From ed6cef85d8f7be3796f8e7c75ef0648026390dc3 Mon Sep 17 00:00:00 2001
From: Sergey
Date: Fri, 4 Dec 2020 00:57:25 +0300
Subject: [PATCH] add crio registry mirror support (#6977)
* add crio registry mirror support
* mdlint fix
---
 docs/cri-o.md | 21 +++++++++++++++++--
 .../container-engine/cri-o/defaults/main.yml | 13 ++++++++++++
 roles/container-engine/cri-o/tasks/main.yaml | 14 +++++++++++++
 .../cri-o/templates/registry-mirror.conf.j2 | 11 ++++++++++
 tests/common/_docker_hub_registry_mirror.yml | 9 ++++++++
 5 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 roles/container-engine/cri-o/templates/registry-mirror.conf.j2
diff --git a/docs/cri-o.md b/docs/cri-o.md
index 6a7f77a90..4e39e0549 100644
--- a/docs/cri-o.md
+++ b/docs/cri-o.md
@@ -8,7 +8,7 @@ Kubespray supports basic functionality for using CRI-O as the default container
 _To use the CRI-O container runtime set the following variables:_
-## all.yml
+## all/all.yml
 ```yaml
 download_container: false
@@ -16,7 +16,7 @@ skip_downloads: false
 etcd_kubeadm_enabled: true
 ```
-## k8s-cluster.yml
+## k8s-cluster/k8s-cluster.yml
 ```yaml
 container_manager: crio
@@ -28,4 +28,21 @@ container_manager: crio
 etcd_deployment_type: host # optionally and mutually exclusive with etcd_kubeadm_enabled
 ```
+## all/crio.yml
+
+Enable docker hub registry mirrors
+
+```yaml
+crio_registries_mirrors:
+ - prefix: docker.io
+ insecure: false
+ blocked: false
+ location: registry-1.docker.io
+ mirrors:
+ - location: 192.168.100.100:5000
+ insecure: true
+ - location: mirror.gcr.io
+ insecure: false
+```
+
 [CRI-O]: https://cri-o.io/
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 25711588c..5ded3c64e 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -14,6 +14,19 @@ crio_registries: []
 # Configure insecure registries.
 crio_insecure_registries: []
+# Define registiries mirror
+
+crio_registries_mirrors: []
+# - prefix: docker.io
+# insecure: false
+# blocked: false
+# location: registry-1.docker.io
+# mirrors:
+# - location: 172.20.100.52:5000
+# insecure: true
+# - location: mirror.gcr.io
+# insecure: false
+
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
 crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index 92ef26ad6..83165f2a7 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -145,6 +145,20 @@
 - ansible_distribution == "CentOS"
 - ansible_distribution_major_version == "7"
+- name: Create directory registries configs
+ file:
+ path: /etc/containers/registries.conf.d
+ state: directory
+ owner: root
+ mode: 0755
+
+- name: Write registries mirror configs
+ template:
+ src: registry-mirror.conf.j2
+ dest: "/etc/containers/registries.conf.d/{{ item.prefix }}.conf"
+ loop: "{{ crio_registries_mirrors }}"
+ notify: restart crio
+
 - name: Write cri-o proxy drop-in
 template:
 src: http-proxy.conf.j2
diff --git a/roles/container-engine/cri-o/templates/registry-mirror.conf.j2 b/roles/container-engine/cri-o/templates/registry-mirror.conf.j2
new file mode 100644
index 000000000..3c55026ea
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/registry-mirror.conf.j2
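Review bot: The comment introducing `crio_registries_mirrors` in roles/container-engine/cri-o/defaults/main.yml is misspelled ("registiries") and does not say what the keys do, which matters because the commented example turns on `insecure: true` for a mirror. I would replace it with `# Registry mirrors; one drop-in per entry is written to /etc/containers/registries.conf.d/<prefix>.conf` followed by `# insecure: true allows plain HTTP or unverified TLS for that endpoint; keep it false unless the mirror is on a trusted network`. The blank line between the comment and the variable can also go, so the comment stays attached to the key it describes.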
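Review bot: `item.prefix` is used unmodified as a file name in the `dest` of "Write registries mirror configs", but a registries.conf prefix may include a path (`registry.example/team`, a constructed example), so such an entry would resolve to a nested or unintended path instead of a file directly under /etc/containers/registries.conf.d. Deriving a flat name, for example `dest: "/etc/containers/registries.conf.d/{{ item.prefix | regex_replace('[^A-Za-z0-9._-]', '_') }}.conf"`, keeps every entry inside that directory. The same task sets no `owner` or `mode`, so the file's permissions depend on the remote umask; adding `owner: root` and `mode: "0644"` would make it explicit, in line with the directory task above it. As far as this hunk shows, files written for entries that are later removed from `crio_registries_mirrors` are left in place and would keep their mirrors active.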
@@ -0,0 +1,11 @@
+[[registry]]
+prefix = "{{ item.prefix }}"
+insecure = {{ item.insecure | d('false') | string | lower }}
+blocked = {{ item.blocked | d('false') | string | lower }}
+location = "{{ item.location | d(item.prefix) }}"
+{% for mirror in item.mirrors %}
+
+[[registry.mirror]]
+location = "{{ mirror.location }}"
+insecure = {{ mirror.insecure | d ('false') | string | lower }}
+{% endfor %}
diff --git a/tests/common/_docker_hub_registry_mirror.yml b/tests/common/_docker_hub_registry_mirror.yml
index 3dadb08ff..a9d95e842 100644
--- a/tests/common/_docker_hub_registry_mirror.yml
+++ b/tests/common/_docker_hub_registry_mirror.yml
@@ -13,3 +13,12 @@ containerd_config:
 - "https://mirror.gcr.io"
 - "https://registry-1.docker.io"
 max_container_log_line_size: -1
+
+crio_registries_mirrors:
+ - prefix: docker.io
+ insecure: false
+ blocked: false
+ location: registry-1.docker.io
+ mirrors:
+ - location: mirror.gcr.io
+ insecure: false
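Review bot: `{% for mirror in item.mirrors %}` in registry-mirror.conf.j2 has no default, unlike `insecure`, `blocked` and `location` above it, so an entry in `crio_registries_mirrors` that omits `mirrors` (for example one that only sets `blocked: true`) would presumably fail the task with an undefined-variable error. Writing `{% for mirror in item.mirrors | d([]) %}` makes the key optional. `item.prefix`, `item.location` and `mirror.location` are also placed between TOML double quotes without escaping, so a value containing `"` or a backslash would yield an invalid or altered file; a comment at the top of the template stating that these values must be plain registry host/path strings would document that assumption. The `d ('false')` on the mirror `insecure` line has a stray space that the two calls above it do not.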