Allow airgapped CRI-O installation (#6927)

roles/container-engine/cri-o/defaults/main.yml

@@ -11,6 +11,9 @@ crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
 # By default unqualified images are not allowed for security reasons
 crio_registries: []
 
+# Configure insecure registries.
+crio_insecure_registries: []
+
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
@@ -50,3 +53,7 @@ kata_runtimes:
     path: /opt/kata/bin/kata-qemu
     type: oci
     root: /run/kata-containers
+
+# When this is true, CRI-O package repositories are added. Set this to false when using an
+# environment with preconfigured CRI-O package repositories.
+crio_add_repos: true

roles/container-engine/cri-o/tasks/main.yaml

@@ -39,7 +39,9 @@
     - (ansible_distribution_major_version | int) >= 31
     - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
 
-- import_tasks: "crio_repo.yml"
+- name: import crio repo
+  import_tasks: "crio_repo.yml"
+  when: crio_add_repos
 
 - import_tasks: "crictl.yml"
 

roles/container-engine/cri-o/templates/crio.conf.j2

@@ -339,7 +339,11 @@ signature_policy = "{{ crio_signature_policy }}"
 # List of registries to skip TLS verification for pulling images. Please
 # consider configuring the registries via /etc/containers/registries.conf before
 # changing them here.
-#insecure_registries = "[]"
+insecure_registries = [
+  {% for insecure_registry in crio_insecure_registries %}
+  "{{ insecure_registry }}",
+  {% endfor %}
+]
 
 # Controls how image volumes are handled. The valid values are mkdir, bind and
 # ignore; the latter will ignore volumes entirely.