Update configuration of registries in cri-o (#7852)
* Update configuration of registries in cri-o * Update docs to match new registry configuration
parent
8fbd08d027
commit
59f62473c9
7 changed files with 42 additions and 52 deletions
|
@ -33,7 +33,7 @@ etcd_deployment_type: host # optionally and mutually exclusive with etcd_kubeadm
|
||||||
Enable docker hub registry mirrors
|
Enable docker hub registry mirrors
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
crio_registries_mirrors:
|
crio_registries:
|
||||||
- prefix: docker.io
|
- prefix: docker.io
|
||||||
insecure: false
|
insecure: false
|
||||||
blocked: false
|
blocked: false
|
||||||
|
|
|
@ -7,32 +7,25 @@ crio_log_level: "info"
|
||||||
crio_metrics_port: "9090"
|
crio_metrics_port: "9090"
|
||||||
crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
|
crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
|
||||||
|
|
||||||
# Trusted registries to pull unqualified images (e.g. alpine:latest) from
|
# Registries defined within cri-o.
|
||||||
# By default unqualified images are not allowed for security reasons
|
# By default unqualified images are not allowed for security reasons
|
||||||
crio_registries: []
|
crio_registries: []
|
||||||
|
|
||||||
# Configure insecure registries.
|
|
||||||
crio_insecure_registries: []
|
|
||||||
|
|
||||||
# Configure registry auth (if applicable to secure/insecure registries)
|
|
||||||
crio_registry_auth: []
|
|
||||||
# - registry: 10.0.0.2:5000
|
|
||||||
# username: user
|
|
||||||
# password: pass
|
|
||||||
|
|
||||||
# Define registiries mirror
|
|
||||||
|
|
||||||
crio_registries_mirrors: []
|
|
||||||
# - prefix: docker.io
|
# - prefix: docker.io
|
||||||
# insecure: false
|
# insecure: false
|
||||||
# blocked: false
|
# blocked: false
|
||||||
# location: registry-1.docker.io
|
# location: registry-1.docker.io ## REQUIRED
|
||||||
|
# unqualified: false
|
||||||
# mirrors:
|
# mirrors:
|
||||||
# - location: 172.20.100.52:5000
|
# - location: 172.20.100.52:5000
|
||||||
# insecure: true
|
# insecure: true
|
||||||
# - location: mirror.gcr.io
|
# - location: mirror.gcr.io
|
||||||
# insecure: false
|
# insecure: false
|
||||||
|
|
||||||
|
crio_registry_auth: []
|
||||||
|
# - registry: 10.0.0.2:5000
|
||||||
|
# username: user
|
||||||
|
# password: pass
|
||||||
|
|
||||||
crio_seccomp_profile: ""
|
crio_seccomp_profile: ""
|
||||||
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
|
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
|
||||||
crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
|
crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
|
||||||
|
|
|
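Review bot: `crio_registries` keeps its name but changes shape in this file, from a list of registry host strings to a list of dicts, while `crio_insecure_registries` and `crio_registries_mirrors` are dropped, and nothing visible in the commit warns an inventory that still uses the old forms. An old-style `crio_registries: ["docker.io"]` would presumably fail at render time on `item.location`, but a leftover `crio_registries_mirrors` entry carrying `blocked: true` is, as far as this diff shows, simply no longer read, so a block the operator relied on can lapse without any error. I would add a preflight `assert` that fails when either removed variable is defined or when a `crio_registries` item is not a mapping with `location`. The comment `# By default unqualified images are not allowed for security reasons` would also be clearer if it named the `unqualified: false` key it now refers to.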
@ -166,12 +166,18 @@
|
||||||
owner: root
|
owner: root
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
- name: Write registries mirror configs
|
- name: Write registries configs
|
||||||
template:
|
template:
|
||||||
src: registry-mirror.conf.j2
|
src: registry.conf.j2
|
||||||
dest: "/etc/containers/registries.conf.d/{{ item.prefix }}.conf"
|
dest: "/etc/containers/registries.conf.d/10-{{ item.prefix | default(item.location) | regex_replace(':', '_') }}.conf"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
loop: "{{ crio_registries_mirrors }}"
|
loop: "{{ crio_registries }}"
|
||||||
|
notify: restart crio
|
||||||
|
|
||||||
|
- name: Configure unqualified registry settings
|
||||||
|
template:
|
||||||
|
src: unqualified.conf.j2
|
||||||
|
dest: "/etc/containers/registries.conf.d/01-unqualified.conf"
|
||||||
notify: restart crio
|
notify: restart crio
|
||||||
|
|
||||||
- name: Write cri-o proxy drop-in
|
- name: Write cri-o proxy drop-in
|
||||||
|
|
|
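Review bot: The drop-in filename in `Write registries configs` is built from `item.prefix | default(item.location)` with only `:` replaced, so a prefix that carries a path component (constructed example: `registry.example.com/team`) or a wildcard puts `/` or `*` into `dest`, and the task then fails or writes somewhere other than directly under `registries.conf.d`. Replacing every character outside a safe set covers that: `regex_replace('[^A-Za-z0-9._-]', '_')`. The new `Configure unqualified registry settings` task also sets no `mode:`, unlike the task above it; adding `mode: 0644` keeps the file's permissions independent of the umask. Files written under the previous naming scheme (`{{ item.prefix }}.conf`) are not removed in the visible hunk and, if left on upgraded hosts, would presumably still be loaded next to the new `10-` files.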
@ -338,31 +338,10 @@ pause_command = "/pause"
|
||||||
# refer to containers-policy.json(5) for more details.
|
# refer to containers-policy.json(5) for more details.
|
||||||
signature_policy = "{{ crio_signature_policy }}"
|
signature_policy = "{{ crio_signature_policy }}"
|
||||||
|
|
||||||
# List of registries to skip TLS verification for pulling images. Please
|
|
||||||
# consider configuring the registries via /etc/containers/registries.conf before
|
|
||||||
# changing them here.
|
|
||||||
insecure_registries = [
|
|
||||||
{% for insecure_registry in crio_insecure_registries %}
|
|
||||||
"{{ insecure_registry }}",
|
|
||||||
{% endfor %}
|
|
||||||
]
|
|
||||||
|
|
||||||
# Controls how image volumes are handled. The valid values are mkdir, bind and
|
# Controls how image volumes are handled. The valid values are mkdir, bind and
|
||||||
# ignore; the latter will ignore volumes entirely.
|
# ignore; the latter will ignore volumes entirely.
|
||||||
image_volumes = "mkdir"
|
image_volumes = "mkdir"
|
||||||
|
|
||||||
# List of registries to be used when pulling an unqualified image (e.g.,
|
|
||||||
# "alpine:latest"). By default, registries is set to "docker.io" for
|
|
||||||
# compatibility reasons. Depending on your workload and usecase you may add more
|
|
||||||
# registries (e.g., "quay.io", "registry.fedoraproject.org",
|
|
||||||
# "registry.opensuse.org", etc.).
|
|
||||||
registries = [
|
|
||||||
{% for registry in crio_registries %}
|
|
||||||
"{{ registry }}",
|
|
||||||
{% endfor %}
|
|
||||||
]
|
|
||||||
|
|
||||||
|
|
||||||
# The crio.network table containers settings pertaining to the management of
|
# The crio.network table containers settings pertaining to the management of
|
||||||
# CNI plugins.
|
# CNI plugins.
|
||||||
[crio.network]
|
[crio.network]
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
[[registry]]
|
|
||||||
prefix = "{{ item.prefix }}"
|
|
||||||
insecure = {{ item.insecure | d('false') | string | lower }}
|
|
||||||
blocked = {{ item.blocked | d('false') | string | lower }}
|
|
||||||
location = "{{ item.location | d(item.prefix) }}"
|
|
||||||
{% for mirror in item.mirrors %}
|
|
||||||
|
|
||||||
[[registry.mirror]]
|
|
||||||
location = "{{ mirror.location }}"
|
|
||||||
insecure = {{ mirror.insecure | d ('false') | string | lower }}
|
|
||||||
{% endfor %}
|
|
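--- a/roles/container-engine/cri-o/templates/registry.conf.j2
+++ b/roles/container-engine/cri-o/templates/registry.conf.j2
@@ -0,0 +1,13 @@
+[[registry]]
+prefix = "{{ item.prefix | default(item.location) }}"
+insecure = {{ item.insecure | default('false') | string | lower }}
+blocked = {{ item.blocked | default('false') | string | lower }}
+location = "{{ item.location }}"
+{% if item.mirrors is defined %}
+{% for mirror in item.mirrors %}
+
+[[registry.mirror]]
+location = "{{ mirror.location }}"
+insecure = {{ mirror.insecure | default('false') | string | lower }}
+{% endfor %}
+{% endif %}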
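Review bot: `insecure`, `blocked` and `mirror.insecure` are rendered with `default('false') | string | lower`, which passes any defined value straight into the TOML: a string such as `"yes"`, or a key left empty, comes out as `yes` or `none` and the drop-in no longer parses. Normalising through the `bool` filter, `insecure = {{ item.insecure | default(false) | bool | string | lower }}`, always emits `true` or `false`, and an unrecognised value then leaves TLS verification on. For `blocked` the same fallback would mean "not blocked", so that key is better checked with an `assert` in the role than coerced silently. `prefix`, `location` and `mirror.location` are placed inside double quotes without escaping; a `{# ... #}` comment at the top stating that `location` is required and that values must not contain `"` would document the contract.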
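--- a/roles/container-engine/cri-o/templates/unqualified.conf.j2
+++ b/roles/container-engine/cri-o/templates/unqualified.conf.j2
@@ -0,0 +1,10 @@
+{%- set _unqualified_registries = [] -%}
+{% for _registry in crio_registries if _registry.unqualified -%}
+{% if _registry.prefix is defined -%}
+{{ _unqualified_registries.append(_registry.prefix) }}
+{% else %}
+{{ _unqualified_registries.append(_registry.location) }}
+{%- endif %}
+{%- endfor %}
+
+unqualified-search-registries = {{ _unqualified_registries | to_yaml }}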
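Review bot: The last line renders the list with `to_yaml`, but the file being written is TOML; as far as I can tell a non-empty list comes out in YAML flow style with unquoted scalars (`[docker.io]`), which is not a valid TOML array of strings, so the file would only parse while the list is empty. `unqualified-search-registries = {{ _unqualified_registries | to_json }}` emits quoted strings instead. The loop filter `if _registry.unqualified` also reads a key that the defaults example does not mark as required; `_registry.unqualified | default(false)` keeps entries without it from raising an undefined-variable error. Since this list decides which registries a short image name is resolved against, a `{# ... #}` comment at the top of the template saying so would help anyone reviewing inventory changes.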