diff --git a/docs/cri-o.md b/docs/cri-o.md
index 5644d2e03..c4831529e 100644
--- a/docs/cri-o.md
+++ b/docs/cri-o.md
@@ -33,7 +33,7 @@ etcd_deployment_type: host # optionally and mutually exclusive with etcd_kubeadm
 Enable docker hub registry mirrors
 ```yaml
-crio_registries_mirrors:
+crio_registries:
 - prefix: docker.io
 insecure: false
 blocked: false
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 9dd07074b..912428ff0 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -7,32 +7,25 @@ crio_log_level: "info"
 crio_metrics_port: "9090"
 crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
-# Trusted registries to pull unqualified images (e.g. alpine:latest) from
+# Registries defined within cri-o.
 # By default unqualified images are not allowed for security reasons
 crio_registries: []
-
-# Configure insecure registries.
-crio_insecure_registries: []
-
-# Configure registry auth (if applicable to secure/insecure registries)
-crio_registry_auth: []
-# - registry: 10.0.0.2:5000
-# username: user
-# password: pass
-
-# Define registiries mirror
-
-crio_registries_mirrors: []
 # - prefix: docker.io
 # insecure: false
 # blocked: false
-# location: registry-1.docker.io
+# location: registry-1.docker.io ## REQUIRED
+# unqualified: false
 # mirrors:
 # - location: 172.20.100.52:5000
 # insecure: true
 # - location: mirror.gcr.io
 # insecure: false
+crio_registry_auth: []
+# - registry: 10.0.0.2:5000
+# username: user
+# password: pass
+
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index 9283a772a..d8ae4ad44 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
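Review bot: The defaults hunk drops `crio_insecure_registries` and `crio_registries_mirrors` and changes `crio_registries` from a list of names to a list of tables, but nothing in the file records the migration, and Ansible does not warn about unused variables, so an inventory that still sets the old names silently loses its insecure/mirror configuration on upgrade (a failed pull is likely the first symptom). A one-line comment above `crio_registries: []` would cover it: `# NOTE: crio_insecure_registries / crio_registries_mirrors were folded into crio_registries (per-entry insecure:, mirrors:); values set under the old names are no longer read.` Next to the `insecure: true` mirror example it is worth saying that the flag disables TLS verification for that mirror, so the sample is not copied into inventories without thought. The `crio_registry_auth` example still shows a plaintext `password:`; a pointer to ansible-vault there is cheap, though I cannot see from this hunk where that variable is consumed.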
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -166,12 +166,18 @@
 owner: root
 mode: 0755
-- name: Write registries mirror configs
+- name: Write registries configs
 template:
- src: registry-mirror.conf.j2
- dest: "/etc/containers/registries.conf.d/{{ item.prefix }}.conf"
+ src: registry.conf.j2
+ dest: "/etc/containers/registries.conf.d/10-{{ item.prefix | default(item.location) | regex_replace(':', '_') }}.conf"
 mode: 0644
- loop: "{{ crio_registries_mirrors }}"
+ loop: "{{ crio_registries }}"
+ notify: restart crio
+
+- name: Configure unqualified registry settings
+ template:
+ src: unqualified.conf.j2
+ dest: "/etc/containers/registries.conf.d/01-unqualified.conf"
 notify: restart crio
 - name: Write cri-o proxy drop-in
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index 8fbd23a1d..780044c71 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
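Review bot: The new `dest` in `Write registries configs` only sanitizes `:` in the prefix, but containers-registries.conf(5) accepts a prefix with a namespace path (for example `docker.io/library`), and a `/` there turns the file name into a nested path under `registries.conf.d` that the template module will not create; `regex_replace('[:/]', '_')` handles both characters. A second gap is that an entry removed from `crio_registries` leaves its previously rendered `10-*.conf` in place, so an `insecure = true` or mirror setting keeps applying until someone deletes the file by hand — a follow-up task that lists `10-*.conf` and removes those not produced by the current loop would make the role converge. The added `Configure unqualified registry settings` task also omits the `mode: 0644` its sibling sets, so that file's permissions depend on the host umask.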
@@ -338,31 +338,10 @@ pause_command = "/pause"
 # refer to containers-policy.json(5) for more details.
 signature_policy = "{{ crio_signature_policy }}"
-# List of registries to skip TLS verification for pulling images. Please
-# consider configuring the registries via /etc/containers/registries.conf before
-# changing them here.
-insecure_registries = [
- {% for insecure_registry in crio_insecure_registries %}
- "{{ insecure_registry }}",
- {% endfor %}
-]
-
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
-# List of registries to be used when pulling an unqualified image (e.g.,
-# "alpine:latest"). By default, registries is set to "docker.io" for
-# compatibility reasons. Depending on your workload and usecase you may add more
-# registries (e.g., "quay.io", "registry.fedoraproject.org",
-# "registry.opensuse.org", etc.).
-registries = [
- {% for registry in crio_registries %}
- "{{ registry }}",
- {% endfor %}
-]
-
-
 # The crio.network table containers settings pertaining to the management of
 # CNI plugins.
 [crio.network]
diff --git a/roles/container-engine/cri-o/templates/registry-mirror.conf.j2 b/roles/container-engine/cri-o/templates/registry-mirror.conf.j2
deleted file mode 100644
index 3c55026ea..000000000
--- a/roles/container-engine/cri-o/templates/registry-mirror.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-[[registry]]
-prefix = "{{ item.prefix }}"
-insecure = {{ item.insecure | d('false') | string | lower }}
-blocked = {{ item.blocked | d('false') | string | lower }}
-location = "{{ item.location | d(item.prefix) }}"
-{% for mirror in item.mirrors %}
-
-[[registry.mirror]]
-location = "{{ mirror.location }}"
-insecure = {{ mirror.insecure | d ('false') | string | lower }}
-{% endfor %}
diff --git a/roles/container-engine/cri-o/templates/registry.conf.j2 b/roles/container-engine/cri-o/templates/registry.conf.j2
new file mode 100644
index 000000000..38368f989
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/registry.conf.j2
@@ -0,0 +1,13 @@
+[[registry]]
+prefix = "{{ item.prefix | default(item.location) }}"
+insecure = {{ item.insecure | default('false') | string | lower }}
+blocked = {{ item.blocked | default('false') | string | lower }}
+location = "{{ item.location }}"
+{% if item.mirrors is defined %}
+{% for mirror in item.mirrors %}
+
+[[registry.mirror]]
+location = "{{ mirror.location }}"
+insecure = {{ mirror.insecure | default('false') | string | lower }}
+{% endfor %}
+{% endif %}
diff --git a/roles/container-engine/cri-o/templates/unqualified.conf.j2 b/roles/container-engine/cri-o/templates/unqualified.conf.j2
new file mode 100644
index 000000000..8d690dc24
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/unqualified.conf.j2
@@ -0,0 +1,10 @@
+{%- set _unqualified_registries = [] -%}
+{% for _registry in crio_registries if _registry.unqualified -%}
+{% if _registry.prefix is defined -%}
+{{ _unqualified_registries.append(_registry.prefix) }}
+{% else %}
+{{ _unqualified_registries.append(_registry.location) }}
+{%- endif %}
+{%- endfor %}
+
+unqualified-search-registries = {{ _unqualified_registries | to_yaml }}
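Review bot: registry.conf.j2 has no header saying what it renders or where its input comes from, and since every `insecure = true` it emits turns off TLS verification (and allows plain HTTP) for that registry or mirror, a reader should meet that fact before copying the example: `{# One [[registry]] table of containers-registries.conf(5), rendered per crio_registries entry; insecure = true disables TLS verification for that registry/mirror. #}`. The `| default('false') | string | lower` chain only normalizes Python `True`/`False`: a value like `insecure: "yes"` passes through as the bare word `yes`, which is not a TOML boolean, so `{{ item.insecure | default(false) | bool | to_json }}` (and the same for `blocked` and the mirror's `insecure`) would be stricter. Whether CRI-O rejects or silently ignores a table with a malformed value I cannot confirm from this hunk.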
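Review bot: `unqualified-search-registries = {{ _unqualified_registries | to_yaml }}` on the last line renders the list as YAML, and as far as I can tell Ansible's `to_yaml` emits a non-empty list of plain scalars as an unquoted flow sequence (`[docker.io]`), which is not a valid TOML array, so containers/image would likely reject the file; `to_json` yields `["docker.io"]`, which TOML accepts, hence `unqualified-search-registries = {{ _unqualified_registries | to_json }}`. The loop filter `if _registry.unqualified` also reads the key unconditionally, so an entry that omits `unqualified` (shown as optional in defaults/main.yml) would, under Ansible's strict undefined handling, raise an undefined-attribute error instead of being treated as false; `if _registry.unqualified | default(false)` avoids that. The empty-list case renders `[]` with either filter, which is fine.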