From 81bf4f93047f3d05c592a10bb0e95543f8099fac Mon Sep 17 00:00:00 2001
From: kranthi guttikonda
Date: Wed, 1 Sep 2021 13:20:59 -0400
Subject: [PATCH] cri-o registry auth support (#7837)
* cri-o registry auth support
* yaml lint for comments
* crio_registry_auth from registry_auth
* crio_registry_auth as defaults
---
 inventory/sample/group_vars/all/cri-o.yml | 6 ++++++
 roles/container-engine/cri-o/defaults/main.yml | 6 ++++++
 roles/container-engine/cri-o/tasks/main.yaml | 7 +++++++
 .../cri-o/templates/config.json.j2 | 17 +++++++++++++++++
 .../cri-o/templates/crio.conf.j2 | 2 +-
 5 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 inventory/sample/group_vars/all/cri-o.yml
 create mode 100644 roles/container-engine/cri-o/templates/config.json.j2
diff --git a/inventory/sample/group_vars/all/cri-o.yml b/inventory/sample/group_vars/all/cri-o.yml
new file mode 100644
index 000000000..3e6e4eebb
--- /dev/null
+++ b/inventory/sample/group_vars/all/cri-o.yml
@@ -0,0 +1,6 @@
+# crio_insecure_registries:
+# - 10.0.0.2:5000
+# crio_registry_auth:
+# - registry: 10.0.0.2:5000
+# username: user
+# password: pass
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index bc9092fd7..5f53aa6f9 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -14,6 +14,12 @@ crio_registries: []
 # Configure insecure registries.
 crio_insecure_registries: []
+# Configure registry auth (if applicable to secure/insecure registries)
+crio_registry_auth: []
+# - registry: 10.0.0.2:5000
+# username: user
+# password: pass
+
 # Define registiries mirror
 crio_registries_mirrors: []
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index d22d1dc32..55db2690f 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
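Review bot: The commented example in `inventory/sample/group_vars/all/cri-o.yml`, repeated in `roles/container-engine/cri-o/defaults/main.yml`, shows the registry password as a literal inventory value with no hint about protecting it. Since group_vars are normally committed to version control, I would add one comment line above the example in both files: `# Store crio_registry_auth in an Ansible Vault-encrypted vars file; do not commit plaintext passwords.`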
@@ -80,6 +80,12 @@
 mode: 0644
 register: config_install
+- name: Install config.json
+ template:
+ src: config.json.j2
+ dest: /etc/crio/config.json
+ register: reg_auth_install
+
 - name: Add skopeo pkg to install
 set_fact:
 crio_packages: "{{ crio_packages + skopeo_packages }}"
@@ -198,6 +204,7 @@
 state: restarted
 when:
 - config_install.changed
+ - reg_auth_install.changed
 - not package_install.changed
 - not service_start.changed
diff --git a/roles/container-engine/cri-o/templates/config.json.j2 b/roles/container-engine/cri-o/templates/config.json.j2
new file mode 100644
index 000000000..522ade7a4
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/config.json.j2
@@ -0,0 +1,17 @@
+{% if crio_registry_auth is defined and crio_registry_auth|length %}
+{
+{% for reg in crio_registry_auth %}
+ "auths": {
+ "{{ reg.registry }}": {
+ "auth": "{{ (reg.username + ':' + reg.password) | string | b64encode }}"
+ }
+{% if not loop.last %}
+ },
+{% else %}
+ }
+{% endif %}
+{% endfor %}
+}
+{% else %}
+{}
+{% endif %}
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index cdc7363ac..b6f5357dd 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -313,7 +313,7 @@ default_transport = "docker://"
 # The path to a file containing credentials necessary for pulling images from
 # secure registries. The file is similar to that of /var/lib/kubelet/config.json
-global_auth_file = ""
+global_auth_file = "/etc/crio/config.json"
 # The image used to instantiate infra containers.
 # This option supports live configuration reload.
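Review bot: The new `Install config.json` task writes registry credentials but sets no `owner` or `mode`, whereas the preceding task (which begins above this hunk) pins `mode: 0644`. The file's permissions therefore depend on the umask, and the `auth` value is only base64, so any account that can read the file recovers the password. I would add `owner: root` and `mode: "0600"` under `template:` (assuming CRI-O reads the file as root — confirm). I would also put `no_log: true` on the task so that `--diff` runs do not print the rendered credentials.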
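Review bot: Entries in a `when:` list are combined with AND, so adding `- reg_auth_install.changed` makes this restart fire only when both crio.conf and config.json changed in the same run. A change to just one of them no longer restarts the service, which is a regression for plain crio.conf edits. Replace the two entries with a single `- config_install.changed or reg_auth_install.changed`. The task this condition belongs to begins above the hunk, so I am inferring from `state: restarted` that it is the CRI-O service restart.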
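Review bot: The `{% for %}` loop encloses the `"auths": {` line, so a `crio_registry_auth` list with more than one entry renders a repeated `"auths"` key instead of one object holding every registry. JSON parsers typically keep only one of the duplicates, so presumably all but one credential would be silently ignored. The registry name is also interpolated into the JSON without escaping, and `reg.username + ':' + reg.password` fails when YAML parses a password as a number, because `| string` is applied only after the concatenation. Moving the loop inside `"auths"`, emitting values through `to_json` and joining with `~` addresses all three.

```jinja
{# … unchanged: outer if/else that emits {} when crio_registry_auth is empty … #}
{
  "auths": {
{% for reg in crio_registry_auth %}
    {{ reg.registry | string | to_json }}: {
      "auth": {{ (reg.username ~ ':' ~ reg.password) | b64encode | to_json }}
    }{{ ',' if not loop.last else '' }}
{% endfor %}
  }
}
```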