Update configuration of registries in cri-o (#7852)

* Update configuration of registries in cri-o

* Update docs to match new registry configuration
pull/8376/head
Bart Sloeserwij 2022-01-05 16:36:40 +01:00 committed by GitHub
parent 8fbd08d027
commit 59f62473c9
7 changed files with 42 additions and 52 deletions


@ -33,7 +33,7 @@ etcd_deployment_type: host # optionally and mutually exclusive with etcd_kubeadm
Enable docker hub registry mirrors Enable docker hub registry mirrors
```yaml ```yaml
crio_registries_mirrors: crio_registries:
- prefix: docker.io - prefix: docker.io
insecure: false insecure: false
blocked: false blocked: false


@ -7,32 +7,25 @@ crio_log_level: "info"
crio_metrics_port: "9090" crio_metrics_port: "9090"
crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}" crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
# Trusted registries to pull unqualified images (e.g. alpine:latest) from # Registries defined within cri-o.
# By default unqualified images are not allowed for security reasons # By default unqualified images are not allowed for security reasons
crio_registries: [] crio_registries: []
# Configure insecure registries.
crio_insecure_registries: []
# Configure registry auth (if applicable to secure/insecure registries)
crio_registry_auth: []
# - registry: 10.0.0.2:5000
# username: user
# password: pass
# Define registiries mirror
crio_registries_mirrors: []
# - prefix: docker.io # - prefix: docker.io
# insecure: false # insecure: false
# blocked: false # blocked: false
# location: registry-1.docker.io # location: registry-1.docker.io ## REQUIRED
# unqualified: false
# mirrors: # mirrors:
# - location: 172.20.100.52:5000 # - location: 172.20.100.52:5000
# insecure: true # insecure: true
# - location: mirror.gcr.io # - location: mirror.gcr.io
# insecure: false # insecure: false
crio_registry_auth: []
# - registry: 10.0.0.2:5000
# username: user
# password: pass
crio_seccomp_profile: "" crio_seccomp_profile: ""
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}" crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}" crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
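Review bot: The example block under `crio_registries: []` marks `location` as REQUIRED but does not say what the other keys do, and `crio_insecure_registries` disappears from the defaults without a deprecation note, so an inventory that still sets it would silently stop configuring insecure registries (inferred from this hunk; an `assert` on `crio_insecure_registries is not defined` in the tasks would make the break visible). I would extend the commented example with one line per key: `# prefix: optional, defaults to location`, `# unqualified: true adds this registry to unqualified-search-registries (empty by default, so bare names like alpine:latest do not resolve)`, and `# insecure: true permits plain HTTP / untrusted TLS certificates for this location or mirror; keep false unless the registry is on a trusted network`. The leading comment `# Registries defined within cri-o.` could also state that each entry becomes one drop-in under /etc/containers/registries.conf.d.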


@ -166,12 +166,18 @@
owner: root owner: root
mode: 0755 mode: 0755
- name: Write registries mirror configs - name: Write registries configs
template: template:
src: registry-mirror.conf.j2 src: registry.conf.j2
dest: "/etc/containers/registries.conf.d/{{ item.prefix }}.conf" dest: "/etc/containers/registries.conf.d/10-{{ item.prefix | default(item.location) | regex_replace(':', '_') }}.conf"
mode: 0644 mode: 0644
loop: "{{ crio_registries_mirrors }}" loop: "{{ crio_registries }}"
notify: restart crio
- name: Configure unqualified registry settings
template:
src: unqualified.conf.j2
dest: "/etc/containers/registries.conf.d/01-unqualified.conf"
notify: restart crio notify: restart crio
- name: Write cri-o proxy drop-in - name: Write cri-o proxy drop-in
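Review bot: The new `Configure unqualified registry settings` task sets no `mode:`, unlike the registries task just above it, so the permissions of 01-unqualified.conf depend on the remote umask; add `mode: 0644` next to `dest:` (quoting it as `"0644"` would also avoid the octal-literal trap for both tasks). The `dest` of the registries task only rewrites `:` in the prefix, but a prefix such as `docker.io/library` contains a path separator and would end up as a sub-path under registries.conf.d; `regex_replace('[:/]', '_')` covers both. On an upgrade the previous drop-ins named `{{ item.prefix }}.conf` (without the `10-` prefix) are not removed, so I would expect both generations to be loaded from registries.conf.d until a cleanup task or release note addresses them.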


@ -338,31 +338,10 @@ pause_command = "/pause"
# refer to containers-policy.json(5) for more details. # refer to containers-policy.json(5) for more details.
signature_policy = "{{ crio_signature_policy }}" signature_policy = "{{ crio_signature_policy }}"
# List of registries to skip TLS verification for pulling images. Please
# consider configuring the registries via /etc/containers/registries.conf before
# changing them here.
insecure_registries = [
{% for insecure_registry in crio_insecure_registries %}
"{{ insecure_registry }}",
{% endfor %}
]
# Controls how image volumes are handled. The valid values are mkdir, bind and # Controls how image volumes are handled. The valid values are mkdir, bind and
# ignore; the latter will ignore volumes entirely. # ignore; the latter will ignore volumes entirely.
image_volumes = "mkdir" image_volumes = "mkdir"
# List of registries to be used when pulling an unqualified image (e.g.,
# "alpine:latest"). By default, registries is set to "docker.io" for
# compatibility reasons. Depending on your workload and usecase you may add more
# registries (e.g., "quay.io", "registry.fedoraproject.org",
# "registry.opensuse.org", etc.).
registries = [
{% for registry in crio_registries %}
"{{ registry }}",
{% endfor %}
]
# The crio.network table containers settings pertaining to the management of # The crio.network table containers settings pertaining to the management of
# CNI plugins. # CNI plugins.
[crio.network] [crio.network]


@ -1,11 +0,0 @@
[[registry]]
prefix = "{{ item.prefix }}"
insecure = {{ item.insecure | d('false') | string | lower }}
blocked = {{ item.blocked | d('false') | string | lower }}
location = "{{ item.location | d(item.prefix) }}"
{% for mirror in item.mirrors %}
[[registry.mirror]]
location = "{{ mirror.location }}"
insecure = {{ mirror.insecure | d ('false') | string | lower }}
{% endfor %}


@ -0,0 +1,13 @@
[[registry]]
prefix = "{{ item.prefix | default(item.location) }}"
insecure = {{ item.insecure | default('false') | string | lower }}
blocked = {{ item.blocked | default('false') | string | lower }}
location = "{{ item.location }}"
{% if item.mirrors is defined %}
{% for mirror in item.mirrors %}
[[registry.mirror]]
location = "{{ mirror.location }}"
insecure = {{ mirror.insecure | default('false') | string | lower }}
{% endfor %}
{% endif %}
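Review bot: The `insecure` and `blocked` lines pass the inventory value through `| string | lower` without normalizing it, so a quoted value such as `'yes'` or `'1'` in the inventory is emitted verbatim and is not a TOML boolean, which makes cri-o reject the drop-in. Inserting `bool` before the stringification, `insecure = {{ item.insecure | default(false) | bool | string | lower }}`, and the same for `blocked` and for `mirror.insecure` below, yields `true`/`false` for every input form. A one-line header such as `# Managed by Ansible: registries.conf.d drop-in for {{ item.prefix | default(item.location) }}` would also tell operators on the node where the file comes from.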


@ -0,0 +1,10 @@
{%- set _unqualified_registries = [] -%}
{% for _registry in crio_registries if _registry.unqualified -%}
{% if _registry.prefix is defined -%}
{{ _unqualified_registries.append(_registry.prefix) }}
{% else %}
{{ _unqualified_registries.append(_registry.location) }}
{%- endif %}
{%- endfor %}
unqualified-search-registries = {{ _unqualified_registries | to_yaml }}
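Review bot: The `to_yaml` filter on the last line emits plain YAML scalars, so a list like `['docker.io']` renders as `[docker.io]` rather than `["docker.io"]`, and unquoted strings are not valid in a TOML array; `unqualified-search-registries = {{ _unqualified_registries | to_json }}` produces the quoted form (please confirm against a rendered file, since the exact output depends on the YAML dumper). The loop filter `if _registry.unqualified` also evaluates the attribute directly, and for an entry that omits the `unqualified` key this is an undefined value, which I believe Ansible's strict undefined handling turns into a template error rather than a skip; `if _registry.unqualified | default(false)` makes the key optional as the defaults example implies. Given the security comment in the defaults, it would be worth a template comment stating that the list is intentionally empty unless entries opt in.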