+
+- name: "Deploy service configuration for {{ service_name }}"
+  include_role:
+    name: _deploy
+    tasks_from: configs
+  vars:
+    current_config: "docker-registry"
+    current_base_path: "{{ service_base_path }}"
+    current_destination: "{{ service_name }}"
+    current_owner: "{{ docker_owner }}"
+    current_group: "{{ docker_group }}"
+    current_docker: "{{ docker_registry_docker }}"
+
+- name: "Update {{ service_name }}"
+  shell: docker-compose pull
+  args:
+    chdir: '{{ service_base_path }}/{{ service_name }}'
+  tags:
+    - update_deployment
+
+- name: "Start {{ service_name }}"
+  shell: docker-compose up -d
+  args:
+    chdir: '{{ service_base_path }}/{{ service_name }}'
+  tags:
+    - update_deployment
+
+- name: "Update landing page entries for {{ service_name }}"
+  include_role:
+    name: _deploy
+    tasks_from: caddy_landing_page
+  vars:
+    current_services: [
+      {
+        current_name: "{{ service_name }}",
+        current_url: "{{ http_s }}://{{ service_url }}",
+        current_version: "{{ docker_registry_image_version }}",
+        current_date: "{{ ansible_date_time.iso8601 }}",
+        management: "{{ http_s }}://{{ service_url }}:{{ monitor_port_service }}/management",
+      },
+    ]
+  tags:
+    - update_deployment
+
+- name: "Update landing page with public entries {{ service_name }}"
+  include_role:
+    name: _deploy
+    tasks_from: caddy_landing_page
+  vars:
+    current_services: [
+      {
+        current_name: "{{ item.name }}",
+        current_url: "{{ http_s }}://{{ item.name }}.{{ domain }}",
+        current_version: "{{ docker_registry_image_version }}",
+        current_date: "{{ ansible_date_time.iso8601 }}",
+        management: "{{ http_s }}://{{ service_url }}:{{ monitor_port_service }}/management",
+      },
+    ]
+  loop: "{{ docker_registry_public_dns_entries }}"
+  when: docker_registry_public_dns_entries is defined
+  tags:
+    - update_deployment
+
+- name: "Update landing page with extra entries for {{ service_name }}"
+  include_role:
+    name: _deploy
+    tasks_from: caddy_landing_page
+  vars:
+    current_services: [
+      {
+        current_name: "{{ item.name }}",
+        current_url: "{{ item.domain }}",
+        current_version: "{{ docker_registry_image_version }}",
+        current_date: "{{ ansible_date_time.iso8601 }}",
+        management: "{{ http_s }}://{{ service_url }}:{{ monitor_port_service }}/management",
+      },
+    ]
+  loop: "{{ docker_registry_extra_domain_entries }}"
+  when: docker_registry_extra_domain_entries is defined
+  tags:
+    - update_deployment
+
+- name: "Send mattermost messsge"
+  uri:
+    url: "{{ mattermost_hook_smardigo }}"
+    method: POST
+    body: "{{ lookup('template','mattermost-deploy-end.json.j2') }}"
+    body_format: json
+    headers:
+      Content-Type: "application/json"
+  delegate_to: 127.0.0.1
+  become: false
+  when:
+    - send_status_messages
--- a/roles/docker-registry/vars/main.yml
+++ b/roles/docker-registry/vars/main.yml
--- a/roles/node-exporter/defaults/main.yml
+++ b/roles/node-exporter/defaults/main.yml
--- a/roles/node-exporter/handlers/main.yml
+++ b/roles/node-exporter/handlers/main.yml
@ -0,0 +1 @@
+---
--- a/roles/node-exporter/meta/main.yml
+++ b/roles/node-exporter/meta/main.yml
@ -0,0 +1 @@
+---
--- a/roles/node-exporter/tasks/main.yml
+++ b/roles/node-exporter/tasks/main.yml
--- a/roles/node-exporter/vars/main.yml
+++ b/roles/node-exporter/vars/main.yml
@ -0,0 +1 @@
+---
--- a/setup.yml
+++ b/setup.yml
@ -40,10 +40,10 @@
      tags:
        - common

-    - role: node_exporter
+    - role: node-exporter
      when: node_exporter_enabled | default(True)
      tags:
-        - node_exporter
+        - node-exporter

    - role: traefik
      when: traefik_enabled | default(True)
--- a/smardigo.yml
+++ b/smardigo.yml
@ -0,0 +1,17 @@
+---
+- name: 'apply setup to {{ host | default("all") }}'
+  hosts: '{{ host | default("all") }}'
+  serial: "{{ serial_number|default(1) }}"
+  become: yes
+
+  pre_tasks:
+    - name: "Check if ansible version is at least 2.10.x"
+      assert:
+        that:
+          - ansible_version.major >= 2
+          - ansible_version.minor >= 10
+        msg: "The ansible version has to be at least ({{ ansible_version.full }})"
+
+  roles:
+    - role: docker-registry
+      when: "'docker_registry' in group_names"
--- a/8
+++ b/8
@ -1,12 +1,20 @@
 [hcloud]
+dev-docker-registry-01
 dev-elastic-stack-01
 dev-elastic-stack-02
 dev-elastic-stack-03
+dev-prometheus-01
+
+[docker_registry]
 dev-docker-registry-01
+
+[prometheus]
 dev-prometheus-01

 [stage_dev:children]
 hcloud
+docker_registry
+prometheus

 [all:children]
 stage_dev
--- a/templates/docker-registry/registry/config.yml
+++ b/templates/docker-registry/registry/config.yml
@ -0,0 +1,12 @@
+version: 0.1
+
+storage:
+  filesystem:
+    rootdirectory: /var/lib/registry
+  delete:
+    enabled: true
+
+http:
+  addr: 0.0.0.0:5000
+  debug:
+    addr: 0.0.0.0:5001
--- a/templates/docker-registry/registry/init
+++ b/templates/docker-registry/registry/init
@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -x
+
+cp /secrets/portus.crt /usr/local/share/ca-certificates
+update-ca-certificates
+registry serve /etc/docker/registry/config.yml
--- a/templates/docker-registry/secrets/.gitignore
+++ b/templates/docker-registry/secrets/.gitignore
@ -0,0 +1 @@
+portus.*