author | Christian Breunig <christian@breunig.cc> | 2023-04-05 17:52:00 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-05 17:52:00 +0200 |
commit | 0b0f991a86461ed725762010cf263fb2f0eaa16a (patch) | |
tree | c2dbbe85008b9b1a946fea78ae0142f034a480e7 /src/conf_mode/container.py | |
parent | e890a70d134fc63507ec396f9b7d4290df1cc0cb (diff) | |
parent | df58e083979a40df8c1a1391b82b2e4d856225dd (diff) | |
Merge pull request #1928 from c-po/t4959-backport
T4959: Add container registry authentication config for containers (backport)
Diffstat (limited to 'src/conf_mode/container.py')
-rwxr-xr-x | src/conf_mode/container.py | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 50c3424d2..2d7f03e7f 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -18,7 +18,6 @@ import os
 from ipaddress import ip_address
 from ipaddress import ip_network
-from time import sleep
 from json import dumps as json_write
 from vyos.base import Warning
@@ -30,6 +29,7 @@ from vyos.util import call
 from vyos.util import cmd
 from vyos.util import dict_search
 from vyos.util import run
+from vyos.util import rc_cmd
 from vyos.util import write_file
 from vyos.template import inc_ip
 from vyos.template import is_ipv4
@@ -70,6 +70,9 @@ def get_config(config=None):
 # container base default values can not be merged here - remove and add them later
 if 'name' in default_values:
 del default_values['name']
+ # registry will be handled below
+ if 'registry' in default_values:
+ del default_values['registry']
 container = dict_merge(default_values, container)
 # Merge per-container default values
@@ -106,6 +109,15 @@ def get_config(config=None):
 container['name'][name]['volume'][volume] = dict_merge(
 default_values_volume, container['name'][name]['volume'][volume])
+ # registry is a tagNode with default values - merge the list from
+ # default_values['registry'] into the tagNode variables
+ if 'registry' not in container:
+ container.update({'registry' : {}})
+ default_values = defaults(base)
+ for registry in default_values['registry'].split():
+ tmp = {registry : {}}
+ container['registry'] = dict_merge(tmp, container['registry'])
+
 # Delete container network, delete containers
 tmp = node_changed(conf, base + ['network'])
 if tmp: container.update({'network_remove' : tmp})
@@ -237,6 +249,13 @@ def verify(container):
 if 'network' in container_config and network in container_config['network']:
 raise ConfigError(f'Can not remove network "{network}", used by container "{container}"!')
+ if 'registry' in container:
+ for registry, registry_config in container['registry'].items():
+ if 'authentication' in registry_config:
+ if ('user' not in registry_config and 'password' in registry_config) or \
+ ('user' in registry_config and 'password' not in registry_config):
+ raise ConfigError('If registry username or password is defined, so must be the other!')
+
 return None
 def generate_run_arguments(name, container_config):
@@ -366,6 +385,23 @@ def generate(container):
 write_file(f'/etc/cni/net.d/{network}.conflist', json_write(tmp, indent=2))
+ if 'registry' in container:
+ cmd = f'podman logout --all'
+ rc, out = rc_cmd(cmd)
+ if rc != 0:
+ raise ConfigError(out)
+
+ for registry, registry_config in container['registry'].items():
+ if 'disable' in registry_config:
+ continue
+ if 'authentication' in registry_config:
+ username = registry_config['authentication']['user']
+ password = registry_config['authentication']['password']
+ cmd = f'podman login --username {username} --password {password} {registry}'
+ rc, out = rc_cmd(cmd)
+ if rc != 0:
+ raise ConfigError(out)
+
 render(config_containers_registry, 'container/registries.conf.j2', container)
 render(config_containers_storage, 'container/storage.conf.j2', container) |
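Review bot: The user/password completeness check added to `verify()` tests `'user'` and `'password'` as keys of `registry_config`, while `generate()` in this same commit reads them from `registry_config['authentication']`, so the check looks at the wrong level and appears never to fire. A registry configured with only one of the two values would then pass verification and fail later with a `KeyError` in `generate()` instead of a `ConfigError`. Test the nested dict instead: `auth = registry_config['authentication']` followed by `if ('user' in auth) != ('password' in auth):`, keeping the existing `raise ConfigError(...)`. verify() starts outside this hunk.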
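Review bot: The `podman login` line in `generate()` interpolates `username`, `password` and `registry` unquoted into one command string and passes the secret as a command-line argument. While the command runs, the password is readable in the process list, and if `rc_cmd` hands the string to a shell (its implementation is not visible here), a value containing spaces or shell metacharacters would be split or interpreted. Quote every interpolated value with `shlex.quote()` and supply the secret through `podman login --password-stdin` rather than `--password`; whether `rc_cmd` can feed stdin needs checking in `vyos.util`. The local variable `cmd` also shadows the `cmd` imported from `vyos.util`, which would break any call to `cmd(...)` elsewhere in this function, so a name such as `login_cmd` is safer. generate() starts outside this hunk.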