From 17fb1ceed8c24f0486cf8856da30987156d1b200 Mon Sep 17 00:00:00 2001
From: Bas van den Brink
Date: Sat, 28 Nov 2020 17:38:47 +0100
Subject: [PATCH] Allow airgapped CRI-O installation (#6927)
---
 roles/container-engine/cri-o/defaults/main.yml | 7 +++++++
 roles/container-engine/cri-o/tasks/main.yaml | 4 +++-
 roles/container-engine/cri-o/templates/crio.conf.j2 | 6 +++++-
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index a2d690b3f..3fadc9719 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -11,6 +11,9 @@ crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
 # By default unqualified images are not allowed for security reasons
 crio_registries: []
+# Configure insecure registries.
+crio_insecure_registries: []
+
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
@@ -50,3 +53,7 @@ kata_runtimes:
 path: /opt/kata/bin/kata-qemu
 type: oci
 root: /run/kata-containers
+
+# When this is true, CRI-O package repositories are added. Set this to false when using an
+# environment with preconfigured CRI-O package repositories.
+crio_add_repos: true
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index 5eedfc28c..0a9ebc93c 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -39,7 +39,9 @@
 - (ansible_distribution_major_version | int) >= 31
 - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
-- import_tasks: "crio_repo.yml"
+- name: import crio repo
+ import_tasks: "crio_repo.yml"
+ when: crio_add_repos
 - import_tasks: "crictl.yml"
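Review bot: The comment on `crio_insecure_registries` does not say what "insecure" costs the node, although the crio.conf.j2 hunk of this patch renders the list into `insecure_registries`, which that template describes as registries to skip TLS verification for when pulling images. I would state that at the default, for example `# Registries for which CRI-O skips TLS verification on image pulls.` followed by `# Keep empty unless an internal mirror cannot present a trusted certificate.` With an entry in this list the node no longer authenticates that registry, so image integrity then rests on whatever signature policy or digest pinning is configured separately; the empty default is the right one and the comment should make the trade-off visible.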
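Review bot: `when: crio_add_repos` tests the variable bare, so a value that arrives as a string (for example `-e crio_add_repos=false` on the command line) may not evaluate as false, depending on how the Ansible version in use treats bare-variable conditionals, and the repository tasks would still be imported. Casting makes the airgapped switch dependable: `when: crio_add_repos | bool`. On a host that is meant to stay offline, an unintended run of `crio_repo.yml` presumably means outbound package-repository requests or a failed play; that file is not part of this patch, so the effect is inferred. The task list continues outside the hunk.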
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index a456d16d4..7cb9f93b6 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -339,7 +339,11 @@ signature_policy = "{{ crio_signature_policy }}"
 # List of registries to skip TLS verification for pulling images. Please
 # consider configuring the registries via /etc/containers/registries.conf before
 # changing them here.
-#insecure_registries = "[]"
+insecure_registries = [
+ {% for insecure_registry in crio_insecure_registries %}
+ "{{ insecure_registry }}",
+ {% endfor %}
+]
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.
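Review bot: Each entry is written between hand-placed double quotes, `"{{ insecure_registry }}",`, so a value containing `"` or a backslash would yield a malformed or differently parsed `crio.conf`; letting the filter do the quoting, `{{ insecure_registry | to_json }},`, avoids that. The key is also now always emitted where it was commented out before, so the empty default renders an explicit empty list instead of leaving the option unset; that looks intended but deserves a line in the comment above it. Since that comment already recommends `/etc/containers/registries.conf`, it would help to add there that this list is filled from `crio_insecure_registries` and that every entry disables TLS verification for pulls from that registry.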