- We're now using release-based projects
- Flesh out management docs a bit
- Add some more tips to troubleshooting docs
- Add a service account for image pruning

Change-Id: Id74044dc741032be8c70bc2a863f991c51654451
David Moreau-Simard committed Dec 14, 2017
1 parent 981f88e, commit 7664fb2
Showing 2 changed files with 60 additions and 23 deletions.
@@ -1,33 +1,55 @@ | ||
Managing the registry | ||
===================== | ||
|
||
.. warning:: Fleshing out this documentation is a work in progress. | ||
.. warning:: This should eventually be automated, see | ||
https://github.com/rdo-infra/rdo-container-registry/issues/1 | ||
|
||
.. note:: These operations are done directly on the master | ||
|
||
:: | ||
|
||
# Grant superuser privileges to a user once he has logged in at least once | ||
# https://docs.openshift.com/container-platform/3.5/admin_guide/manage_authorization_policy.html | ||
oc policy add-role-to-user cluster-admin dmsimard | ||
# Grant superuser privileges to a user (doesn't require the user to login before applying) | ||
oadm policy add-cluster-role-to-user cluster-admin dmsimard | ||
|
||
# Create project | ||
oc new-project tripleo \ | ||
--description="TripleO container images for trunk and continuous integration" \ | ||
--display-name="TripleO container images" | ||
# Create projects | ||
oc new-project master \ | ||
--description="TripleO container images for trunk and continuous integration for OpenStack 'master'" \ | ||
--display-name="TripleO container images for 'master'" | ||
|
||
# Create service account, make it admin of the project | ||
oc create serviceaccount tripleo.service -n tripleo | ||
oc policy add-role-to-user admin system:serviceaccount:tripleo:tripleo.service -n tripleo | ||
oc new-project pike \ | ||
--description="TripleO container images for trunk and continuous integration for OpenStack 'pike'" \ | ||
--display-name="TripleO container images for 'pike'" | ||
|
||
# Retrieve service account token for image pushes (for CI and things like that) | ||
oc describe serviceaccount tripleo.service -n tripleo | ||
oc describe secret tripleo.service-token-<generated> -n tripleo | ||
# Allow authenticated users to browse the projects | ||
# Note: | ||
# - https://github.com/cockpit-project/cockpit/issues/6711 | ||
# - https://github.com/openshift/origin/issues/14381 | ||
oc policy add-role-to-group registry-viewer system:authenticated -n master | ||
oc policy add-role-to-group registry-viewer system:authenticated -n pike | ||
|
||
# Allow authenticated users to browse the TripleO project | ||
# Note: https://github.com/cockpit-project/cockpit/issues/6711 | ||
oc policy add-role-to-group registry-viewer system:authenticated -n tripleo | ||
|
||
# Allow unauthenticated users to pull images from the TripleO project | ||
# Allow unauthenticated users to pull images from the projects | ||
# (Anonymous, public access to registry, not the actual console) | ||
oc policy add-role-to-group registry-viewer system:unauthenticated -n tripleo | ||
oc policy add-role-to-group registry-viewer system:unauthenticated -n master | ||
oc policy add-role-to-group registry-viewer system:unauthenticated -n pike | ||
|
||
# Create service account, make it admin of the projects | ||
oc create serviceaccount tripleo.service -n default | ||
|
||
# Add permissions for the service account to push and pull images | ||
oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n master | ||
oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n pike | ||
|
||
# Retrieve service account token for image pushes, for example when doing CI | ||
oc describe serviceaccount tripleo.service -n default | ||
oc describe secret tripleo.service-token-<generated> -n default | ||
|
||
# Create a service account with exclusive rights to image pruning | ||
oc create serviceaccount rdo.pruner -n default | ||
oadm policy add-cluster-role-to-user system:image-pruner system:serviceaccount:default:rdo.pruner -n default | ||
|
||
More reading | ||
~~~~~~~~~~~~ | ||
|
||
- https://docs.openshift.com/container-platform/latest/admin_guide/manage_authorization_policy.html | ||
- https://docs.openshift.com/container-platform/latest/dev_guide/projects.html | ||
- https://docs.openshift.com/container-platform/latest/admin_guide/service_accounts.html |
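Review bot: the `-n default` on the `oadm policy add-cluster-role-to-user system:image-pruner system:serviceaccount:default:rdo.pruner` line near the end of the hunk is misleading: that command creates a cluster-scoped binding, so the namespace flag does not narrow what `rdo.pruner` may prune, and the account's namespace is already encoded in the `system:serviceaccount:default:rdo.pruner` name. Drop the flag, and since the comment above it says "exclusive rights to image pruning", spell out in the text that `system:image-pruner` permits pruning images in every project on the cluster, not only `master` and `pike`. On the token block just above (`oc describe secret tripleo.service-token-<generated> -n default`), the doc should say that the printed value is the bearer token of an account holding `system:image-builder` in both release projects and is meant to be stored as a CI secret, not kept in shell history or pasted into tickets.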