Allow airgapped CRI-O installation (#6927)

This commit is contained in:
Bas van den Brink 2020-11-28 17:38:47 +01:00 committed by GitHub
parent 97ff67e54a
commit 17fb1ceed8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 2 deletions

View file

@ -11,6 +11,9 @@ crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
# By default unqualified images are not allowed for security reasons # By default unqualified images are not allowed for security reasons
crio_registries: [] crio_registries: []
# Configure insecure registries.
crio_insecure_registries: []
crio_seccomp_profile: "" crio_seccomp_profile: ""
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}" crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}" crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
@ -50,3 +53,7 @@ kata_runtimes:
path: /opt/kata/bin/kata-qemu path: /opt/kata/bin/kata-qemu
type: oci type: oci
root: /run/kata-containers root: /run/kata-containers
# When this is true, CRI-O package repositories are added. Set this to false when using an
# environment with preconfigured CRI-O package repositories.
crio_add_repos: true

View file

@ -39,7 +39,9 @@
- (ansible_distribution_major_version | int) >= 31 - (ansible_distribution_major_version | int) >= 31
- ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0' - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
- import_tasks: "crio_repo.yml" - name: import crio repo
import_tasks: "crio_repo.yml"
when: crio_add_repos
- import_tasks: "crictl.yml" - import_tasks: "crictl.yml"

View file

@ -339,7 +339,11 @@ signature_policy = "{{ crio_signature_policy }}"
# List of registries to skip TLS verification for pulling images. Please # List of registries to skip TLS verification for pulling images. Please
# consider configuring the registries via /etc/containers/registries.conf before # consider configuring the registries via /etc/containers/registries.conf before
# changing them here. # changing them here.
#insecure_registries = "[]" insecure_registries = [
{% for insecure_registry in crio_insecure_registries %}
"{{ insecure_registry }}",
{% endfor %}
]
# Controls how image volumes are handled. The valid values are mkdir, bind and # Controls how image volumes are handled. The valid values are mkdir, bind and
# ignore; the latter will ignore volumes entirely. # ignore; the latter will ignore volumes entirely.