cri-o registry auth support (#7837)

* cri-o registry auth support * yaml lint for comments * crio_registry_auth from registry_auth * crio_registry_auth as defaults
2021-09-01 13:20:59 -04:00 · 2021-09-01 13:20:59 -04:00 · 81bf4f9304
parent e1967b0700
commit 81bf4f9304
5 changed files with 37 additions and 1 deletions
--- a/inventory/sample/group_vars/all/cri-o.yml
+++ b/inventory/sample/group_vars/all/cri-o.yml
@ -0,0 +1,6 @@
+# crio_insecure_registries:
+#   - 10.0.0.2:5000
+# crio_registry_auth:
+#   - registry: 10.0.0.2:5000
+#     username: user
+#     password: pass
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@ -14,6 +14,12 @@ crio_registries: []
 # Configure insecure registries.
 crio_insecure_registries: []

+# Configure registry auth (if applicable to secure/insecure registries)
+crio_registry_auth: []
+#  - registry: 10.0.0.2:5000
+#    username: user
+#    password: pass
+
 # Define registiries mirror

 crio_registries_mirrors: []
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@ -80,6 +80,12 @@
    mode: 0644
  register: config_install

+- name: Install config.json
+  template:
+    src: config.json.j2
+    dest: /etc/crio/config.json
+  register: reg_auth_install
+
 - name: Add skopeo pkg to install
  set_fact:
    crio_packages: "{{ crio_packages + skopeo_packages }}"
@ -198,6 +204,7 @@
    state: restarted
  when:
    - config_install.changed
+    - reg_auth_install.changed
    - not package_install.changed
    - not service_start.changed

--- a/roles/container-engine/cri-o/templates/config.json.j2
+++ b/roles/container-engine/cri-o/templates/config.json.j2
@ -0,0 +1,17 @@
+{% if crio_registry_auth is defined and crio_registry_auth|length %}
+{ 
+{% for reg in crio_registry_auth %}
+  "auths": {
+    "{{ reg.registry }}": {
+      "auth": "{{ (reg.username + ':' + reg.password) | string | b64encode }}"
+    }
+{% if not loop.last %}
+  },
+{% else %}
+  }
+{% endif %}
+{% endfor %}
+}
+{% else %}
+{}
+{% endif %}
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@ -313,7 +313,7 @@ default_transport = "docker://"

 # The path to a file containing credentials necessary for pulling images from
 # secure registries. The file is similar to that of /var/lib/kubelet/config.json
-global_auth_file = ""
+global_auth_file = "/etc/crio/config.json"

 # The image used to instantiate infra containers.
 # This option supports live configuration reload.