Update configuration of registries in cri-o (#7852)

* Update configuration of registries in cri-o

* Update docs to match new registry configuration

docs/cri-o.md

@@ -33,7 +33,7 @@ etcd_deployment_type: host # optionally and mutually exclusive with etcd_kubeadm
 Enable docker hub registry mirrors
 
 ```yaml
-crio_registries_mirrors:
+crio_registries:
   - prefix: docker.io
     insecure: false
     blocked: false

roles/container-engine/cri-o/defaults/main.yml

@@ -7,32 +7,25 @@ crio_log_level: "info"
 crio_metrics_port: "9090"
 crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
 
-# Trusted registries to pull unqualified images (e.g. alpine:latest) from
+# Registries defined within cri-o.
 # By default unqualified images are not allowed for security reasons
 crio_registries: []
-
-# Configure insecure registries.
-crio_insecure_registries: []
-
-# Configure registry auth (if applicable to secure/insecure registries)
-crio_registry_auth: []
-#  - registry: 10.0.0.2:5000
-#    username: user
-#    password: pass
-
-# Define registiries mirror
-
-crio_registries_mirrors: []
 #  - prefix: docker.io
 #    insecure: false
 #    blocked: false
-#    location: registry-1.docker.io
+#    location: registry-1.docker.io ## REQUIRED
+#    unqualified: false
 #    mirrors:
 #      - location: 172.20.100.52:5000
 #        insecure: true
 #      - location: mirror.gcr.io
 #        insecure: false
 
+crio_registry_auth: []
+#  - registry: 10.0.0.2:5000
+#    username: user
+#    password: pass
+
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"

roles/container-engine/cri-o/tasks/main.yaml

@@ -166,12 +166,18 @@
     owner: root
     mode: 0755
 
-- name: Write registries mirror configs
+- name: Write registries configs
   template:
-    src: registry-mirror.conf.j2
+    src: registry.conf.j2
-    dest: "/etc/containers/registries.conf.d/{{ item.prefix }}.conf"
+    dest: "/etc/containers/registries.conf.d/10-{{ item.prefix | default(item.location) | regex_replace(':', '_') }}.conf"
     mode: 0644
-  loop: "{{ crio_registries_mirrors }}"
+  loop: "{{ crio_registries }}"
+  notify: restart crio
+
+- name: Configure unqualified registry settings
+  template:
+    src: unqualified.conf.j2
+    dest: "/etc/containers/registries.conf.d/01-unqualified.conf"
   notify: restart crio
 
 - name: Write cri-o proxy drop-in

roles/container-engine/cri-o/templates/crio.conf.j2

@@ -338,31 +338,10 @@ pause_command = "/pause"
 # refer to containers-policy.json(5) for more details.
 signature_policy = "{{ crio_signature_policy }}"
 
-# List of registries to skip TLS verification for pulling images. Please
-# consider configuring the registries via /etc/containers/registries.conf before
-# changing them here.
-insecure_registries = [
-  {% for insecure_registry in crio_insecure_registries %}
-  "{{ insecure_registry }}",
-  {% endfor %}
-]
-
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.
 image_volumes = "mkdir"
 
-# List of registries to be used when pulling an unqualified image (e.g.,
-# "alpine:latest"). By default, registries is set to "docker.io" for
-# compatibility reasons. Depending on your workload and usecase you may add more
-# registries (e.g., "quay.io", "registry.fedoraproject.org",
-# "registry.opensuse.org", etc.).
-registries = [
-  {% for registry in crio_registries %}
-  "{{ registry }}",
-  {% endfor %}
-]
-
-
 # The crio.network table containers settings pertaining to the management of
 # CNI plugins.
 [crio.network]

roles/container-engine/cri-o/templates/registry-mirror.conf.j2

@@ -1,11 +0,0 @@
-[[registry]]
-prefix = "{{ item.prefix }}"
-insecure = {{ item.insecure | d('false') | string | lower }}
-blocked = {{ item.blocked | d('false') | string | lower }}
-location = "{{ item.location | d(item.prefix) }}"
-{% for mirror in item.mirrors %}
-
-[[registry.mirror]]
-location = "{{ mirror.location }}"
-insecure = {{ mirror.insecure | d ('false') | string | lower }}
-{% endfor %}

roles/container-engine/cri-o/templates/registry.conf.j2

@@ -0,0 +1,13 @@
+[[registry]]
+prefix = "{{ item.prefix | default(item.location) }}"
+insecure = {{ item.insecure | default('false') | string | lower }}
+blocked = {{ item.blocked | default('false') | string | lower }}
+location = "{{ item.location }}"
+{% if item.mirrors is defined %}
+{% for mirror in item.mirrors %}
+
+[[registry.mirror]]
+location = "{{ mirror.location }}"
+insecure = {{ mirror.insecure | default('false') | string | lower }}
+{% endfor %}
+{% endif %}

roles/container-engine/cri-o/templates/unqualified.conf.j2

@@ -0,0 +1,10 @@
+{%- set _unqualified_registries = [] -%}
+{% for _registry in crio_registries if _registry.unqualified -%}
+{% if _registry.prefix is defined -%}
+{{ _unqualified_registries.append(_registry.prefix) }}
+{% else %}
+{{ _unqualified_registries.append(_registry.location) }}
+{%- endif %}
+{%- endfor %}
+
+unqualified-search-registries = {{ _unqualified_registries | to_yaml }}