From b2692e9f0066a61a951c7436978a46f947070f54 Mon Sep 17 00:00:00 2001
From: Marat Talipov
Date: Mon, 13 Dec 2021 13:41:58 +0500
Subject: [PATCH] containerd insecure registry support (#8298)
---
 inventory/sample/group_vars/all/containerd.yml | 8 ++++++++
 .../container-engine/containerd/templates/config.toml.j2 | 6 ++++++
 roles/kubespray-defaults/defaults/main.yaml | 9 +++++++++
 3 files changed, 23 insertions(+)
diff --git a/inventory/sample/group_vars/all/containerd.yml b/inventory/sample/group_vars/all/containerd.yml
index 3f617f20643..4aee14bcdb4 100644
--- a/inventory/sample/group_vars/all/containerd.yml
+++ b/inventory/sample/group_vars/all/containerd.yml
@@ -28,6 +28,14 @@
 # containerd_metrics_grpc_histogram: false
+## An obvious use case is allowing insecure-registry access to self hosted registries.
+## Can be ipaddress and domain_name.
+## example define mirror.registry.io or 172.19.16.11:5000
+## Port number is also needed if the default HTTPS port is not used.
+# containerd_insecure_registries:
+# - mirror.registry.io
+# - 172.19.16.11:5000
+
 # containerd_registries:
 # "docker.io": "https://registry-1.docker.io"
diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
index 48f3628e069..0bc24984622 100644
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -54,6 +54,12 @@ oom_score = {{ containerd_oom_score }}
 [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ registry }}"]
 endpoint = ["{{ ([ addr ] | flatten ) | join('","') }}"]
 {% endfor %}
+{% for addr in containerd_insecure_registries %}
+ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ addr }}"]
+ endpoint = ["{{ ([ addr ] | flatten ) | join('","') }}"]
+ [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ addr }}".tls]
+ insecure_skip_verify = true
+{% endfor %}
 {% for registry in containerd_registry_auth if registry['registry'] is defined %}
 {% if (registry['username'] is defined and registry['password'] is defined) or registry['auth'] is defined %}
 [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ registry['registry'] }}".auth]
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 12a28b9afbc..ef9d4d21c2f 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -346,6 +346,15 @@ containerd_use_systemd_cgroup: true
 # Docker options - this is relevant when container_manager == 'docker'
 docker_containerd_version: 1.4.12
+## An obvious use case is allowing insecure-registry access to self hosted registries.
+## Can be ipaddress and domain_name.
+## example define mirror.registry.io or 172.19.16.11:5000
+## Port number is also needed if the default HTTPS port is not used.
+# containerd_insecure_registries:
+# - mirror.registry.io
+# - 172.19.16.11:5000
+containerd_insecure_registries: []
+
 # Settings for containerized control plane (etcd/kubelet/secrets)
 # deployment type for legacy etcd mode
 etcd_deployment_type: host
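Review bot: In the added `containerd_insecure_registries` loop of config.toml.j2, `endpoint` is rendered from a bare host (the documented sample values are `mirror.registry.io` and `172.19.16.11:5000`), while the `containerd_registries` sample in this same commit uses a full URL, `https://registry-1.docker.io`. Mirror endpoints are normally written with a scheme, so this should be checked against a real pull. `insecure_skip_verify = true` only relaxes certificate checking on a TLS connection, so a plain-HTTP registry would presumably still need an explicit `http://` endpoint. The `([ addr ] | flatten ) | join('","')` expression is copied from the preceding loop (its header is outside the hunk) and does nothing for a scalar; `endpoint = ["{{ addr }}"]`, with the scheme made explicit, reads more clearly. A host present both in this list and in the preceding loop's registries would render the `registry.mirrors."<host>"` table twice, which TOML parsers reject as a duplicate table, so an overlap check before templating is worth adding.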
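Review bot: The comment block above `containerd_insecure_registries: []` in roles/kubespray-defaults/defaults/main.yaml never states what listing a host actually does. Per the template hunk in this commit, every entry gets `insecure_skip_verify = true`, so image pulls from that host are no longer protected by TLS certificate verification and the registry's identity is not checked. I would add a line such as `## Hosts listed here are pulled with TLS certificate verification disabled; list only registries reachable over a network you trust.` above the default. The same comment block is duplicated in inventory/sample/group_vars/all/containerd.yml and should get the same wording.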